• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1// Copyright 2023, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15// Rust bindgen wrappers to allow calling into libavb from Rust.
16//
17// The auto-generated wrappers are Rust unsafe and somewhat difficult to work
18// with so are not exposed outside of this directory; instead we will provide
19// a safe higher-level Rust API.
20rust_defaults {
21    name: "libavb_bindgen.common.defaults",
22    wrapper_src: "bindgen/avb.h",
23    crate_name: "avb_bindgen",
24    edition: "2021",
25    visibility: [
26        ":__subpackages__",
27        // TODO(b/290110273): add the Rust public API layer here and adjust
28        // Virtualization packages to depend on it instead of the raw bindgen.
29        "//packages/modules/Virtualization:__subpackages__",
30    ],
31    source_stem: "bindings",
32    bindgen_flags: [
33        "--constified-enum-module=AvbDescriptorTag",
34        "--bitfield-enum=Avb.*Flags",
35        "--default-enum-style rust",
36        "--with-derive-default",
37        "--with-derive-custom=Avb.*Descriptor=FromZeroes,FromBytes",
38        "--with-derive-custom=AvbCertPermanentAttributes=FromZeroes,FromBytes,AsBytes",
39        "--with-derive-custom=AvbCertCertificate.*=FromZeroes,FromBytes,AsBytes",
40        "--with-derive-custom=AvbCertUnlock.*=FromZeroes,FromBytes,AsBytes",
41        "--allowlist-type=AvbDescriptorTag",
42        "--allowlist-type=Avb.*Flags",
43        "--allowlist-function=.*",
44        "--allowlist-var=AVB.*",
45        "--use-core",
46        "--raw-line=#![no_std]",
47        "--raw-line=use zerocopy::{AsBytes, FromBytes, FromZeroes};",
48        "--ctypes-prefix=core::ffi",
49    ],
50    cflags: ["-DBORINGSSL_NO_CXX"],
51}
52
53// Full bindgen defaults for std targets.
54rust_defaults {
55    name: "libavb_bindgen.std.defaults",
56    defaults: ["libavb_bindgen.common.defaults"],
57    host_supported: true,
58    static_libs: ["libavb_cert"],
59    shared_libs: ["libcrypto"],
60    rustlibs: ["libzerocopy"],
61    apex_available: ["com.android.virt"],
62}
63
64// Full bindgen default for nostd targets.
65rust_defaults {
66    name: "libavb_bindgen.nostd.defaults",
67    defaults: ["libavb_bindgen.common.defaults"],
68    static_libs: [
69        "libavb_cert_baremetal",
70        "libcrypto_baremetal",
71    ],
72    rustlibs: ["libzerocopy_nostd_noalloc"],
73}
74
75// Internal source-only bindgen with std.
76//
77// This target should only be used as `srcs`, not `rustlibs` or `rlibs`. This
78// is because the `rust_bindgen` rule intentionally only generates rlibs
79// (b/166332519), and also forces its dependencies to use rlibs. However, this
80// can create mismatched library types if the depenency is also used elsewhere
81// in a build rule as a dylib. In particular for us, libzerocopy and its own
82// dependency libbyteorder trigger this problem like so:
83//
84//              build target (prefer dylib)
85//                  /                 \
86//          libavb_rs (dylib)          \
87//               /                      \
88//       libavb_bindgen (rlib)    ... arbitrary dependency chain (dylib) ...
89//            /                             \
90//     libzerocopy (rlib)                    \
91//         /                                  \
92//   libbyteorder (rlib)               libbyteorder (dylib)
93//
94// By using it as a `srcs` instead, we can wrap it in a `rust_library` which
95// allows selecting either library type and fixes the conflict:
96//
97//              build target (prefer dylib)
98//                  /                 \
99//          libavb_rs (dylib)          \
100//               /                      \
101//       libavb_bindgen (dylib)    ... arbitrary dependency chain (dylib) ...
102//            /                         /
103//     libzerocopy (dylib)             /
104//                 \                  /
105//                  libbyteorder (dylib)
106//
107rust_bindgen {
108    name: "libavb_bindgen_for_srcs_only",
109    defaults: ["libavb_bindgen.std.defaults"],
110}
111
112// Bindgen with std.
