package { default_applicable_licenses: ["Android-Apache-2.0"], } microdroid_shell_and_utilities = [ "reboot", "sh", "strace", "toolbox", "toybox", ] microdroid_rootdirs = [ "dev", "proc", "sys", "system", "vendor", "debug_ramdisk", "mnt", "data", "apex", "linkerconfig", "second_stage_resources", ] microdroid_symlinks = [ { target: "/sys/kernel/debug", name: "d", }, { target: "/system/etc", name: "etc", }, { target: "/system/bin", name: "bin", }, ] android_system_image { name: "microdroid", use_avb: true, avb_private_key: ":microdroid_sign_key", avb_algorithm: "SHA256_RSA4096", avb_hash_algorithm: "sha256", partition_name: "system", deps: [ "init_second_stage", "microdroid_build_prop", "microdroid_init_rc", "microdroid_ueventd_rc", "microdroid_launcher", "libbinder", "libbinder_ndk", "libstdc++", "logcat", "logd", "secilc", // "com.android.adbd" requires these, "libadbd_auth", "libadbd_fs", // "com.android.art" requires "heapprofd_client_api", "libartpalette-system", "apexd", "atrace", "debuggerd", "diced.microdroid", "linker", "linkerconfig", "servicemanager.microdroid", "tombstoned", "tombstone_transmit.microdroid", "cgroups.json", "task_profiles.json", "public.libraries.android.txt", "microdroid_compatibility_matrix", "microdroid_event-log-tags", "microdroid_file_contexts", "microdroid_manifest", "microdroid_plat_sepolicy_and_mapping.sha256", "microdroid_property_contexts", "microdroid_service_contexts", // TODO(b/195425111) these should be added automatically "libcrypto", // used by many (init_second_stage, microdroid_manager, toybox, etc) "liblzma", // used by init_second_stage ] + microdroid_shell_and_utilities, multilib: { common: { deps: [ // non-updatable & mandatory apexes "com.android.runtime", "microdroid_plat_sepolicy.cil", "microdroid_plat_mapping_file", ], }, lib64: { deps: [ "apkdmverity", "authfs", "authfs_service", "microdroid_manager", "zipfuse", ], }, }, linker_config_src: "linker.config.json", base_dir: "system", dirs: microdroid_rootdirs, symlinks: microdroid_symlinks, file_contexts: ":microdroid_file_contexts.gen", } prebuilt_etc { name: "microdroid_init_rc", filename: "init.rc", src: "init.rc", relative_install_path: "init/hw", installable: false, // avoid collision with system partition's init.rc } prebuilt_etc { name: "microdroid_ueventd_rc", filename: "ueventd.rc", src: "ueventd.rc", installable: false, // avoid collision with system partition's ueventd.rc } prebuilt_root { name: "microdroid_build_prop", filename: "build.prop", src: "build.prop", arch: { x86_64: { src: ":microdroid_build_prop_gen_x86_64", }, arm64: { src: ":microdroid_build_prop_gen_arm64", }, }, installable: false, } genrule { name: "microdroid_build_prop_gen_x86_64", srcs: [ "build.prop", ":buildinfo.prop", ], out: ["build.prop.out"], cmd: "(echo '# build properties from buildinfo.prop module' && " + "grep ro\\.build\\.version\\.codename= $(location :buildinfo.prop) && " + "grep ro\\.build\\.version\\.release= $(location :buildinfo.prop) && " + "grep ro\\.build\\.version\\.sdk= $(location :buildinfo.prop) && " + "grep ro\\.build\\.version\\.security_patch= $(location :buildinfo.prop) && " + "cat $(location build.prop) && " + "echo ro.product.cpu.abilist=x86_64) > $(out)", } genrule { name: "microdroid_build_prop_gen_arm64", srcs: [ "build.prop", ":buildinfo.prop", ], out: ["build.prop.out"], cmd: "(echo '# build properties from buildinfo.prop module' && " + "grep ro\\.build\\.version\\.codename= $(location :buildinfo.prop) && " + "grep ro\\.build\\.version\\.release= $(location :buildinfo.prop) && " + "grep ro\\.build\\.version\\.sdk= $(location :buildinfo.prop) && " + "grep