BASELINE: Update Chromium to 85.0.4183.14085-based

Change-Id: Iaa42f4680837c57725b1344f108c0196741f6057
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>

28 files changed, 633 insertions, 111 deletions

diff --git a/chromium/third_party/cros_system_api/BUILD.gn b/chromium/third_party/cros_system_api/BUILD.gn
index 594b1de69c6..4c4a314cc67 100644
--- a/chromium/third_party/cros_system_api/BUILD.gn
+++ b/chromium/third_party/cros_system_api/BUILD.gn
@@ -22,6 +22,7 @@ group("all") {
     ":system_api-kerberos-protos",
     ":system_api-login_manager-goprotos",
     ":system_api-login_manager-protos",
+    ":system_api-lorgnette-protos",
     ":system_api-metrics_event-goprotos",
     ":system_api-metrics_event-protos",
     ":system_api-oobe_config-protos",
@@ -44,6 +45,7 @@ group("all") {
     ":system_api-vm_cicerone-protos",
     ":system_api-vm_concierge-goprotos",
     ":system_api-vm_concierge-protos",
+    ":system_api-vm_permission_service-protos",
     ":system_api-vm_plugin_dispatcher-goprotos",
     ":system_api-vm_plugin_dispatcher-protos",
   ]
@@ -174,11 +176,21 @@ goproto_library("system_api-login_manager-goprotos") {
   ]
 }
 
+proto_library("system_api-lorgnette-protos") {
+  proto_in_dir = "dbus/lorgnette"
+  proto_out_dir = "include/lorgnette/proto_bindings"
+  sources = [
+    "${proto_in_dir}/lorgnette_service.proto",
+  ]
+  standalone = true
+}
+
 proto_library("system_api-chaps-protos") {
   proto_in_dir = "dbus/chaps"
   proto_out_dir = "include/chaps/proto_bindings"
   sources = [
     "${proto_in_dir}/ck_structs.proto",
+    "${proto_in_dir}/key_permissions.proto",
   ]
   standalone = true
 
@@ -209,6 +221,8 @@ goproto_library("system_api-attestation-goprotos") {
   proto_out_dir = "go/src/chromiumos/system_api/attestation_proto"
   sources = [
     "${proto_in_dir}/attestation_ca.proto",
+    "${proto_in_dir}/interface.proto",
+    "${proto_in_dir}/keystore.proto",
   ]
 }
 
@@ -443,3 +457,10 @@ proto_library("system_api-system_proxy-protos") {
   ]
   standalone = true
 }
+
+proto_library("system_api-vm_permission_service-protos") {
+  proto_in_dir = "dbus/vm_permission_service"
+  proto_out_dir = "include/vm_permission_service/proto_bindings"
+  sources = [ "${proto_in_dir}/vm_permission_service.proto" ]
+  standalone = true
+}
diff --git a/chromium/third_party/cros_system_api/dbus/attestation/interface.proto b/chromium/third_party/cros_system_api/dbus/attestation/interface.proto
index 30fd6499095..097970562c3 100644
--- a/chromium/third_party/cros_system_api/dbus/attestation/interface.proto
+++ b/chromium/third_party/cros_system_api/dbus/attestation/interface.proto
@@ -10,6 +10,7 @@ import "attestation_ca.proto";
 import "keystore.proto";
 
 package attestation;
+option go_package = "attestation_proto";
 
 enum AttestationStatus {
   STATUS_SUCCESS = 0;
diff --git a/chromium/third_party/cros_system_api/dbus/attestation/keystore.proto b/chromium/third_party/cros_system_api/dbus/attestation/keystore.proto
index 75537da3983..9e81710d432 100644
--- a/chromium/third_party/cros_system_api/dbus/attestation/keystore.proto
+++ b/chromium/third_party/cros_system_api/dbus/attestation/keystore.proto
@@ -7,6 +7,7 @@ syntax = "proto2";
 option optimize_for = LITE_RUNTIME;
 
 package attestation;
+option go_package = "attestation_proto";
 
 // Describes key type.
 enum KeyType {
diff --git a/chromium/third_party/cros_system_api/dbus/cfm/dbus-constants.h b/chromium/third_party/cros_system_api/dbus/cfm/dbus-constants.h
new file mode 100644
index 00000000000..e98301e0019
--- /dev/null
+++ b/chromium/third_party/cros_system_api/dbus/cfm/dbus-constants.h
@@ -0,0 +1,23 @@
+// Copyright 2020 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Constants for the D-Bus API exposed by the cfm mojo broker.
+// The browser is 'normally' the consumer of this API.
+
+#ifndef SYSTEM_API_DBUS_CFM_DBUS_CONSTANTS_H_
+#define SYSTEM_API_DBUS_CFM_DBUS_CONSTANTS_H_
+
+namespace cfm {
+namespace broker {
+constexpr char kServiceInterfaceName[] = "org.chromium.CfmHotlined";
+constexpr char kServicePath[] = "/org/chromium/CfmHotlined";
+constexpr char kServiceName[] = "org.chromium.CfmHotlined";
+
+// Method names
+constexpr char kBootstrapMojoConnectionMethod[] = "BootstrapMojoConnection";
+
+}  // namespace broker
+}  // namespace cfm
+
+#endif  // SYSTEM_API_DBUS_CFM_DBUS_CONSTANTS_H_
diff --git a/chromium/third_party/cros_system_api/dbus/chaps/key_permissions.proto b/chromium/third_party/cros_system_api/dbus/chaps/key_permissions.proto
new file mode 100644
index 00000000000..0c24440ae60
--- /dev/null
+++ b/chromium/third_party/cros_system_api/dbus/chaps/key_permissions.proto
@@ -0,0 +1,23 @@
+// Copyright 2020 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+syntax = "proto3";
+
+option optimize_for = LITE_RUNTIME;
+
+package chaps;
+
+// A KeyPermissions message encodes contexts in which a key can be used. For
+// keys managed by chaps, kCkaChromeOsKeyPermissions attribute key (see
+// system_api/constants/pkcs11_custom_attributes.h for more details) can be used
+// to save the corresponding KeyPermissions value.
+message KeyPermissions {
+  message KeyUsages {
+    // The key is marked for corporate usage.
+    bool corporate = 1;
+    // The key can be used by ARC.
+    bool arc = 2;
+  }
+  KeyUsages key_usages = 1;
+}
diff --git a/chromium/third_party/cros_system_api/dbus/cryptohome/UserDataAuth.proto b/chromium/third_party/cros_system_api/dbus/cryptohome/UserDataAuth.proto
index 4e35c457904..f2b33b08035 100644
--- a/chromium/third_party/cros_system_api/dbus/cryptohome/UserDataAuth.proto
+++ b/chromium/third_party/cros_system_api/dbus/cryptohome/UserDataAuth.proto
@@ -369,6 +369,51 @@ message MigrateKeyReply {
   CryptohomeErrorCode error = 1;
 }
 
