Revert "[tee][devfs] switching to services"

This reverts commit c820680.

Reason for revert: breaks build due to `fuchsia.driver.compat.Service` was not offered.

Original change's description:
> [tee][devfs] switching to services
>
> Converts the tee drivers and clients to use
> services instead of devfs.
>
> Run-All-Tests: true
>
> Cq-Include-Trybots: luci.turquoise.global.try:run-postsubmit-tryjobs
>
> Bug: 324273348
>
> Change-Id: I2b3ba970cd5a2e7d6be5dc378a58583c7230e54f
> Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/1221585
> Reviewed-by: Ali Zhang <[email protected]>
> Reviewed-by: Aaron Wood <[email protected]>
> Commit-Queue: Garratt Gallagher <[email protected]>

Bug: 324273348
Cq-Include-Trybots: luci.turquoise.global.try:run-postsubmit-tryjobs
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Change-Id: I3d1843faeed85800bcbc43ada423f96776848939
Reviewed-on: https://fuchsia-review.googlesource.com/c/fuchsia/+/1224704
Commit-Queue: Marie Janssen <[email protected]>
Reviewed-by: RubberStamper 🤖 <[email protected]>
Reviewed-by: Garratt Gallagher <[email protected]>

Author: jamuraa

src/devices/bin/driver_manager/devfs/class_names.h

@@ -121,6 +121,7 @@ const std::unordered_map<std::string_view, ServiceEntry> kClassNameToService = {
     {"skip-block",
      {ServiceEntry::kDevfsAndService, "fuchsia.hardware.skipblock.Service", "skipblock"}},
     {"spi", {ServiceEntry::kDevfsAndService, "fuchsia.hardware.spi.ControllerService", "device"}},
+    {"tee", {ServiceEntry::kDevfsAndService, "fuchsia.hardware.tee.Service", "device_connector"}},
     {"temperature",
      {ServiceEntry::kDevfsAndService, "fuchsia.hardware.temperature.Service", "device"}},
     {"test", {ServiceEntry::kDevfs, "", ""}},

src/devices/bin/driver_manager/devfs/meta/devfs-driver.cml

@@ -51,6 +51,7 @@
                 "fuchsia.hardware.Serial.ProxyService",
                 "fuchsia.hardware.skipblock.Service",
                 "fuchsia.hardware.spi.ControllerService",
+                "fuchsia.hardware.tee.Service",
                 "fuchsia.hardware.temperature.Service",
                 "fuchsia.hardware.thermal.Service",
                 "fuchsia.hardware.trippoint.TripPointService",
@@ -111,6 +112,7 @@
                 "fuchsia.hardware.Serial.ProxyService",
                 "fuchsia.hardware.skipblock.Service",
                 "fuchsia.hardware.spi.ControllerService",
+                "fuchsia.hardware.tee.Service",
                 "fuchsia.hardware.temperature.Service",
                 "fuchsia.hardware.thermal.Service",
                 "fuchsia.hardware.trippoint.TripPointService",

src/media/codec/examples/use_media_decoder/meta/decoder_secure_input_output_test.shard.cml

@@ -56,18 +56,10 @@
     ],
     offer: [
         {
-            // TODO(https://fxbug.dev/324273348): Remove this capability once the clients have
-            // been migrated to services. The service capability has been added below.
             directory: "dev-tee",
             from: "parent",
             to: "#tee_manager",
         },
-        {
-            // This service replaces the directory capability above.
-            service: "fuchsia.hardware.tee.Service",
-            from: "parent",
-            to: "#tee_manager",
-        },
         {
             directory: "config-data",
             from: "parent",

src/media/testing/drm_test_realm.shard.cml

@@ -60,9 +60,10 @@
             rights: [ "r*" ],
         },
         {
-            service: "fuchsia.hardware.tee.Service",
+            directory: "dev-tee",
             from: "parent",
             to: "#drm-tests",
+            rights: [ "r*" ],
         },
         {
             directory: "boot",

