Add plumbing for new tee_service_contexts
This will be used to enable some VMs to issue custom vendor-defined
SMCs. On the Android host side, the allow list of what VMs can access
what SMC services via selinux. In short the implementation will look
like these:
* new tee_service_contexts defines all SMC services available to VMs
and their mapping to selinux labels
* sepolicy defines what VMs can access what SMC services. The access
control is defined at the "VM owner process" (i.e. process using AVF
APIs to start a VM).
* virtmngr will enforce the access control by reading the mapping from
/system/ect/selinux_tee_service_contexts and the using
selinux_check_access function from libselinux to check if the VM owner
is allowed to access requested SMC services.
Since SMC is an arm concept, we use a more generic "tee_service" name
to define it.
More information available at go/pkvm-pvm-allow-vendor-tz-services-access
Follow up patch will define an example tee_service that can be used
to test these feature end-to-end.
Bug: 360102915
Test: build & flasg
Test: adb shell ls -alZ /system/etc/selinux/tee_service_contexts
Change-Id: I14976767ae1817688584f8f225dc8127647c13cc
diff --git a/Android.bp b/Android.bp
index b81820a..558810c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -126,6 +126,9 @@
}) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
true: ["plat_sepolicy_and_mapping.sha256"],
default: [],
+ }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+ true: ["plat_tee_service_contexts"],
+ default: [],
}),
}
@@ -1024,6 +1027,9 @@
default: [
"system_ext_202404.compat.cil",
],
+ }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+ true: ["system_ext_tee_service_contexts"],
+ default: [],
}),
system_ext_specific: true,
}
@@ -1060,6 +1066,9 @@
default: [
"product_202404.cil",
],
+ }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+ true: ["product_tee_service_contexts"],
+ default: [],
}),
product_specific: true,
}
@@ -1097,7 +1106,10 @@
"vendor_bug_map",
"vndservice_contexts",
"vndservice_contexts_test",
- ],
+ ] + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+ true: ["vendor_tee_service_contexts"],
+ default: [],
+ }),
vendor: true,
}
@@ -1201,6 +1213,9 @@
}) + select(soong_config_variable("ANDROID", "RELEASE_BOARD_API_LEVEL_FROZEN"), {
true: ["se_freeze_test"],
default: [],
+ }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+ true: ["plat_tee_service_contexts"],
+ default: [],
}),
}
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 330e02f..c96dda5 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -91,6 +91,7 @@
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
android.RegisterModuleType("seapp_contexts", seappFactory)
android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
+ android.RegisterModuleType("tee_service_contexts", teeServiceFactory)
android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
@@ -538,6 +539,12 @@
return m
}
+func teeServiceFactory() android.Module {
+ m := newModule()
+ m.build = m.buildGeneralContexts
+ return m
+}
+
func seappFactory() android.Module {
m := newModule()
m.build = m.buildSeappContexts
diff --git a/contexts/Android.bp b/contexts/Android.bp
index 850601f..08a4f64 100644
--- a/contexts/Android.bp
+++ b/contexts/Android.bp
@@ -68,6 +68,11 @@
srcs: ["vndservice_contexts"],
}
+se_build_files {
+ name: "tee_service_contexts_files",
+ srcs: ["tee_service_contexts"],
+}
+
file_contexts {
name: "plat_file_contexts",
defaults: ["contexts_flags_defaults"],
@@ -614,3 +619,34 @@
name: "fuzzer_bindings_test",
srcs: [":plat_service_contexts"],
}
+
+tee_service_contexts {
+ name: "plat_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":tee_service_contexts_files{.plat_private}"],
+}
+
+tee_service_contexts {
+ name: "system_ext_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":tee_service_contexts_files{.system_ext_private}"],
+ system_ext_specific: true,
+}
+
+tee_service_contexts {
+ name: "product_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [":tee_service_contexts_files{.product_private}"],
+ product_specific: true,
+}
+
+tee_service_contexts {
+ name: "vendor_tee_service_contexts",
+ defaults: ["contexts_flags_defaults"],
+ srcs: [
+ ":tee_service_contexts_files{.plat_vendor}",
+ ":tee_service_contexts_files{.vendor}",
+ ":tee_service_contexts_files{.reqd_mask}",
+ ],
+ soc_specific: true,
+}
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 7400a33..51d27d3 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -65,6 +65,7 @@
/vendor_seapp_contexts seapp_contexts_file
/plat_seapp_contexts seapp_contexts_file
/sepolicy sepolicy_file
+/plat_tee_service_contexts tee_service_contexts_file
/plat_service_contexts service_contexts_file
/plat_hwservice_contexts hwservice_contexts_file
/plat_keystore2_key_contexts keystore2_key_contexts_file
@@ -452,6 +453,7 @@
#/system/etc/selinux/mapping/30.compat.0.cil sepolicy_file
/system/etc/selinux/plat_mac_permissions.xml mac_perms_file
/system/etc/selinux/plat_property_contexts property_contexts_file
+/system/etc/selinux/plat_tee_service_contexts tee_service_contexts_file
/system/etc/selinux/plat_service_contexts service_contexts_file
/system/etc/selinux/plat_hwservice_contexts hwservice_contexts_file
/system/etc/selinux/plat_keystore2_key_contexts keystore2_key_contexts_file
@@ -689,6 +691,8 @@
/vendor/odm/etc/selinux/odm_keystore2_key_contexts keystore2_key_contexts_file
/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
/vendor/odm/etc/selinux/odm_mac_permissions.xml mac_perms_file
+/odm/etc/selinux/odm_tee_service_contexts tee_service_contexts_file
+/vendor/odm//etc/selinux/odm_tee_service_contexts tee_service_contexts_file
/product system_file
/product/does_not_exist system_file
@@ -717,6 +721,8 @@
/system/product/etc/selinux/product_service_contexts service_contexts_file
/product/etc/selinux/product_mac_permissions.xml mac_perms_file
/system/product/etc/selinux/product_mac_permissions.xml mac_perms_file
