Pass a VM secret to KeyMint from microdroid_manager

This secret will be used to protect the keyblobs so that only a VM that
gets the same secret will be able to use those blobs. It is held in a
system property so that it won't be lost should KeyMint happen to
restart and has SELinux rules to ensure only microdroid_manager can set
the value and only KeyMint can read the value.

Bug: 190578423
Test: atest MicrodroidHostTestCases
Change-Id: I675cc9d6e9942090a761b83a6b9456b5c9909747

diff --git a/microdroid/sepolicy/system/private/domain.te b/microdroid/sepolicy/system/private/domain.te
index 54423ec..da811ed 100644
--- a/microdroid/sepolicy/system/private/domain.te
+++ b/microdroid/sepolicy/system/private/domain.te
@@ -218,7 +218,7 @@
# workaround for supressing property accesses.
# TODO: remove these
-set_prop(domain, property_type)
+set_prop(domain, property_type -vmsecret_keymint_prop)
# auditallow { domain -init } property_type:property_service set;
# auditallow { domain -init } property_type:file rw_file_perms;
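Review bot: On the `+set_prop(domain, property_type -vmsecret_keymint_prop)` line, the restriction is expressed only as a subtraction from a blanket allow that the comment above marks as a workaround to be removed, and only for the set side. The commit message promises that only microdroid_manager can set the value and only KeyMint can read it, but nothing in this hunk asserts either. I would back the carve-out with neverallow rules on `vmsecret_keymint_prop` (one for `property_service set`, one for reading the property file) so the build fails if a later rule widens access, and check whether this file has an equivalent blanket read grant that needs the same `-vmsecret_keymint_prop` exclusion. A one-line comment next to the changed rule saying why this type is excluded would also help whoever picks up the `TODO: remove these`.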