Add system property to disable avf remote attestation
Introduce a new system property
avf.remote_attestation.enabled to allow vendors
to disable the feature in vendor init.
Bug: 341598459
Test: enable/disable the feature and check VmAttestationTestApp
Change-Id: I809e4c62a8590822eef70093e33854ab79757835
diff --git a/private/property.te b/private/property.te
index a55bfb2..19513d9 100644
--- a/private/property.te
+++ b/private/property.te
@@ -74,6 +74,9 @@
system_restricted_prop(persist_sysui_builder_extras_prop)
system_restricted_prop(persist_sysui_ranking_update_prop)
+# Properties which should only be written by vendor_init
+system_vendor_config_prop(avf_virtualizationservice_prop)
+
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
typeattribute wifi_log_prop log_property_type;
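Review bot: The new type `avf_virtualizationservice_prop` and the heading comment above it do not say which properties the label is meant to cover, so any property later mapped to this type would inherit vendor_init write access without a policy change. This diff maps only `avf.remote_attestation.enabled` to it and grants read access only to virtualizationservice. I would record that scope in the comment, e.g. `# AVF properties set by vendor_init and read by virtualizationservice (currently avf.remote_attestation.enabled).`, so that widening the type later is a deliberate decision.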
diff --git a/private/property_contexts b/private/property_contexts
index d22ee7d..7807086 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -740,6 +740,9 @@
ro.fuse.bpf.enabled u:object_r:storage_config_prop:s0 exact bool
ro.fuse.bpf.is_running u:object_r:vold_status_prop:s0 exact bool
+# Allow the vendor to disable the remote attestation feature at boot-time.
+avf.remote_attestation.enabled u:object_r:avf_virtualizationservice_prop:s0 exact bool
+
hypervisor.pvmfw.path u:object_r:hypervisor_pvmfw_prop:s0 exact string
hypervisor.virtualizationmanager.debug_policy.path u:object_r:hypervisor_virtualizationmanager_prop:s0 exact string
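Review bot: `avf.remote_attestation.enabled` has no `ro.` prefix, so it is not write-once and a permitted writer can change it again after boot, while the comment describes a boot-time choice. If set-once is the intent, naming it `ro.avf.remote_attestation.enabled` would make init enforce that for a toggle that switches a security feature off. Otherwise the comment should say that the value may change at runtime. The comment could also state what an unset property means (feature on or off), which this diff does not show.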
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index b5c04af..f7db405 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -34,6 +34,10 @@
# pVM remote attestation.
hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
+# Allow the virtualizationservice to inspect whether remote attestation is supported
+# through the system property.
+get_prop(virtualizationservice, avf_virtualizationservice_prop)
+
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
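Review bot: The comment on the new `get_prop` says the property reports whether remote attestation is "supported", but the property is `avf.remote_attestation.enabled` and the commit message describes a vendor opt-out, so "enabled" is the accurate word. Suggested wording: `# Allow virtualizationservice to read avf.remote_attestation.enabled, which vendor_init may set to turn pVM remote attestation off.` Keeping the terms aligned matters because "unsupported" and "disabled by the vendor" are different states for anyone auditing why attestation is unavailable on a device.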