Basic Keystore availability test
Look up the Keystore service from the test payload to make sure it can
be found and communicated with.
Bug: 190578423
Test: atest MicrodroidHostTestCases
Change-Id: I1dd863202b7de5405658ee5e922b955e3cba6741
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 6424988..55d1eae 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -77,6 +77,8 @@
"cgroups.json",
"public.libraries.android.txt",
+ "android.system.keystore2-V1-ndk_platform",
+
// TODO(b/185767624): remove hidl after full keymint support
"hwservicemanager",
diff --git a/microdroid/sepolicy/system/private/keystore_keys.te b/microdroid/sepolicy/system/private/keystore_keys.te
index 2f97608..03625dc 100644
--- a/microdroid/sepolicy/system/private/keystore_keys.te
+++ b/microdroid/sepolicy/system/private/keystore_keys.te
@@ -20,3 +20,6 @@
# A keystore2 namespace for resume on reboot.
type resume_on_reboot_key, keystore2_key_type;
+# A keystore2 namespace for VM payloads.
+type vm_payload_key, keystore2_key_type;
+
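Review bot: The new `vm_payload_key` type is declared here, but nothing in this commit maps a Keystore2 namespace to it; Keystore2 resolves Domain::SELINUX keys through a namespace-to-type mapping (presumably a keystore2_key_contexts file in microdroid's sepolicy), so unless that entry exists elsewhere the allow rule added in microdroid_launcher.te will never be consulted and payload key operations will be denied. If the mapping is intentionally left for a follow-up, the commit description should say so. The hunk also adds a trailing empty line after the type declaration, leaving the file ending in a blank line that the existing entries above do not have.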
diff --git a/microdroid/sepolicy/system/private/microdroid_launcher.te b/microdroid/sepolicy/system/private/microdroid_launcher.te
index 5a313b6..6bcd4f1 100644
--- a/microdroid/sepolicy/system/private/microdroid_launcher.te
+++ b/microdroid/sepolicy/system/private/microdroid_launcher.te
@@ -24,3 +24,18 @@
# Allow to set debug prop
set_prop(microdroid_launcher, debug_prop)
+
+# Talk to binder services (for keystore)
+binder_use(microdroid_launcher);
+
+# Allow payloads to use keystore
+use_keystore(microdroid_launcher);
+
+# Allow payloads to use and manage their keys
+allow microdroid_launcher vm_payload_key:keystore2_key {
+ delete
+ get_info
+ manage_blob
+ rebind
+ use
+};
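Review bot: The two macro invocations `binder_use(microdroid_launcher);` and `use_keystore(microdroid_launcher);` carry trailing semicolons, while the existing `set_prop(microdroid_launcher, debug_prop)` just above does not; the macros already expand to complete statements, so the semicolons are at best noise and should be dropped for consistency, i.e. `binder_use(microdroid_launcher)` and `use_keystore(microdroid_launcher)`. Separately, the allow rule grants `manage_blob`, which is broader than the comment "use and manage their keys" suggests: it permits the caller to handle raw key blobs itself rather than keys held under Keystore's own storage. If VM payloads only need alias-based keys in their namespace, dropping `manage_blob` keeps the grant to what the test actually exercises; if it is needed, the comment should state why.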