// Copyright (C) 2025 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Soong rules that run the Trusty build script (build.py) from inside the
// Android build and expose the resulting Trusty images as modules.

// Host Python entry point used as a tool by every genrule in this file.
// The srcs glob takes every *.py in this directory, so any script added here
// becomes part of the tool that produces the Trusty images.
python_binary_host {
    name: "build_trusty",
    srcs: ["*.py"],
    main: "build.py",
}

// Source directories handed to the Trusty genrules through dir_srcs in
// trusty_aosp.gen.defaults below. The list covers third-party code (crypto
// libraries, Rust crates), prebuilt toolchains and the Trusty kernel and apps,
// i.e. everything that can end up in, or influence, the generated images.
// Adding an entry widens the set of inputs to those images, so changes to this
// list deserve the same review as a dependency change.
// visibility restricts use of this dirgroup to the two scripts packages named.
dirgroup {
    name: "trusty_aosp_dirgroups",
    dirs: [
        ":trusty_dirgroup_external_boringssl",
        ":trusty_dirgroup_external_dtc",
        ":trusty_dirgroup_external_freetype",
        ":trusty_dirgroup_external_googletest",
        ":trusty_dirgroup_external_libcxx",
        ":trusty_dirgroup_external_libcxxabi",
        ":trusty_dirgroup_external_nanopb-c",
        ":trusty_dirgroup_external_open-dice",
        ":trusty_dirgroup_external_python_jinja",
        ":trusty_dirgroup_external_python_markupsafe",
        ":trusty_dirgroup_external_python_six",
        ":trusty_dirgroup_external_rust_crates_acpi",
        ":trusty_dirgroup_external_rust_crates_arrayvec",
        ":trusty_dirgroup_external_rust_crates_async-trait",
        ":trusty_dirgroup_external_rust_crates_bit_field",
        ":trusty_dirgroup_external_rust_crates_bitflags",
        ":trusty_dirgroup_external_rust_crates_byteorder",
        ":trusty_dirgroup_external_rust_crates_cfg-if",
        ":trusty_dirgroup_external_rust_crates_ciborium",
        ":trusty_dirgroup_external_rust_crates_ciborium-io",
        ":trusty_dirgroup_external_rust_crates_ciborium-ll",
        ":trusty_dirgroup_external_rust_crates_const-oid",
        ":trusty_dirgroup_external_rust_crates_coset",
        ":trusty_dirgroup_external_rust_crates_der",
        ":trusty_dirgroup_external_rust_crates_der_derive",
        ":trusty_dirgroup_external_rust_crates_downcast-rs",
        ":trusty_dirgroup_external_rust_crates_either",
        ":trusty_dirgroup_external_rust_crates_enumn",
        ":trusty_dirgroup_external_rust_crates_flagset",
        ":trusty_dirgroup_external_rust_crates_foreign-types",
        ":trusty_dirgroup_external_rust_crates_foreign-types-shared",
        ":trusty_dirgroup_external_rust_crates_half",
        ":trusty_dirgroup_external_rust_crates_hex",
        ":trusty_dirgroup_external_rust_crates_itertools",
        ":trusty_dirgroup_external_rust_crates_lazy_static",
        ":trusty_dirgroup_external_rust_crates_libc",
        ":trusty_dirgroup_external_rust_crates_log",
        ":trusty_dirgroup_external_rust_crates_num-derive",
        ":trusty_dirgroup_external_rust_crates_num-integer",
        ":trusty_dirgroup_external_rust_crates_num-traits",
        ":trusty_dirgroup_external_rust_crates_once_cell",
        ":trusty_dirgroup_external_rust_crates_openssl",
        ":trusty_dirgroup_external_rust_crates_openssl-macros",
        ":trusty_dirgroup_external_rust_crates_pkcs1",
        ":trusty_dirgroup_external_rust_crates_pkcs8",
        ":trusty_dirgroup_external_rust_crates_proc-macro2",
        ":trusty_dirgroup_external_rust_crates_protobuf",
        ":trusty_dirgroup_external_rust_crates_protobuf-support",
        ":trusty_dirgroup_external_rust_crates_quote",
        ":trusty_dirgroup_external_rust_crates_sec1",
