package {
    // See: http://go/android-license-faq
    // A large-scale-change added 'default_applicable_licenses' to import
    // all of the 'license_kinds' from "hardware_interfaces_license"
    // to get the below license kinds:
    //   SPDX-license-identifier-Apache-2.0
    // Every module in this file inherits this license unless it declares
    // its own `licenses` property.
    default_applicable_licenses: ["hardware_interfaces_license"],
}
9
// VINTF manifest fragment advertising the KeyMint HAL.  Lives on the vendor
// partition and is pulled in by the service binaries below through their
// `vintf_fragment_modules` lists; without it the framework will not consider
// the HAL as implemented on the device.
vintf_fragment {
    name: "android.hardware.security.keymint-service.xml",
    src: "android.hardware.security.keymint-service.xml",
    vendor: true,
}
15
// VINTF manifest fragment for the SharedSecret HAL (the HMAC-key agreement
// between KeyMint and the other authentication HALs).  Attached to both
// service binaries below via `vintf_fragment_modules`.
vintf_fragment {
    name: "android.hardware.security.sharedsecret-service.xml",
    src: "android.hardware.security.sharedsecret-service.xml",
    vendor: true,
}
21
// VINTF manifest fragment for the SecureClock HAL (time-stamp tokens used by
// KeyMint for auth-bound keys).  Attached to both service binaries below via
// `vintf_fragment_modules`.
vintf_fragment {
    name: "android.hardware.security.secureclock-service.xml",
    src: "android.hardware.security.secureclock-service.xml",
    vendor: true,
}
27
28// The following target has an insecure implementation of KeyMint where the
29// trusted application (TA) code runs in-process alongside the HAL service
30// code.
31//
32// A real device is required to run the TA code in a secure environment, as
33// per CDD 9.11 [C-1-1]: "MUST back up the keystore implementation with an
34// isolated execution environment."
// C++ reference KeyMint HAL service.  Installed as /vendor/bin/hw/<name>
// (vendor + relative_install_path) and started by the listed init .rc file.
// The three VINTF fragments above are shipped alongside it, so this one
// binary is declared to provide KeyMint, SharedSecret and SecureClock.
cc_binary {
    name: "android.hardware.security.keymint-service",
    relative_install_path: "hw",
    init_rc: ["android.hardware.security.keymint-service.rc"],
    vendor: true,
    cflags: [
        "-Wall",
        "-Wextra",
    ],
    defaults: [
        // Pulls in the newest KeyMint AIDL NDK interface library.
        "keymint_use_latest_hal_aidl_ndk_shared",
    ],
    shared_libs: [
        "android.hardware.security.rkp-V3-ndk",
        "android.hardware.security.sharedsecret-V1-ndk",
        "android.hardware.security.secureclock-V1-ndk",
        "libbase",
        "libbinder_ndk",
        "libcppbor",
        "libcrypto",
        "libkeymaster_portable",
        "libkeymint",
        "liblog",
        // Software-only keymaster: the "TA" logic and all key material live
        // inside this HAL process, so they are protected only by the HAL's
        // own process sandbox, not by an isolated execution environment.
        "libpuresoftkeymasterdevice",
        "libutils",
    ],
    srcs: [
        "service.cpp",
    ],
    required: [
        // Feature XML that advertises the hardware_keystore system feature at
        // the latest KeyMint version (see the prebuilt_etc further down).
        "android.hardware.hardware_keystore.xml",
    ],
    vintf_fragment_modules: [
        "android.hardware.security.keymint-service.xml",
        "android.hardware.security.sharedsecret-service.xml",
        "android.hardware.security.secureclock-service.xml",
    ],
}
73
74// The following target has an insecure implementation of KeyMint where the
75// trusted application (TA) code runs in-process alongside the HAL service
76// code.
77//
78// A real device is required to run the TA code in a secure environment, as
79// per CDD 9.11 [C-1-1]: "MUST back up the keystore implementation with an
80// isolated execution environment."
