Add teeServices field to AppConfig & RawConfig
This patch only adds the field; it will be used in follow-up patches.
Bug: 360102915
Test: atest MicrodroidTests
Change-Id: I951d911ee60c48085b14a24e0bbf6c394256ce6c
diff --git a/android/virtmgr/src/aidl.rs b/android/virtmgr/src/aidl.rs
index e2b2804..9d72506 100644
--- a/android/virtmgr/src/aidl.rs
+++ b/android/virtmgr/src/aidl.rs
@@ -1152,6 +1152,8 @@
for param in custom_config.extraKernelCmdlineParams.iter() {
append_kernel_param(param, &mut vm_config);
}
+
+ vm_config.teeServices.clone_from(&custom_config.teeServices);
}
// Unfortunately specifying page_shift = 14 in bootconfig doesn't enable 16k pages emulation,
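Review bot: The added `clone_from` line copies the caller-supplied `custom_config.teeServices` into `vm_config` without inspecting its contents. The only gate visible in this commit is the flag-off rejection added to the feature checks further down, so with `tee_services_allowlist` enabled any strings pass through unchanged. The description says the consumers arrive in follow-up patches; until then a marker such as `// TODO(b/360102915): validate teeServices against the allowlist before it is acted on` would make clear that validation is still owed. The enclosing function starts and ends outside the hunk.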
@@ -1759,6 +1761,26 @@
Ok(())
}
+fn check_no_tee_services(config: &VirtualMachineConfig) -> binder::Result<()> {
+ match config {
+ VirtualMachineConfig::RawConfig(config) => {
+ if !config.teeServices.is_empty() {
+ return Err(anyhow!("tee_services_allowlist feature is disabled"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+ }
+ }
+ VirtualMachineConfig::AppConfig(config) => {
+ if let Some(custom_config) = &config.customConfig {
+ if !custom_config.teeServices.is_empty() {
+ return Err(anyhow!("tee_services_allowlist feature is disabled"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+ }
+ }
+ }
+ };
+ Ok(())
+}
+
fn check_protected_vm_is_supported() -> binder::Result<()> {
let is_pvm_supported =
hypervisor_props::is_protected_vm_supported().or_service_specific_exception(-1)?;
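Review bot: Both match arms of `check_no_tee_services` build the same `UNSUPPORTED_OPERATION` error, so the rejection message and exception code of this fail-closed gate have to be kept in sync in two places. Reducing the match to a single boolean and returning the error once keeps the gate in one spot without changing behaviour. The neighbouring `check_no_*` helpers are not fully visible in this hunk, so if they share the two-arm shape, consistency with them may be the better choice.

```rust
fn check_no_tee_services(config: &VirtualMachineConfig) -> binder::Result<()> {
    let requests_tee_services = match config {
        VirtualMachineConfig::RawConfig(config) => !config.teeServices.is_empty(),
        VirtualMachineConfig::AppConfig(config) => config
            .customConfig
            .as_ref()
            .is_some_and(|custom_config| !custom_config.teeServices.is_empty()),
    };
    if requests_tee_services {
        return Err(anyhow!("tee_services_allowlist feature is disabled"))
            .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
    }
    Ok(())
}
```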
@@ -1783,6 +1805,9 @@
if !cfg!(debuggable_vms_improvements) {
check_no_extra_kernel_cmdline_params(config)?;
}
+ if !cfg!(tee_services_allowlist) {
+ check_no_tee_services(config)?;
+ }
Ok(())
}
diff --git a/android/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl b/android/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
index 9123742..114a851 100644
--- a/android/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
+++ b/android/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
@@ -130,6 +130,9 @@
/** Additional parameters to pass to the VM's kernel cmdline. */
String[] extraKernelCmdlineParams;
+
+ /** List of tee services this VM wants to access */
+ String[] teeServices;
}
/** Configuration parameters guarded by android.permission.USE_CUSTOM_VIRTUAL_MACHINE */
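Review bot: The doc comment on `teeServices` does not tell a caller what happens when the list is non-empty on a build without the feature. Per the aidl.rs part of this commit, such a config is rejected with UNSUPPORTED_OPERATION when `tee_services_allowlist` is disabled. A comment such as `/** TEE services this VM requests access to. Must be empty unless the tee_services_allowlist feature is enabled. */` would record that. The expected format of an entry is not visible in this commit and should be stated once it is settled. The same applies to the identical comment added in VirtualMachineRawConfig.aidl; the enclosing parcelable starts outside the hunk.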
diff --git a/android/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl b/android/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl
index 9f2a23e..5728a68 100644
--- a/android/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl
+++ b/android/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineRawConfig.aidl
@@ -110,4 +110,7 @@
/** Enable or disable USB passthrough support */
@nullable UsbConfig usbConfig;
+
+ /** List of tee services this VM wants to access */
+ String[] teeServices;
}
diff --git a/libs/framework-virtualization/src/android/system/virtualmachine/VirtualMachineConfig.java b/libs/framework-virtualization/src/android/system/virtualmachine/VirtualMachineConfig.java
index 3d1964d..8230166 100644
--- a/libs/framework-virtualization/src/android/system/virtualmachine/VirtualMachineConfig.java
+++ b/libs/framework-virtualization/src/android/system/virtualmachine/VirtualMachineConfig.java
@@ -744,6 +744,7 @@
return usbConfig;
})
.orElse(null);
+ config.teeServices = EMPTY_STRING_ARRAY;
return config;
}
@@ -798,6 +799,7 @@
new VirtualMachineAppConfig.CustomConfig();
customConfig.devices = EMPTY_STRING_ARRAY;
customConfig.extraKernelCmdlineParams = EMPTY_STRING_ARRAY;
+ customConfig.teeServices = EMPTY_STRING_ARRAY;
try {
customConfig.vendorImage =
ParcelFileDescriptor.open(mVendorDiskImage, MODE_READ_ONLY);