1# Service VM 2 3The Service VM is a lightweight, bare-metal virtual machine specifically 4designed to run various services for other virtual machines. It fulfills the 5following requirements: 6 7- Only one instance of the Service VM is allowed to run at any given time. 8- The instance ID of the Service VM remains unchanged during updates of 9 both the client VMs and the Service VM. 10 11The instance ID is incorporated into the [CDI values][cdi] calculation of 12each VM loaded by pVM Firmware to ensure consistent CDI values for the VM 13across all reboots. 14 15[cdi]: https://android.googlesource.com/platform/external/open-dice/+/main/docs/specification.md#CDI-Values 16 17## Architecture 18 19[Rialto][rialto] is used as the bare-metal kernel for the Service VM. It 20shares some low-level setup, such as memory management and virtio device 21parsing, with pvmfw. The common setup code is grouped in [libvmbase/][libvmbase]. 22 23## Functionality 24 25The main functionality of the Service VM is to process requests from the host 26and provide responses for each request. The requests and responses are 27serialized in CBOR format and transmitted over a virtio-vsock device. 28 29- [libservice_vm_comm][libservice_vm_comm] contains the definitions for the 30 requests and responses. 31- [libservice_vm_requests][libservice_vm_requests] contains the library that 32 processes the requests. 33- [libservice_vm_manager][libservice_vm_manager] manages the Service VM 34 session, ensuring that only one Service VM is active at any given time. The 35 [virtualizationservice][virtualizationservice] process owns and manages the 36 Service VM instance. 37 38[rialto]: ../guest/rialto 39[libvmbase]: ../libs/libvmbase 40[libservice_vm_comm]: ../libs/libservice_vm_comm 41[libservice_vm_requests]: ../libs/libservice_vm_requests 42[libservice_vm_manager]: ../libs/libservice_vm_manager 43[virtualizationservice]: ../android/virtualizationservice 44 45### RKP VM (Remote Key Provisioning Virtual Machine) 46 47Currently, the Service VM only supports VM remote attestation, and in that 48context we refer to it as the RKP VM. The RKP VM undergoes validation by the 49[RKP][rkp] Server and functions as a remotely provisioned component responsible 50for verifying the integrity of other virtual machines. See 51[VM remote attestation][vm-attestation] for more details about the role of RKP 52VM in remote attestation. 53 54[rkp]: https://source.android.com/docs/core/ota/modular-system/remote-key-provisioning 55[vm-attestation]: https://android.googlesource.com/platform/packages/modules/Virtualization/+/main/docs/vm_remote_attestation.md 56