commit b3b4057985d72f2ea6b90582c6ac3bfed0895ed2
author Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Sat Mar 01 14:23:13 2025 -0800
committer Android Build Coastguard Worker <android-build-coastguard-worker@google.com> Sat Mar 01 14:23:13 2025 -0800
tree f14cd7aa5f0c4bb883e3b424b03638085bb79cc5
parent 2d92cce6a3c4d6788becd0bc1731873f17beba19
parent 12f6aa60cf5cf577a04805682f18bb1a0e5ba5e8

Snap for 13145626 from 12f6aa60cf5cf577a04805682f18bb1a0e5ba5e8 to 25Q2-release

Change-Id: Ie1caf700bd3d2ca9a22fd9e52a4fc708ca1aa58f

build/apex/Android.bp

diff --git a/build/apex/Android.bp b/build/apex/Android.bp
index 5323296..8934de0 100644
--- a/build/apex/Android.bp
+++ b/build/apex/Android.bp
@@ -259,11 +259,6 @@
     srcs: [
         "sign_virt_apex.py",
     ],
-    version: {
-        py3: {
-            embedded_launcher: true,
-        },
-    },
     required: [
         // sign_virt_apex should be runnable from outside the source tree,
         // therefore, any required tool should be listed in build/make/core/Makefile as well.
@@ -332,11 +327,6 @@
     srcs: [
         "replace_bytes.py",
     ],
-    version: {
-        py3: {
-            embedded_launcher: true,
-        },
-    },
 }
 
 // Encapsulate the contributions made by the com.android.virt to the bootclasspath.

guest/trusty/common/early_vms.xml

diff --git a/guest/trusty/common/early_vms.xml b/guest/trusty/common/early_vms.xml
index 1ed324c..e9d4c61 100644
--- a/guest/trusty/common/early_vms.xml
+++ b/guest/trusty/common/early_vms.xml
@@ -19,4 +19,9 @@
         <cid>200</cid>
         <path>/system_ext/bin/trusty_security_vm_launcher</path>
     </early_vm>
+    <early_vm>
+        <name>trusty_security_vm_launcher_protected</name>
+        <cid>210</cid>
+        <path>/system_ext/bin/trusty_security_vm_launcher</path>
+    </early_vm>
 </early_vms>

guest/trusty/security_vm/launcher/security_vm_launcher-arm64.rc

diff --git a/guest/trusty/security_vm/launcher/security_vm_launcher-arm64.rc b/guest/trusty/security_vm/launcher/security_vm_launcher-arm64.rc
index c0e0537..3f3e48d 100644
--- a/guest/trusty/security_vm/launcher/security_vm_launcher-arm64.rc
+++ b/guest/trusty/security_vm/launcher/security_vm_launcher-arm64.rc
@@ -18,3 +18,30 @@
     setprop trusty.security_vm.nonsecure_vm_ready 1
     setprop trusty.security_vm.vm_cid 200
     start trusty_security_vm_launcher
+
+##########################
+# BELOW IS FOR TEST ONLY #
+##########################
+
+service trusty_security_vm_launcher_protected /system_ext/bin/trusty_security_vm_launcher \
+--name trusty_security_vm_launcher_protected \
+--kernel /system_ext/etc/vm/trusty_vm/trusty-security_vm.elf \
+--memory-size-mib 32 \
+--protected
+    disabled
+    user system
+    group system virtualmachine
+    capabilities IPC_LOCK NET_BIND_SERVICE SYS_RESOURCE SYS_NICE
+    stdio_to_kmsg
+    oneshot
+
+# Testing protected vm during early boot
+# TODO(b/): solve the MMIO guard issue preventing Host/VM communications
+# to reproduce: uncomment the `on post-fs` section
+#on post-fs
+#    start trusty_security_vm_launcher_protected
+
+# TODO(b/): solve the pKVM crash
+# to reproduce: uncomment the `on init` section
+#on init
+#    start trusty_security_vm_launcher_protected