Add new USE_RELAXED_MICRODROID_ROLLBACK_PROTECTION permission
This permission can be used by the payloads delivered via mainline
modules to relax Microdroid's rollback protection schema.
Bug: 378681279
Test: presubmit
Change-Id: I3b7ce0aaa3151794e693dbdd55347fe7b947782f
diff --git a/android/android.system.virtualmachine.res/AndroidManifest.xml b/android/android.system.virtualmachine.res/AndroidManifest.xml
index ebcb8ba..c38d2b1 100644
--- a/android/android.system.virtualmachine.res/AndroidManifest.xml
+++ b/android/android.system.virtualmachine.res/AndroidManifest.xml
@@ -40,5 +40,14 @@
<permission android:name="android.permission.DEBUG_VIRTUAL_MACHINE"
android:protectionLevel="signature" />
+ <!-- @hide Makes Microdroid pVM use a more relaxed rollback protection scheme.
+ Should only be used by payloads delivered inside Mainline modules.
+ See packages/modules/Virtualization/docs/mainline_module_payload.md.
+ <p>Protection level: signature|development|privileged
+ -->
+ <permission android:name="android.permission.USE_RELAXED_MICRODROID_ROLLBACK_PROTECTION"
+ android:protectionLevel="signature|development|privileged" />
+
+
<application android:hasCode="false" />
</manifest>
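Review bot: Two blank lines are added after the new `<permission>` element (the two consecutive empty `+` lines before `<application android:hasCode="false" />`), while the rest of the manifest separates elements with a single blank line; drop one of them. Also, the `development` flag in `signature|development|privileged` means the permission can be granted to an app by the shell (`pm grant`) without a platform signature, which is convenient for testing but widens who can weaken the rollback protection scheme; the `@hide` comment should say that explicitly, and it should point out that a relaxed scheme lets an older, rolled-back payload version reach secrets that the normal scheme would deny it, so the permission is meant only for the Mainline-delivered payloads the comment names.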
diff --git a/docs/mainline_module_payload.md b/docs/mainline_module_payload.md
new file mode 100644
index 0000000..84617f0
--- /dev/null
+++ b/docs/mainline_module_payload.md
@@ -0,0 +1,19 @@
+# Delivery Microdroid pVM payload via Mainline modules
+
+There are several additional challenges when a Microdroid pVM payload is
+delivered inside a Mainline module.
+
+## Mainline rollbacks
+
+Mainline modules are expected to be rolled back on a device in case a problem
+with a Mainline release has been detected. This doesn't work well with the
+rollback protection of Microdroid pVMs - if a payload is updated, then a
+previous version of the payload is not allowed to access it's secrets.
+
+To work around this challenge, payloads delivered via Mainline modules are
+expected to request
+`android.permission.USE_RELAXED_MICRODROID_ROLLBACK_PROTECTION` privileged
+permission.
+
+TODO(ioffe): add more context on how permission is used once the implementation
+is done.
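Review bot: The doc calls this a "privileged permission", but the manifest in this change declares it `signature|development|privileged` and `@hide`; state the full protection level and the hidden status here so payload authors do not take it for a public, privileged-only API. The "Mainline rollbacks" section would also benefit from one sentence on what the relaxed scheme trades away: under normal rollback protection a downgraded payload cannot access its secrets, and the relaxed scheme restores that access, which is exactly why the permission must stay limited to payloads that actually ship inside Mainline modules. Minor typos in the added text: the title "Delivery Microdroid pVM payload" should read "Delivering a Microdroid pVM payload", and "it's secrets" should be "its secrets".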