1/*
2 * Copyright (C) 2021 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
// By default this device uses hardware-wrapped keys for storage encryption,
// which is intended to offer increased security over the traditional method
// (software keys).  However, hardware-wrapped keys aren't compatible with
// FIPS-140 certification of the encryption hardware, so their use has to be
// disabled in FIPS mode.  This requires having two fstab files: one for the
// default mode, and one for FIPS mode, selectable via
// androidboot.fstab_suffix on the kernel command line.  These fstabs should be
// identical with the exception of the encryption settings, so to keep them in
// sync the rules below generate them from a template file.  The rules also
// define software-key (-sw-encrypt) and unencrypted (-no-encrypt) variants;
// among the modules in this file, only the hardware-wrapped and FIPS outputs
// are installed by prebuilt_etc.
26
package {
    // License metadata added by a large-scale change; background is at
    // http://go/android-license-faq.  Every module in this file inherits the
    // license kinds of "device_google_zumapro_license", which gives:
    //   SPDX-license-identifier-Apache-2.0
    default_applicable_licenses: ["device_google_zumapro_license"],
}
35
// Hardware-wrapped-key fstab for zuma, generated from the shared template.
// The sed expressions fill the three template placeholders:
//   @fileencryption@      -> fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0
//   @inlinecrypt@         -> inlinecrypt
//   @metadata_encryption@ -> metadata_encryption=:wrappedkey_v0
// The cipher field before the first ':' is left empty in both options
// (presumably the platform default applies -- confirm against the fstab docs).
// NOTE(review): sed succeeds whether or not a placeholder matches.  A
// misspelled placeholder in the template stays in the output verbatim and a
// missing one leaves the option out entirely; neither fails the build.  A
// check on $(out) (no leftover @...@ token, expected options present) would
// turn that into a build error.
genrule {
    name: "gen_fstab.zuma-hw-encrypt",
    srcs: ["fstab.zumapro.in"],
    out: ["fstab.zuma"],
    cmd: "sed" +
        " -e s/@fileencryption@/fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0/" +
        " -e s/@inlinecrypt@/inlinecrypt/ " +
        " -e s/@metadata_encryption@/metadata_encryption=:wrappedkey_v0/" +
        " $(in) > $(out)",
}
44
// Hardware-wrapped-key fstab for zumapro.  Same template and same three
// substitutions as the zuma hardware-wrapped rule; only the module name and
// the output file name (fstab.zumapro) differ.  Both fileencryption and
// metadata_encryption carry the wrappedkey_v0 flag, and the inlinecrypt mount
// option is kept.
// NOTE(review): sed reports success even if a placeholder is absent from the
// template, so the encryption options can go missing without a build error;
// a post-check on $(out) would catch that.
genrule {
    name: "gen_fstab.zumapro-hw-encrypt",
    srcs: ["fstab.zumapro.in"],
    out: ["fstab.zumapro"],
    cmd: "sed" +
        " -e s/@fileencryption@/fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0/" +
        " -e s/@inlinecrypt@/inlinecrypt/ " +
        " -e s/@metadata_encryption@/metadata_encryption=:wrappedkey_v0/" +
        " $(in) > $(out)",
}
53
// Software-key fstab for zuma: fileencryption names aes-256-xts and
// aes-256-hctr2 explicitly and has no wrappedkey_v0 flag, the inlinecrypt
// mount option is removed, and metadata_encryption= is emitted with an empty
// value (presumably selecting the default cipher -- confirm).
// The output is also named fstab.zuma, the same as the hardware-wrapped rule;
// no prebuilt_etc module in this file takes this rule as its src.
genrule {
    name: "gen_fstab.zuma-sw-encrypt",
    srcs: ["fstab.zumapro.in"],
    out: ["fstab.zuma"],
    cmd: "sed" +
        " -e s/@fileencryption@/fileencryption=aes-256-xts:aes-256-hctr2/" +
        " -e s/@inlinecrypt@// " +
        " -e s/@metadata_encryption@/metadata_encryption=/" +
        " $(in) > $(out)",
}
62
// Software-key fstab for zumapro: identical substitutions to the zuma
// software-key rule (explicit aes-256-xts / aes-256-hctr2, no wrappedkey_v0,
// no inlinecrypt, metadata_encryption= with an empty value), written to
// fstab.zumapro.  No prebuilt_etc module in this file references this rule.
genrule {
    name: "gen_fstab.zumapro-sw-encrypt",
    srcs: ["fstab.zumapro.in"],
    out: ["fstab.zumapro"],
    cmd: "sed" +
        " -e s/@fileencryption@/fileencryption=aes-256-xts:aes-256-hctr2/" +
        " -e s/@inlinecrypt@// " +
        " -e s/@metadata_encryption@/metadata_encryption=/" +
        " $(in) > $(out)",
}
71
// Unencrypted fstab for zuma: all three placeholders are replaced with the
// empty string, so the output carries no fileencryption, inlinecrypt or
// metadata_encryption option from this template.
