# service started when selecting `com.android.hardware.keymint.trusty_system_vm` vendor apex
service system.keymint-service.trusty_system_vm \
  /system_ext/bin/hw/android.hardware.security.keymint-service.trusty_system_vm \
  --dev ${system.keymint.trusty_ipc_dev}
    disabled
    user nobody
    group drmrpc
    # The keymint service is not allowed to restart.
    # If it crashes, a device restart is required.
    oneshot

# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM
# has a mechanism to notify the host.
on post-fs && property:trusty.security_vm.keymint.enabled=1 && \
   property:trusty.security_vm.vm_cid=*
    setprop system.keymint.trusty_ipc_dev VSOCK:${trusty.security_vm.vm_cid}:1
    start system.keymint-service.trusty_system_vm