StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow AVF remote attestation to be disabled

Browse Source 
This CL adds a variable in makefile that allows the
AVF remote attestation feature to be disabled easily.

The remote attestation feature is opt-in by default, as it
is a strongly recommended feature from Android V. It will
be disabled if PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED is
set to true in the Makefile, otherwise it will be enabled
when the feature flag
RELEASE_AVF_ENABLE_REMOTE_ATTESTATION is on.

Bug: 331269709
Bug: 341292601
Test: run VM remote attestation on Pixel 6 and check it is
disabled

Change-Id: Id48ebd0eacf0d7a6c69b9100aee5ab6e4f112fe5
This commit is contained in:
Alice Wang
2024-05-16 15:41:34 +00:00
parent 0ea5497ce4
commit 28a57dc1cc
2 changed files with 11 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
core/android_soong_config_vars.mk
View File

@@ -77,6 +77,12 @@ ifdef PRODUCT_AVF_ENABLED
$(call add_soong_config_var_value,ANDROID,avf_enabled,$(PRODUCT_AVF_ENABLED))
endif
# Enable AVF remote attestation according to the flag value if PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED is not
# set to true explicitly.
ifneq (true,$(PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED))
$(call add_soong_config_var_value,ANDROID,avf_remote_attestation_enabled,$(RELEASE_AVF_ENABLE_REMOTE_ATTESTATION))
endif
ifdef PRODUCT_AVF_MICRODROID_GUEST_GKI_VERSION
$(call add_soong_config_var_value,ANDROID,avf_microdroid_guest_gki_version,$(PRODUCT_AVF_MICRODROID_GUEST_GKI_VERSION))
endif
@@ -95,6 +101,8 @@ $(call add_soong_config_var_value,ANDROID,release_avf_enable_dice_changes,$(RELE
$(call add_soong_config_var_value,ANDROID,release_avf_enable_llpvm_changes,$(RELEASE_AVF_ENABLE_LLPVM_CHANGES))
$(call add_soong_config_var_value,ANDROID,release_avf_enable_multi_tenant_microdroid_vm,$(RELEASE_AVF_ENABLE_MULTI_TENANT_MICRODROID_VM))
$(call add_soong_config_var_value,ANDROID,release_avf_enable_network,$(RELEASE_AVF_ENABLE_NETWORK))
# TODO(b/341292601): This flag is needed until the V release. We with clean it up after V together
# with most of the release_avf_ flags here.
$(call add_soong_config_var_value,ANDROID,release_avf_enable_remote_attestation,$(RELEASE_AVF_ENABLE_REMOTE_ATTESTATION))
$(call add_soong_config_var_value,ANDROID,release_avf_enable_vendor_modules,$(RELEASE_AVF_ENABLE_VENDOR_MODULES))
$(call add_soong_config_var_value,ANDROID,release_avf_enable_virt_cpufreq,$(RELEASE_AVF_ENABLE_VIRT_CPUFREQ))

3
core/product.mk
View File

@@ -426,6 +426,9 @@ _product_single_value_vars += PRODUCT_MODULE_BUILD_FROM_SOURCE
# If true, installs a full version of com.android.virt APEX.
_product_single_value_vars += PRODUCT_AVF_ENABLED
# If false, disable the AVF remote attestaton feature.
_product_single_value_vars += PRODUCT_AVF_REMOTE_ATTESTATION_DISABLED
# If true, kernel with modules will be used for Microdroid VMs.
_product_single_value_vars += PRODUCT_AVF_KERNEL_MODULES_ENABLED