virtmgr: also support non-vendor tee services am: 22e5d0a0b7
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Virtualization/+/3498408
Change-Id: I4553064e84c34608f50188c0cd67651a9814070b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/android/virtmgr/src/aidl.rs b/android/virtmgr/src/aidl.rs
index 28f36fd..a298f64 100644
--- a/android/virtmgr/src/aidl.rs
+++ b/android/virtmgr/src/aidl.rs
@@ -151,6 +151,17 @@
}
});
+// TODO(ioffe): add service for guest-ffa.
+const KNOWN_TEE_SERVICES: [&str; 0] = [];
+
+fn check_known_tee_service(tee_service: &str) -> binder::Result<()> {
+ if !KNOWN_TEE_SERVICES.contains(&tee_service) {
+ return Err(anyhow!("unknown tee_service {tee_service}"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+ }
+ Ok(())
+}
+
fn create_or_update_idsig_file(
input_fd: &ParcelFileDescriptor,
idsig_fd: &ParcelFileDescriptor,
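Review bot: `check_known_tee_service` at L15 is a new gate on caller-supplied names and has no doc comment explaining what the allowlist means or which exception a rejected name maps to. I would add above it `/// Rejects any non-vendor tee service name that is not in `KNOWN_TEE_SERVICES`, returning` `/// `UNSUPPORTED_OPERATION`; the list is empty for now, so every such name is refused (fail closed).` and give `KNOWN_TEE_SERVICES` a one-line `///` saying it is the allowlist of system tee services virtmgr will expose to a guest. Since the array is `[&str; 0]`, the `contains` on L16 can never match today; stating that in the doc avoids a reader assuming a populated list lives elsewhere.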
@@ -716,11 +727,35 @@
*is_protected = config.protectedVm;
if !config.teeServices.is_empty() {
+ // TODO(ioffe): only pVMs should be able to request access to teeServices.
check_tee_service_permission(&caller_secontext, &config.teeServices)
.with_log()
.or_binder_exception(ExceptionCode::SECURITY)?;
}
+ let mut system_tee_services = Vec::new();
+ let mut vendor_tee_services = Vec::new();
+ for tee_service in config.teeServices.clone() {
+ if !tee_service.starts_with("vendor.") {
+ check_known_tee_service(&tee_service)?;
+ system_tee_services.push(tee_service);
+ } else {
+ vendor_tee_services.push(tee_service);
+ }
+ }
+
+ // TODO(b/391774181): handle vendor tee services (which require talking to HAL) as well.
+ if !vendor_tee_services.is_empty() {
+ return Err(anyhow!("support for vendor tee services is coming soon!"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+ }
+
+ // TODO(ioffe): remove this check in a follow-up patch.
+ if !system_tee_services.is_empty() {
+ return Err(anyhow!("support for system tee services is coming soon!"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+ }
+
let kernel = maybe_clone_file(&config.kernel)?;
let initrd = maybe_clone_file(&config.initrd)?;
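Review bot: The classification loop at L34–L43 clones the entire `config.teeServices` vector (L36) only to split it by the `"vendor."` prefix, and hand-rolls what `Iterator::partition` expresses directly; iterating by reference and cloning per element keeps the same order and the same first-error behaviour (the `check_known_tee_service` error on L38 still fires for the first unknown non-vendor name, before the vendor rejection on L46). The enclosing function starts and ends outside this hunk, so I am assuming `teeServices` is the `Vec<String>` the AIDL `String[]` maps to. The permission check on L30 correctly runs before any name is classified, so a caller without the SELinux permission never learns whether a name is "known"; keeping that ordering in the rewrite matters.
```rust
        // Split by the "vendor." prefix; order is preserved so the first unknown
        // system service still produces the first error.
        let (vendor_tee_services, system_tee_services): (Vec<String>, Vec<String>) =
            config.teeServices.iter().cloned().partition(|s| s.starts_with("vendor."));
        for tee_service in &system_tee_services {
            check_known_tee_service(tee_service)?;
        }
        // … unchanged: vendor / system "coming soon" rejections …
```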