// Copyright (C) 2025 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
14
// Host-side Python tool that drives the Trusty build; build.py is the entry
// point. The glob packages every .py file in this directory into the tool,
// so a script added here becomes part of the program that produces the Trusty
// images defined further down. Review additions to this directory accordingly.
python_binary_host {
    name: "build_trusty",
    main: "build.py",
    srcs: ["*.py"],
}
20
// Source directories handed to the Trusty genrules through dir_srcs in
// trusty_aosp.gen.defaults. The list is the declared input set of the image
// builds: third-party libraries and Rust crates (including the crypto stack:
// BoringSSL, openssl, der/pkcs1/pkcs8/sec1/spki/x509-cert), prebuilt
// toolchains, and the Trusty kernel, user base and apps.
// NOTE(review): with use_nsjail set on the consuming genrules, a directory
// missing from this list is presumably not visible to the build. Confirm
// before relying on that as an isolation boundary.
// Only the two scripts packages named in visibility may reference this group.
dirgroup {
    name: "trusty_aosp_dirgroups",
    visibility: [
        "//trusty/vendor/google/aosp/scripts",
        "//trusty/vendor/google/proprietary/scripts",
    ],
    dirs: [
        ":trusty_dirgroup_external_boringssl",
        ":trusty_dirgroup_external_dtc",
        ":trusty_dirgroup_external_freetype",
        ":trusty_dirgroup_external_googletest",
        ":trusty_dirgroup_external_libcxx",
        ":trusty_dirgroup_external_libcxxabi",
        ":trusty_dirgroup_external_nanopb-c",
        ":trusty_dirgroup_external_open-dice",
        ":trusty_dirgroup_external_python_jinja",
        ":trusty_dirgroup_external_python_markupsafe",
        ":trusty_dirgroup_external_python_six",
        ":trusty_dirgroup_external_rust_crates_acpi",
        ":trusty_dirgroup_external_rust_crates_arrayvec",
        ":trusty_dirgroup_external_rust_crates_async-trait",
        ":trusty_dirgroup_external_rust_crates_bit_field",
        ":trusty_dirgroup_external_rust_crates_bitflags",
        ":trusty_dirgroup_external_rust_crates_byteorder",
        ":trusty_dirgroup_external_rust_crates_cfg-if",
        ":trusty_dirgroup_external_rust_crates_ciborium",
        ":trusty_dirgroup_external_rust_crates_ciborium-io",
        ":trusty_dirgroup_external_rust_crates_ciborium-ll",
        ":trusty_dirgroup_external_rust_crates_const-oid",
        ":trusty_dirgroup_external_rust_crates_coset",
        ":trusty_dirgroup_external_rust_crates_der",
        ":trusty_dirgroup_external_rust_crates_der_derive",
        ":trusty_dirgroup_external_rust_crates_downcast-rs",
        ":trusty_dirgroup_external_rust_crates_either",
        ":trusty_dirgroup_external_rust_crates_enumn",
        ":trusty_dirgroup_external_rust_crates_flagset",
        ":trusty_dirgroup_external_rust_crates_foreign-types",
        ":trusty_dirgroup_external_rust_crates_foreign-types-shared",
        ":trusty_dirgroup_external_rust_crates_half",
        ":trusty_dirgroup_external_rust_crates_hex",
        ":trusty_dirgroup_external_rust_crates_itertools",
        ":trusty_dirgroup_external_rust_crates_lazy_static",
        ":trusty_dirgroup_external_rust_crates_libc",
        ":trusty_dirgroup_external_rust_crates_log",
        ":trusty_dirgroup_external_rust_crates_num-derive",
        ":trusty_dirgroup_external_rust_crates_num-integer",
        ":trusty_dirgroup_external_rust_crates_num-traits",
        ":trusty_dirgroup_external_rust_crates_once_cell",
        ":trusty_dirgroup_external_rust_crates_openssl",
        ":trusty_dirgroup_external_rust_crates_openssl-macros",
        ":trusty_dirgroup_external_rust_crates_pkcs1",
        ":trusty_dirgroup_external_rust_crates_pkcs8",
        ":trusty_dirgroup_external_rust_crates_proc-macro2",
        ":trusty_dirgroup_external_rust_crates_protobuf",
        ":trusty_dirgroup_external_rust_crates_protobuf-support",
        ":trusty_dirgroup_external_rust_crates_quote",
