// Every module defined in this file defaults to the Android Apache-2.0 license.
package {
    default_applicable_licenses: ["Android-Apache-2.0"],
}
// Shell and command-line utilities bundled into the microdroid system image;
// appended to the deps of the "microdroid" android_system_image below.
microdroid_shell_and_utilities = [
    "reboot",
    "sh",
    "strace",
    "toolbox",
    "toybox",
]

// Top-level directories created in the root of the microdroid system image.
microdroid_rootdirs = [
    "dev",
    "proc",
    "sys",
    "system",
    "vendor",
    "debug_ramdisk",
    "mnt",
    "data",
    "apex",
    "linkerconfig",
    "second_stage_resources",
]

// Symlinks created in the root of the microdroid system image. "name" is the
// link path relative to the image root, "target" is what the link points to.
microdroid_symlinks = [
    {
        // Shortcut to debugfs; NOTE(review): only useful when debugfs is
        // actually mounted inside the VM — confirm it is not in non-debug
        // configurations.
        target: "/sys/kernel/debug",
        name: "d",
    },
    {
        target: "/system/etc",
        name: "etc",
    },
    {
        target: "/system/bin",
        name: "bin",
    },
]
// The microdroid "system" partition image. It is AVB-enabled (use_avb) and
// signed with the rsa4096 key module named below; it carries init and the
// runtime binaries, SELinux policy artifacts, VINTF manifest/matrix and the
// shell utilities listed in microdroid_shell_and_utilities.
android_system_image {
    name: "microdroid",
    use_avb: true,
    // NOTE(review): the key module's name says "testkey"; confirm this is the
    // intended signing key wherever verification of this image is relied upon.
    avb_private_key: ":avb_testkey_rsa4096",
    avb_algorithm: "SHA256_RSA4096",
    partition_name: "system",
    deps: [
        "init_second_stage",
        "microdroid_build_prop",
        "microdroid_init_rc",
        "microdroid_ueventd_rc",
        "microdroid_launcher",
        "libbinder",
        "libbinder_ndk",
        "libstdc++",
        "logcat",
        "logd",
        "run-as",
        "secilc",
        // "com.android.adbd" requires these,
        "libadbd_auth",
        "libadbd_fs",
        // "com.android.art" requires
        "heapprofd_client_api",
        "libartpalette-system",
        "apexd",
        "debuggerd",
        "keystore2_microdroid",
        "linker",
        "linkerconfig",
        "servicemanager",
        "tombstoned",
        "cgroups.json",
        "public.libraries.android.txt",
        // TODO(b/185767624): remove hidl after full keymint support
        "hwservicemanager",
        // SELinux policy hash and the *_contexts files used to label files,
        // services, properties and keystore keys inside the VM.
        "microdroid_plat_sepolicy_and_mapping.sha256",
        "microdroid_file_contexts",
        "microdroid_hwservice_contexts",
        "microdroid_property_contexts",
        "microdroid_service_contexts",
        "microdroid_keystore2_key_contexts",
        "microdroid_compatibility_matrix",
        "microdroid_manifest",
        // TODO(b/195425111) these four should be added automatically
        "android.hardware.security.secureclock-V1-ndk",
        "android.hardware.security.sharedsecret-V1-ndk",
        "libcrypto",
        "liblzma",
    ] + microdroid_shell_and_utilities,
    multilib: {
        common: {
            deps: [
                // non-updatable & mandatory apexes
                "com.android.runtime",
                "microdroid_plat_sepolicy.cil",
                "microdroid_plat_mapping_file",
            ],
        },
        lib64: {
            // 64-bit only binaries and libraries.
            deps: [
                "apkdmverity",
                "authfs",
                "authfs_service",
                "microdroid_manager",
                "zipfuse",
                // TODO(b/184872979): Needed by authfs. Remove once the Rust API is created.
