Merge "Skip guest register getting on arm32." into main
diff --git a/debuggerd/crasher/Android.bp b/debuggerd/crasher/Android.bp
index 4c6a400..3af806b 100644
--- a/debuggerd/crasher/Android.bp
+++ b/debuggerd/crasher/Android.bp
@@ -15,7 +15,6 @@
"-fstack-protector-all",
"-Wno-date-time",
],
- tidy: false, // crasher.cpp tests many memory access errors
srcs: ["crasher.cpp"],
arch: {
arm: {
diff --git a/debuggerd/test_permissive_mte/Android.bp b/debuggerd/test_permissive_mte/Android.bp
index f333242..4403b8a 100644
--- a/debuggerd/test_permissive_mte/Android.bp
+++ b/debuggerd/test_permissive_mte/Android.bp
@@ -18,7 +18,6 @@
cc_binary {
name: "mte_crash",
- tidy: false,
srcs: ["mte_crash.cpp"],
sanitize: {
memtag_heap: true,
diff --git a/fastboot/Android.bp b/fastboot/Android.bp
index d3e0581..6e47a08 100644
--- a/fastboot/Android.bp
+++ b/fastboot/Android.bp
@@ -307,12 +307,6 @@
generated_headers: ["platform_tools_version"],
- tidy_flags: [
- // DO NOT add quotes around header-filter flag regex argument,
- // because build/soong will add quotes around the whole flag.
- "-header-filter=(system/core/fastboot/|development/host/windows/usb/api/)",
- ],
-
target: {
windows: {
srcs: ["usb_windows.cpp"],
diff --git a/libsysutils/Android.bp b/libsysutils/Android.bp
index 842db40..18a6aa6 100644
--- a/libsysutils/Android.bp
+++ b/libsysutils/Android.bp
@@ -32,18 +32,6 @@
export_include_dirs: ["include"],
- tidy: true,
- tidy_checks: [
- "-*",
- "cert-*",
- "clang-analyzer-security*",
- "android-*",
- ],
- tidy_checks_as_errors: [
- "cert-*",
- "clang-analyzer-security*",
- "android-*",
- ],
apex_available: [
"//apex_available:anyapex",
"//apex_available:platform",
diff --git a/toolbox/Android.bp b/toolbox/Android.bp
index 3142542..5169aa1 100644
--- a/toolbox/Android.bp
+++ b/toolbox/Android.bp
@@ -84,3 +84,22 @@
vendor: true,
defaults: ["toolbox_binary_defaults"],
}
+
+// This one is installed in the generic ramdisk, and can be executed during
+// init-first-stage.
+// As there are no dynamic linker available, this must be statically linked.
+cc_binary {
+ name: "toolbox_ramdisk",
+ defaults: ["toolbox_binary_defaults"],
+ ramdisk: true,
+ static_executable: true,
+ system_shared_libs: [],
+ exclude_shared_libs: [
+ "libbase",
+ "liblog",
+ ],
+ static_libs: [
+ "libbase",
+ "liblog",
+ ],
+}
diff --git a/trusty/sysprops/Android.bp b/trusty/sysprops/Android.bp
new file mode 100644
index 0000000..ec27f51
--- /dev/null
+++ b/trusty/sysprops/Android.bp
@@ -0,0 +1,15 @@
+sysprop_library {
+ name: "trusty-properties",
+ srcs: ["android/sysprop/trusty/security_vm.sysprop"],
+ property_owner: "Platform",
+ api_packages: ["android.sysprop.trusty"],
+ apex_available: [
+ "//apex_available:platform",
+ ],
+}
+
+rust_binary {
+ name: "trusty-properties-example",
+ srcs: ["example.rs"],
+ rustlibs: ["libtrusty_properties_rust"],
+}
diff --git a/trusty/sysprops/android/sysprop/trusty/security_vm.sysprop b/trusty/sysprops/android/sysprop/trusty/security_vm.sysprop
new file mode 100644
index 0000000..a079ecf
--- /dev/null
+++ b/trusty/sysprops/android/sysprop/trusty/security_vm.sysprop
@@ -0,0 +1,67 @@
+# Copyright (C) 2025 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This module accesses properties regarding the Trusty VM that runs apps
+# used to provide security for the system, such as Keymint or Gatekeeper.