        ":trusty_dirgroup_external_rust_crates_serde",
        ":trusty_dirgroup_external_rust_crates_serde_derive",
        ":trusty_dirgroup_external_rust_crates_smccc",
        ":trusty_dirgroup_external_rust_crates_spin",
        ":trusty_dirgroup_external_rust_crates_spki",
        ":trusty_dirgroup_external_rust_crates_static_assertions",
        ":trusty_dirgroup_external_rust_crates_syn",
        ":trusty_dirgroup_external_rust_crates_synstructure",
        ":trusty_dirgroup_external_rust_crates_thiserror",
        ":trusty_dirgroup_external_rust_crates_thiserror-impl",
        ":trusty_dirgroup_external_rust_crates_unicode-ident",
        ":trusty_dirgroup_external_rust_crates_unicode-xid",
        ":trusty_dirgroup_external_rust_crates_uuid",
        ":trusty_dirgroup_external_rust_crates_virtio-drivers-and-devices",
        ":trusty_dirgroup_external_rust_crates_vm-memory",
        ":trusty_dirgroup_external_rust_crates_x509-cert",
        ":trusty_dirgroup_external_rust_crates_zerocopy",
        ":trusty_dirgroup_external_rust_crates_zerocopy-derive",
        ":trusty_dirgroup_external_rust_crates_zeroize",
        ":trusty_dirgroup_external_rust_crates_zeroize_derive",
        ":trusty_dirgroup_external_scudo",
        ":trusty_dirgroup_external_trusty_arm-trusted-firmware",
        ":trusty_dirgroup_external_trusty_bootloader",
        ":trusty_dirgroup_external_trusty_headers",
        ":trusty_dirgroup_external_trusty_lk",
        ":trusty_dirgroup_external_trusty_musl",
        ":trusty_dirgroup_frameworks_hardware_interfaces",
        ":trusty_dirgroup_frameworks_native",
        ":trusty_dirgroup_hardware_interfaces_security_see",
        ":trusty_dirgroup_hardware_interfaces_staging_security_see",
        ":trusty_dirgroup_hardware_libhardware",
        ":trusty_dirgroup_packages_modules_virtualization_libs_dice_sample_inputs",
        ":trusty_dirgroup_packages_modules_virtualization_libs_libhypervisor_backends",
        ":trusty_dirgroup_packages_modules_virtualization_libs_open_dice",
        ":trusty_dirgroup_prebuilts_build-tools",
        ":trusty_dirgroup_prebuilts_clang-tools",
        ":trusty_dirgroup_prebuilts_clang_host_linux-x86",
        ":trusty_dirgroup_prebuilts_gcc_linux-x86_host_x86_64-linux-glibc2.17-4.8",
        ":trusty_dirgroup_prebuilts_misc",
        ":trusty_dirgroup_prebuilts_rust",
        ":trusty_dirgroup_system_authgraph",
        ":trusty_dirgroup_system_core",
        ":trusty_dirgroup_system_gatekeeper",
        ":trusty_dirgroup_system_keymaster",
        ":trusty_dirgroup_system_keymint",
        ":trusty_dirgroup_system_libbase",
        ":trusty_dirgroup_system_libcppbor",
        ":trusty_dirgroup_system_secretkeeper",
        ":trusty_dirgroup_system_see_authmgr",
        ":trusty_dirgroup_system_teeui",
        ":trusty_dirgroup_system_tools_aidl",
        ":trusty_dirgroup_trusty_device_arm_generic-arm64",
        ":trusty_dirgroup_trusty_device_common",
        ":trusty_dirgroup_trusty_device_desktop",
        ":trusty_dirgroup_trusty_device_x86_generic-x86_64",
        ":trusty_dirgroup_trusty_kernel",
        ":trusty_dirgroup_trusty_user_app_authmgr",
        ":trusty_dirgroup_trusty_user_app_avb",
        ":trusty_dirgroup_trusty_user_app_cast-auth",
        ":trusty_dirgroup_trusty_user_app_confirmationui",
        ":trusty_dirgroup_trusty_user_app_gatekeeper",
        ":trusty_dirgroup_trusty_user_app_keymaster",
        ":trusty_dirgroup_trusty_user_app_keymint",
        ":trusty_dirgroup_trusty_user_app_sample",
        ":trusty_dirgroup_trusty_user_app_secretkeeper",
        ":trusty_dirgroup_trusty_user_app_storage",
        ":trusty_dirgroup_trusty_user_base",
        ":trusty_dirgroup_trusty_user_desktop",
        ":trusty_dirgroup_trusty_vendor_google_aosp",
    ],
    visibility: [
        "//trusty/vendor/google/aosp/scripts",
        "//trusty/vendor/google/proprietary/scripts",
    ],
}

