guest: trusty: enable pvmfw-verified pVM for security and test VMs

- rules that use unsigned images for x86, signed images for arm64
- system_ext artifacts enabled only on devices enabling
  `trusty_system_vm` via a soong config variable:
- VM payload configuration:
  support a `placeholder_trusted_hal` soong bool variable allowing
  placeholder HALs to be enabled on devices that don't support
  the Trusted HALs (Cuttlefish on x86_64 for example)
  (placeholder_trusted_hal shall not be enabled in production)
- security_vm: update launcher build rules to also support arm64
  and define .rc prebuilts to be reused by any device
  (not just cuttlefish)
- test_vm: enable pvmfw-verified pVM by adding image signing rules

Bug: 391719387
Bug: 391210895
Test: qemu_trusty_arm64-trunk_staging-userdebug
Change-Id: I82dc911e482538e3f22dde6246a64e712bd0f1d0
diff --git a/guest/trusty/common/Android.bp b/guest/trusty/common/Android.bp
index 0541ed5..d6c524f 100644
--- a/guest/trusty/common/Android.bp
+++ b/guest/trusty/common/Android.bp
@@ -1,7 +1,33 @@
+soong_config_module_type {
+ name: "trusty_vm_prebuilt_etc",
+ module_type: "prebuilt_etc",
+ config_namespace: "trusty_system_vm",
+ bool_variables: [
+ "enabled",
+ "placeholder_trusted_hal",
+ ],
+ properties: ["src"],
+}
+
+soong_config_module_type {
+ name: "trusty_vm_avb_add_hash_footer",
+ module_type: "avb_add_hash_footer",
+ config_namespace: "trusty_system_vm",
+ bool_variables: ["enabled"],
+ properties: ["src"],
+}
+
prebuilt_etc {
name: "early_vms.xml",
- src: "early_vms.xml",
filename: "early_vms.xml",
relative_install_path: "avf",
system_ext_specific: true,
+ enabled: select(soong_config_variable("trusty_system_vm", "enabled"), {
+ true: true,
+ default: false,
+ }),
+ src: select(soong_config_variable("trusty_system_vm", "enabled"), {
+ true: "early_vms.xml",
+ default: ":empty_file",
+ }),
}
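Review bot: `placeholder_trusted_hal` in the `bool_variables` of `trusty_vm_prebuilt_etc` carries no comment or guard in this file, although the commit message says it shall not be enabled in production. A comment beside the variable stating that constraint, and a build-time check that rejects it on production targets, would keep the rule from living only in the commit message. In `early_vms.xml`, `enabled` and `src` both select on `soong_config_variable("trusty_system_vm", "enabled")`; if the `default: ":empty_file"` branch exists only so the disabled module still has a resolvable `src`, a one-line comment saying so would help, since the fallback otherwise reads as if an empty `early_vms.xml` could be installed under `avf`. The same module also uses a plain `prebuilt_etc` with `select()` while the new `trusty_vm_prebuilt_etc` type is declared just above it, so it is worth stating which of the two mechanisms device makefiles are expected to rely on.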