[km] Include non-secure KM HAL with Trusty VM in /system_ext
Bug: 355194622
Test: launch_cvd --noresume --console=true \
--extra_kernel_cmdline='androidboot.selinux=permissive' \
--secure_hals=guest_keymint_trusty_insecure
Change-Id: I1ecdca049cfd6d33caf98f95d1260083bed2c155
diff --git a/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc b/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
new file mode 100644
index 0000000..318c13b
--- /dev/null
+++ b/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
@@ -0,0 +1,17 @@
+service system.keymint.rust-trusty.nonsecure \
+ /system_ext/bin/hw/android.hardware.security.keymint-service.rust.trusty.system.nonsecure \
+ --dev ${ro.hardware.trusty_ipc_dev.keymint:-/dev/trusty-ipc-dev0}
+ disabled
+ user nobody
+ group drmrpc
+ # The keymint service is not allowed to restart.
+ # If it crashes, a device restart is required.
+ oneshot
+
+# Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled
+# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM
+# has a mechanism to notify the host.
+on late-fs && property:ro.hardware.security.keymint.trusty.system=1 && \
+ property:ro.hardware.trusty_vm_cid=*
+ setprop ro.hardware.trusty_ipc_dev.keymint VSOCK:${ro.hardware.trusty_vm_cid}:1
+ start system.keymint.rust-trusty.nonsecure