Merge "Remove task-profile" into main
diff --git a/authfs/Android.bp b/authfs/Android.bp
index 8ac600d..e04d5e1 100644
--- a/authfs/Android.bp
+++ b/authfs/Android.bp
@@ -73,6 +73,7 @@
tools: [
"fsverity_manifest_generator",
"fsverity",
+ "soong_zip",
],
srcs: [
"testdata/input.4k",
@@ -85,13 +86,11 @@
* to load a generated fsverity manifest for the test input files into the
* test VM.
*/
- cmd: "out_dir=$$(dirname $(out))" +
- "&& assets_dir=\"assets\" " +
- "&& mkdir -p $$out_dir/$$assets_dir" +
+ cmd: "mkdir -p $(genDir)/assets" +
"&& $(location fsverity_manifest_generator) " +
" --fsverity-path $(location fsverity) " +
" --base-dir $$(dirname $(in) | head -1) " +
- " --output $$out_dir/$$assets_dir/input_manifest.pb " +
+ " --output $(genDir)/assets/input_manifest.pb " +
" $(in) " +
- "&& jar cf $(out) -C $$out_dir $$assets_dir",
+ "&& $(location soong_zip) -jar -o $(out) -C $(genDir) -D $(genDir)/assets",
}
diff --git a/authfs/tests/benchmarks/Android.bp b/authfs/tests/benchmarks/Android.bp
index 93ba41a..27a6af1 100644
--- a/authfs/tests/benchmarks/Android.bp
+++ b/authfs/tests/benchmarks/Android.bp
@@ -46,9 +46,8 @@
srcs: [
":measure_io",
],
- cmd: "out_dir=$$(dirname $(out))" +
- "&& bin_dir=\"bin\" " +
- "&& mkdir -p $$out_dir/$$bin_dir" +
- "&& cp $(in) $$out_dir/$$bin_dir" +
- "&& jar cf $(out) -C $$out_dir $$bin_dir",
+ tools: ["soong_zip"],
+ cmd: "mkdir -p $(genDir)/bin" +
+ "&& cp $(in) $(genDir)/bin" +
+ "&& $(location soong_zip) -jar -o $(out) -C $(genDir) -D $(genDir)/bin",
}
diff --git a/javalib/api/test-current.txt b/javalib/api/test-current.txt
index 0a988d8..3cd8e42 100644
--- a/javalib/api/test-current.txt
+++ b/javalib/api/test-current.txt
@@ -16,7 +16,7 @@
public static final class VirtualMachineConfig.Builder {
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder addExtraApk(@NonNull String);
- method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder setOs(@NonNull String);
+ method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setOs(@NonNull String);
method @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setPayloadConfigPath(@NonNull String);
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setVendorDiskImage(@NonNull java.io.File);
method @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder setVmConsoleInputSupported(boolean);
@@ -26,6 +26,7 @@
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull public java.util.List<java.lang.String> getSupportedOSList() throws android.system.virtualmachine.VirtualMachineException;
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @RequiresPermission(android.system.virtualmachine.VirtualMachine.MANAGE_VIRTUAL_MACHINE_PERMISSION) public boolean isFeatureEnabled(String) throws android.system.virtualmachine.VirtualMachineException;
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_DICE_CHANGES = "com.android.kvm.DICE_CHANGES";
+ field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_LLPVM_CHANGES = "com.android.kvm.LLPVM_CHANGES";
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_MULTI_TENANT = "com.android.kvm.MULTI_TENANT";
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_REMOTE_ATTESTATION = "com.android.kvm.REMOTE_ATTESTATION";
field @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") public static final String FEATURE_VENDOR_MODULES = "com.android.kvm.VENDOR_MODULES";
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
index f39c346..693a7d7 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
@@ -530,6 +530,7 @@
&& this.mEncryptedStorageBytes == other.mEncryptedStorageBytes
&& this.mVmOutputCaptured == other.mVmOutputCaptured
&& this.mVmConsoleInputSupported == other.mVmConsoleInputSupported
+ && (this.mVendorDiskImage == null) == (other.mVendorDiskImage == null)
&& Objects.equals(this.mPayloadConfigPath, other.mPayloadConfigPath)
&& Objects.equals(this.mPayloadBinaryName, other.mPayloadBinaryName)
&& Objects.equals(this.mPackageName, other.mPackageName)
@@ -1022,6 +1023,7 @@
*/
@TestApi
@FlaggedApi(Flags.FLAG_AVF_V_TEST_APIS)
+ @RequiresPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION)
@NonNull
public Builder setOs(@NonNull String os) {
mOs = requireNonNull(os, "os must not be null");
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java b/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
index f263b32..5020ff0 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachineManager.java
@@ -119,9 +119,10 @@
prefix = "FEATURE_",
value = {
FEATURE_DICE_CHANGES,
+ FEATURE_LLPVM_CHANGES,
FEATURE_MULTI_TENANT,
FEATURE_REMOTE_ATTESTATION,
- FEATURE_VENDOR_MODULES
+ FEATURE_VENDOR_MODULES,
})
public @interface Features {}
@@ -164,6 +165,15 @@
IVirtualizationService.FEATURE_VENDOR_MODULES;
/**
+ * Feature to enable Secretkeeper protected secrets in Microdroid based pVMs.
