Add build time feature flag for pvm remote attestation
Bug: 299604057
Test: m com.android.virt
Change-Id: Iabc9ae83b4c54bdfcb9657775cf7cb0c78bc9bbf
diff --git a/Android.bp b/Android.bp
index 4fa696f..22581b0 100644
--- a/Android.bp
+++ b/Android.bp
@@ -36,6 +36,7 @@
"release_avf_enable_dice_changes",
"release_avf_enable_llpvm_changes",
"release_avf_enable_multi_tenant_microdroid_vm",
+ "release_avf_enable_remote_attestation",
"release_avf_enable_vendor_modules",
],
properties: [
@@ -55,6 +56,9 @@
release_avf_enable_multi_tenant_microdroid_vm: {
cfgs: ["payload_not_root"],
},
+ release_avf_enable_remote_attestation: {
+ cfgs: ["remote_attestation"],
+ },
release_avf_enable_vendor_modules: {
cfgs: ["vendor_modules"],
},
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 6f5a487..645a82b 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -160,10 +160,20 @@
fn requestCertificate(&self, csr: &[u8]) -> binder::Result<Vec<u8>> {
check_manage_access()?;
info!("Received csr. Getting certificate...");
- request_certificate(csr)
- .context("Failed to get certificate")
+ if cfg!(remote_attestation) {
+ request_certificate(csr)
+ .context("Failed to get certificate")
+ .with_log()
+ .or_service_specific_exception(-1)
+ } else {
+ Err(Status::new_exception_str(
+ ExceptionCode::UNSUPPORTED_OPERATION,
+ Some(
+ "requestCertificate is not supported with the remote_attestation feature disabled",
+ ),
+ ))
.with_log()
- .or_service_specific_exception(-1)
+ }
}
fn getAssignableDevices(&self) -> binder::Result<Vec<AssignableDevice>> {
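Review bot: The `info!("Received csr. Getting certificate...")` line in `requestCertificate` still runs before the `cfg!(remote_attestation)` test, so a build with the feature off logs that a certificate is being fetched just before the call is rejected with `UNSUPPORTED_OPERATION`. Moving that `info!` into the enabled branch keeps the service log accurate for anyone auditing attestation requests. Keeping `check_manage_access()?` ahead of the gate is the right order, because an unauthorized caller then gets the permission error instead of learning whether the feature is built in. A one-line comment above the `if` would also help, for example `// cfg!() rather than #[cfg]: both branches are type-checked in every build configuration.`; that rationale is inferred from the code, so confirm it matches the intent.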