Merge "Add placeholder for docs on updatable VM and remote attestation" into main
diff --git a/README.md b/README.md
index 210f70e..1b092f6 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@
* [vmbase](vmbase/README.md)
AVF APIs:
-* [Java API](javalib/README.md)
+* [Java API](java/framework/README.md)
* [VM Payload API](vm_payload/README.md)
How-Tos:
@@ -29,4 +29,4 @@
* [Building and running a demo app in C++](demo_native/README.md)
* [Debugging](docs/debug)
* [Using custom VM](docs/custom_vm.md)
-* [Device assignment](docs/device_assignment.md)
\ No newline at end of file
+* [Device assignment](docs/device_assignment.md)
diff --git a/authfs/Android.bp b/authfs/Android.bp
index 8ac600d..e04d5e1 100644
--- a/authfs/Android.bp
+++ b/authfs/Android.bp
@@ -73,6 +73,7 @@
tools: [
"fsverity_manifest_generator",
"fsverity",
+ "soong_zip",
],
srcs: [
"testdata/input.4k",
@@ -85,13 +86,11 @@
* to load a generated fsverity manifest for the test input files into the
* test VM.
*/
- cmd: "out_dir=$$(dirname $(out))" +
- "&& assets_dir=\"assets\" " +
- "&& mkdir -p $$out_dir/$$assets_dir" +
+ cmd: "mkdir -p $(genDir)/assets" +
"&& $(location fsverity_manifest_generator) " +
" --fsverity-path $(location fsverity) " +
" --base-dir $$(dirname $(in) | head -1) " +
- " --output $$out_dir/$$assets_dir/input_manifest.pb " +
+ " --output $(genDir)/assets/input_manifest.pb " +
" $(in) " +
- "&& jar cf $(out) -C $$out_dir $$assets_dir",
+ "&& $(location soong_zip) -jar -o $(out) -C $(genDir) -D $(genDir)/assets",
}
diff --git a/authfs/tests/benchmarks/Android.bp b/authfs/tests/benchmarks/Android.bp
index 93ba41a..27a6af1 100644
--- a/authfs/tests/benchmarks/Android.bp
+++ b/authfs/tests/benchmarks/Android.bp
@@ -46,9 +46,8 @@
srcs: [
":measure_io",
],
- cmd: "out_dir=$$(dirname $(out))" +
- "&& bin_dir=\"bin\" " +
- "&& mkdir -p $$out_dir/$$bin_dir" +
- "&& cp $(in) $$out_dir/$$bin_dir" +
- "&& jar cf $(out) -C $$out_dir $$bin_dir",
+ tools: ["soong_zip"],
+ cmd: "mkdir -p $(genDir)/bin" +
+ "&& cp $(in) $(genDir)/bin" +
+ "&& $(location soong_zip) -jar -o $(out) -C $(genDir) -D $(genDir)/bin",
}
diff --git a/compos/common/compos_client.rs b/compos/common/compos_client.rs
index a8a176a..abaa74c 100644
--- a/compos/common/compos_client.rs
+++ b/compos/common/compos_client.rs
@@ -62,8 +62,6 @@
pub debug_mode: bool,
/// CPU topology of the VM. Defaults to 1 vCPU.
pub cpu_topology: VmCpuTopology,
- /// List of task profiles to apply to the VM
- pub task_profiles: Vec<String>,
/// If present, overrides the amount of RAM to give the VM
pub memory_mib: Option<i32>,
/// Whether the VM prefers staged APEXes or activated ones (false; default)
@@ -131,10 +129,7 @@
protectedVm: protected_vm,
memoryMib: parameters.memory_mib.unwrap_or(0), // 0 means use the default
cpuTopology: cpu_topology,
- customConfig: Some(CustomConfig {
- taskProfiles: parameters.task_profiles.clone(),
- ..Default::default()
- }),
+ customConfig: Some(CustomConfig { ..Default::default() }),
});
// Let logs go to logcat.
@@ -144,7 +139,7 @@
service,
&config,
console_fd,
- /*console_in_fd */ None,
+ /* console_in_fd */ None,
log_fd,
Some(callback),
)
diff --git a/compos/composd/Android.bp b/compos/composd/Android.bp
index b0294dd..75f0c4f 100644
--- a/compos/composd/Android.bp
+++ b/compos/composd/Android.bp
@@ -7,6 +7,7 @@
srcs: ["src/composd_main.rs"],
edition: "2021",
prefer_rlib: true,
+ defaults: ["avf_build_flags_rust"],
rustlibs: [
"android.system.composd-rust",
"android.system.virtualizationservice-rust",
diff --git a/compos/composd/src/instance_manager.rs b/compos/composd/src/instance_manager.rs
index 510ad11..9e94035 100644
--- a/compos/composd/src/instance_manager.rs
+++ b/compos/composd/src/instance_manager.rs
@@ -82,9 +82,8 @@
// a system property. Start the VM with all CPUs and assume the guest will start a suitable
// number of dex2oat threads.
