The SDV Service Discovery agent needs two sets of configuration information:
- The Vehicle Virtual Machine Configuration (VVM Config), which contains information common to all vehicles of the same model or platform.
- The Vehicle Virtual Machine Trust Store (VVM Trust Store), which contains information unique to that particular vehicle.
Vehicle VM Config
The Vehicle VM Config is a file named vvmconfig[.SUFFIX] located in the /etc
directory of the product partition. The vvmconfig file suffix is optional
and has no meaning to Android SDV. Partners can add any information in the
vvmconfig suffix they find useful, such as the vehicle platform name or the
product name.
If the system has multiple Vehicle VM Config files, the bootloader
should specify the chosen file using the androidboot.sdv.vvmconfig kernel
parameter. This parameter should contain only the filename (e.g.,
vvmconfig.example), without any path component. For example,
/etc/vvmconfig.example would be an invalid value.
The Vehicle VM Config file is provided in a CBOR format defined in the following CDDL fragment:
VvmConfig = [
version: 1,
; Public key of the UDS root provisioning authority
udsCaPub: COSE_Key,
; Revocation list of intermediate CAs of UDS certificates
udsCaRevList: KeyList,
policies: DicePolicies,
vmConfigs: VmConfigMap,
]
DicePolicies = [+ DicePolicy]
KeyList = [* COSE_Key]
; Maps a VM instance name to its configuration
VmConfigMap = {
VmInstanceName => VmConfig
}
VmConfig = [
; IP addresses of this virtual machine.
ips: [+ IpAndPort],
; Index of the DICE policy for the Android SDV VM DICE chain.
android: PolicyIndex,
; Index of the DICE policy for the Secure World DICE chain used by the Android SDV VM.
secureWorld: PolicyIndex,
]
IpAndPort = [
ip: IpAddress,
; If not specified, the default Service Discovery agent port will be used.
? port: uint
]
IpAddress = ipv4-address / ipv6-address
; Index of a DicePolicy in the DicePolicies array.
PolicyIndex = uint
; The VM Name (as defined in the VVM Config). This must comply with the VM Name identifier
; definition in the Service Identity docs.
VmInstanceName = tstr
; INCLUDE /hardware/interfaces/security/authgraph/aidl/android/hardware/security/authgraph/DicePolicy.cddl for: DicePolicy
COSE_Key is defined in RFC 8152, CBOR Object Signing and Encryption
(COSE).
ipv4-address and ipv6-address are defined in RFC 9164, Concise Binary
Object Representation (CBOR) Tags for IPv4 and IPv6 Addresses and Prefixes.
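As an added example (not code from this page or from the Android SDV project), the following Python validates a VvmConfig file against the CDDL above before anything trusts its contents. It carries its own definite-length CBOR decoder built on the standard library, so it runs without cbor2, and checks the parts a Service Discovery agent would rely on: version, array shape, the RFC 9164 IP tags (52 for IPv4, 54 for IPv6), port range, and that every PolicyIndex points inside the policies array. It also rejects a VmConfig whose android and secureWorld indices select the same DicePolicy, a check derived from the requirement that no DICE chain may pass both policies. Assumptions: the sample bytes, the name vm_android, the address 192.168.1.10 and port 4242 are constructed; the COSE_Key is checked only for a kty label and each DicePolicy only for being an array, since their full schemas live in RFC 8152 and the AuthGraph DicePolicy.cddl; an absent port is reported as None because the agent's default port value is not given here.

```python
import ipaddress
from collections import namedtuple

Tagged = namedtuple("Tagged", "tag value")  # CBOR tag number + wrapped value

def _take(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError("truncated CBOR")
    return bytes(buf[pos:pos + n]), pos + n

def _decode(buf, pos):
    """Decode one definite-length CBOR item at buf[pos]; return (value, next_pos)."""
    (ib,), pos = _take(buf, pos, 1)
    mt, ai = ib >> 5, ib & 0x1F
    if ai > 27:
        raise ValueError("indefinite-length items are not accepted")
    arg = ai
    if ai >= 24:  # 1, 2, 4 or 8 following bytes carry the argument
        raw, pos = _take(buf, pos, 1 << (ai - 24))
        arg = int.from_bytes(raw, "big")
    if mt in (2, 3):  # bstr / tstr
        raw, pos = _take(buf, pos, arg)
        return (raw if mt == 2 else raw.decode("utf-8")), pos
    if mt in (4, 5):  # array / map: arg counts elements (pairs for a map)
        items = []
        for _ in range(arg * (2 if mt == 5 else 1)):
            item, pos = _decode(buf, pos)
            items.append(item)
        if mt == 4:
            return items, pos
        m = dict(zip(items[0::2], items[1::2]))
        if len(m) != arg:
            raise ValueError("duplicate map key")
        return m, pos
    if mt == 6:
        inner, pos = _decode(buf, pos)
        return Tagged(arg, inner), pos
    if mt == 7:  # only false/true/null are needed for these files
        return {20: False, 21: True, 22: None}[arg], pos
    return (arg if mt == 0 else -1 - arg), pos  # uint / negint

def _ip(item):  # RFC 9164 bare address: tag 52 = IPv4 (4-byte bstr), tag 54 = IPv6 (16-byte bstr)
    ok = isinstance(item, Tagged) and isinstance(item.value, bytes)
    if ok and item.tag == 52 and len(item.value) == 4:
        return ipaddress.IPv4Address(item.value)
    if ok and item.tag == 54 and len(item.value) == 16:
        return ipaddress.IPv6Address(item.value)
    raise ValueError("ip must be an RFC 9164 tag 52/54 around a 4/16-byte bstr")

def parse_vvmconfig(buf):
    """Validate a VvmConfig; return {vm_name: ([(ip, port_or_None), ...], android_idx, sw_idx)}."""
    top, end = _decode(buf, 0)
    if end != len(buf) or not (isinstance(top, list) and len(top) == 5 and top[0] == 1):
        raise ValueError("VvmConfig must be a single 5-element array with version 1")
    _, ca_pub, rev_list, policies, vm_configs = top
    if not (isinstance(ca_pub, dict) and 1 in ca_pub):  # a COSE_Key always carries kty (label 1)
        raise ValueError("udsCaPub must be a COSE_Key map")
    if not (isinstance(rev_list, list) and all(isinstance(k, dict) for k in rev_list)):
        raise ValueError("udsCaRevList must be an array of COSE_Key maps")
    if not (isinstance(policies, list) and policies and all(isinstance(p, list) for p in policies)):
        raise ValueError("policies must be a non-empty array of DicePolicy arrays")
    if not (isinstance(vm_configs, dict) and vm_configs):
        raise ValueError("vmConfigs must be a non-empty map")
    out = {}
    for name, cfg in vm_configs.items():
        if not (isinstance(name, str) and name and isinstance(cfg, list) and len(cfg) == 3
                and isinstance(cfg[0], list) and cfg[0]):
            raise ValueError(f"{name!r}: VmConfig must be [ips(+), android, secureWorld]")
        ips, android, sw = cfg
        endpoints = []
        for entry in ips:
            if not (isinstance(entry, list) and len(entry) in (1, 2)):
                raise ValueError(f"{name}: IpAndPort must be [ip] or [ip, port]")
            port = entry[1] if len(entry) == 2 else None  # None = the agent's default port
            if port is not None and not (type(port) is int and 0 < port < 65536):
                raise ValueError(f"{name}: port must be a uint in 1..65535")
            endpoints.append((_ip(entry[0]), port))
        for label, idx in (("android", android), ("secureWorld", sw)):
            if not (type(idx) is int and 0 <= idx < len(policies)):
                raise ValueError(f"{name}: {label} PolicyIndex {idx!r} not in 0..{len(policies) - 1}")
        # No chain may pass both policies; that cannot hold if both indices select the same one.
        if android == sw:
            raise ValueError(f"{name}: android and secureWorld must select different policies")
        out[name] = (endpoints, android, sw)
    return out

def rejects(buf):
    try:
        parse_vvmconfig(buf)
    except ValueError:
        return True
    return False

# Constructed sample (not a real OEM file), hand-encoded so the wire layout is visible.
# The COSE_Key x bytes and the DicePolicy bodies are placeholders.
SAMPLE_VVMCONFIG = bytes.fromhex(
    "85" "01"                          # array(5) VvmConfig; version 1
    "a4" "0101" "0327" "2006"          # udsCaPub: COSE_Key {kty: OKP, alg: EdDSA, crv: Ed25519,
    "21" "5820" + "00" * 32 +          #   -2: bstr(32) x = public key bytes (zeros here)}
    "80"                               # udsCaRevList: empty array, nothing revoked
    "82" "820180" "820180"             # policies: two placeholder DicePolicy arrays [1, []]
    "a1" "6a" + b"vm_android".hex() +  # vmConfigs: map(1), key tstr "vm_android"
    "83" "81" "82"                     #   VmConfig [ ips [ IpAndPort [
    "d834" "44c0a8010a"                #     52(h'c0a8010a') = 192.168.1.10 (RFC 9164 tag 52)
    "191092"                           #     4242 ] ],
    "00" "01"                          #   android = policy 0, secureWorld = policy 1 ]
)
```

Feeding the decoder a file from the product partition is `parse_vvmconfig(open("/product/etc/vvmconfig.example", "rb").read())`; note that the decoder deliberately refuses indefinite-length items, duplicate map keys and trailing bytes, since a config parser that silently accepts those gives an attacker who can write the file room to make two parsers disagree about its contents.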
DICE Policies
The OEM provides Android SDV with a collection of DICE policies defining the constraints that valid (and trustworthy) DICE chains must comply with. This policy collection must cover all the DICE chains related to all SDV VMs in the vehicle.
All Secure World DICE chains must fail an Android SDV DICE Policy. Conversely, all Android SDV DICE chains must fail a Secure World DICE policy. This means that it must not be possible to successfully pass an Android SDV DICE Chain as a Secure World DICE chain and vice-versa.
Vehicle VM Trust Store
The Vehicle VM Trust Store contains the UDS public keys of all participants of
the SDV Secure Mesh. It's an unsigned partition named vvmtruststore with an
ext4 file system and mounted on the /vvmtruststore directory. Those public
keys can optionally be certified by the root authority specified in the VVM
Config.
This partition is mounted read-write when the Android HLOS is booted with SDV
Boot Mode unlocked, and read-only when SDV Boot Mode is locked. It may contain up
to two files: uds_pubs and uds_certs.
uds_pubs is a CBOR file containing all the UDS public keys from all the ECUs
that are hosting SDV VMs in the current SDV Mesh. Those UDS public keys are
collected from the DICE chains provided by the peer SDV VMs during provisioning.
This file is created by the sdv_provisioning_tool during the
provisioning flow.
uds_certs is a CBOR file defined in the following CDDL fragment:
UdsCertificates = [
1, ; version
* UdsCertChain
]
UdsCertChain = [
2* X509Certificate ; Root -> ... -> Leaf. "Root" is the vendor self-signed
; cert, "Leaf" contains UDS_Public. There may also be
; intermediate certificates between Root and Leaf.
]
; A bstr containing a DER-encoded X.509 certificate.
X509Certificate = bstr
uds_certs holds CA-signed UDS certificates for the local device's UDS public
keys only (unlike uds_pubs, which lists the keys of every peer). The OEM must
provide this file; it is mandatory only for the parts replacement provisioning
flow.
The UDS certificates in the uds_certs must follow the
specifications defined in the Remote Provisioning HAL.
Additionally, certificate signatures must use Ed25519 or ECDSA over P-256 or
P-384. Following the Remote Provisioning HAL means, in particular, that the leaf
certificate of the UDS cert chain should carry the BasicConstraints and KeyUsage
specified for the UDS certificate, while all intermediate and root certificates
should follow the rules for CA certificates.