+// StartFingerprintAuthSession sets BiometricsDaemon and the Fingerprint MCU to
+// match mode. EndFingerprintAuthSession sets them back to non-match mode.
+// A typical call sequence involves one or more other calls that actually wait
+// for fingerprint scan result, between StartFingerprintAuthSession and
+// EndFingerprintAuthSession.
+//
+// Example 1: successful fingerprint match at first attempt.
+// --> StartFingerprintAuthSession
+// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan success
+// --> EndFingerprintAuthSession
+//
+// Example 2: successful fingerprint match at third attempt.
+// --> StartFingerprintAuthSession
+// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan no match
+// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan no match
+// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan success
+// --> EndFingerprintAuthSession
+//
+// Example 3: client chooses to cancel before success.
+// --> StartFingerprintAuthSession
+// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan no match
+// --> CheckKey(KEY_TYPE_FINGERPRINT), fingerprint scan no match
+// --> EndFingerprintAuthSession
+
+// Input parameters to StartFingerprintAuthSession()
+message StartFingerprintAuthSessionRequest {
+  // This represents the "single user" that we are will be fingerprint for.
+  cryptohome.AccountIdentifier account_id = 1;
+}
+
+// Output parameters for StartFingerprintAuthSession()
+message StartFingerprintAuthSessionReply {
+  // Indicates an error if |error| is not empty.
+  CryptohomeErrorCode error = 1;
+}
+
+// Input parameters to EndFingerprintAuthSession()
+message EndFingerprintAuthSessionRequest {}
+
+// Output parameters for EndFingerprintAuthSession()
+message EndFingerprintAuthSessionReply {
+  // Indicates an error if |error| is not empty.
+  CryptohomeErrorCode error = 1;
+}
+
 // TODO(b/126307305): For the messages, below, we'll need to add the documentations
 // for them.
 
diff --git a/chromium/third_party/cros_system_api/dbus/cryptohome/rpc.proto b/chromium/third_party/cros_system_api/dbus/cryptohome/rpc.proto
index 04253f08642..ad1b88269f1 100644
--- a/chromium/third_party/cros_system_api/dbus/cryptohome/rpc.proto
+++ b/chromium/third_party/cros_system_api/dbus/cryptohome/rpc.proto
@@ -549,3 +549,9 @@ message CheckHealthReply {
   // Flag indicating powerwash request
   optional bool requires_powerwash = 1;
 }
+
+// Starts fingerprint auth session by calling Biometrics Daemon.
+message StartFingerprintAuthSessionRequest {}
+
+// Ends fingerprint auth session by calling Biometrics Daemon.
+message EndFingerprintAuthSessionRequest {}
diff --git a/chromium/third_party/cros_system_api/dbus/debugd/dbus-constants.h b/chromium/third_party/cros_system_api/dbus/debugd/dbus-constants.h
index 81e08e8a5b2..40b518d1aa3 100644
--- a/chromium/third_party/cros_system_api/dbus/debugd/dbus-constants.h
+++ b/chromium/third_party/cros_system_api/dbus/debugd/dbus-constants.h
@@ -89,6 +89,7 @@ namespace scheduler_configuration {
 
 // Keys which should be given to SetSchedulerConfiguration.
 constexpr char kConservativeScheduler[] = "conservative";
+constexpr char kCoreIsolationScheduler[] = "core-scheduling";
 constexpr char kPerformanceScheduler[] = "performance";
 
 }  // namespace scheduler_configuration
diff --git a/chromium/third_party/cros_system_api/dbus/dlcservice/dbus-constants.h b/chromium/third_party/cros_system_api/dbus/dlcservice/dbus-constants.h
index f712a4fdc17..44fba8a802a 100644
--- a/chromium/third_party/cros_system_api/dbus/dlcservice/dbus-constants.h
+++ b/chromium/third_party/cros_system_api/dbus/dlcservice/dbus-constants.h
@@ -11,13 +11,12 @@ constexpr char kDlcServiceInterface[] = "org.chromium.DlcServiceInterface";
 constexpr char kDlcServiceServicePath[] = "/org/chromium/DlcService";
 constexpr char kDlcServiceServiceName[] = "org.chromium.DlcService";
 
-constexpr char kGetInstalledMethod[] = "GetInstalled";
-constexpr char kInstallMethod[] = "Install";
+constexpr char kInstallMethod[] = "InstallDlc";
 constexpr char kInstallDlcMethod[] = "InstallDlc";
 constexpr char kUninstallMethod[] = "Uninstall";
 constexpr char kPurgeMethod[] = "Purge";
 constexpr char kGetExistingDlcsMethod[] = "GetExistingDlcs";
-constexpr char kOnInstallStatusSignal[] = "OnInstallStatus";
+constexpr char kDlcStateChangedSignal[] = "DlcStateChanged";
 
 // Error Codes from dlcservice.
 constexpr char kErrorNone[] = "org.chromium.DlcServiceInterface.NONE";
diff --git a/chromium/third_party/cros_system_api/dbus/dlcservice/dlcservice.proto b/chromium/third_party/cros_system_api/dbus/dlcservice/dlcservice.proto
index 44fccc1bee3..d3be19c7d77 100644
--- a/chromium/third_party/cros_system_api/dbus/dlcservice/dlcservice.proto
+++ b/chromium/third_party/cros_system_api/dbus/dlcservice/dlcservice.proto
@@ -8,45 +8,6 @@ option optimize_for = LITE_RUNTIME;
 
 package dlcservice;
 
-// This contains info Update Engine needs to update or install a DLC
-// (Downloadable Content) module.
-// https://chromium.googlesource.com/chromiumos/platform2/+/HEAD/dlcservice
-message DlcModuleInfo {
-  // ID of the DLC module.
-  // This has to be set.
-  // dlc_id is used to construct the DLC module install path and Omaha App ID.
-  // Omaha App ID is used to query update from Omaha server. Omaha responds
-  // with payload that corresponds to the App ID based on a preset rule.
-  // Omaha responds with error if the provided App ID does not exist on
-  // Omaha.
-  string dlc_id = 1;
-  // Path to the DLC module content. This parameter should not be used as input.
-  // If passed in with a value set, there will be no effect. Only an output use
-  // parameter.
-  string dlc_root = 2;
-}
-
-// This is the message used in:
-//
-// - The update_engine queries the dlcservice to get the list of available DLCs
-//   to be updated (This is done through a D-Bus signal and restricted to
-//   update_engine only.) The DLC service constructs the list of available DLCs
-//   based on installed DLCs on the stateful partition and returns it to the
-//   update_engine.
-//
-// - The dlcservice sends the list of DLCs it wants to install to the
-//   update_engine (similarly, through a D-Bus signal that is restricted to only
-//   dlcservice.) Optionally dlcservice can pass a custom Omaha URL (for
-//   autotests, QA tests, etc) to download the DLCs from. update_engine checks
-//   the validity of this request and starts the installation process.
-message DlcModuleList {
-  // A list of DLC modules that needs to be installed or updated.
-  repeated DlcModuleInfo dlc_module_infos = 1;
-  // Omaha URL to query for update. Only used when trying to force the
-  // update_engine to download the DLC payloads from a specific address.
-  string omaha_url = 2;
-}
-
 // This message is used to query the DLCs that have data on disk. This allows
 // Chrome UI to show this list to the users and users can decide whether to
 // delete unused DLCs or not.
@@ -60,6 +21,8 @@ message DlcsWithContent {
     string description = 3;
     // The amount of disk space used by this DLC (bytes).
     uint64 used_bytes_on_disk = 4;
+    // True if the DLC can be purged by anyone other than its users.
+    bool is_removable = 5;
   }
   // The list of DLCs that have used disk space.
   repeated DlcInfo dlc_infos = 1;
@@ -70,38 +33,24 @@ message DlcsWithContent {
 // TODO(crbug.com/1056269): Propagate error code as well to know reason for
 // failure when state is |NOT_INSTALLED|.
 message DlcState {
-  // This is the message that indicates what state a DLC is in.
+  // Indicates what state a DLC is in.
   enum State {
     NOT_INSTALLED = 0;
     INSTALLING = 1;
     INSTALLED = 2;
   }
   State state = 1;
-}
 
