[km] Add a new rust binary for non-secure KeyMint host
The new binary sets non-secure RoT for keymint. The non-secure
version will be used on cuttlefish.
Bug: 355194622
Test: CF gets booted with KeyMint TA in VM
Change-Id: Iff202c6d4bb70dabeb866b4f3fbc18c006bb219e
diff --git a/trusty/keymint/Android.bp b/trusty/keymint/Android.bp
index 92d9c6f..1b87d80 100644
--- a/trusty/keymint/Android.bp
+++ b/trusty/keymint/Android.bp
@@ -17,12 +17,10 @@
default_applicable_licenses: ["Android-Apache-2.0"],
}
-rust_binary {
- name: "android.hardware.security.keymint-service.rust.trusty",
+rust_defaults {
+ name: "android.hardware.security.keymint-service.rust.trusty.default",
relative_install_path: "hw",
vendor: true,
- init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],
- vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],
srcs: [
"src/keymint_hal_main.rs",
],
@@ -37,7 +35,23 @@
"liblog_rust",
],
prefer_rlib: true,
+}
+
+rust_binary {
+ name: "android.hardware.security.keymint-service.rust.trusty",
+ defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
+ init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],
+ vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],
required: [
"android.hardware.hardware_keystore.xml",
],
}
+
+rust_binary {
+ name: "android.hardware.security.keymint-service.rust.trusty.nonsecure",
+ defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
+ features: ["nonsecure"],
+ rustlibs: [
+ "libkmr_hal_nonsecure",
+ ],
+}
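Review bot: The new `...rust.trusty.nonsecure` module carries none of the `init_rc`, `vintf_fragments` or `required` entries that the secure `rust_binary` keeps, and nothing on the module says how it is meant to be started or that it must stay off production images. If that omission is deliberate (cuttlefish supplying its own rc/manifest), a comment on the module would stop a later reader from "fixing" it by copying those lines over, e.g. `// Cuttlefish-only variant: RoT/attestation data comes from Android properties; rc and VINTF fragment are provided by the CF device config.` The word "provided by the CF device config" is my guess at the reason and should be replaced with the actual one.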
diff --git a/trusty/keymint/src/keymint_hal_main.rs b/trusty/keymint/src/keymint_hal_main.rs
index 3c5627b..a0b1d79 100644
--- a/trusty/keymint/src/keymint_hal_main.rs
+++ b/trusty/keymint/src/keymint_hal_main.rs
@@ -18,7 +18,7 @@
use kmr_hal::{
extract_rsp, keymint, rpc, secureclock, send_hal_info, sharedsecret, SerializedChannel,
};
-use log::{error, info};
+use log::{error, info, warn};
use std::{
ffi::CString,
ops::DerefMut,
@@ -109,7 +109,11 @@
error!("{}", panic_info);
}));
- info!("Trusty KM HAL service is starting.");
+ if cfg!(feature = "nonsecure") {
+ warn!("Non-secure Trusty KM HAL service is starting.");
+ } else {
+ info!("Trusty KM HAL service is starting.");
+ }
info!("Starting thread pool now.");
binder::ProcessState::start_thread_pool();
@@ -126,6 +130,29 @@
)?;
let tipc_channel = Arc::new(Mutex::new(TipcChannel(connection)));
+ #[cfg(feature = "nonsecure")]
+ {
+ // When the non-secure feature is enabled, retrieve root-of-trust information
+ // (with the exception of the verified boot key hash) from Android properties, and
+ // populate the TA with this information. On a real device, the bootloader should
+ // provide this data to the TA directly.
+ let boot_req = kmr_hal_nonsecure::get_boot_info();
+ info!("boot/HAL->TA: boot info is {:?}", boot_req);
+ kmr_hal::send_boot_info(tipc_channel.lock().unwrap().deref_mut(), boot_req)
+ .map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?;
+ // When the non-secure feature is enabled, also retrieve device ID information
+ // (except for IMEI/MEID values) from Android properties and populate the TA with
+ // this information. On a real device, a factory provisioning process would populate
+ // this information.
+ let attest_ids = kmr_hal_nonsecure::attestation_id_info();
+ if let Err(e) =
+ kmr_hal::send_attest_ids(tipc_channel.lock().unwrap().deref_mut(), attest_ids)
+ {
+ error!("Failed to send attestation ID info: {:?}", e);
+ }
+ info!("Successfully sent non-secure boot info and attestation IDs to the TA.");
+ }
+
// Register the Keymint service
let km_service = keymint::Device::new_as_binder(tipc_channel.clone());
let km_service_name = format!("{}/{}", KM_SERVICE_NAME, SERVICE_INSTANCE);
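Review bot: The `info!("Successfully sent non-secure boot info and attestation IDs to the TA.")` line runs unconditionally, so after `send_attest_ids` fails the log shows both the error and a success message for the same step. Moving the success line into an `else` on the `if let Err(e)` fixes it: `} else { info!("Successfully sent non-secure boot info and attestation IDs to the TA."); }`. The hunk also treats the two sends differently (`send_boot_info` failure is fatal via `?`, `send_attest_ids` failure is only logged) without saying why; if that asymmetry is intended, a one-line comment such as `// Attestation IDs are best-effort here: the TA can still serve without them — confirm` would document it, and if it is not, the second call should propagate the error the same way as the first. The enclosing function starts and ends outside this hunk.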