trusty: support secure storage in system-ext

Bug: 355194622
Test: CF gets booted with KeyMint TA in VM
Change-Id: I3708ac572068162ca57c0e9b287296cea73215a7
diff --git a/trusty/storage/interface/Android.bp b/trusty/storage/interface/Android.bp
index d031b0c..769f53d 100644
--- a/trusty/storage/interface/Android.bp
+++ b/trusty/storage/interface/Android.bp
@@ -20,6 +20,7 @@
 
 cc_library_static {
     name: "libtrustystorageinterface",
-    vendor: true,
+    vendor_available: true,
+    system_ext_specific: true,
     export_include_dirs: ["include"],
 }
diff --git a/trusty/storage/proxy/Android.bp b/trusty/storage/proxy/Android.bp
index 7ef0e6f..f32188a 100644
--- a/trusty/storage/proxy/Android.bp
+++ b/trusty/storage/proxy/Android.bp
@@ -18,10 +18,8 @@
     default_applicable_licenses: ["Android-Apache-2.0"],
 }
 
-cc_binary {
-    name: "storageproxyd",
-    vendor: true,
-
+cc_defaults {
+    name: "storageproxyd.defaults",
     srcs: [
         "checkpoint_handling.cpp",
         "ipc.c",
@@ -47,14 +45,22 @@
         "libtrustystorageinterface",
         "libtrusty",
     ],
-    target: {
-        vendor: {
-            // vendor variant requires this flag
-            cflags: ["-DVENDOR_FS_READY_PROPERTY"],
-        },
-    },
     cflags: [
         "-Wall",
         "-Werror",
     ],
 }
+
+cc_binary {
+    name: "storageproxyd",
+    defaults: ["storageproxyd.defaults"],
+    vendor: true,
+    // vendor variant requires this flag
+    cflags: ["-DVENDOR_FS_READY_PROPERTY"],
+}
+
+cc_binary {
+    name: "storageproxyd.system",
+    defaults: ["storageproxyd.defaults"],
+    system_ext_specific: true,
+}
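Review bot: `storageproxyd.system` is declared without an `init_rc`, and the only service that runs it (`storageproxyd_system`) is defined in `rpmb_dev.system.rc`, which is installed by the separate `rpmb_dev.system` module. A product that lists this binary without `rpmb_dev.system` would ship it with no service definition, so I would at least record the dependency above the module: `// Service definition lives in rpmb_dev.system.rc, installed by rpmb_dev.system.` The system variant is also built without `-DVENDOR_FS_READY_PROPERTY`; what that flag gates is not visible in this hunk, so a short comment on the intended behaviour of the system variant would help.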
diff --git a/trusty/trusty-storage-cf.mk b/trusty/trusty-storage-cf.mk
new file mode 100644
index 0000000..3b46445
--- /dev/null
+++ b/trusty/trusty-storage-cf.mk
@@ -0,0 +1,25 @@
+#
+# Copyright (C) 2024 The Android Open-Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
+# This makefile should be included by the cuttlefish device
+# when enabling the Trusty VM to pull in the baseline set
+# of storage specific modules
+
+PRODUCT_PACKAGES += \
+	storageproxyd.system \
+	rpmb_dev.system \
+
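Review bot: The header comment says when to include this makefile but not that `rpmb_dev.system` is a file-backed RPMB mock, which `rpmb_dev.system.rc` in this same change describes as non secure and used only on Cuttlefish. Nothing in the makefile stops another product from inheriting it, so the restriction should be stated next to the package list, for example `# rpmb_dev.system is a file-backed RPMB mock (non secure); do not include this makefile on devices with real RPMB.`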
diff --git a/trusty/utils/rpmb_dev/Android.bp b/trusty/utils/rpmb_dev/Android.bp
index 603a1a8..13f151d 100644
--- a/trusty/utils/rpmb_dev/Android.bp
+++ b/trusty/utils/rpmb_dev/Android.bp
@@ -15,11 +15,8 @@
     default_applicable_licenses: ["Android-Apache-2.0"],
 }
 
-cc_binary {
-    name: "rpmb_dev",
-    vendor: true,
-    host_supported: true,
-
+cc_defaults {
+    name: "rpmb_dev.cc_defaults",
     srcs: [
         "rpmb_dev.c",
     ],
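Review bot: The defaults module here is named `rpmb_dev.cc_defaults`, while the equivalent one in trusty/storage/proxy/Android.bp is `storageproxyd.defaults`. Using one suffix for both would make the two build files easier to read together, for example `name: "rpmb_dev.defaults",` with the two `defaults:` references in the next hunk updated to match. The `cc_defaults` block continues past the end of this hunk.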
@@ -32,7 +29,23 @@
         "-Wall",
         "-Werror",
     ],
+}
+
+cc_binary {
+    name: "rpmb_dev",
+    defaults: ["rpmb_dev.cc_defaults"],
+    vendor: true,
+    host_supported: true,
     init_rc: [
         "rpmb_dev.rc",
     ],
 }
+
+cc_binary {
+    name: "rpmb_dev.system",
+    defaults: ["rpmb_dev.cc_defaults"],
+    system_ext_specific: true,
+    init_rc: [
+        "rpmb_dev.system.rc",
+    ],
+}
diff --git a/trusty/utils/rpmb_dev/rpmb_dev.system.rc b/trusty/utils/rpmb_dev/rpmb_dev.system.rc
new file mode 100644
index 0000000..b78c4e2
--- /dev/null
+++ b/trusty/utils/rpmb_dev/rpmb_dev.system.rc
@@ -0,0 +1,64 @@
+service storageproxyd_system /system_ext/bin/storageproxyd.system \
+        -d ${storageproxyd_system.trusty_ipc_dev:-/dev/trusty-ipc-dev0} \
+        -r /dev/socket/rpmb_mock_system \
+        -p /data/secure_storage_system \
+        -t sock
+    disabled
+    user system
+    group system
+
+service rpmb_mock_init_system /system_ext/bin/rpmb_dev.system \
+        --dev /mnt/secure_storage_rpmb_system/persist/RPMB_DATA --init --size 2048
+    disabled
+    user system
+    group system
+    oneshot
+
+service rpmb_mock_system /system_ext/bin/rpmb_dev.system \
+        --dev /mnt/secure_storage_rpmb_system/persist/RPMB_DATA \
+        --sock rpmb_mock_system
+    disabled
+    user system
+    group system
+    socket rpmb_mock_system stream 660 system system
+
+# storageproxyd
+on late-fs && \
+    property:trusty_vm_system_nonsecure.ready=1 && \
+    property:storageproxyd_system.trusty_ipc_dev=*
+    wait /dev/socket/rpmb_mock_system
+    start storageproxyd_system
+
+
+# RPMB Mock
+on post-fs && \
+    property:trusty_vm_system_nonsecure.ready=1 && \
+    property:trusty_vm_system.vm_cid=*
+    # Create a persistent location for the RPMB data
+    # (work around lack of RPMb block device on CF).
+    # file contexts secure_storage_rpmb_system_file
+    # (only used on Cuttlefish as this is non secure)
+    mkdir /metadata/secure_storage_rpmb_system 0770 system system
+    mkdir /mnt/secure_storage_rpmb_system 0770 system system
+    symlink /metadata/secure_storage_rpmb_system \
+            /mnt/secure_storage_rpmb_system/persist
+    # Create a system persist directory in /metadata
+    # (work around lack of dedicated system persist partition).
+    # file contexts secure_storage_persist_system_file
+    mkdir /metadata/secure_storage_persist_system 0770 system system
+    mkdir /mnt/secure_storage_persist_system 0770 system system
+    symlink /metadata/secure_storage_persist_system \
+            /mnt/secure_storage_persist_system/persist
+    setprop storageproxyd_system.trusty_ipc_dev VSOCK:${trusty_vm_system.vm_cid}:1
+    exec_start rpmb_mock_init_system
+    start rpmb_mock_system
+
+on post-fs-data && \
+    property:trusty_vm_system_nonsecure.ready=1 && \
+    property:storageproxyd_system.trusty_ipc_dev=*
+    # file contexts secure_storage_system_file
+    mkdir /data/secure_storage_system 0770 root system
+    symlink /mnt/secure_storage_persist_system/persist \
+            /data/secure_storage_system/persist
+    chown root system /data/secure_storage_system/persist
+    restart storageproxyd_system
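Review bot: The `setprop storageproxyd_system.trusty_ipc_dev VSOCK:${trusty_vm_system.vm_cid}:1` line in the `post-fs` action takes the VSOCK peer for secure storage straight from a property, and all three actions are gated only on `trusty_vm_system_nonsecure.ready=1`. Neither property is defined or labelled in this change, so it looks like whoever can set them decides which VM `storageproxyd_system` serves and whether the mock RPMB starts at all; please confirm the matching property_contexts restrict writers. I would add above the setprop `# vm_cid selects the VM that storageproxyd_system serves; keep the property writable only by the Trusty VM launcher`. The `# file contexts ...` comments likewise name labels whose sepolicy is not part of this diff, so it is worth checking that it lands with or before this file.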