        ":trusty_dirgroup_external_rust_crates_sec1",
        ":trusty_dirgroup_external_rust_crates_serde",
        ":trusty_dirgroup_external_rust_crates_serde_derive",
        ":trusty_dirgroup_external_rust_crates_smccc",
        ":trusty_dirgroup_external_rust_crates_spin",
        ":trusty_dirgroup_external_rust_crates_spki",
        ":trusty_dirgroup_external_rust_crates_static_assertions",
        ":trusty_dirgroup_external_rust_crates_syn",
        ":trusty_dirgroup_external_rust_crates_synstructure",
        ":trusty_dirgroup_external_rust_crates_thiserror",
        ":trusty_dirgroup_external_rust_crates_thiserror-impl",
        ":trusty_dirgroup_external_rust_crates_unicode-ident",
        ":trusty_dirgroup_external_rust_crates_unicode-xid",
        ":trusty_dirgroup_external_rust_crates_uuid",
        ":trusty_dirgroup_external_rust_crates_virtio-drivers-and-devices",
        ":trusty_dirgroup_external_rust_crates_vm-memory",
        ":trusty_dirgroup_external_rust_crates_x509-cert",
        ":trusty_dirgroup_external_rust_crates_zerocopy",
        ":trusty_dirgroup_external_rust_crates_zerocopy-derive",
        ":trusty_dirgroup_external_rust_crates_zeroize",
        ":trusty_dirgroup_external_rust_crates_zeroize_derive",
        ":trusty_dirgroup_external_scudo",
        ":trusty_dirgroup_external_trusty_arm-trusted-firmware",
        ":trusty_dirgroup_external_trusty_bootloader",
        ":trusty_dirgroup_external_trusty_headers",
        ":trusty_dirgroup_external_trusty_lk",
        ":trusty_dirgroup_external_trusty_musl",
        ":trusty_dirgroup_frameworks_hardware_interfaces",
        ":trusty_dirgroup_frameworks_native",
        ":trusty_dirgroup_hardware_interfaces_security_see",
        ":trusty_dirgroup_hardware_interfaces_staging_security_see",
        ":trusty_dirgroup_hardware_libhardware",
        ":trusty_dirgroup_packages_modules_virtualization_libs_dice_sample_inputs",
        ":trusty_dirgroup_packages_modules_virtualization_libs_libhypervisor_backends",
        ":trusty_dirgroup_packages_modules_virtualization_libs_open_dice",
        ":trusty_dirgroup_prebuilts_build-tools",
        ":trusty_dirgroup_prebuilts_clang-tools",
        ":trusty_dirgroup_prebuilts_clang_host_linux-x86",
        ":trusty_dirgroup_prebuilts_gcc_linux-x86_host_x86_64-linux-glibc2.17-4.8",
        ":trusty_dirgroup_prebuilts_misc",
        ":trusty_dirgroup_prebuilts_rust",
        ":trusty_dirgroup_system_authgraph",
        ":trusty_dirgroup_system_core",
        ":trusty_dirgroup_system_gatekeeper",
        ":trusty_dirgroup_system_keymaster",
        ":trusty_dirgroup_system_keymint",
        ":trusty_dirgroup_system_libbase",
        ":trusty_dirgroup_system_libcppbor",
        ":trusty_dirgroup_system_secretkeeper",
        ":trusty_dirgroup_system_see_authmgr",
        ":trusty_dirgroup_system_teeui",
        ":trusty_dirgroup_system_tools_aidl",
        ":trusty_dirgroup_trusty_device_arm_generic-arm64",
        ":trusty_dirgroup_trusty_device_common",
        ":trusty_dirgroup_trusty_device_desktop",
        ":trusty_dirgroup_trusty_device_x86_generic-x86_64",
        ":trusty_dirgroup_trusty_kernel",
        ":trusty_dirgroup_trusty_user_app_authmgr",
        ":trusty_dirgroup_trusty_user_app_avb",
        ":trusty_dirgroup_trusty_user_app_cast-auth",
        ":trusty_dirgroup_trusty_user_app_confirmationui",
        ":trusty_dirgroup_trusty_user_app_gatekeeper",
        ":trusty_dirgroup_trusty_user_app_keymaster",
        ":trusty_dirgroup_trusty_user_app_keymint",
        ":trusty_dirgroup_trusty_user_app_sample",
        ":trusty_dirgroup_trusty_user_app_secretkeeper",
        ":trusty_dirgroup_trusty_user_app_storage",
        ":trusty_dirgroup_trusty_user_base",
        ":trusty_dirgroup_trusty_user_desktop",
        ":trusty_dirgroup_trusty_vendor_google_aosp",
    ],
}
149
// Individual source files (as opposed to whole directories) passed to the
// Trusty genrules via srcs in trusty_aosp.gen.defaults.
