Inseob Kim53391842024-03-29 17:44:07 +09001// Copyright (C) 2024 The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15package filesystem
16
17import (
Spandan Dasd86882b2024-10-17 21:10:48 +000018 "fmt"
Inseob Kim53391842024-03-29 17:44:07 +090019 "path/filepath"
20 "strings"
21
22 "android/soong/android"
23)
24
// fsverityProperties holds the fsverity settings read through
// f.properties.Fsverity by the filesystem module.
type fsverityProperties struct {
	// Inputs lists the file patterns that select files for fsverity metadata
	// generation. Every matching file gets a companion .fsv_meta file in the
	// filesystem image, and etc/security/fsverity/BuildManifest.apk is generated
	// as well, carrying information about the generated .fsv_meta files.
	// A file that matches no pattern gets no metadata.
	Inputs []string

	// Libs lists the APK libraries that etc/security/fsverity/BuildManifest.apk
	// is linked against.
	Libs []string `android:"path"`
}
35
// writeManifestGeneratorListFile builds the file list handed to the fsverity
// manifest generator and passes it to android.WriteFileRuleVerbatim for
// outputPath. The list holds one line per entry of matchedSpecs: the spec's
// package-relative path joined onto rebasedDir, followed by a newline.
//
// Entries are newline-delimited and written verbatim, so the list is only
// unambiguous while no path itself contains a newline.
func (f *filesystem) writeManifestGeneratorListFile(ctx android.ModuleContext, outputPath android.WritablePath, matchedSpecs []android.PackagingSpec, rebasedDir android.OutputPath) {
	var listing strings.Builder
	for i := range matchedSpecs {
		entry := rebasedDir.Join(ctx, matchedSpecs[i].RelPathInPackage())
		listing.WriteString(entry.String() + "\n")
	}
	android.WriteFileRuleVerbatim(ctx, outputPath, listing.String())
}
44
// buildFsverityMetadataFiles generates the text of a shell script
// (fsverity_builder.sh in the module output directory) and adds a command to
// builder that runs it. The script:
//
//  1. writes a .fsv_meta file next to every packaging spec whose relative path
//     matches one of the fsverity.inputs patterns,
//  2. generates build_manifest.pb for those files, links it into
//     BuildManifest.apk with aapt2, and signs that APK with apksigner.
//
// specs maps package-relative paths to packaging specs; rootDir is passed to the
// manifest generator as --base-dir; rebasedDir is the directory the matched files
// and the generated outputs are resolved against. If no spec matches, the
// function returns without generating anything, BuildManifest.apk included.
//
// NOTE(review): every path and config value is concatenated into the script
// without shell quoting. This relies on those strings never containing
// whitespace or shell metacharacters — confirm that packaging specs and the
// config values used below cannot carry such characters.
func (f *filesystem) buildFsverityMetadataFiles(ctx android.ModuleContext, builder *android.RuleBuilder, specs map[string]android.PackagingSpec, rootDir android.OutputPath, rebasedDir android.OutputPath) {
	// match reports whether path matches any fsverity.inputs pattern.
	// filepath.Match wildcards do not cross path separators, so a pattern only
	// selects files at the directory depth it spells out; anything it misses is
	// left without fsverity metadata. A malformed pattern is reported as a
	// property error and ends the search for this path with "no match".
	match := func(path string) bool {
		for _, pattern := range f.properties.Fsverity.Inputs {
			if matched, err := filepath.Match(pattern, path); matched {
				return true
			} else if err != nil {
				ctx.PropertyErrorf("fsverity.inputs", "bad pattern %q", pattern)
				return false
			}
		}
		return false
	}

	// Walk the specs in sorted key order so the generated script and file list
	// are deterministic.
	var matchedSpecs []android.PackagingSpec
	for _, relPath := range android.SortedKeys(specs) {
		if match(relPath) {
			matchedSpecs = append(matchedSpecs, specs[relPath])
		}
	}

	if len(matchedSpecs) == 0 {
		return
	}

	fsverityBuilderPath := android.PathForModuleOut(ctx, "fsverity_builder.sh")
	metadataGeneratorPath := ctx.Config().HostToolPath(ctx, "fsverity_metadata_generator")
	fsverityPath := ctx.Config().HostToolPath(ctx, "fsverity")