+/product/etc/selinux/product_tee_service_contexts tee_service_contexts_file
+/system/product/etc/selinux/product_tee_service_contexts tee_service_contexts_file
/product/lib system_lib_file
/product/lib/does_not_exist system_lib_file
@@ -761,6 +767,8 @@
/system/system_ext/etc/selinux/system_ext_mac_permissions.xml mac_perms_file
/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
/system/system_ext/etc/selinux/userdebug_plat_sepolicy.cil sepolicy_file
+/system_ext/etc/selinux/system_ext_tee_service_contexts tee_service_contexts_file
+/system/system_ext/etc/selinux/system_ext_tee_service_contexts tee_service_contexts_file
/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
/system/system_ext/bin/aidl_lazy_test_server aidl_lazy_test_server_exec
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 5466d2a..f68375b 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -23,6 +23,7 @@
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_AVF_ENABLE_NETWORK",
"RELEASE_AVF_ENABLE_MICROFUCHSIA",
+ "RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST",
"RELEASE_AVF_ENABLE_WIDEVINE_PVM",
"RELEASE_RANGING_STACK",
"RELEASE_READ_FROM_NEW_STORAGE",
diff --git a/private/access_vectors b/private/access_vectors
index 9d82ac8..f91c1a4 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -807,3 +807,8 @@
{
create
}
+
+class tee_service
+{
+ use
+}
diff --git a/private/attributes b/private/attributes
index 7e25e94..13479c9 100644
--- a/private/attributes
+++ b/private/attributes
@@ -27,3 +27,7 @@
# WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
attribute update_provider;
expandattribute update_provider false;
+
+until_board_api(202504, `
+ attribute tee_service_type;
+')
diff --git a/private/file.te b/private/file.te
index 60aa5d5..df17906 100644
--- a/private/file.te
+++ b/private/file.te
@@ -244,5 +244,10 @@
# boot otas for 16KB developer option
type vendor_boot_ota_file, vendor_file_type, file_type;
')
+
+until_board_api(202504, `
+ type tee_service_contexts_file, system_file_type, file_type;
+')
+
## END Types added in 202504 in public/file.te
diff --git a/private/file_contexts b/private/file_contexts
index a957f24..20ef9b8 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -83,6 +83,7 @@
/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:sepolicy_file:s0
+/plat_tee_service_contexts u:object_r:tee_service_contexts_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
@@ -377,6 +378,7 @@
/system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_tee_service_contexts u:object_r:tee_service_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
@@ -493,6 +495,7 @@
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_tee_service_contexts u:object_r:tee_service_contexts_file:s0
#############################
# Product files
@@ -509,6 +512,7 @@
/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(product|system/product)/etc/selinux/product_tee_service_contexts u:object_r:tee_service_contexts_file:s0
/(product|system/product)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
@@ -545,6 +549,7 @@
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/(system_ext|system/system_ext)/etc/aconfig(/.*)? u:object_r:system_aconfig_storage_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_tee_service_contexts u:object_r:tee_service_contexts_file:s0
#############################
# VendorDlkm files
diff --git a/private/security_classes b/private/security_classes
index 1d13d9f..0537214 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -172,3 +172,6 @@
class drmservice # userspace
# FLASK
+
+# Permissions for VMs to access SMC services
+class tee_service # userspace
diff --git a/private/shell.te b/private/shell.te
index 38c5ac8..31bf506 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -483,6 +483,8 @@
allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
')
+allow shell tee_service_contexts_file:file r_file_perms;
+
# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
recovery_only(`
diff --git a/private/tee_service_contexts b/private/tee_service_contexts
new file mode 100644
index 0000000..3791876
--- /dev/null
+++ b/private/tee_service_contexts
@@ -0,0 +1,9 @@
+# Tee services contexts.
+#
+# This file defines all tee services available to VMs.
+# This file is read by virtmngr.
+#
+# Format:
+# <tee_service_name> <label>
+#
+# <tee_service_name> must be a string
diff --git a/private/tee_services.te b/private/tee_services.te
new file mode 100644
index 0000000..c6fdb5c
--- /dev/null
+++ b/private/tee_services.te
@@ -0,0 +1,3 @@
+# Specify tee_services in this file.
+# Please keep the names in the alphabetical order and comment each new entry.
+
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 023e3e9..ca72279 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -135,3 +135,10 @@
allow virtualizationmanager tun_device:chr_file rw_file_perms;
allow virtualizationmanager vmnic:fd use;
')
+
+# virtualizationmanager reads tee_service_contexts_file to determine if VM is allowed
+# to access requested tee services
+allow virtualizationmanager tee_service_contexts_file:file r_file_perms;
+# virtualizationmanager uses libselinux to check if VM is allowed to access requested
+# tee services.
+selinux_check_access(virtualizationmanager)
diff --git a/public/attributes b/public/attributes
index 0503450..6e11b86 100644
--- a/public/attributes
+++ b/public/attributes
@@ -452,3 +452,8 @@
# All types of ART properties.
attribute dalvik_config_prop_type;
+
+# All tee services that can be accessed by VMs
+starting_at_board_api(202504, `
+ attribute tee_service_type;
+')
diff --git a/public/file.te b/public/file.te
index 4a2fc9f..94483a3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -649,6 +649,7 @@
starting_at_board_api(202504, `
type sysfs_udc, fs_type, sysfs_type;
+ type tee_service_contexts_file, system_file_type, file_type;
')
# system/sepolicy/public is for vendor-facing type and attribute definitions.