Merge "Use SDK_INT_FULL as the tag for the debian image" into main
diff --git a/android/TerminalApp/java/com/android/virtualization/terminal/ConfigJson.java b/android/TerminalApp/java/com/android/virtualization/terminal/ConfigJson.java
index bd1af49..b79e346 100644
--- a/android/TerminalApp/java/com/android/virtualization/terminal/ConfigJson.java
+++ b/android/TerminalApp/java/com/android/virtualization/terminal/ConfigJson.java
@@ -92,12 +92,7 @@
rules.put("\\$PAYLOAD_DIR", InstalledImage.getDefault(context).getInstallDir().toString());
rules.put("\\$USER_ID", String.valueOf(context.getUserId()));
rules.put("\\$PACKAGE_NAME", context.getPackageName());
- String appDataDir = context.getDataDir().toString();
- // TODO: remove this hack
- if (context.getUserId() == 0) {
- appDataDir = "/data/data/" + context.getPackageName();
- }
- rules.put("\\$APP_DATA_DIR", appDataDir);
+ rules.put("\\$APP_DATA_DIR", context.getDataDir().toString());
try (BufferedReader br = new BufferedReader(r)) {
return br.lines()
diff --git a/android/virtmgr/src/aidl.rs b/android/virtmgr/src/aidl.rs
index 0f81f3d..e9074c6 100644
--- a/android/virtmgr/src/aidl.rs
+++ b/android/virtmgr/src/aidl.rs
@@ -889,34 +889,18 @@
.context("Failed to extract vendor hashtree digest")
.or_service_specific_exception(-1)?;
- let vendor_hashtree_digest = if let Some(ref vendor_hashtree_digest) = vendor_hashtree_digest {
+ let mut trusted_props = if let Some(ref vendor_hashtree_digest) = vendor_hashtree_digest {
info!(
"Passing vendor hashtree digest to pvmfw. This will be rejected if it doesn't \
match the trusted digest in the pvmfw config, causing the VM to fail to start."
);
- Some((cstr!("vendor_hashtree_descriptor_root_digest"), vendor_hashtree_digest.as_slice()))
+ vec![(cstr!("vendor_hashtree_descriptor_root_digest"), vendor_hashtree_digest.as_slice())]
} else {
- None
+ vec![]
};
- let key_material;
- let secretkeeper_public_key = if is_secretkeeper_supported() {
- let sk: Strong<dyn ISecretkeeper> = binder::wait_for_interface(SECRETKEEPER_IDENTIFIER)?;
- if sk.getInterfaceVersion()? >= 2 {
- let PublicKey { keyMaterial } = sk.getSecretkeeperIdentity()?;
- key_material = keyMaterial;
- Some((cstr!("secretkeeper_public_key"), key_material.as_slice()))
- } else {
- None
- }
- } else {
- None
- };
-
- let trusted_props: Vec<(&CStr, &[u8])> =
- vec![vendor_hashtree_digest, secretkeeper_public_key].into_iter().flatten().collect();
-
let instance_id;
+ let key_material;
let mut untrusted_props = Vec::with_capacity(2);
if cfg!(llpvm_changes) {
instance_id = extract_instance_id(config);
@@ -925,7 +909,14 @@
if want_updatable && is_secretkeeper_supported() {
// Let guest know that it can defer rollback protection to Secretkeeper by setting
// an empty property in untrusted node in DT. This enables Updatable VMs.