-// TODO(crbug.com/1071260): Deprecate Status
-// This is the message that indicates how the install progress is running and
-// dlcservice will always end with |COMPLETE| or |FAILED| when finished.
-enum Status {
-  COMPLETED = 0;
-  RUNNING = 1;
-  FAILED = 2;
-}
+  // The unique identifier of a DLC.
+  string id = 2;
+
+  // The path that DLC user can access their content. This path is available
+  // only when the state is INSTALLED.
+  string root_path = 3;
 
-// This message is sent from DLC Service via OnInstallStatus signal.
-// Throughout the install progress, dlcservice will signal out this message.
-message InstallStatus {
-  // TODO(crbug.com/1071260): Deprecate dlc_module_list.
-  DlcModuleList dlc_module_list = 1;
-  string error_code = 2;
-  // TODO(crbug.com/1071260): Deprecate status.
-  Status status = 3;
+  // The progress of installation. The value is between 0.0 and 1.0.
   double progress = 4;
 
-  // The current state of dlcservice.
-  enum State {
-    IDLE = 0;
-    INSTALLING = 1;
-  }
-  State state = 5;
+  // The last error code happened on for this DLC.
+  string last_error_code = 5;
 }
diff --git a/chromium/third_party/cros_system_api/dbus/hermes/dbus-constants.h b/chromium/third_party/cros_system_api/dbus/hermes/dbus-constants.h
index e77f2c2f45d..4dcc8d95a96 100644
--- a/chromium/third_party/cros_system_api/dbus/hermes/dbus-constants.h
+++ b/chromium/third_party/cros_system_api/dbus/hermes/dbus-constants.h
@@ -7,16 +7,18 @@
 
 namespace hermes {
 
-const char kHermesInterface[] = "org.chromium.Hermes";
-const char kHermesServicePath[] = "/org/chromium/Hermes";
+// Hermes D-Bus service identifiers.
 const char kHermesServiceName[] = "org.chromium.Hermes";
+const char kHermesManagerInterface[] = "org.chromium.Hermes.Manager";
+const char kHermesManagerPath[] = "/org/chromium/Hermes";
+const char kHermesProfileInterface[] = "org.chromium.Hermes.Profile";
 
 namespace manager {
 
 // Manager methods.
 const char kInstallProfileFromActivationCode[] =
     "InstallProfileFromActivationCode";
-const char kInstallProfileFromEvent[] = "InstallProfileFromEvent";
+const char kInstallPendingProfile[] = "InstallPendingProfile";
 const char kUninstallProfile[] = "UninstallProfile";
 const char kRequestPendingEvents[] = "RequestPendingEvents";
 const char kSetTestMode[] = "SetTestMode";
@@ -42,19 +44,57 @@ const char kProfileClassProperty[] = "ProfileClass";
 const char kServiceProviderProperty[] = "ServiceProvider";
 const char kStateProperty[] = "State";
 
+// Values for kProfileClassProperty.
+enum ProfileClass {
+  kTesting = 0,
+  // Profile for provisioning a non-kProvisioning Profile. Should NOT be shown
+  // to users normally. From the spec:
+  //
+  // Provisioning Profiles and their associated Profile Metadata SHALL not be
+  // visible to the End User in the LUI. As a result, Provisioning Profiles
+  // SHALL not be selectable by the End User nor deletable through any End User
+  // action, including eUICC Memory Reset.
+  kProvisioning = 1,
+  // Profile available for normal servicing of user connectivity needs.
+  kOperational = 2,
+};
+
+// Values for kStateProperty.
+enum State {
+  // Notified about from SM-DS but not installed.
+  kPending = 0,
+  // Installed on eUICC but not active.
+  kInactive = 1,
+  // Installed and active. Only one Profile may be active on a single eUICC.
+  kActive = 2,
+};
+
 }  // namespace profile
 
 // Error codes.
 const char kErrorAlreadyDisabled[] =
     "org.chromium.Hermes.Error.AlreadyDisabled";
 const char kErrorAlreadyEnabled[] = "org.chromium.Hermes.Error.AlreadyEnabled";
+const char kErrorBadNotification[] =
+    "org.chromium.Hermes.Error.BadNotification";
+const char kErrorBadRequest[] = "org.chromium.Hermes.Error.BadRequest";
+const char kErrorInternalLpaFailure[] =
+    "org.chromium.Hermes.Error.InternalLpaFailure";
 const char kErrorInvalidActivationCode[] =
     "org.chromium.Hermes.Error.InvalidActivationCode";
 const char kErrorInvalidIccid[] = "org.chromium.Hermes.Error.InvalidIccid";
 const char kErrorInvalidParameter[] =
     "org.chromium.Hermes.Error.InvalidParameter";
+const char kErrorMalformedResponse[] =
+    "org.chromium.Hermes.Error.MalformedResponse";
 const char kErrorNeedConfirmationCode[] =
     "org.chromium.Hermes.Error.NeedConfirmationCode";
+const char kErrorNoResponse[] = "org.chromium.Hermes.Error.NoResponse";
+const char kErrorPendingProfile[] = "org.chromium.Hermes.Error.PendingProfile";
+const char kErrorSendApduFailure[] =
+    "org.chromium.Hermes.Error.SendApduFailure";
+const char kErrorSendHttpsFailure[] =
+    "org.chromium.Hermes.Error.SendHttpsFailure";
 const char kErrorSendNotificationFailure[] =
     "org.chromium.Hermes.Error.SendNotificationFailure";
 const char kErrorTestProfileInProd[] =
diff --git a/chromium/third_party/cros_system_api/dbus/lorgnette/OWNERS b/chromium/third_party/cros_system_api/dbus/lorgnette/OWNERS
new file mode 100644
index 00000000000..90d649e998e
--- /dev/null
+++ b/chromium/third_party/cros_system_api/dbus/lorgnette/OWNERS
@@ -0,0 +1 @@
+include /lorgnette/OWNERS
diff --git a/chromium/third_party/cros_system_api/dbus/lorgnette/dbus-constants.h b/chromium/third_party/cros_system_api/dbus/lorgnette/dbus-constants.h
index ac2e8ac360b..29aa65136d2 100644
--- a/chromium/third_party/cros_system_api/dbus/lorgnette/dbus-constants.h
+++ b/chromium/third_party/cros_system_api/dbus/lorgnette/dbus-constants.h
@@ -13,13 +13,9 @@ const char kManagerServiceError[] = "org.chromium.lorgnette.Error";
 
