commit fcbf5ff4c5781b9911e538766a494149abcef327
author Alice Wang <aliceywang@google.com> Mon Oct 09 09:25:50 2023 +0000
committer Alice Wang <aliceywang@google.com> Mon Oct 30 18:23:22 2023 +0000
tree 784850f3160a10f8fb3e045d097810ed96e81188
parent 71d06a4e5abe1cf80dd24813e1418e80e978b8aa

[rkp] Expose RKP Hal implementation in virtualizationservice

The service is only exposed when the remote attestation feature
flag is enabled.

Bug: 299257581
Test: atest MicrodroidHostTests
Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: Ie6129a57231d00ee17af5fff202adbfb566e1115

virtualizationservice/src/remote_provisioning.rs

diff --git a/virtualizationservice/src/remote_provisioning.rs b/virtualizationservice/src/remote_provisioning.rs
index a9a07a5..40f54db 100644
--- a/virtualizationservice/src/remote_provisioning.rs
+++ b/virtualizationservice/src/remote_provisioning.rs
@@ -27,7 +27,11 @@
 };
 use anyhow::Context;
 use avflog::LogResult;
-use binder::{BinderFeatures, Interface, IntoBinderResult, Result as BinderResult, Status, Strong};
+use binder::{
+    BinderFeatures, ExceptionCode, Interface, IntoBinderResult, Result as BinderResult, Status,
+    Strong,
+};
+use hypervisor_props::is_protected_vm_supported;
 use service_vm_comm::{RequestProcessingError, Response};
 
 /// Constructs a binder object that implements `IRemotelyProvisionedComponent`.
@@ -45,11 +49,13 @@
 #[allow(non_snake_case)]
 impl IRemotelyProvisionedComponent for AvfRemotelyProvisionedComponent {
     fn getHardwareInfo(&self) -> BinderResult<RpcHardwareInfo> {
+        check_protected_vm_is_supported()?;
+
         Ok(RpcHardwareInfo {
             versionNumber: 3,
             rpcAuthorName: String::from("Android Virtualization Framework"),
             supportedEekCurve: CURVE_NONE,
-            uniqueId: Some(String::from("Android Virtualization Framework 1")),
+            uniqueId: Some(String::from("AVF Remote Provisioning 1")),
             supportedNumKeysInCsr: MIN_SUPPORTED_NUM_KEYS_IN_CSR,
         })
     }
@@ -59,6 +65,8 @@
         testMode: bool,
         macedPublicKey: &mut MacedPublicKey,
     ) -> BinderResult<Vec<u8>> {
+        check_protected_vm_is_supported()?;
+
         if testMode {
             return Err(Status::new_service_specific_error_str(
                 STATUS_REMOVED,
@@ -101,6 +109,8 @@
         keysToSign: &[MacedPublicKey],
         challenge: &[u8],
     ) -> BinderResult<Vec<u8>> {
+        check_protected_vm_is_supported()?;
+
         const MAX_CHALLENGE_SIZE: usize = 64;
         if challenge.len() > MAX_CHALLENGE_SIZE {
             let message = format!(
@@ -123,6 +133,18 @@
     }
 }
 
+fn check_protected_vm_is_supported() -> BinderResult<()> {
+    if is_protected_vm_supported().unwrap_or(false) {
+        Ok(())
+    } else {
+        Err(Status::new_exception_str(
+            ExceptionCode::UNSUPPORTED_OPERATION,
+            Some("Protected VM support is missing for this operation"),
+        ))
+        .with_log()
+    }
+}
+
 fn to_service_specific_error(response: Response) -> Status {
     match response {
         Response::Err(e) => match e {