	// The command itself only names the generated script; everything the script
	// invokes or reads is declared below through Implicit/Implicits.
	cmd := builder.Command().Tool(fsverityBuilderPath)

	// STEP 1: generate .fsv_meta
	var sb strings.Builder
	// "set -e" makes the script stop at the first failing command.
	sb.WriteString("set -e\n")
	cmd.Implicit(metadataGeneratorPath).Implicit(fsverityPath)
	for _, spec := range matchedSpecs {
		// srcPath is copied by CopySpecsToDir()
		srcPath := rebasedDir.Join(ctx, spec.RelPathInPackage())
		destPath := rebasedDir.Join(ctx, spec.RelPathInPackage()+".fsv_meta")
		// One generator invocation per file. The metadata is produced with
		// "--signature none" and SHA-256, i.e. the .fsv_meta files themselves are
		// unsigned; the only signing step in this function is on the APK in
		// STEP 2-3.
		sb.WriteString(metadataGeneratorPath.String())
		sb.WriteString(" --fsverity-path ")
		sb.WriteString(fsverityPath.String())
		sb.WriteString(" --signature none --hash-alg sha256 --output ")
		sb.WriteString(destPath.String())
		sb.WriteRune(' ')
		sb.WriteString(srcPath.String())
		sb.WriteRune('\n')
		// NOTE(review): appendToEntry is defined elsewhere in the package; its
		// effect is not visible here.
		f.appendToEntry(ctx, destPath)
	}

	// STEP 2: generate signed BuildManifest.apk
	// STEP 2-1: generate build_manifest.pb
	assetsPath := android.PathForModuleOut(ctx, "fsverity_manifest/assets")
	manifestPbPath := assetsPath.Join(ctx, "build_manifest.pb")
	manifestGeneratorPath := ctx.Config().HostToolPath(ctx, "fsverity_manifest_generator")
	cmd.Implicit(manifestGeneratorPath)
	// Recreate the assets directory from scratch so nothing left over from an
	// earlier run ends up in the APK's assets.
	sb.WriteString("rm -rf ")
	sb.WriteString(assetsPath.String())
	sb.WriteString(" && mkdir -p ")
	sb.WriteString(assetsPath.String())
	sb.WriteRune('\n')
	sb.WriteString(manifestGeneratorPath.String())
	sb.WriteString(" --fsverity-path ")
	sb.WriteString(fsverityPath.String())
	sb.WriteString(" --base-dir ")
	sb.WriteString(rootDir.String())
	sb.WriteString(" --output ")
	sb.WriteString(manifestPbPath.String())
	sb.WriteRune(' ')
	f.appendToEntry(ctx, manifestPbPath)

	// The files to describe are handed over as "@<list file>" rather than as
	// individual arguments; the list file holds one path per line and is written
	// by writeManifestGeneratorListFile.
	// NOTE(review): presumably the generator expands the @-argument as an
	// argument file — confirm against the tool.
	manifestGeneratorListPath := android.PathForModuleOut(ctx, "fsverity_manifest.list")
	f.writeManifestGeneratorListFile(ctx, manifestGeneratorListPath, matchedSpecs, rebasedDir)
	sb.WriteRune('@')
	sb.WriteString(manifestGeneratorListPath.String())
	sb.WriteRune('\n')
	cmd.Implicit(manifestGeneratorListPath)
	f.appendToEntry(ctx, manifestGeneratorListPath)

