diff --git a/private/system_server.te b/private/system_server.te
index 58a25e29cfd8a9ad653e056665ccd8cfb03f0bf4..60292434560ccb3364b3589016c453d83b969ef3 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -174,7 +174,6 @@ binder_service(system_server)
 # Perform HwBinder IPC.
 hwbinder_use(system_server)
 hwallocator_use(system_server)
-binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_contexthub)
 hal_client_domain(system_server, hal_fingerprint)
diff --git a/public/attributes b/public/attributes
index a0c1f9397bc3f3d294983de22cb4fa0f081a97d6..799a4fd78588b3c775c315db40b96f8513885004 100644
--- a/public/attributes
+++ b/public/attributes
@@ -110,11 +110,6 @@ attribute bluetoothdomain;
 # All domains used for binder service domains.
 attribute binderservicedomain;
 
-# All domains that access the boot_control HAL. The permissions the HAL
-# requires are specific to the implementation provided in each device, but
-# common daemons need to be aware of those when calling into the HAL.
-attribute boot_control_hal;
-
 # update_engine related domains that need to apply an update and run
 # postinstall. This includes the background daemon and the sideload tool from
 # recovery for A/B devices.
@@ -132,6 +127,9 @@ attribute hal_audio_server;
 attribute hal_bluetooth;
 attribute hal_bluetooth_client;
 attribute hal_bluetooth_server;
+attribute hal_bootctl;
+attribute hal_bootctl_client;
+attribute hal_bootctl_server;
 attribute hal_camera;
 attribute hal_camera_client;
 attribute hal_camera_server;
diff --git a/public/boot_control_hal.te b/public/boot_control_hal.te
deleted file mode 100644
index 2a670b39bf1c6e34cef08c56d594d5e44e2769ed..0000000000000000000000000000000000000000
--- a/public/boot_control_hal.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow read/write bootctrl block device, if one is defined.
-allow boot_control_hal bootctrl_block_device:blk_file rw_file_perms;
diff --git a/public/device.te b/public/device.te
index 633515fe9908190de44a413ccc442c713ea3bdc3..c9c64dc00dd0639c1772619cd8e89ec47612be7d 100644
--- a/public/device.te
+++ b/public/device.te
@@ -99,6 +99,3 @@ type metadata_block_device, dev_type;
 
 # The 'misc' partition used by recovery and A/B.
 type misc_block_device, dev_type;
-
-# Bootctrl block device used by A/B update (update_engine, update_verifier).
-type bootctrl_block_device, dev_type;
diff --git a/public/hal_boot.te b/public/hal_boot.te
deleted file mode 100644
index 870f1e4d7cb1e00445554eb82dd93df678dee65c..0000000000000000000000000000000000000000
--- a/public/hal_boot.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# boot_control subsystem
-type hal_boot, domain, boot_control_hal;
-
-# call into system_server process (callbacks)
-binder_call(hal_boot, system_server)
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
new file mode 100644
index 0000000000000000000000000000000000000000..b731fd69d5c70869c29a282ff517821902af7800
--- /dev/null
+++ b/public/hal_bootctl.te
@@ -0,0 +1,3 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_bootctl_client, hal_bootctl_server)
+binder_call(hal_bootctl_server, hal_bootctl_client)
diff --git a/public/recovery.te b/public/recovery.te
index 11c01ed50daf4e71e730f8e353150f2939158c0e..a61c8e94f9cf6cce52458d27b5a60272c00377a9 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -8,7 +8,8 @@ type recovery, domain, domain_deprecated;
 # Otherwise recovery is only allowed the domain rules.
 recovery_only(`
   # Allow recovery to perform an update as update_engine would do.
-  typeattribute recovery update_engine_common, boot_control_hal;
+  typeattribute recovery update_engine_common;
+  hal_client_domain(recovery, hal_bootctl)
 
   allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
 
diff --git a/public/update_engine.te b/public/update_engine.te
index 31ba14f741e89dcedc6a704a5b145b405ecfa36d..33eb2a80e681fb018b57dba115722a05f775a365 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -1,6 +1,5 @@
 # Domain for update_engine daemon.
-# update_engine uses the boot_control_hal.
-type update_engine, domain, domain_deprecated, update_engine_common, boot_control_hal;
+type update_engine, domain, domain_deprecated, update_engine_common;
 type update_engine_exec, exec_type, file_type;
 type update_engine_data_file, file_type, data_file_type;
 
@@ -39,6 +38,5 @@ binder_call(update_engine, priv_app)
 allow update_engine ota_package_file:file r_file_perms;
 allow update_engine ota_package_file:dir r_dir_perms;
 
-# Use binderized HAL
-hwbinder_use(update_engine)
-binder_call(update_engine, hal_boot)
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 848215945ac9d1c23ce98f67726193b93d104630..8c8e9a97699ad232d1076d0a9bd0726d10af5bcc 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -1,11 +1,7 @@
 # update_verifier
-# update_verifier uses the boot_control_hal.
-type update_verifier, domain, boot_control_hal;
+type update_verifier, domain;
 type update_verifier_exec, exec_type, file_type;
 
-# find the boot_control_hal
-allow update_verifier system_file:dir r_dir_perms;
-
 # Allow update_verifier to reach block devices in /dev/block.
 allow update_verifier block_device:dir search;
 
@@ -16,6 +12,5 @@ allow update_verifier ota_package_file:file r_file_perms;
 # Read all blocks in dm wrapped system partition.
 allow update_verifier dm_device:blk_file r_file_perms;
 
-# Use binderized HAL
-hwbinder_use(update_verifier)
-binder_call(update_verifier, hal_boot)
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 98317e32c46f76d4ced85e3b8c55cf73df941909..4e74f009e457a2f493b1e468ebf9ed0893159463 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -4,7 +4,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service          u:object_r:hal_audio_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_bootctl_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service          u:object_r:hal_camera_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.0-service    u:object_r:hal_configstore_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
diff --git a/vendor/hal_boot.te b/vendor/hal_boot.te
deleted file mode 100644
index 666eacdbf50940208de636b84c13f5e3166d7dd5..0000000000000000000000000000000000000000
--- a/vendor/hal_boot.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# boot_control subsystem
-
-hal_impl_domain(hal_boot)
-
-type hal_boot_exec, exec_type, file_type;
-init_daemon_domain(hal_boot)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000000000000000000000000000000000000..9986fb5c748ec7faf15e674146e34e92628a090d
--- /dev/null
+++ b/vendor/hal_bootctl_default.te
@@ -0,0 +1,6 @@
+# Boot control subsystem
+type hal_bootctl_default, domain;
+hal_server_domain(hal_bootctl_default, hal_bootctl)
+
+type hal_bootctl_default_exec, exec_type, file_type;
+init_daemon_domain(hal_bootctl_default)