// Individual files (as opposed to directories) passed to the Trusty genrules
// through srcs in trusty_aosp.gen.defaults.
filegroup {
    name: "trusty_aosp_filegroups",
    srcs: [":trusty_filegroup_external_libcxx"],
}

// Shared settings for every Trusty genrule in this file.
// - use_nsjail: run the command under nsjail. Presumably only the inputs named
//   in dir_srcs/srcs and the listed tools are visible to the sandboxed command;
//   confirm against the Soong genrule implementation before relying on it as an
//   isolation boundary.
// - tools: host binaries referenced with $(location ...) in the command
//   templates below.
// - keep_gendir: presumably preserves $(genDir) (build-root, stdout.log,
//   stderr.log) after the rule runs; confirm.
genrule_defaults {
    name: "trusty_aosp.gen.defaults",
    use_nsjail: true,
    dir_srcs: [
        ":trusty_aosp_dirgroups",
    ],
    srcs: [":trusty_aosp_filegroups"],
    tools: [
        "aidl_rust_glue",
        "aprotoc",
        "build_trusty",
        "trusty_metrics_atoms_protoc_plugin",
    ],
    keep_gendir: true,
}

// Shell command shared by the VM image genrules. Each genrule prepends
// "PROJECT_NAME=...; OUT_EXT=...;" so that $$PROJECT_NAME and $$OUT_EXT (a
// literal $ for the shell) are set when this runs. Steps:
//   1. create $(genDir)/build-root;
//   2. copy the lk makefile and lk_inc.mk into the working directory;
//   3. run build_trusty with the tool paths exported as environment variables,
//      sending stdout/stderr to log files under $(genDir);
//   4. on failure, print both logs and end with `false` so the rule fails
//      instead of continuing to the copy;
//   5. copy lk.$$OUT_EXT from the project build directory to $(out).
// --buildid is the constant AVF_BUILTIN, so the produced image does not carry
// the Android build ID; the image cannot be traced back to a specific Android
// build from this field alone (see the TODO).
// TODO(b/375543636): determine whether we'll include the Android build ID or not.
genrule_cmd_template = "(mkdir -p $(genDir)/build-root && " +
    "cp -t . external/trusty/lk/makefile trusty/vendor/google/aosp/lk_inc.mk && " +
    "AIDL_RUST_GLUE_TOOL=$(location aidl_rust_glue) PROTOC_TOOL=$(location aprotoc) " +
    "PROTOC_PLUGIN_BINARY=$(location trusty_metrics_atoms_protoc_plugin) TRUSTY_SKIP_DOCS=true " +
    "$(location build_trusty) --script-dir trusty/vendor/google/aosp/scripts --buildid AVF_BUILTIN --verbose $$PROJECT_NAME " +
    "--build-root $(genDir)/build-root 1>$(genDir)/stdout.log 2>$(genDir)/stderr.log || (" +
    "echo Trusty build FAILED; echo stdout:; cat $(genDir)/stdout.log; echo stderr:; cat $(genDir)/stderr.log; false)) && " +
    "cp -f $(genDir)/build-root/build-$$PROJECT_NAME/lk.$$OUT_EXT $(out)"