113//
114// See above for why we need a `rust_library` wrapper here.
115rust_library {
116    name: "libavb_bindgen",
117    defaults: ["libavb_bindgen.std.defaults"],
118    srcs: [":libavb_bindgen_for_srcs_only"],
119}
120
121// Bindgen nostd.
122//
123// Nostd targets always use rlibs, so we don't need a `rust_library` wrapper in
124// this case; the rlib-only bindgen target is sufficient.
125rust_bindgen {
126    name: "libavb_bindgen_nostd",
127    defaults: ["libavb_bindgen.nostd.defaults"],
128}
129
130// Bindgen auto-generated tests.
131rust_test {
132    name: "libavb_bindgen_test",
133    srcs: [":libavb_bindgen_for_srcs_only"],
134    crate_name: "avb_bindgen_test",
135    edition: "2021",
136    test_suites: ["general-tests"],
137    auto_gen_config: true,
138    clippy_lints: "none",
139    lints: "none",
140    rustlibs: ["libzerocopy"],
141}
142
143// Rust library wrapping libavb C implementation.
144
145// Common defaults for all variations.
146rust_defaults {
147    name: "libavb_rs_common.defaults",
148    crate_name: "avb",
149    srcs: ["src/lib.rs"],
150    clippy_lints: "android",
151    lints: "android",
152}
153
154// No std, no features.
155rust_defaults {
156    name: "libavb_rs_nostd.defaults",
157    defaults: ["libavb_rs_common.defaults"],
158    // Only rlib can build without the required nostd hooks (eh_personality,
159    // panic_handler, etc) to defer them for the final binary to implement.
160    prefer_rlib: true,
161    no_stdlibs: true,
162    rustlibs: [
163        "libavb_bindgen_nostd",
164        "libzerocopy_nostd_noalloc",
165    ],
166    whole_static_libs: [
167        "libavb_cert_baremetal",
168    ],
169    stdlibs: [
170        "libcore.rust_sysroot",
171    ],
172}
173
174// Std, no features.
175rust_defaults {
176    name: "libavb_rs.defaults",
177    defaults: ["libavb_rs_common.defaults"],
178    host_supported: true,
179    rustlibs: [
180        "libavb_bindgen",
181        "libzerocopy",
182    ],
183    whole_static_libs: [
184        "libavb_cert",
185    ],
186}
187
188// Adds UUID feature for nostd.
189rust_defaults {
190    name: "libavb_rs_nostd.uuid.defaults",
191    features: [
192        "uuid",
193    ],
194    rustlibs: [
195        "libuuid_nostd",
196    ],
197}
198
199// Adds UUID feature for std.
200rust_defaults {
201    name: "libavb_rs.uuid.defaults",
202    features: [
203        "uuid",
204    ],
205    rustlibs: [
206        "libuuid",
207    ],
208}
209
210// lib: no std, no features.
211rust_library_rlib {
212    name: "libavb_rs_nostd",
213    defaults: ["libavb_rs_nostd.defaults"],
214}
215
216// lib: no std, UUID feature.
217rust_library_rlib {
218    name: "libavb_rs_nostd_uuid",
219    defaults: [
220        "libavb_rs_nostd.defaults",
221        "libavb_rs_nostd.uuid.defaults",
222    ],
223}
224
225// lib: std, no features.
226rust_library {
227    name: "libavb_rs",
228    defaults: ["libavb_rs.defaults"],
229}
230
231// lib: std, UUID feature.
232rust_library {
233    name: "libavb_rs_uuid",
234    defaults: [
235        "libavb_rs.defaults",
236        "libavb_rs.uuid.defaults",
237    ],
238}
239
240// TestOps lib: std
241rust_library {
242    crate_name: "avb_test",
243    name: "libavb_test_rs_testops",
244    srcs: ["tests/test_ops.rs"],
245    clippy_lints: "android",
246    lints: "android",
247    host_supported: true,
248    rustlibs: [
249        "libavb_rs",
250    ],
251    whole_static_libs: [
252        "libavb_cert",
253    ],
254}
255
256// "libavb_rs.defaults" plus additional unit test defaults.