 // Methods.
 const char kListScannersMethod[] = "ListScanners";
+const char kGetScannerCapabilitiesMethod[] = "GetScannerCapabilities";
 const char kScanImageMethod[] = "ScanImage";
 
-// Attributes of scanners returned from "ListScanners".
-const char kScannerPropertyManufacturer[] = "Manufacturer";
-const char kScannerPropertyModel[] = "Model";
-const char kScannerPropertyType[] = "Type";
-
 // Parameters supplied to a "ScanImage" request.
 const char kScanPropertyMode[] = "Mode";
 const char kScanPropertyModeColor[] = "Color";
diff --git a/chromium/third_party/cros_system_api/dbus/lorgnette/lorgnette_service.proto b/chromium/third_party/cros_system_api/dbus/lorgnette/lorgnette_service.proto
new file mode 100644
index 00000000000..80c5b3af9d5
--- /dev/null
+++ b/chromium/third_party/cros_system_api/dbus/lorgnette/lorgnette_service.proto
@@ -0,0 +1,67 @@
+// Copyright 2020 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+syntax = "proto3";
+option optimize_for = LITE_RUNTIME;
+
+// This file defines messages used for interacting with the document scanner
+// utility, lorgnette.
+package lorgnette;
+
+// Describes possible types of sources that can be supported by a scanner.
+enum SourceType {
+  SOURCE_UNSPECIFIED = 0;
+  SOURCE_PLATEN = 1;
+  SOURCE_ADF_SIMPLEX = 2;
+  SOURCE_ADF_DUPLEX = 3;
+}
+
+// A source that can be scanned from for a scanner.
+message DocumentSource {
+  // The type of this source.
+  SourceType type = 1;
+
+  // The name for this source used by the scanner backend.
+  string name = 2;
+}
+
+// The color modes that may be supported for a particular scanner.
+enum ColorMode {
+  MODE_UNSPECIFIED = 0;
+  MODE_LINEART = 1;
+  MODE_GRAYSCALE = 2;
+  MODE_COLOR = 3;
+}
+
+// An object representing one scanner.
+message ScannerInfo {
+  // The name of the scanner, as reported by SANE.
+  string name = 1;
+
+  // The manufacturer of the scanner.
+  string manufacturer = 2;
+
+  // The particular model of scanner.
+  string model = 3;
+
+  // The type of the scanner, e.g. "video camera", "flatbed scanner".
+  string type = 4;
+}
+
+// Information returned from a ListScanners dbus request.
+message ListScannersResponse {
+  repeated ScannerInfo scanners = 1;
+}
+
+// Information returned from a GetScannerCapabilities dbus request.
+message ScannerCapabilities {
+  // Discrete scanning resolutions.
+  repeated uint32 resolutions = 1;
+
+  // Sources to scan a document from.
+  repeated DocumentSource sources = 2;
+
+  // Color modes to use for a document.
+  repeated ColorMode color_modes = 3;
+}
diff --git a/chromium/third_party/cros_system_api/dbus/permission_broker/dbus-constants.h b/chromium/third_party/cros_system_api/dbus/permission_broker/dbus-constants.h
index 47bf0eafd11..060e8feb2e1 100644
--- a/chromium/third_party/cros_system_api/dbus/permission_broker/dbus-constants.h
+++ b/chromium/third_party/cros_system_api/dbus/permission_broker/dbus-constants.h
@@ -13,6 +13,7 @@ const char kPermissionBrokerServiceName[] = "org.chromium.PermissionBroker";
 // Methods
 const char kCheckPathAccess[] = "CheckPathAccess";
 const char kOpenPath[] = "OpenPath";
+const char kOpenPathWithDroppedPrivileges[] = "OpenPathWithDroppedPrivileges";
 const char kRequestAdbPortForward[] = "RequestAdbPortForward";
 const char kRequestLoopbackTcpPortLockdown[] = "RequestLoopbackTcpPortLockdown";
 const char kRequestTcpPortAccess[] = "RequestTcpPortAccess";
diff --git a/chromium/third_party/cros_system_api/dbus/runtime_probe/runtime_probe.proto b/chromium/third_party/cros_system_api/dbus/runtime_probe/runtime_probe.proto
index b78d5f79e35..9044fcd91cb 100644
--- a/chromium/third_party/cros_system_api/dbus/runtime_probe/runtime_probe.proto
+++ b/chromium/third_party/cros_system_api/dbus/runtime_probe/runtime_probe.proto
@@ -27,7 +27,6 @@ enum ErrorCode {
 // Request from client that indicates what categories to probe. Category must
 // be existed on the per-board probe statement in rootfs.
 message ProbeRequest {
-  // Next tag: 5
   enum SupportCategory {
     // The name style here is on purposely align with factory probe output.
     audio_codec = 0;
@@ -35,6 +34,10 @@ message ProbeRequest {
     storage = 2;
     vpd_cached = 3;
     network = 4;
+    camera = 5;
+    stylus = 6;
+    touchpad = 7;
+    touchscreen = 8;
   }
   repeated SupportCategory categories = 1;
   // This option allows clients to retrieve data with privacy implication from
@@ -45,17 +48,29 @@ message ProbeRequest {
   bool probe_default_category = 3;
 }
 
-// Things about audio_codec
+// Extra information for each probe result.
+message Information {
+  // comp_group, used for grouping different probed components.
+  string comp_group = 1;
+}
+
+// TODO(b/158765173): Collect the possible HW interface types into an enum.
+
+// Things about audio_codec.
 message AudioCodec {
   message Fields {
     // The name of the codec presents in sysfs.
     string name = 1;
   }
-  string name = 1;    // Component alias
-  Fields values = 2;  // Component's details
+  // Component alias.
+  string name = 1;
+  // Component's details.
+  Fields values = 2;
+  // Component probe info.
+  Information information = 3;
 }
 
-// Things about battery
+// Things about battery.
 message Battery {
   // TODO(itspeter): Add more fileds for battery.
   message Fields {
@@ -95,12 +110,20 @@ message Battery {
     // http://sbs-forum.org/specs/sbdat110.pdf.
     // The value is calculated by ((year-1980) * 512 + month * 32 + day).
     int32 manufacture_date_smart = 14;
+    // Technology is defined in
+    // /sys/class/power_supply/<supply_name>/technology section in
+    // https://www.kernel.org/doc/Documentation/ABI/testing/sysfs-class-power.
+    string technology = 15;
   }
-  string name = 1;    // Component alias
-  Fields values = 2;  // Component's details
+  // Component alias.
+  string name = 1;
+  // Component's details.
+  Fields values = 2;
+  // Component probe info.
+  Information information = 3;
 }
 
-// Things about storage
+// Things about storage.
 message Storage {
   message Fields {
     // The path of this storage in system. It is useful if caller needs to
@@ -151,8 +174,12 @@ message Storage {
     // Model name, 16 bytes
     string ata_model = 14;
   }
-  string name = 1;    // Component alias
-  Fields values = 2;  // Component's details
+  // Component alias.
+  string name = 1;
+  // Component's details.
+  Fields values = 2;
+  // Component probe info.
+  Information information = 3;
 }
 