let cpu_topology = VmCpuTopology::MatchHost;
- let task_profiles = vec!["SCHED_SP_COMPUTE".to_string()];
let memory_mib = Some(compos_memory_mib()?);
- Ok(VmParameters { cpu_topology, task_profiles, memory_mib, ..Default::default() })
+ Ok(VmParameters { cpu_topology, memory_mib, ..Default::default() })
}
fn compos_memory_mib() -> Result<i32> {
diff --git a/java/Android.bp b/java/Android.bp
new file mode 100644
index 0000000..1c55f78
--- /dev/null
+++ b/java/Android.bp
@@ -0,0 +1,24 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+soong_config_module_type {
+ name: "avf_flag_aware_android_app",
+ module_type: "android_app",
+ config_namespace: "ANDROID",
+ bool_variables: ["release_avf_allow_preinstalled_apps"],
+ properties: ["manifest"],
+}
+
+// Defines our permissions
+avf_flag_aware_android_app {
+ name: "android.system.virtualmachine.res",
+ installable: true,
+ apex_available: ["com.android.virt"],
+ platform_apis: true,
+ soong_config_variables: {
+ release_avf_allow_preinstalled_apps: {
+ manifest: "AndroidManifestNext.xml",
+ },
+ },
+}
diff --git a/javalib/AndroidManifest.xml b/java/AndroidManifest.xml
similarity index 100%
rename from javalib/AndroidManifest.xml
rename to java/AndroidManifest.xml
diff --git a/javalib/AndroidManifestNext.xml b/java/AndroidManifestNext.xml
similarity index 100%
rename from javalib/AndroidManifestNext.xml
rename to java/AndroidManifestNext.xml
diff --git a/javalib/Android.bp b/java/framework/Android.bp
similarity index 67%
rename from javalib/Android.bp
rename to java/framework/Android.bp
index a7c531e..32b2aee 100644
--- a/javalib/Android.bp
+++ b/java/framework/Android.bp
@@ -2,27 +2,6 @@
default_applicable_licenses: ["Android-Apache-2.0"],
}
-soong_config_module_type {
- name: "avf_flag_aware_android_app",
- module_type: "android_app",
- config_namespace: "ANDROID",
- bool_variables: ["release_avf_allow_preinstalled_apps"],
- properties: ["manifest"],
-}
-
-// Defines our permissions
-avf_flag_aware_android_app {
- name: "android.system.virtualmachine.res",
- installable: true,
- apex_available: ["com.android.virt"],
- platform_apis: true,
- soong_config_variables: {
- release_avf_allow_preinstalled_apps: {
- manifest: "AndroidManifestNext.xml",
- },
- },
-}
-
java_sdk_library {
name: "framework-virtualization",
diff --git a/javalib/README.md b/java/framework/README.md
similarity index 100%
rename from javalib/README.md
rename to java/framework/README.md
diff --git a/javalib/api/current.txt b/java/framework/api/current.txt
similarity index 100%
rename from javalib/api/current.txt
rename to java/framework/api/current.txt
diff --git a/javalib/api/module-lib-current.txt b/java/framework/api/module-lib-current.txt
similarity index 100%
rename from javalib/api/module-lib-current.txt
rename to java/framework/api/module-lib-current.txt
diff --git a/javalib/api/module-lib-removed.txt b/java/framework/api/module-lib-removed.txt
similarity index 100%
rename from javalib/api/module-lib-removed.txt
rename to java/framework/api/module-lib-removed.txt
diff --git a/javalib/api/removed.txt b/java/framework/api/removed.txt
similarity index 100%
rename from javalib/api/removed.txt
rename to java/framework/api/removed.txt
diff --git a/javalib/api/system-current.txt b/java/framework/api/system-current.txt
similarity index 100%
rename from javalib/api/system-current.txt
rename to java/framework/api/system-current.txt
diff --git a/javalib/api/system-removed.txt b/java/framework/api/system-removed.txt
similarity index 100%
rename from javalib/api/system-removed.txt
rename to java/framework/api/system-removed.txt
diff --git a/javalib/api/test-current.txt b/java/framework/api/test-current.txt
similarity index 89%
rename from javalib/api/test-current.txt
rename to java/framework/api/test-current.txt
index 0a988d8..3cd8e42 100644
--- a/javalib/api/test-current.txt
+++ b/java/framework/api/test-current.txt
@@ -16,7 +16,7 @@
public static final class VirtualMachineConfig.Builder {
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder addExtraApk(@NonNull String);
- method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder setOs(@NonNull String);
+ method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setOs(@NonNull String);
method @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setPayloadConfigPath(@NonNull String);
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setVendorDiskImage(@NonNull java.io.File);
method @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder setVmConsoleInputSupported(boolean);
@@ -26,6 +26,7 @@
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull public java.util.List<java.lang.String> getSupportedOSList() throws android.system.virtualmachine.VirtualMachineException;
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @RequiresPermission(android.system.virtualmachine.VirtualMachine.MANAGE_VIRTUAL_MACHINE_PERMISSION) public boolean isFeatureEnabled(String) throws android.system.virtualmachine.VirtualMachineException;
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_DICE_CHANGES = "com.android.kvm.DICE_CHANGES";
+ field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_LLPVM_CHANGES = "com.android.kvm.LLPVM_CHANGES";
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_MULTI_TENANT = "com.android.kvm.MULTI_TENANT";
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_REMOTE_ATTESTATION = "com.android.kvm.REMOTE_ATTESTATION";
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_VENDOR_MODULES = "com.android.kvm.VENDOR_MODULES";
diff --git a/javalib/api/test-removed.txt b/java/framework/api/test-removed.txt
similarity index 100%
rename from javalib/api/test-removed.txt
rename to java/framework/api/test-removed.txt
diff --git a/javalib/jarjar-rules.txt b/java/framework/jarjar-rules.txt
similarity index 100%
rename from javalib/jarjar-rules.txt
rename to java/framework/jarjar-rules.txt
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachine.java b/java/framework/src/android/system/virtualmachine/VirtualMachine.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualMachine.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachine.java
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineCallback.java b/java/framework/src/android/system/virtualmachine/VirtualMachineCallback.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualMachineCallback.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachineCallback.java
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java b/java/framework/src/android/system/virtualmachine/VirtualMachineConfig.java
similarity index 99%
rename from javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachineConfig.java
index 19e663f..693a7d7 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
+++ b/java/framework/src/android/system/virtualmachine/VirtualMachineConfig.java
@@ -530,6 +530,7 @@
&& this.mEncryptedStorageBytes == other.mEncryptedStorageBytes
&& this.mVmOutputCaptured == other.mVmOutputCaptured
&& this.mVmConsoleInputSupported == other.mVmConsoleInputSupported
+ && (this.mVendorDiskImage == null) == (other.mVendorDiskImage == null)
&& Objects.equals(this.mPayloadConfigPath, other.mPayloadConfigPath)
&& Objects.equals(this.mPayloadBinaryName, other.mPayloadBinaryName)
&& Objects.equals(this.mPackageName, other.mPackageName)
@@ -587,7 +588,6 @@
if (mVendorDiskImage != null) {
VirtualMachineAppConfig.CustomConfig customConfig =
new VirtualMachineAppConfig.CustomConfig();
- customConfig.taskProfiles = EMPTY_STRING_ARRAY;
customConfig.devices = EMPTY_STRING_ARRAY;
try {
customConfig.vendorImage =
@@ -1023,6 +1023,7 @@
*/
@TestApi
@FlaggedApi(Flags.FLAG_AVF_V_TEST_APIS)
+ @RequiresPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION)
@NonNull
public Builder setOs(@NonNull String os) {
mOs = requireNonNull(os, "os must not be null");
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineDescriptor.java b/java/framework/src/android/system/virtualmachine/VirtualMachineDescriptor.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualMachineDescriptor.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachineDescriptor.java
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineException.java b/java/framework/src/android/system/virtualmachine/VirtualMachineException.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualMachineException.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachineException.java
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java b/java/framework/src/android/system/virtualmachine/VirtualMachineManager.java
similarity index 97%
rename from javalib/src/android/system/virtualmachine/VirtualMachineManager.java
rename to java/framework/src/android/system/virtualmachine/VirtualMachineManager.java
index f263b32..5020ff0 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
+++ b/java/framework/src/android/system/virtualmachine/VirtualMachineManager.java
@@ -119,9 +119,10 @@
prefix = "FEATURE_",
value = {
FEATURE_DICE_CHANGES,
+ FEATURE_LLPVM_CHANGES,
FEATURE_MULTI_TENANT,
FEATURE_REMOTE_ATTESTATION,
- FEATURE_VENDOR_MODULES
+ FEATURE_VENDOR_MODULES,
})
public @interface Features {}
@@ -164,6 +165,15 @@
IVirtualizationService.FEATURE_VENDOR_MODULES;
/**
+ * Feature to enable Secretkeeper protected secrets in Microdroid based pVMs.
