Package the rust_nonsecure keymint default HAL in an APEX

This will make it easier to swap in and out with the Cuttlefish remote implementation. Bug: 331474817 Test: m com.android.hardware.keymint.rust_nonsecure Change-Id: I0e9a350b62a90ef6126db109195e19b4181d0cf8
2024-03-27 11:43:28 -07:00 · 2024-03-27 11:43:28 -07:00 · 895ba8bdfa
commit 895ba8bdfa
parent c523f76846
3 changed files with 51 additions and 1 deletions
--- a/security/keymint/aidl/default/Android.bp
+++ b/security/keymint/aidl/default/Android.bp
@ -115,5 +115,47 @@ rust_library {
        "libkmr_wire",
    ],
    srcs: ["ta/lib.rs"],
-
+}
+
+apex {
+    name: "com.android.hardware.keymint.rust_nonsecure",
+    manifest: "manifest.json",
+    file_contexts: "file_contexts",
+    key: "com.google.cf.apex.key",
+    certificate: ":com.android.hardware.certificate",
+    soc_specific: true,
+    updatable: false,
+    binaries: [
+        "android.hardware.security.keymint-service.nonsecure",
+    ],
+    prebuilts: [
+        "keymint_aidl_nonsecure_init_rc",
+        "keymint_aidl_nonsecure_vintf",
+        "android.hardware.hardware_keystore.xml", // permissions
+    ],
+}
+
+prebuilt_etc {
+    name: "keymint_aidl_nonsecure_init_rc",
+    filename_from_src: true,
+    vendor: true,
+    src: ":gen-keymint_aidl_nonsecure_init_rc",
+}
+
+genrule {
+    name: "gen-keymint_aidl_nonsecure_init_rc",
+    srcs: ["android.hardware.security.keymint-service.nonsecure.rc"],
+    out: ["android.hardware.security.keymint-service.nonsecure.apex.rc"],
+    cmd: "sed -E 's%/vendor/bin/%/apex/com.android.hardware.keymint/bin/%' $(in) > $(out)",
+}
+
+prebuilt_etc {
+    name: "keymint_aidl_nonsecure_vintf",
+    sub_dir: "vintf",
+    vendor: true,
+    srcs: [
+        "android.hardware.security.keymint-service.xml",
+        "android.hardware.security.sharedsecret-service.xml",
+        "android.hardware.security.secureclock-service.xml",
+    ],
 }
--- a/security/keymint/aidl/default/file_contexts
+++ b/security/keymint/aidl/default/file_contexts
@ -0,0 +1,3 @@
+(/.*)?                                                           u:object_r:vendor_file:s0
+/etc(/.*)?                                                       u:object_r:vendor_configs_file:s0
+/bin/hw/android\.hardware\.security\.keymint-service\.nonsecure  u:object_r:hal_keymint_rust_exec:s0
--- a/security/keymint/aidl/default/manifest.json
+++ b/security/keymint/aidl/default/manifest.json
@ -0,0 +1,5 @@
+{
+    "name": "com.android.hardware.keymint",
+    "version": 1,
+    "vendorBootstrap": true
+}