Allow marking a VM non-updatable

Where a VM will never need to be updated we can mark it as
such. Currently this is used to disable use of Secretkeeper for the
VM, falling back to checking for identical code.

Bug: 338022149
Test: TH
Change-Id: I4ebc76b84106f13e63d2cc19cff108421cbc4f49
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 0c4aa7c..73d69b9 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -434,7 +434,8 @@
         if cfg!(llpvm_changes) {
             instance_id = extract_instance_id(config);
             untrusted_props.push((cstr!("instance-id"), &instance_id[..]));
-            if is_secretkeeper_supported() {
+            let want_updatable = extract_want_updatable(config);
+            if want_updatable && is_secretkeeper_supported() {
                 // Let guest know that it can defer rollback protection to Secretkeeper by setting
                 // an empty property in untrusted node in DT. This enables Updatable VMs.
                 untrusted_props.push((cstr!("defer-rollback-protection"), &[]))
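Review bot: When `want_updatable` is false, the new condition `if want_updatable && is_secretkeeper_supported()` skips the `defer-rollback-protection` property without leaving any trace. Per the commit description the VM then falls back to checking for identical code, and from the logs that case cannot be told apart from a device that lacks Secretkeeper. A one-line log before the `if` would make the decision auditable, for example `if !want_updatable { info!("VM is marked non-updatable; not deferring rollback protection to Secretkeeper"); }`, assuming the `log` macros are already in scope in this file. The enclosing function and the rest of this `if` body lie outside the hunk.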
@@ -1374,6 +1375,16 @@
     }
 }
 
+fn extract_want_updatable(config: &VirtualMachineConfig) -> bool {
+    match config {
+        VirtualMachineConfig::RawConfig(_) => true,
+        VirtualMachineConfig::AppConfig(config) => {
+            let Some(custom) = &config.customConfig else { return true };
+            custom.wantUpdatable
+        }
+    }
+}
+
 fn extract_gdb_port(config: &VirtualMachineConfig) -> Option<NonZeroU16> {
     match config {
         VirtualMachineConfig::RawConfig(config) => NonZeroU16::new(config.gdbPort as u16),
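Review bot: `extract_want_updatable` has no doc comment, yet its two implicit defaults decide whether rollback protection is deferred to Secretkeeper: every `RawConfig` VM and every `AppConfig` VM without a `customConfig` is treated as updatable. I would state that on the function, e.g. `/// Returns whether the VM wants to stay updatable. RawConfig VMs and AppConfig VMs with no customConfig default to true, matching the AIDL default of wantUpdatable.` The `else { return true }` arm duplicates the `= true` default declared in VirtualMachineAppConfig.aidl, so the comment should also say the two must be kept in step. `extract_gdb_port` below is context only and continues past the hunk.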
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
index 890535b..417d5d3 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineAppConfig.aidl
@@ -118,6 +118,12 @@
 
         /** List of SysFS nodes of devices to be assigned */
         String[] devices;
+
+        /**
+         * Whether the VM should be able to keep its secret when updated, if possible. This
+         * should rarely need to be set false.
+         */
+        boolean wantUpdatable = true;
     }
 
     /** Configuration parameters guarded by android.permission.USE_CUSTOM_VIRTUAL_MACHINE */
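Review bot: The doc comment on `wantUpdatable` does not say what a caller gives up by setting it to false. Going by the commit description, false disables use of Secretkeeper for the VM and falls back to checking for identical code, so presumably the VM's secret no longer survives a change to its code. That consequence belongs in the interface documentation, for instance an added line `* If false, Secretkeeper is not used for this VM and its secret is tied to identical code.` The parcelable that holds this field starts outside the hunk, so it is also worth confirming that whatever access check covers its other fields applies to a non-default `wantUpdatable` as well.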
diff --git a/vm/src/run.rs b/vm/src/run.rs
index ca3e857..f3a5987 100644
--- a/vm/src/run.rs
+++ b/vm/src/run.rs
@@ -149,7 +149,6 @@
     let payload_config_str = format!("{:?}!{:?}", config.apk, payload);
 
     let custom_config = CustomConfig {
-        customKernelImage: None,
         gdbPort: config.debug.gdb.map(u16::from).unwrap_or(0) as i32, // 0 means no gdb
         vendorImage: vendor,
         devices: config
@@ -160,6 +159,7 @@
                 x.to_str().map(String::from).ok_or(anyhow!("Failed to convert {x:?} to String"))
             })
             .collect::<Result<_, _>>()?,
+        ..Default::default()
     };
 
     let vm_config = VirtualMachineConfig::AppConfig(VirtualMachineAppConfig {
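Review bot: With `..Default::default()` this initializer no longer names `customKernelImage`, and it never names the new `wantUpdatable`, so the value that gates Secretkeeper use is set here only implicitly. A short comment on that line would make this visible to the next reader, `// Remaining fields, including wantUpdatable, keep their AIDL defaults.` The same initializer spans the previous hunk, and the surrounding function starts and ends outside both.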