Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL"
Revert submission 2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK
Reason for revert: Relands the original topic:
https://r.android.com/q/topic:%22expose-avf-rkp-hal%22
Changes from the reverted cl aosp/2812455:
- The AIDL service type has been renamed from avf_* to hal_* to be
consistent with the others.
- The new AIDL service type, hal_remotelyprovisionedcomponent_avf_service,
for the IRPC/avf service, has been set up with the server/client model
for AIDL Hal. The virtualizationservice is declared as server and
RKPD is declared as client to access the service instead of raw
service permission setup as in the reverted cl. This is aligned
with the AIDL Hal configuration recommendation.
- Since the existing type for IRPC hal_remotelyprovisionedcomponent is
already associated with keymint server/client and has specific
permission requirements, and some of the keymint clients might not
need the AVF Hal. We decided to create a new AIDL service type
instead of reusing the exisiting keymint service type.
Reverted changes: /q/submissionid:2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK
Bug: 312427637
Bug: 310744536
Bug: 299257581
Test: atest MicrodroidHostTests librkp_support_test
Change-Id: Id37764b5f98e3c30c0c63601560697cf1c02c0ad
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index ca647f1..5bbfecc 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -14,6 +14,7 @@
hal_secretkeeper_service
hal_codec2_service
hal_macsec_service
+ hal_remotelyprovisionedcomponent_avf_service
hal_threadnetwork_service
virtual_camera_service
ot_daemon_service
diff --git a/private/keystore.te b/private/keystore.te
index 73961ac..b81ccfa 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -11,6 +11,11 @@
# talk to keymint
hal_client_domain(keystore, hal_keymint)
+# Ignore keystore attempts to access the AVF RKP Hal but keystore is not suppose to
+# access it.
+# TODO(b/312427637): Investigate the reason and fix the denial.
+dontaudit keystore hal_remotelyprovisionedcomponent_avf_service:service_manager { find };
+
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
diff --git a/private/rkpd_app.te b/private/rkpd_app.te
index 509a96e..e7809e9 100644
--- a/private/rkpd_app.te
+++ b/private/rkpd_app.te
@@ -9,6 +9,7 @@
# RKPD needs to be able to call the remote provisioning HALs
hal_client_domain(rkpdapp, hal_keymint)
+hal_client_domain(rkpdapp, hal_remotelyprovisionedcomponent_avf)
# Grant access to certain system properties related to RKP
get_prop(rkpdapp, device_config_remote_key_provisioning_native_prop)
diff --git a/private/service_contexts b/private/service_contexts
index 33040e9..90fb943 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -94,6 +94,7 @@
android.hardware.security.authgraph.IAuthGraphKeyExchange/nonsecure u:object_r:hal_authgraph_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/avf u:object_r:hal_remotelyprovisionedcomponent_avf_service:s0
android.hardware.gatekeeper.IGatekeeper/default u:object_r:hal_gatekeeper_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 2a9da11..8c26cc7 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -330,6 +330,7 @@
hal_client_domain(system_server, hal_power)
hal_client_domain(system_server, hal_power_stats)
hal_client_domain(system_server, hal_rebootescrow)
+hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
hal_client_domain(system_server, hal_sensors)
hal_client_domain(system_server, hal_tetheroffload)
hal_client_domain(system_server, hal_thermal)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 21d77b0..e17797e 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -21,6 +21,10 @@
binder_call(virtualizationservice, vfio_handler)
')
+# Allow the virtualizationservice domain to serve a remotely provisioned component for
+# pVM remote attestation.
+hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
+
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;