- untrusted_props.push((cstr!("defer-rollback-protection"), &[]))
+ untrusted_props.push((cstr!("defer-rollback-protection"), &[]));
+ let sk: Strong<dyn ISecretkeeper> =
+ binder::wait_for_interface(SECRETKEEPER_IDENTIFIER)?;
+ if sk.getInterfaceVersion()? >= 2 {
+ let PublicKey { keyMaterial } = sk.getSecretkeeperIdentity()?;
+ key_material = keyMaterial;
+ trusted_props.push((cstr!("secretkeeper_public_key"), key_material.as_slice()));
+ }
}
}
diff --git a/android/vm_demo_native/main.cpp b/android/vm_demo_native/main.cpp
index d7ff02e..e1acc05 100644
--- a/android/vm_demo_native/main.cpp
+++ b/android/vm_demo_native/main.cpp
@@ -361,8 +361,10 @@
// This is the main routine that follows the steps in order
Result<void> inner_main() {
- TemporaryDir work_dir;
- std::string work_dir_path(work_dir.path);
+ std::string work_dir_path("/data/local/tmp/vm_demo/");
+ if (mkdir(work_dir_path.c_str(), 0700) == -1 && errno != EEXIST) {
+ return ErrnoError() << "failed to create working directory " << work_dir_path.c_str();
+ }
// Step 1: connect to the virtualizationservice
unique_fd fd = OR_RETURN(get_service_fd());
diff --git a/build/debian/release.sh b/build/debian/release.sh
index 437f9c8..8f89e21 100755
--- a/build/debian/release.sh
+++ b/build/debian/release.sh
@@ -83,7 +83,7 @@
local image=$(get_image_path ${arch} ${build_id})
local tag=${tag:-${build_id}}
- local serving_url=/android/ferrochrome/${arch}/${tag}/${image_filename}
+ local serving_url=/android/ferrochrome/${tag}/${arch}/${image_filename}
echo "Releasing ${image} to ${serving_url}"
local request='payload : { url_path: '"\"${serving_url}\""' source_path : '"\"${image}\""' }'
diff --git a/build/microdroid/Android.bp b/build/microdroid/Android.bp
index f750f62..68b715d 100644
--- a/build/microdroid/Android.bp
+++ b/build/microdroid/Android.bp
@@ -487,7 +487,7 @@
],
}
-flag_aware_avb_add_hash_footer_defaults {
+avb_add_hash_footer_defaults {
name: "microdroid_kernel_signed_defaults",
src: ":empty_file",
partition_name: "boot",
@@ -502,10 +502,16 @@
enabled: true,
},
},
+}
+
+MICRODROID_GKI_ROLLBACK_INDEX = 1
+
+flag_aware_avb_add_hash_footer_defaults {
+ name: "microdroid_kernel_cap_defaults",
// Below are properties that are conditionally set depending on value of build flags.
soong_config_variables: {
release_avf_enable_llpvm_changes: {
- rollback_index: 1,
+ rollback_index: MICRODROID_GKI_ROLLBACK_INDEX,
props: [
{
name: "com.android.virt.cap",
@@ -516,9 +522,36 @@
},
}
+flag_aware_avb_add_hash_footer_defaults {
+ name: "microdroid_kernel_cap_with_uefi_defaults",
+ // Below are properties that are conditionally set depending on value of build flags.
+ soong_config_variables: {
+ release_avf_enable_llpvm_changes: {
+ rollback_index: MICRODROID_GKI_ROLLBACK_INDEX,
+ props: [
+ {
+ name: "com.android.virt.cap",
+ value: "secretkeeper_protection|supports_uefi_boot",
+ },
+ ],
+ conditions_default: {
+ props: [
+ {
+ name: "com.android.virt.cap",
+ value: "supports_uefi_boot",
+ },
+ ],
+ },
+ },
+ },
+}
+
avb_add_hash_footer {
name: "microdroid_kernel_signed",
- defaults: ["microdroid_kernel_signed_defaults"],
+ defaults: [
+ "microdroid_kernel_signed_defaults",
+ "microdroid_kernel_cap_defaults",
+ ],
filename: "microdroid_kernel",
arch: {
arm64: {
@@ -550,7 +583,10 @@
avb_add_hash_footer {
name: "microdroid_kernel_16k_signed",
- defaults: ["microdroid_kernel_signed_defaults"],
+ defaults: [
+ "microdroid_kernel_signed_defaults",
+ "microdroid_kernel_cap_defaults",
+ ],
filename: "microdroid_kernel_16k",
arch: {
arm64: {
@@ -590,10 +626,9 @@
src: "microdroid_gki-android15-6.6.json",
}
-avb_add_hash_footer {
- name: "microdroid_gki-android15-6.6_kernel_signed",
+avb_add_hash_footer_defaults {
+ name: "microdroid_gki_kernel_signed_defaults",
defaults: ["microdroid_kernel_signed_defaults"],
- filename: "microdroid_gki-android15-6.6_kernel_signed",
arch: {
arm64: {
src: ":microdroid_gki_kernel_prebuilts-android15-6.6-arm64",
@@ -608,6 +643,24 @@
],
}
+avb_add_hash_footer {
+ name: "microdroid_gki-android15-6.6_kernel_signed",
+ defaults: [
+ "microdroid_gki_kernel_signed_defaults",
+ "microdroid_kernel_cap_defaults",
+ ],
+ filename: "microdroid_gki-android15-6.6_kernel_signed",
+}
+
+avb_add_hash_footer {
+ name: "microdroid_gki-android15-6.6_kernel_signed_supports_uefi_boot",
+ defaults: [
+ "microdroid_gki_kernel_signed_defaults",
+ "microdroid_kernel_cap_with_uefi_defaults",
+ ],
+ filename: "microdroid_gki-android15-6.6_kernel_signed_supports_uefi_boot",
+}
+
// HACK: use cc_genrule for arch-specific properties
cc_genrule {
name: "microdroid_gki-android15-6.6_kernel_signed-lz4",
diff --git a/guest/trusty/test_vm/Android.bp b/guest/trusty/test_vm/Android.bp
new file mode 100644
index 0000000..d10bf6e
--- /dev/null