// NOTE(review): the output name (fstab.zuma) matches the default fstab, and
// no prebuilt_etc module in this file installs it.  Any target that selects
// this rule would leave user data unencrypted at rest, as far as these
// placeholders control it, so it should stay out of production
// configurations.
genrule {
    name: "gen_fstab.zuma-no-encrypt",
    srcs: ["fstab.zumapro.in"],
    out: ["fstab.zuma"],
    cmd: "sed" +
        " -e s/@fileencryption@//" +
        " -e s/@inlinecrypt@// " +
        " -e s/@metadata_encryption@//" +
        " $(in) > $(out)",
}
80
// Unencrypted fstab for zumapro: the three encryption placeholders are
// stripped, as in the zuma no-encrypt rule, and the result is written to
// fstab.zumapro.
// NOTE(review): not installed by any prebuilt_etc module in this file.
// Selecting it elsewhere removes the storage-encryption options these
// placeholders control, so treat any reference to this module as
// security-relevant.
genrule {
    name: "gen_fstab.zumapro-no-encrypt",
    srcs: ["fstab.zumapro.in"],
    out: ["fstab.zumapro"],
    cmd: "sed" +
        " -e s/@fileencryption@//" +
        " -e s/@inlinecrypt@// " +
        " -e s/@metadata_encryption@//" +
        " $(in) > $(out)",
}
89
// FIPS-mode fstab for zuma, written to fstab.zuma-fips.  Both
// fileencryption and metadata_encryption are set to aes-256-xts with no
// wrappedkey_v0 flag, which matches the file header: hardware-wrapped keys
// are disabled in FIPS mode.  The inlinecrypt mount option is kept.
// Unlike the other encrypted variants, no filenames mode is given after the
// contents cipher (presumably the platform default applies -- confirm).
// NOTE(review): sed succeeds even when a placeholder is missing from the
// template, so a template edit could drop these options without a build
// error; a post-check on $(out) would catch that.
genrule {
    name: "gen_fstab.zuma-fips",
    srcs: ["fstab.zumapro.in"],
    out: ["fstab.zuma-fips"],
    cmd: "sed" +
        " -e s/@fileencryption@/fileencryption=aes-256-xts/" +
        " -e s/@inlinecrypt@/inlinecrypt/ " +
        " -e s/@metadata_encryption@/metadata_encryption=aes-256-xts/" +
        " $(in) > $(out)",
}
98
// FIPS-mode fstab for zumapro, written to fstab.zumapro-fips.  Same
// substitutions as the zuma FIPS rule: aes-256-xts for both file and metadata
// encryption, inlinecrypt kept, and no wrappedkey_v0 flag (hardware-wrapped
// keys are disabled in FIPS mode, per the file header).
// NOTE(review): a missing or misspelled placeholder in the template does not
// fail this rule; a post-check on $(out) would make that visible.
genrule {
    name: "gen_fstab.zumapro-fips",
    srcs: ["fstab.zumapro.in"],
    out: ["fstab.zumapro-fips"],
    cmd: "sed" +
        " -e s/@fileencryption@/fileencryption=aes-256-xts/" +
        " -e s/@inlinecrypt@/inlinecrypt/ " +
        " -e s/@metadata_encryption@/metadata_encryption=aes-256-xts/" +
        " $(in) > $(out)",
}
107
// Installs the default fstab for zuma as a vendor module that is also
// available to the vendor ramdisk.  The src is what selects the default
// encryption mode: it takes the output of the hardware-wrapped-key rule.
// Repointing it at the -sw-encrypt or -no-encrypt rule would change at-rest
// protection for every build using this module, so changes here warrant
// security review.
prebuilt_etc {
    name: "fstab.zuma",
    vendor: true,
    vendor_ramdisk_available: true,
    src: ":gen_fstab.zuma-hw-encrypt",
}
114
// Installs the default fstab for zumapro as a vendor module that is also
// available to the vendor ramdisk.  Its src is the hardware-wrapped-key
// rule, so this module is where the default encryption mode for zumapro is
// chosen; a change of src is a change of storage-encryption policy.
prebuilt_etc {
    name: "fstab.zumapro",
    vendor: true,
    vendor_ramdisk_available: true,
    src: ":gen_fstab.zumapro-hw-encrypt",
}
121
// Installs the FIPS-mode fstab for zuma (vendor module, also available to
// the vendor ramdisk).  Per the file header, this file is used instead of the
// default fstab when androidboot.fstab_suffix on the kernel command line
// selects it.
prebuilt_etc {
    name: "fstab.zuma-fips",
    vendor: true,
    vendor_ramdisk_available: true,
    src: ":gen_fstab.zuma-fips",
}
128
// Installs the FIPS-mode fstab for zumapro (vendor module, also available to
// the vendor ramdisk).  Per the file header, it is selected through
// androidboot.fstab_suffix on the kernel command line rather than by default.
prebuilt_etc {
    name: "fstab.zumapro-fips",
    vendor: true,
    vendor_ramdisk_available: true,
    src: ":gen_fstab.zumapro-fips",
}
135