                "libbinder_rpc_unstable",
            ],
        },
    },
    linker_config_src: "linker.config.json",
    base_dir: "system",
    dirs: microdroid_rootdirs,
    symlinks: microdroid_symlinks,
    // Generated SELinux file_contexts used to label the image contents.
    file_contexts: ":microdroid_file_contexts.gen",
}
// Second-stage init.rc for microdroid, placed under etc/init/hw/ inside the
// microdroid system image (it is listed in that image's deps).
prebuilt_etc {
    name: "microdroid_init_rc",
    src: "init.rc",
    filename: "init.rc",
    relative_install_path: "init/hw",
    // Not installed on the host's own system partition, where it would
    // collide with the regular init.rc.
    installable: false,
}
// ueventd configuration for microdroid, placed under etc/ inside the
// microdroid system image.
prebuilt_etc {
    name: "microdroid_ueventd_rc",
    src: "ueventd.rc",
    filename: "ueventd.rc",
    // Not installed on the host's own system partition, where it would
    // collide with the regular ueventd.rc.
    installable: false,
}
// build.prop placed in the root of the microdroid system image. On x86_64 and
// arm64 the generated variant (with ro.product.cpu.abilist appended by the
// genrules below) replaces the plain source file.
prebuilt_root {
    name: "microdroid_build_prop",
    filename: "build.prop",
    src: "build.prop",
    arch: {
        x86_64: {
            src: ":microdroid_build_prop_gen_x86_64",
        },
        arm64: {
            src: ":microdroid_build_prop_gen_arm64",
        },
    },
    // Only part of the microdroid image; keeps it off the host's system partition.
    installable: false,
}
// Copies build.prop and appends the x86_64 ABI list so the VM reports the
// right CPU ABI on that architecture.
genrule {
    name: "microdroid_build_prop_gen_x86_64",
    srcs: ["build.prop"],
    out: ["build.prop.out"],
    cmd: "cp $(in) $(out); echo ro.product.cpu.abilist=x86_64 >> $(out)",
}
// Copies build.prop and appends the arm64 ABI list so the VM reports the
// right CPU ABI on that architecture.
genrule {
    name: "microdroid_build_prop_gen_arm64",
    srcs: ["build.prop"],
    out: ["build.prop.out"],
    cmd: "cp $(in) $(out); echo ro.product.cpu.abilist=arm64-v8a >> $(out)",
}
// The microdroid "vendor" partition image: keymint HAL service, fstab, VINTF
// vendor manifest/matrix and the vendor side of the SELinux policy. Like the
// system image it is AVB-enabled and signed with the rsa4096 key module.
android_filesystem {
    name: "microdroid_vendor",
    partition_name: "vendor",
    use_avb: true,
    deps: [
        "android.hardware.security.keymint-service.microdroid",
        "microdroid_fstab",
        "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
        "microdroid_vendor_manifest",
        "microdroid_vendor_compatibility_matrix",
    ],
    multilib: {
        common: {
            deps: [
                // SELinux policy pieces shipped on the vendor side.
                "microdroid_vendor_sepolicy.cil",
                "microdroid_plat_pub_versioned.cil",
                "microdroid_plat_sepolicy_vers.txt",
                "microdroid_precompiled_sepolicy",
            ],
        },
    },
    // NOTE(review): same test key as the system image; confirm it is the
    // intended signing key for this partition.
    avb_private_key: ":avb_testkey_rsa4096",
    avb_algorithm: "SHA256_RSA4096",
    // Generated SELinux file_contexts used to label the image contents.
    file_contexts: ":microdroid_vendor_file_contexts.gen",
}
// The super (dynamic partition) image holding the system and vendor images as
// logical partitions named system_a and vendor_a. The size is computed from
// the contents ("auto") and the output is sparse.
logical_partition {
    name: "microdroid_super",
    sparse: true,
    size: "auto",
    default_group: [
        {
            name: "system_a",
            filesystem: ":microdroid",
        },
        {
            name: "vendor_a",
            filesystem: ":microdroid_vendor",
        },
    ],
}
// Kernel command line shared by every architecture of the boot image below.
