hardware_interfaces/security/keymint/aidl/default/Android.bp

package {
    // See: http://go/android-license-faq
    // A large-scale-change added 'default_applicable_licenses' to import
    // all of the 'license_kinds' from "hardware_interfaces_license"
    // to get the below license kinds:
    //   SPDX-license-identifier-Apache-2.0
    default_applicable_licenses: ["hardware_interfaces_license"],
}

vintf_fragment {
    name: "android.hardware.security.keymint-service.xml",
    src: "android.hardware.security.keymint-service.xml",
    vendor: true,
}

vintf_fragment {
    name: "android.hardware.security.sharedsecret-service.xml",
    src: "android.hardware.security.sharedsecret-service.xml",
    vendor: true,
}

vintf_fragment {
    name: "android.hardware.security.secureclock-service.xml",
    src: "android.hardware.security.secureclock-service.xml",
    vendor: true,
}

// The following target has an insecure implementation of KeyMint where the
// trusted application (TA) code runs in-process alongside the HAL service
// code.
//
// A real device is required to run the TA code in a secure environment, as
// per CDD 9.11 [C-1-1]: "MUST back up the keystore implementation with an
// isolated execution environment."
cc_binary {
    name: "android.hardware.security.keymint-service",
    relative_install_path: "hw",
    init_rc: ["android.hardware.security.keymint-service.rc"],
    vendor: true,
    cflags: [
        "-Wall",
        "-Wextra",
    ],
    defaults: [
        "keymint_use_latest_hal_aidl_ndk_shared",
    ],
    shared_libs: [
        "android.hardware.security.rkp-V3-ndk",
        "android.hardware.security.sharedsecret-V1-ndk",
        "android.hardware.security.secureclock-V1-ndk",
        "libbase",
        "libbinder_ndk",
        "libcppbor",
        "libcrypto",
        "libkeymaster_portable",
        "libkeymint",
        "liblog",
        "libpuresoftkeymasterdevice",
        "libutils",
    ],
    srcs: [
        "service.cpp",
    ],
    required: [
        "android.hardware.hardware_keystore.xml",
    ],
    vintf_fragment_modules: [
        "android.hardware.security.keymint-service.xml",
        "android.hardware.security.sharedsecret-service.xml",
        "android.hardware.security.secureclock-service.xml",
    ],
}

// The following target has an insecure implementation of KeyMint where the
// trusted application (TA) code runs in-process alongside the HAL service
// code.
//
// A real device is required to run the TA code in a secure environment, as
// per CDD 9.11 [C-1-1]: "MUST back up the keystore implementation with an
// isolated execution environment."
rust_binary {
    name: "android.hardware.security.keymint-service.nonsecure",
    relative_install_path: "hw",
    vendor: true,
    init_rc: ["android.hardware.security.keymint-service.nonsecure.rc"],
    defaults: [
        "keymint_use_latest_hal_aidl_rust",
    ],
    srcs: [
        "main.rs",
    ],
    rustlibs: [
        "libandroid_logger",
        "libbinder_rs",
        "liblog_rust",
        "libkmr_hal",
        "libkmr_hal_nonsecure",
        "libkmr_ta_nonsecure",
    ],
    required: [
        "android.hardware.hardware_keystore.xml",
    ],
    vintf_fragment_modules: [
        "android.hardware.security.keymint-service.xml",
        "android.hardware.security.sharedsecret-service.xml",
        "android.hardware.security.secureclock-service.xml",
    ],
}

prebuilt_etc {
    name: "android.hardware.hardware_keystore.xml",
    sub_dir: "permissions",
    vendor: true,
    src: "android.hardware.hardware_keystore.xml",
}

rust_library {
    name: "libkmr_hal_nonsecure",
    crate_name: "kmr_hal_nonsecure",
    vendor_available: true,
    lints: "android",
    rustlibs: [
        "libbinder_rs",
        "libhex",
        "liblibc",
        "liblog_rust",
        "libkmr_hal",
        "libkmr_wire",
    ],
    srcs: ["hal/lib.rs"],

}

rust_library {
    name: "libkmr_ta_nonsecure",
    crate_name: "kmr_ta_nonsecure",
    vendor_available: true,
    host_supported: true,
    lints: "android",
    rustlibs: [
        "libhex",
        "liblibc",
        "liblog_rust",
        "libkmr_common",
        "libkmr_crypto_boring",
        "libkmr_ta",
        "libkmr_wire",
    ],
    srcs: ["ta/lib.rs"],
}

apex {
    name: "com.android.hardware.keymint.rust_nonsecure",
    manifest: "manifest.json",
    file_contexts: "file_contexts",
    key: "com.google.cf.apex.key",
    certificate: ":com.android.hardware.certificate",
    soc_specific: true,
    updatable: false,
    binaries: [
        "android.hardware.security.keymint-service.nonsecure",
    ],
    prebuilts: [
        "keymint_aidl_nonsecure_init_rc",
        "keymint_aidl_nonsecure_vintf",
        "android.hardware.hardware_keystore.xml", // permissions
    ],
}

prebuilt_etc {
    name: "keymint_aidl_nonsecure_init_rc",
    filename_from_src: true,
    vendor: true,
    src: ":gen-keymint_aidl_nonsecure_init_rc",
}

genrule {
    name: "gen-keymint_aidl_nonsecure_init_rc",
    srcs: ["android.hardware.security.keymint-service.nonsecure.rc"],
    out: ["android.hardware.security.keymint-service.nonsecure.apex.rc"],
    cmd: "sed -E 's%/vendor/bin/%/apex/com.android.hardware.keymint/bin/%' $(in) > $(out)",
}

prebuilt_etc {
    name: "keymint_aidl_nonsecure_vintf",
    sub_dir: "vintf",
    vendor: true,
    srcs: [
        "android.hardware.security.keymint-service.xml",
        "android.hardware.security.sharedsecret-service.xml",
        "android.hardware.security.secureclock-service.xml",
    ],
}