Fail early with a descriptive error message if pVMs are not supported
Bug: 350902964
Test: run-microdroid --protected on cf_x86_64
Change-Id: If65afa302e2567f411eb0796ed73d483f28b7538
diff --git a/virtualizationmanager/Android.bp b/virtualizationmanager/Android.bp
index d1ef4de..ada66dd 100644
--- a/virtualizationmanager/Android.bp
+++ b/virtualizationmanager/Android.bp
@@ -70,6 +70,7 @@
"libvsock",
"liblibfdt",
"libfsfdt",
+ "libhypervisor_props",
// TODO(b/202115393) stabilize the interface
"packagemanager_aidl-rust",
],
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 575af6b..8870f17 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -465,9 +465,12 @@
let kernel = maybe_clone_file(&config.kernel)?;
let initrd = maybe_clone_file(&config.initrd)?;
- // In a protected VM, we require custom kernels to come from a trusted source (b/237054515).
if config.protectedVm {
+ // In a protected VM, we require custom kernels to come from a trusted source
+ // (b/237054515).
check_label_for_kernel_files(&kernel, &initrd).or_service_specific_exception(-1)?;
+ // Fail fast with a meaningful error message in case device doesn't support pVMs.
+ check_protected_vm_is_supported()?;
}
let zero_filler_path = temporary_directory.join("zero.img");
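Review bot: The new `check_protected_vm_is_supported()?` call runs after `check_label_for_kernel_files`, so on a device without pVM support a request whose kernel or initrd fails the label check still gets the generic service-specific `-1` instead of `UNSUPPORTED_OPERATION`. Inside `if config.protectedVm {`, put `check_protected_vm_is_supported()?;` first and keep the label check unconditionally after it, so the trusted-source requirement for custom kernels is never skipped on supported devices. The two `maybe_clone_file` calls above also run before either check; hoisting the support check above them would match the "fail early" intent in the commit title. The enclosing function starts and ends outside this hunk, so whether every protected-VM creation path reaches this branch cannot be confirmed from here.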
@@ -1502,6 +1505,17 @@
Ok(())
}
+fn check_protected_vm_is_supported() -> binder::Result<()> {
+ let is_pvm_supported =
+ hypervisor_props::is_protected_vm_supported().or_service_specific_exception(-1)?;
+ if is_pvm_supported {
+ Ok(())
+ } else {
+ Err(anyhow!("pVM is not supported"))
+ .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION)
+ }
+}
+
fn check_config_features(config: &VirtualMachineConfig) -> binder::Result<()> {
if !cfg!(vendor_modules) {
check_no_vendor_modules(config)?;
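Review bot: In `check_protected_vm_is_supported`, a failure of `hypervisor_props::is_protected_vm_supported()` is mapped to service-specific code `-1` with no added context. That is the same code the kernel label check in the earlier hunk returns, so a client or a log reader cannot tell "could not query hypervisor support" from "kernel files not trusted". If `anyhow::Context` is in scope in this file (not visible in the hunk), adding `.context("Failed to query protected VM support")` before `.or_service_specific_exception(-1)?` would keep the two cases distinguishable. The function also has no doc comment; something like `/// Returns UNSUPPORTED_OPERATION if the hypervisor does not support protected VMs.` would record the contract callers rely on.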