// Test VM image for arm64. The project name is assembled from two config
// variables in the trusty_system_vm namespace:
// - placeholder_trusted_hal: when true, appends "-placeholder-trusted-hal".
//   NOTE(review): presumably selects a build with a stand-in trusted HAL;
//   confirm it is never set for release configurations.
// - buildtype: "userdebug" and "eng" both select the "-userdebug" project; any
//   other value takes the default arm and selects "-user", so an unrecognised
//   build type falls back to the user variant rather than a debug one.
genrule {
    name: "trusty_test_vm_arm64.bin",
    defaults: [
        "trusty_aosp.gen.defaults",
    ],
    out: [
        "trusty_test_vm_arm64.bin",
    ],
    // IMPORTANT: OUT_EXT=bin for arm64
    // the raw binary (not the elf) is needed for the avb signature process
    cmd: "PROJECT_NAME=vm-arm64-test" +
        select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
            true: "-placeholder-trusted-hal",
            default: "",
        }) +
        select(soong_config_variable("trusty_system_vm", "buildtype"), {
            "userdebug": "-userdebug",
            "eng": "-userdebug",
            default: "-user",
        }) +
        "; OUT_EXT=bin;" + genrule_cmd_template,
}

// Test VM image for x86_64; same project-name selection as the arm64 rule
// above, but the ELF is the output.
genrule {
    name: "trusty_test_vm_x86_64.elf",
    defaults: [
        "trusty_aosp.gen.defaults",
    ],
    out: [
        "trusty_test_vm_x86_64.elf",
    ],
    // IMPORTANT: OUT_EXT=elf for x86_64
    // x86_64 VM payloads are not yet signed; crosvm consumes the elf
    cmd: "PROJECT_NAME=vm-x86_64-test" +
        select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
            true: "-placeholder-trusted-hal",
            default: "",
        }) +
        select(soong_config_variable("trusty_system_vm", "buildtype"), {
            "userdebug": "-userdebug",
            "eng": "-userdebug",
            default: "-user",
        }) +
        "; OUT_EXT=elf;" + genrule_cmd_template,
}

// "test_os" VM image for arm64. Only buildtype is selected on here; there is
// no placeholder_trusted_hal suffix for this project.
genrule {
    name: "trusty_test_vm_os_arm64.bin",
    defaults: [
        "trusty_aosp.gen.defaults",
    ],
    out: [
        "trusty_test_vm_os_arm64.bin",
    ],
    // IMPORTANT: OUT_EXT=bin for arm64
    // the raw binary (not the elf) is needed for the avb signature process
    cmd: "PROJECT_NAME=vm-arm64-test_os" +
        select(soong_config_variable("trusty_system_vm", "buildtype"), {
            "userdebug": "-userdebug",
            "eng": "-userdebug",
            default: "-user",
        }) +
        "; OUT_EXT=bin;" + genrule_cmd_template,
}

// "test_os" VM image for x86_64 (ELF output).
genrule {
    name: "trusty_test_vm_os_x86_64.elf",
    defaults: [
        "trusty_aosp.gen.defaults",
    ],
    out: [
        "trusty_test_vm_os_x86_64.elf",
    ],
    // IMPORTANT: OUT_EXT=elf for x86_64
    // x86_64 VM payloads are not yet signed; crosvm consumes the elf
    cmd: "PROJECT_NAME=vm-x86_64-test_os" +
        select(soong_config_variable("trusty_system_vm", "buildtype"), {
            "userdebug": "-userdebug",
            "eng": "-userdebug",
            default: "-user",
        }) +
        "; OUT_EXT=elf;" + genrule_cmd_template,
}

// Security VM image for arm64. Project name selection matches the test VM
// rules: optional "-placeholder-trusted-hal", then "-userdebug" for
// userdebug/eng and "-user" for everything else.
genrule {
    name: "trusty_security_vm_arm64.bin",
    defaults: [
        "trusty_aosp.gen.defaults",
    ],
    out: [
        "trusty_security_vm_arm64.bin",
    ],
    // IMPORTANT: OUT_EXT=bin for arm64
    // the raw binary (not the elf) is needed for the avb signature process
    cmd: "PROJECT_NAME=vm-arm64-security" +
        select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
            true: "-placeholder-trusted-hal",
            default: "",
        }) +
        select(soong_config_variable("trusty_system_vm", "buildtype"), {
            "userdebug": "-userdebug",
            "eng": "-userdebug",
            default: "-user",
        }) +
        "; OUT_EXT=bin;" + genrule_cmd_template,
}