+++ b/guest/trusty/test_vm/Android.bp
@@ -0,0 +1,76 @@
+// Copyright (C) 2024 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+ default_team: "trendy_team_trusty",
+}
+
+// python -c "import hashlib; print(hashlib.sha256(b'trusty_test_vm_salt').hexdigest())"
+trusty_test_vm_salt = "5ce3eab1a08540e1334c83f54b8608aa6c23feee6939693cac41441449c5a51f"
+
+TRUSTY_TEST_VM_VERSION = 1
+
+avb_add_hash_footer {
+ name: "trusty_test_vm_signed",
+ filename: "trusty_test_vm_signed",
+ partition_name: "boot",
+ private_key: ":trusty_vm_sign_key",
+ salt: trusty_test_vm_salt,
+ rollback_index: TRUSTY_TEST_VM_VERSION,
+ src: ":empty_file",
+ enabled: false,
+ arch: {
+ x86_64: {
+ src: ":trusty-test-lk.elf",
+ enabled: true,
+ },
+ },
+}
+
+prebuilt_etc {
+ name: "trusty_test_vm_config",
+ enabled: false,
+ arch: {
+ x86_64: {
+ src: "vm_config_lk_x86_64.json",
+ enabled: true,
+ },
+ },
+ filename: "trusty-test_vm-config.json",
+}
+
+sh_test {
+ name: "TrustyTestVM_UnitTests",
+ src: "trusty-ut-ctrl.sh",
+ filename_from_src: true,
+ data: [
+ ":trusty_test_vm_signed",
+ ":trusty_test_vm_config",
+ "trusty-vm-launcher.sh",
+ "trusty-wait-ready.sh",
+ ],
+ // TODO(b/378367793) use the AndroidTest.xml generated from the trusty
+ // test-map for test_vm payload
+ test_config_template: "AndroidTest.xml",
+ test_suites: [
+ "general-tests",
+ ],
+ enabled: false,
+ arch: {
+ x86_64: {
+ enabled: true,
+ },
+ },
+}
diff --git a/guest/trusty/test_vm/AndroidTest.xml b/guest/trusty/test_vm/AndroidTest.xml
new file mode 100644
index 0000000..d8710ab
--- /dev/null
+++ b/guest/trusty/test_vm/AndroidTest.xml
@@ -0,0 +1,109 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ Copyright 2024 The Android Open Source Project
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+ <configuration description="Runs {MODULE}">
+ <!-- object type="module_controller" class="com.android.tradefed.testtype.suite.module.CommandSuccessModuleController" -->
+ <!--Skip the test when trusty VM is not enabled. -->
+ <!--option name="run-command" value="getprop trusty.test_vm.nonsecure_vm_ready | grep 1" /-->
+ <!--/object-->
+ <target_preparer class="com.android.tradefed.targetprep.RootTargetPreparer" />
+ <!-- Target Preparers - Run Shell Commands -->
+ <target_preparer class="com.android.tradefed.targetprep.PushFilePreparer">
+ <option name="cleanup" value="true" />
+ <option name="push-file" key="trusty-ut-ctrl.sh" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh" />
+ <option name="push-file" key="trusty-vm-launcher.sh" value="/data/local/tmp/trusty_test_vm/trusty-vm-launcher.sh" />
+ <option name="push-file" key="trusty-wait-ready.sh" value="/data/local/tmp/trusty_test_vm/trusty-wait-ready.sh" />
+ <option name="push-file" key="trusty-test_vm-config.json" value="/data/local/tmp/trusty_test_vm/trusty-test_vm-config.json" />
+ <option name="push-file" key="trusty_test_vm_signed" value="/data/local/tmp/trusty_test_vm/trusty_test_vm_signed" />
+ </target_preparer>
+ <target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
+ <option name="throw-if-cmd-fail" value="true" />
+ <!--Note: the first run-command shall not expect the background command to have started -->
+ <option name="run-bg-command" value="sh /data/local/tmp/trusty_test_vm/trusty-vm-launcher.sh" />
+ <option name="run-command" value="sh /data/local/tmp/trusty_test_vm/trusty-wait-ready.sh" />
+ <option name="run-command" value="start storageproxyd_test_system" />
+ <option name="teardown-command" value="stop storageproxyd_test_system" />
+ <option name="teardown-command" value="killall storageproxyd_test_system || true" />
+ </target_preparer>
+ <test class="com.android.tradefed.testtype.binary.ExecutableTargetTest" >
+ <option name="parse-gtest" value="true" />
+ <option name="abort-if-device-lost" value="true"/>
+ <option name="abort-if-root-lost" value="true" />
+ <option name="per-binary-timeout" value="10m" />
+ <option name="test-command-line" key="com.android.kernel.mmutest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.mmutest"/>
+ <option name="test-command-line" key="com.android.kernel.threadtest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.threadtest"/>
+ <option name="test-command-line" key="com.android.kernel.iovectest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.iovectest"/>
+ <option name="test-command-line" key="com.android.kernel.timertest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.timertest"/>
+ <option name="test-command-line" key="com.android.kernel.btitest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.btitest"/>
+ <option name="test-command-line" key="com.android.kernel.cachetest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.cachetest"/>