// "bootconfig" enables kernel bootconfig processing; the per-arch bootconfig
// itself is supplied through the vendor_boot modules further down.
microdroid_boot_cmdline = [
    "panic=-1",
    "bootconfig",
]
// Boot image with the 5.10 kernel for microdroid. A real kernel prebuilt exists
// only for arm64 and x86_64; other architectures get a placeholder so the
// build still succeeds.
bootimg {
    name: "microdroid_boot-5.10",
    ramdisk_module: "microdroid_ramdisk-5.10",
    // We don't have kernel for arm and x86. But Soong demands one when it builds for
    // arm or x86 target. Satisfy that by providing an empty file as the kernel.
    kernel_prebuilt: "empty_kernel",
    arch: {
        arm64: {
            kernel_prebuilt: ":kernel_prebuilts-5.10-arm64",
            cmdline: microdroid_boot_cmdline,
        },
        x86_64: {
            kernel_prebuilt: ":kernel_prebuilts-5.10-x86_64",
            cmdline: microdroid_boot_cmdline + [
                // console=none is to work around the x86 specific u-boot behavior which when
                // console= option is not found in the kernel commandline console=ttyS0 is
                // automatically added. By adding console=none, we can prevent u-boot from doing
                // that. Note that console is set to hvc0 by bootconfig if the VM is configured as
                // debuggable.
                "console=none",
                "acpi=noirq",
            ],
        },
    },
    // No device tree is used; a dummy image satisfies the boot image format.
    dtb_prebuilt: "dummy_dtb.img",
    header_version: "4",
    partition_name: "boot",
    // AVB-enabled and signed with the rsa4096 key module. NOTE(review): unlike
    // the system and vendor images no avb_algorithm is given here; confirm the
    // default used by bootimg matches the key type.
    use_avb: true,
    avb_private_key: ":avb_testkey_rsa4096",
}
// Ramdisk for the boot image: first-stage init plus the mount points it needs.
android_filesystem {
    name: "microdroid_ramdisk-5.10",
    deps: [
        "init_first_stage",
    ],
    dirs: [
        "dev",
        "proc",
        "sys",
        // TODO(jiyong): remove these
        "mnt",
        "debug_ramdisk",
        "second_stage_resources",
    ],
    // Packed as a compressed cpio archive, the layout the bootimg module consumes.
    type: "compressed_cpio",
}
// Vendor boot image: carries the vendor ramdisk (kernel modules + fstab) and
// the per-architecture bootconfig generated by the genrules below. AVB-enabled
// and signed with the rsa4096 key module; as with the boot image, no explicit
// avb_algorithm is set (NOTE(review): confirm the default matches the key).
bootimg {
    name: "microdroid_vendor_boot-5.10",
    ramdisk_module: "microdroid_vendor_ramdisk-5.10",
    // No device tree is used; a dummy image satisfies the boot image format.
    dtb_prebuilt: "dummy_dtb.img",
    header_version: "4",
    vendor_boot: true,
    arch: {
        arm64: {
            bootconfig: ":microdroid_bootconfig_arm64_gen",
        },
        x86_64: {
            bootconfig: ":microdroid_bootconfig_x86_64_gen",
        },
    },
    partition_name: "vendor_boot",
    use_avb: true,
    avb_private_key: ":avb_testkey_rsa4096",
}
// Vendor ramdisk: the per-architecture prebuilt 5.10 kernel modules and the
// microdroid fstab, laid out under first_stage_ramdisk/. The symlinks expose
// the fstab and the module directory at the paths first-stage init is
// presumably configured to look for — verify against init's first-stage
// mount logic if those paths change.
android_filesystem {
    name: "microdroid_vendor_ramdisk-5.10",
    arch: {
        arm64: {
            deps: ["virt_device_prebuilts_kernel_modules-5.10-arm64"],
        },
        x86_64: {
            deps: ["virt_device_prebuilts_kernel_modules-5.10-x86_64"],
        },
    },
    deps: [
        "microdroid_fstab",
    ],
    base_dir: "first_stage_ramdisk",
    type: "compressed_cpio",
    symlinks: [
        {
            target: "etc/fstab.microdroid",
            name: "first_stage_ramdisk/fstab.microdroid",
        },
        {
            target: "first_stage_ramdisk/lib",
            name: "lib",
        },
    ],
}
// Builds the arm64 bootconfig by concatenating the common part with the
// arm64-specific part (assumes $(in) expands in srcs order, common first).