// Security VM image for x86_64 (ELF output).
genrule {
    name: "trusty_security_vm_x86_64.elf",
    defaults: [
        "trusty_aosp.gen.defaults",
    ],
    out: [
        "trusty_security_vm_x86_64.elf",
    ],
    // IMPORTANT: OUT_EXT=elf for x86_64
    // x86_64 VM payloads are not yet signed; crosvm consumes the elf
    cmd: "PROJECT_NAME=vm-x86_64-security" +
        select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
            true: "-placeholder-trusted-hal",
            default: "",
        }) +
        select(soong_config_variable("trusty_system_vm", "buildtype"), {
            "userdebug": "-userdebug",
            "eng": "-userdebug",
            default: "-user",
        }) +
        "; OUT_EXT=elf;" + genrule_cmd_template,
}

// Desktop VM images. These four rules use a fixed project name: there is no
// select() on buildtype, so the same project is built for every build type.
// NOTE(review): confirm that is intended, since the vm-* rules above
// distinguish -user from -userdebug.
genrule {
    name: "trusty_desktop_vm_arm64.bin",
    defaults: [
        "trusty_aosp.gen.defaults",
    ],
    out: [
        "trusty_desktop_vm_arm64.bin",
    ],
    cmd: "PROJECT_NAME=desktop-arm64; OUT_EXT=bin;" + genrule_cmd_template,
}

// Desktop test VM image for arm64.
genrule {
    name: "trusty_desktop_test_vm_arm64.bin",
    defaults: [
        "trusty_aosp.gen.defaults",
    ],
    out: [
        "trusty_desktop_test_vm_arm64.bin",
    ],
    cmd: "PROJECT_NAME=desktop-arm64-test; OUT_EXT=bin;" + genrule_cmd_template,
}

// Desktop VM image for x86_64.
// NOTE(review): unlike the vm-x86_64-* rules above, the x86_64 desktop rules
// take lk.bin rather than lk.elf; confirm this is intended.
genrule {
    name: "trusty_desktop_vm_x86_64.bin",
    defaults: [
        "trusty_aosp.gen.defaults",
    ],
    out: [
        "trusty_desktop_vm_x86_64.bin",
    ],
    cmd: "PROJECT_NAME=desktop-x86_64; OUT_EXT=bin;" + genrule_cmd_template,
}

// Desktop test VM image for x86_64 (raw binary, as above).
genrule {
    name: "trusty_desktop_test_vm_x86_64.bin",
    defaults: [
        "trusty_aosp.gen.defaults",
    ],
    out: [
        "trusty_desktop_test_vm_x86_64.bin",
    ],
    cmd: "PROJECT_NAME=desktop-x86_64-test; OUT_EXT=bin;" + genrule_cmd_template,
}

// - Trusty VM payloads on arm64 are pvmfw enabled
//   (the AVF VM build system uses the raw binary image,
//   adds the pvmfw footer and generates a pvmfw-compliant signed elf file)
// - Trusty VM payloads on x86 are for now loaded in Cuttlefish unsigned;
//   the unsigned generated elf is used directly by AV
//   (sic in the original comment; presumably AVF)
//
// see packages/modules/Virtualization/guest/trusty
//
// The *_unsigned modules below install the images exactly as the genrules
// produce them. Nothing in this file signs or verifies them; on arm64 the
// signing described above happens in a later build step, and on x86_64 the
// image is consumed without a signature.

// Disabled by default; enabled only for arm64 (raw binary) and x86_64 (ELF).
prebuilt_etc {
    name: "trusty_test_vm_unsigned",
    enabled: false,
    arch: {
        arm64: {
            src: ":trusty_test_vm_arm64.bin",
            filename: "trusty-test_vm.bin",
            enabled: true,
        },
        x86_64: {
            src: ":trusty_test_vm_x86_64.elf",
            filename: "trusty-test_vm.elf",
            enabled: true,
        },
    },
}

// Same pattern as trusty_test_vm_unsigned, for the test_os images.
prebuilt_etc {
    name: "trusty_test_vm_os_unsigned",
    enabled: false,
    arch: {
        arm64: {
            src: ":trusty_test_vm_os_arm64.bin",
            filename: "trusty-test_vm_os.bin",
            enabled: true,
        },
        x86_64: {
            src: ":trusty_test_vm_os_x86_64.elf",
            filename: "trusty-test_vm_os.elf",
            enabled: true,
        },
    },
}

