Add microdroid-specialized KeyMint service
KeyMint in microdroid will initially be a specialized version of the
software KeyMint reference implementation. Begin this specialization by
removing the services that aren't needed within VMs.
Bug: 190578423
Test: atest MicrodroidHostTestCases
Change-Id: I6eee95944ccc555656868dad193f29b83ebf46a4
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 55d1eae..0add9c3 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -158,7 +158,7 @@
name: "microdroid_vendor",
use_avb: true,
deps: [
- "android.hardware.security.keymint-service",
+ "android.hardware.security.keymint-service.microdroid",
"microdroid_fstab",
"microdroid_precompiled_sepolicy",
"microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
diff --git a/microdroid/init.rc b/microdroid/init.rc
index 4410b82..b683230 100644
--- a/microdroid/init.rc
+++ b/microdroid/init.rc
@@ -101,7 +101,7 @@
start keystore2
on late-fs
- start vendor.keymint-default
+ start vendor.keymint-microdroid
# TODO(b/185767624): change the hard-coded size?
mount tmpfs tmpfs /data noatime nosuid nodev rw size=128M
diff --git a/microdroid/keymint/Android.bp b/microdroid/keymint/Android.bp
new file mode 100644
index 0000000..5867900
--- /dev/null
+++ b/microdroid/keymint/Android.bp
@@ -0,0 +1,32 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_binary {
+ name: "android.hardware.security.keymint-service.microdroid",
+ relative_install_path: "hw",
+ init_rc: ["android.hardware.security.keymint-service.microdroid.rc"],
+ vintf_fragments: [
+ "android.hardware.security.keymint-service.microdroid.xml",
+ ],
+ vendor: true,
+ cflags: [
+ "-Wall",
+ "-Wextra",
+ ],
+ shared_libs: [
+ "android.hardware.security.keymint-V1-ndk_platform",
+ "libbase",
+ "libbinder_ndk",
+ "libcppbor_external",
+ "libcrypto",
+ "libkeymaster_portable",
+ "libkeymint",
+ "liblog",
+ "libpuresoftkeymasterdevice",
+ "libutils",
+ ],
+ srcs: [
+ "service.cpp",
+ ],
+}
diff --git a/microdroid/keymint/android.hardware.security.keymint-service.microdroid.rc b/microdroid/keymint/android.hardware.security.keymint-service.microdroid.rc
new file mode 100644
index 0000000..d6851bd
--- /dev/null
+++ b/microdroid/keymint/android.hardware.security.keymint-service.microdroid.rc
@@ -0,0 +1,3 @@
+service vendor.keymint-microdroid /vendor/bin/hw/android.hardware.security.keymint-service.microdroid
+ class early_hal
+ user nobody
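Review bot: The service stanza sets `user nobody` but no `group`, and init's documented default for an omitted group is root, so the KeyMint process would keep gid 0 as its primary group. For a process that holds key material in memory, add `group nobody` (or a dedicated gid) under the `user` line so that both ids are unprivileged. `nobody` is also a uid commonly shared with other daemons, so if the VM image runs more than one service under it, a dedicated uid for this service would be worth considering.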
diff --git a/microdroid/keymint/android.hardware.security.keymint-service.microdroid.xml b/microdroid/keymint/android.hardware.security.keymint-service.microdroid.xml
new file mode 100644
index 0000000..73d15a8
--- /dev/null
+++ b/microdroid/keymint/android.hardware.security.keymint-service.microdroid.xml
@@ -0,0 +1,6 @@
+<manifest version="1.0" type="device">
+ <hal format="aidl">
+ <name>android.hardware.security.keymint</name>
+ <fqname>IKeyMintDevice/default</fqname>
+ </hal>
+</manifest>
diff --git a/microdroid/keymint/service.cpp b/microdroid/keymint/service.cpp
new file mode 100644
index 0000000..d2b75a1
--- /dev/null
+++ b/microdroid/keymint/service.cpp
@@ -0,0 +1,60 @@
+/*
+ * Copyright 2021, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LOG_TAG "android.hardware.security.keymint-service"
+
+#include <AndroidKeyMintDevice.h>
+#include <android-base/logging.h>
+#include <android/binder_manager.h>
+#include <android/binder_process.h>
+#include <keymaster/soft_keymaster_logger.h>
+
+using aidl::android::hardware::security::keymint::AndroidKeyMintDevice;
+using aidl::android::hardware::security::keymint::SecurityLevel;
+
+template <typename T, class... Args>
+std::shared_ptr<T> addService(Args&&... args) {
+ std::shared_ptr<T> ser = ndk::SharedRefBase::make<T>(std::forward<Args>(args)...);
+ auto instanceName = std::string(T::descriptor) + "/default";
+ LOG(INFO) << "adding keymint service instance: " << instanceName;
+ binder_status_t status =
+ AServiceManager_addService(ser->asBinder().get(), instanceName.c_str());
+ CHECK(status == STATUS_OK);
+ return ser;
+}
+
+int main() {
+ // Zero threads seems like a useless pool, but below we'll join this thread to it, increasing
+ // the pool size to 1.
+ ABinderProcess_setThreadPoolMaxThreadCount(0);
+ // Add Keymint Service
+ std::shared_ptr<AndroidKeyMintDevice> keyMint =
+ addService<AndroidKeyMintDevice>(SecurityLevel::SOFTWARE);
+
+ // VMs cannot implement the Secure Clock Service
+ // addService<AndroidSecureClock>(keyMint);
+
+ // VMs don't need to implement the Shared Secret Service as the host
+ // facilities the establishment of the shared secret.
+ // addService<AndroidSharedSecret>(keyMint);
+
+ // VMs don't implement the Remotely Provisioned Component Service as the
+ // host facilities provisioning.
+ // addService<AndroidRemotelyProvisionedComponentDevice>(keyMint);
+
+ ABinderProcess_joinThreadPool();
+ return EXIT_FAILURE; // should not reach
+}
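Review bot: `LOG_TAG` on the new side is still `"android.hardware.security.keymint-service"`, the reference service's tag, so log lines from this VM-specific binary cannot be attributed to it during triage; `#define LOG_TAG "android.hardware.security.keymint-service.microdroid"` would match the binary and init service names. `keymaster/soft_keymaster_logger.h` is included but nothing in `main()` uses it; if the keymaster library's log macros need a logger object to be instantiated (worth confirming), its error messages are dropped, otherwise the include can go. The `CHECK(status == STATUS_OK)` in `addService` aborts without recording the status value; `CHECK(status == STATUS_OK) << "addService failed, status " << status;` keeps the reason in the crash log. The two comments in `main()` that say "facilities" mean "facilitates".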
diff --git a/microdroid/microdroid_compatibility_matrix.xml b/microdroid/microdroid_compatibility_matrix.xml
index 7293d22..dbc12a8 100644
--- a/microdroid/microdroid_compatibility_matrix.xml
+++ b/microdroid/microdroid_compatibility_matrix.xml
@@ -6,30 +6,6 @@
<interface>
<name>IKeyMintDevice</name>
<instance>default</instance>
- <instance>strongbox</instance>
- </interface>
- </hal>
- <hal format="aidl" optional="true">
- <name>android.hardware.security.keymint</name>
- <interface>
- <name>IRemotelyProvisionedComponent</name>
- <instance>default</instance>
- </interface>
- </hal>
- <hal format="aidl" optional="true">
- <name>android.hardware.security.secureclock</name>
- <version>1</version>
- <interface>
- <name>ISecureClock</name>
- <instance>default</instance>
- </interface>
- </hal>
- <hal format="aidl" optional="true">
- <name>android.hardware.security.sharedsecret</name>
- <version>1</version>
- <interface>
- <name>ISharedSecret</name>
- <instance>default</instance>
</interface>
</hal>
</compatibility-matrix>
diff --git a/microdroid/sepolicy/vendor/file_contexts b/microdroid/sepolicy/vendor/file_contexts
index 71b4fcd..0aa85cf 100644
--- a/microdroid/sepolicy/vendor/file_contexts
+++ b/microdroid/sepolicy/vendor/file_contexts
@@ -35,4 +35,4 @@
/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
-/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
+/bin/hw/android\.hardware\.security\.keymint-service\.microdroid u:object_r:hal_keymint_default_exec:s0