+ *
+ * @hide
+ */
+ @TestApi
+ @FlaggedApi(Flags.FLAG_AVF_V_TEST_APIS)
+ public static final String FEATURE_LLPVM_CHANGES = IVirtualizationService.FEATURE_LLPVM_CHANGES;
+
+ /**
* Returns a set of flags indicating what this implementation of virtualization is capable of.
*
* @see #CAPABILITY_PROTECTED_VM
diff --git a/javalib/src/android/system/virtualmachine/VirtualizationFrameworkInitializer.java b/java/framework/src/android/system/virtualmachine/VirtualizationFrameworkInitializer.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualizationFrameworkInitializer.java
rename to java/framework/src/android/system/virtualmachine/VirtualizationFrameworkInitializer.java
diff --git a/javalib/src/android/system/virtualmachine/VirtualizationService.java b/java/framework/src/android/system/virtualmachine/VirtualizationService.java
similarity index 100%
rename from javalib/src/android/system/virtualmachine/VirtualizationService.java
rename to java/framework/src/android/system/virtualmachine/VirtualizationService.java
diff --git a/javalib/jni/Android.bp b/java/jni/Android.bp
similarity index 100%
rename from javalib/jni/Android.bp
rename to java/jni/Android.bp
diff --git a/javalib/jni/android_system_virtualmachine_VirtualMachine.cpp b/java/jni/android_system_virtualmachine_VirtualMachine.cpp
similarity index 100%
rename from javalib/jni/android_system_virtualmachine_VirtualMachine.cpp
rename to java/jni/android_system_virtualmachine_VirtualMachine.cpp
diff --git a/javalib/jni/android_system_virtualmachine_VirtualizationService.cpp b/java/jni/android_system_virtualmachine_VirtualizationService.cpp
similarity index 100%
rename from javalib/jni/android_system_virtualmachine_VirtualizationService.cpp
rename to java/jni/android_system_virtualmachine_VirtualizationService.cpp
diff --git a/javalib/jni/common.h b/java/jni/common.h
similarity index 100%
rename from javalib/jni/common.h
rename to java/jni/common.h
diff --git a/javalib/service/Android.bp b/java/service/Android.bp
similarity index 86%
rename from javalib/service/Android.bp
rename to java/service/Android.bp
index 9c1fa01..fdfb203 100644
--- a/javalib/service/Android.bp
+++ b/java/service/Android.bp
@@ -23,8 +23,13 @@
],
defaults: [
"framework-system-server-module-defaults",
+ "platform_service_defaults",
],
- sdk_version: "system_server_current",
+ libs: [
+ "framework",
+ "services.core",
+ ],
+ sdk_version: "core_platform",
apex_available: ["com.android.virt"],
installable: true,
}
diff --git a/javalib/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java b/java/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java
similarity index 100%
rename from javalib/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java
rename to java/service/src/com/android/system/virtualmachine/VirtualizationSystemService.java
diff --git a/libs/avf_features/Android.bp b/libs/avf_features/Android.bp
new file mode 100644
index 0000000..71f33db
--- /dev/null
+++ b/libs/avf_features/Android.bp
@@ -0,0 +1,26 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_defaults {
+ name: "libavf_features.defaults",
+ crate_name: "avf_features",
+ defaults: ["avf_build_flags_rust"],
+ srcs: ["src/lib.rs"],
+ edition: "2021",
+ prefer_rlib: true,
+ rustlibs: [
+ "android.system.virtualizationservice-rust",
+ "libanyhow",
+ "liblog_rust",
+ ],
+}
+
+rust_library {
+ name: "libavf_features",
+ defaults: ["libavf_features.defaults"],
+ apex_available: [
+ "//apex_available:platform",
+ "com.android.virt",
+ ],
+}
diff --git a/libs/avf_features/src/lib.rs b/libs/avf_features/src/lib.rs
new file mode 100644
index 0000000..c0faab0
--- /dev/null
+++ b/libs/avf_features/src/lib.rs
@@ -0,0 +1,38 @@
+// Copyright 2024, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Provide functionality for handling AVF build-time feature flags.
+
+use android_system_virtualizationservice::aidl::android::system::virtualizationservice::{
+ IVirtualizationService::FEATURE_DICE_CHANGES, IVirtualizationService::FEATURE_LLPVM_CHANGES,
+ IVirtualizationService::FEATURE_MULTI_TENANT,
+ IVirtualizationService::FEATURE_REMOTE_ATTESTATION,
+ IVirtualizationService::FEATURE_VENDOR_MODULES,
+};
+use log::warn;
+
+/// Check if an AVF feature is enabled.
+pub fn is_feature_enabled(feature: &str) -> bool {
+ match feature {
+ FEATURE_DICE_CHANGES => cfg!(dice_changes),
+ FEATURE_LLPVM_CHANGES => cfg!(llpvm_changes),
+ FEATURE_MULTI_TENANT => cfg!(multi_tenant),
+ FEATURE_REMOTE_ATTESTATION => cfg!(remote_attestation),
+ FEATURE_VENDOR_MODULES => cfg!(vendor_modules),
+ _ => {
+ warn!("unknown feature {feature}");
+ false
+ }
+ }
+}
diff --git a/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java b/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
index 77cae32..ba02067 100644
--- a/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
+++ b/tests/benchmark/src/java/com/android/microdroid/benchmark/MicrodroidBenchmarks.java
@@ -276,9 +276,9 @@
(builder) -> builder);
}
- @Test
- public void testMicrodroidDebugBootTime_withVendorPartition() throws Exception {
- assume().withMessage("Cuttlefish doesn't support device tree under" + " /proc/device-tree")
+ private void testMicrodroidDebugBootTime_withVendorBase(File vendorDiskImage) throws Exception {
+ // TODO(b/325094712): Boot fails with vendor partition in Cuttlefish.