// Unsigned security VM image, installed as a system_ext module under the
// relative path vm/trusty_vm. Enabled only when the OS is android, the arch is
// arm64 or x86_64, and the trusty_system_vm "enabled" config variable is true;
// every other combination takes the default arm and leaves it disabled.
// NOTE(review): on x86_64 this is the image that is used without a signature
// (see the comment block above); confirm that configuration stays limited to
// development targets such as Cuttlefish.
prebuilt_etc {
    name: "trusty_security_vm_unsigned",
    enabled: select((os(), arch(), soong_config_variable("trusty_system_vm", "enabled")), {
        ("android", "arm64", true): true,
        ("android", "x86_64", true): true,
        (default, default, default): false,
    }),
    relative_install_path: "vm/trusty_vm",
    system_ext_specific: true,
    arch: {
        arm64: {
            src: ":trusty_security_vm_arm64.bin",
            filename: "trusty_security_vm_unsigned.bin",
        },
        x86_64: {
            src: ":trusty_security_vm_x86_64.elf",
            filename: "trusty_security_vm_unsigned.elf",
        },
    },
}

// Trusty TEE image with Widevine OPK TA
//
// Command template for the TEE package. It follows the same steps as
// genrule_cmd_template with these differences: it also exports
// QEMU_PREBUILTS_DIR, MKE2FS and PACKAGE_TRUSTY_IMAGES_ONLY=true, passes
// --skip-tests to build_trusty, and copies trusty_image_package.tar.gz
// (not lk.$$OUT_EXT) to $(out). Only $$PROJECT_NAME needs to be set by the
// caller. --buildid is again the constant AVF_BUILTIN.
// TODO(b/375543636): determine whether we'll include the Android build ID or not.
genrule_tee_cmd_template = "(mkdir -p $(genDir)/build-root && " +
    "cp -t . external/trusty/lk/makefile trusty/vendor/google/aosp/lk_inc.mk && " +
    "AIDL_RUST_GLUE_TOOL=$(location aidl_rust_glue) PROTOC_TOOL=$(location aprotoc) " +
    "PROTOC_PLUGIN_BINARY=$(location trusty_metrics_atoms_protoc_plugin) " +
    "QEMU_PREBUILTS_DIR=$(location trusty_qemu_system_aarch64) " +
    "MKE2FS=$(location mke2fs) " +
    "TRUSTY_SKIP_DOCS=true " +
    "PACKAGE_TRUSTY_IMAGES_ONLY=true " +
    "$(location build_trusty) --script-dir trusty/vendor/google/aosp/scripts --buildid AVF_BUILTIN --verbose $$PROJECT_NAME " +
    "--skip-tests --build-root $(genDir)/build-root 1>$(genDir)/stdout.log 2>$(genDir)/stderr.log || (" +
    "echo Trusty build FAILED; echo stdout:; cat $(genDir)/stdout.log; echo stderr:; cat $(genDir)/stderr.log; false)) && " +
    "cp -f $(genDir)/build-root/build-$$PROJECT_NAME/trusty_image_package.tar.gz $(out)"

// TEE image package, built only when the trusty_tee "enabled" config variable
// is true. The tools listed here are the ones the TEE template references with
// $(location ...) in addition to those in the defaults (presumably appended to
// the defaults' tools list; confirm). The result is published through the
// trusty-tee_package dist target.
// NOTE(review): the project built is qemu-generic-arm64-gicv3-test-debug, and
// this rule does not vary it by build type. Going by the name it is a
// test/debug configuration; confirm that consumers of the dist artifact do not
// treat it as a production TEE image.
genrule {
    name: "trusty_tee_package",
    enabled: select(soong_config_variable("trusty_tee", "enabled"), {
        true: true,
        default: false,
    }),
    defaults: [
        "trusty_aosp.gen.defaults",
    ],
    tools: [
        "trusty_qemu_system_aarch64",
        "mke2fs",
    ],
    out: [
        "trusty_tee_package.tar.gz",
    ],
    dist: {
        targets: ["trusty-tee_package"],
    },
    cmd: "PROJECT_NAME=qemu-generic-arm64-gicv3-test-debug; " + genrule_tee_cmd_template,
}