package { default_applicable_licenses: ["Android-Apache-2.0"], } microdroid_shell_and_utilities = [ "reboot", "sh", "strace", "toolbox", "toybox", ] microdroid_rootdirs = [ "dev", "proc", "sys", "system", "debug_ramdisk", "mnt", "data", "apex", "linkerconfig", "second_stage_resources", // Ideally we should only create the /vendor for Microdroid VMs that will mount /vendor, but // for the time being we will just create it unconditionally. "vendor", ] microdroid_symlinks = [ { target: "/sys/kernel/debug", name: "d", }, { target: "/system/etc", name: "etc", }, { target: "/system/bin", name: "bin", }, ] android_system_image { name: "microdroid", use_avb: true, avb_private_key: ":microdroid_sign_key", avb_algorithm: "SHA256_RSA4096", avb_hash_algorithm: "sha256", partition_name: "system", deps: [ "init_second_stage.microdroid", "microdroid_build_prop", "microdroid_init_debug_policy", "microdroid_init_rc", "microdroid_ueventd_rc", "microdroid_launcher", "libbinder_ndk", "libstdc++", // "com.android.adbd" requires these, "libadbd_auth", "libadbd_fs", // "com.android.art" requires "heapprofd_client_api", "libartpalette-system", "apexd.microdroid", "debuggerd", "linker", "cgroups.json", "task_profiles.json", "public.libraries.android.txt", "microdroid_event-log-tags", "microdroid_file_contexts", "microdroid_manifest", "microdroid_property_contexts", "mke2fs.microdroid", "microdroid_fstab", "libvm_payload", // used by payload to interact with microdroid manager "prng_seeder_microdroid", // Binaries required to capture traces in Microdroid. "atrace", "traced", "traced_probes", "perfetto", ] + select(release_flag("RELEASE_AVF_ENABLE_MULTI_TENANT_MICRODROID_VM"), { true: [ "microdroid_etc_passwd", "microdroid_etc_group", ], default: [], }) + microdroid_shell_and_utilities, multilib: { common: { deps: [ // non-updatable & mandatory apexes "com.android.runtime", "microdroid_crashdump_initrd", "microdroid_precompiled_sepolicy", ], }, lib64: { deps: [ "apkdmverity", "authfs", "authfs_service", "encryptedstore", "microdroid_kexec", "microdroid_manager", "zipfuse", ] + select(release_flag("RELEASE_AVF_ENABLE_DICE_CHANGES"), { true: ["derive_microdroid_vendor_dice_node"], default: [], }), }, }, arch: { // b/273792258: These could be in multilib.lib64 except that // microdroid_crashdump_kernel doesn't exist for riscv64 yet arm64: { deps: [ "microdroid_crashdump_kernel", ], }, x86_64: { deps: [ "microdroid_crashdump_kernel", ], }, }, linker_config: { gen_linker_config: true, linker_config_srcs: ["linker.config.json"], }, base_dir: "system", dirs: microdroid_rootdirs + select(release_flag("RELEASE_AVF_ENABLE_DICE_CHANGES"), { true: ["microdroid_resources"], default: [], }), symlinks: microdroid_symlinks, file_contexts: ":microdroid_file_contexts.gen", // For deterministic output, use fake_timestamp, hard-coded uuid fake_timestamp: "1611569676", // python -c "import uuid; print(uuid.uuid5(uuid.NAMESPACE_URL, 'www.android.com/avf/microdroid/system'))" uuid: "5fe079c6-f01a-52be-87d3-d415231a72ad", } prebuilt_etc { name: "microdroid_init_rc", filename: "init.rc", src: "init.rc", relative_install_path: "init/hw", no_full_install: true, // avoid collision with system partition's init.rc } prebuilt_etc { name: "microdroid_ueventd_rc", filename: "ueventd.rc", src: "ueventd.rc", no_full_install: true, // avoid collision with system partition's ueventd.rc } prebuilt_etc { name: "microdroid_etc_passwd", src: "microdroid_passwd", filename: "passwd", no_full_install: true, } prebuilt_etc { name: "microdroid_etc_group", src: "microdroid_group", filename: "group", no_full_install: true, } prebuilt_root { name: "microdroid_build_prop", filename: "build.prop", src: "build.prop", arch: { x86_64: { src: ":microdroid_build_prop_gen_x86_64", }, arm64: { src: ":microdroid_build_prop_gen_arm64", }, }, no_full_install: true, } java_genrule { name: "microdroid_build_prop_gen_x86_64", srcs: [ "build.prop", ":system-build.prop", ], out: ["build.prop.out"], cmd: "(echo '# build properties from system/build.prop' && " + "grep ro\\.build\\.version\\.codename= $(location :system-build.prop) && " + "grep ro\\.build\\.version\\.release= $(location :system-build.prop) && " + "grep ro\\.build\\.version\\.sdk= $(location :system-build.prop) && " + "grep ro\\.build\\.version\\.security_patch= $(location :system-build.prop) && " + "grep ro\\.build\\.version\\.known_codenames= $(location :system-build.prop) && " + "cat $(location build.prop) && " + "echo ro.product.cpu.abilist=x86_64 && " + "echo ro.product.cpu.abi=x86_64) > $(out)", } java_genrule { name: "microdroid_build_prop_gen_arm64", srcs: [ "build.prop", ":system-build.prop", ], out: ["build.prop.out"], cmd: "(echo '# build properties from system/build.prop' && " + "grep ro\\.build\\.version\\.codename= $(location :system-build.prop) && " + "grep ro\\.build\\.version\\.release= $(location :system-build.prop) && " + "grep ro\\.build\\.version\\.sdk= $(location :system-build.prop) && " + "grep ro\\.build\\.version\\.security_patch= $(location :system-build.prop) && " + "grep ro\\.build\\.version\\.known_codenames= $(location :system-build.prop) && " + "cat $(location build.prop) && " + "echo ro.product.cpu.abilist=arm64-v8a && " + "echo ro.product.cpu.abi=arm64-v8a) > $(out)", } // Need to keep microdroid_vendor for the release configurations that don't // have RELEASE_AVF_ENABLE_VENDOR_MODULES build flag enabled. android_filesystem { name: "microdroid_vendor", partition_name: "vendor", use_avb: true, avb_private_key: ":microdroid_sign_key", avb_algorithm: "SHA256_RSA4096", avb_hash_algorithm: "sha256", file_contexts: ":microdroid_vendor_file_contexts.gen", // For deterministic output, use fake_timestamp, hard-coded uuid fake_timestamp: "1611569676", // python -c "import uuid; print(uuid.uuid5(uuid.NAMESPACE_URL, 'www.android.com/avf/microdroid/vendor'))" uuid: "156d40d7-8d8e-5c99-8913-ec82de549a70", } soong_config_module_type { name: "flag_aware_microdroid_super_partition", module_type: "logical_partition", config_namespace: "ANDROID", bool_variables: [ "release_avf_enable_vendor_modules", ], properties: [ "default_group", ], } flag_aware_microdroid_super_partition { name: "microdroid_super", sparse: true, size: "auto", default_group: [ { name: "system_a", filesystem: ":microdroid", }, ], soong_config_variables: { release_avf_enable_vendor_modules: { conditions_default: { default_group: [ { name: "vendor_a", filesystem: ":microdroid_vendor", }, ], }, }, }, } android_filesystem { name: "microdroid_ramdisk", deps: [ "init_first_stage.microdroid", ], dirs: [ "dev", "proc", "sys", "mnt", "debug_ramdisk", "second_stage_resources", ] + select(release_flag("RELEASE_AVF_ENABLE_DICE_CHANGES"), { true: ["microdroid_resources"], default: [], }), type: "compressed_cpio", } android_filesystem { name: "microdroid_first_stage_ramdisk", deps: [ "microdroid_fstab", ], base_dir: "first_stage_ramdisk", type: "compressed_cpio", symlinks: [ { target: "etc/fstab.microdroid", name: "first_stage_ramdisk/fstab.microdroid", }, { target: "first_stage_ramdisk/lib", name: "lib", }, ], } genrule { name: "microdroid_bootconfig_arm64_gen", srcs: [ "bootconfig.common", "bootconfig.arm64", ], out: ["bootconfig"], cmd: "cat $(in) > $(out)", } genrule { name: "microdroid_bootconfig_x86_64_gen", srcs: [ "bootconfig.common", "bootconfig.x86_64", ], out: ["bootconfig"], cmd: "cat $(in) > $(out)", } filegroup { name: "microdroid_16k_bootconfig_x86_64_gen", srcs: ["bootconfig.x86_64_16k"], } prebuilt_etc { name: "microdroid_fstab", src: "fstab.microdroid", filename: "fstab.microdroid", no_full_install: true, } // python -c "import hashlib; print(hashlib.sha256(b'bootloader').hexdigest())" bootloader_salt = "3b4a12881d11f33cff968a24d7c53723a8232cde9a8d91e29fdbd6a95ae6adf0" filegroup { name: "microdroid_sign_key", srcs: [":pvmfw_embedded_key"], } vbmeta { name: "microdroid_vbmeta", partition_name: "vbmeta", private_key: ":microdroid_sign_key", partitions: [ "microdroid", ] + select(release_flag("RELEASE_AVF_ENABLE_VENDOR_MODULES"), { true: [], default: ["microdroid_vendor"], }), } prebuilt_etc { name: "microdroid.json", src: "microdroid.json", } prebuilt_etc { name: "microdroid_16k.json", src: "microdroid_16k.json", } prebuilt_etc { name: "microdroid_manifest", src: "microdroid_manifest.xml", filename: "manifest.xml", relative_install_path: "vintf", no_full_install: true, } prebuilt_etc { name: "microdroid_event-log-tags", src: "microdroid_event-log-tags", filename: "event-log-tags", no_full_install: true, } filegroup { name: "microdroid_bootconfig_debuggable_src", srcs: ["bootconfig.debuggable"], } filegroup { name: "microdroid_bootconfig_normal_src", srcs: ["bootconfig.normal"], } // python -c "import hashlib; print(hashlib.sha256(b'initrd_normal').hexdigest())" initrd_normal_salt = "8041a07d54ac82290f6d90bac1fa8d7fdbc4db974d101d60faf294749d1ebaf8" avb_gen_vbmeta_image_defaults { name: "microdroid_initrd_defaults", enabled: false, arch: { // Microdroid kernel is only available in these architectures. arm64: { enabled: true, }, x86_64: { enabled: true, }, }, } avb_gen_vbmeta_image_defaults { name: "microdroid_initrd_normal_defaults", defaults: ["microdroid_initrd_defaults"], partition_name: "initrd_normal", salt: initrd_normal_salt, } avb_gen_vbmeta_image { name: "microdroid_initrd_normal_hashdesc", defaults: ["microdroid_initrd_normal_defaults"], src: ":microdroid_initrd_normal", } avb_gen_vbmeta_image { name: "microdroid_16k_initrd_normal_hashdesc", defaults: ["microdroid_initrd_normal_defaults"], src: ":microdroid_16k_initrd_normal", } // python -c "import hashlib; print(hashlib.sha256(b'initrd_debug').hexdigest())" initrd_debug_salt = "8ab9dc9cb7e6456700ff6ef18c6b4c3acc24c5fa5381b829563f8d7a415d869a" avb_gen_vbmeta_image_defaults { name: "microdroid_initrd_debug_defaults", defaults: ["microdroid_initrd_defaults"], partition_name: "initrd_debug", salt: initrd_debug_salt, } avb_gen_vbmeta_image { name: "microdroid_initrd_debug_hashdesc", defaults: ["microdroid_initrd_debug_defaults"], src: ":microdroid_initrd_debuggable", } avb_gen_vbmeta_image { name: "microdroid_16k_initrd_debug_hashdesc", defaults: ["microdroid_initrd_debug_defaults"], src: ":microdroid_16k_initrd_debuggable", } soong_config_module_type { name: "flag_aware_avb_add_hash_footer_defaults", module_type: "avb_add_hash_footer_defaults", config_namespace: "ANDROID", bool_variables: [ "release_avf_enable_llpvm_changes", ], properties: [ "rollback_index", "props", ], } flag_aware_avb_add_hash_footer_defaults { name: "microdroid_kernel_signed_defaults", src: ":empty_file", partition_name: "boot", private_key: ":microdroid_sign_key", salt: bootloader_salt, enabled: false, arch: { arm64: { enabled: true, }, x86_64: { enabled: true, }, }, // Below are properties that are conditionally set depending on value of build flags. soong_config_variables: { release_avf_enable_llpvm_changes: { rollback_index: 1, props: [ { name: "com.android.virt.cap", value: "secretkeeper_protection", }, ], }, }, } avb_add_hash_footer { name: "microdroid_kernel_signed", defaults: ["microdroid_kernel_signed_defaults"], filename: "microdroid_kernel", arch: { arm64: { src: ":microdroid_kernel_prebuilt-arm64", }, x86_64: { src: ":microdroid_kernel_prebuilt-x86_64", }, }, include_descriptors_from_images: [ ":microdroid_initrd_normal_hashdesc", ":microdroid_initrd_debug_hashdesc", ], } prebuilt_etc { name: "microdroid_kernel", src: ":empty_file", relative_install_path: "fs", arch: { arm64: { src: ":microdroid_kernel_signed", }, x86_64: { src: ":microdroid_kernel_signed", }, }, } avb_add_hash_footer { name: "microdroid_kernel_16k_signed", defaults: ["microdroid_kernel_signed_defaults"], filename: "microdroid_kernel_16k", arch: { arm64: { src: ":microdroid_kernel_16k_prebuilt-arm64", }, // There is no 16k x86_64 kernel. Instead the 16k emulation is triggered by adding // `page_shift=14` to the kernel cmdline or bootconfig. x86_64: { src: ":microdroid_kernel_prebuilt-x86_64", }, }, include_descriptors_from_images: [ ":microdroid_16k_initrd_normal_hashdesc", ":microdroid_16k_initrd_debug_hashdesc", ], } prebuilt_etc { name: "microdroid_kernel_16k", src: ":empty_file", relative_install_path: "fs", arch: { arm64: { src: ":microdroid_kernel_16k_signed", }, x86_64: { src: ":microdroid_kernel_16k_signed", }, }, } /////////////////////////////////////// // GKI-android15-6.6 /////////////////////////////////////// prebuilt_etc { name: "microdroid_gki-android15-6.6.json", src: "microdroid_gki-android15-6.6.json", } avb_add_hash_footer { name: "microdroid_gki-android15-6.6_kernel_signed", defaults: ["microdroid_kernel_signed_defaults"], filename: "microdroid_gki-android15-6.6_kernel_signed", arch: { arm64: { src: ":microdroid_gki_kernel_prebuilts-android15-6.6-arm64", }, x86_64: { src: ":microdroid_gki_kernel_prebuilts-android15-6.6-x86_64", }, }, include_descriptors_from_images: [ ":microdroid_gki-android15-6.6_initrd_normal_hashdesc", ":microdroid_gki-android15-6.6_initrd_debug_hashdesc", ], } // HACK: use cc_genrule for arch-specific properties cc_genrule { name: "microdroid_gki-android15-6.6_kernel_signed-lz4", out: ["microdroid_gki-android15-6.6_kernel_signed-lz4"], srcs: [":empty_file"], arch: { arm64: { srcs: [":microdroid_gki-android15-6.6_kernel_signed"], exclude_srcs: [":empty_file"], }, }, tools: ["lz4"], cmd: "$(location lz4) -9 $(in) $(out)", } prebuilt_etc { name: "microdroid_gki-android15-6.6_kernel", filename: "microdroid_gki-android15-6.6_kernel", src: ":empty_file", relative_install_path: "fs", arch: { arm64: { src: ":microdroid_gki-android15-6.6_kernel_signed", }, x86_64: { src: ":microdroid_gki-android15-6.6_kernel_signed", }, }, } avb_gen_vbmeta_image { name: "microdroid_gki-android15-6.6_initrd_normal_hashdesc", defaults: ["microdroid_initrd_normal_defaults"], src: ":microdroid_gki-android15-6.6_initrd_normal", } avb_gen_vbmeta_image { name: "microdroid_gki-android15-6.6_initrd_debug_hashdesc", defaults: ["microdroid_initrd_debug_defaults"], src: ":microdroid_gki-android15-6.6_initrd_debuggable", } python_binary_host { name: "extract_microdroid_kernel_hashes", srcs: ["extract_microdroid_kernel_hashes.py"], } // HACK: use cc_genrule for arch-specific properties cc_genrule { name: "microdroid_kernel_hashes_rs", compile_multilib: "first", srcs: [":microdroid_kernel"], arch: { arm64: { srcs: [ ":microdroid_gki-android15-6.6_kernel_signed", ], }, x86_64: { srcs: [ ":microdroid_gki-android15-6.6_kernel_signed", ], }, }, out: ["lib.rs"], tools: [ "extract_microdroid_kernel_hashes", "avbtool", ], cmd: "$(location extract_microdroid_kernel_hashes) --avbtool $(location avbtool) " + "--kernel $(in) > $(out)", } rust_library_rlib { name: "libmicrodroid_kernel_hashes", compile_multilib: "first", srcs: [":microdroid_kernel_hashes_rs"], crate_name: "microdroid_kernel_hashes", prefer_rlib: true, no_stdlibs: true, stdlibs: [ "libcompiler_builtins.rust_sysroot", "libcore.rust_sysroot", ], }