+ assume().withMessage("Cuttlefish doesn't support device tree under /proc/device-tree")
.that(isCuttlefish())
.isFalse();
// TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
@@ -287,11 +287,6 @@
.that(isHwasan())
.isFalse();
assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
-
- File vendorDiskImage = new File("/vendor/etc/avf/microdroid/microdroid_vendor.img");
- assume().withMessage("Microdroid vendor image doesn't exist, skip")
- .that(vendorDiskImage.exists())
- .isTrue();
runBootTimeTest(
"test_vm_boot_time_debug_with_vendor_partition",
"assets/" + os() + "/vm_config.json",
@@ -300,6 +295,27 @@
}
@Test
+ public void testMicrodroidDebugBootTime_withVendorPartition() throws Exception {
+ File vendorDiskImage = new File("/vendor/etc/avf/microdroid/microdroid_vendor.img");
+ assume().withMessage("Microdroid vendor image doesn't exist, skip")
+ .that(vendorDiskImage.exists())
+ .isTrue();
+ testMicrodroidDebugBootTime_withVendorBase(vendorDiskImage);
+ }
+
+ @Test
+ public void testMicrodroidDebugBootTime_withCustomVendorPartition() throws Exception {
+ assume().withMessage(
+ "Skip test for protected VM, pvmfw config data doesn't contain any"
+ + " information of test images, such as root digest.")
+ .that(mProtectedVm)
+ .isFalse();
+ File vendorDiskImage =
+ new File("/data/local/tmp/microdroid-bench/microdroid_vendor_image.img");
+ testMicrodroidDebugBootTime_withVendorBase(vendorDiskImage);
+ }
+
+ @Test
public void testMicrodroidImageSize() throws IOException {
Bundle bundle = new Bundle();
for (File file : new File(APEX_ETC_FS).listFiles()) {
diff --git a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
index 2c72561..2c92f04 100644
--- a/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
+++ b/tests/helper/src/java/com/android/microdroid/test/device/MicrodroidDeviceTestBase.java
@@ -21,6 +21,7 @@
import static com.google.common.truth.TruthJUnit.assume;
import static org.junit.Assume.assumeTrue;
+import static org.junit.Assume.assumeFalse;
import android.app.Instrumentation;
import android.app.UiAutomation;
@@ -611,4 +612,8 @@
protected void assumeProtectedVM() {
assumeTrue("Skip on non-protected VM", mProtectedVm);
}
+
+ protected void assumeNonProtectedVM() {
+ assumeFalse("Skip on protected VM", mProtectedVm);
+ }
}
diff --git a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
index 20b5a50..4503cd3 100644
--- a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
+++ b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
@@ -1084,6 +1084,13 @@
}
mOs = (mGki != null) ? "microdroid_gki-" + mGki : "microdroid";
+
+ new CommandRunner(getDevice())
+ .tryRun(
+ "pm",
+ "grant",
+ SHELL_PACKAGE_NAME,
+ "android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
}
@After
@@ -1098,21 +1105,13 @@
mTestLogs, getDevice(), LOG_PATH, "vm.log-" + mTestName.getMethodName());
getDevice().uninstallPackage(PACKAGE_NAME);
-
- // testCustomVirtualMachinePermission revokes this permission. Grant it again as cleanup
- new CommandRunner(getDevice())
- .tryRun(
- "pm",
- "grant",
- SHELL_PACKAGE_NAME,
- "android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
}
- private void assumeProtectedVm() throws Exception {
+ private void assumeProtectedVm() {
assumeTrue("This test is only for protected VM.", mProtectedVm);
}
- private void assumeNonProtectedVm() throws Exception {
+ private void assumeNonProtectedVm() {
assumeFalse("This test is only for non-protected VM.", mProtectedVm);
}
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidCapabilitiesTest.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidCapabilitiesTest.java
index a0826c9..eb23e21 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidCapabilitiesTest.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidCapabilitiesTest.java
@@ -22,6 +22,7 @@
import com.android.compatibility.common.util.CddTest;
import com.android.microdroid.test.device.MicrodroidDeviceTestBase;
+import org.junit.Ignore;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.JUnit4;
@@ -37,6 +38,7 @@
public class MicrodroidCapabilitiesTest extends MicrodroidDeviceTestBase {
@Test
@CddTest(requirements = {"9.17/C-1-1", "9.17/C-2-1"})
+ @Ignore("b/326092480")
public void supportForProtectedOrNonProtectedVms() {
assumeSupportedDevice();
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index 070478e..3b8b4ac 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -140,13 +140,17 @@
@Before
public void setup() {
prepareTestSetup(mProtectedVm, mGki);
- // USE_CUSTOM_VIRTUAL_MACHINE permission has protection level signature|development, meaning
- // that it will be automatically granted when test apk is installed. We have some tests
- // checking the behavior when caller doesn't have this permission (e.g.
- // createVmWithConfigRequiresPermission). Proactively revoke the permission so that such
- // tests can pass when ran by itself, e.g.:
- // atest com.android.microdroid.test.MicrodroidTests#createVmWithConfigRequiresPermission
- revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ if (mGki != null) {
+ // Using a non-default VM always needs the custom permission.
+ grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ } else {
+ // USE_CUSTOM_VIRTUAL_MACHINE permission has protection level signature|development,
+ // meaning that it will be automatically granted when test apk is installed.
+ // But most callers shouldn't need this permission, so by default we run tests with it
+ // revoked.
+ // Tests that rely on the state of the permission should explicitly grant or revoke it.
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ }
}
@After
@@ -588,6 +592,9 @@
.isFalse();
assertConfigCompatible(baseline, newBaselineBuilder().setPayloadBinaryName("different"))
.isFalse();
+ assertConfigCompatible(
+ baseline, newBaselineBuilder().setVendorDiskImage(new File("/foo/bar")))
+ .isFalse();
int capabilities = getVirtualMachineManager().getCapabilities();
if ((capabilities & CAPABILITY_PROTECTED_VM) != 0
&& (capabilities & CAPABILITY_NON_PROTECTED_VM) != 0) {
@@ -637,6 +644,7 @@
VirtualMachineConfig.Builder otherOsBuilder =
newBaselineBuilder().setOs("microdroid_gki-android14-6.1");
assertConfigCompatible(microdroidOsConfig, otherOsBuilder).isFalse();
+
}
private VirtualMachineConfig.Builder newBaselineBuilder() {
@@ -776,6 +784,7 @@
})
public void createVmWithConfigRequiresPermission() throws Exception {
assumeSupportedDevice();
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
VirtualMachineConfig config =
newVmConfigBuilderWithPayloadConfig("assets/" + os() + "/vm_config.json")
@@ -2124,28 +2133,34 @@
}
}
- @Test
- public void configuringVendorDiskImageRequiresCustomPermission() throws Exception {
+ private VirtualMachineConfig buildVmConfigWithVendor(File vendorDiskImage) throws Exception {
assumeSupportedDevice();
+ // TODO(b/325094712): Boot fails with vendor partition in Cuttlefish.
