Add plumbing for new tee_service_contexts

This will be used to enable some VMs to issue custom vendor-defined
SMCs. On the Android host side, the allow list of what VMs can access
what SMC services is defined via selinux. In short the implementation
will look like this:

* new tee_service_contexts defines all SMC services available to VMs
  and their mapping to selinux labels
* sepolicy defines what VMs can access what SMC services. The access
  control is defined at the "VM owner process" (i.e. process using AVF
  APIs to start a VM).
* virtmngr will enforce the access control by reading the mapping from
  /system/ect/selinux_tee_service_contexts and then using the
  selinux_check_access function from libselinux to check if the VM owner
  is allowed to access requested SMC services.

Since SMC is an arm concept, we use a more generic "tee_service" name
to define it.

More information available at go/pkvm-pvm-allow-vendor-tz-services-access

Follow up patch will define an example tee_service that can be used
to test this feature end-to-end.

Bug: 360102915
Test: build & flash
Test: adb shell ls -alZ /system/etc/selinux/tee_service_contexts
Change-Id: I14976767ae1817688584f8f225dc8127647c13cc
diff --git a/Android.bp b/Android.bp
index b81820a..558810c 100644
--- a/Android.bp
+++ b/Android.bp
@@ -126,6 +126,9 @@
     }) + select(soong_config_variable("ANDROID", "PRODUCT_PRECOMPILED_SEPOLICY"), {
         true: ["plat_sepolicy_and_mapping.sha256"],
         default: [],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["plat_tee_service_contexts"],
+        default: [],
     }),
 }
 
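Review bot: The install location of the "plat_tee_service_contexts" entry added in the true: branch is stated two different ways in the commit message: the virtmngr bullet reads the mapping from /system/ect/selinux_tee_service_contexts, while the Test line lists /system/etc/selinux/tee_service_contexts. Please make the message name the one path this module installs to, since the enforcement described there depends on the reader and the build agreeing on it.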
@@ -1024,6 +1027,9 @@
         default: [
             "system_ext_202404.compat.cil",
         ],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["system_ext_tee_service_contexts"],
+        default: [],
     }),
     system_ext_specific: true,
 }
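Review bot: Nothing in the Test lines covers the "system_ext_tee_service_contexts" entry added in this hunk's true: branch; the only check listed is an ls of the /system copy. Please also verify, with the flag enabled, that the system_ext file (and the product and vendor files added in the following hunks) is present and carries the expected label, and that none of them is installed with the flag disabled.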
@@ -1060,6 +1066,9 @@
         default: [
             "product_202404.cil",
         ],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["product_tee_service_contexts"],
+        default: [],
     }),
     product_specific: true,
 }
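Review bot: The default: [] branch here means "product_tee_service_contexts" is simply absent when RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST is off, and the commit message does not say what virtmngr does when a partition's contexts file is missing. Since this file feeds an allow list, please document (here or in the follow-up) that a missing file results in no tee_service being granted to any VM, not in the check being skipped.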
@@ -1097,7 +1106,10 @@
         "vendor_bug_map",
         "vndservice_contexts",
         "vndservice_contexts_test",
-    ],
+    ] + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["vendor_tee_service_contexts"],
+        default: [],
+    }),
     vendor: true,
 }
 
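Review bot: The new "vendor_tee_service_contexts" entry has no test counterpart, although the list it is appended to pairs "vndservice_contexts" with "vndservice_contexts_test" on the context lines just above. If a build-time check of the new contexts file against the policy is planned, please add the matching test module under the same select, or say in the commit message that it comes in a later change.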
@@ -1201,6 +1213,9 @@
     }) + select(soong_config_variable("ANDROID", "RELEASE_BOARD_API_LEVEL_FROZEN"), {
         true: ["se_freeze_test"],
         default: [],
+    }) + select(release_flag("RELEASE_AVF_ENABLE_VM_TO_TEE_SERVICES_ALLOWLIST"), {
+        true: ["plat_tee_service_contexts"],
+        default: [],
     }),
 }
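Review bot: "plat_tee_service_contexts" in this hunk's true: branch is the same module name already added by the first hunk (@@ -126), and here it joins a list whose visible neighbour is "se_freeze_test". Please confirm the second dependency is intended and, if this list collects build-time checks, whether it should reference a test module for the new file instead of the contexts file itself.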