Merge logic of DICE HAL and diced in to dice-service

The DICE HAL and diced are replaced with dice-service which implements
the diced services and also contains the HAL logic directly, without
exposing an implementation of the HAL service.

Bug: 243133253
Test: atest MicrodroidTests
Change-Id: Ia0edeadb04a3fdd37ee1a69a875a7b29586702c5

microdroid/system/private/compos_key_helper.te

@@ -9,8 +9,8 @@ typeattribute compos_key_helper no_crash_dump_domain;
 # Allow using DICE binder service
 binder_use(compos_key_helper);
 allow compos_key_helper dice_node_service:service_manager find;
-binder_call(compos_key_helper, diced);
+binder_call(compos_key_helper, dice_service);
-allow compos_key_helper diced:diced { get_attestation_chain derive };
+allow compos_key_helper dice_service:diced { get_attestation_chain derive };
 
 # Communicate with compos via stdin/stdout pipes
 allow compos_key_helper compos:fd use;

microdroid/system/private/dice_service.te

@@ -0,0 +1,24 @@
+type dice_service, domain, coredomain;
+type dice_service_exec, system_file_type, exec_type, file_type;
+
+# Block crash dumps to ensure the DICE secrets are not leaked.
+typeattribute dice_service no_crash_dump_domain;
+
+# dice_service can be started by init.
+init_daemon_domain(dice_service)
+
+# dice_service hosts AIDL services.
+binder_use(dice_service)
+binder_service(dice_service)
+add_service(dice_service, dice_node_service)
+add_service(dice_service, dice_maintenance_service)
+
+# dice_service can check SELinux permissions.
+selinux_check_access(dice_service)
+
+# dice_service is using bootstrap bionic.
+use_bootstrap_libs(dice_service)
+
+# Read config from the device tree and open-dice driver.
+allow dice_service sysfs_dt_avf:file r_file_perms;
+allow dice_service open_dice_device:chr_file rw_file_perms;

microdroid/system/private/diced.te

@@ -1,23 +0,0 @@
-type diced, domain, coredomain;
-type diced_exec, system_file_type, exec_type, file_type;
-
-# Block crash dumps to ensure the DICE secrets are not leaked.
-typeattribute diced no_crash_dump_domain;
-
-# diced can be started by init
-init_daemon_domain(diced)
-
-# diced can talk to dice HAL
-hal_client_domain(diced, hal_dice)
-
-# diced hosts AIDL services
-binder_use(diced)
-binder_service(diced)
-add_service(diced, dice_node_service)
-add_service(diced, dice_maintenance_service)
-
-# diced can check SELinux permissions.
-selinux_check_access(diced)
-
-# diced is using bootstrap bionic
-use_bootstrap_libs(diced)

microdroid/system/private/file_contexts

@@ -105,7 +105,7 @@
 /system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/diced.microdroid		u:object_r:diced_exec:s0
+/system/bin/dice-service.microdroid		u:object_r:dice_service_exec:s0
 /system/bin/servicemanager.microdroid	u:object_r:servicemanager_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
 /system/bin/logcat	--	u:object_r:logcat_exec:s0

microdroid/system/private/microdroid_app.te

@@ -9,9 +9,9 @@
 type microdroid_app, domain, coredomain, microdroid_payload;
 type microdroid_app_exec, exec_type, file_type, system_file_type;
 
-# Talk to binder services (for diced)
+# Talk to binder services (for dice_service)
 binder_use(microdroid_app);
 
 allow microdroid_app dice_node_service:service_manager find;
-binder_call(microdroid_app, diced);
+binder_call(microdroid_app, dice_service);
-allow microdroid_app diced:diced { get_attestation_chain derive };
+allow microdroid_app dice_service:diced { get_attestation_chain derive };

microdroid/system/private/microdroid_manager.te

@@ -45,11 +45,11 @@ allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
 # microdroid_manager is using bootstrap bionic
 use_bootstrap_libs(microdroid_manager)
 
-# microdroid_manager can talk to diced over binder
+# microdroid_manager can talk to dice_service over binder
 binder_use(microdroid_manager)
-binder_call(microdroid_manager, diced)
+binder_call(microdroid_manager, dice_service)
 allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
-allow microdroid_manager diced:diced { derive demote_self };
+allow microdroid_manager dice_service:diced { derive demote_self };
 
 # microdroid_manager create /apex/vm-payload-metadata for apexd
 # TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.

microdroid/system/private/service_contexts

@@ -1,5 +1,3 @@
-android.hardware.security.dice.IDiceDevice/default                   u:object_r:hal_dice_service:s0
-
 adb                                       u:object_r:adb_service:s0
 android.security.dice.IDiceMaintenance    u:object_r:dice_maintenance_service:s0
 android.security.dice.IDiceNode           u:object_r:dice_node_service:s0

microdroid/system/public/hal_dice.te

@@ -1,4 +0,0 @@
-binder_call(hal_dice_client, hal_dice_server)
-
-hal_attribute_service(hal_dice, hal_dice_service)
-binder_call(hal_dice_server, servicemanager)

microdroid/vendor/file_contexts

@@ -3,6 +3,3 @@
 #
 (/.*)?                  u:object_r:vendor_file:s0
 /etc(/.*)?              u:object_r:vendor_configs_file:s0
-
-# HAL location
-/bin/hw/android\.hardware\.security\.dice-service\.microdroid u:object_r:hal_dice_default_exec:s0

microdroid/vendor/hal_dice_default.te

@@ -1,14 +0,0 @@
-type hal_dice_default, domain;
-hal_server_domain(hal_dice_default, hal_dice)
-
-# Block crash dumps to ensure the DICE secrets are not leaked.
-typeattribute hal_dice_default no_crash_dump_domain;
-
-type hal_dice_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_dice_default)
-
-# hal_dice_default is using bootstrap bionic
-use_bootstrap_libs(hal_dice_default)
-
-allow hal_dice_default sysfs_dt_avf:file r_file_perms;
-allow hal_dice_default open_dice_device:chr_file rw_file_perms;