Support running protected VMs.
Test: atest VirtualizationTestCases
Change-Id: Ia6e605a73f6dd14e87fc7ad5e12bf973b1d2b499
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl
index 6ca9cc7..cb28856 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl
@@ -39,4 +39,7 @@
/** Disk images to be made available to the VM. */
DiskImage[] disks;
+
+ /** Whether the VM should be a protected VM. */
+ boolean protected_vm;
}
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 6d3f737..6b889c6 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -115,6 +115,7 @@
initrd: as_asref(&config.initrd),
disks,
params: config.params.to_owned(),
+ protected: config.protected_vm,
};
let composite_disk_mappings: Vec<_> = indirect_files
.iter()
diff --git a/virtualizationservice/src/crosvm.rs b/virtualizationservice/src/crosvm.rs
index 797011c..669c631 100644
--- a/virtualizationservice/src/crosvm.rs
+++ b/virtualizationservice/src/crosvm.rs
@@ -39,6 +39,7 @@
pub initrd: Option<&'a File>,
pub disks: Vec<DiskFile>,
pub params: Option<String>,
+ pub protected: bool,
}
/// A disk image to pass to crosvm for a VM.
@@ -55,6 +56,8 @@
child: SharedChild,
/// The CID assigned to the VM for vsock communication.
pub cid: Cid,
+ /// Whether the VM is a protected VM.
+ pub protected: bool,
/// Directory of temporary files used by the VM while it is running.
pub temporary_directory: PathBuf,
/// The UID of the process which requested the VM.
@@ -75,6 +78,7 @@
fn new(
child: SharedChild,
cid: Cid,
+ protected: bool,
temporary_directory: PathBuf,
requester_uid: u32,
requester_sid: String,
@@ -83,6 +87,7 @@
VmInstance {
child,
cid,
+ protected,
temporary_directory,
requester_uid,
requester_sid,
@@ -107,6 +112,7 @@
let instance = Arc::new(VmInstance::new(
child,
config.cid,
+ config.protected,
temporary_directory,
requester_uid,
requester_sid,
@@ -163,6 +169,10 @@
// TODO(qwandor): Remove --disable-sandbox.
command.arg("run").arg("--disable-sandbox").arg("--cid").arg(config.cid.to_string());
+ if config.protected {
+ command.arg("--protected-vm");
+ }
+
if let Some(log_fd) = log_fd {
command.stdout(log_fd);
} else {
diff --git a/vm/src/config.rs b/vm/src/config.rs
index 169fdab..8ea0d8f 100644
--- a/vm/src/config.rs
+++ b/vm/src/config.rs
@@ -43,6 +43,9 @@
/// Disk images to be made available to the VM.
#[serde(default)]
pub disks: Vec<DiskImage>,
+ /// Whether the VM should be a protected VM.
+ #[serde(default)]
+ pub protected: bool,
}
impl VmConfig {
@@ -80,6 +83,7 @@
params: self.params.clone(),
bootloader: maybe_open_parcel_file(&self.bootloader, false)?,
disks: self.disks.iter().map(DiskImage::to_parcelable).collect::<Result<_, Error>>()?,
+ protected_vm: self.protected,
})
}
}