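/*
 * Copyright 2022 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package android.system.virtualizationservice_internal;

import android.system.virtualizationcommon.Certificate;
import android.system.virtualizationservice.AssignableDevice;
import android.system.virtualizationservice.VirtualMachineDebugInfo;
import android.system.virtualizationservice_internal.AtomVmBooted;
import android.system.virtualizationservice_internal.AtomVmCreationRequested;
import android.system.virtualizationservice_internal.AtomVmExited;
import android.system.virtualizationservice_internal.IBoundDevice;
import android.system.virtualizationservice_internal.IGlobalVmContext;

/**
 * Internal binder interface of the virtualization service.
 *
 * Several methods take identity-like values (a PID, a UID, an instance ID) as plain arguments
 * instead of deriving them from the binder calling identity, and one method is documented as
 * performing no ownership check. The guarantees described below therefore depend on which
 * callers are allowed to reach this interface.
 */
interface IVirtualizationServiceInternal {
    /**
     * Removes the memlock rlimit of the calling process.
     *
     * The SELinux policy only allows this to succeed for virtmgr callers.
     */
    void removeMemlockRlimit();

    /**
     * Allocates global context for a new VM.
     *
     * This allocates VM's globally unique resources such as the CID.
     * The resources will not be recycled as long as there is a strong reference
     * to the returned object.
     *
     * @param requesterDebugPid PID supplied by the caller.
     *         NOTE(review): the name suggests it is recorded for debugging only; being
     *         caller-supplied, it should not feed access-control decisions. Confirm in the
     *         implementation.
     * @return the context object whose strong references keep the allocated resources alive.
     */
    IGlobalVmContext allocateGlobalVmContext(int requesterDebugPid);

    /** Forwards a VmBooted atom to statsd. */
    void atomVmBooted(in AtomVmBooted atom);

    /** Forwards a VmCreationRequested atom to statsd. */
    void atomVmCreationRequested(in AtomVmCreationRequested atom);

    /** Forwards a VmExited atom to statsd. */
    void atomVmExited(in AtomVmExited atom);

    /** Get a list of all currently running VMs. */
    VirtualMachineDebugInfo[] debugListVms();

    /**
     * Requests a certificate chain for the provided certificate signing request (CSR).
     *
     * @param csr The certificate signing request.
     * @param requesterUid The UID of the app that requests remote attestation. The client VM to be
     *         attested is owned by this app.
     *         The uniqueness of the UID ensures that no two VMs owned by different apps
     *         are able to correlate keys.
     *         NOTE(review): the UID arrives as an argument, so this property holds only if
     *         every caller passes the real UID of the requesting app. Confirm that callers of
     *         this interface are restricted accordingly.
     * @param testMode Whether the request is for testing purposes.
     * @return A sequence of DER-encoded X.509 certificates that make up the attestation
     *         key's certificate chain. The attestation key is provided in the CSR.
     */
    Certificate[] requestAttestation(in byte[] csr, int requesterUid, in boolean testMode);

    /**
     * Provisions a key pair for VM attestation testing. A fake certificate will be
     * associated with the fake key pair when the VM requests attestation in testing mode.
     *
     * The provisioned key pair will be used in the subsequent call to {@link #requestAttestation}
     * with testMode set to true.
     */
    void enableTestAttestation();

    /**
     * Returns {@code true} if the pVM remote attestation feature is supported.
     */
    boolean isRemoteAttestationSupported();

    /**
     * Get a list of assignable devices.
     */
    AssignableDevice[] getAssignableDevices();

    /**
     * Bind given devices to vfio driver.
     *
     * @param devices paths of sysfs nodes of devices to assign.
     *         NOTE(review): the paths are caller-supplied strings. Whether they are validated
     *         (for example against the assignable device list) is not visible in this file;
     *         confirm in the implementation.
     * @return a list of IBoundDevices representing VFIO bound devices.
     */
    IBoundDevice[] bindDevicesToVfioDriver(in String[] devices);

    /** Returns a read-only file descriptor of the VM DTBO file. */
    ParcelFileDescriptor getDtboFile();

    /**
     * Allocate an instance_id to the (newly created) VM.
     *
     * @return the 64-byte instance ID.
     */
    byte[64] allocateInstanceId();

    /**
     * Notification that state associated with a VM should be removed.
     *
     * @param instanceId The ID for the VM.
     */
    void removeVmInstance(in byte[64] instanceId);

    /**
     * Notification that ownership of a VM has been claimed by the caller. Note that no permission
     * checks (with respect to the previous owner) are performed.
     *
     * NOTE(review): because the previous owner is not checked, the only protection visible here
     * against one client taking over another's instance is the restriction on who may call this
     * interface. Confirm that this restriction is enforced.
     *
     * @param instanceId The ID for the VM.
     */
    void claimVmInstance(in byte[64] instanceId);

    // TODO(b/330257000): Remove these functions when a display service is running with binder RPC.
    // NOTE(review): these three methods are undocumented. By their names they register, clear and
    // wait for the display service binder; confirm the contract and which callers may set it.
    void setDisplayService(IBinder ibinder);
    void clearDisplayService();
    IBinder waitDisplayService();

    /**
     * Create TAP network interface for a VM.
     *
     * @param ifaceNameSuffix suffix of the network interface name.
     * @return file descriptor of the TAP network interface.
     */
    ParcelFileDescriptor createTapInterface(String ifaceNameSuffix);

    /**
     * Delete TAP network interface created for a VM.
     *
     * @param tapFd file descriptor of the TAP network interface.
     */
    void deleteTapInterface(in ParcelFileDescriptor tapFd);
}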