+ <option name="test-command-line" key="com.android.kernel.console-unittest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.console-unittest"/>
+ <option name="test-command-line" key="com.android.kernel.dpc-unittest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.dpc-unittest"/>
+ <option name="test-command-line" key="com.android.kernel.iovectest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.iovectest"/>
+ <option name="test-command-line" key="com.android.kernel.ktipc.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.ktipc.test"/>
+ <option name="test-command-line" key="com.android.kernel.memorytest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.memorytest"/>
+ <option name="test-command-line" key="com.android.kernel.pactest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.pactest"/>
+ <option name="test-command-line" key="com.android.kernel.uirq-unittest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.uirq-unittest"/>
+ <option name="test-command-line" key="com.android.kernel.usercopy-unittest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.usercopy-unittest"/>
+ <option name="test-command-line" key="com.android.kernel.userscstest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.kernel.userscstest"/>
+ <option name="test-command-line" key="com.android.trusty.rust.keymint.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.keymint.test"/>
+ <option name="test-command-line" key="com.android.manifesttest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.manifesttest"/>
+ <option name="test-command-line" key="com.android.memref.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.memref.test"/>
+ <option name="test-command-line" key="com.android.trusty.rust.memref.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.memref.test"/>
+ <option name="test-command-line" key="com.android.timer-unittest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.timer-unittest"/>
+ <option name="test-command-line" key="com.android.ipc-unittest.ctrl" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.ipc-unittest.ctrl"/>
+ <!--option name="test-command-line" key="com.android.trusty.cfitest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.cfitest"/-->
+ <option name="test-command-line" key="com.android.trusty.crashtest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.crashtest"/>
+ <option name="test-command-line" key="com.android.trusty.dlmalloctest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.dlmalloctest"/>
+ <option name="test-command-line" key="com.android.trusty.hwaes.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.hwaes.test"/>
+ <option name="test-command-line" key="com.android.trusty.hwbcc.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.hwbcc.test"/>
+ <option name="test-command-line" key="com.android.trusty.rust.tipc.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.tipc.test"/>
+ <option name="test-command-line" key="com.android.trusty.rust.hwkey.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.hwkey.test"/>
+ <option name="test-command-line" key="com.android.trusty.rust.hwbcc.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.hwbcc.test"/>
+ <option name="test-command-line" key="com.android.trusty.rust.hwwsk.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.hwwsk.test"/>
+ <option name="test-command-line" key="com.android.trusty.rust.storage.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.storage.test"/>
+ <option name="test-command-line" key="com.android.trusty.smc.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.smc.test"/>
+ <option name="test-command-line" key="com.android.uirq-unittest" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.uirq-unittest"/>
+ <!-- Unit tests for legacy hwcrypto services - these hwcrypto services are used by hwcryptohal /-->
+ <option name="test-command-line" key="com.android.trusty.hwcrypto.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.hwcrypto.test"/>
+ <option name="test-command-line" key="com.android.trusty.hwrng.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.hwrng.test"/>
+ <!-- Unit tests for hwcryptohal (exposing IHWCryptoKey/IHWCryptoOperations AIDL) - Note: VTS tests are defined alongside the interface /-->
+ <option name="test-command-line" key="com.android.trusty.rust.hwcryptohalserver.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.hwcryptohalserver.test"/>
+ <option name="test-command-line" key="com.android.trusty.rust.hwcryptohal_common.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.hwcryptohal_common.test"/>
+ <option name="test-command-line" key="com.android.trusty.rust.hwcryptokey_test.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.hwcryptokey_test.test"/>
+ </test>
+ <!-- disabling storage test as they are redundant with the VTS -->