assumeFalse(
"Cuttlefish doesn't support device tree under /proc/device-tree", isCuttlefish());
- // TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
+ // TODO(b/317567210): Boot fails with vendor partition in HWASAN enabled microdroid
// after introducing verification based on DT and fstab in microdroid vendor partition.
assumeFalse(
"boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
-
- File vendorDiskImage =
- new File("/data/local/tmp/cts/microdroid/test_microdroid_vendor_image.img");
VirtualMachineConfig config =
newVmConfigBuilderWithPayloadBinary("MicrodroidTestNativeLib.so")
.setVendorDiskImage(vendorDiskImage)
.setDebugLevel(DEBUG_LEVEL_FULL)
.build();
+ grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ return config;
+ }
+
+ @Test
+ public void configuringVendorDiskImageRequiresCustomPermission() throws Exception {
+ File vendorDiskImage =
+ new File("/data/local/tmp/cts/microdroid/test_microdroid_vendor_image.img");
+ VirtualMachineConfig config = buildVmConfigWithVendor(vendorDiskImage);
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
VirtualMachine vm =
forceCreateNewVirtualMachine("test_vendor_image_req_custom_permission", config);
-
SecurityException e =
assertThrows(
SecurityException.class, () -> runVmTestService(TAG, vm, (ts, tr) -> {}));
@@ -2156,27 +2171,11 @@
@Test
public void bootsWithVendorPartition() throws Exception {
- assumeSupportedDevice();
- assumeFalse(
- "Cuttlefish doesn't support device tree under /proc/device-tree", isCuttlefish());
- // TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
- // after introducing verification based on DT and fstab in microdroid vendor partition.
- assumeFalse(
- "Boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
- assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
-
- grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
-
File vendorDiskImage = new File("/vendor/etc/avf/microdroid/microdroid_vendor.img");
assumeTrue("Microdroid vendor image doesn't exist, skip", vendorDiskImage.exists());
- VirtualMachineConfig config =
- newVmConfigBuilderWithPayloadBinary("MicrodroidTestNativeLib.so")
- .setVendorDiskImage(vendorDiskImage)
- .setDebugLevel(DEBUG_LEVEL_FULL)
- .build();
+ VirtualMachineConfig config = buildVmConfigWithVendor(vendorDiskImage);
VirtualMachine vm = forceCreateNewVirtualMachine("test_boot_with_vendor", config);
-
TestResults testResults =
runVmTestService(
TAG,
@@ -2184,40 +2183,57 @@
(ts, tr) -> {
tr.mMountFlags = ts.getMountFlags("/vendor");
});
-
assertThat(testResults.mException).isNull();
int expectedFlags = MS_NOATIME | MS_RDONLY;
assertThat(testResults.mMountFlags & expectedFlags).isEqualTo(expectedFlags);
}
@Test
- public void creationFailsWithUnsignedVendorPartition() throws Exception {
- assumeSupportedDevice();
- assumeFalse(
- "Cuttlefish doesn't support device tree under /proc/device-tree", isCuttlefish());
- // TODO(b/317567210): Boots fails with vendor partition in HWASAN enabled microdroid
- // after introducing verification based on DT and fstab in microdroid vendor partition.
- assumeFalse(
- "boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
- assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
+ public void bootsWithCustomVendorPartitionForNonPvm() throws Exception {
+ assumeNonProtectedVM();
+ File vendorDiskImage =
+ new File("/data/local/tmp/cts/microdroid/test_microdroid_vendor_image.img");
+ VirtualMachineConfig config = buildVmConfigWithVendor(vendorDiskImage);
- grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ VirtualMachine vm =
+ forceCreateNewVirtualMachine("test_boot_with_custom_vendor_non_pvm", config);
+ TestResults testResults =
+ runVmTestService(
+ TAG,
+ vm,
+ (ts, tr) -> {
+ tr.mMountFlags = ts.getMountFlags("/vendor");
+ });
+ assertThat(testResults.mException).isNull();
+ int expectedFlags = MS_NOATIME | MS_RDONLY;
+ assertThat(testResults.mMountFlags & expectedFlags).isEqualTo(expectedFlags);
+ }
- File unsignedVendorDiskImage =
- new File(
- "/data/local/tmp/cts/microdroid/test_microdroid_vendor_image_unsigned.img");
- VirtualMachineConfig config =
- newVmConfigBuilderWithPayloadBinary("MicrodroidTestNativeLib.so")
- .setVendorDiskImage(unsignedVendorDiskImage)
- .setDebugLevel(DEBUG_LEVEL_FULL)
- .build();
+ @Test
+ public void bootFailsWithCustomVendorPartitionForPvm() throws Exception {
+ assumeProtectedVM();
+ File vendorDiskImage =
+ new File("/data/local/tmp/cts/microdroid/test_microdroid_vendor_image.img");
+ VirtualMachineConfig config = buildVmConfigWithVendor(vendorDiskImage);
- BootResult bootResult = tryBootVmWithConfig(config, "test_boot_with_unsigned_vendor");
+ BootResult bootResult = tryBootVmWithConfig(config, "test_boot_with_custom_vendor_pvm");
assertThat(bootResult.payloadStarted).isFalse();
assertThat(bootResult.deathReason).isEqualTo(VirtualMachineCallback.STOP_REASON_REBOOT);
}
@Test
+ public void creationFailsWithUnsignedVendorPartition() throws Exception {
+ File vendorDiskImage =
+ new File(
+ "/data/local/tmp/cts/microdroid/test_microdroid_vendor_image_unsigned.img");
+ VirtualMachineConfig config = buildVmConfigWithVendor(vendorDiskImage);
+
+ VirtualMachine vm = forceCreateNewVirtualMachine("test_boot_with_unsigned_vendor", config);
+ assertThrowsVmExceptionContaining(
+ () -> vm.run(), "Failed to extract vendor hashtree digest");
+ }
+
+ @Test
public void systemPartitionMountFlags() throws Exception {
assumeSupportedDevice();
diff --git a/virtualizationmanager/Android.bp b/virtualizationmanager/Android.bp
index c46385c..d8f8209 100644
--- a/virtualizationmanager/Android.bp
+++ b/virtualizationmanager/Android.bp
@@ -32,6 +32,7 @@
"libandroid_logger",
"libanyhow",
"libapkverify",
+ "libavf_features",
"libavflog",
"libbase_rust",
"libbinder_rs",
@@ -41,6 +42,7 @@
"libcommand_fds",
"libdisk",
"libglob",
+ "libhex",
"libhypervisor_props",
"liblazy_static",
"liblibc",
@@ -61,6 +63,7 @@
"libshared_child",
"libstatslog_virtualization_rust",
"libtombstoned_client_rust",
+ "libvbmeta_rust",
"libvm_control",
"libvmconfig",
"libzip",
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index a2194cc..0655e5f 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -35,10 +35,6 @@
IVirtualMachine::{BnVirtualMachine, IVirtualMachine},
IVirtualMachineCallback::IVirtualMachineCallback,
IVirtualizationService::IVirtualizationService,
- IVirtualizationService::FEATURE_MULTI_TENANT,
- IVirtualizationService::FEATURE_VENDOR_MODULES,
- IVirtualizationService::FEATURE_DICE_CHANGES,
- IVirtualizationService::FEATURE_REMOTE_ATTESTATION,
MemoryTrimLevel::MemoryTrimLevel,
Partition::Partition,
PartitionType::PartitionType,
@@ -91,6 +87,7 @@
use std::os::unix::raw::pid_t;
use std::path::{Path, PathBuf};
use std::sync::{Arc, Mutex, Weak};
+use vbmeta::VbMetaImage;
use vmconfig::VmConfig;
use vsock::VsockStream;
use zip::ZipArchive;
@@ -306,19 +303,7 @@
/// Returns whether given feature is enabled
fn isFeatureEnabled(&self, feature: &str) -> binder::Result<bool> {
check_manage_access()?;
-
- // This approach is quite cumbersome, but will do the work for the short term.
