1 //
2 // Copyright (C) 2019 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 
16 #include "host/commands/run_cvd/launch/launch.h"
17 
18 #include <unistd.h>
19 
20 #include <string>
21 #include <vector>
22 
23 #include <fruit/fruit.h>
24 
25 #include "common/libs/utils/result.h"
26 #include "host/commands/run_cvd/launch/snapshot_control_files.h"
27 #include "host/libs/config/command_source.h"
28 #include "host/libs/config/known_paths.h"
29 
30 namespace cuttlefish {
31 
SecureEnv(const CuttlefishConfig & config,const CuttlefishConfig::InstanceSpecific & instance,AutoSnapshotControlFiles::Type & snapshot_control_files,KernelLogPipeProvider & kernel_log_pipe_provider)32 Result<MonitorCommand> SecureEnv(
33     const CuttlefishConfig& config,
34     const CuttlefishConfig::InstanceSpecific& instance,
35     AutoSnapshotControlFiles::Type& snapshot_control_files,
36     KernelLogPipeProvider& kernel_log_pipe_provider) {
37   Command command(SecureEnvBinary());
38   command.AddParameter("-confui_server_fd=",
39                        snapshot_control_files->confui_server_fd);
40   command.AddParameter("-snapshot_control_fd=",
41                        snapshot_control_files->secure_env_snapshot_control_fd);
42 
43   std::vector<std::string> fifo_paths = {
44       instance.PerInstanceInternalPath("keymaster_fifo_vm.in"),
45       instance.PerInstanceInternalPath("keymaster_fifo_vm.out"),
46       instance.PerInstanceInternalPath("gatekeeper_fifo_vm.in"),
47       instance.PerInstanceInternalPath("gatekeeper_fifo_vm.out"),
48       instance.PerInstanceInternalPath("oemlock_fifo_vm.in"),
49       instance.PerInstanceInternalPath("oemlock_fifo_vm.out"),
50       instance.PerInstanceInternalPath("keymint_fifo_vm.in"),
51       instance.PerInstanceInternalPath("keymint_fifo_vm.out"),
52   };
53   std::vector<SharedFD> fifos;
54   for (const auto& path : fifo_paths) {
55     fifos.emplace_back(CF_EXPECT(SharedFD::Fifo(path, 0660)));
56   }
57   command.AddParameter("-keymaster_fd_out=", fifos[0]);
58   command.AddParameter("-keymaster_fd_in=", fifos[1]);
59   command.AddParameter("-gatekeeper_fd_out=", fifos[2]);
60   command.AddParameter("-gatekeeper_fd_in=", fifos[3]);
61   command.AddParameter("-oemlock_fd_out=", fifos[4]);
62   command.AddParameter("-oemlock_fd_in=", fifos[5]);
63   command.AddParameter("-keymint_fd_out=", fifos[6]);
64   command.AddParameter("-keymint_fd_in=", fifos[7]);
65 
66   const auto& secure_hals = CF_EXPECT(config.secure_hals());
67   bool secure_keymint = secure_hals.count(SecureHal::kHostKeymintSecure) > 0;
68   command.AddParameter("-keymint_impl=", secure_keymint ? "tpm" : "software");
69   bool secure_gatekeeper =
70       secure_hals.count(SecureHal::kHostGatekeeperSecure) > 0;
71   auto gatekeeper_impl = secure_gatekeeper ? "tpm" : "software";
72   command.AddParameter("-gatekeeper_impl=", gatekeeper_impl);
73 
74   bool secure_oemlock = secure_hals.count(SecureHal::kHostOemlockSecure) > 0;
75   auto oemlock_impl = secure_oemlock ? "tpm" : "software";
76   command.AddParameter("-oemlock_impl=", oemlock_impl);
77 
78   command.AddParameter("-kernel_events_fd=",
79                        kernel_log_pipe_provider.KernelLogPipe());
80 
81   return command;
82 }
83 
84 }  // namespace cuttlefish
85