+ *
+ * @hide
+ */
+ @TestApi
+ @FlaggedApi(Flags.FLAG_AVF_V_TEST_APIS)
+ public static final String FEATURE_LLPVM_CHANGES = IVirtualizationService.FEATURE_LLPVM_CHANGES;
+
+ /**
* Returns a set of flags indicating what this implementation of virtualization is capable of.
*
* @see #CAPABILITY_PROTECTED_VM
diff --git a/libs/avf_features/Android.bp b/libs/avf_features/Android.bp
new file mode 100644
index 0000000..71f33db
--- /dev/null
+++ b/libs/avf_features/Android.bp
@@ -0,0 +1,26 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_defaults {
+ name: "libavf_features.defaults",
+ crate_name: "avf_features",
+ defaults: ["avf_build_flags_rust"],
+ srcs: ["src/lib.rs"],
+ edition: "2021",
+ prefer_rlib: true,
+ rustlibs: [
+ "android.system.virtualizationservice-rust",
+ "libanyhow",
+ "liblog_rust",
+ ],
+}
+
+rust_library {
+ name: "libavf_features",
+ defaults: ["libavf_features.defaults"],
+ apex_available: [
+ "//apex_available:platform",
+ "com.android.virt",
+ ],
+}
diff --git a/libs/avf_features/src/lib.rs b/libs/avf_features/src/lib.rs
new file mode 100644
index 0000000..c0faab0
--- /dev/null
+++ b/libs/avf_features/src/lib.rs
@@ -0,0 +1,38 @@
+// Copyright 2024, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Provide functionality for handling AVF build-time feature flags.
+
+use android_system_virtualizationservice::aidl::android::system::virtualizationservice::{
+ IVirtualizationService::FEATURE_DICE_CHANGES, IVirtualizationService::FEATURE_LLPVM_CHANGES,
+ IVirtualizationService::FEATURE_MULTI_TENANT,
+ IVirtualizationService::FEATURE_REMOTE_ATTESTATION,
+ IVirtualizationService::FEATURE_VENDOR_MODULES,
+};
+use log::warn;
+
+/// Check if an AVF feature is enabled.