src/security/bin/tee_manager/meta/optee_smoke_test.cml

@@ -27,7 +27,7 @@
     ],
     offer: [
         {
-            service: "fuchsia.hardware.tee.Service",
+            directory: "dev-tee",
             from: "parent",
             to: "#tee_manager",
         },

src/security/bin/tee_manager/meta/optee_test.cml

@@ -27,7 +27,7 @@
     ],
     offer: [
         {
-            service: "fuchsia.hardware.tee.Service",
+            directory: "dev-tee",
             from: "parent",
             to: "#tee_manager",
         },

src/security/bin/tee_manager/meta/tee_manager.base.cml

@@ -14,7 +14,11 @@
         { protocol: "fuchsia.tee.DeviceInfo" },
     ],
     use: [
-        { service: "fuchsia.hardware.tee.Service" },
+        {
+            directory: "dev-tee",
+            rights: [ "r*" ],
+            path: "/dev/class/tee",
+        },
         {
             directory: "config-data",
             rights: [ "r*" ],

src/security/bin/tee_manager/meta/tee_manager.core_shard.cml

@@ -16,9 +16,11 @@
     ],
     offer: [
         {
-            service: "fuchsia.hardware.tee.Service",
+            directory: "dev-class",
             from: "parent",
+            as: "dev-tee",
             to: "#tee_manager",
+            subdir: "tee",
         },
         {
             storage: "data",

src/security/bin/tee_manager/src/main.rs

@@ -22,8 +22,7 @@ use futures::stream::FusedStream;
 use std::path::{Path, PathBuf};
 use uuid::Uuid;
 
-const DEV_TEE_PATH: &str = "/svc/fuchsia.hardware.tee.Service";
-const TEE_SERVICE_MEMBER: &str = "/device_connector";
+const DEV_TEE_PATH: &str = "/dev/class/tee";
 
 enum IncomingRequest {
     Application(ServerEnd<fuchsia_tee::ApplicationMarker>, fuchsia_tee::Uuid),
@@ -111,9 +110,7 @@ async fn enumerate_tee_devices() -> Result<Vec<PathBuf>, Error> {
                 if msg.filename == Path::new(".") {
                     continue;
                 }
-                device_list.push(
-                    PathBuf::new().join(DEV_TEE_PATH).join(msg.filename).join(TEE_SERVICE_MEMBER),
-                );
+                device_list.push(PathBuf::new().join(DEV_TEE_PATH).join(msg.filename));
             }
             vfs::WatchEvent::IDLE => {
                 break;

src/security/lib/kms-stateless/kms-stateless.cc

@@ -26,10 +26,9 @@ namespace kms_stateless {
 namespace {
 
 const size_t kDerivedKeySize = 16;
-const char kServicePath[] = "/svc/fuchsia.hardware.tee.Service";
-const char kServiceMemberName[] = "device_connector";
-
-const size_t kMaxPathLen = 264;
+const char kDeviceClass[] = "/dev/class/tee";
+// Path estimated to be "/dev/class/tee/XXX".
+const size_t kMaxPathLen = 64;
 
 // UUID of the keysafe TA.
 const TEEC_UUID kKeysafeTaUuid = TA_KEYSAFE_UUID;
@@ -184,11 +183,7 @@ zx_status_t WatchTee(int dirfd, int event, const char* filename, void* cookie) {
     return ZX_OK;
   }
   fbl::StringBuffer<kMaxPathLen> device_path;
-  device_path.Append(kServicePath)
-      .Append("/")
-      .Append(filename)
-      .Append("/")
-      .Append(kServiceMemberName);
+  device_path.Append(kDeviceClass).Append("/").Append(filename);
   // Hardware derived key is expected to be 128-bit AES key.
   std::unique_ptr<uint8_t[]> key_buffer(new uint8_t[kDerivedKeySize]);
   size_t key_size = 0;
@@ -215,7 +210,7 @@ zx_status_t WatchTee(int dirfd, int event, const char* filename, void* cookie) {
 