- // TODO(b/298012279): make this scalable.
- match feature {
- FEATURE_DICE_CHANGES => Ok(cfg!(dice_changes)),
- FEATURE_MULTI_TENANT => Ok(cfg!(multi_tenant)),
- FEATURE_REMOTE_ATTESTATION => Ok(cfg!(remote_attestation)),
- FEATURE_VENDOR_MODULES => Ok(cfg!(vendor_modules)),
- _ => {
- warn!("unknown feature {feature}");
- Ok(false)
- }
- }
+ Ok(avf_features::is_feature_enabled(feature))
}
fn enableTestAttestation(&self) -> binder::Result<()> {
@@ -397,6 +382,23 @@
None
};
+ let vendor_hashtree_digest = extract_vendor_hashtree_digest(config)
+ .context("Failed to extract vendor hashtree digest")
+ .or_service_specific_exception(-1)?;
+
+ let trusted_props = if let Some(ref vendor_hashtree_digest) = vendor_hashtree_digest {
+ info!(
+ "Passing vendor hashtree digest to pvmfw. This will be rejected if it doesn't \
+ match the trusted digest in the pvmfw config, causing the VM to fail to start."
+ );
+ vec![(
+ cstr!("vendor_hashtree_descriptor_root_digest"),
+ vendor_hashtree_digest.as_slice(),
+ )]
+ } else {
+ vec![]
+ };
+
let untrusted_props = if cfg!(llpvm_changes) {
// TODO(b/291213394): Replace this with a per-VM instance Id.
let instance_id = b"sixtyfourbyteslonghardcoded_indeed_sixtyfourbyteslonghardcoded_h";
@@ -405,17 +407,23 @@
vec![]
};
- let device_tree_overlay = if host_ref_dt.is_some() || !untrusted_props.is_empty() {
- let dt_output = temporary_directory.join(VM_DT_OVERLAY_PATH);
- let mut data = [0_u8; VM_DT_OVERLAY_MAX_SIZE];
- let fdt = create_device_tree_overlay(&mut data, host_ref_dt, &untrusted_props)
+ let device_tree_overlay =
+ if host_ref_dt.is_some() || !untrusted_props.is_empty() || !trusted_props.is_empty() {
+ let dt_output = temporary_directory.join(VM_DT_OVERLAY_PATH);
+ let mut data = [0_u8; VM_DT_OVERLAY_MAX_SIZE];
+ let fdt = create_device_tree_overlay(
+ &mut data,
+ host_ref_dt,
+ &untrusted_props,
+ &trusted_props,
+ )
.map_err(|e| anyhow!("Failed to create DT overlay, {e:?}"))
.or_service_specific_exception(-1)?;
- fs::write(&dt_output, fdt.as_slice()).or_service_specific_exception(-1)?;
- Some(File::open(dt_output).or_service_specific_exception(-1)?)
- } else {
- None
- };
+ fs::write(&dt_output, fdt.as_slice()).or_service_specific_exception(-1)?;
+ Some(File::open(dt_output).or_service_specific_exception(-1)?)
+ } else {
+ None
+ };
let debug_level = match config {
VirtualMachineConfig::AppConfig(config) => config.debugLevel,
@@ -554,7 +562,6 @@
memory_mib: config.memoryMib.try_into().ok().and_then(NonZeroU32::new),
cpus,
host_cpu_topology,
- task_profiles: config.taskProfiles.clone(),
console_out_fd,
console_in_fd,
log_fd,
@@ -603,16 +610,46 @@
} else {
// Additional custom features not included in CustomConfig:
// - specifying a config file;
- // - specifying extra APKs.
+ // - specifying extra APKs;
+ // - specifying an OS other than Microdroid.
match &config.payload {
Payload::ConfigPath(_) => true,
- Payload::PayloadConfig(payload_config) => !payload_config.extraApks.is_empty(),
+ Payload::PayloadConfig(payload_config) => {
+ !payload_config.extraApks.is_empty()
+ || payload_config.osName != MICRODROID_OS_NAME
+ }
}
}
}
}
}
+fn extract_vendor_hashtree_digest(config: &VirtualMachineConfig) -> Result<Option<Vec<u8>>> {
+ let VirtualMachineConfig::AppConfig(config) = config else {
+ return Ok(None);
+ };
+ let Some(custom_config) = &config.customConfig else {
+ return Ok(None);
+ };
+ let Some(file) = custom_config.vendorImage.as_ref() else {
+ return Ok(None);
+ };
+
+ let file = clone_file(file)?;
+ let size =
+ file.metadata().context("Failed to get metadata from microdroid vendor image")?.len();
+ let vbmeta = VbMetaImage::verify_reader_region(&file, 0, size)
+ .context("Failed to get vbmeta from microdroid-vendor.img")?;
+
+ for descriptor in vbmeta.descriptors()?.iter() {
+ if let vbmeta::Descriptor::Hashtree(_) = descriptor {
+ let root_digest = hex::encode(descriptor.to_hashtree()?.root_digest());
+ return Ok(Some(root_digest.as_bytes().to_vec()));
+ }
+ }
+ Err(anyhow!("No hashtree digest is extracted from microdroid vendor image"))
+}
+
fn write_zero_filler(zero_filler_path: &Path) -> Result<()> {
let file = OpenOptions::new()
.create_new(true)
@@ -782,7 +819,6 @@
if let Some(file) = custom_config.customKernelImage.as_ref() {
vm_config.kernel = Some(ParcelFileDescriptor::new(clone_file(file)?))
