Currently, tests for pKVM are written as hode-side tests which interact
with the platform using the `vm` tool. However, that approach has cause
many problems:
* Can't test Java APIs; we were testing the command line interface of
the tool actually.
* Unreliable connection to adb; we had to add busy loops to work around
some of the flakes.
We should move on to the device-side tests. There will be a
self-instrumened test apk which will be driven by tradefed.
However, one blocker to the plan is that the Java APIs are not available
to test apps, as we don't have a plan to make the APIs public in TM and
therefore we put the APIs behind signature-protected permissions
(com.android.MANAGE_VIRTUAL_MACHINE, com.android.DEBUG_VIRTUAL_MACHINE).
Since test apps can't be signed with the platform key, our test apk
can't have the permission.
This CL fixes the problem by turning on the `development` bit in the
protection level of the permissions. Then the permission can be granted
to the test apps satisfying following conditions (all):
* test app has `android:testOnly="true"` in its manifest. The flag
prevents the app from being uploaded to Play or installed from there.
* the app has to be installed with the "-t" (`INSTALL_ALLOW_TEST`) flag
* the permission has to be explicitly granted via `pm grant <package>
<perm>` command`.
Bug: 203483081
Test: TARGET_BUILD_APPS="MicrodroidDemoApp" m apps_only dist
adb install --no-streaming -t out/dist/MicrodroidDemoApp.apk
adb shell
$ su; setenforce 0 // will be fixed
$ pm grant com.android.microdroid.demo
android.permission.MANAGE_VIRTUAL_MACHINE
run the demo app
Change-Id: Ic163a3bc745fc310d690faddde638405faad686c
Previously, a VM can be configured as running in debug mode or not.
However, the debug mode was not defined clearly and debugging features
like logging and adb-shell were actually left enabled even when the
debug mode is off.
This CL re-defines the debuggability of a VM. A VM has a debug level
which can be either of these three:
1. None: In this level, VM is not debuggable at all. No log is exported
from the VM, and debugger can't be attached to any process in the VM.
adb-shell of course is not supported.
2. App-only: In this level, only the app payload is debuggable. Logs
from the app process is exported to the host and the process can be
attached to debugger. adb-shell is not supported.
3. Full: In this level, the VM is fully debuggable. All logs including
kernel logs are exported to the VM and developers can adb-shell into the
VM.
Note that this CL doesn't fully implement all the levels yet, but
implements the framework around supporting multiple debug levels.
Specifically, each debug level is associated with a bootconfig image.
Each image has config values each of which enables or disables a
debugging feature. For example, bootconfig images for the none and
app-only levels have "kernel.console = none" to not show kernel console
output.
The `vm` tool and the Java APIs are also amended accordingly. The debug
level can be set via `--debug <level>` flag and the `DebugLevel(...)`
method.
Future work:
* Implement each debug level
* Each level uses different vm-instance image. Debug level is stored in
the instance image and is compared against the given level when
microdroid boots.
* Sign bootconfig images with avb and let uboot verify them
(b/203031847)
Bug: 201362865
Test: atest MicrodroidHostTestCases
Test: adb shell /apex/com.android.virt/bin/vm run-app
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img assets/vm_config.json
shows ...
Created VM from
"/data/local/tmp/virt/MicrodroidDemoApp.apk"!"assets/vm_config.json"
with CID 13, state is NOT_STARTED.
Started VM, state now STARTING.
Hello Microdroid /mnt/apk/lib/arm64-v8a/MicrodroidTestNativeLib.so hello
microdroid
, which is without logs from the bootloader and the kernel
Change-Id: I897dcd88723f014524d2cd2b6ffaa6f9fb5696d6
This adds a simple integer addition service to the testapk's binary. The
demo app tries connecting the VM service once onPayloadReady is
triggered. Users can see the VM service's output.
Bug: 195381416
Test: launch MicrodroidDemoApp
Test: atest MicrodroidHostTestCases
Change-Id: I346084d08f753772cc00aa4c052e0b9b41d460ce
Because we'll now allow virtualizationservice permission only to
platform_apps.
Test: run demo app
Change-Id: I1d58403f363c777565f20ae81da447c2d6ce94b6
The guest VM can notify that its payload has finished initialization and
is ready to serve its own services, by onPayloadReady callback.
Bug: 195381416
Test: atest MicrodroidHostTestCases
Change-Id: I67fee655c410342452bc5ee990e36dfecb30b0cb
onPayloadFinished will be called from the VM when the payload has just
finished.
Bug: 195381416
Test: atest MicrodroidHostTestCases
Change-Id: I9bb68c2192ee19a40634d10ba77af9d4c3ec30d0
Guest VMs now directly call onPayloadStarted to tell the host that their
payload started. And the stream passed by onPayloadStarted is now duplex
so it can also be used as an input stream, which will be fed to the
payload's stdin.
Bug: 191845268
Bug: 195381416
Test: run MicrodroidDemoApp and see output
Test: atest MicrodroidHostTestCases ComposHostTestCases AuthFsHostTest
Change-Id: Ic72045b4e4d11ab1efb14cb2e95de319ca8f9f97
Before a VM is started, the idsig file is created (or updated) by the
virtualization service. This is needed because the idsig file is usually
not available, especially when the APK is downloaded from the store.
Note that the generated idsig file is not a signed one. Therefore, the
APK is first verified using the APK signature scheme V3 (or V2) over a
dm-verity device backed by the APK and the merkle tree (and root hash)
from the idsig file. Only if the verification is successful, the root
hash stored to the instance.img and then used for the subsequent boots
of the VM.
Bug: 193504400
Test: atest MicrodroidHostTestCases
Test: run MicrodroidDemoApp without having the idsig file in
/data/local/tmp/virt.
Change-Id: I9fad05ca9562ae0666431102a8147d0f76f04e6a
The access to the virtualizationservice is now controlled via Android
permissions:
* android.permission.MANAGE_VIRTUAL_MACHINE
* android.permission.DEBUG_VIRTUAL_MACHINE
The two permissions are defined in a resource-only APK
android.system.virtualmachine.res. Virtualizationservice is modified to
do the permission check by using the permission controller service.
Bug: 168588769
Test: /apex/com.android.virt/bin/vm run-app --log /dev/null
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig assets/vm_config.json
Change-Id: Id210d2a55bc57bf03200c3c8546e3c63aa2a4c52
The API is called back to the client when the payload starts in the VM.
The standard output from the payload is accessible via the
ParcelFileDescriptor argument as well.
Bug: 192904048
Test: run MicrodroidDemoApp and check that the payload output is shown.
Change-Id: Ie2afbb455496eec21617b94940ed4386a4865876
Jiyong Park
Inseob Kim