Merge "Fix SELinux denial check" into main
diff --git a/apex/Android.bp b/apex/Android.bp
index 99b2dee..43819dc 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -47,7 +47,7 @@
"release_avf_enable_device_assignment",
"release_avf_enable_llpvm_changes",
"release_avf_enable_network",
- "release_avf_enable_remote_attestation",
+ "avf_remote_attestation_enabled",
"release_avf_enable_vendor_modules",
"release_avf_enable_virt_cpufreq",
"release_avf_support_custom_vm_with_paravirtualized_devices",
@@ -204,7 +204,7 @@
},
},
},
- release_avf_enable_remote_attestation: {
+ avf_remote_attestation_enabled: {
vintf_fragments: [
"virtualizationservice.xml",
],
@@ -235,7 +235,7 @@
config_namespace: "ANDROID",
bool_variables: [
"release_avf_enable_llpvm_changes",
- "release_avf_enable_remote_attestation",
+ "avf_remote_attestation_enabled",
],
properties: ["srcs"],
}
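Review bot: The `bool_variables` entry in this hunk declares `avf_remote_attestation_enabled` in the `ANDROID` namespace, but nothing in the diff shows where that variable is assigned, and the docs hunk describes an opt-out switch with the opposite polarity (`PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED`). If the build-side mapping is missing or misspelled, the bool is presumably treated as unset, so the `vintf_fragments` block in the hunk at -204 and the `virtualizationservice.rc.ra` source in the hunk at -247 would be dropped without a build error, leaving remote attestation off on a product that expects it. I would add a comment above the list once the mapping is confirmed, e.g. `// Set by the build from PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED (inverted); true unless the product opts out.`, and check a built image for `virtualizationservice.xml`. The same name also appears in the list in the hunk at -47, and the module definitions continue outside these hunks.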
@@ -247,7 +247,7 @@
release_avf_enable_llpvm_changes: {
srcs: ["virtualizationservice.rc.llpvm"],
},
- release_avf_enable_remote_attestation: {
+ avf_remote_attestation_enabled: {
srcs: ["virtualizationservice.rc.ra"],
},
},
diff --git a/docs/vm_remote_attestation.md b/docs/vm_remote_attestation.md
index 835dcac..3483351 100644
--- a/docs/vm_remote_attestation.md
+++ b/docs/vm_remote_attestation.md
@@ -106,3 +106,18 @@
normal mode.
- The `vmComponents` field contains a list of all the APKs and apexes loaded
by the pVM.
+
+## To Support It
+
+VM remote attestation is a strongly recommended feature from Android V. To support
+it, you only need to provide a valid VM DICE chain satisfying the following
+requirements:
+
+- The DICE chain must have a UDS-rooted public key registered at the RKP factory.
+- The DICE chain should have RKP VM markers that help identify RKP VM as required
+ by the [remote provisioning HAL][rkp-hal-markers].
+
+The feature is enabled by default. To disable it, you can set
+`PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED` to true in your Makefile.
+
+[rkp-hal-markers]: https://android.googlesource.com/platform/hardware/interfaces/+/main/security/rkp/README.md#hal