}
- vm_config.taskProfiles = custom_config.taskProfiles.clone();
vm_config.gdbPort = custom_config.gdbPort;
if let Some(file) = custom_config.vendorImage.as_ref() {
diff --git a/virtualizationmanager/src/crosvm.rs b/virtualizationmanager/src/crosvm.rs
index 3380df3..ddd3e68 100644
--- a/virtualizationmanager/src/crosvm.rs
+++ b/virtualizationmanager/src/crosvm.rs
@@ -107,7 +107,6 @@
pub memory_mib: Option<NonZeroU32>,
pub cpus: Option<NonZeroU32>,
pub host_cpu_topology: bool,
- pub task_profiles: Vec<String>,
pub console_out_fd: Option<File>,
pub console_in_fd: Option<File>,
pub log_fd: Option<File>,
@@ -824,10 +823,6 @@
}
}
- if !config.task_profiles.is_empty() {
- command.arg("--task-profiles").arg(config.task_profiles.join(","));
- }
-
if let Some(gdb_port) = config.gdb_port {
command.arg("--gdb").arg(gdb_port.to_string());
}
diff --git a/virtualizationmanager/src/dt_overlay.rs b/virtualizationmanager/src/dt_overlay.rs
index 71d3a26..b39ba3a 100644
--- a/virtualizationmanager/src/dt_overlay.rs
+++ b/virtualizationmanager/src/dt_overlay.rs
@@ -31,15 +31,18 @@
/// * `dt_path` - (Optional) Path to (proc style) device tree to be included in the overlay.
/// * `untrusted_props` - Include a property in /avf/untrusted node. This node is used to specify
/// host provided properties such as `instance-id`.
+/// * `trusted_props` - Include a property in /avf node. This overwrites nodes included with
+/// `dt_path`. In pVM, pvmfw will reject if it doesn't match the value in pvmfw config.
///
-/// Example: with `create_device_tree_overlay(_, _, [("instance-id", _),])`
+/// Example: with `create_device_tree_overlay(_, _, [("instance-id", _),], [("digest", _),])`
/// ```
/// {
/// fragment@0 {
/// target-path = "/";
/// __overlay__ {
/// avf {
-/// untrusted { instance-id = [0x01 0x23 .. ] }
+/// digest = [ 0xaa 0xbb .. ]
+/// untrusted { instance-id = [ 0x01 0x23 .. ] }
/// }
/// };
/// };
@@ -50,36 +53,54 @@
buffer: &'a mut [u8],
dt_path: Option<&'a Path>,
untrusted_props: &[(&'a CStr, &'a [u8])],
+ trusted_props: &[(&'a CStr, &'a [u8])],
) -> Result<&'a mut Fdt> {
- if dt_path.is_none() && untrusted_props.is_empty() {
+ if dt_path.is_none() && untrusted_props.is_empty() && trusted_props.is_empty() {
return Err(anyhow!("Expected at least one device tree addition"));
}
let fdt =
Fdt::create_empty_tree(buffer).map_err(|e| anyhow!("Failed to create empty Fdt: {e:?}"))?;
- let root = fdt.root_mut().map_err(|e| anyhow!("Failed to get root: {e:?}"))?;
- let mut node =
- root.add_subnode(cstr!("fragment@0")).map_err(|e| anyhow!("Failed to fragment: {e:?}"))?;
- node.setprop(cstr!("target-path"), b"/\0")
- .map_err(|e| anyhow!("Failed to set target-path: {e:?}"))?;
- let node = node
+ let root = fdt.root_mut().map_err(|e| anyhow!("Failed to get root node: {e:?}"))?;
+ let mut fragment = root
+ .add_subnode(cstr!("fragment@0"))
+ .map_err(|e| anyhow!("Failed to add fragment node: {e:?}"))?;
+ fragment
+ .setprop(cstr!("target-path"), b"/\0")
+ .map_err(|e| anyhow!("Failed to set target-path property: {e:?}"))?;
+ let overlay = fragment
.add_subnode(cstr!("__overlay__"))
- .map_err(|e| anyhow!("Failed to __overlay__ node: {e:?}"))?;
+ .map_err(|e| anyhow!("Failed to add __overlay__ node: {e:?}"))?;
+ let avf =
+ overlay.add_subnode(AVF_NODE_NAME).map_err(|e| anyhow!("Failed to add avf node: {e:?}"))?;
if !untrusted_props.is_empty() {
- let mut node = node
- .add_subnode(AVF_NODE_NAME)
- .map_err(|e| anyhow!("Failed to add avf node: {e:?}"))?
+ let mut untrusted = avf
.add_subnode(UNTRUSTED_NODE_NAME)
- .map_err(|e| anyhow!("Failed to add /avf/untrusted node: {e:?}"))?;
+ .map_err(|e| anyhow!("Failed to add untrusted node: {e:?}"))?;
for (name, value) in untrusted_props {
- node.setprop(name, value).map_err(|e| anyhow!("Failed to set property: {e:?}"))?;
+ untrusted
+ .setprop(name, value)
+ .map_err(|e| anyhow!("Failed to set untrusted property: {e:?}"))?;
}
}
+ // Read dt_path from host DT and overlay onto fdt.
if let Some(path) = dt_path {
fdt.overlay_onto(cstr!("/fragment@0/__overlay__"), path)?;
}
+
+ if !trusted_props.is_empty() {
+ let mut avf = fdt
+ .node_mut(cstr!("/fragment@0/__overlay__/avf"))
+ .map_err(|e| anyhow!("Failed to search avf node: {e:?}"))?
