Only allow pVMs to request access to tee services
Bug: 360102915
Bug: 391774181
Test: presubmit
Change-Id: I58e5c2554b4543685df3e56200fa0a2e6e286227
diff --git a/android/virtmgr/src/aidl.rs b/android/virtmgr/src/aidl.rs
index a47aa23..d53138f 100644
--- a/android/virtmgr/src/aidl.rs
+++ b/android/virtmgr/src/aidl.rs
@@ -727,7 +727,10 @@
*is_protected = config.protectedVm;
if !config.teeServices.is_empty() {
- // TODO(ioffe): only pVMs should be able to request access to teeServices.
+ if !config.protectedVm {
+ return Err(anyhow!("only protected VMs can request tee services"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+ }
check_tee_service_permission(&caller_secontext, &config.teeServices)
.with_log()
.or_binder_exception(ExceptionCode::SECURITY)?;
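Review bot: The new rejection under `if !config.protectedVm` returns without `.with_log()`, unlike the `check_tee_service_permission` call right below it, so a non-protected VM asking for teeServices is probably refused without a log entry on this path (assuming `with_log` is what records the error). I would chain it the same way: `return Err(anyhow!("only protected VMs can request tee services")).with_log().or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);`. Since the removed TODO was the only explanation of the rule, a short comment above the check would help, e.g. `// teeServices are only available to pVMs; reject before the per-caller permission check.` The commit lists only presubmit under Test, so a case asserting that a non-protected config with a non-empty `teeServices` is refused would pin this behaviour. The enclosing function starts and ends outside the hunk, so whether other config paths can reach tee services is not visible here.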
@@ -750,7 +753,7 @@
.or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
}
- // TODO(ioffe): remove this check in a follow-up patch.
+ // TODO(b/391774181): remove this check in a follow-up patch.
if !system_tee_services.is_empty() {
return Err(anyhow!("support for system tee services is coming soon!"))
.or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);