Revert^2 "pVM to use Secretkeeper protected secrets"
9f145f29aa217d89543fd86d7cc8e51d7dd6e071
These secrets are to be stored in Secretkeeper which provides
tamper-evident storage for pVMs.
Regular binder proxy cannot be transferred over RPC binder, so we build
SecretkeeperProxy service that forwards the rpc binder request from
within pVM to Secretkeeper HAL which is a regular binderized HAL. This
proxy service is hosted by virtualizationmanager.
Note on supported device: (is_sk_supported() method): Non protected VM
trusts the claim, whilst for protected VM, we require authentication
data from pvmfw. Support for pVM is not fully done (this doesn't affect
security since pvmfw does code_hash check).
Issue with original patch - SecretkeeperProxy did not implement
deleteIds & deleteAll, which were added to aidl few commits back & hence
presubmits didn't catch them.
Bug: 291213394
Test: MicrodroidTests#encryptedStorageIsPersistent
Change-Id: Ib2cc3d21bd6bd4c8b4e173f32ea680d67fb1d9ac
diff --git a/virtualizationmanager/Android.bp b/virtualizationmanager/Android.bp
index 33897b2..88e9c70 100644
--- a/virtualizationmanager/Android.bp
+++ b/virtualizationmanager/Android.bp
@@ -5,7 +5,11 @@
rust_defaults {
name: "virtualizationmanager_defaults",
crate_name: "virtualizationmanager",
- defaults: ["avf_build_flags_rust"],
+ defaults: [
+ "avf_build_flags_rust",
+ "secretkeeper_use_latest_hal_aidl_rust",
+ "authgraph_use_latest_hal_aidl_rust",
+ ],
edition: "2021",
// Only build on targets which crosvm builds on.
enabled: false,