257rust_defaults {
258    name: "libavb_rs_unittest.defaults",
259    defaults: ["libavb_rs.defaults"],
260    data: [":libavb_rs_example_descriptors"],
261    test_suites: ["general-tests"],
262}
263
264// Unit tests: std, no features.
265rust_test {
266    name: "libavb_rs_unittest",
267    defaults: ["libavb_rs_unittest.defaults"],
268}
269
270// Unit tests: std, UUID feature.
271rust_test {
272    name: "libavb_rs_uuid_unittest",
273    defaults: [
274        "libavb_rs_unittest.defaults",
275        "libavb_rs.uuid.defaults",
276    ],
277}
278
279// Example descriptors in binary format.
280filegroup {
281    name: "libavb_rs_example_descriptors",
282    srcs: [
283        "testdata/chain_partition_descriptor.bin",
284        "testdata/hash_descriptor.bin",
285        "testdata/hashtree_descriptor.bin",
286        "testdata/kernel_commandline_descriptor.bin",
287        "testdata/property_descriptor.bin",
288    ],
289}
290
291// Integration test defaults.
292rust_defaults {
293    name: "libavb_rs_test.defaults",
294    srcs: ["tests/tests.rs"],
295    data: [
296        ":avb_cert_test_permanent_attributes",
297        ":avb_cert_test_unlock_challenge",
298        ":avb_cert_test_unlock_credential",
299        ":avb_testkey_rsa4096_pub_bin",
300        ":avb_testkey_rsa8192_pub_bin",
301        ":avbrs_test_image",
302        ":avbrs_test_image_with_vbmeta_footer",
303        ":avbrs_test_image_with_vbmeta_footer_for_boot",
304        ":avbrs_test_image_with_vbmeta_footer_for_test_part_2",
305        ":avbrs_test_vbmeta",
306        ":avbrs_test_vbmeta_2_parts",
307        ":avbrs_test_vbmeta_cert",
308        ":avbrs_test_vbmeta_persistent_digest",
309        ":avbrs_test_vbmeta_with_chained_partition",
310        ":avbrs_test_vbmeta_with_commandline",
311        ":avbrs_test_vbmeta_with_hashtree",
312        ":avbrs_test_vbmeta_with_property",
313    ],
314    rustlibs: [
315        "libhex",
316        "libzerocopy",
317    ],
318    test_suites: ["general-tests"],
319    clippy_lints: "android",
320    lints: "android",
321}
322
323// Integration test: no features.
324rust_test {
325    name: "libavb_rs_test",
326    defaults: ["libavb_rs_test.defaults"],
327    rustlibs: ["libavb_rs"],
328}
329
330// Integration test: UUID feature.
331rust_test {
332    name: "libavb_rs_uuid_test",
333    defaults: [
334        "libavb_rs.uuid.defaults",
335        "libavb_rs_test.defaults",
336    ],
337    rustlibs: ["libavb_rs_uuid"],
338}
339
340// Test images for verification.
341
342// Unsigned 16KiB test image.
343genrule {
344    name: "avbrs_test_image",
345    tools: ["avbtool"],
346    out: ["test_image.img"],
347    cmd: "$(location avbtool) generate_test_image --image_size 16384 --output $(out)",
348}
349
350// Unsigned vbmeta blob containing the test image descriptor for partition name "test_part".
351avb_gen_vbmeta_image {
352    name: "avbrs_test_image_descriptor",
353    src: ":avbrs_test_image",
354    partition_name: "test_part",
355    salt: "1000",
356}
357
358// Unsigned vbmeta blob containing the test image descriptor for partition name "test_part_2".
359avb_gen_vbmeta_image {
360    name: "avbrs_test_image_descriptor_2",
361    src: ":avbrs_test_image",
362    partition_name: "test_part_2",
363    salt: "1001",
364}
365
366// Unsigned vbmeta blob containing a persistent digest descriptor for partition name
367// "test_part_persistent_digest".