filegroup {
    name: "trusty_aosp_filegroups",
    srcs: [
        ":trusty_filegroup_external_libcxx",
    ],
}
154
// Settings shared by every Trusty genrule in this file.
genrule_defaults {
    name: "trusty_aosp.gen.defaults",
    // Run the build command inside the nsjail sandbox. Its inputs are the
    // directory group, the file group and the host tools declared below.
    use_nsjail: true,
    // NOTE(review): keep_gendir presumably preserves $(genDir), and with it
    // build-root, between runs. If so, output left by an earlier build can
    // survive into a later one; confirm this is acceptable for image
    // reproducibility.
    keep_gendir: true,
    tools: [
        "aidl_rust_glue",
        "aprotoc",
        "build_trusty",
        "trusty_metrics_atoms_protoc_plugin",
    ],
    srcs: [":trusty_aosp_filegroups"],
    dir_srcs: [":trusty_aosp_dirgroups"],
}
170
// Shell template shared by the Trusty VM genrules. Each genrule prepends
// "PROJECT_NAME=...; OUT_EXT=...;" so that $$PROJECT_NAME and $$OUT_EXT
// ($$ reaches the shell as a literal $) resolve when the command runs.
// Steps, in order:
//   1. create $(genDir)/build-root;
//   2. copy the lk makefile and lk_inc.mk into the working directory;
//   3. run build_trusty, passing the helper tool locations as environment
//      variables and sending stdout/stderr to log files under $(genDir);
//   4. if any of the steps above fails, print both logs and fail the rule;
//   5. otherwise copy lk.$$OUT_EXT from the project build directory to $(out).
// The build ID handed to build_trusty is the constant AVF_BUILTIN, so as far
// as this rule shows the Android build ID is not passed in (see the TODO).
// TODO(b/375543636): determine whether we'll include the Android build ID or not.
genrule_cmd_template = "(mkdir -p $(genDir)/build-root && " +
    "cp -t . external/trusty/lk/makefile trusty/vendor/google/aosp/lk_inc.mk && " +
    "AIDL_RUST_GLUE_TOOL=$(location aidl_rust_glue) PROTOC_TOOL=$(location aprotoc) " +
    "PROTOC_PLUGIN_BINARY=$(location trusty_metrics_atoms_protoc_plugin) TRUSTY_SKIP_DOCS=true " +
    "$(location build_trusty) --script-dir trusty/vendor/google/aosp/scripts --buildid AVF_BUILTIN --verbose $$PROJECT_NAME " +
    "--build-root $(genDir)/build-root 1>$(genDir)/stdout.log 2>$(genDir)/stderr.log || (" +
    "echo Trusty build FAILED; echo stdout:; cat $(genDir)/stdout.log; echo stderr:; cat $(genDir)/stderr.log; false)) && " +
    "cp -f $(genDir)/build-root/build-$$PROJECT_NAME/lk.$$OUT_EXT $(out)"
180
// Trusty test VM payload for arm64, built from project
// vm-arm64-test[-placeholder-trusted-hal]-{user,userdebug}.
genrule {
    name: "trusty_test_vm_arm64.bin",
    out: ["trusty_test_vm_arm64.bin"],
    defaults: ["trusty_aosp.gen.defaults"],
    // arm64 must use OUT_EXT=bin: the AVB signature process needs the raw
    // binary, not the elf.
    // Build type "eng" is folded into the userdebug project; any value other
    // than "userdebug" or "eng" selects the user project.
    cmd: "PROJECT_NAME=vm-arm64-test" + select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
        true: "-placeholder-trusted-hal",
        default: "",
    }) + select(soong_config_variable("trusty_system_vm", "buildtype"), {
        "userdebug": "-userdebug",
        "eng": "-userdebug",
        default: "-user",
    }) + "; OUT_EXT=bin;" + genrule_cmd_template,
}
200
// Trusty test VM payload for x86_64, built from project
// vm-x86_64-test[-placeholder-trusted-hal]-{user,userdebug}.
genrule {
    name: "trusty_test_vm_x86_64.elf",
    out: ["trusty_test_vm_x86_64.elf"],
    defaults: ["trusty_aosp.gen.defaults"],
    // x86_64 must use OUT_EXT=elf: these VM payloads are not signed yet and
    // crosvm loads the elf as built, so nothing in this rule authenticates
    // the image.