 // Things about VPD (Vital Product Data) , cached version.
@@ -166,11 +193,15 @@ message VpdCached {
     // SKU number of the unit
     string vpd_sku_number = 1;
   }
-  string name = 1;    // Component alias
-  Fields values = 2;  // Component's details
+  // Component alias.
+  string name = 1;
+  // Component's details.
+  Fields values = 2;
+  // Component probe info.
+  Information information = 3;
 }
 
-// Things about network
+// Things about network.
 message Network {
   message Fields {
     // The path of this network in system. It is useful if caller needs to
@@ -211,13 +242,70 @@ message Network {
     // Product ID, 16 bits
     uint32 sdio_device_id = 11;
   }
-  string name = 1;    // Component alias
-  Fields values = 2;  // Component's details
+  // Component alias.
+  string name = 1;
+  // Component's details.
+  Fields values = 2;
+  // Component probe info.
+  Information information = 3;
+}
+
+// Things about cameras.
+message Camera {
+  message Fields {
+    // The device path of this camera (e.g. "/dev/video0").  It is useful
+    // if the caller needs to correlate with other information.
+    string path = 1;
+
+    // HW interface type, currently must be "usb".
+    string bus_type = 2;
+
+    // The following are fields for USB.  Every field name must start with
+    // prefix "usb_".
+
+    // Vendor ID, 16 bits.
+    uint32 usb_vendor_id = 3;
+    // Product ID, 16 bits.
+    uint32 usb_product_id = 4;
+    // Device Release Number, 16 bits.
+    uint32 usb_bcd_device = 5;
+  }
+  // Component alias.
+  string name = 1;
+  // Component's details.
+  Fields values = 2;
+  // Component probe info.
+  Information information = 3;
+}
+
+// Things about input_device.
+message InputDevice {
+  message Fields {
+    // The name of the device.
+    string name = 1;
+    // The pathname of the sysfs entry of that device.
+    string path = 2;
+    // The event of the device.
+    string event = 3;
+    // The bus number, 16 bits.
+    uint32 bus = 4;
+    // The vendor code, 16 bits.
+    uint32 vendor = 5;
+    // The product code, 16 bits.
+    uint32 product = 6;
+    // The version number, 16 bits.
+    uint32 version = 7;
+  }
+  // Component alias.
+  string name = 1;
+  // Component's details.
+  Fields values = 2;
+  // Component probe info.
+  Information information = 3;
 }
 
 // A ProbeResult contains all potential probe results. For category not
 // existed or not requested for probing, field is expected to be empty.
-// Next tag: 8
 message ProbeResult {
   // If a call was successful, error will not be defined.
   // If a call failed, it must set an error code.
@@ -231,4 +319,8 @@ message ProbeResult {
   repeated Storage storage = 4;
   repeated VpdCached vpd_cached = 5;
   repeated Network network = 7;
+  repeated Camera camera = 8;
+  repeated InputDevice stylus = 9;
+  repeated InputDevice touchpad = 10;
+  repeated InputDevice touchscreen = 11;
 }
diff --git a/chromium/third_party/cros_system_api/dbus/seneschal/seneschal_service.proto b/chromium/third_party/cros_system_api/dbus/seneschal/seneschal_service.proto
index 9b9fb1aa10f..7a601141f3d 100644
--- a/chromium/third_party/cros_system_api/dbus/seneschal/seneschal_service.proto
+++ b/chromium/third_party/cros_system_api/dbus/seneschal/seneschal_service.proto
@@ -58,6 +58,15 @@ message NetworkAddress {
 // should listen for requests.
 message FileDescriptor {}
 
+// An id mapping that the server should use when reporting ids to its clients.
+message IdMap {
+  // The id value on the server.
+  uint32 server = 1;
+  // The value that should be reported to the client instead of the value in
+  // `server`.
+  uint32 client = 2;
+}
+
 // Information that must be included with every StartServer dbus request.
 message StartServerRequest {
   // The address on which the server should listen for requests.
@@ -67,6 +76,12 @@ message StartServerRequest {
     NetworkAddress net = 3;
     FileDescriptor fd = 4;
   }
+
+  // Uid translations that should be performed by the server.
+  repeated IdMap uid_maps = 5;
+
+  // Gid translations to be performed by the server.
+  repeated IdMap gid_maps = 6;
 }
 
 // Information sent back by seneschal in response to a StartServer message.
@@ -111,6 +126,7 @@ message SharePathRequest {
   // The location where the path to be shared lives.
   enum StorageLocation {
     // The user's Downloads/ directory /home/user/<owner_id>/Downloads.
+    // Note: This field is deprecated.  MY_FILES should be used.
     DOWNLOADS = 0;
     // DriveFS directory /media/fuse/<drivefs_mount_name>/root.
     DRIVEFS_MY_DRIVE = 1;
@@ -127,15 +143,18 @@ message SharePathRequest {
     MY_FILES = 5;
     // The user's PlayFiles/ directory /run/arc/sdcard/write/emulated/0.
     PLAY_FILES = 6;
-    // The user's LinuxFiles/ directory /media/fuse/crostini_<username>_terminal_penguin.
+    // The user's LinuxFiles/ directory /media/fuse/crostini_<owner_id>_termina_penguin.
     LINUX_FILES = 7;
-    // The system fonts directory /usr/share/fonts
+    // The system fonts directory /usr/share/fonts.
     FONTS = 8;
+    // Archive mount directory /media/archive.
+    ARCHIVE = 9;
   }
   StorageLocation storage_location = 3;
 
   // The user's cryptohome.  This is the <hash> part of /home/user/<hash>.
-  // This field is required when storage_location=DOWNLOADS.
+  // This field is required when storage_location is DOWNLOADS, MY_FILES, or
+  // LINUX_FILES.
   string owner_id = 4;
 
   // DriveFS mount name.  This is the directory name mounted at /media/fuse with
diff --git a/chromium/third_party/cros_system_api/dbus/service_constants.h b/chromium/third_party/cros_system_api/dbus/service_constants.h
index 958319970a0..cdc101002ac 100644
--- a/chromium/third_party/cros_system_api/dbus/service_constants.h
+++ b/chromium/third_party/cros_system_api/dbus/service_constants.h
@@ -15,6 +15,7 @@
 #include "bluetooth/dbus-constants.h"
 #include "bootlockbox/dbus-constants.h"
 #include "cecservice/dbus-constants.h"
+#include "cfm/dbus-constants.h"
 #include "chunneld/dbus-constants.h"
 #include "cros-disks/dbus-constants.h"
 #include "cros_healthd/dbus-constants.h"
@@ -198,6 +199,9 @@ const char kChromeFeaturesServiceIsCryptohomeDistributedModelEnabledMethod[] =
     "IsCryptohomeDistributedModelEnabled";
 const char kChromeFeaturesServiceIsCryptohomeUserDataAuthEnabledMethod[] =
     "IsCryptohomeUserDataAuthEnabled";
+const char
+    kChromeFeaturesServiceIsCryptohomeUserDataAuthKillswitchEnabledMethod[] =
+        "IsCryptohomeUserDataAuthKillswitchEnabled";
 const char kChromeFeaturesServiceIsPluginVmEnabledMethod[] =
     "IsPluginVmEnabled";
 const char kChromeFeaturesServiceIsUsbguardEnabledMethod[] =
@@ -247,6 +251,16 @@ constexpr char kMlDecisionServiceInterface[] = "org.chromium.MlDecisionService";
 constexpr char kMlDecisionServiceShouldDeferScreenDimMethod[] =
     "ShouldDeferScreenDim";
 