ro\\.build\\.version\\.security_patch= $(location :buildinfo.prop) && " + "cat $(location build.prop) && " + "echo ro.product.cpu.abilist=arm64-v8a) > $(out)", } android_filesystem { name: "microdroid_vendor", partition_name: "vendor", use_avb: true, deps: [ "android.hardware.security.dice-service.microdroid", "microdroid_fstab", "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256", "microdroid_vendor_manifest", "microdroid_vendor_compatibility_matrix", ], multilib: { common: { deps: [ "microdroid_vendor_sepolicy.cil", "microdroid_plat_pub_versioned.cil", "microdroid_plat_sepolicy_vers.txt", "microdroid_precompiled_sepolicy", ], }, }, avb_private_key: ":microdroid_sign_key", avb_algorithm: "SHA256_RSA4096", avb_hash_algorithm: "sha256", file_contexts: ":microdroid_vendor_file_contexts.gen", } logical_partition { name: "microdroid_super", sparse: true, size: "auto", default_group: [ { name: "system_a", filesystem: ":microdroid", }, { name: "vendor_a", filesystem: ":microdroid_vendor", }, ], } microdroid_boot_cmdline = [ "panic=-1", "bootconfig", "ioremap_guard", ] bootimg { name: "microdroid_boot-5.10", // We don't have kernel for arm and x86. But Soong demands one when it builds for // arm or x86 target. Satisfy that by providing an empty file as the kernel. kernel_prebuilt: "empty_kernel", arch: { arm64: { kernel_prebuilt: ":kernel_prebuilts-5.10-arm64", cmdline: microdroid_boot_cmdline, }, x86_64: { kernel_prebuilt: ":kernel_prebuilts-5.10-x86_64", cmdline: microdroid_boot_cmdline + [ // console=none is to work around the x86 specific u-boot behavior which when // console= option is not found in the kernel commandline console=ttyS0 is // automatically added. By adding console=none, we can prevent u-boot from doing // that. Note that console is set to hvc0 by bootconfig if the VM is configured as // debuggable. "console=none", "acpi=noirq", ], }, }, dtb_prebuilt: "dummy_dtb.img", header_version: "4", partition_name: "boot", use_avb: true, avb_private_key: ":microdroid_sign_key", } bootimg { name: "microdroid_init_boot", ramdisk_module: "microdroid_ramdisk-5.10", kernel_prebuilt: "empty_kernel", header_version: "4", partition_name: "init_boot", use_avb: true, avb_private_key: ":microdroid_sign_key", } android_filesystem { name: "microdroid_ramdisk-5.10", deps: [ "init_first_stage", ], dirs: [ "dev", "proc", "sys", // TODO(jiyong): remove these "mnt", "debug_ramdisk", "second_stage_resources", ], type: "compressed_cpio", } bootimg { name: "microdroid_vendor_boot-5.10", ramdisk_module: "microdroid_vendor_ramdisk-5.10", dtb_prebuilt: "dummy_dtb.img", header_version: "4", vendor_boot: true, arch: { arm64: { bootconfig: ":microdroid_bootconfig_arm64_gen", }, x86_64: { bootconfig: ":microdroid_bootconfig_x86_64_gen", }, }, partition_name: "vendor_boot", use_avb: true, avb_private_key: ":microdroid_sign_key", } prebuilt_kernel_modules { name: "microdroid_kernel_modules", arch: { arm64: { srcs: [":virt_device_prebuilts_kernel_modules_microdroid-5.10-arm64"], }, x86_64: { srcs: [":virt_device_prebuilts_kernel_modules_microdroid-5.10-x86_64"], }, }, kernel_version: "5.10", } android_filesystem { name: "microdroid_vendor_ramdisk-5.10", deps: [ "microdroid_fstab", "microdroid_kernel_modules", ], base_dir: "first_stage_ramdisk", type: "compressed_cpio", symlinks: [ { target: "etc/fstab.microdroid", name: "first_stage_ramdisk/fstab.microdroid", }, { target: "first_stage_ramdisk/lib", name: "lib", }, ], } genrule { name: "microdroid_bootconfig_arm64_gen", srcs: [ "bootconfig.common", "bootconfig.arm64", ], out: ["bootconfig"], cmd: "cat $(in) > $(out)", } genrule { name: "microdroid_bootconfig_x86_64_gen", srcs: [ "bootconfig.common", "bootconfig.x86_64", ], out: ["bootconfig"], cmd: "cat $(in) > $(out)", } vbmeta { name: "microdroid_vbmeta_bootconfig", partition_name: "vbmeta", private_key: ":microdroid_sign_key", chained_partitions: [ { name: "bootconfig", private_key: ":microdroid_sign_key", }, { name: "uboot_env", private_key: ":microdroid_sign_key", }, ], } // See external/avb/avbtool.py // MAX_VBMETA_SIZE=64KB, MAX_FOOTER_SIZE=4KB avb_hash_footer_kb = "68" prebuilt_etc { name: "microdroid_bootconfig_normal", src: ":microdroid_bootconfig_normal_gen", filename: "microdroid_bootconfig.normal", } prebuilt_etc { name: "microdroid_bootconfig_app_debuggable", src: ":microdroid_bootconfig_app_debuggable_gen", filename: "microdroid_bootconfig.app_debuggable", } prebuilt_etc { name: "microdroid_bootconfig_full_debuggable", src: ":microdroid_bootconfig_full_debuggable_gen", filename: "microdroid_bootconfig.full_debuggable", } // TODO(jiyong): make a new module type that does the avb signing genrule { name: "microdroid_bootconfig_normal_gen", tools: ["avbtool"], srcs: [ "bootconfig.normal", ":microdroid_sign_key", ], out: ["microdroid_bootconfig.normal"], cmd: "cp $(location bootconfig.normal) $(out) && " + "$(location avbtool) add_hash_footer " + "--algorithm SHA256_RSA4096 " + "--partition_name bootconfig " + "--key $(location :microdroid_sign_key) " + "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " + "--image $(out)", } genrule { name: "microdroid_bootconfig_app_debuggable_gen", tools: ["avbtool"], srcs: [ "bootconfig.app_debuggable", ":microdroid_sign_key", ], out: ["microdroid_bootconfig.app_debuggable"], cmd: "cp $(location bootconfig.app_debuggable) $(out) && " + "$(location avbtool) add_hash_footer " + "--algorithm SHA256_RSA4096 " + "--partition_name bootconfig " + "--key $(location :microdroid_sign_key) " + "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " + "--image $(out)", } genrule { name: "microdroid_bootconfig_full_debuggable_gen", tools: ["avbtool"], srcs: [ "bootconfig.full_debuggable", ":microdroid_sign_key", ], out: ["microdroid_bootconfig.full_debuggable"], cmd: "cp $(location bootconfig.full_debuggable) $(out) && " + "$(location avbtool) add_hash_footer " + "--algorithm SHA256_RSA4096 " + "--partition_name bootconfig " + "--key $(location :microdroid_sign_key) " + "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " + "--image $(out)", } prebuilt_etc { name: "microdroid_fstab", src: "fstab.microdroid", filename: "fstab.microdroid", installable: false, } prebuilt_etc { name: "microdroid_bootloader", src: ":microdroid_bootloader_gen", arch: { x86_64: { // For unknown reason, the signed bootloader doesn't work on x86_64. Until the problem // is fixed, let's use the unsigned bootloader for the architecture. // TODO(b/185115783): remove this src: ":microdroid_bootloader_pubkey_replaced", }, }, filename: "microdroid_bootloader", } genrule { name: "microdroid_bootloader_gen", tools: ["avbtool"], srcs: [ ":microdroid_bootloader_pubkey_replaced", ":microdroid_sign_key", ], out: ["bootloader-signed"], // 1. Copy the input to the output becaise avbtool modifies --image in // place. // 2. Check if the file is big enough. For arm and x86 we have fake // bootloader file whose size is 1. It can't pass avbtool. // 3. Add the hash footer. The partition size is set to (image size + 68KB) // rounded up to 4KB boundary. cmd: "cp $(location :microdroid_bootloader_pubkey_replaced) $(out) && " + "if [ $$(stat --format=%s $(out)) -gt 4096 ]; then " + "$(location avbtool) add_hash_footer " + "--algorithm SHA256_RSA4096 " + "--partition_name bootloader " + "--key $(location :microdroid_sign_key) " + "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " + "--image $(out)" + "; fi", } // Replace avbpubkey of prebuilt bootloader with the avbpubkey of the signing key genrule { name: "microdroid_bootloader_pubkey_replaced", tools: ["replace_bytes"], srcs: [ ":microdroid_crosvm_bootloader", // input (bootloader) ":microdroid_crosvm_bootloader.avbpubkey", // old bytes (old pubkey) ":microdroid_bootloader_avbpubkey_gen", // new bytes (new pubkey) ], out: ["bootloader-pubkey-replaced"], // 1. Copy the input to the output (replace_bytes modifies the file in-place) // 2. Check if the file is big enough. For arm and x86 we have fake // bootloader file whose size is 1. (replace_bytes fails if key not found) // 3. Replace embedded pubkey with new one. cmd: "cp $(location :microdroid_crosvm_bootloader) $(out) && " + "if [ $$(stat --format=%s $(out)) -gt 4096 ]; then " + "$(location replace_bytes) $(out) " + "$(location :microdroid_crosvm_bootloader.avbpubkey) " + "$(location :microdroid_bootloader_avbpubkey_gen)" + "; fi", } // Apex keeps a copy of avbpubkey embedded in bootloader so that embedded avbpubkey can be replaced // while re-signing bootloader. prebuilt_etc { name: "microdroid_bootloader.avbpubkey", src: ":microdroid_bootloader_avbpubkey_gen", } // Generate avbpukey from the signing key genrule { name: "microdroid_bootloader_avbpubkey_gen", tools: ["avbtool"], srcs: [":microdroid_sign_key"], out: ["bootloader.pubkey"], cmd: "$(location avbtool) extract_public_key " + "--key $(location :microdroid_sign_key) " + "--output $(out)", } prebuilt_etc { name: "microdroid_uboot_env", src: ":microdroid_uboot_env_gen", filename: "uboot_env.img", } genrule { name: "microdroid_uboot_env_gen", tools: [ "mkenvimage_slim", "avbtool", ], srcs: [ "uboot-env.txt", ":microdroid_sign_key", ], out: ["output.img"], cmd: "$(location mkenvimage_slim) -output_path $(out) -input_path $(location uboot-env.txt) && " + "$(location avbtool) add_hash_footer " + "--algorithm SHA256_RSA4096 " + "--partition_name uboot_env " + "--key $(location :microdroid_sign_key) " + "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " + "--image $(out)", } // Note that keys can be different for filesystem images even though we're using the same key // for microdroid. However, the key signing VBmeta should match with the pubkey embedded in // bootloader. filegroup { name: "microdroid_sign_key", srcs: [":avb_testkey_rsa4096"], } vbmeta { name: "microdroid_vbmeta", partition_name: "vbmeta", private_key: ":microdroid_sign_key", partitions: [ "microdroid_vendor", "microdroid_vendor_boot-5.10", "microdroid", "microdroid_boot-5.10", "microdroid_init_boot", ], } prebuilt_etc { name: "microdroid.json", src: "microdroid.json", } prebuilt_etc { name: "microdroid_vendor_manifest", src: "microdroid_vendor_manifest.xml", filename: "manifest.xml", relative_install_path: "vintf", installable: false, } prebuilt_etc { name: "microdroid_vendor_compatibility_matrix", src: "microdroid_vendor_compatibility_matrix.xml", filename: "compatibility_matrix.xml", relative_install_path: "vintf", installable: false, } prebuilt_etc { name: "microdroid_compatibility_matrix", src: "microdroid_compatibility_matrix.xml", filename: "compatibility_matrix.current.xml", relative_install_path: "vintf", installable: false, } prebuilt_etc { name: "microdroid_manifest", src: "microdroid_manifest.xml", filename: "manifest.xml", relative_install_path: "vintf", installable: false, } prebuilt_etc { name: "microdroid_event-log-tags", src: "microdroid_event-log-tags", filename: "event-log-tags", installable: false, }