+ .ok_or(anyhow!("Failed to get avf node"))?;
+ for (name, value) in trusted_props {
+ avf.setprop(name, value)
+ .map_err(|e| anyhow!("Failed to set trusted property: {e:?}"))?;
+ }
+ }
+
fdt.pack().map_err(|e| anyhow!("Failed to pack DT overlay, {e:?}"))?;
Ok(fdt)
@@ -92,7 +113,7 @@
#[test]
fn empty_overlays_not_allowed() {
let mut buffer = vec![0_u8; VM_DT_OVERLAY_MAX_SIZE];
- let res = create_device_tree_overlay(&mut buffer, None, &[]);
+ let res = create_device_tree_overlay(&mut buffer, None, &[], &[]);
assert!(res.is_err());
}
@@ -102,7 +123,8 @@
let prop_name = cstr!("XOXO");
let prop_val_input = b"OXOX";
let fdt =
- create_device_tree_overlay(&mut buffer, None, &[(prop_name, prop_val_input)]).unwrap();
+ create_device_tree_overlay(&mut buffer, None, &[(prop_name, prop_val_input)], &[])
+ .unwrap();
let prop_value_dt = fdt
.node(cstr!("/fragment@0/__overlay__/avf/untrusted"))
@@ -113,4 +135,23 @@
.expect("Prop not found!");
assert_eq!(prop_value_dt, prop_val_input, "Unexpected property value");
}
+
+ #[test]
+ fn trusted_prop_test() {
+ let mut buffer = vec![0_u8; VM_DT_OVERLAY_MAX_SIZE];
+ let prop_name = cstr!("XOXOXO");
+ let prop_val_input = b"OXOXOX";
+ let fdt =
+ create_device_tree_overlay(&mut buffer, None, &[], &[(prop_name, prop_val_input)])
+ .unwrap();
+
+ let prop_value_dt = fdt
+ .node(cstr!("/fragment@0/__overlay__/avf"))
+ .unwrap()
+ .expect("/avf node doesn't exist")
+ .getprop(prop_name)
+ .unwrap()
+ .expect("Prop not found!");
+ assert_eq!(prop_value_dt, prop_val_input, "Unexpected property value");
+ }
}
diff --git a/virtualizationservice/Android.bp b/virtualizationservice/Android.bp
index e0bb97f..843873b 100644
--- a/virtualizationservice/Android.bp
+++ b/virtualizationservice/Android.bp
@@ -39,7 +39,6 @@
"libopenssl",
"librkpd_client",
"librustutils",
- "libvmclient",
"libstatslog_virtualization_rust",
"libtombstoned_client_rust",
"libvsock",
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
index 7962bc3..f7bbf55 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
@@ -23,6 +23,7 @@
interface IVirtualizationService {
const String FEATURE_DICE_CHANGES = "com.android.kvm.DICE_CHANGES";
+ const String FEATURE_LLPVM_CHANGES = "com.android.kvm.LLPVM_CHANGES";
const String FEATURE_MULTI_TENANT = "com.android.kvm.MULTI_TENANT";
const String FEATURE_REMOTE_ATTESTATION = "com.android.kvm.REMOTE_ATTESTATION";
const String FEATURE_VENDOR_MODULES = "com.android.kvm.VENDOR_MODULES";
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
index 9021055..8302a2f 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
@@ -101,11 +101,6 @@
*/
int gdbPort = 0;
- /**
- * List of task profile names to apply for the VM
- */
- String[] taskProfiles;
-
/** A disk image containing vendor specific modules. */
@nullable ParcelFileDescriptor vendorImage;
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl
index 7c0ed0c..6be2833 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl
@@ -60,11 +60,6 @@
@utf8InCpp String platformVersion;
/**
- * List of task profile names to apply for the VM
- */
- String[] taskProfiles;
-
- /**
* Port at which crosvm will start a gdb server to debug guest kernel.
* If set to zero, then gdb server won't be started.
*/
diff --git a/virtualizationservice/src/atom.rs b/virtualizationservice/src/atom.rs
index 862646b..6e0064f 100644
--- a/virtualizationservice/src/atom.rs
+++ b/virtualizationservice/src/atom.rs
@@ -47,7 +47,6 @@
cpu_affinity: "", // deprecated
memory_mib: atom.memoryMib,
apexes: &atom.apexes,
- // TODO(seungjaeyoo) Fill information about task_profile
// TODO(seungjaeyoo) Fill information about disk_image for raw config
};
diff --git a/vm/Android.bp b/vm/Android.bp
index 04aff5e..c1d9b6b 100644
--- a/vm/Android.bp
+++ b/vm/Android.bp
@@ -12,6 +12,7 @@
rustlibs: [
"android.system.virtualizationservice-rust",
"libanyhow",
+ "libavf_features",
"libbinder_rs",
"libclap",
"libenv_logger",
diff --git a/vm/src/main.rs b/vm/src/main.rs
index de9291c..355e193 100644
--- a/vm/src/main.rs
+++ b/vm/src/main.rs
@@ -45,10 +45,6 @@
#[arg(long, default_value = "one_cpu", value_parser = parse_cpu_topology)]
cpu_topology: CpuTopology,
- /// Comma separated list of task profile names to apply to the VM
- #[arg(long)]
- task_profiles: Vec<String>,
-
/// Memory size (in MiB) of the VM. If unspecified, defaults to the value of `memory_mib`
/// in the VM config file.
#[arg(short, long)]
@@ -232,6 +228,8 @@
#[derive(Parser)]
enum Opt {
+ /// Check if the feature is enabled on device.
+ CheckFeatureEnabled { feature: String },
/// Run a virtual machine with a config in APK
RunApp {
#[command(flatten)]
@@ -304,6 +302,13 @@
virtmgr.connect().context("Failed to connect to VirtualizationService")
}
+fn command_check_feature_enabled(feature: &str) {
+ println!(
+ "Feature {feature} is {}",
+ if avf_features::is_feature_enabled(feature) { "enabled" } else { "disabled" }
+ );
+}
+
fn main() -> Result<(), Error> {
env_logger::init();
let opt = Opt::parse();
@@ -312,6 +317,10 @@
ProcessState::start_thread_pool();
match opt {
+ Opt::CheckFeatureEnabled { feature } => {
+ command_check_feature_enabled(&feature);
+ Ok(())
+ }
Opt::RunApp { config } => command_run_app(config),
Opt::RunMicrodroid { config } => command_run_microdroid(config),
Opt::Run { config } => command_run(config),
diff --git a/vm/src/run.rs b/vm/src/run.rs
index 1d2f48b..5a4a459 100644
--- a/vm/src/run.rs
+++ b/vm/src/run.rs
@@ -136,7 +136,6 @@
let custom_config = CustomConfig {
customKernelImage: None,
gdbPort: config.debug.gdb.map(u16::from).unwrap_or(0) as i32, // 0 means no gdb
- taskProfiles: config.common.task_profiles,
vendorImage: vendor,
devices: config
.microdroid
@@ -235,7 +234,6 @@
vm_config.gdbPort = gdb.get() as i32;
}
vm_config.cpuTopology = config.common.cpu_topology;
- vm_config.taskProfiles = config.common.task_profiles;
run(
get_service()?.as_ref(),
&VirtualMachineConfig::RawConfig(vm_config),
diff --git a/vm_payload/README.md b/vm_payload/README.md
index ec4dc59..419d854 100644
--- a/vm_payload/README.md
+++ b/vm_payload/README.md
@@ -9,7 +9,7 @@
available in the VM, and only 64 bit code is supported.
To create a VM and run the payload from Android see the [AVF Java
-APIs](../javalib/README.md).
+APIs](../java/framework/README.md).
## Entry point