Microdroid init will start the tombstone_transmit service which will
connect to a server (thread of virtualization service).
virtualizationservice listens for incoming connections from guest VMs.
The client (tombstone_transmit in guest) sends each tombstone file
content through a separate stream.
For each received connection, handle_tombstone would send a connect
request to tombstoned (via libtombstoned_client_rust), which provides a
file to write the content to (actually managed by the client library).
Once the write is complete, notify_completion() would send a completion
notification to tombstoned (which then closes the file and renames it).
Test: atest MicrodroidHostTestCases and/or crash a process in microdroid, take and check bugreport
Bug: 202153827
Change-Id: Ifcaa5da968ef39fdd05612d3e0baca4fd1c5eaf1
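The host-side flow above, as an added example (not code from the project): each guest stream is one tombstone, and the content is committed only when the stream ends cleanly, mirroring tombstoned's open-on-connect and close-and-rename-on-notify_completion(). The stream iterables, the file names and the ConnectionError used to model a dropped vsock connection are all assumptions for the example.

```python
"""Host-side tombstone receiver, modelled on the handle_tombstone flow
described above. Added example, not project code: guest streams are plain
iterables of byte chunks, and the temp-file-then-rename commit stands in for
tombstoned's open-on-connect / close-and-rename-on-notify_completion()."""
import os
import tempfile
from typing import Dict, Iterable, List


def receive_tombstones(streams: Iterable[Iterable[bytes]], out_dir: str) -> List[str]:
    """One stream per tombstone. Bytes go to a hidden temporary file; only a
    stream that ends cleanly is renamed into its final name, so a connection
    cut mid-transfer never shows up as a complete tombstone in a bugreport."""
    finished = []
    for n, stream in enumerate(streams):
        partial = os.path.join(out_dir, f".tombstone_{n:02d}.partial")
        final = os.path.join(out_dir, f"tombstone_{n:02d}")
        try:
            with open(partial, "wb") as f:
                for chunk in stream:
                    f.write(chunk)
        except ConnectionError:
            os.unlink(partial)      # incomplete: discard rather than publish
            continue
        os.rename(partial, final)   # the notify_completion() step
        finished.append(os.path.basename(final))
    return finished


def run_demo() -> Dict[str, List[str]]:
    """Three constructed guest streams; the second drops mid-transfer."""
    def cut_stream():
        yield b"*** *** ***\npid: 2, tid: 2\n"
        raise ConnectionError("guest closed the stream")   # assumed failure model

    streams = [
        [b"*** *** ***\npid: 1, tid: 1\n", b"signal 11 (SIGSEGV)\n"],
        cut_stream(),
        [b"*** *** ***\npid: 3, tid: 3\n", b"signal 6 (SIGABRT)\n"],
    ]
    with tempfile.TemporaryDirectory() as d:
        finished = receive_tombstones(streams, d)
        return {"finished": finished, "on_disk": sorted(os.listdir(d))}


if __name__ == "__main__":
    print(run_demo())
```

The point of the rename step is that a reader of the tombstone directory (for example a bugreport) never observes a half-written file: a truncated transfer leaves nothing behind.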
Previously we were rate limiting audit messages (i.e. selinux avc
denials) on boot complete, i.e. before the payload starts. This makes
it hard to diagnose selinux issues in the payload.
Bug: 218494522
Test: Run payload, see denials
Change-Id: I5fcc0e1ed23c259fd6fb53d531858cb0bdb8fe62
These have been replaced by diced so are no longer in microdroid. The
removal of keymint also allows for the removal of hwservicemanager.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: Id390e39558d93f4922481bc214a0c01a3a6c93ef
The values are placeholders until true values are made available for the
HAL to pick up. Adding the HAL allows diced to connect to it and get
some values rather than it trying to connect to the HAL for a little
bit, failing and then generating its own fake values. The result is
still fake, but there is less waiting and the components are connecting
as they are expected to.
Bug: 214231981
Test: run microdroid
Change-Id: I3e6d2995e388418f99d1987fa1af22f9818bd745
microdroid_manager needs to access diced to get the per-VM secret that
it uses to encrypt/decrypt the instance disk. This is not trivial
because previously diced (and servicemanager it depends on) were not
bootstrap processes, which means they can start only after APEXes are
activated. However, microdroid_manager can't do that before the instance
disk is decrypted. So, there's a circular dependency between
microdroid_manager and diced.
This CL fixes the issue by making diced and servicemanager bootstrap
processes. They now can start before APEXes are activated. The start of
microdroid_manager is moved to after diced.
Bug: 214231981
Test: run microdroid
Change-Id: I8ada5324000f9731a5709982fbb45cbf101f94c6
virtualizationservice currently passes extra apks and corresponding
idsigs as block devices. microdroid_manager will read the payload config
and mount the apks to /mnt/extra-apk/{index} after verifying them.
Bug: 205224817
Test: atest ComposHostTestCases MicrodroidHostTestCases
Test: manually edit vm config and see apks mounted
Change-Id: I9afa03cb7fabe0ca16b7926c4480d0b32c8bcd04
To be in sync with Cuttlefish, have three virtio-console devices
(previously two) in Microdroid.
/dev/hvc0 is used as the kernel console where kmsg is redirected to
/dev/hvc1 is a new one and is used as the userspace console (set via
androidboot.console). This currently is not used; the backend is a sink.
/dev/hvc2 is used for logcat output
Bug: 200914564
Test: run MicrodroidDemoApp
Change-Id: Ib51be683cc2f8e19e09ae7a6b5707a196eb93ac5
When the debug level of a VM is not "none", logd logs from the VM are
sent to the host. This is done by running the VM with another virtual
console and running logcat as a daemon process whose output is set to
the new virtual console device. The launch of the daemon process is
controlled by microdroid. It starts the process only when the debug
level is set to above "none".
For now, the virtual console device is backed by the same file
descriptor as the kernel console logs. A follow-up change will introduce
a new dedicated file descriptor.
Bug: 200914564
Test: start microdroid using the `vm` tool. logcat logs are shown in
stdout.
Change-Id: I1748d30c5c997cda73f7b9f082ca84b0b3d25f1e
When debug_level is set to none, logd is not started at all.
Bug: 200914564
Test: run a VM with and without --debug full
Change-Id: Idb1ea3753067242eb0dcd53d3ae783e9e947ca32
* Debug level None: adb is not supported
* Debug level app_only: adb is supported, but rooting is prohibited
* Debug level full: adb is supported and can be rooted
Bug: 201362865
Test: start a VM with `--debug none` and try to connect to the VM via
adb. It doesn't work, as expected.
Change-Id: I95fe01e722d974ff1eb29469ac96abe7d785288d
Microdroid_manager passes apex pubkeys from the instance.img so that
apexd uses them to verify APEXes.
Bug: 199371341
Test: MicrodroidHostTestCases
Change-Id: I9260e456a00e767a79c8121eb6b391978ece0ae3
Just like APK's root hash, APEX pubkeys are stored in instance.img so
that in subsequent boots, pubkeys from payload APEXes are checked
against ones in instance.img.
Bug: 198361718
Test: MicrodroidHostTestCases
Change-Id: I5385700e86b4962133df80b750208ce45cec2655
This CL completes the APK verification story in microdroid. Previously,
the roothash of an APK that apkdmverity uses came from the idsig file.
That file (and thus the roothash in it) is untrusted because it's not signed
by anyone. It is generated by virtualization service when the VM is
created.
With this CL, the roothash becomes trustful. Specifically, the roothash
is from the instance disk which is encrypted and signed using the per-VM
secret key. When the roothash in the instance disk is none, which
could happen during the initial boot of the VM, we do the full APK verification (by
scanning every bit), and save the roothash in the instance disk. In the
subsequent boots, we skip the full APK verification, but instead compare
the roothash with the saved one. If they differ, the boot is halted.
1) The start of apkdmverity and zipfuse is controlled by
microdroid_manager. This is to NOT start them before the roothash is
read from the instance disk. Previously, this was impossible because
they are started by init while microdroid_manager is running in
background.
2) apkdmverity now uses the bootstrap bionic libraries, because it is
started far before APEXd activates APEXes.
3) microdroid_manager passes the roothash (read from instance disk) to
apkdmverity via a new system property `microdroid_manager.apk_roothash`.
This is preferred over letting microdroid_manager directly execute
apkdmverity and pass the roothash as a commandline argument. We don't
want to allow microdroid_manager to fork/exec an executable other than
app payload; there already is a selinux neverallow rule for it.
4) microdroid_manager waits for a new sysprop `linkerconfig.ready` to
become `true` before it executes an app payload. Previously, this was
implied because microdroid_manager waits for /mnt/apk which is created
by zipfuse which in turn is executed after the linkerconfig is ready.
Since zipfuse now is started much earlier, we no longer can rely on the
implicit dependency.
Bug: 193504400
Test: atest MicrodroidHostTestCases
Test: run `adb shell /apex/com.android.virt/bin/vm run-app
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img assets/vm_config.json`
... two times.
In the first run:
microdroid_manager[128]: payload verification successful. took 85.705852ms
microdroid_manager[128]: Updating APK roothash: A4BC793C78E1A...
In the second run:
microdroid_manager[128]: payload verification successful. took 56.789795ms
microdroid_manager[128]: Saved roothash is trustful. Not updating
When the same command is invoked after the apk is intentionally
modified, it fails as expected:
init: Service 'microdroid_manager' (pid 128) exited with status 1
oneshot service took 0.202000 seconds in background
Bug: 193504400
Change-Id: I469116d806cf3dae66fe41c04fdfd6bdb843edab
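The trust-on-first-use check described in this change, and the APEX pubkey check from the "APEX pubkeys are stored in instance.img" change above, as one added example in Python (not code from microdroid_manager). The Merkle root stands in for the dm-verity root hash, InstanceDisk is an in-memory stand-in for instance.img authenticated with the per-VM secret (the real disk is also encrypted; only authenticity matters for this check), and the hypothetical host-supplied idsig_roothash argument models the untrusted root hash read from the idsig file.

```python
"""Trust-on-first-use payload verification, modelled on the microdroid_manager
flow described above. Added example, not project code."""
import hashlib
import hmac
import json
from typing import Dict, Optional

BLOCK_SIZE = 4096          # dm-verity data block size
HASH_ALG = "sha256"
TAG_LEN = hashlib.new(HASH_ALG).digest_size


class PayloadVerificationError(Exception):
    pass


def verity_root_hash(data: bytes) -> bytes:
    """dm-verity style Merkle root: hash every data block, then hash the
    concatenated digests level by level until a single root remains.
    This is the 'scan every bit' full verification done on first boot."""
    if not data:
        return hashlib.new(HASH_ALG, b"").digest()
    level = [hashlib.new(HASH_ALG, data[i:i + BLOCK_SIZE]).digest()
             for i in range(0, len(data), BLOCK_SIZE)]
    per_block = BLOCK_SIZE // TAG_LEN       # digests that fit in one hash block
    while len(level) > 1:
        level = [hashlib.new(HASH_ALG, b"".join(level[i:i + per_block])).digest()
                 for i in range(0, len(level), per_block)]
    return level[0]


class InstanceDisk:
    """Stand-in for instance.img (assumed format): a JSON record plus an HMAC
    under the per-VM secret. A host that rewrites the record without the
    secret is detected on the next read."""
    def __init__(self, vm_secret: bytes):
        self._key = vm_secret
        self.blob: Optional[bytes] = None   # None models a freshly created disk

    def read(self) -> Optional[dict]:
        if self.blob is None:
            return None
        body, tag = self.blob[:-TAG_LEN], self.blob[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(self._key, body, HASH_ALG).digest(), tag):
            raise PayloadVerificationError("instance disk authentication failed")
        return json.loads(body)

    def write(self, record: dict) -> None:
        body = json.dumps(record, sort_keys=True).encode()
        self.blob = body + hmac.new(self._key, body, HASH_ALG).digest()


def verify_payload(disk: InstanceDisk, apk: bytes, idsig_roothash: str,
                   apex_pubkeys: Dict[str, str]) -> str:
    """idsig_roothash: host-supplied (untrusted) hex root hash from the idsig.
    apex_pubkeys: APEX name -> public key as read from the payload APEXes."""
    saved = disk.read()
    if saved is None:
        # First boot: nothing to compare against, so verify the whole APK
        # ourselves; only then trust the idsig value and record it.
        if not hmac.compare_digest(verity_root_hash(apk).hex(), idsig_roothash):
            raise PayloadVerificationError("idsig roothash does not match APK")
        disk.write({"apk_roothash": idsig_roothash, "apex_pubkeys": apex_pubkeys})
        return "updated"
    # Subsequent boots: skip the full scan and compare against the saved values.
    if not hmac.compare_digest(saved["apk_roothash"], idsig_roothash):
        raise PayloadVerificationError("APK roothash differs from saved one")
    if saved["apex_pubkeys"] != apex_pubkeys:
        raise PayloadVerificationError("APEX pubkeys differ from saved ones")
    return "trusted"


def boot(disk: InstanceDisk, apk: bytes, idsig_roothash: str,
         apex_pubkeys: Dict[str, str]) -> str:
    """microdroid_manager exits non-zero on failure; report that as 'halted'."""
    try:
        return verify_payload(disk, apk, idsig_roothash, apex_pubkeys)
    except PayloadVerificationError as e:
        return f"halted: {e}"


if __name__ == "__main__":
    d = InstanceDisk(b"per-vm-secret")                  # constructed secret
    apk = bytes(range(256)) * 40                         # constructed 10 KiB payload
    rh = verity_root_hash(apk).hex()
    print(boot(d, apk, rh, {"com.android.adbd": "k"}))   # first boot
    print(boot(d, apk, rh, {"com.android.adbd": "k"}))   # second boot
```

Two things the example makes visible: the saved root hash only protects against a host that swaps the APK and regenerates the idsig; a host that keeps the old idsig but edits the APK content is caught later by dm-verity at read time, not by this comparison. And because the instance disk record is bound to the per-VM secret, rewriting it from the host to match a new APK fails the authentication check before any comparison happens.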
keystore uses /data/misc/keystore, but /data/misc/keystore is created
after keystore2 is run. This causes a keystore2 crash on nested
virtualized microdroid.
This moves mounting /data and mkdir /data/misc/keystore in front of
keystore2 to make keystore2 happy.
Bug: 193118220
Test: atest MicrodroidHostTestCases on cuttlefish
Change-Id: I8ccf8abde2882c492058d1fe9207fe0192db82f1
Microdroid_manager should verify payloads (APEXes, APK) before anything
else (including apexd reading APEXes, apkdmverity/zipfuse reading APK).
In order to start before apexd, it should be "bootstrap" process (since
it can't rely on any apexes including bionic).
Bug: 190343842
Test: MicrodroidHostTestCases
Change-Id: I682555822fb8f73ea160c4a2ac379549dde35329
Since there are no two separate mount namespaces, we don't need to
"enter_default_mount_ns".
Bug: 185991357
Test: MicrodroidHostTestCases
Change-Id: I0bea5ef51da95c378ade1288c36d4cab91266ab2
These nodes are not meaningful in Microdroid, but added here in order to
satisfy the existing code that tries to put a PID to one of the cpusets.
Bug: 193118995
Test: run microdroid. Check if errors like the below are not shown:
couldn't write 152 to /dev/cpuset/system-background/tasks
Change-Id: Ibafb25355936ef21b6517c5707d093d25fc2d247
com.android.sdkext is to decide the extension SDK level of the device
and set system properties so that apps can query it.
In microdroid we don't support it yet. So remove it from the mandatory
system APEX list.
Bug: 193118107
Test: MicrodroidHostTestCases
Change-Id: I1e913b0826d78f06439ec37889e390ef97c4623a
KeyMint in microdroid will initially be a specialized version of the
software KeyMint reference implementation. Begin this specialization by
removing the services that aren't needed within VMs.
Bug: 190578423
Test: atest MicrodroidHostTestCases
Change-Id: I6eee95944ccc555656868dad193f29b83ebf46a4
In microdroid, the APK and its idsig are used for a dm-verity mount before
zipfuse mounts it into a filesystem.
Bug: 190343842
Test: MicrodroidHostTestCases
Change-Id: Icd48fb823eabc087c0266e46f9b3d302e90fd208
No longer needed now init listens for property changes on a
separate thread.
Bug: 186580823
Test: Cuttlefish boots successfully
Test: atest MicrodroidHostTestCases
Change-Id: I4953e1f9e596db6e8b5ecc49a05cbf4375b7f6c4
For security reasons, we will use tmpfs for /data. It should contain only
small, temporary files for now.
vold is removed as it's redundant now. MicrodroidTestCase's boot marker
is also updated because logd reinit won't happen if vold is removed.
Bug: 185767624
Test: atest MicrodroidHostTestCases
Change-Id: I3f60d5dfad2519b6d593a3f514bb50c50019b526
For now, the default implementation will be used. In the future,
microdroid-specific keymint HAL will be implemented.
Bug: 185767624
Test: atest MicrodroidHostTestCases
Test: mount userdata.img and see files encrypted
Change-Id: I593e659b60d6b33b153f8d614395755e83e597de
These are for encrypting /data partition. Also vintf related xmls are
added for the services.
Bug: 185767624
Bug: 188013319
Test: boot microdroid
Change-Id: Ie511e2b4f3565fef181cc57588c2e107182f1961
In microdroid, init enters "default" mount namespace from the beginning
and every process starts in it.
Bug: 185991357
Test: MicrodroidHostTestCases
Change-Id: I36262de8a6ff3bcf452e27c21716cfffe84d6d72
It is started by init in microdroid and executes a command specified in
a VM payload config.
Bug: 189301496
Test: MicrodroidHostTestCases
(in a microdroid, run /system/bin/microdroid_manager manually)
Change-Id: I85c7e370d4a0dcf58b4aafbe6e9fba73e69c2a44
zipfuse now runs in microdroid as a service. The source zip file path
and the mount point are fixed to /dev/block/by-name/microdroid-apk and
/mnt/apk, respectively.
To support that, microdroid_payload.json is amended to add
MicrodroidTestAppk.apk to the payload.img file. This eventually should
be done dynamically by the virt manager.
Bug: 186377508
Test: atest MicrodroidHostTestCases
Change-Id: I7a031ad442995dbd3cdc00a51a0e939c1589a7b2
/data/anr is technically also redundant, but we have to fix tombstoned
to fix it. Leaving it as-is is simpler.
Bug: 185210957
Test: boot microdroid and run debuggerd
Change-Id: Ib8411143761109c94d3d476cf69679f06086849e
Many programs need /data (especially /data/local/tmp) to properly work.
This change adds a basic unencrypted ext4 userdata partition to
microdroid. Eventually microdroid will support userdata encryption so
only VM can access /data.
Bug: 185767624
Test: atest MicrodroidHostTestCases
Test: log in to microdroid and test writing to /data
Change-Id: I115a8083ad6741fea9dedd61eca7194b1b5e5712
Host apexes are passed to microdroid via the payload composite image.
The payload composite image can be created by either
mk_payload_signature/mk_cdisk or mk_payload.
For now, microdroid expects two APEXes from the host:
- com.android.adbd
- com.android.sdkext
The exact set of host apexes for microdroid is TBD. The current set is
only for demonstration.
Bug: 181093750
Test: MicrodroidTestCase
Change-Id: I7fe33fe03ac94799a4e109b83286bfb39e44b882
Previously, we ran only 'apexd-bootstrap' because 'apexd' crashes due to
the lack of /data/apex in microdroid.
Now apexd runs in "vm" mode. In vm mode, apexd only activates built-in
apexes and block apexes. No data apexes, no session handling.
Bug: 179342589
Test: MicrodroidTestCase
Change-Id: I8c6a16c3b08010fcb008d822d0ba0e311c0a9985
Now init_rc is packaged, so we don't need to define services in
microdroid's init.rc. The exception is adb, which is meant to be in
APEX.
Bug: 181747401
Test: boot and see logd, servicemanager, and apex-bootstrap work
Change-Id: I177bec881a595b30983b9e67d9f76c0865ff3863
The following system properties are forcibly set to make adbd function.
ro.apex.updatable=true : otherwise, apexd doesn't activate critical
APEXes like the runtime APEX
ro.adb.secure=0 : to bypass the adb authentication
ro.debuggable=1 : to be able to use ro.adb.secure=0
This change also updates README.md file for the instruction to use adb.
Bug: 181728474
Test: adb shell works towards microdroid. See microdroid/README.md
Change-Id: Ica405e8bd4d2d1ef03e545aef5ed07ddc4bea34c
This adds a minimized init.rc and services to microdroid, so microdroid
can boot and adb can work.
Bug: 179340780
Test: boot with manually added selinux stuff and apexd session patch
Change-Id: I42ae13f3f2ac9ca22ed646564867da3931824682