+ <!--test class="com.android.tradefed.testtype.binary.ExecutableTargetTest" >
+ <option name="parse-gtest" value="true" />
+ <option name="abort-if-device-lost" value="true" />
+ <option name="abort-if-root-lost" value="true" />
+ <option name="per-binary-timeout" value="40m" />
+ <option name="test-command-line" key="com.android.trusty.rust.storage_unittest_aidl.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.storage_unittest_aidl.test"/>
+ <option name="test-command-line" key="com.android.trusty.rust.storage_unittest_aidl_ns.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.storage_unittest_aidl_ns.test"/>
+ <option name="test-command-line" key="com.android.storage-unittest.tp" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.storage-unittest.tp"/>
+ <option name="test-command-line" key="com.android.storage-unittest.tdea" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.storage-unittest.tdea"/>
+ <option name="test-command-line" key="com.android.storage-unittest.nsp" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.storage-unittest.nsp"/>
+ <option name="test-command-line" key="com.android.storage-unittest.td" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.storage-unittest.td"/>
+ <option name="test-command-line" key="com.android.storage-unittest.tdp" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.storage-unittest.tdp"/>
+ </test-->
+ <test class="com.android.tradefed.testtype.binary.ExecutableTargetTest" >
+ <option name="parse-gtest" value="true" />
+ <!--option name="abort-if-device-lost" value="true" /-->
+ <!--option name="abort-if-root-lost" value="true" /-->
+ <option name="per-binary-timeout" value="40m" />
+ <option name="test-command-line" key="com.android.trusty.rust.binder_rpc_test.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.rust.binder_rpc_test.test"/>
+ <option name="test-command-line" key="com.android.trusty.binder.test" value="/data/local/tmp/trusty_test_vm/trusty-ut-ctrl.sh com.android.trusty.binder.test"/>
+ </test>
+ </configuration>
diff --git a/guest/trusty/test_vm/README.md b/guest/trusty/test_vm/README.md
new file mode 100644
index 0000000..1673844
--- /dev/null
+++ b/guest/trusty/test_vm/README.md
@@ -0,0 +1,7 @@
+## Trusty test_vm
+
+The Trusty test_vm ought to include the test TAs for different test types:
+- Trusty kernel OS test
+- Trusty IPC tests
+- Trusty user-space tests for service TAs (DT tree for example)
+- and most importantly the VTS tests TA for the trusted HALs.
diff --git a/guest/trusty/test_vm/TEST_MAPPING b/guest/trusty/test_vm/TEST_MAPPING
new file mode 100644
index 0000000..6f2b56e
--- /dev/null
+++ b/guest/trusty/test_vm/TEST_MAPPING
@@ -0,0 +1,9 @@
+{
+ "trusty-test_vm-presubmit": [
+ ],
+ "trusty-test_vm-postsubmit": [
+ {
+ "name": "TrustyTestVM_UnitTests"
+ }
+ ]
+}
diff --git a/guest/trusty/test_vm/trusty-ut-ctrl.sh b/guest/trusty/test_vm/trusty-ut-ctrl.sh
new file mode 100644
index 0000000..77a9459
--- /dev/null
+++ b/guest/trusty/test_vm/trusty-ut-ctrl.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Copyright (C) 2024 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+/system_ext/bin/trusty-ut-ctrl.system -D VSOCK:${2:-$(getprop trusty.test_vm.vm_cid)}:1 $1
diff --git a/guest/trusty/test_vm/trusty-vm-launcher.sh b/guest/trusty/test_vm/trusty-vm-launcher.sh
new file mode 100755
index 0000000..cb8661f
--- /dev/null
+++ b/guest/trusty/test_vm/trusty-vm-launcher.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# Copyright 2024 Google Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+/apex/com.android.virt/bin/vm run /data/local/tmp/trusty_test_vm/trusty-test_vm-config.json
diff --git a/guest/trusty/test_vm/trusty-wait-ready.sh b/guest/trusty/test_vm/trusty-wait-ready.sh
new file mode 100755
index 0000000..842853c
--- /dev/null
+++ b/guest/trusty/test_vm/trusty-wait-ready.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+set -euo pipefail
+
+function get_cid {
+ local max_cid
+ max_cid=$(/apex/com.android.virt/bin/vm list | awk 'BEGIN { FS="[:,]" } /cid/ { print $2; }' | sort -n | tail -1)
+
+ # return the value trimmed from whitespaces
+ echo "${max_cid}" | xargs
+}
+
+function wait_for_cid {
+ TIMES=${1:-20}
+ X=0
+ local init_cid
+ init_cid=$(get_cid)
+ while [ "$TIMES" -eq 0 ] || [ "$TIMES" -gt "$X" ]
+ do
+ local cid
+ cid=$(get_cid)
+ echo "wait_for_cid: retry $(( X++ )) / $TIMES : init_cid=$init_cid cid=$cid";
+ if [ "$cid" -gt "$init_cid" ]
+ then
+ break
+ else
+ sleep 2
+ fi
+ done
+ setprop trusty.test_vm.vm_cid "$cid"
+}
+
+# This script is expected to be started before the trusty_test_vm is started
+# wait_for_cid gets the max cid and wait for it to be updated as an indication
+# that the trusty_test_vm has properly started.