    // Build type "eng" is folded into the userdebug project; any value other
    // than "userdebug" or "eng" selects the user project.
    cmd: "PROJECT_NAME=vm-x86_64-test" + select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
        true: "-placeholder-trusted-hal",
        default: "",
    }) + select(soong_config_variable("trusty_system_vm", "buildtype"), {
        "userdebug": "-userdebug",
        "eng": "-userdebug",
        default: "-user",
    }) + "; OUT_EXT=elf;" + genrule_cmd_template,
}
220
// Trusty test-OS VM payload for arm64, built from project
// vm-arm64-test_os-{user,userdebug}. Unlike the test and security VMs, this
// rule has no placeholder_trusted_hal variant.
genrule {
    name: "trusty_test_vm_os_arm64.bin",
    out: ["trusty_test_vm_os_arm64.bin"],
    defaults: ["trusty_aosp.gen.defaults"],
    // arm64 must use OUT_EXT=bin: the AVB signature process needs the raw
    // binary, not the elf.
    // Build type "eng" is folded into the userdebug project; any value other
    // than "userdebug" or "eng" selects the user project.
    cmd: "PROJECT_NAME=vm-arm64-test_os" + select(soong_config_variable("trusty_system_vm", "buildtype"), {
        "userdebug": "-userdebug",
        "eng": "-userdebug",
        default: "-user",
    }) + "; OUT_EXT=bin;" + genrule_cmd_template,
}
237
// Trusty test-OS VM payload for x86_64, built from project
// vm-x86_64-test_os-{user,userdebug}. Unlike the test and security VMs, this
// rule has no placeholder_trusted_hal variant.
genrule {
    name: "trusty_test_vm_os_x86_64.elf",
    out: ["trusty_test_vm_os_x86_64.elf"],
    defaults: ["trusty_aosp.gen.defaults"],
    // x86_64 must use OUT_EXT=elf: these VM payloads are not signed yet and
    // crosvm loads the elf as built.
    // Build type "eng" is folded into the userdebug project; any value other
    // than "userdebug" or "eng" selects the user project.
    cmd: "PROJECT_NAME=vm-x86_64-test_os" + select(soong_config_variable("trusty_system_vm", "buildtype"), {
        "userdebug": "-userdebug",
        "eng": "-userdebug",
        default: "-user",
    }) + "; OUT_EXT=elf;" + genrule_cmd_template,
}
254
// Trusty security VM payload for arm64, built from project
// vm-arm64-security[-placeholder-trusted-hal]-{user,userdebug}.
genrule {
    name: "trusty_security_vm_arm64.bin",
    out: ["trusty_security_vm_arm64.bin"],
    defaults: ["trusty_aosp.gen.defaults"],
    // arm64 must use OUT_EXT=bin: the AVB signature process needs the raw
    // binary, not the elf.
    // Build type "eng" is folded into the userdebug project; any value other
    // than "userdebug" or "eng" selects the user project, so an unset or
    // misspelled buildtype yields the user variant.
    cmd: "PROJECT_NAME=vm-arm64-security" + select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
        true: "-placeholder-trusted-hal",
        default: "",
    }) + select(soong_config_variable("trusty_system_vm", "buildtype"), {
        "userdebug": "-userdebug",
        "eng": "-userdebug",
        default: "-user",
    }) + "; OUT_EXT=bin;" + genrule_cmd_template,
}
274
// Trusty security VM payload for x86_64, built from project
// vm-x86_64-security[-placeholder-trusted-hal]-{user,userdebug}.
genrule {
    name: "trusty_security_vm_x86_64.elf",
    out: ["trusty_security_vm_x86_64.elf"],
    defaults: ["trusty_aosp.gen.defaults"],
    // x86_64 must use OUT_EXT=elf: these VM payloads are not signed yet and
    // crosvm loads the elf as built, so this security VM image carries no
    // signature on x86_64.
