# Service VM

The Service VM is a lightweight, bare-metal virtual machine specifically
designed to run various services for other virtual machines. It fulfills the
following requirements:

- Only one instance of the Service VM is allowed to run at any given time.
- The instance ID of the Service VM remains unchanged during updates of
  both the client VMs and the Service VM.

The instance ID is incorporated into the [CDI values][cdi] calculation of
each VM loaded by pVM Firmware to ensure consistent CDI values for the VM
across all reboots.

[cdi]: https://android.googlesource.com/platform/external/open-dice/+/main/docs/specification.md#CDI-Values

## Architecture

[Rialto](../rialto) is used as the bare-metal kernel for the Service VM. It
shares some low-level setup, such as memory management and virtio device
parsing, with pvmfw. The common setup code is grouped in [vmbase/](../vmbase).

## Functionality

The main functionality of the Service VM is to process requests from the host
and provide responses for each request. The requests and responses are
serialized in CBOR format and transmitted over a virtio-vsock device.

- [./comm](./comm) contains the definitions for the requests and responses.
- [./requests](./requests) contains the library that processes the requests.
- [./manager](./manager) manages the Service VM session, ensuring that only
  one Service VM is active at any given time. The
  [virtualizationservice](../virtualizationservice) process owns and manages
  the Service VM instance.

### RKP VM (Remote Key Provisioning Virtual Machine)

Currently, the Service VM only supports VM remote attestation, and in that
context we refer to it as the RKP VM. The RKP VM undergoes validation by the
[RKP][rkp] Server and functions as a remotely provisioned component responsible
for verifying the integrity of other virtual machines. See
[VM remote attestation][vm-attestation] for more details about the role of RKP
VM in remote attestation.

[rkp]: https://source.android.com/docs/core/ota/modular-system/remote-key-provisioning
[vm-attestation]: https://android.googlesource.com/platform/packages/modules/Virtualization/+/main/docs/vm_remote_attestation.md
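
The introduction states that the instance ID is an input to each VM's CDI calculation so that the CDI stays the same across reboots. The following Python model is an added example, not code from pvmfw or this project: it derives a CDI in the Open DICE form `KDF(32, parent CDI, H(inputs), "CDI_Attest")` and shows that the same image yields the same CDI under one instance ID and a different CDI under another. Assumptions: the function names, the sample values, and the placement of the instance ID next to the code and authority hashes are hypothetical; this page does not say which DICE input field carries it.

```python
import hashlib
import hmac


def hkdf_sha512(length: int, ikm: bytes, salt: bytes, info: bytes) -> bytes:
    """HKDF (RFC 5869) with SHA-512: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha512).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha512).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_cdi_attest(parent_cdi: bytes, code_hash: bytes,
                      authority_hash: bytes, instance_id: bytes) -> bytes:
    """Simplified model: CDI_Attest = KDF(32, parent CDI, H(inputs), "CDI_Attest").

    Assumption: the instance ID is hashed in next to the code and authority
    measurements. Real DICE inputs carry more fields (config, mode, hidden).
    """
    input_hash = hashlib.sha512(code_hash + authority_hash + instance_id).digest()
    return hkdf_sha512(32, parent_cdi, input_hash, b"CDI_Attest")


# Constructed sample values, not real measurements or IDs.
PARENT_CDI = bytes(range(32))
CODE_HASH = hashlib.sha512(b"constructed VM image").digest()
AUTHORITY_HASH = hashlib.sha512(b"constructed signing key").digest()
INSTANCE_A = bytes.fromhex("a1" * 64)
INSTANCE_B = bytes.fromhex("b2" * 64)


def boot(instance_id: bytes) -> bytes:
    """One boot of the same image under the given instance ID."""
    return derive_cdi_attest(PARENT_CDI, CODE_HASH, AUTHORITY_HASH, instance_id)


if __name__ == "__main__":
    print("boot 1, instance A:", boot(INSTANCE_A).hex())
    print("boot 2, instance A:", boot(INSTANCE_A).hex())
    print("boot 1, instance B:", boot(INSTANCE_B).hex())
```

Any secret a VM derives from its CDI is therefore recoverable on the next boot only if the instance ID presented to the derivation is unchanged.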