Check whether remote attestation is supported with system property
This CL introduces a new system property,
avf.remote_attestation.enabled, that allows vendors to
disable the remote attestation feature in vendor init.
Bug: 341598459
Test: enable/disable the feature and check VmAttestationTestApp
Change-Id: I5b26ba029ea1be74d8c0d139d69aee608c92f327
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 8fe4167..41d09bc 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -353,6 +353,7 @@
))
.with_log();
}
+ remote_provisioning::check_remote_attestation_is_supported()?;
info!("Received csr. Requestting attestation...");
let (key_blob, certificate_chain) = if test_mode {
check_use_custom_virtual_machine()?;
@@ -403,7 +404,8 @@
}
fn isRemoteAttestationSupported(&self) -> binder::Result<bool> {
- is_remote_provisioning_hal_declared()
+ Ok(is_remote_provisioning_hal_declared()?
+ && remote_provisioning::is_remote_attestation_supported())
}
fn getAssignableDevices(&self) -> binder::Result<Vec<AssignableDevice>> {
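Review bot: `isRemoteAttestationSupported` can now disagree with the gate that the attestation request path applies. The added expression tests only the HAL declaration and the system property, while `check_remote_attestation_is_supported()` also requires `is_protected_vm_supported()`. If the HAL can be declared on a build without protected VM support (not visible from this hunk), a client would be told the feature is supported and then receive UNSUPPORTED_OPERATION. Consider having both paths share one boolean predicate that covers all three conditions. If the HAL declaration already implies protected VM support, say so in a comment above the expression, for example `// Protected VM support is implied by the HAL declaration, so only the property is checked here.`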
diff --git a/virtualizationservice/src/remote_provisioning.rs b/virtualizationservice/src/remote_provisioning.rs
index c2c04df..490ff01 100644
--- a/virtualizationservice/src/remote_provisioning.rs
+++ b/virtualizationservice/src/remote_provisioning.rs
@@ -32,6 +32,7 @@
Strong,
};
use hypervisor_props::is_protected_vm_supported;
+use rustutils::system_properties;
use service_vm_comm::{RequestProcessingError, Response};
/// Constructs a binder object that implements `IRemotelyProvisionedComponent`.
@@ -49,7 +50,7 @@
#[allow(non_snake_case)]
impl IRemotelyProvisionedComponent for AvfRemotelyProvisionedComponent {
fn getHardwareInfo(&self) -> BinderResult<RpcHardwareInfo> {
- check_protected_vm_is_supported()?;
+ check_remote_attestation_is_supported()?;
Ok(RpcHardwareInfo {
versionNumber: 3,
@@ -65,7 +66,7 @@
testMode: bool,
macedPublicKey: &mut MacedPublicKey,
) -> BinderResult<Vec<u8>> {
- check_protected_vm_is_supported()?;
+ check_remote_attestation_is_supported()?;
if testMode {
return Err(Status::new_service_specific_error_str(
@@ -109,7 +110,7 @@
keysToSign: &[MacedPublicKey],
challenge: &[u8],
) -> BinderResult<Vec<u8>> {
- check_protected_vm_is_supported()?;
+ check_remote_attestation_is_supported()?;
const MAX_CHALLENGE_SIZE: usize = 64;
if challenge.len() > MAX_CHALLENGE_SIZE {
@@ -133,16 +134,27 @@
}
}
-fn check_protected_vm_is_supported() -> BinderResult<()> {
- if is_protected_vm_supported().unwrap_or(false) {
- Ok(())
- } else {
- Err(Status::new_exception_str(
+pub(crate) fn check_remote_attestation_is_supported() -> BinderResult<()> {
+ if !is_protected_vm_supported().unwrap_or(false) {
+ return Err(Status::new_exception_str(
ExceptionCode::UNSUPPORTED_OPERATION,
Some("Protected VM support is missing for this operation"),
))
- .with_log()
+ .with_log();
}
+ if !is_remote_attestation_supported() {
+ return Err(Status::new_exception_str(
+ ExceptionCode::UNSUPPORTED_OPERATION,
+ Some("Remote attestation is disabled"),
+ ))
+ .with_log();
+ }
+ Ok(())
+}
+
+pub(crate) fn is_remote_attestation_supported() -> bool {
+ // Remote attestation is enabled by default.
+ system_properties::read_bool("avf.remote_attestation.enabled", true).unwrap_or(true)
}
pub(crate) fn to_service_specific_error(response: Response) -> Status {
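Review bot: `is_remote_attestation_supported()` fails open, because `.unwrap_or(true)` discards any error from `system_properties::read_bool`. A property that is set but cannot be read or parsed as a boolean therefore leaves attestation enabled, with nothing in the log. Since the property exists so vendors can switch the feature off, log the error before defaulting, e.g. `.unwrap_or_else(|e| { warn!("Failed to read avf.remote_attestation.enabled: {e:?}"); true })` (assuming `warn!` is in scope in this file, which the hunk does not show), or decide deliberately whether an unreadable value should disable the feature. Both new `pub(crate)` functions also lack doc comments. A `///` line on `is_remote_attestation_supported` stating that it reports only the property, not protected VM support, would keep callers from treating it as the full gate.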