commit bf3711ef404353d9f75f4e4b0a6cc7364f4e8a9e
author Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> Thu Dec 07 16:03:20 2023 +0000
committer Shikha Panwar <shikhapanwar@google.com> Thu Dec 14 17:24:45 2023 +0000
tree 18297da7a0e3e0eb1373169da4b5c28353fe2366
parent 648257038dd0884b44b7f8968356d3aff0e25e32

pVM to use Secretkeeper protected secrets

These secrets are to be stored in Secretkeeper which provides
tamper-evident storage for pVMs.

Regular binder proxy cannot be transferred over RPC binder, so we build
SecretkeeperProxy service that forwards the rpc binder request from
within pVM to Secretkeeper HAL which is a regular binderized HAL. This
proxy service is hosted by virtualizationmanager.

Note on supported device: (is_sk_supported() method): Non protected VM
trusts the claim, whilst for protected VM, we require authentication
data from pvmfw. Support for pVM is not fully done (this doesn't affect
security since pvmfw does code_hash check).

Test: atest MicrodroidTests#encryptedStorageIsPersistent
Bug: 291213394
Change-Id: I3adb78b5eb9d5e7d53b2f990616668e0ceb63471

virtualizationmanager/Android.bp

diff --git a/virtualizationmanager/Android.bp b/virtualizationmanager/Android.bp
index 33897b2..88e9c70 100644
--- a/virtualizationmanager/Android.bp
+++ b/virtualizationmanager/Android.bp
@@ -5,7 +5,11 @@
 rust_defaults {
     name: "virtualizationmanager_defaults",
     crate_name: "virtualizationmanager",
-    defaults: ["avf_build_flags_rust"],
+    defaults: [
+        "avf_build_flags_rust",
+        "secretkeeper_use_latest_hal_aidl_rust",
+        "authgraph_use_latest_hal_aidl_rust",
+    ],
     edition: "2021",
     // Only build on targets which crosvm builds on.
     enabled: false,