 zx_status_t GetHardwareDerivedKey(GetHardwareDerivedKeyCallback callback,
                                   uint8_t key_info[kExpectedKeyInfoSize]) {
-  zx::result channel = device_watcher::RecursiveWaitForFile(kServicePath, zx::sec(5));
+  zx::result channel = device_watcher::RecursiveWaitForFile(kDeviceClass, zx::sec(5));
   if (channel.is_error()) {
     fprintf(stderr, "Error waiting for tee device directory: %s\n", channel.status_string());
     return channel.error_value();

src/security/lib/kms-stateless/kms-stateless.h

@@ -21,7 +21,7 @@ const size_t kExpectedKeyInfoSize = 32;
 using GetHardwareDerivedKeyCallback =
     fit::function<zx_status_t(std::unique_ptr<uint8_t[]>, size_t)>;
 
-// Get a hardware derived key using the service path.
+// Get a hardware derived key using the device /dev/class/tee/000 .
 // This is useful in early boot when other services may not be up.
 zx_status_t GetHardwareDerivedKey(GetHardwareDerivedKeyCallback callback,
                                   uint8_t key_info[kExpectedKeyInfoSize]);

src/security/lib/kms-stateless/rust/src/lib.rs

@@ -120,25 +120,26 @@ fn rotate_key_from_tee_device(device: Option<&CStr>, info: KeyInfo) -> Result<()
     call_command(device, &mut op, TaKeysafeCommand::RotateHardwareDerivedKey)
 }
 
-/// Gets a hardware derived key using the first device found in /svc/fuchsia.hardware.tee.Service.
+/// Gets a hardware derived key using the first device found in /dev/class/tee.
 /// This is useful in early boot when other services may not be up.
 pub async fn get_hardware_derived_key(info: KeyInfo) -> Result<Vec<u8>, Error> {
-    const TEE_SERVICE: &str = "/svc/fuchsia.hardware.tee.Service";
-    const TEE_SERVICE_MEMBER: &str = "device_connector";
+    const DEV_CLASS_TEE: &str = "/dev/class/tee";
 
-    let dir = fuchsia_fs::directory::open_in_namespace(TEE_SERVICE, fuchsia_fs::Flags::empty())?;
+    let dir = fuchsia_fs::directory::open_in_namespace(DEV_CLASS_TEE, fuchsia_fs::Flags::empty())?;
     let mut stream = device_watcher::watch_for_files(&dir).await?;
     let first = stream
         .try_next()
         .map_err(Error::from)
         .on_timeout(std::time::Duration::from_secs(5), || Err(Error::TeeDeviceWaitTimeout))
         .await?;
     let first = first.ok_or_else(|| {
-        Error::TeeDeviceWaitFailure(anyhow::anyhow!("'{TEE_SERVICE}' watcher closed unexpectedly"))
+        Error::TeeDeviceWaitFailure(anyhow::anyhow!(
+            "'{DEV_CLASS_TEE}' watcher closed unexpectedly"
+        ))
     })?;
     let first = first.to_str().expect("paths are utf-8");
 
-    let dev = format!("{TEE_SERVICE}/{first}/{TEE_SERVICE_MEMBER}");
+    let dev = format!("{DEV_CLASS_TEE}/{first}");
     let dev = CString::new(dev).expect("paths do not contain nul bytes");
     get_key_from_tee_device(Some(&dev), info)
 }
@@ -149,25 +150,26 @@ pub async fn get_hardware_derived_key_from_service(info: KeyInfo) -> Result<Vec<
     get_key_from_tee_device(None, info)
 }
 
-/// Rotates the hardware derived key from a tee device at /svc/fuchsia.hardware.tee.Service.
+/// Rotates the hardware derived key from a tee device at the /dev/class/tee.
 /// This is useful in early boot when other services may not be up.
 pub async fn rotate_hardware_derived_key(info: KeyInfo) -> Result<(), Error> {
-    const TEE_SERVICE: &str = "/svc/fuchsia.hardware.tee.Service";
-    const TEE_SERVICE_MEMBER: &str = "device_connector";
+    const DEV_CLASS_TEE: &str = "/dev/class/tee";
 