+const char kVmPermissionServiceName[] = "org.chromium.VmPermissionService";
+const char kVmPermissionServicePath[] = "/org/chromium/VmPermissionService";
+const char kVmPermissionServiceInterface[] =
+    "org.chromium.VmPermissionServiceInterface";
+
+const char kVmPermissionServiceRegisterVmMethod[] = "RegisterVm";
+const char kVmPermissionServiceUnregisterVmMethod[] = "UnregisterVm";
+const char kVmPermissionServiceGetPermissionsMethod[] = "GetPermissions";
+const char kVmPermissionServiceSetPermissionsMethod[] = "SetPermissions";
+
 }  // namespace chromeos
 
 namespace media_perception {
@@ -447,8 +461,14 @@ namespace arc_oemcrypto {
 const char kArcOemCryptoServiceInterface[] = "org.chromium.ArcOemCrypto";
 const char kArcOemCryptoServiceName[] = "org.chromium.ArcOemCrypto";
 const char kArcOemCryptoServicePath[] = "/org/chromium/ArcOemCrypto";
+const char kCdmFactoryDaemonServiceInterface[] =
+    "org.chromium.CdmFactoryDaemon";
+const char kCdmFactoryDaemonServiceName[] = "org.chromium.CdmFactoryDaemon";
+const char kCdmFactoryDaemonServicePath[] = "/org/chromium/CdmFactoryDaemon";
 // Methods
 const char kBootstrapMojoConnection[] = "BootstrapMojoConnection";
+const char kBootstrapCdmFactoryDaemonMojoConnection[] =
+    "BootstrapCdmFactoryDaemonMojoConnection";
 }  // namespace arc_oemcrypto
 
 namespace midis {
@@ -566,14 +586,6 @@ constexpr char kArcCameraServiceInterface[] = "org.chromium.ArcCamera";
 constexpr char kStartServiceMethod[] = "StartService";
 }  // namespace arc_camera
 
-// DEPRECATED, DO NOT USE
-namespace machine_learning {
-constexpr char kMlDecisionServiceName[] = "org.chromium.MlDecisionService";
-constexpr char kMlDecisionServicePath[] = "/org/chromium/MlDecisionService";
-constexpr char kMlDecisionServiceInterface[] = "org.chromium.MlDecisionService";
-constexpr char kShouldDeferScreenDimMethod[] = "ShouldDeferScreenDim";
-}  // namespace machine_learning
-
 namespace modemfwd {
 const char kModemfwdInterface[] = "org.chromium.Modemfwd";
 const char kModemfwdServicePath[] = "/org/chromium/Modemfwd";
diff --git a/chromium/third_party/cros_system_api/dbus/shill/dbus-constants.h b/chromium/third_party/cros_system_api/dbus/shill/dbus-constants.h
index 9e4f5d22bb8..c893dc295b0 100644
--- a/chromium/third_party/cros_system_api/dbus/shill/dbus-constants.h
+++ b/chromium/third_party/cros_system_api/dbus/shill/dbus-constants.h
@@ -110,7 +110,6 @@ const char kCheckPortalListProperty[] = "CheckPortalList";
 const char kIgnoredDNSSearchPathsProperty[] = "IgnoredDNSSearchPaths";
 const char kLinkMonitorTechnologiesProperty[] = "LinkMonitorTechnologies";
 const char kNoAutoConnectTechnologiesProperty[] = "NoAutoConnectTechnologies";
-const char kOfflineModeProperty[] = "OfflineMode";
 const char kProhibitedTechnologiesProperty[] = "ProhibitedTechnologies";
 
 // DHCP property names for both Manager and Service.
@@ -216,9 +215,6 @@ const char kWifiFrequency[] = "WiFi.Frequency";
 const char kWifiHexSsid[] = "WiFi.HexSSID";
 const char kWifiHiddenSsid[] = "WiFi.HiddenSSID";
 const char kWifiPhyMode[] = "WiFi.PhyMode";
-const char kWifiPreferredDeviceProperty[] = "WiFi.PreferredDevice";
-const char kWifiProtectedManagementFrameRequiredProperty[] =
-    "WiFi.ProtectedManagementFrameRequired";
 const char kWifiVendorInformationProperty[] = "WiFi.VendorInformation";
 
 // Base VPN Service property names.
@@ -537,12 +533,13 @@ const char kTypePPPoE[] = "pppoe";
 const char kModeManaged[] = "managed";
 
 // Flimflam security options.
-const char kSecurityWpa[] = "wpa";
+const char kSecurityNone[] = "none";
 const char kSecurityWep[] = "wep";
+const char kSecurityPsk[] = "psk";
+const char kSecurityWpa[] = "wpa";
 const char kSecurityRsn[] = "rsn";
+const char kSecurityWpa3[] = "wpa3";
 const char kSecurity8021x[] = "802_1x";
-const char kSecurityPsk[] = "psk";
-const char kSecurityNone[] = "none";
 
 // Compress option values as expected by OpenVPN.
 const char kOpenVPNCompressFramingOnly[] = "";
diff --git a/chromium/third_party/cros_system_api/dbus/system_proxy/system_proxy_service.proto b/chromium/third_party/cros_system_api/dbus/system_proxy/system_proxy_service.proto
index 333e02c7396..a7e5fa754a8 100644
--- a/chromium/third_party/cros_system_api/dbus/system_proxy/system_proxy_service.proto
+++ b/chromium/third_party/cros_system_api/dbus/system_proxy/system_proxy_service.proto
@@ -53,6 +53,8 @@ enum TrafficOrigin {
   SYSTEM = 1;
 
   USER = 2;
+
+  BOTH = 3;
 }
 
 message SetAuthenticationDetailsRequest {
@@ -68,6 +70,9 @@ message SetAuthenticationDetailsRequest {
   // The domain for which the credentials can be applied without asking again
   // for authentication.
   optional ProtectionSpace protection_space = 4;
+  // Used by System-proxy to request the ticket cache and configuration files
+  // with kerberosd.
+  optional string active_principal_name = 5;
 }
 
 message SetAuthenticationDetailsResponse {
diff --git a/chromium/third_party/cros_system_api/dbus/u2f/u2f_interface.proto b/chromium/third_party/cros_system_api/dbus/u2f/u2f_interface.proto
index 67b1fdfd8f6..130199e8f11 100644
--- a/chromium/third_party/cros_system_api/dbus/u2f/u2f_interface.proto
+++ b/chromium/third_party/cros_system_api/dbus/u2f/u2f_interface.proto
@@ -32,6 +32,9 @@ message MakeCredentialRequest {
   bool resident_credential = 3;
   // Resident credentials not implemented yet; this field will be ignored.
   bytes user_entity = 4;
+  // MakeCredential should fail if any excluded credential belongs to this
+  // device.
+  repeated bytes excluded_credential_id = 5;
 }
 
 message MakeCredentialResponse {
@@ -42,6 +45,8 @@ message MakeCredentialResponse {
     VERIFICATION_TIMEOUT = 3;
     INVALID_REQUEST = 4;
     INTERNAL_ERROR = 5;
+    // An excluded credential belongs to this device.
+    EXCLUDED_CREDENTIAL_ID = 6;
   }
 