+
+module: "android.sysprop.trusty.security_vm"
+owner: Platform
+
+# The default Context Identifier to connect to Trusty over vsock.
+prop {
+ api_name: "vm_cid"
+ prop_name: "trusty.security_vm.vm_cid"
+ type: Integer
+ scope: Internal
+ access: Readonly
+}
+
+# Signals when a nonsecure VM is ready.
+#
+# This is used to launch dependent HALs.
+#
+# Trusty security VMs come in two flavors: non-secure and secure.
+#
+# 1. Non-secure VMs run on emulated environments like Cuttlefish, which lack
+# pVM firmware and TEE support. Consequently, KeyMint's root-of-trust data
+# is passed into the VM from the host's HAL, and an RPMB proxy provides
+# secure storage.
+# 2. Secure VMs run on physical devices. Here, pVM firmware handles the
+# transfer of root-of-trust data via DeviceTree, and a TEE provides secure
+# storage.
+prop {
+ api_name: "nonsecure_vm_ready"
+ prop_name: "trusty.security_vm.nonsecure_vm_ready"
+ type: Boolean
+ scope: Internal
+ access: Readonly
+}
+
+# The Trusty Security VM is enabled.
+prop {
+ api_name: "enabled"
+ prop_name: "trusty.security_vm.enabled"
+ type: Boolean
+ scope: Public
+ access: Readonly
+}
+
+# KeyMint is enabled in the Trusty Security VM.
+prop {
+ api_name: "keymint_enabled"
+ prop_name: "trusty.security_vm.keymint.enabled"
+ type: Boolean
+ scope: Public
+ access: Readonly
+}
diff --git a/trusty/sysprops/api/trusty-properties-current.txt b/trusty/sysprops/api/trusty-properties-current.txt
new file mode 100644
index 0000000..aa792fc
--- /dev/null
+++ b/trusty/sysprops/api/trusty-properties-current.txt
@@ -0,0 +1,11 @@
+props {
+ module: "android.sysprop.trusty.security_vm"
+ prop {
+ api_name: "enabled"
+ prop_name: "trusty.security_vm.enabled"
+ }
+ prop {
+ api_name: "keymint_enabled"
+ prop_name: "trusty.security_vm.keymint.enabled"
+ }
+}
diff --git a/trusty/sysprops/api/trusty-properties-latest.txt b/trusty/sysprops/api/trusty-properties-latest.txt
new file mode 100644
index 0000000..aa792fc
--- /dev/null
+++ b/trusty/sysprops/api/trusty-properties-latest.txt
@@ -0,0 +1,11 @@
+props {
+ module: "android.sysprop.trusty.security_vm"
+ prop {
+ api_name: "enabled"
+ prop_name: "trusty.security_vm.enabled"
+ }
+ prop {
+ api_name: "keymint_enabled"
+ prop_name: "trusty.security_vm.keymint.enabled"
+ }
+}
diff --git a/trusty/sysprops/example.rs b/trusty/sysprops/example.rs
new file mode 100644
index 0000000..f21e779
--- /dev/null
+++ b/trusty/sysprops/example.rs
@@ -0,0 +1,11 @@
+//! Example showing how to access the `trusty.security_vm.vm_cid` system property with Rust.
+
+use trusty_properties::security_vm;
+
+fn main() {
+ match security_vm::vm_cid() {
+ Ok(Some(cid)) => println!("CID: {cid}"),
+ Ok(None) => println!("CID property not set"),
+ Err(e) => println!("Error: {e:?}"),
+ }
+}