Prebuilt bootloader embeds its own public key, which is exposed as
microdroid_crosvm_bootloader.avbpubkey from prebuilt repo. When building
the virt apex, it's replaced with microdroid_sign_key's pubkey.
Bug: 193504286
Test: sign_virt_apex_test
Change-Id: I034558d31ea2907b8000f558425d32f642ec2987
This reverts commit aea73f82a0.
Relanding with the fix for arm & x86 builds.
apex: use the same key for all microdroid items
The pubkey embedded in the bootloader should match the key signing
VBmeta. The updated build graph ensures that the bootloader and VBmeta are
generated with the same key.
All other filesystem images are signed with the same key for
convenience even though it's not necessary.
Bug: 193504286
Bug: 203726593
Test: atest MicrodroidHostTestCases
Change-Id: Iae93934b18955e86ee6b73ad204c68a3f7456102
The pubkey embedded in the bootloader should match the key signing
VBmeta. The updated build graph ensures that the bootloader and VBmeta are
generated with the same key.
All other filesystem images are signed with the same key for
convenience even though it's not necessary.
Bug: 193504286
Bug: 203726593
Test: atest MicrodroidHostTestCases
Change-Id: I4ecb9e2c00d739aba84677036edf256f141767ac
We need to verify the bootconfig partitions. Otherwise, attackers can
compose a random bootconfig partition, and use it instead of the
prebuilt ones. Then they would be able to modify the behavior of the VM.
Now, bootconfig partitions are signed using avb just like other
partitions. In addition, disk 1, where the bootconfig is, has
a new vbmeta partition. The partition has the bootconfig partition as
the chained partition. This vbmeta partition can be used to add more
bootconfig-like partitions in the future.
Bug: 203031847
Test: run microdroid test app
Change-Id: I66c7defd07785fcb13180a368786151bd973cc65
VBmeta's key should match the pubkey embedded in the bootloader. The
bootloader pubkey is added to the APEX so that sign_virt_apex can
replace it with a new pubkey.
Bug: 193504286
Test: sign_apex --sign_tool sign_virt_apex ...
& install & run a VM
Change-Id: Ic8e5ec9cb45434691c8dce0ca09243e181dc59cc
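The invariant the two commits above rely on (the avbpubkey embedded in the bootloader must be the key that signed vbmeta, so sign_virt_apex's key replacement has to keep them in step), shown as an added example that is not code from the Virtualization project: parse the vbmeta header using the layout of avbtool's AvbVBMetaHeader, pull out the public key blob from the auxiliary block, and compare it with the bootloader's key. The vbmeta image and key blobs are constructed inside the block; real ones would come from avbtool.

```python
"""Check that the key the bootloader trusts is the key that signed vbmeta."""
import hmac
import struct

# AVB vbmeta header: 256 bytes, big-endian, laid out as in avbtool's
# AvbVBMetaHeader (magic, libavb version, auth/aux block sizes, algorithm,
# offsets/sizes of hash, signature, public key, key metadata, descriptors,
# rollback index, flags, rollback index location, release string, reserved).
HEADER_FMT = "!4s2L2QL2Q2Q2Q2Q2QQLL47sx80x"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 256
AVB_MAGIC = b"AVB0"


def extract_vbmeta_pubkey(vbmeta: bytes) -> bytes:
    """Return the raw public key blob from a vbmeta image's auxiliary block."""
    if len(vbmeta) < HEADER_SIZE or vbmeta[:4] != AVB_MAGIC:
        raise ValueError("not a vbmeta image")
    f = struct.unpack(HEADER_FMT, vbmeta[:HEADER_SIZE])
    auth_size, aux_size = f[3], f[4]
    pubkey_off, pubkey_size = f[10], f[11]
    aux_start = HEADER_SIZE + auth_size  # auxiliary block follows the auth block
    if pubkey_off + pubkey_size > aux_size or aux_start + aux_size > len(vbmeta):
        raise ValueError("public key lies outside the auxiliary block")
    return vbmeta[aux_start + pubkey_off:aux_start + pubkey_off + pubkey_size]


def bootloader_key_matches_vbmeta(bootloader_pubkey: bytes, vbmeta: bytes) -> bool:
    """True if the bootloader's embedded avbpubkey equals the key in vbmeta."""
    return hmac.compare_digest(bootloader_pubkey, extract_vbmeta_pubkey(vbmeta))


def constructed_avbpubkey(fill: bytes) -> bytes:
    """Stand-in for an RSA-4096 avbpubkey blob (8-byte header + n + rr =
    1032 bytes). Constructed for this example; not a real key."""
    return struct.pack("!2L", 4096, 0) + fill * 1024


def build_unsigned_vbmeta(pubkey: bytes) -> bytes:
    """Minimal unsigned vbmeta (algorithm NONE, no descriptors) carrying
    pubkey. Constructed for this example; real images come from avbtool."""
    aux = pubkey + b"\0" * (-len(pubkey) % 64)  # aux block is 64-byte aligned
    header = struct.pack(HEADER_FMT, AVB_MAGIC, 1, 0, 0, len(aux), 0,
                         0, 0, 0, 0, 0, len(pubkey), 0, 0, 0, 0,
                         0, 0, 0, b"constructed")
    return header + aux


if __name__ == "__main__":
    key = constructed_avbpubkey(b"\x11")
    print(bootloader_key_matches_vbmeta(key, build_unsigned_vbmeta(key)))  # True
```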
Since we don't need to update partitions separately, a single vbmeta is
enough for all partitions.
Bug: 193504286
Test: atest MicrodroidHostTestCases
Change-Id: I4f0e84dc0132c8f3ff9262e11bfc68eaf7863169
A VM is now provided with two
serial devices. One is the uart device which is used as the output
device for the cases where virtio-console device driver is not
available. In the case of Microdroid, it's used by bootloader (u-boot)
and by the kernel as earlycon. The other is the virtio-serial device. It
is used as the console for the kernel.
This CL has two X86 specific hacks though.
1. The PCI addresses of the boot devices were adjusted. This is because
we have added one more PCI device (the virtio-serial device) and crosvm
for x86_64 puts serial devices prior to the block devices and they all
share the same bus ID. As a result, the block device addresses are all
shifted by 1.
2. The kernel command line embedded in boot.img now has `console=none`.
This is to prevent u-boot from automatically adding `console=ttyS0`. If
we let u-boot do that, then we will have console=ttyS0 together with
console=hvc0. Then each kernel message is printed twice; once to ttyS0
and once again to hvc0.
Bug: 200914564
Test: run a VM
Change-Id: I4349c4d70ac76c1b4ddc77bbff6c9b697b2f1f4e
So far, Microdroid used ueventd.rc from Android. Although ueventd.rc for
Android has some device nodes that are not relevant to microdroid (e.g.
gpu, input, etc.), that wasn't harmful. However, we will soon have
/dev/hvc* entries for the virtualized console which are exclusive to
Microdroid.
Forking the file in preparation for the change.
Bug: 200914564
Test: atest MicrodroidHostTestCases
Change-Id: I3d42203f4835b8058249ef0783d0509d693e81e0
Microdroid's bootloader is locked and cuttlefish is unlocked. Hence the
split.
Bug: 155019925
Test: MicrodroidTestCases and Treehugger
Change-Id: I2adf1298145c02c9863b0376fee92f231feb92ae
Previously, a VM could be configured as running in debug mode or not.
However, the debug mode was not defined clearly and debugging features
like logging and adb-shell were actually left enabled even when the
debug mode was off.
This CL re-defines the debuggability of a VM. A VM has a debug level
which can be one of these three:
1. None: In this level, the VM is not debuggable at all. No log is exported
from the VM, and a debugger can't be attached to any process in the VM.
adb-shell of course is not supported.
2. App-only: In this level, only the app payload is debuggable. Logs
from the app process are exported to the host and the process can be
attached to a debugger. adb-shell is not supported.
3. Full: In this level, the VM is fully debuggable. All logs including
kernel logs are exported to the VM and developers can adb-shell into the
VM.
Note that this CL doesn't fully implement all the levels yet, but
implements the framework around supporting multiple debug levels.
Specifically, each debug level is associated with a bootconfig image.
Each image has config values each of which enables or disables a
debugging feature. For example, bootconfig images for the none and
app-only levels have "kernel.console = none" to not show kernel console
output.
The `vm` tool and the Java APIs are also amended accordingly. The debug
level can be set via `--debug <level>` flag and the `DebugLevel(...)`
method.
Future work:
* Implement each debug level
* Each level uses different vm-instance image. Debug level is stored in
the instance image and is compared against the given level when
microdroid boots.
* Sign bootconfig images with avb and let uboot verify them
(b/203031847)
Bug: 201362865
Test: atest MicrodroidHostTestCases
Test: adb shell /apex/com.android.virt/bin/vm run-app
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img assets/vm_config.json
shows ...
Created VM from
"/data/local/tmp/virt/MicrodroidDemoApp.apk"!"assets/vm_config.json"
with CID 13, state is NOT_STARTED.
Started VM, state now STARTING.
Hello Microdroid /mnt/apk/lib/arm64-v8a/MicrodroidTestNativeLib.so hello
microdroid
, which is without logs from the bootloader and the kernel
Change-Id: I897dcd88723f014524d2cd2b6ffaa6f9fb5696d6
keystore2_microdroid is a variant of keystore2 which uses libsqlite
which doesn't depend on the i18n APEX. Previously, the same keystore2
module was used across Android and microdroid. However, the use of the
new libsqlite variant caused a small regression (6ms) to the boot time -
because it couldn't make use of the original libsqlite which was already
pre-loaded by zygote.
To fix the regression, keystore2 for Android goes back to using the
original libsqlite, and keystore2_microdroid is created to use the
no-icu version of libsqlite.
Bug: 201344281
Test: measure SystemServerTiming_StartLockSettingsService-total
Change-Id: I01de5d803479b48ec407e97c193d7e093cdc0ac9
It was used only by keystore2 via libsqlite. keystore2 now depends on
libsqlite_noicu which is a variant of libsqlite built without the ICU
extension [1].
[1] https://www.sqlite.org/src/file?name=ext/icu/README.txt
Bug: 199674764
Test: du -sh com.android.virt.apex 162MB -> 97MB
Change-Id: Iac25e11bb63509c0518b56597dd422c60c08fb60
i18n apex is non-updatable and has no hashtree in its payload image.
Without a hashtree, the apex can't be dm-verity mounted. So microdroid should
have the apex as a built-in (in /system/apex) so that it can be directly
loop-mounted.
Bug: n/a
Test: MicrodroidHostTestCases
Change-Id: Iea5d9cd7b39e909259ed452258395cfb20804f70
This CL fixes a series of mistakes which let the system and the vendor
partition be mounted without dm-verity.
* avb=vbmeta and avb=vbmeta_system flags are added to fstab so that the
partitions are mounted over dm-verity
* uboot script is modified to append avb_bootargs into bootargs so that
avb parameters like the root hash, etc. are passed to the kernel via
cmdline
* The boot partition is no longer a chained partition. Its hashtree is
included in vbmeta.img directly. This is firstly because we don't have a
need to update the kernel independently from other partitions. And
secondly, boot as a chained partition requires us to create
/dev/block/by-name/boot during the first stage init, which requires an
additional but useless entry in fstab.
* The names of the logical partitions in super.img are changed to system_a and
vendor_a from system and vendor, respectively.
Bug: 198303625
Test: boot microdroid. `ls /dev/block/mapper` shows
```
drwxr-xr-x 3 root root 160 2021-09-01 03:10 .
drwxr-xr-x 5 root root 1180 2021-09-01 03:10 ..
drwxr-xr-x 2 root root 140 2021-09-01 03:10 by-uuid
lrwxrwxrwx 1 root root 15 2021-09-01 03:10 microdroid-apk -> /dev/block/dm-4
lrwxrwxrwx 1 root root 15 2021-09-01 03:10 system-verity -> /dev/block/dm-2
lrwxrwxrwx 1 root root 15 2021-09-01 03:10 system_a -> /dev/block/dm-0
lrwxrwxrwx 1 root root 15 2021-09-01 03:10 vendor-verity -> /dev/block/dm-3
lrwxrwxrwx 1 root root 15 2021-09-01 03:10 vendor_a -> /dev/block/dm-1
```
Change-Id: I6b485d841d9bd774ab964fd9ae7d2e0a15795b14
The instance disk has been created, but hasn't actually been used. This
CL is the first step towards actually using it. Specifically, this CL
* provides routines for navigating the instance disk. The disk consists
of a disk header, followed by partitions each of which consists of a
header and payload. Each partition is dedicated to a program loader like
pVM firmware, Android Boot Loader, and microdroid_manager. A partition
is identified by UUID and this CL provides a routine to locate the
partition for a given UUID.
* provides routines for reading and writing the payload in a partition.
The data is stored encrypted when it is written and is decrypted when
read. The key is currently hard-coded, but it will eventually be derived
from the sealing CDI from the previous stage.
* The root hash of an apk extracted from the idsig file is stored to the
disk. Note that the stored root hash is not yet used by apkdmverity. It
shall be done in a follow-up change.
Bug: 193504400
Test: boot microdroid twice. check that the root hash is written to the
disk during the first boot, and then read during the second boot. Also
check that the two root hashes are the same.
Change-Id: Ia1afcda4d8444ad52a47ebcc659b2698159da816
The payload will be automatically run by microdroid_manager.
Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: I851bc7890ebfc27dadea1fa9ce09413e18aed07c
TARGET_BUILD_APPS build makes libs with sdk_version not included in
microdroid system image. Until fixing the build system, those missing
libs can be manually added to the list of microdroid's deps.
Bug: 195425111
Test: TARGET_BUILD_APPS=com.android.virt m apps_only dist
install the apex and run MicrodroidHostTestCases
Change-Id: Ied90997026e2ade327ef337109676aca5636e9b5
This hasn't worked because the path /mnt/apk/lib/<abi> wasn't in the
search paths of the linker namespace into which the library is loaded (which
is the default namespace).
Fixing that by creating a new linker namespace 'microdroid' that
inherits the settings from the default namespace but adds the library
directory to the search paths, and loading the library from that
namespace.
Bug: N/A
Test: atest MicrodroidHostTestCases
Change-Id: I30c4ce86a48b80fa65e3b5ffeb90561fa1d2544e
KeyMint in microdroid will initially be a specialized version of the
software KeyMint reference implementation. Begin this specialization by
removing the services that aren't needed within VMs.
Bug: 190578423
Test: atest MicrodroidHostTestCases
Change-Id: I6eee95944ccc555656868dad193f29b83ebf46a4
file_contexts was copied from system/sepolicy/private. It contained a
lot of redundant entries for microdroid.
Bug: 191131624
Test: atest MicrodroidHostTestCases
Change-Id: Ia4e2664822b9cb984dddb99c03faaa6f54f2dfc6
Look up the Keystore service from the test payload to make sure it can
be found and communicated with.
Bug: 190578423
Test: atest MicrodroidHostTestCases
Change-Id: I1dd863202b7de5405658ee5e922b955e3cba6741
MicrodroidHostTestCases now uses the vm tool to create the VM. It no
longer directly interacts with crosvm and mk_cdisk.
The README.md file is rewritten to fully reflect the recent changes, and
also to add a description of building an app for microdroid.
Bug: 185891097
Test: atest MicrodroidHostTestCases
Change-Id: I5fdc854390fd362ebead22a4a36af75c30500a81
This change adds a new flag --rpc-binder to authfs, and --cid to
fd_server. The flag allows both to communicate through vsock. The
capability of local binder is kept for now (and still the default),
but can be removed later.
The change relies on the newly introduced libbinder_rpc_unstable.so
and the corresponding bindgen, in order to access the unstable API from
Rust.
Also, add authfs and libbinder_rpc_unstable to microdroid.
Bug: 190547489
Bug: 189947807
Test: [Android shell] sh -c 'exec 9<>/data/local/tmp/output \
/apex/com.android.virt/bin/fd_server --rw-fds 9 --rpc-binder'
[VM shell] /apex/com.android.virt/bin/authfs \
/data/local/tmp --cid 2 --remote-new-rw-file 9:9
[VM shell 2] ps -A > /data/local/tmp/9
[Android shell] cat /data/local/tmp/output # see correct data
Change-Id: I200f746aa4078508a0f0d2498a1525bb898a6e3b
apkdmverity is added to microdroid as well.
Bug: 190343842
Test: MicrodroidHostTestCases (not changed)
Change-Id: If5d6608b52cc93cd13ace85c03b5b2891041b8b4
No longer needed now that init listens for property changes on a
separate thread.
Bug: 186580823
Test: Cuttlefish boots successfully
Test: atest MicrodroidHostTestCases
Change-Id: I4953e1f9e596db6e8b5ecc49a05cbf4375b7f6c4
The file was the input to make the payload.img. Instead of using the
hard-coded file, let the test make it from the vm_config file in the
test APK. This will eventually be done by the client-side library, but
since we don't have it, let the test do it.
Bug: 185891097
Test: atest MicrodroidHostTestCases
Change-Id: I677dff58abb1b49d76b53c39ec33ccc0c8b88dc4
For security reasons, we will use tmpfs for /data. It should contain only
small, temporary files for now.
vold is removed as it's redundant now. MicrodroidTestCase's boot marker
is also updated because logd reinit won't happen if vold is removed.
Bug: 185767624
Test: atest MicrodroidHostTestCases
Change-Id: I3f60d5dfad2519b6d593a3f514bb50c50019b526
Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; for now it's a simple copy of system/sepolicy.
In future work, it will be stripped.
Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
These are for encrypting /data partition. Also vintf related xmls are
added for the services.
Bug: 185767624
Bug: 188013319
Test: boot microdroid
Change-Id: Ie511e2b4f3565fef181cc57588c2e107182f1961
It is started by init in microdroid and executes a command specified in
a VM payload config.
Bug: 189301496
Test: MicrodroidHostTestCases
(in a microdroid, run /system/bin/microdroid_manager manually)
Change-Id: I85c7e370d4a0dcf58b4aafbe6e9fba73e69c2a44
We provide a sparse file directly as a (writable) partition image and
format a filesystem on the partition inside the VM.
To format it only when it's not formatted, the option `formattable` is
added to the fstab entry for the userdata partition.
Bug: 185767624
Test: atest MicrodroidHostTestCases
Change-Id: Ia938fd60071e64170b8280d19c17c4413c769337