   MakeCredentialStatus status = 1;
@@ -88,6 +93,8 @@ message GetAssertionResponse {
     VERIFICATION_TIMEOUT = 3;
     INVALID_REQUEST = 4;
     INTERNAL_ERROR = 5;
+    // No allowed credential belongs to this device.
+    UNKNOWN_CREDENTIAL_ID = 6;
   }
 
   GetAssertionStatus status = 1;
@@ -104,6 +111,16 @@ message HasCredentialsRequest {
 }
 
 message HasCredentialsResponse {
+  enum HasCredentialsStatus {
+    UNKNOWN = 0;
+    SUCCESS = 1;
+    INVALID_REQUEST = 2;
+    INTERNAL_ERROR = 3;
+    // No specified credential belongs to this device.
+    UNKNOWN_CREDENTIAL_ID = 4;
+  }
+
+  HasCredentialsStatus status = 1;
   // Valid or resident credentials for the specified rp_id.
-  repeated bytes credential_id = 1;
+  repeated bytes credential_id = 2;
 }
diff --git a/chromium/third_party/cros_system_api/dbus/update_engine/update_engine.proto b/chromium/third_party/cros_system_api/dbus/update_engine/update_engine.proto
index d034c38def7..77c5820d5f6 100644
--- a/chromium/third_party/cros_system_api/dbus/update_engine/update_engine.proto
+++ b/chromium/third_party/cros_system_api/dbus/update_engine/update_engine.proto
@@ -62,4 +62,8 @@ message StatusResult {
 
   // The end-of-life date of the device in the number of days since Unix Epoch.
   int64 eol_date = 8;
+
+  // If true, the system will powerwash once the update is applied and the
+  // system is rebooted. This value is reliable on |UPDATE_NEED_REBOOT|.
+  bool will_powerwash_after_reboot = 9;
 }
diff --git a/chromium/third_party/cros_system_api/dbus/vm_cicerone/cicerone_service.proto b/chromium/third_party/cros_system_api/dbus/vm_cicerone/cicerone_service.proto
index 81244948400..97d34eacb6d 100644
--- a/chromium/third_party/cros_system_api/dbus/vm_cicerone/cicerone_service.proto
+++ b/chromium/third_party/cros_system_api/dbus/vm_cicerone/cicerone_service.proto
@@ -632,6 +632,21 @@ message StartLxdContainerRequest {
 
   // Full path where drivefs is mounted (/media/fuse/drivefs-<drivefs-hash>).
   string drivefs_mount_path = 5;
+
+  // Represents the privilege level with which a container should be started. If
+  // the container is already running this should take effect on the next boot.
+  enum PrivilegeLevel {
+    // Don't change the privilege level of the container.
+    UNCHANGED = 0;
+
+    // Make the container unprivileged.
+    UNPRIVILEGED = 1;
+
+    // Make the container privileged.
+    PRIVILEGED = 2;
+  }
+
+  PrivilegeLevel privilege_level = 6;
 }
 
 // OsRelease encapsulates a subset of the os-release info as documented
@@ -1434,4 +1449,88 @@ message StartLxdProgressSignal {
 
   // The failure_reason if LXD could not be started.
   string failure_reason = 4;
-}
\ No newline at end of file
+}
+
+// Request to watch files and notify if there are changes. Used by FilesApp.
+message AddFileWatchRequest {
+  // Name of the VM the container is in.
+  string vm_name = 1;
+
+  // Name of the container within the VM.
+  string container_name = 2;
+
+  // The owner of the VM and container.
+  string owner_id = 3;
+
+  // Directory in container relative to $HOME to watch.
+  string path = 4;
+}
+
+message AddFileWatchResponse {
+  enum Status {
+    // The current status is unknown.
+    UNKNOWN = 0;
+
+    // Watch added successfully.
+    SUCCEEDED = 2;
+
+    // Add watch failed.
+    FAILED = 1;
+  }
+
+  // Add watch status.
+  Status status = 1;
+
+  // The failure_reason if the watcher could not be added.
+  string failure_reason = 2;
+}
+
+// Request to stop watching files.
+message RemoveFileWatchRequest {
+  // Name of the VM the container is in.
+  string vm_name = 1;
+
+  // Name of the container within the VM.
+  string container_name = 2;
+
+  // The owner of the VM and container.
+  string owner_id = 3;
+
+  // Directory in container relative to $HOME to stop watching.
+  string path = 4;
+}
+
+message RemoveFileWatchResponse {
+  enum Status {
+    // The current status is unknown.
+    UNKNOWN = 0;
+
+    // Watch removed successfully.
+    SUCCEEDED = 2;
+
+    // Remove watch failed.
+    FAILED = 1;
+  }
+
+  // Remove watch status.
+  Status status = 1;
+
+  // The failure_reason if the watcher could not be removed.
+  string failure_reason = 2;
+}
+
+// Sent by garcon to notify that a file in a watched directory has changed. Used
+// by FilesApp.
+message FileWatchTriggeredSignal {
+  // Name of the VM the container is in.
+  string vm_name = 1;
+
+  // Name of the container within the VM.
+  string container_name = 2;
+
+  // The owner of the VM and container.
+  string owner_id = 3;
+
+  // Path in container relative to $HOME that has changed.
+  string path = 4;
+}
diff --git a/chromium/third_party/cros_system_api/dbus/vm_cicerone/dbus-constants.h b/chromium/third_party/cros_system_api/dbus/vm_cicerone/dbus-constants.h
index 80fe0425311..f865db93e4e 100644
--- a/chromium/third_party/cros_system_api/dbus/vm_cicerone/dbus-constants.h
+++ b/chromium/third_party/cros_system_api/dbus/vm_cicerone/dbus-constants.h
@@ -39,6 +39,8 @@ const char kUpgradeContainerMethod[] = "UpgradeContainer";
 const char kCancelUpgradeContainerMethod[] = "CancelUpgradeContainer";
 const char kConfigureForArcSideloadMethod[] = "ConfigureForArcSideload";
 const char kStartLxdMethod[] = "StartLxd";
+const char kAddFileWatchMethod[] = "AddFileWatch";
+const char kRemoveFileWatchMethod[] = "RemoveFileWatch";
 
 // Methods to be called from chunneld.
 const char kConnectChunnelMethod[] = "ConnectChunnel";
@@ -63,6 +65,7 @@ const char kApplyAnsiblePlaybookProgressSignal[] =
     "ApplyAnsiblePlaybookProgress";
 const char kUpgradeContainerProgressSignal[] = "UpgradeContainerProgress";
 const char kStartLxdProgressSignal[] = "StartLxdProgress";
+const char kFileWatchTriggeredSignal[] = "FileWatchTriggered";
 