    // Build type "eng" is folded into the userdebug project; any value other
    // than "userdebug" or "eng" selects the user project.
    cmd: "PROJECT_NAME=vm-x86_64-security" + select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
        true: "-placeholder-trusted-hal",
        default: "",
    }) + select(soong_config_variable("trusty_system_vm", "buildtype"), {
        "userdebug": "-userdebug",
        "eng": "-userdebug",
        default: "-user",
    }) + "; OUT_EXT=elf;" + genrule_cmd_template,
}
294
// Trusty desktop VM payload for arm64 (project desktop-arm64), exported as
// the raw lk.bin. The project name is fixed: no user/userdebug selection is
// applied here.
genrule {
    name: "trusty_desktop_vm_arm64.bin",
    out: ["trusty_desktop_vm_arm64.bin"],
    defaults: ["trusty_aosp.gen.defaults"],
    cmd: "PROJECT_NAME=desktop-arm64; OUT_EXT=bin;" + genrule_cmd_template,
}
305
// Trusty desktop test VM payload for arm64 (project desktop-arm64-test),
// exported as the raw lk.bin. The project name is fixed: no user/userdebug
// selection is applied here.
genrule {
    name: "trusty_desktop_test_vm_arm64.bin",
    out: ["trusty_desktop_test_vm_arm64.bin"],
    defaults: ["trusty_aosp.gen.defaults"],
    cmd: "PROJECT_NAME=desktop-arm64-test; OUT_EXT=bin;" + genrule_cmd_template,
}
316
// Trusty desktop VM payload for x86_64 (project desktop-x86_64).
// NOTE(review): this rule exports lk.bin, whereas the other x86_64 VM rules
// in this file export the elf. Confirm the raw binary is what the desktop
// x86_64 consumer expects.
genrule {
    name: "trusty_desktop_vm_x86_64.bin",
    out: ["trusty_desktop_vm_x86_64.bin"],
    defaults: ["trusty_aosp.gen.defaults"],
    cmd: "PROJECT_NAME=desktop-x86_64; OUT_EXT=bin;" + genrule_cmd_template,
}
327
// Trusty desktop test VM payload for x86_64 (project desktop-x86_64-test).
// NOTE(review): this rule exports lk.bin, whereas the other x86_64 VM rules
// in this file export the elf. Confirm the raw binary is what the desktop
// x86_64 consumer expects.
genrule {
    name: "trusty_desktop_test_vm_x86_64.bin",
    out: ["trusty_desktop_test_vm_x86_64.bin"],
    defaults: ["trusty_aosp.gen.defaults"],
    cmd: "PROJECT_NAME=desktop-x86_64-test; OUT_EXT=bin;" + genrule_cmd_template,
}
338
// - Trusty VM payloads on arm64 are pvmfw-enabled
//   (the AVF VM build system takes the raw binary image,
//   adds the pvmfw footer and generates a pvmfw-compliant signed elf file).
// - Trusty VM payloads on x86 are, for now, loaded in Cuttlefish unsigned;
//   the generated unsigned elf is used directly by AVF.
//
// See packages/modules/Virtualization/guest/trusty
346
// Installs the unsigned Trusty test VM payload. The module is disabled by
// default and switched on only for the arm64 and x86_64 variants, which pick
// the raw binary and the elf respectively.
prebuilt_etc {
    name: "trusty_test_vm_unsigned",
    enabled: false,
    arch: {
        arm64: {
            enabled: true,
            filename: "trusty-test_vm.bin",
            src: ":trusty_test_vm_arm64.bin",
        },
        x86_64: {
            enabled: true,
            filename: "trusty-test_vm.elf",
            src: ":trusty_test_vm_x86_64.elf",
        },
    },
}
363
// Installs the unsigned Trusty test-OS VM payload. The module is disabled by
// default and switched on only for the arm64 and x86_64 variants, which pick
// the raw binary and the elf respectively.
prebuilt_etc {
    name: "trusty_test_vm_os_unsigned",
    enabled: false,
    arch: {
        arm64: {
            enabled: true,
            filename: "trusty-test_vm_os.bin",
            src: ":trusty_test_vm_os_arm64.bin",
        },
        x86_64: {
            enabled: true,
            filename: "trusty-test_vm_os.elf",
            src: ":trusty_test_vm_os_x86_64.elf",
        },
    },
}
380
// Installs the unsigned Trusty security VM payload on the system_ext
// partition under vm/trusty_vm. It is enabled only for Android arm64 or
// x86_64 builds where the soong config variable trusty_system_vm.enabled is
// true; every other combination leaves it disabled.
