Add support for multiple GKI versions on VM
The virt APEX can now contain multiple GKI versions for microdroid. The
behavior changes are:
- An OS name of the form "microdroid_gki-{ver}" is used to specify the GKI version.
- vm info shows the available versions.
- The gki option of the vm tool takes a parameter, e.g. "--gki 6.1".
Some code is refactored:
- Android.bp: defaults modules are added for deduplication.
- sign_virt_apex.py: gki_versions are added to remove hard-coded
version (6.1).
Bug: 302465542
Test: vm info, vm run-microdroid --gki 6.1
Test: sign_virt_apex_test
Change-Id: I443a9e5a98d20d3c9337f2c13156590b4538c90b
diff --git a/apex/Android.bp b/apex/Android.bp
index f2a0d64..d3e736f 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -142,10 +142,10 @@
},
release_avf_enable_vendor_modules: {
prebuilts: [
- "microdroid_gki_initrd_debuggable",
- "microdroid_gki_initrd_normal",
- "microdroid_gki_kernel",
- "microdroid_gki.json",
+ "microdroid_gki-6.1_initrd_debuggable",
+ "microdroid_gki-6.1_initrd_normal",
+ "microdroid_gki-6.1_kernel",
+ "microdroid_gki-6.1.json",
],
},
},
diff --git a/apex/sign_virt_apex.py b/apex/sign_virt_apex.py
index 7393636..0c5bc72 100644
--- a/apex/sign_virt_apex.py
+++ b/apex/sign_virt_apex.py
@@ -410,21 +410,35 @@
'--output_vbmeta_image', output]
RunCommand(args, cmd)
+
+gki_versions = ['6.1']
+
# dict of (key, file) for re-sign/verification. keys are un-versioned for readability.
-virt_apex_files = {
+virt_apex_non_gki_files = {
'kernel': 'etc/fs/microdroid_kernel',
- 'gki_kernel': 'etc/fs/microdroid_gki_kernel',
'vbmeta.img': 'etc/fs/microdroid_vbmeta.img',
'super.img': 'etc/fs/microdroid_super.img',
'initrd_normal.img': 'etc/microdroid_initrd_normal.img',
- 'gki_initrd_normal.img': 'etc/microdroid_gki_initrd_normal.img',
'initrd_debuggable.img': 'etc/microdroid_initrd_debuggable.img',
- 'gki_initrd_debuggable.img': 'etc/microdroid_gki_initrd_debuggable.img',
}
-
def TargetFiles(input_dir):
- return {k: os.path.join(input_dir, v) for k, v in virt_apex_files.items()}
+ ret = {k: os.path.join(input_dir, v) for k, v in virt_apex_non_gki_files.items()}
+
+ for ver in gki_versions:
+ kernel = os.path.join(input_dir, f'etc/fs/microdroid_gki-{ver}_kernel')
+ initrd_normal = os.path.join(input_dir, f'etc/microdroid_gki-{ver}_initrd_normal.img')
+ initrd_debug = os.path.join(input_dir, f'etc/microdroid_gki-{ver}_initrd_debuggable.img')
+
+ if os.path.isfile(kernel):
+ ret[f'gki-{ver}_kernel'] = kernel
+ ret[f'gki-{ver}_initrd_normal.img'] = initrd_normal
+ ret[f'gki-{ver}_initrd_debuggable.img'] = initrd_debug
+
+ return ret
+
+def IsInitrdImage(path):
+ return path.endswith('initrd_normal.img') or path.endswith('initrd_debuggable.img')
def SignVirtApex(args):
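Review bot: A GKI kernel whose version is not in the hard-coded `gki_versions` list is dropped silently by `TargetFiles()`, and as far as these hunks show it is then neither re-signed in SignVirtApex nor checked in VerifyVirtApex, since both now work from this list or the returned dict. Failing when `etc/fs` holds a `microdroid_gki-*_kernel` that the list does not cover would keep a newly added version from shipping with its original key unnoticed. Separately, only the kernel is tested with `os.path.isfile`; the two initrd paths are added unchecked. The fence shows the extra check only; the per-version loop stays as it is.

```python
def TargetFiles(input_dir):
    ret = {k: os.path.join(input_dir, v) for k, v in virt_apex_non_gki_files.items()}

    # Fail closed: a GKI kernel that gki_versions does not list would otherwise
    # be skipped by both re-signing and verification.
    known = {f'microdroid_gki-{ver}_kernel' for ver in gki_versions}
    fs_dir = os.path.join(input_dir, 'etc/fs')
    if os.path.isdir(fs_dir):
        for name in os.listdir(fs_dir):
            if name.startswith('microdroid_gki-') and name.endswith('_kernel'):
                assert name in known, f'GKI kernel not in gki_versions: {name}'

    # … unchanged: per-version loop adding kernel and initrd entries …

    return ret
```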
@@ -461,13 +475,9 @@
images=images,
wait=images_f)
- has_gki_kernel = os.path.isfile(files['gki_kernel'])
-
vbmeta_bc_f = None
if not args.do_not_update_bootconfigs:
- initrd_files = [files['initrd_normal.img'], files['initrd_debuggable.img']]
- if has_gki_kernel:
- initrd_files += [files['gki_initrd_normal.img'], files['gki_initrd_debuggable.img']]
+ initrd_files = [v for k, v in files.items() if IsInitrdImage(k)]
vbmeta_bc_f = Async(UpdateVbmetaBootconfig, args, initrd_files,
files['vbmeta.img'],
wait=[vbmeta_f])
@@ -493,8 +503,12 @@
resign_kernel('kernel', 'initrd_normal.img', 'initrd_debuggable.img')
- if has_gki_kernel:
- resign_kernel('gki_kernel', 'gki_initrd_normal.img', 'gki_initrd_debuggable.img')
+ for ver in gki_versions:
+ if f'gki-{ver}_kernel' in files:
+ resign_kernel(
+ f'gki-{ver}_kernel',
+ f'gki-{ver}_initrd_normal.img',
+ f'gki-{ver}_initrd_debuggable.img')
def VerifyVirtApex(args):
@@ -518,12 +532,11 @@
assert info is not None, f'no avbinfo: {file}'
assert info['Public key (sha1)'] == pubkey_digest, f'pubkey mismatch: {file}'
- for f in files.values():
- if f in (files['initrd_normal.img'], files['initrd_debuggable.img'],
- files['gki_initrd_normal.img'], files['gki_initrd_debuggable.img']):
+ for k, f in files.items():
+ if IsInitrdImage(k):
# TODO(b/245277660): Verify that ramdisks contain the correct vbmeta digest
continue
- if f == files['super.img']:
+ if k == 'super.img':
Async(check_avb_pubkey, system_a_img)
else:
# Check pubkey for other files using avbtool
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index c93cb4c..76de93b 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -332,22 +332,6 @@
],
}
-android_filesystem {
- name: "microdroid_gki_modules-6.1-arm64",
- deps: [
- "microdroid_gki_kernel_modules-6.1-arm64",
- ],
- type: "compressed_cpio",
-}
-
-android_filesystem {
- name: "microdroid_gki_modules-6.1-x86_64",
- deps: [
- "microdroid_gki_kernel_modules-6.1-x86_64",
- ],
- type: "compressed_cpio",
-}
-
genrule {
name: "microdroid_bootconfig_arm64_gen",
srcs: [
@@ -418,11 +402,6 @@
}
prebuilt_etc {
- name: "microdroid_gki.json",
- src: "microdroid_gki.json",
-}
-
-prebuilt_etc {
name: "microdroid_manifest",
src: "microdroid_manifest.xml",
filename: "manifest.xml",
@@ -450,11 +429,8 @@
// python -c "import hashlib; print(hashlib.sha256(b'initrd_normal').hexdigest())"
initrd_normal_salt = "8041a07d54ac82290f6d90bac1fa8d7fdbc4db974d101d60faf294749d1ebaf8"
-avb_gen_vbmeta_image {
- name: "microdroid_initrd_normal_hashdesc",
- src: ":microdroid_initrd_normal",
- partition_name: "initrd_normal",
- salt: initrd_normal_salt,
+avb_gen_vbmeta_image_defaults {
+ name: "microdroid_initrd_defaults",
enabled: false,
arch: {
// Microdroid kernel is only available in these architectures.
@@ -467,63 +443,38 @@
},
}
-avb_gen_vbmeta_image {
- name: "microdroid_gki_initrd_normal_hashdesc",
- src: ":microdroid_gki_initrd_normal",
+avb_gen_vbmeta_image_defaults {
+ name: "microdroid_initrd_normal_defaults",
+ defaults: ["microdroid_initrd_defaults"],
partition_name: "initrd_normal",
salt: initrd_normal_salt,
- enabled: false,
- arch: {
- // Microdroid kernel is only available in these architectures.
- arm64: {
- enabled: true,
- },
- x86_64: {
- enabled: true,
- },
- },
+}
+
+avb_gen_vbmeta_image {
+ name: "microdroid_initrd_normal_hashdesc",
+ defaults: ["microdroid_initrd_normal_defaults"],
+ src: ":microdroid_initrd_normal",
}
// python -c "import hashlib; print(hashlib.sha256(b'initrd_debug').hexdigest())"
initrd_debug_salt = "8ab9dc9cb7e6456700ff6ef18c6b4c3acc24c5fa5381b829563f8d7a415d869a"
-avb_gen_vbmeta_image {
- name: "microdroid_initrd_debug_hashdesc",
- src: ":microdroid_initrd_debuggable",
+avb_gen_vbmeta_image_defaults {
+ name: "microdroid_initrd_debug_defaults",
+ defaults: ["microdroid_initrd_defaults"],
partition_name: "initrd_debug",
salt: initrd_debug_salt,
- enabled: false,
- arch: {
- // Microdroid kernel is only available in these architectures.
- arm64: {
- enabled: true,
- },
- x86_64: {
- enabled: true,
- },
- },
}
avb_gen_vbmeta_image {
- name: "microdroid_gki_initrd_debug_hashdesc",
- src: ":microdroid_gki_initrd_debuggable",
- partition_name: "initrd_debug",
- salt: initrd_debug_salt,
- enabled: false,
- arch: {
- // Microdroid kernel is only available in these architectures.
- arm64: {
- enabled: true,
- },
- x86_64: {
- enabled: true,
- },
- },
+ name: "microdroid_initrd_debug_hashdesc",
+ defaults: ["microdroid_initrd_debug_defaults"],
+ src: ":microdroid_initrd_debuggable",
}
soong_config_module_type {
- name: "flag_aware_avb_add_hash_footer",
- module_type: "avb_add_hash_footer",
+ name: "flag_aware_avb_add_hash_footer_defaults",
+ module_type: "avb_add_hash_footer_defaults",
config_namespace: "ANDROID",
bool_variables: [
"release_avf_enable_llpvm_changes",
@@ -534,28 +485,21 @@
],
}
-flag_aware_avb_add_hash_footer {
- name: "microdroid_kernel_signed",
+flag_aware_avb_add_hash_footer_defaults {
+ name: "microdroid_kernel_signed_defaults",
src: ":empty_file",
- filename: "microdroid_kernel",
partition_name: "boot",
private_key: ":microdroid_sign_key",
salt: bootloader_salt,
enabled: false,
arch: {
arm64: {
- src: ":microdroid_kernel_prebuilts-6.1-arm64",
enabled: true,
},
x86_64: {
- src: ":microdroid_kernel_prebuilts-6.1-x86_64",
enabled: true,
},
},
- include_descriptors_from_images: [
- ":microdroid_initrd_normal_hashdesc",
- ":microdroid_initrd_debug_hashdesc",
- ],
// Below are properties that are conditionally set depending on value of build flags.
soong_config_variables: {
release_avf_enable_llpvm_changes: {
@@ -570,40 +514,22 @@
},
}
-flag_aware_avb_add_hash_footer {
- name: "microdroid_gki_kernel_signed",
- src: ":empty_file",
- filename: "microdroid_gki_kernel",
- partition_name: "boot",
- private_key: ":microdroid_sign_key",
- salt: bootloader_salt,
- enabled: false,
+avb_add_hash_footer {
+ name: "microdroid_kernel_signed",
+ defaults: ["microdroid_kernel_signed_defaults"],
+ filename: "microdroid_kernel",
arch: {
arm64: {
- src: ":microdroid_gki_kernel_prebuilts-6.1-arm64",
- enabled: true,
+ src: ":microdroid_kernel_prebuilts-6.1-arm64",
},
x86_64: {
- src: ":microdroid_gki_kernel_prebuilts-6.1-x86_64",
- enabled: true,
+ src: ":microdroid_kernel_prebuilts-6.1-x86_64",
},
},
include_descriptors_from_images: [
- ":microdroid_gki_initrd_normal_hashdesc",
- ":microdroid_gki_initrd_debug_hashdesc",
+ ":microdroid_initrd_normal_hashdesc",
+ ":microdroid_initrd_debug_hashdesc",
],
- // Below are properties that are conditionally set depending on value of build flags.
- soong_config_variables: {
- release_avf_enable_llpvm_changes: {
- rollback_index: 1,
- props: [
- {
- name: "com.android.virt.cap",
- value: "secretkeeper_protection",
- },
- ],
- },
- },
}
prebuilt_etc {
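Review bot: `microdroid_kernel_signed` no longer shows its own `rollback_index` or `com.android.virt.cap` prop; both now arrive only through `microdroid_kernel_signed_defaults`, whose `soong_config_variables` block is only partly visible in these hunks. A signed-kernel module added later without that `defaults` entry would presumably be built without the flag-conditional rollback index and secretkeeper capability, and nothing here would flag it, so a comment on the module would help, e.g. `// rollback_index and the com.android.virt.cap prop come from microdroid_kernel_signed_defaults; every signed kernel must list it.` The same applies to `microdroid_gki-6.1_kernel_signed` in the next hunk. The Test lines do not mention a build with release_avf_enable_llpvm_changes set, so comparing `avbtool info_image` output for both kernels before and after the change would confirm the footers are unchanged.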
@@ -620,16 +546,54 @@
},
}
+///////////////////////////////////////
+// GKI-6.1 modules
+///////////////////////////////////////
prebuilt_etc {
- name: "microdroid_gki_kernel",
+ name: "microdroid_gki-6.1.json",
+ src: "microdroid_gki-6.1.json",
+}
+
+avb_add_hash_footer {
+ name: "microdroid_gki-6.1_kernel_signed",
+ defaults: ["microdroid_kernel_signed_defaults"],
+ filename: "microdroid_gki-6.1_kernel",
+ arch: {
+ arm64: {
+ src: ":microdroid_gki_kernel_prebuilts-6.1-arm64",
+ },
+ x86_64: {
+ src: ":microdroid_gki_kernel_prebuilts-6.1-x86_64",
+ },
+ },
+ include_descriptors_from_images: [
+ ":microdroid_gki-6.1_initrd_normal_hashdesc",
+ ":microdroid_gki-6.1_initrd_debug_hashdesc",
+ ],
+}
+
+prebuilt_etc {
+ name: "microdroid_gki-6.1_kernel",
src: ":empty_file",
relative_install_path: "fs",
arch: {
arm64: {
- src: ":microdroid_gki_kernel_signed",
+ src: ":microdroid_gki-6.1_kernel_signed",
},
x86_64: {
- src: ":microdroid_gki_kernel_signed",
+ src: ":microdroid_gki-6.1_kernel_signed",
},
},
}
+
+avb_gen_vbmeta_image {
+ name: "microdroid_gki-6.1_initrd_normal_hashdesc",
+ defaults: ["microdroid_initrd_normal_defaults"],
+ src: ":microdroid_gki-6.1_initrd_normal",
+}
+
+avb_gen_vbmeta_image {
+ name: "microdroid_gki-6.1_initrd_debug_hashdesc",
+ defaults: ["microdroid_initrd_debug_defaults"],
+ src: ":microdroid_gki-6.1_initrd_debuggable",
+}
diff --git a/microdroid/initrd/Android.bp b/microdroid/initrd/Android.bp
index 6cd84fa..8df4c0f 100644
--- a/microdroid/initrd/Android.bp
+++ b/microdroid/initrd/Android.bp
@@ -41,7 +41,7 @@
}
genrule {
- name: "microdroid_gki_initrd_gen_arm64",
+ name: "microdroid_gki-6.1_initrd_gen_arm64",
srcs: [
":microdroid_ramdisk",
":microdroid_fstab_ramdisk",
@@ -52,7 +52,7 @@
}
genrule {
- name: "microdroid_gki_initrd_gen_x86_64",
+ name: "microdroid_gki-6.1_initrd_gen_x86_64",
srcs: [
":microdroid_ramdisk",
":microdroid_fstab_ramdisk",
@@ -96,13 +96,13 @@
}
genrule {
- name: "microdroid_gki_initrd_debuggable_arm64",
+ name: "microdroid_gki-6.1_initrd_debuggable_arm64",
tools: ["initrd_bootconfig"],
srcs: [
- ":microdroid_gki_initrd_gen_arm64",
+ ":microdroid_gki-6.1_initrd_gen_arm64",
":microdroid_bootconfig_debuggable_src",
] + bootconfigs_arm64,
- out: ["microdroid_gki_initrd_debuggable_arm64"],
+ out: ["microdroid_gki-6.1_initrd_debuggable_arm64"],
cmd: "$(location initrd_bootconfig) attach --output $(out) $(in)",
}
@@ -118,13 +118,13 @@
}
genrule {
- name: "microdroid_gki_initrd_debuggable_x86_64",
+ name: "microdroid_gki-6.1_initrd_debuggable_x86_64",
tools: ["initrd_bootconfig"],
srcs: [
- ":microdroid_gki_initrd_gen_x86_64",
+ ":microdroid_gki-6.1_initrd_gen_x86_64",
":microdroid_bootconfig_debuggable_src",
] + bootconfigs_x86_64,
- out: ["microdroid_gki_initrd_debuggable_x86_64"],
+ out: ["microdroid_gki-6.1_initrd_debuggable_x86_64"],
cmd: "$(location initrd_bootconfig) attach --output $(out) $(in)",
}
@@ -140,13 +140,13 @@
}
genrule {
- name: "microdroid_gki_initrd_normal_arm64",
+ name: "microdroid_gki-6.1_initrd_normal_arm64",
tools: ["initrd_bootconfig"],
srcs: [
- ":microdroid_gki_initrd_gen_arm64",
+ ":microdroid_gki-6.1_initrd_gen_arm64",
":microdroid_bootconfig_normal_src",
] + bootconfigs_arm64,
- out: ["microdroid_gki_initrd_normal_arm64"],
+ out: ["microdroid_gki-6.1_initrd_normal_arm64"],
cmd: "$(location initrd_bootconfig) attach --output $(out) $(in)",
}
@@ -162,13 +162,13 @@
}
genrule {
- name: "microdroid_gki_initrd_normal_x86_64",
+ name: "microdroid_gki-6.1_initrd_normal_x86_64",
tools: ["initrd_bootconfig"],
srcs: [
- ":microdroid_gki_initrd_gen_x86_64",
+ ":microdroid_gki-6.1_initrd_gen_x86_64",
":microdroid_bootconfig_normal_src",
] + bootconfigs_x86_64,
- out: ["microdroid_gki_initrd_normal_x86_64"],
+ out: ["microdroid_gki-6.1_initrd_normal_x86_64"],
cmd: "$(location initrd_bootconfig) attach --output $(out) $(in)",
}
@@ -188,18 +188,18 @@
}
prebuilt_etc {
- name: "microdroid_gki_initrd_debuggable",
+ name: "microdroid_gki-6.1_initrd_debuggable",
// We don't have ramdisk for architectures other than x86_64 & arm64
src: ":empty_file",
arch: {
x86_64: {
- src: ":microdroid_gki_initrd_debuggable_x86_64",
+ src: ":microdroid_gki-6.1_initrd_debuggable_x86_64",
},
arm64: {
- src: ":microdroid_gki_initrd_debuggable_arm64",
+ src: ":microdroid_gki-6.1_initrd_debuggable_arm64",
},
},
- filename: "microdroid_gki_initrd_debuggable.img",
+ filename: "microdroid_gki-6.1_initrd_debuggable.img",
}
prebuilt_etc {
@@ -218,16 +218,16 @@
}
prebuilt_etc {
- name: "microdroid_gki_initrd_normal",
+ name: "microdroid_gki-6.1_initrd_normal",
// We don't have ramdisk for architectures other than x86_64 & arm64
src: ":empty_file",
arch: {
x86_64: {
- src: ":microdroid_gki_initrd_normal_x86_64",
+ src: ":microdroid_gki-6.1_initrd_normal_x86_64",
},
arm64: {
- src: ":microdroid_gki_initrd_normal_arm64",
+ src: ":microdroid_gki-6.1_initrd_normal_arm64",
},
},
- filename: "microdroid_gki_initrd_normal.img",
+ filename: "microdroid_gki-6.1_initrd_normal.img",
}
diff --git a/microdroid/microdroid_gki.json b/microdroid/microdroid_gki-6.1.json
similarity index 84%
rename from microdroid/microdroid_gki.json
rename to microdroid/microdroid_gki-6.1.json
index d7ba53e..2115e51 100644
--- a/microdroid/microdroid_gki.json
+++ b/microdroid/microdroid_gki-6.1.json
@@ -1,5 +1,5 @@
{
- "kernel": "/apex/com.android.virt/etc/fs/microdroid_gki_kernel",
+ "kernel": "/apex/com.android.virt/etc/fs/microdroid_gki-6.1_kernel",
"disks": [
{
"partitions": [
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index 6ae3bbd..600c912 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -66,6 +66,7 @@
use log::{debug, error, info, warn};
use microdroid_payload_config::{OsConfig, Task, TaskType, VmPayloadConfig};
use nix::unistd::pipe;
+use regex::Regex;
use rpcbinder::RpcServer;
use rustutils::system_properties;
use semver::VersionReq;
@@ -101,8 +102,6 @@
const MICRODROID_OS_NAME: &str = "microdroid";
-const MICRODROID_GKI_OS_NAME: &str = "microdroid_gki";
-
const UNFORMATTED_STORAGE_MAGIC: &str = "UNFORMATTED-STORAGE";
/// Roughly estimated sufficient size for storing vendor public key into DTBO.
@@ -115,6 +114,8 @@
pub static ref GLOBAL_SERVICE: Strong<dyn IVirtualizationServiceInternal> =
wait_for_interface(BINDER_SERVICE_IDENTIFIER)
.expect("Could not connect to VirtualizationServiceInternal");
+ static ref MICRODROID_GKI_OS_NAME_PATTERN: Regex =
+ Regex::new(r"^microdroid_gki-\d+\.\d+$").expect("Failed to construct Regex");
}
fn create_or_update_idsig_file(
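Review bot: `\d` in the `regex` crate is Unicode-aware by default, so MICRODROID_GKI_OS_NAME_PATTERN also accepts non-ASCII decimal digits in a name that is_valid_os later formats into a path under /apex/com.android.virt/etc. Restricting the classes to ASCII keeps the accepted set to the names the build actually produces: `Regex::new(r"^microdroid_gki-[0-9]+\.[0-9]+$")`. The static block this line sits in starts outside the hunk.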
@@ -698,12 +699,12 @@
fn is_valid_os(os_name: &str) -> bool {
if os_name == MICRODROID_OS_NAME {
- return true;
+ true
+ } else if cfg!(vendor_modules) && MICRODROID_GKI_OS_NAME_PATTERN.is_match(os_name) {
+ PathBuf::from(format!("/apex/com.android.virt/etc/{}.json", os_name)).exists()
+ } else {
+ false
}
- if cfg!(vendor_modules) && os_name == MICRODROID_GKI_OS_NAME {
- return true;
- }
- false
}
fn load_app_config(
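Review bot: is_valid_os has no comment saying that the anchored pattern is what keeps `os_name` free of `/` and `..` before it is formatted into a path, so a later loosening of the regex could turn this into a lookup outside the etc directory. A doc comment would record the dependency, e.g. `/// Accepts "microdroid", or a "microdroid_gki-<major>.<minor>" name whose config exists in the virt APEX; the pattern match must stay ahead of the path lookup.` `exists()` is also true for a directory, so `is_file()` would state the intent more exactly.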
diff --git a/vm/src/main.rs b/vm/src/main.rs
index 87278bc..9a92f13 100644
--- a/vm/src/main.rs
+++ b/vm/src/main.rs
@@ -27,6 +27,7 @@
use clap::{Args, Parser};
use create_idsig::command_create_idsig;
use create_partition::command_create_partition;
+use glob::glob;
use run::{command_run, command_run_app, command_run_microdroid};
use std::num::NonZeroU16;
use std::path::{Path, PathBuf};
@@ -107,10 +108,10 @@
#[arg(long)]
devices: Vec<PathBuf>,
- /// If set, use GKI instead of microdroid kernel
+ /// Version of GKI to use. If set, use instead of microdroid kernel
#[cfg(vendor_modules)]
#[arg(long)]
- gki: bool,
+ gki: Option<String>,
}
impl MicrodroidConfig {
@@ -125,13 +126,13 @@
}
#[cfg(vendor_modules)]
- fn gki(&self) -> bool {
- self.gki
+ fn gki(&self) -> Option<&str> {
+ self.gki.as_deref()
}
#[cfg(not(vendor_modules))]
- fn gki(&self) -> bool {
- false
+ fn gki(&self) -> Option<&str> {
+ None
}
#[cfg(device_assignment)]
@@ -315,6 +316,12 @@
Ok(())
}
+fn extract_gki_version(gki_config: &Path) -> Option<&str> {
+ let name = gki_config.file_name()?;
+ let name_str = name.to_str()?;
+ name_str.strip_prefix("microdroid_gki-")?.strip_suffix(".json")
+}
+
/// Print information about supported VM types.
fn command_info() -> Result<(), Error> {
let non_protected_vm_supported = hypervisor_props::is_vm_supported()?;
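Review bot: extract_gki_version has no doc comment and returns whatever text sits between `microdroid_gki-` and `.json`, so the `vm info` listing added in the next hunk can show a value that the name pattern in virtualizationmanager's is_valid_os would reject. A doc comment should state that limit, e.g. `/// Returns the version part of a "microdroid_gki-<ver>.json" file name, or None for other names; the text is not checked against the major.minor form the service accepts.` If the listing is meant to show only usable versions, the result should be filtered to ASCII digits around a single dot. command_info, whose first lines close this hunk, continues outside it.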
@@ -354,6 +361,12 @@
let devices = devices.into_iter().map(|x| x.node).collect::<Vec<_>>();
println!("Assignable devices: {}", serde_json::to_string(&devices)?);
+ let gki_configs =
+ glob("/apex/com.android.virt/etc/microdroid_gki-*.json")?.collect::<Result<Vec<_>, _>>()?;
+ let gki_versions =
+ gki_configs.iter().filter_map(|x| extract_gki_version(x)).collect::<Vec<_>>();
+ println!("Available gki versions: {}", serde_json::to_string(&gki_versions)?);
+
Ok(())
}
diff --git a/vm/src/run.rs b/vm/src/run.rs
index 44ba9af..8721e71 100644
--- a/vm/src/run.rs
+++ b/vm/src/run.rs
@@ -111,8 +111,11 @@
}
Payload::ConfigPath(config_path)
} else if let Some(payload_binary_name) = config.payload_binary_name {
- let os_name =
- if config.microdroid.gki() { "microdroid_gki" } else { "microdroid" }.to_owned();
+ let os_name = if let Some(ver) = config.microdroid.gki() {
+ format!("microdroid_gki-{ver}")
+ } else {
+ "microdroid".to_owned()
+ };
Payload::PayloadConfig(VirtualMachinePayloadConfig {
payloadBinaryName: payload_binary_name,
osName: os_name,