-    let dir = fuchsia_fs::directory::open_in_namespace(TEE_SERVICE, fuchsia_fs::Flags::empty())?;
+    let dir = fuchsia_fs::directory::open_in_namespace(DEV_CLASS_TEE, fuchsia_fs::Flags::empty())?;
     let mut stream = device_watcher::watch_for_files(&dir).await?;
     let first = stream
         .try_next()
         .map_err(Error::from)
         .on_timeout(std::time::Duration::from_secs(5), || Err(Error::TeeDeviceWaitTimeout))
         .await?;
     let first = first.ok_or_else(|| {
-        Error::TeeDeviceWaitFailure(anyhow::anyhow!("'{TEE_SERVICE}' watcher closed unexpectedly"))
+        Error::TeeDeviceWaitFailure(anyhow::anyhow!(
+            "'{DEV_CLASS_TEE}' watcher closed unexpectedly"
+        ))
     })?;
     let first = first.to_str().expect("paths are utf-8");
 
-    let dev = format!("{TEE_SERVICE}/{first}/{TEE_SERVICE_MEMBER}");
+    let dev = format!("{DEV_CLASS_TEE}/{first}");
     let dev = CString::new(dev).expect("paths do not contain nul bytes");
     rotate_key_from_tee_device(Some(&dev), info)
 }

src/security/lib/tee/tee-client-api/tee-client-api.cc

@@ -55,7 +55,7 @@ constexpr std::string_view kServiceDirectoryPath("/svc/");
 
 // Presently only used by clients that need to connect before the service is available / don't need
 // the TEE to be able to use file services.
-constexpr std::string_view kTeeServicePath("/svc/fuchsia.hardware.tee.Service");
+constexpr std::string_view kTeeDevClass("/dev/class/tee/");
 
 std::string GetApplicationServicePath(const fuchsia_tee::wire::Uuid& app_uuid) {
   constexpr std::string_view kApplicationServicePathPrefix = "/svc/fuchsia.tee.Application.";
@@ -791,7 +791,7 @@ TEEC_Result TEEC_InitializeContext(const char* name, TEEC_Context* context) {
   auto name_view = std::string_view(name != nullptr ? name : "");
   fidl::ClientEnd<fuchsia_hardware_tee::DeviceConnector> maybe_device_connector;
 
-  if (starts_with(name_view, kTeeServicePath)) {
+  if (starts_with(name_view, kTeeDevClass)) {
     if (zx_status_t status = ConnectToDeviceConnector(name, &maybe_device_connector);
         status != ZX_OK) {
       return TEEC_ERROR_COMMUNICATION;

src/sys/pkg/bin/system-update-configurator/meta/system-update-configurator-integration-test.cml

@@ -39,7 +39,7 @@
             to: "#system_update_configurator",
         },
         {
-            service: "fuchsia.hardware.tee.Service",
+            directory: "dev-tee",
             from: "parent",
             to: "#tee_manager",
         },

src/sys/test_manager/meta/test_manager.core_shard.cml

@@ -464,9 +464,11 @@
             to: "#test_manager",
         },
         {
-            service: "fuchsia.hardware.tee.Service",
+            directory: "dev-class",
             from: "parent",
+            as: "dev-tee",
             to: "#test_manager",
+            subdir: "tee",
         },
         {
             directory: "dev-class",

src/sys/testing/meta/system-tests.shard.cml

@@ -322,9 +322,10 @@
 
         // optee_test requires access to /dev/class/tee.
         {
-            service: "fuchsia.hardware.tee.Service",
+            directory: "dev-tee",
             from: "parent",
             to: [ "#system-tests" ],
+            rights: [ "r*" ],
         },
 
         // Tests of the media system want to test against the real hardware

src/sys/testing/meta/test_realm.core_shard.cml

@@ -488,9 +488,11 @@
             to: "#testing",
         },
         {
-            service: "fuchsia.hardware.tee.Service",
+            directory: "dev-class",
             from: "parent",
+            as: "dev-tee",
             to: "#testing",
+            subdir: "tee",
         },
         {
             directory: "dev-class",