commit f50811bc9e1324cab2848714afc1adbcb18ebdb1
author Armelle Laine <armellel@google.com> Thu Jan 23 00:40:04 2025 +0000
committer Armelle Laine <armellel@google.com> Mon Feb 10 22:46:57 2025 +0000
tree 4fa1883f8ed9b1ea6d3a3515f21657d80bafc6fa
parent b618d0822f0d0ec9fae244d18125f80fb9cf6844

guest: trusty: enable pvmfw-verified pVM for security and test VMs

- rules that use unsigned images for x86, signed images for arm64

- system_ext artifacts enabled only on devices enabling
  `trusty_system_vm` via a soong config variable:

- VM payload configuration:
  support a `placeholder_trusted_hal` soong bool variable allowing
  to enable placeholder hals on devices that don't support
  the Trusted HALs (Cuttlefish on x86_64 for example)
   (placeholder_trusted_hal shall not be enabled in production)

- security_vm: update launcher build rules to also support arm64
  and define .rc prebuilts to be reused by any device
  (not just cuttlefish)

- test_vm: enable pvmfw-verified pVM by adding image signing rules

Bug: 391719387
Bug: 391210895
Test: qemu_trusty_arm64-trunk_staging-userdebug
Change-Id: I82dc911e482538e3f22dde6246a64e712bd0f1d0

guest/trusty/test_vm/Android.bp

diff --git a/guest/trusty/test_vm/Android.bp b/guest/trusty/test_vm/Android.bp
index 498028d..699b673 100644
--- a/guest/trusty/test_vm/Android.bp
+++ b/guest/trusty/test_vm/Android.bp
@@ -17,34 +17,16 @@
     default_team: "trendy_team_trusty",
 }
 
-// python -c "import hashlib; print(hashlib.sha256(b'trusty_test_vm_salt').hexdigest())"
-trusty_test_vm_salt = "5ce3eab1a08540e1334c83f54b8608aa6c23feee6939693cac41441449c5a51f"
-
-TRUSTY_TEST_VM_VERSION = 1
-
-avb_add_hash_footer {
-    name: "trusty_test_vm_signed",
-    filename: "trusty_test_vm_signed",
-    partition_name: "boot",
-    private_key: ":trusty_vm_sign_key",
-    salt: trusty_test_vm_salt,
-    rollback_index: TRUSTY_TEST_VM_VERSION,
-    src: ":empty_file",
-    enabled: false,
-    arch: {
-        x86_64: {
-            src: ":trusty-test-lk.elf",
-            enabled: true,
-        },
-    },
-}
-
 prebuilt_etc {
     name: "trusty_test_vm_config",
     enabled: false,
     arch: {
+        arm64: {
+            src: "trusty-test_vm-config-arm64.json",
+            enabled: true,
+        },
         x86_64: {
-            src: "vm_config_lk_x86_64.json",
+            src: "trusty-test_vm-config-x86_64.json",
             enabled: true,
         },
     },
@@ -55,11 +37,14 @@
     name: "trusty_vm_launcher_sh",
     enabled: false,
     arch: {
+        arm64: {
+            enabled: true,
+        },
         x86_64: {
-            src: "trusty-vm-launcher.sh",
             enabled: true,
         },
     },
+    src: "trusty-vm-launcher.sh",
     filename: "trusty-vm-launcher.sh",
 }
 
@@ -67,20 +52,32 @@
     name: "trusty_wait_ready_sh",
     enabled: false,
     arch: {
+        arm64: {
+            enabled: true,
+        },
         x86_64: {
-            src: "trusty-wait-ready.sh",
             enabled: true,
         },
     },
+    src: "trusty-wait-ready.sh",
     filename: "trusty-wait-ready.sh",
 }
 
 sh_test {
     name: "TrustyTestVM_UnitTests",
     src: "trusty-ut-ctrl.sh",
+    enabled: false,
+    arch: {
+        arm64: {
+            enabled: true,
+        },
+        x86_64: {
+            enabled: true,
+        },
+    },
     filename_from_src: true,
     data: [
-        ":trusty_test_vm_signed",
+        ":trusty_test_vm_elf",
         ":trusty_test_vm_config",
         "trusty-vm-launcher.sh",
         "trusty-wait-ready.sh",
@@ -91,10 +88,4 @@
     test_suites: [
         "general-tests",
     ],
-    enabled: false,
-    arch: {
-        x86_64: {
-            enabled: true,
-        },
-    },
 }