+# wait_for_cid polls for the CID change at 2 seconds intervals
+# the input argument is the max number of retries (20 by default)
+wait_for_cid "$@"
+
+echo trusty.test_vm.vm_cid="$(getprop trusty.test_vm.vm_cid)"
diff --git a/guest/trusty/test_vm/vm_config_lk_x86_64.json b/guest/trusty/test_vm/vm_config_lk_x86_64.json
new file mode 100644
index 0000000..5effca5
--- /dev/null
+++ b/guest/trusty/test_vm/vm_config_lk_x86_64.json
@@ -0,0 +1,6 @@
+{
+ "name": "trusty_test_vm",
+ "kernel": "/data/local/tmp/trusty_test_vm/trusty_test_vm_signed",
+ "platform_version": "1.0",
+ "memory_mib": 112
+}
diff --git a/libs/libvmbase/src/bionic.rs b/libs/libvmbase/src/bionic.rs
index 8b40dae..3c0cd6f 100644
--- a/libs/libvmbase/src/bionic.rs
+++ b/libs/libvmbase/src/bionic.rs
@@ -72,6 +72,7 @@
pub static mut ERRNO: c_int = 0;
#[no_mangle]
+#[allow(unused_unsafe)]
unsafe extern "C" fn __errno() -> *mut c_int {
// SAFETY: C functions which call this are only called from the main thread, not from exception
// handlers.
diff --git a/libs/libvmbase/src/layout.rs b/libs/libvmbase/src/layout.rs
index 9a702b0..cf3a8fc 100644
--- a/libs/libvmbase/src/layout.rs
+++ b/libs/libvmbase/src/layout.rs
@@ -14,6 +14,8 @@
//! Memory layout.
+#![allow(unused_unsafe)]
+
pub mod crosvm;
use crate::linker::__stack_chk_guard;
diff --git a/libs/nested_virt/src/lib.rs b/libs/nested_virt/src/lib.rs
index b43fcb7..b2aea88 100644
--- a/libs/nested_virt/src/lib.rs
+++ b/libs/nested_virt/src/lib.rs
@@ -21,12 +21,21 @@
/// Return whether we will be running our VM in a VM, which causes the nested VM to run very slowly.
pub fn is_nested_virtualization() -> Result<bool> {
- // Currently nested virtualization only occurs when we run KVM inside the cuttlefish VM.
- // So we just need to check for vsoc.
- if let Some(value) = system_properties::read("ro.product.vendor.device")? {
- // Fuzzy matching to allow for vsoc_x86, vsoc_x86_64, vsoc_x86_64_only, ...
- Ok(value.starts_with("vsoc_"))
- } else {
- Ok(false)
+ // Nested virtualization occurs when we run KVM inside the cuttlefish VM or when
+ // we run trusty within qemu.
+ let checks = [
+ ("ro.product.vendor.device", "vsoc_"), // vsoc_x86, vsoc_x86_64, vsoc_x86_64_only, ...
+ ("ro.hardware", "qemu_"), // qemu_trusty, ...
+ ];
+
+ for (property, prefix) in checks {
+ if let Some(value) = system_properties::read(property)? {
+ if value.starts_with(prefix) {
+ return Ok(true);
+ }
+ }
}
+
+ // No match -> not nested
+ Ok(false)
}