commit 5af986b63762c524268237f9ede6b29522ac34a3
author Alice Wang <aliceywang@google.com> Tue May 21 15:07:59 2024 +0000
committer Alice Wang <aliceywang@google.com> Fri May 24 06:51:59 2024 +0000
tree dfdce6d706a1b008caf88e4d7453948dc0d8ca2c
parent d47ad8b61add656be0c6d3d59ec4283c35949e00

Use soong variable avf_remote_attestation_enabled to enable RA

The new soong variable allows OEMs to disale the RA feature
easily when they do not plan to support it.

The remote attestation feature is opt-in by default, as it
is a strongly recommended feature from Android V. It will
be disabled if PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED is
set to true in the Makefile, otherwise it will be enabled
when the feature flag
RELEASE_AVF_ENABLE_REMOTE_ATTESTATION is on.

Bug: 331269709
Bug: 341292601
Test: run VM remote attestation on Pixel 6 and check it is
disabled
Test: run VM remote attestation on Pixel 7 and check it is
enabled

Change-Id: Idcc1c4c300f64661293394e7102cf68c3bdc38f2

apex/Android.bp

diff --git a/apex/Android.bp b/apex/Android.bp
index 99b2dee..43819dc 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -47,7 +47,7 @@
         "release_avf_enable_device_assignment",
         "release_avf_enable_llpvm_changes",
         "release_avf_enable_network",
-        "release_avf_enable_remote_attestation",
+        "avf_remote_attestation_enabled",
         "release_avf_enable_vendor_modules",
         "release_avf_enable_virt_cpufreq",
         "release_avf_support_custom_vm_with_paravirtualized_devices",
@@ -204,7 +204,7 @@
                 },
             },
         },
-        release_avf_enable_remote_attestation: {
+        avf_remote_attestation_enabled: {
             vintf_fragments: [
                 "virtualizationservice.xml",
             ],
@@ -235,7 +235,7 @@
     config_namespace: "ANDROID",
     bool_variables: [
         "release_avf_enable_llpvm_changes",
-        "release_avf_enable_remote_attestation",
+        "avf_remote_attestation_enabled",
     ],
     properties: ["srcs"],
 }
@@ -247,7 +247,7 @@
         release_avf_enable_llpvm_changes: {
             srcs: ["virtualizationservice.rc.llpvm"],
         },
-        release_avf_enable_remote_attestation: {
+        avf_remote_attestation_enabled: {
             srcs: ["virtualizationservice.rc.ra"],
         },
     },

docs/vm_remote_attestation.md

diff --git a/docs/vm_remote_attestation.md b/docs/vm_remote_attestation.md
index 835dcac..3483351 100644
--- a/docs/vm_remote_attestation.md
+++ b/docs/vm_remote_attestation.md
@@ -106,3 +106,18 @@
     normal mode.
 -   The `vmComponents` field contains a list of all the APKs and apexes loaded
     by the pVM.
+
+## To Support It
+
+VM remote attestation is a strongly recommended feature from Android V. To support
+it, you only need to provide a valid VM DICE chain satisfying the following
+requirements:
+
+- The DICE chain must have a UDS-rooted public key registered at the RKP factory.
+- The DICE chain should have RKP VM markers that help identify RKP VM as required
+  by the [remote provisioning HAL][rkp-hal-markers].
+
+The feature is enabled by default. To disable it, you can set
+`PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED` to true in your Makefile.
+
+[rkp-hal-markers]: https://android.googlesource.com/platform/hardware/interfaces/+/main/security/rkp/README.md#hal