// Rust reference KeyMint HAL service.  The `.nonsecure` suffix is
// deliberate: it links the `libkmr_ta_nonsecure` crate, i.e. the TA runs
// in this same process.  Installed as /vendor/bin/hw/<name> and, through
// the apex below, also under /apex/.../bin/.
rust_binary {
    name: "android.hardware.security.keymint-service.nonsecure",
    relative_install_path: "hw",
    vendor: true,
    // The same .rc file is rewritten by the genrule below for the APEX path.
    init_rc: ["android.hardware.security.keymint-service.nonsecure.rc"],
    defaults: [
        // Pulls in the newest KeyMint AIDL Rust interface library.
        "keymint_use_latest_hal_aidl_rust",
    ],
    srcs: [
        "main.rs",
    ],
    rustlibs: [
        "libandroid_logger",
        "libbinder_rs",
        "liblog_rust",
        "libkmr_hal",
        // HAL-side and TA-side halves of the in-process reference (defined
        // later in this file).
        "libkmr_hal_nonsecure",
        "libkmr_ta_nonsecure",
    ],
    // Unlike the C++ service this target has no `required:` feature XML; the
    // apex below bundles android.hardware.hardware_keystore.xml instead.
    vintf_fragment_modules: [
        "android.hardware.security.keymint-service.xml",
        "android.hardware.security.sharedsecret-service.xml",
        "android.hardware.security.secureclock-service.xml",
    ],
}
106
// The following target declares (via the hardware_keystore feature XML) that
// the device implements the latest version of the KeyMint HAL.
// Installed to /vendor/etc/permissions/.  Referenced by the C++ service's
// `required:` list and by the apex's `prebuilts:` list.
prebuilt_etc {
    name: "android.hardware.hardware_keystore.xml",
    sub_dir: "permissions",
    vendor: true,
    src: "android.hardware.hardware_keystore.xml",
}
114
115// The following targets (and underlying XML files) declare specific
116// versions of KeyMint.  Vendors should use the version that matches the
117// version of the KeyMint HAL that the device implements.
118
// Version-pinned feature XML for a device implementing KeyMint HAL V1.
// Not referenced by any target in this file; a vendor device.mk selects it.
prebuilt_etc {
    name: "android.hardware.hardware_keystore_V1.xml",
    sub_dir: "permissions",
    vendor: true,
    src: "android.hardware.hardware_keystore_V1.xml",
}
125
// Version-pinned feature XML for a device implementing KeyMint HAL V2.
// Not referenced by any target in this file; a vendor device.mk selects it.
prebuilt_etc {
    name: "android.hardware.hardware_keystore_V2.xml",
    sub_dir: "permissions",
    vendor: true,
    src: "android.hardware.hardware_keystore_V2.xml",
}
132
// Version-pinned feature XML for a device implementing KeyMint HAL V3.
// Not referenced by any target in this file; a vendor device.mk selects it.
prebuilt_etc {
    name: "android.hardware.hardware_keystore_V3.xml",
    sub_dir: "permissions",
    vendor: true,
    src: "android.hardware.hardware_keystore_V3.xml",
}
139
// Version-pinned feature XML for a device implementing KeyMint HAL V4.
// Not referenced by any target in this file; a vendor device.mk selects it.
prebuilt_etc {
    name: "android.hardware.hardware_keystore_V4.xml",
    sub_dir: "permissions",
    vendor: true,
    src: "android.hardware.hardware_keystore_V4.xml",
}
146
// HAL-process side of the non-secure reference: the glue between the
// generic `libkmr_hal` service code and the in-process TA.  Marked
// vendor_available so the vendor rust_binary above can link it.
rust_library {
    name: "libkmr_hal_nonsecure",
    crate_name: "kmr_hal_nonsecure",
    vendor_available: true,
    lints: "android",
    rustlibs: [
        "libbinder_rs",
        "libhex",
        "liblibc",
        "liblog_rust",
        "libkmr_hal",
        // Serialisation of HAL<->TA messages.