+pub fn is_feature_enabled(feature: &str) -> bool {
+ match feature {
+ FEATURE_DICE_CHANGES => cfg!(dice_changes),
+ FEATURE_LLPVM_CHANGES => cfg!(llpvm_changes),
+ FEATURE_MULTI_TENANT => cfg!(multi_tenant),
+ FEATURE_REMOTE_ATTESTATION => cfg!(remote_attestation),
+ FEATURE_VENDOR_MODULES => cfg!(vendor_modules),
+ _ => {
+ warn!("unknown feature {feature}");
+ false
+ }
+ }
+}
diff --git a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
index 20b5a50..4503cd3 100644
--- a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
+++ b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
@@ -1084,6 +1084,13 @@
}
mOs = (mGki != null) ? "microdroid_gki-" + mGki : "microdroid";
+
+ new CommandRunner(getDevice())
+ .tryRun(
+ "pm",
+ "grant",
+ SHELL_PACKAGE_NAME,
+ "android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
}
@After
@@ -1098,21 +1105,13 @@
mTestLogs, getDevice(), LOG_PATH, "vm.log-" + mTestName.getMethodName());
getDevice().uninstallPackage(PACKAGE_NAME);
-
- // testCustomVirtualMachinePermission revokes this permission. Grant it again as cleanup
- new CommandRunner(getDevice())
- .tryRun(
- "pm",
- "grant",
- SHELL_PACKAGE_NAME,
- "android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
}
- private void assumeProtectedVm() throws Exception {
+ private void assumeProtectedVm() {
assumeTrue("This test is only for protected VM.", mProtectedVm);
}
- private void assumeNonProtectedVm() throws Exception {
+ private void assumeNonProtectedVm() {
assumeFalse("This test is only for non-protected VM.", mProtectedVm);
}
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index 070478e..0132b0d 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -140,13 +140,17 @@
@Before
public void setup() {
prepareTestSetup(mProtectedVm, mGki);
- // USE_CUSTOM_VIRTUAL_MACHINE permission has protection level signature|development, meaning
- // that it will be automatically granted when test apk is installed. We have some tests
- // checking the behavior when caller doesn't have this permission (e.g.
- // createVmWithConfigRequiresPermission). Proactively revoke the permission so that such
- // tests can pass when ran by itself, e.g.:
- // atest com.android.microdroid.test.MicrodroidTests#createVmWithConfigRequiresPermission
- revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ if (mGki != null) {
+ // Using a non-default VM always needs the custom permission.
+ grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ } else {
+ // USE_CUSTOM_VIRTUAL_MACHINE permission has protection level signature|development,
+ // meaning that it will be automatically granted when test apk is installed.
+ // But most callers shouldn't need this permission, so by default we run tests with it
+ // revoked.
+ // Tests that rely on the state of the permission should explicitly grant or revoke it.
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ }
}
@After
@@ -588,6 +592,9 @@
.isFalse();
assertConfigCompatible(baseline, newBaselineBuilder().setPayloadBinaryName("different"))
.isFalse();
+ assertConfigCompatible(
+ baseline, newBaselineBuilder().setVendorDiskImage(new File("/foo/bar")))
+ .isFalse();
int capabilities = getVirtualMachineManager().getCapabilities();
if ((capabilities & CAPABILITY_PROTECTED_VM) != 0
&& (capabilities & CAPABILITY_NON_PROTECTED_VM) != 0) {
@@ -637,6 +644,7 @@
VirtualMachineConfig.Builder otherOsBuilder =
newBaselineBuilder().setOs("microdroid_gki-android14-6.1");
assertConfigCompatible(microdroidOsConfig, otherOsBuilder).isFalse();
+
}
private VirtualMachineConfig.Builder newBaselineBuilder() {
@@ -776,6 +784,7 @@
})
public void createVmWithConfigRequiresPermission() throws Exception {
assumeSupportedDevice();
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
VirtualMachineConfig config =
newVmConfigBuilderWithPayloadConfig("assets/" + os() + "/vm_config.json")
@@ -2134,6 +2143,7 @@
assumeFalse(
"boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
File vendorDiskImage =
new File("/data/local/tmp/cts/microdroid/test_microdroid_vendor_image.img");
diff --git a/virtualizationmanager/Android.bp b/virtualizationmanager/Android.bp
index c46385c..bb6ccb7 100644
--- a/virtualizationmanager/Android.bp
+++ b/virtualizationmanager/Android.bp
@@ -32,6 +32,7 @@
"libandroid_logger",
"libanyhow",
"libapkverify",
+ "libavf_features",
"libavflog",
"libbase_rust",
"libbinder_rs",
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 7d09728..0a8ef27 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -35,10 +35,6 @@
IVirtualMachine::{BnVirtualMachine, IVirtualMachine},
IVirtualMachineCallback::IVirtualMachineCallback,
IVirtualizationService::IVirtualizationService,
- IVirtualizationService::FEATURE_MULTI_TENANT,
- IVirtualizationService::FEATURE_VENDOR_MODULES,
- IVirtualizationService::FEATURE_DICE_CHANGES,
- IVirtualizationService::FEATURE_REMOTE_ATTESTATION,
MemoryTrimLevel::MemoryTrimLevel,
Partition::Partition,
PartitionType::PartitionType,
@@ -306,19 +302,7 @@
/// Returns whether given feature is enabled
fn isFeatureEnabled(&self, feature: &str) -> binder::Result<bool> {
check_manage_access()?;
-
- // This approach is quite cumbersome, but will do the work for the short term.
