Change /data to tmpfs
For security reasons, we will use tmpfs for /data. It should contain only
small, temporary files for now.
vold is removed as it's redundant now. MicrodroidTestCase's boot marker
is also updated because logd reinit won't happen if vold is removed.
Bug: 185767624
Test: atest MicrodroidHostTestCases
Change-Id: I3f60d5dfad2519b6d593a3f514bb50c50019b526
diff --git a/apex/Android.bp b/apex/Android.bp
index 9c0ef23..3db4c1a 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -60,7 +60,6 @@
"com.android.virt.init.rc",
"microdroid_cdisk.json",
"microdroid_cdisk_env.json",
- "microdroid_cdisk_userdata.json",
"microdroid_payload.json",
"microdroid_uboot_env",
"microdroid_bootloader",
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 8ccced7..b878b3e 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -57,8 +57,6 @@
"logd",
"run-as",
"secilc",
- "mke2fs",
- "e2fsdroid",
// "com.android.adbd" requires these,
"libadbd_auth",
@@ -69,15 +67,11 @@
"apexd",
"debuggerd",
- "e2fsck",
"keystore2",
"linker",
"linkerconfig",
"servicemanager",
"tombstoned",
- "tune2fs",
- "vdc",
- "vold",
"wait_for_keymaster",
"cgroups.json",
"public.libraries.android.txt",
@@ -218,8 +212,7 @@
cmdline: microdroid_boot_cmdline +
"pci=noacpi " +
"androidboot.boot_devices=pci0000:00/0000:00:01.0," + // os
- "pci0000:00/0000:00:03.0," + // payload
- "pci0000:00/0000:00:04.0", // userdata
+ "pci0000:00/0000:00:03.0", // payload
},
},
dtb_prebuilt: "dummy_dtb.img",
@@ -404,11 +397,6 @@
}
prebuilt_etc {
- name: "microdroid_cdisk_userdata.json",
- src: "microdroid_cdisk_userdata.json",
-}
-
-prebuilt_etc {
name: "microdroid_payload.json",
src: "microdroid_payload.json",
}
diff --git a/microdroid/README.md b/microdroid/README.md
index 489791a..6b9f4b1 100644
--- a/microdroid/README.md
+++ b/microdroid/README.md
@@ -105,16 +105,6 @@
{
"image": "/data/local/tmp/microdroid/payload.img",
"writable": false
- },
- {
- "partitions": [
- {
- "label": "userdata",
- "path": "/data/local/tmp/microdroid/userdata.img",
- "writable": true
- }
- ],
- "writable": true
}
]
}
@@ -129,7 +119,6 @@
$ adb root
$ adb shell 'mkdir /data/local/tmp/microdroid'
$ adb shell 'dd if=/dev/zero of=/data/local/tmp/microdroid/misc.img bs=4k count=256'
-$ adb shell 'dd if=/dev/zero of=/data/local/tmp/microdroid/userdata.img bs=1 count=0 seek=4G'
$ adb shell 'cd /data/local/tmp/microdroid; /apex/com.android.virt/bin/mk_payload /apex/com.android.virt/etc/microdroid_payload.json payload.img'
$ adb shell 'chmod go+r /data/local/tmp/microdroid/payload*'
$ adb push microdroid.json /data/local/tmp/microdroid/microdroid.json
diff --git a/microdroid/fstab.microdroid b/microdroid/fstab.microdroid
index fd8d395..129718e 100644
--- a/microdroid/fstab.microdroid
+++ b/microdroid/fstab.microdroid
@@ -1,4 +1,2 @@
system /system ext4 noatime,ro,errors=panic wait,first_stage_mount,logical
vendor /vendor ext4 noatime,ro,errors=panic wait,first_stage_mount,logical
-
-/dev/block/by-name/userdata /data ext4 noatime,nosuid,nodev,errors=panic latemount,wait,check,formattable,fileencryption=aes-256-xts
diff --git a/microdroid/init.rc b/microdroid/init.rc
index 074e118..2385d8f 100644
--- a/microdroid/init.rc
+++ b/microdroid/init.rc
@@ -99,9 +99,6 @@
trigger early-boot
trigger boot
-on early-fs
- start vold
-
on post-fs
# Once everything is setup, no need to modify /.
# The bind+remount combination allows this to work in containers.
@@ -114,7 +111,8 @@
exec_start wait_for_keymaster
- mount_all /vendor/etc/fstab.microdroid --late
+ # TODO(b/185767624): change the hard-coded size?
+ mount tmpfs tmpfs /data noatime nosuid nodev rw size=128M
on post-fs-data
mark_post_data
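Review bot: The added `mount tmpfs tmpfs /data noatime nosuid nodev rw size=128M` line passes no `mode=`, `uid=` or `gid=` option, so the root of /data gets the tmpfs default of mode 1777 owned by root, which is world-writable. Unless a chmod/chown outside this hunk tightens it, set the ownership in the option string, e.g. `mount tmpfs tmpfs /data noatime nosuid nodev rw size=128M,mode=0771,uid=1000,gid=1000`, with the values confirmed against what the old userdata image used. Since the commit message says /data should hold only small temporary files, adding `noexec` to the flags is also worth considering if nothing needs to execute from there. The enclosing `on` section starts outside the hunk.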
@@ -126,25 +124,22 @@
# We restorecon /data in case the userdata partition has been reset.
restorecon /data
- # Make sure we have the device encryption key.
- installkey /data
-
- mkdir /data/vendor 0771 root root encryption=Require
- mkdir /data/vendor_ce 0771 root root encryption=None
- mkdir /data/vendor_de 0771 root root encryption=None
+ mkdir /data/vendor 0771 root root
+ mkdir /data/vendor_ce 0771 root root
+ mkdir /data/vendor_de 0771 root root
mkdir /data/vendor/hardware 0771 root root
# Start tombstoned early to be able to store tombstones.
# microdroid doesn't have anr, but tombstoned requires it
- mkdir /data/anr 0775 system system encryption=Require
- mkdir /data/tombstones 0771 system system encryption=Require
+ mkdir /data/anr 0775 system system
+ mkdir /data/tombstones 0771 system system
mkdir /data/vendor/tombstones 0771 root root
start tombstoned
# set up keystore directory structure first so that we can end early boot
# and start apexd
- mkdir /data/misc 01771 system misc encryption=Require
+ mkdir /data/misc 01771 system misc
mkdir /data/misc/keystore 0700 keystore keystore
# work around b/183668221
restorecon /data/misc /data/misc/keystore
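Review bot: The context comment `# We restorecon /data in case the userdata partition has been reset.` above `restorecon /data` is stale, because this commit removes the userdata partition and /data is now an empty tmpfs on every boot. Reword it along the lines of `# /data is a fresh tmpfs on each boot; label it before creating subdirectories.` It would also help to add a short comment above the `mkdir` lines explaining that `encryption=` was dropped because the contents live only in memory, and that anything under /data/misc/keystore therefore does not survive a reboot. The enclosing `on post-fs-data` section continues outside the hunk.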
@@ -155,15 +150,9 @@
# to leave room for earlier levels.
setprop keystore.boot_level 30
- # Now that /data is mounted and we have created /data/misc/keystore,
- # we can tell keystore to stop allowing use of early-boot keys,
- # and access its database for the first time to support creation and
- # use of MAX_BOOT_LEVEL keys.
- exec - system system -- /system/bin/vdc keymaster earlyBootEnded
-
# For security reasons, /data/local/tmp should always be empty.
# Do not place files or directories in /data/local/tmp
- mkdir /data/local 0751 root root encryption=Require
+ mkdir /data/local 0751 root root
mkdir /data/local/tmp 0771 shell shell
service ueventd /system/bin/ueventd
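Review bot: With the `exec - system system -- /system/bin/vdc keymaster earlyBootEnded` line removed, nothing visible in this hunk tells keystore that early boot has ended. According to the deleted comment, that call stopped early-boot keys from being usable. If no other component outside this diff sends that signal, early-boot-only keys may stay usable for the lifetime of the VM. At minimum leave a marker after `setprop keystore.boot_level 30`, such as `# TODO(b/<bug-id>): signal earlyBootEnded to keystore without vold/vdc`, and ideally replace the call with an equivalent that does not depend on vold.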
@@ -189,6 +178,3 @@
on property:sys.boot_completed=1
start logd-auditctl
-
-on property:vold.decrypt=trigger_post_fs_data
- trigger post-fs-data
diff --git a/microdroid/microdroid_cdisk_userdata.json b/microdroid/microdroid_cdisk_userdata.json
deleted file mode 100644
index 04af3f2..0000000
--- a/microdroid/microdroid_cdisk_userdata.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{
- "partitions": [
- {
- "label": "userdata",
- "path": "userdata.img",
- "writable": true
- }
- ]
-}
diff --git a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
index b3c3e27..a1043f7 100644
--- a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
+++ b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
@@ -78,13 +78,11 @@
+ "cp %setc/microdroid_bootloader bootloader && "
+ "cp %setc/fs/*.img . && "
+ "cp %setc/uboot_env.img . && "
- + "dd if=/dev/zero of=misc.img bs=4k count=256 && "
- + "dd if=/dev/zero of=userdata.img bs=1 count=0 seek=4G && "
- + "mkfs.ext4 userdata.img",
+ + "dd if=/dev/zero of=misc.img bs=4k count=256",
TEST_ROOT, TEST_ROOT, VIRT_APEX, VIRT_APEX, VIRT_APEX);
getDevice().executeShellCommand(prepareImagesCmd);
- // Create os_composite.img, env_composite.img, userdata.img, and payload.img
+ // Create os_composite.img, env_composite.img, and payload.img
String makeOsCompositeCmd =
String.format(
"cd %s; %sbin/mk_cdisk %setc/microdroid_cdisk.json os_composite.img",
@@ -95,12 +93,6 @@
"cd %s; %sbin/mk_cdisk %setc/microdroid_cdisk_env.json env_composite.img",
TEST_ROOT, VIRT_APEX, VIRT_APEX);
getDevice().executeShellCommand(makeEnvCompositeCmd);
- String makeDataCompositeCmd =
- String.format(
- "cd %s; %sbin/mk_cdisk %setc/microdroid_cdisk_userdata.json"
- + " userdata_composite.img",
- TEST_ROOT, VIRT_APEX, VIRT_APEX);
- getDevice().executeShellCommand(makeDataCompositeCmd);
String makePayloadCompositeCmd =
String.format(
"cd %s; %sbin/mk_payload %setc/microdroid_payload.json payload.img",
@@ -113,7 +105,6 @@
Arrays.asList(
TEST_ROOT + "/os_composite.img",
TEST_ROOT + "/env_composite.img",
- TEST_ROOT + "/userdata_composite.img",
TEST_ROOT + "/payload.img"));
CommandResult result =
getDevice().executeShellV2Command("du -b " + String.join(" ", compositeImages));
@@ -126,8 +117,7 @@
String.format(
"cd %s; %sbin/crosvm run --cid=%d --disable-sandbox --bios=bootloader"
+ " --serial=type=syslog --disk=os_composite.img"
- + " --disk=env_composite.img --disk=payload.img"
- + " --rwdisk=userdata_composite.img &",
+ + " --disk=env_composite.img --disk=payload.img &",
TEST_ROOT, VIRT_APEX, TEST_VM_CID);
executor.execute(
() -> {
@@ -193,7 +183,7 @@
private void waitForMicrodroidBoot(long timeoutMinutes) throws Exception {
// Wait for a specific log from logd
// TODO(jiyong): use a more reasonable marker
- final String pattern = "logd:\\ logd\\ reinit";
+ final String pattern = "logd.auditd: start";
getDevice()
.executeShellV2Command(
"logcat --regex=\"" + pattern + "\" -m 1",
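Review bot: The new marker `"logd.auditd: start"` is passed to `logcat --regex`, so the unescaped `.` matches any character rather than a literal dot. The old pattern escaped its special characters, and doing the same here keeps the match exact: `final String pattern = "logd\\.auditd: start";`. The body of waitForMicrodroidBoot continues outside the hunk.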