genrule {
    name: "microdroid_bootconfig_arm64_gen",
    srcs: [
        "bootconfig.common",
        "bootconfig.arm64",
    ],
    out: ["bootconfig"],
    cmd: "cat $(in) > $(out)",
}
// Builds the x86_64 bootconfig by concatenating the common part with the
// x86_64-specific part (assumes $(in) expands in srcs order, common first).
genrule {
    name: "microdroid_bootconfig_x86_64_gen",
    srcs: [
        "bootconfig.common",
        "bootconfig.x86_64",
    ],
    out: ["bootconfig"],
    cmd: "cat $(in) > $(out)",
}
// TODO(b/203031847) sign these bootconfig images using avb
// The three microdroid_bootconfig_* prebuilts below select the VM's debug
// level (normal / app_debuggable / full_debuggable). NOTE(review): until the
// TODO above is resolved these images are not among the partitions covered by
// microdroid_vbmeta, so the debug level they encode is not integrity-protected
// by AVB.
prebuilt_etc {
    name: "microdroid_bootconfig_normal",
    src: "bootconfig.normal",
    filename: "microdroid_bootconfig.normal",
}
// Bootconfig image for the "app_debuggable" debug level. Unsigned for now
// (see TODO(b/203031847) above).
prebuilt_etc {
    name: "microdroid_bootconfig_app_debuggable",
    filename: "microdroid_bootconfig.app_debuggable",
    src: "bootconfig.app_debuggable",
}
// Bootconfig image for the "full_debuggable" debug level. Unsigned for now
// (see TODO(b/203031847) above).
prebuilt_etc {
    name: "microdroid_bootconfig_full_debuggable",
    src: "bootconfig.full_debuggable",
    filename: "microdroid_bootconfig.full_debuggable",
}
// fstab for microdroid; pulled into both the vendor image and the vendor
// ramdisk via their deps rather than installed on the host.
prebuilt_etc {
    name: "microdroid_fstab",
    filename: "fstab.microdroid",
    src: "fstab.microdroid",
    installable: false,
}
// The bootloader shipped for microdroid: the AVB-signed crosvm bootloader
// produced by microdroid_bootloader_gen, except on x86_64.
prebuilt_etc {
    name: "microdroid_bootloader",
    src: ":microdroid_bootloader_gen",
    arch: {
        x86_64: {
            // For unknown reason, the signed bootloader doesn't work on x86_64. Until the problem
            // is fixed, let's use the unsigned bootloader for the architecture.
            // TODO(b/185115783): remove this
            // NOTE(review): this means the x86_64 boot chain starts from an
            // unsigned bootloader; treat x86_64 as non-verified until the TODO
            // is resolved.
            src: ":microdroid_crosvm_bootloader",
        },
    },
    filename: "microdroid_bootloader",
}
// See external/avb/avbtool.py
// MAX_VBMETA_SIZE=64KB, MAX_FOOTER_SIZE=4KB
// Space reserved after the image for the AVB vbmeta blob plus footer; used by
// microdroid_bootloader_gen when computing --partition_size.
avb_hash_footer_kb = "68"
// Adds an AVB hash footer (signed with the rsa4096 key module) to the crosvm
// bootloader. Whether and where that footer is verified is outside this file.
genrule {
    name: "microdroid_bootloader_gen",
    tools: ["avbtool"],
    srcs: [
        ":microdroid_crosvm_bootloader",
        ":avb_testkey_rsa4096",
    ],
    out: ["bootloader-signed"],
    // 1. Copy the input to the output because avbtool modifies --image in
    //    place.
    // 2. Check if the file is big enough. For arm and x86 we have a fake
    //    bootloader file whose size is 1. It can't pass avbtool, so for those
    //    architectures the copy is left as-is without a footer.