        "libkmr_wire",
    ],
    srcs: ["hal/lib.rs"],

}
163
// TA side of the non-secure reference, built on the generic `libkmr_ta`
// implementation with BoringSSL-backed crypto (`libkmr_crypto_boring`,
// inferred from the crate name).  host_supported so it can also be built
// for host-side use — presumably tests; confirm against the host targets.
rust_library {
    name: "libkmr_ta_nonsecure",
    crate_name: "kmr_ta_nonsecure",
    vendor_available: true,
    host_supported: true,
    lints: "android",
    rustlibs: [
        "libhex",
        "liblibc",
        "liblog_rust",
        "libkmr_common",
        "libkmr_crypto_boring",
        "libkmr_ta",
        "libkmr_wire",
    ],
    srcs: ["ta/lib.rs"],
}
181
// Vendor APEX packaging of the Rust non-secure service together with its
// rewritten init .rc, VINTF fragments and feature XML.
//
// Note on signing: `com.google.cf.apex.key` — "cf" suggests the Cuttlefish
// test key, and the certificate is the generic hardware test certificate.
// NOTE(review): those are public test credentials; this APEX must not be
// signed this way on a shipping device — confirm in the device build.
apex {
    name: "com.android.hardware.keymint.rust_nonsecure",
    // The runtime mount point /apex/<name> is taken from manifest.json, not
    // from the Soong module name above; the genrule below assumes it is
    // /apex/com.android.hardware.keymint — keep the two in sync.
    manifest: "manifest.json",
    file_contexts: "file_contexts",
    key: "com.google.cf.apex.key",
    certificate: ":com.android.hardware.certificate",
    soc_specific: true,
    // Not a Mainline-updatable module; it is only ever shipped in the image.
    updatable: false,
    binaries: [
        "android.hardware.security.keymint-service.nonsecure",
    ],
    prebuilts: [
        "keymint_aidl_nonsecure_init_rc",
        "keymint_aidl_nonsecure_vintf",
        "android.hardware.hardware_keystore.xml", // permissions
    ],
}
199
// APEX copy of the service's init .rc, produced by the genrule below with the
// binary path rewritten to the APEX mount point.  filename_from_src keeps the
// generated `.apex.rc` name.
prebuilt_etc {
    name: "keymint_aidl_nonsecure_init_rc",
    filename_from_src: true,
    vendor: true,
    src: ":gen-keymint_aidl_nonsecure_init_rc",
}
206
// Rewrites /vendor/bin/ to the APEX bin directory in the service's .rc so
// init starts the copy inside the APEX.  The target path hard-codes the APEX
// mount name `com.android.hardware.keymint`, which must equal the `name` in
// manifest.json (the Soong module is called ...keymint.rust_nonsecure, so
// the two are not obviously the same — verify).  Only the path is changed;
// the service's user/group/capabilities in the .rc are left as-is.
genrule {
    name: "gen-keymint_aidl_nonsecure_init_rc",
    srcs: ["android.hardware.security.keymint-service.nonsecure.rc"],
    out: ["android.hardware.security.keymint-service.nonsecure.apex.rc"],
    cmd: "sed -E 's%/vendor/bin/%/apex/com.android.hardware.keymint/bin/%' $(in) > $(out)",
}
213
// Installs the same three VINTF fragment XMLs used by the service binaries
// into etc/vintf/ of the APEX, so the HALs are advertised when the service
// is delivered as an APEX rather than from /vendor.
prebuilt_etc {
    name: "keymint_aidl_nonsecure_vintf",
    sub_dir: "vintf",
    vendor: true,
    srcs: [
        "android.hardware.security.keymint-service.xml",
        "android.hardware.security.sharedsecret-service.xml",
        "android.hardware.security.secureclock-service.xml",
    ],
}
224