368//
369// Currently this is the only in-tree usage of persistent digests, but if anyone else needs it
370// later on it may be worth folding support for this into the `avb_gen_vbmeta_image` rule.
371genrule {
372    name: "avbrs_test_image_descriptor_persistent_digest",
373    tools: ["avbtool"],
374    srcs: [":avbrs_test_image"],
375    out: ["avbrs_test_image_descriptor_persistent_digest.img"],
376    cmd: "$(location avbtool) add_hash_footer --image $(location :avbrs_test_image) --partition_name test_part_persistent_digest --dynamic_partition_size --do_not_append_vbmeta_image --use_persistent_digest --output_vbmeta_image $(out)",
377}
378
379// Unsigned vbmeta blob containing a hastree descriptor for partition name
380// "test_part_hashtree".
381genrule {
382    name: "avbrs_test_image_descriptor_hashtree",
383    tools: ["avbtool"],
384    srcs: [":avbrs_test_image"],
385    out: ["avbrs_test_image_descriptor_hashtree.img"],
386    // Generating FEC values requires the `fec` tool to be on $PATH, which does
387    // not seems to be possible here. For now pass `--do_not_generate_fec`.
388    cmd: "$(location avbtool) add_hashtree_footer --image $(location :avbrs_test_image) --partition_name test_part_hashtree --partition_size 0 --salt B000 --do_not_append_vbmeta_image --output_vbmeta_image $(out) --do_not_generate_fec",
389}
390
391// Standalone vbmeta image signing the test image descriptor.
392genrule {
393    name: "avbrs_test_vbmeta",
394    tools: ["avbtool"],
395    srcs: [
396        ":avbrs_test_image_descriptor",
397        ":avb_testkey_rsa4096",
398    ],
399    out: ["test_vbmeta.img"],
400    cmd: "$(location avbtool) make_vbmeta_image --key $(location :avb_testkey_rsa4096) --algorithm SHA512_RSA4096 --include_descriptors_from_image $(location :avbrs_test_image_descriptor) --output $(out)",
401}
402
403// Standalone vbmeta image signing the test image descriptor with
404// `avb_cert_testkey_psk` and `avb_cert_test_metadata`.
405genrule {
406    name: "avbrs_test_vbmeta_cert",
407    tools: ["avbtool"],
408    srcs: [
409        ":avbrs_test_image_descriptor",
410        ":avb_cert_test_metadata",
411        ":avb_cert_testkey_psk",
412    ],
413    out: ["test_vbmeta_cert.img"],
414    cmd: "$(location avbtool) make_vbmeta_image --key $(location :avb_cert_testkey_psk) --public_key_metadata $(location :avb_cert_test_metadata) --algorithm SHA512_RSA4096 --include_descriptors_from_image $(location :avbrs_test_image_descriptor) --output $(out)",
415}
416
417// Standalone vbmeta image signing the test image descriptors for "test_part" and "test_part_2".
418genrule {
419    name: "avbrs_test_vbmeta_2_parts",
420    tools: ["avbtool"],
421    srcs: [
422        ":avbrs_test_image_descriptor",
423        ":avbrs_test_image_descriptor_2",
424        ":avb_testkey_rsa4096",
425    ],
426    out: ["test_vbmeta_2_parts.img"],
427    cmd: "$(location avbtool) make_vbmeta_image --key $(location :avb_testkey_rsa4096) --algorithm SHA512_RSA4096 --include_descriptors_from_image $(location :avbrs_test_image_descriptor) --include_descriptors_from_image $(location :avbrs_test_image_descriptor_2) --output $(out)",
428}
429
430// Standalone vbmeta image signing the test image persistent digest descriptor.
431genrule {
432    name: "avbrs_test_vbmeta_persistent_digest",
433    tools: ["avbtool"],
434    srcs: [
435        ":avbrs_test_image_descriptor_persistent_digest",
436        ":avb_testkey_rsa4096",
437    ],
438    out: ["test_vbmeta_persistent_digest.img"],
439    cmd: "$(location avbtool) make_vbmeta_image --key $(location :avb_testkey_rsa4096) --algorithm SHA512_RSA4096 --include_descriptors_from_image $(location :avbrs_test_image_descriptor_persistent_digest) --output $(out)",
440}
441
442// Standalone vbmeta image with property descriptor "test_prop_key" = "test_prop_value".