 }  // namespace cicerone
 }  // namespace vm_tools
diff --git a/chromium/third_party/cros_system_api/dbus/vm_concierge/concierge_service.proto b/chromium/third_party/cros_system_api/dbus/vm_concierge/concierge_service.proto
index 80025bb40ca..05823f01257 100644
--- a/chromium/third_party/cros_system_api/dbus/vm_concierge/concierge_service.proto
+++ b/chromium/third_party/cros_system_api/dbus/vm_concierge/concierge_service.proto
@@ -695,6 +695,21 @@ message StartContainerRequest {
   // The cryptohome id for the user's encrypted storage. This is used for SSH
   // key storage.
   string cryptohome_id = 5;
+
+  // Represents the privilege level with which a container should be started. If
+  // the container is already running this should take effect on the next boot.
+  enum PrivilegeLevel {
+    // Don't change the privilege level of the container.
+    UNCHANGED = 0;
+
+    // Make the container unprivileged.
+    UNPRIVILEGED = 1;
+
+    // Make the container privileged.
+    PRIVILEGED = 2;
+  }
+
+  PrivilegeLevel privilege_level = 6;
 }
 
 enum ContainerStatus {
diff --git a/chromium/third_party/cros_system_api/dbus/vm_permission_service/vm_permission_service.proto b/chromium/third_party/cros_system_api/dbus/vm_permission_service/vm_permission_service.proto
new file mode 100644
index 00000000000..d68526fc04b
--- /dev/null
+++ b/chromium/third_party/cros_system_api/dbus/vm_permission_service/vm_permission_service.proto
@@ -0,0 +1,82 @@
+// Copyright 2020 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+syntax = "proto3";
+
+option optimize_for = LITE_RUNTIME;
+
+package vm_permission_service;
+
+// Request to register VM with given name.
+message RegisterVmRequest {
+  enum VmType {
+    CROSTINI_VM = 0;
+    PLUGIN_VM = 1;
+  };
+
+  // Name of the VM being registered with permission service.
+  string name = 1;
+
+  // The owner of the VM.
+  string owner_id = 2;
+
+  // Type of the VM being registered.
+  VmType type = 3;
+};
+
+// Response to RegisterVmRequest.
+message RegisterVmResponse {
+  // Token assigned to the VM if it was successfully registered.
+  // The token is used when retrieving permission data for the VM.
+  string token = 1;
+};
+
+// Request to unregister VM with given name.
+message UnregisterVmRequest {
+  // Name of the VM being unregistered.
+  string name = 1;
+
+  // The owner of the VM.
+  string owner_id = 2;
+};
+
+// Describes a single VM permission.
+message Permission {
+  enum Kind {
+    // Indicates whether a VM is allowed to access camera.
+    CAMERA = 0;
+
+    // Indicates whether a VM is allowed to access microphone.
+    MICROPHONE = 1;
+  };
+
+  Kind kind = 1;
+
+  // Value of permission setting.
+  bool allowed = 2;
+};
+
+// Request to set permissions for VM with given name.
+message SetPermissionsRequest {
+  // Name of the VM for which permissions are being adjusted.
+  string name = 1;
+
+  // The owner of the VM.
+  string owner_id = 2;
+
+  // Set of new permissions for the VM.
+  repeated Permission permissions = 3;
+};
+
+// Request to get permissions for VM with given token.
+message GetPermissionsRequest {
+  // Token assigned to the VM upon registration with the service.
+  string token = 1;
+};
+
+// Response to GetPermissionsRequest.
+message GetPermissionsResponse {
+  // Current set of permissions for the VM.
+  repeated Permission permissions = 1;
+};
diff --git a/chromium/third_party/cros_system_api/dbus/vm_plugin_dispatcher/vm_plugin_dispatcher.proto b/chromium/third_party/cros_system_api/dbus/vm_plugin_dispatcher/vm_plugin_dispatcher.proto
index a40f7cabecb..f7bb062cb5e 100644
--- a/chromium/third_party/cros_system_api/dbus/vm_plugin_dispatcher/vm_plugin_dispatcher.proto
+++ b/chromium/third_party/cros_system_api/dbus/vm_plugin_dispatcher/vm_plugin_dispatcher.proto
@@ -40,6 +40,9 @@ enum VmErrorCode {
   VM_ERR_LIC_EXPIRED = 3;
   // Unable to access web portal for license activation procedures.
   VM_ERR_LIC_WEB_PORTAL_UNAVAILABLE = 4;
+  // The dispatcher is in process of shutting down. Any currently
+  // running VMs will be suspended.
+  VM_ERR_SRV_SHUTDOWN_IN_PROGRESS = 5;
 }
 
 // Request to register VM residing at given path.
diff --git a/chromium/third_party/cros_system_api/system_api.pc b/chromium/third_party/cros_system_api/system_api.pc
index f65a315ada0..53fa58ff2e7 100644
--- a/chromium/third_party/cros_system_api/system_api.pc
+++ b/chromium/third_party/cros_system_api/system_api.pc
@@ -1,4 +1,4 @@
 Name: system_api
 Description: Protobuffers and headers shared by Chromium OS and Chromium.
 Version: 0.1
-Libs: -lsystem_api-power_manager-protos -lsystem_api-cryptohome-protos -lsystem_api-authpolicy-protos -lsystem_api-biod-protos -lsystem_api-bootlockbox-protos -lsystem_api-protos -lsystem_api-kerberos-protos -lsystem_api-login_manager-protos -lsystem_api-chaps-protos -lsystem_api-attestation-protos -lsystem_api-smbprovider-protos -lsystem_api-vm_concierge-protos -lsystem_api-vm_applications-protos -lsystem_api-vm_cicerone-protos -lsystem_api-seneschal-protos -lsystem_api-oobe_config-protos -lsystem_api-runtime_probe-protos -lsystem_api-dlcservice-protos -lsystem_api-update_engine-protos -lsystem_api-vm_plugin_dispatcher-protos -lsystem_api-u2f-protos -lsystem_api-tpm_manager-protos -lsystem_api-chunneld-protos -lsystem_api-patchpanel-protos -lsystem_api-system_proxy-protos
+Libs: -lsystem_api-power_manager-protos -lsystem_api-cryptohome-protos -lsystem_api-authpolicy-protos -lsystem_api-biod-protos -lsystem_api-bootlockbox-protos -lsystem_api-protos -lsystem_api-kerberos-protos -lsystem_api-login_manager-protos -lsystem_api-lorgnette-protos -lsystem_api-chaps-protos -lsystem_api-attestation-protos -lsystem_api-smbprovider-protos -lsystem_api-vm_concierge-protos -lsystem_api-vm_applications-protos -lsystem_api-vm_cicerone-protos -lsystem_api-seneschal-protos -lsystem_api-oobe_config-protos -lsystem_api-runtime_probe-protos -lsystem_api-dlcservice-protos -lsystem_api-update_engine-protos -lsystem_api-vm_plugin_dispatcher-protos -lsystem_api-u2f-protos -lsystem_api-tpm_manager-protos -lsystem_api-chunneld-protos -lsystem_api-patchpanel-protos -lsystem_api-system_proxy-protos -lsystem_api-vm_permission_service-protos