Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 2a788661e319c42177f7852c9d6985ad37619171^! / .
commit2a788661e319c42177f7852c9d6985ad37619171[log] [tgz]
authorShikha Panwar <shikhapanwar@google.com>Mon Sep 11 14:04:24 2023 +0000
committerShikha Panwar <shikhapanwar@google.com>Tue Sep 12 14:17:52 2023 +0000
treeb1fb9d07c1110985ed16a35435d6a3da1cd28479
parent3d3a70a04aae0e4d2362514d9843f997c8143cdd [diff]
Set rollback_index of microdroid_kernel to 1

This index (which will be part of vbmeta footer of kernel image) will be
used as the security_version in Dice node of microdroid_kernel.

Also modify sign_virt_apex.py to include the flag, for signing prod
builds.

TrunkStableCompliance: We create flag_aware_avb_add_hash_footer target
which allows for conditionally including rollback_index for target. We
have enabled it only if release_avf_enable_llpvm_changes is true.

Test: avbtool info_image --image [path_to_built_image]
Bug: 296830692
Change-Id: I64f2732fc0cb405799e523fc7ded772270179986

diff --git a/apex/sign_virt_apex.py b/apex/sign_virt_apex.py
index a42f5ec..8257aae 100644
--- a/apex/sign_virt_apex.py
+++ b/apex/sign_virt_apex.py

@@ -231,6 +231,9 @@
         if additional_descriptors:
             for image in additional_descriptors:
                 cmd.extend(['--include_descriptors_from_image', image])
+
+        if 'Rollback Index' in info:
+            cmd.extend(['--rollback_index', info['Rollback Index']])
         RunCommand(args, cmd)
 
 

diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 00831dd..bac93a4 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp

@@ -409,7 +409,19 @@
     },
 }
 
-avb_add_hash_footer {
+soong_config_module_type {
+    name: "flag_aware_avb_add_hash_footer",
+    module_type: "avb_add_hash_footer",
+    config_namespace: "ANDROID",
+    bool_variables: [
+        "release_avf_enable_llpvm_changes",
+    ],
+    properties: [
+        "rollback_index",
+    ],
+}
+
+flag_aware_avb_add_hash_footer {
     name: "microdroid_kernel_signed",
     src: ":empty_file",
     filename: "microdroid_kernel",
@@ -431,6 +443,12 @@
         ":microdroid_initrd_normal_hashdesc",
         ":microdroid_initrd_debug_hashdesc",
     ],
+    // Below are properties that are conditionally set depending on value of build flags.
+    soong_config_variables: {
+        release_avf_enable_llpvm_changes: {
+            rollback_index: 1,
+        },
+    },
 }
 
 prebuilt_etc {
@@ -447,7 +465,7 @@
     },
 }
 
-avb_add_hash_footer {
+flag_aware_avb_add_hash_footer {
     name: "microdroid_kernel_with_modules_signed",
     src: ":empty_file",
     filename: "microdroid_kernel_with_modules",
@@ -465,6 +483,12 @@
         ":microdroid_initrd_normal_hashdesc",
         ":microdroid_initrd_debug_hashdesc",
     ],
+    // Below are properties that are conditionally set depending on value of build flags.
+    soong_config_variables: {
+        release_avf_enable_llpvm_changes: {
+            rollback_index: 1,
+        },
+    },
 }
 
 prebuilt_etc {