443genrule {
444    name: "avbrs_test_vbmeta_with_property",
445    tools: ["avbtool"],
446    srcs: [
447        ":avbrs_test_image_descriptor",
448        ":avb_testkey_rsa4096",
449    ],
450    out: ["test_vbmeta_with_property.img"],
451    cmd: "$(location avbtool) make_vbmeta_image --prop test_prop_key:test_prop_value --key $(location :avb_testkey_rsa4096) --algorithm SHA512_RSA4096 --include_descriptors_from_image $(location :avbrs_test_image_descriptor) --output $(out)",
452}
453
454// Standalone vbmeta image with the test image hashtree descriptor.
455genrule {
456    name: "avbrs_test_vbmeta_with_hashtree",
457    tools: ["avbtool"],
458    srcs: [
459        ":avbrs_test_image_descriptor_hashtree",
460        ":avb_testkey_rsa4096",
461    ],
462    out: ["test_vbmeta_with_hashtree.img"],
463    cmd: "$(location avbtool) make_vbmeta_image --key $(location :avb_testkey_rsa4096) --algorithm SHA512_RSA4096 --include_descriptors_from_image $(location :avbrs_test_image_descriptor_hashtree) --output $(out)",
464}
465
466// Standalone vbmeta image with kernel commandline "test_cmdline_key=test_cmdline_value".
467genrule {
468    name: "avbrs_test_vbmeta_with_commandline",
469    tools: ["avbtool"],
470    srcs: [
471        ":avbrs_test_image_descriptor",
472        ":avb_testkey_rsa4096",
473    ],
474    out: ["test_vbmeta_with_commandline.img"],
475    cmd: "$(location avbtool) make_vbmeta_image --kernel_cmdline test_cmdline_key=test_cmdline_value --key $(location :avb_testkey_rsa4096) --algorithm SHA512_RSA4096 --include_descriptors_from_image $(location :avbrs_test_image_descriptor) --output $(out)",
476}
477
478// Standalone vbmeta image with chain descriptor to "test_part_2" with rollback
479// index 4, signed by avb_testkey_rsa8192.
480genrule {
481    name: "avbrs_test_vbmeta_with_chained_partition",
482    tools: ["avbtool"],
483    srcs: [
484        ":avbrs_test_image_descriptor",
485        ":avb_testkey_rsa4096",
486        ":avb_testkey_rsa8192_pub_bin",
487    ],
488    out: ["test_vbmeta_with_chained_partition.img"],
489    cmd: "$(location avbtool) make_vbmeta_image --chain_partition test_part_2:4:$(location :avb_testkey_rsa8192_pub_bin) --key $(location :avb_testkey_rsa4096) --algorithm SHA512_RSA4096 --include_descriptors_from_image $(location :avbrs_test_image_descriptor) --output $(out)",
490}
491
492// Combined test image + signed vbmeta footer for "test_part".
493avb_add_hash_footer {
494    name: "avbrs_test_image_with_vbmeta_footer",
495    src: ":avbrs_test_image",
496    partition_name: "test_part",
497    private_key: ":avb_testkey_rsa4096",
498    salt: "A000",
499}
500
501// Combined test image + signed vbmeta footer for "boot".
502avb_add_hash_footer {
503    name: "avbrs_test_image_with_vbmeta_footer_for_boot",
504    src: ":avbrs_test_image",
505    partition_name: "boot",
506    private_key: ":avb_testkey_rsa4096",
507    salt: "A001",
508}
509
510// Combined test image + signed vbmeta footer for "test_part_2" signed by
511// avb_testkey_rsa8192 with rollback index = 7.
512avb_add_hash_footer {
513    name: "avbrs_test_image_with_vbmeta_footer_for_test_part_2",
514    src: ":avbrs_test_image",
515    partition_name: "test_part_2",
516    private_key: ":avb_testkey_rsa8192",
517    algorithm: "SHA256_RSA8192",
518    salt: "A002",
519    rollback_index: 7,
520}
521