package {
    // See: http://go/android-license-faq
    // A large-scale-change added 'default_applicable_licenses' to import
    // all of the 'license_kinds' from "hardware_interfaces_license"
    // to get the below license kinds:
    //   SPDX-license-identifier-Apache-2.0
    default_applicable_licenses: ["hardware_interfaces_license"],
}

// VINTF manifest fragments named after the KeyMint, SharedSecret and
// SecureClock HALs. Both service binaries in this file reference all three
// through vintf_fragment_modules. The XML contents are not part of this file.
vintf_fragment {
    name: "android.hardware.security.keymint-service.xml",
    src: "android.hardware.security.keymint-service.xml",
    vendor: true,
}

vintf_fragment {
    name: "android.hardware.security.sharedsecret-service.xml",
    src: "android.hardware.security.sharedsecret-service.xml",
    vendor: true,
}

vintf_fragment {
    name: "android.hardware.security.secureclock-service.xml",
    src: "android.hardware.security.secureclock-service.xml",
    vendor: true,
}

// The following target has an insecure implementation of KeyMint where the
// trusted application (TA) code runs in-process alongside the HAL service
// code.
//
// A real device is required to run the TA code in a secure environment, as
// per CDD 9.11 [C-1-1]: "MUST back up the keystore implementation with an
// isolated execution environment."
//
// NOTE(review): because the TA shares the HAL process, key material has no
// isolation from the rest of vendor userspace. Treat this target as a
// reference/emulator implementation and keep it out of product images that
// must meet the CDD requirement quoted above.
cc_binary {
    name: "android.hardware.security.keymint-service",
    relative_install_path: "hw",
    init_rc: ["android.hardware.security.keymint-service.rc"],
    vendor: true,
    cflags: [
        "-Wall",
        "-Wextra",
    ],
    defaults: ["keymint_use_latest_hal_aidl_ndk_shared"],
    shared_libs: [
        "android.hardware.security.rkp-V3-ndk",
        "android.hardware.security.sharedsecret-V1-ndk",
        "android.hardware.security.secureclock-V1-ndk",
        "libbase",
        "libbinder_ndk",
        "libcppbor",
        "libcrypto",
        "libkeymaster_portable",
        "libkeymint",
        "liblog",
        "libpuresoftkeymasterdevice",
        "libutils",
    ],
    srcs: ["service.cpp"],
    // Installs the "latest version" permissions XML defined further down in
    // this file alongside the service.
    // NOTE(review): presumably that XML advertises the hardware keystore
    // feature to the framework even though the TA here runs in-process, so
    // the feature being present on a build that uses this target does not
    // by itself indicate an isolated execution environment. Confirm.
    required: ["android.hardware.hardware_keystore.xml"],
    // The .nonsecure rust_binary in this file lists the same three
    // fragments; presumably only one of the two services is meant to be
    // installed on a given image. Verify against the product makefiles.
    vintf_fragment_modules: [
        "android.hardware.security.keymint-service.xml",
        "android.hardware.security.sharedsecret-service.xml",
        "android.hardware.security.secureclock-service.xml",
    ],
}

// The following target has an insecure implementation of KeyMint where the
// trusted application (TA) code runs in-process alongside the HAL service
// code.
//
// A real device is required to run the TA code in a secure environment, as
// per CDD 9.11 [C-1-1]: "MUST back up the keystore implementation with an
// isolated execution environment."
rust_binary {
    // The ".nonsecure" suffix keeps the lack of TA isolation visible wherever
    // this module is referenced (product makefiles, the APEX in this file).
    name: "android.hardware.security.keymint-service.nonsecure",
    relative_install_path: "hw",
    vendor: true,
    init_rc: ["android.hardware.security.keymint-service.nonsecure.rc"],
    defaults: ["keymint_use_latest_hal_aidl_rust"],
    srcs: ["main.rs"],
    rustlibs: [
        "libandroid_logger",
        "libbinder_rs",
        "liblog_rust",
        "libkmr_hal",
        "libkmr_hal_nonsecure",
        // TA code linked straight into the service process; both
        // *_nonsecure crates are defined in this file.
        "libkmr_ta_nonsecure",
    ],
    // Same three fragments as the C++ keymint-service target. Unlike that
    // target, there is no `required:` entry for the permissions XML here;
    // the APEX defined in this file lists it under `prebuilts` instead.
    vintf_fragment_modules: [
        "android.hardware.security.keymint-service.xml",
        "android.hardware.security.sharedsecret-service.xml",
        "android.hardware.security.secureclock-service.xml",
    ],
}

// The following target declares the latest version of KeyMint.
prebuilt_etc {
    name: "android.hardware.hardware_keystore.xml",
    sub_dir: "permissions",
    vendor: true,
    src: "android.hardware.hardware_keystore.xml",
}