	// STEP 2-2: generate BuildManifest.apk (unsigned)
	aapt2Path := ctx.Config().HostToolPath(ctx, "aapt2")
	// The system_ext partition gets its own APK name (BuildManifestSystemExt.apk);
	// every other partition type uses BuildManifest.apk.
	apkNameSuffix := ""
	if f.PartitionType() == "system_ext" {
		//https://source.corp.google.com/h/googleplex-android/platform/build/+/e392d2b486c2d4187b20a72b1c67cc737ecbcca5:core/Makefile;l=3410;drc=ea8f34bc1d6e63656b4ec32f2391e9d54b3ebb6b;bpv=1;bpt=0
		apkNameSuffix = "SystemExt"
	}
	apkPath := rebasedDir.Join(ctx, "etc", "security", "fsverity", fmt.Sprintf("BuildManifest%s.apk", apkNameSuffix))
	idsigPath := rebasedDir.Join(ctx, "etc", "security", "fsverity", fmt.Sprintf("BuildManifest%s.apk.idsig", apkNameSuffix))
	manifestTemplatePath := android.PathForSource(ctx, "system/security/fsverity/AndroidManifest.xml")
	libs := android.PathsForModuleSrc(ctx, f.properties.Fsverity.Libs)
	cmd.Implicit(aapt2Path)
	cmd.Implicit(manifestTemplatePath)
	cmd.Implicits(libs)
	cmd.ImplicitOutput(apkPath)

	sb.WriteString(aapt2Path.String())
	sb.WriteString(" link -o ")
	sb.WriteString(apkPath.String())
	sb.WriteString(" -A ")
	sb.WriteString(assetsPath.String())
	for _, lib := range libs {
		sb.WriteString(" -I ")
		sb.WriteString(lib.String())
	}
	// Use the platform SDK codename as the minimum SDK version, except when the
	// codename is "REL", where the numeric platform SDK version is used instead.
	minSdkVersion := ctx.Config().PlatformSdkCodename()
	if minSdkVersion == "REL" {
		minSdkVersion = ctx.Config().PlatformSdkVersion().String()
	}
	sb.WriteString(" --min-sdk-version ")
	sb.WriteString(minSdkVersion)
	sb.WriteString(" --version-code ")
	sb.WriteString(ctx.Config().PlatformSdkVersion().String())
	sb.WriteString(" --version-name ")
	sb.WriteString(ctx.Config().AppsDefaultVersionName())
	sb.WriteString(" --manifest ")
	sb.WriteString(manifestTemplatePath.String())
	// The package name is made partition-specific by appending the partition name.
	sb.WriteString(" --rename-manifest-package com.android.security.fsverity_metadata.")
	sb.WriteString(f.partitionName())
	sb.WriteRune('\n')

	f.appendToEntry(ctx, apkPath)

	// STEP 2-3: sign BuildManifest.apk
	// The APK is signed in place with the certificate/key pair returned by
	// DefaultAppCertificate; only the paths to those files appear in the script.
	// NOTE(review): which key that is depends on the build configuration, and
	// whether the APK is re-signed later for release is not visible here — confirm
	// before relying on this signature as the trust anchor for the manifest.
	apksignerPath := ctx.Config().HostToolPath(ctx, "apksigner")
	pemPath, keyPath := ctx.Config().DefaultAppCertificate(ctx)
	cmd.Implicit(apksignerPath)
	cmd.Implicit(pemPath)
	cmd.Implicit(keyPath)
	// The .idsig file is declared as an output although the apksigner command
	// line below does not name it.
	// NOTE(review): presumably apksigner writes it next to the APK as part of
	// v4 signing — confirm.
	cmd.ImplicitOutput(idsigPath)
	sb.WriteString(apksignerPath.String())
	sb.WriteString(" sign --in ")
	sb.WriteString(apkPath.String())
	sb.WriteString(" --cert ")
	sb.WriteString(pemPath.String())
	sb.WriteString(" --key ")
	sb.WriteString(keyPath.String())
	sb.WriteRune('\n')

	f.appendToEntry(ctx, idsigPath)

	// Hand the accumulated script text to the rule that writes fsverityBuilderPath.
	android.WriteExecutableFileRuleVerbatim(ctx, fsverityBuilderPath, sb.String())
}
185}