- // TODO(b/298012279): make this scalable.
- match feature {
- FEATURE_DICE_CHANGES => Ok(cfg!(dice_changes)),
- FEATURE_MULTI_TENANT => Ok(cfg!(multi_tenant)),
- FEATURE_REMOTE_ATTESTATION => Ok(cfg!(remote_attestation)),
- FEATURE_VENDOR_MODULES => Ok(cfg!(vendor_modules)),
- _ => {
- warn!("unknown feature {feature}");
- Ok(false)
- }
- }
+ Ok(avf_features::is_feature_enabled(feature))
}
fn enableTestAttestation(&self) -> binder::Result<()> {
@@ -602,10 +586,14 @@
} else {
// Additional custom features not included in CustomConfig:
// - specifying a config file;
- // - specifying extra APKs.
+ // - specifying extra APKs;
+ // - specifying an OS other than Microdroid.
match &config.payload {
Payload::ConfigPath(_) => true,
- Payload::PayloadConfig(payload_config) => !payload_config.extraApks.is_empty(),
+ Payload::PayloadConfig(payload_config) => {
+ !payload_config.extraApks.is_empty()
+ || payload_config.osName != MICRODROID_OS_NAME
+ }
}
}
}
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
index 7962bc3..f7bbf55 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/IVirtualizationService.aidl
@@ -23,6 +23,7 @@
interface IVirtualizationService {
const String FEATURE_DICE_CHANGES = "com.android.kvm.DICE_CHANGES";
+ const String FEATURE_LLPVM_CHANGES = "com.android.kvm.LLPVM_CHANGES";
const String FEATURE_MULTI_TENANT = "com.android.kvm.MULTI_TENANT";
const String FEATURE_REMOTE_ATTESTATION = "com.android.kvm.REMOTE_ATTESTATION";
const String FEATURE_VENDOR_MODULES = "com.android.kvm.VENDOR_MODULES";
diff --git a/vm/Android.bp b/vm/Android.bp
index 04aff5e..c1d9b6b 100644
--- a/vm/Android.bp
+++ b/vm/Android.bp
@@ -12,6 +12,7 @@
rustlibs: [
"android.system.virtualizationservice-rust",
"libanyhow",
+ "libavf_features",
"libbinder_rs",
"libclap",
"libenv_logger",
diff --git a/vm/src/main.rs b/vm/src/main.rs
index 127132b..355e193 100644
--- a/vm/src/main.rs
+++ b/vm/src/main.rs
@@ -228,6 +228,8 @@
#[derive(Parser)]
enum Opt {
+ /// Check if the feature is enabled on device.
+ CheckFeatureEnabled { feature: String },
/// Run a virtual machine with a config in APK
RunApp {
#[command(flatten)]
@@ -300,6 +302,13 @@
virtmgr.connect().context("Failed to connect to VirtualizationService")
}
+fn command_check_feature_enabled(feature: &str) {
+ println!(
+ "Feature {feature} is {}",
+ if avf_features::is_feature_enabled(feature) { "enabled" } else { "disabled" }
+ );
+}
+
fn main() -> Result<(), Error> {
env_logger::init();
let opt = Opt::parse();
@@ -308,6 +317,10 @@
ProcessState::start_thread_pool();
match opt {
+ Opt::CheckFeatureEnabled { feature } => {
+ command_check_feature_enabled(&feature);
+ Ok(())
+ }
Opt::RunApp { config } => command_run_app(config),
Opt::RunMicrodroid { config } => command_run_microdroid(config),
Opt::Run { config } => command_run(config),