// The following targets (and underlying XML files) declare specific
// versions of KeyMint. Vendors should use the version that matches the
// version of the KeyMint HAL that the device implements.
//
// NOTE(review): a declared version that differs from what the HAL actually
// implements would presumably misreport the device's keystore capabilities.
// Pick exactly one of these (or the unversioned target above) per device.

prebuilt_etc {
    name: "android.hardware.hardware_keystore_V1.xml",
    sub_dir: "permissions",
    vendor: true,
    src: "android.hardware.hardware_keystore_V1.xml",
}

prebuilt_etc {
    name: "android.hardware.hardware_keystore_V2.xml",
    sub_dir: "permissions",
    vendor: true,
    src: "android.hardware.hardware_keystore_V2.xml",
}

prebuilt_etc {
    name: "android.hardware.hardware_keystore_V3.xml",
    sub_dir: "permissions",
    vendor: true,
    src: "android.hardware.hardware_keystore_V3.xml",
}

prebuilt_etc {
    name: "android.hardware.hardware_keystore_V4.xml",
    sub_dir: "permissions",
    vendor: true,
    src: "android.hardware.hardware_keystore_V4.xml",
}

// HAL-side support crate for the nonsecure Rust service (sources in hal/).
rust_library {
    name: "libkmr_hal_nonsecure",
    crate_name: "kmr_hal_nonsecure",
    vendor_available: true,
    lints: "android",
    rustlibs: [
        "libbinder_rs",
        "libhex",
        "liblibc",
        "liblog_rust",
        "libkmr_hal",
        "libkmr_wire",
    ],
    srcs: ["hal/lib.rs"],
}

// TA-side crate for the nonsecure Rust service (sources in ta/). It is also
// buildable for the host (host_supported), presumably for tests or tooling.
rust_library {
    name: "libkmr_ta_nonsecure",
    crate_name: "kmr_ta_nonsecure",
    vendor_available: true,
    host_supported: true,
    lints: "android",
    rustlibs: [
        "libhex",
        "liblibc",
        "liblog_rust",
        "libkmr_common",
        "libkmr_crypto_boring",
        "libkmr_ta",
        "libkmr_wire",
    ],
    srcs: ["ta/lib.rs"],
}

// APEX packaging of the nonsecure Rust service, with its init .rc, VINTF
// fragments and permissions XML. soc_specific installs it on the vendor
// side; updatable: false marks it as not independently updatable.
//
// NOTE(review): the key name "com.google.cf.apex.key" looks like a
// Cuttlefish development key. Confirm that neither the key nor this APEX is
// ever used for a production device, since the packaged service runs the TA
// in-process.
apex {
    name: "com.android.hardware.keymint.rust_nonsecure",
    manifest: "manifest.json",
    file_contexts: "file_contexts",
    key: "com.google.cf.apex.key",
    certificate: ":com.android.hardware.certificate",
    soc_specific: true,
    updatable: false,
    binaries: ["android.hardware.security.keymint-service.nonsecure"],
    prebuilts: [
        "keymint_aidl_nonsecure_init_rc",
        "keymint_aidl_nonsecure_vintf",
        "android.hardware.hardware_keystore.xml", // permissions
    ],
}

// Init .rc for the APEX build: the output of the genrule below.
prebuilt_etc {
    name: "keymint_aidl_nonsecure_init_rc",
    filename_from_src: true,
    vendor: true,
    src: ":gen-keymint_aidl_nonsecure_init_rc",
}

// Derives the APEX variant of the service .rc by rewriting the binary path
// from /vendor/bin/ to the APEX's bin directory.
//
// NOTE(review): the replacement path uses "com.android.hardware.keymint",
// not the Soong module name of the apex above. It presumably has to match
// the `name` in manifest.json (not visible here). sed exits successfully
// even when nothing matches, and without a `g` flag only the first match on
// each line is rewritten, so a path change in the source .rc would pass the
// build unnoticed. A build-time check on the generated file is worth adding.
genrule {
    name: "gen-keymint_aidl_nonsecure_init_rc",
    srcs: ["android.hardware.security.keymint-service.nonsecure.rc"],
    out: ["android.hardware.security.keymint-service.nonsecure.apex.rc"],
    cmd: "sed -E 's%/vendor/bin/%/apex/com.android.hardware.keymint/bin/%' $(in) > $(out)",
}

// The same three VINTF fragments the service binaries reference, packaged
// as plain files under vintf/ for inclusion in the APEX.
prebuilt_etc {
    name: "keymint_aidl_nonsecure_vintf",
    sub_dir: "vintf",
    vendor: true,
    srcs: [
        "android.hardware.security.keymint-service.xml",
        "android.hardware.security.sharedsecret-service.xml",
        "android.hardware.security.secureclock-service.xml",
    ],
}