    // 3. Add the hash footer. The partition size is set to (image size rounded
    //    up to a 4KB boundary) + avb_hash_footer_kb, i.e. the image plus the
    //    reserved vbmeta/footer space.
    cmd: "cp $(location :microdroid_crosvm_bootloader) $(out) && " +
        "if [ $$(stat --format=%s $(out)) -gt 4096 ]; then " +
        "$(location avbtool) add_hash_footer " +
        "--algorithm SHA256_RSA4096 " +
        "--partition_name bootloader " +
        "--key $(location :avb_testkey_rsa4096) " +
        "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
        "--image $(out)" +
        "; fi",
}
// U-Boot environment image for microdroid; x86_64 uses its own environment
// file (see the two genrules below).
prebuilt_etc {
    name: "microdroid_uboot_env",
    src: ":microdroid_uboot_env_gen",
    arch: {
        x86_64: {
            src: ":microdroid_uboot_env_gen_x86_64",
        },
    },
    filename: "uboot_env.img",
}
// Packs uboot-env.txt into a 4096-byte U-Boot environment image with mkenvimage.
genrule {
    name: "microdroid_uboot_env_gen",
    tools: ["mkenvimage_host"],
    srcs: ["uboot-env.txt"],
    out: ["output.img"],
    cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(in)",
}
// Packs the x86_64-specific uboot-env-x86_64.txt into a 4096-byte U-Boot
// environment image with mkenvimage.
genrule {
    name: "microdroid_uboot_env_gen_x86_64",
    tools: ["mkenvimage_host"],
    srcs: ["uboot-env-x86_64.txt"],
    out: ["output.img"],
    cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(in)",
}
// Top-level AVB vbmeta for microdroid, signed with the rsa4096 key module. It
// covers exactly the four partition images listed in "partitions"; anything
// not listed here (for example the bootconfig prebuilts above, see
// TODO(b/203031847)) is not verified through this vbmeta.
vbmeta {
    name: "microdroid_vbmeta",
    partition_name: "vbmeta",
    // NOTE(review): "testkey" in the module name; confirm it is the intended
    // root of trust for the VM images.
    private_key: ":avb_testkey_rsa4096",
    partitions: [
        "microdroid_vendor",
        "microdroid_vendor_boot-5.10",
        "microdroid",
        "microdroid_boot-5.10",
    ],
}
// The microdroid VM configuration file, installed under etc/ with its
// source name.
prebuilt_etc {
    src: "microdroid.json",
    name: "microdroid.json",
}
// VINTF manifest for the microdroid vendor image, installed as
// etc/vintf/manifest.xml inside that image only.
prebuilt_etc {
    name: "microdroid_vendor_manifest",
    filename: "manifest.xml",
    relative_install_path: "vintf",
    src: "microdroid_vendor_manifest.xml",
    // Not installed on the host's own partitions.
    installable: false,
}
// VINTF compatibility matrix for the microdroid vendor image, installed as
// etc/vintf/compatibility_matrix.xml inside that image only.
prebuilt_etc {
    name: "microdroid_vendor_compatibility_matrix",
    src: "microdroid_vendor_compatibility_matrix.xml",
    filename: "compatibility_matrix.xml",
    relative_install_path: "vintf",
    // Not installed on the host's own partitions.
    installable: false,
}
// VINTF framework compatibility matrix for the microdroid system image,
// installed as etc/vintf/compatibility_matrix.current.xml inside that image only.
prebuilt_etc {
    name: "microdroid_compatibility_matrix",
    filename: "compatibility_matrix.current.xml",
    relative_install_path: "vintf",
    src: "microdroid_compatibility_matrix.xml",
    // Not installed on the host's own partitions.
    installable: false,
}
// VINTF framework manifest for the microdroid system image, installed as
// etc/vintf/manifest.xml inside that image only.
prebuilt_etc {
    name: "microdroid_manifest",
    src: "microdroid_manifest.xml",
    filename: "manifest.xml",
    relative_install_path: "vintf",
    // Not installed on the host's own partitions.
    installable: false,
}