Pass a VM secret to KeyMint from microdroid_manager
This secret will be used to protect the keyblobs so that only a VM that
gets the same secret will be able to use those blobs. It is held in a
system property so that it won't be lost should KeyMint happen to
restart and has SELinux rules to ensure only microdroid_manager can set
the value and only KeyMint can read the value.
Bug: 190578423
Test: atest MicrodroidHostTestCases
Change-Id: I675cc9d6e9942090a761b83a6b9456b5c9909747
diff --git a/microdroid_manager/Android.bp b/microdroid_manager/Android.bp
index 15c439b..902b5da 100644
--- a/microdroid_manager/Android.bp
+++ b/microdroid_manager/Android.bp
@@ -12,6 +12,7 @@
"libanyhow",
"libkernlog",
"libkeystore2_system_property-rust",
+ "liblibc",
"liblog_rust",
"libmicrodroid_metadata",
"libmicrodroid_payload_config",
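Review bot: `"liblibc"` is added to the dependency list, but neither of the `main.rs` hunks shown in this change references `libc`; the only new calls are `keystore2_system_property::write` and `warn!`. If nothing else in the change uses it, drop the line so the component that sets the VM secret does not link more than it needs. If it is required by code outside the visible hunks, a short mention in the commit message would make the reason clear.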
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index d88ba1a..1506142 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -19,7 +19,7 @@
use anyhow::{anyhow, bail, Result};
use keystore2_system_property::PropertyWatcher;
-use log::{error, info};
+use log::{error, info, warn};
use microdroid_payload_config::{Task, TaskType, VmPayloadConfig};
use std::fs::{self, File};
use std::os::unix::io::{FromRawFd, IntoRawFd};
@@ -39,6 +39,11 @@
if !metadata.payload_config_path.is_empty() {
let config = load_config(Path::new(&metadata.payload_config_path))?;
+ let fake_secret = "This is a placeholder for a value that is derived from the images that are loaded in the VM.";
+ if let Err(err) = keystore2_system_property::write("ro.vmsecret.keymint", fake_secret) {
+ warn!("failed to set ro.vmsecret.keymint: {}", err);
+ }
+
// TODO(jooyung): wait until sys.boot_completed?
if let Some(main_task) = &config.task {
exec_task(main_task).map_err(|e| {
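Review bot: A failed write of `ro.vmsecret.keymint` is only logged with `warn!`, and the payload task is then started anyway, so the VM keeps running with no secret set. What KeyMint does when the property is missing is not visible here, but if it falls back to a default the keyblob binding described in the commit message is silently lost. The enclosing function (which starts and ends outside the hunk) already propagates errors with `?`, so consider failing closed: `keystore2_system_property::write("ro.vmsecret.keymint", fake_secret).map_err(|e| anyhow!("failed to set ro.vmsecret.keymint: {}", e))?;`. That would leave the new `warn` import unused, and if the write is expected to fail on a restart because `ro.` properties are write-once, that case needs handling explicitly. Separately, `fake_secret` is the same constant in every VM and so gives no per-VM isolation; mark it with something like `// TODO(b/190578423): derive from the loaded images; this constant does not isolate VMs from each other`.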