Merge changes from topic "prepare-for-system-tee-services" into main am: a781e518d6
Original change: https://android-review.googlesource.com/c/platform/packages/modules/Virtualization/+/3498409
Change-Id: Ia0ce723ec3ee9fec75b4abbfcd1a83e3f5988c9c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/android/virtmgr/src/aidl.rs b/android/virtmgr/src/aidl.rs
index a298f64..3c5408c 100644
--- a/android/virtmgr/src/aidl.rs
+++ b/android/virtmgr/src/aidl.rs
@@ -727,7 +727,10 @@
*is_protected = config.protectedVm;
if !config.teeServices.is_empty() {
- // TODO(ioffe): only pVMs should be able to request access to teeServices.
+ if !config.protectedVm {
+ return Err(anyhow!("only protected VMs can request tee services"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+ }
check_tee_service_permission(&caller_secontext, &config.teeServices)
.with_log()
.or_binder_exception(ExceptionCode::SECURITY)?;
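Review bot: The new rejection branch for non-protected VMs returns without `.with_log()`, whereas the `check_tee_service_permission` call directly below logs its failure before converting it to a binder exception. A caller that asks for `teeServices` on a non-protected VM is a policy denial that is worth seeing in the logs, so the early return could read `return Err(anyhow!("only protected VMs can request tee services")).with_log().or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);`. This assumes `with_log()` is usable on this `Result` the same way it is on the result of `check_tee_service_permission`. The enclosing function starts and ends outside the hunk, so whether another path already logs this error is not visible here.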
@@ -750,7 +753,7 @@
.or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
}
- // TODO(ioffe): remove this check in a follow-up patch.
+ // TODO(b/391774181): remove this check in a follow-up patch.
if !system_tee_services.is_empty() {
return Err(anyhow!("support for system tee services is coming soon!"))
.or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);