// This module ships the image exactly as the genrule produced it. Per the
// notes earlier in this file, arm64 signing is done later by the AVF VM build
// system, while the x86_64 elf is consumed unsigned.
prebuilt_etc {
    name: "trusty_security_vm_unsigned",
    system_ext_specific: true,
    relative_install_path: "vm/trusty_vm",
    enabled: select((os(), arch(), soong_config_variable("trusty_system_vm", "enabled")), {
        ("android", "arm64", true): true,
        ("android", "x86_64", true): true,
        (default, default, default): false,
    }),
    arch: {
        arm64: {
            filename: "trusty_security_vm_unsigned.bin",
            src: ":trusty_security_vm_arm64.bin",
        },
        x86_64: {
            filename: "trusty_security_vm_unsigned.elf",
            src: ":trusty_security_vm_x86_64.elf",
        },
    },
}
401
// Trusty TEE image with Widevine OPK TA
// Shell template for the TEE package genrule. The genrule prepends
// "PROJECT_NAME=...;" so that $$PROJECT_NAME ($$ reaches the shell as a
// literal $) resolves when the command runs.
// It follows the same sequence as genrule_cmd_template (create build-root,
// stage the lk makefile and lk_inc.mk, run build_trusty with logs captured
// under $(genDir), dump the logs on failure), with these differences:
//   - QEMU_PREBUILTS_DIR and MKE2FS point at the trusty_qemu_system_aarch64
//     and mke2fs tools, which the using genrule must list in `tools`;
//   - PACKAGE_TRUSTY_IMAGES_ONLY=true is set and --skip-tests is passed to
//     build_trusty, so this rule does not run tests as part of the build;
//   - the artifact copied to $(out) is trusty_image_package.tar.gz.
// The build ID handed to build_trusty is the constant AVF_BUILTIN.
// TODO(b/375543636): determine whether we'll include the Android build ID or not.
genrule_tee_cmd_template = "(mkdir -p $(genDir)/build-root && " +
    "cp -t . external/trusty/lk/makefile trusty/vendor/google/aosp/lk_inc.mk && " +
    "AIDL_RUST_GLUE_TOOL=$(location aidl_rust_glue) PROTOC_TOOL=$(location aprotoc) " +
    "PROTOC_PLUGIN_BINARY=$(location trusty_metrics_atoms_protoc_plugin) " +
    "QEMU_PREBUILTS_DIR=$(location trusty_qemu_system_aarch64) " +
    "MKE2FS=$(location mke2fs) " +
    "TRUSTY_SKIP_DOCS=true " +
    "PACKAGE_TRUSTY_IMAGES_ONLY=true " +
    "$(location build_trusty) --script-dir trusty/vendor/google/aosp/scripts --buildid AVF_BUILTIN --verbose $$PROJECT_NAME " +
    "--skip-tests --build-root $(genDir)/build-root 1>$(genDir)/stdout.log 2>$(genDir)/stderr.log || (" +
    "echo Trusty build FAILED; echo stdout:; cat $(genDir)/stdout.log; echo stderr:; cat $(genDir)/stderr.log; false)) && " +
    "cp -f $(genDir)/build-root/build-$$PROJECT_NAME/trusty_image_package.tar.gz $(out)"
416
// Builds the Trusty TEE image package and publishes it through the
// trusty-tee_package dist target. Disabled unless the soong config variable
// trusty_tee.enabled is true.
// NOTE(review): the project name (qemu-generic-arm64-gicv3-test-debug)
// suggests a test/debug configuration. Confirm the dist artifact is only
// consumed where a debug TEE image is acceptable.
genrule {
    name: "trusty_tee_package",
    out: ["trusty_tee_package.tar.gz"],
    defaults: ["trusty_aosp.gen.defaults"],
    // Extra host tools referenced by genrule_tee_cmd_template, in addition to
    // those listed in the defaults.
    tools: [
        "trusty_qemu_system_aarch64",
        "mke2fs",
    ],
    enabled: select(soong_config_variable("trusty_tee", "enabled"), {
        true: true,
        default: false,
    }),
    dist: {
        targets: ["trusty-tee_package"],
    },
    cmd: "PROJECT_NAME=qemu-generic-arm64-gicv3-test-debug; " + genrule_tee_cmd_template,
}
438