From 895ba8bdfacfdca906e310c45b1d7091bb31810b Mon Sep 17 00:00:00 2001
From: "A. Cody Schuffelen"
Date: Wed, 27 Mar 2024 11:43:28 -0700
Subject: [PATCH] Package the rust_nonsecure keymint default HAL in an APEX

This will make it easier to swap in and out with the Cuttlefish remote implementation.

Bug: 331474817
Test: m com.android.hardware.keymint.rust_nonsecure
Change-Id: I0e9a350b62a90ef6126db109195e19b4181d0cf8
---
 security/keymint/aidl/default/Android.bp    | 44 ++++++++++++++++++++-
 security/keymint/aidl/default/file_contexts |  3 ++
 security/keymint/aidl/default/manifest.json |  5 +++
 3 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 security/keymint/aidl/default/file_contexts
 create mode 100644 security/keymint/aidl/default/manifest.json

diff --git a/security/keymint/aidl/default/Android.bp b/security/keymint/aidl/default/Android.bp
index c707845275..1d23a34830 100644
--- a/security/keymint/aidl/default/Android.bp
+++ b/security/keymint/aidl/default/Android.bp
@@ -115,5 +115,47 @@ rust_library {
         "libkmr_wire",
     ],
     srcs: ["ta/lib.rs"],
-
+}
+
+apex {
+    name: "com.android.hardware.keymint.rust_nonsecure",
+    manifest: "manifest.json",
+    file_contexts: "file_contexts",
+    key: "com.google.cf.apex.key",
+    certificate: ":com.android.hardware.certificate",
+    soc_specific: true,
+    updatable: false,
+    binaries: [
+        "android.hardware.security.keymint-service.nonsecure",
+    ],
+    prebuilts: [
+        "keymint_aidl_nonsecure_init_rc",
+        "keymint_aidl_nonsecure_vintf",
+        "android.hardware.hardware_keystore.xml", // permissions
+    ],
+}
+
+prebuilt_etc {
+    name: "keymint_aidl_nonsecure_init_rc",
+    filename_from_src: true,
+    vendor: true,
+    src: ":gen-keymint_aidl_nonsecure_init_rc",
+}
+
+genrule {
+    name: "gen-keymint_aidl_nonsecure_init_rc",
+    srcs: ["android.hardware.security.keymint-service.nonsecure.rc"],
+    out: ["android.hardware.security.keymint-service.nonsecure.apex.rc"],
+    cmd: "sed -E 's%/vendor/bin/%/apex/com.android.hardware.keymint/bin/%' $(in) > $(out)",
+}
+
+prebuilt_etc {
+    name: "keymint_aidl_nonsecure_vintf",
+    sub_dir: "vintf",
+    vendor: true,
+    srcs: [
+        "android.hardware.security.keymint-service.xml",
+        "android.hardware.security.sharedsecret-service.xml",
+        "android.hardware.security.secureclock-service.xml",
+    ],
 }
diff --git a/security/keymint/aidl/default/file_contexts b/security/keymint/aidl/default/file_contexts
new file mode 100644
index 0000000000..dce7e3cff1
--- /dev/null
+++ b/security/keymint/aidl/default/file_contexts
@@ -0,0 +1,3 @@
+(/.*)?                                                              u:object_r:vendor_file:s0
+/etc(/.*)?                                                          u:object_r:vendor_configs_file:s0
+/bin/hw/android\.hardware\.security\.keymint-service\.nonsecure    u:object_r:hal_keymint_rust_exec:s0
diff --git a/security/keymint/aidl/default/manifest.json b/security/keymint/aidl/default/manifest.json
new file mode 100644
index 0000000000..289943e186
--- /dev/null
+++ b/security/keymint/aidl/default/manifest.json
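Review bot: The `sed` in the `gen-keymint_aidl_nonsecure_init_rc` genrule never checks that `/vendor/bin/` actually occurred in its input, so if the service path in the .rc is ever renamed the build still succeeds and ships an `.apex.rc` that points back at `/vendor/bin/`, which only fails at boot; `cmd: "grep -q '/vendor/bin/' $(in) && sed -E 's%/vendor/bin/%/apex/com.android.hardware.keymint/bin/%' $(in) > $(out)",` turns that into a build error. The mount path `com.android.hardware.keymint` in that pattern is also the `name` in the new manifest.json, while the Soong module is `com.android.hardware.keymint.rust_nonsecure`; since strict JSON cannot carry a comment, document the coupling on the genrule, e.g. `// /apex/<manifest.json name>/: shared mount point for swappable keymint implementations, keep in sync with manifest.json`. `key: "com.google.cf.apex.key"` pins a default HAL package in hardware/interfaces to a Cuttlefish-named signing key, and a one-line comment stating why that key is the intended one would save the next reader a search. The `rust_library` whose closing brace this hunk rewrites starts outside the hunk.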
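Review bot: The executable label on the last line matches only `/bin/hw/android.hardware.security.keymint-service.nonsecure`; a binary that lands at any other path inside the APEX falls through to the first rule and is labelled `u:object_r:vendor_file:s0`, so a layout mismatch with the `binaries` entry in Android.bp surfaces as an SELinux exec/transition failure at boot rather than as a build error. The `hw/` path component presumably comes from the binary's own install path, which this change does not show; a comment such as `# must match where the apex installs android.hardware.security.keymint-service.nonsecure (bin/hw/)` makes that dependency explicit. `hal_keymint_rust_exec` is not defined by this change, so it must already exist in the policy of every device that builds this APEX; worth confirming before the module is enabled by default.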
@@ -0,0 +1,5 @@
+{
+  "name": "com.android.hardware.keymint",
+  "version": 1,
+  "vendorBootstrap": true
+}