microdroid/Android.bp

package {
    default_applicable_licenses: ["Android-Apache-2.0"],
}

microdroid_shell_and_utilities = [
    "reboot",
    "sh",
    "strace",
    "toolbox",
    "toybox",
]

microdroid_rootdirs = [
    "dev",
    "proc",
    "sys",

    "system",
    "vendor",
    "debug_ramdisk",
    "mnt",
    "data",

    "apex",
    "linkerconfig",
    "second_stage_resources",
]

microdroid_symlinks = [
    {
        target: "/sys/kernel/debug",
        name: "d",
    },
    {
        target: "/system/etc",
        name: "etc",
    },
    {
        target: "/system/bin",
        name: "bin",
    },
]

android_system_image {
    name: "microdroid",
    use_avb: true,
    avb_private_key: ":microdroid_sign_key",
    avb_algorithm: "SHA256_RSA4096",
    partition_name: "system",
    deps: [
        "init_second_stage",
        "microdroid_build_prop",
        "microdroid_init_rc",
        "microdroid_ueventd_rc",
        "microdroid_launcher",

        "libbinder",
        "libbinder_ndk",
        "libstdc++",
        "logcat",
        "logd",
        "run-as",
        "secilc",

        // "com.android.adbd" requires these,
        "libadbd_auth",
        "libadbd_fs",

        // "com.android.art" requires
        "heapprofd_client_api",
        "libartpalette-system",

        "apexd",
        "debuggerd",
        "keystore2_microdroid",
        "linker",
        "linkerconfig",
        "servicemanager",
        "tombstoned",
        "cgroups.json",
        "public.libraries.android.txt",

        // TODO(b/185767624): remove hidl after full keymint support
        "hwservicemanager",

        "microdroid_plat_sepolicy_and_mapping.sha256",
        "microdroid_file_contexts",
        "microdroid_hwservice_contexts",
        "microdroid_property_contexts",
        "microdroid_service_contexts",
        "microdroid_keystore2_key_contexts",
        "microdroid_compatibility_matrix",
        "microdroid_manifest",

        // TODO(b/195425111) these four should be added automatically
        "android.hardware.security.secureclock-V1-ndk",
        "android.hardware.security.sharedsecret-V1-ndk",
        "libcrypto",
        "liblzma",
    ] + microdroid_shell_and_utilities,
    multilib: {
        common: {
            deps: [
                // non-updatable & mandatory apexes
                "com.android.runtime",

                "microdroid_plat_sepolicy.cil",
                "microdroid_plat_mapping_file",
            ],
        },
        lib64: {
            deps: [
                "apkdmverity",
                "authfs",
                "authfs_service",
                "microdroid_manager",
                "zipfuse",

                // TODO(b/184872979): Needed by authfs. Remove once the Rust API is created.
                "libbinder_rpc_unstable",
            ],
        },
    },
    linker_config_src: "linker.config.json",
    base_dir: "system",
    dirs: microdroid_rootdirs,
    symlinks: microdroid_symlinks,
    file_contexts: ":microdroid_file_contexts.gen",
}

prebuilt_etc {
    name: "microdroid_init_rc",
    filename: "init.rc",
    src: "init.rc",
    relative_install_path: "init/hw",
    installable: false, // avoid collision with system partition's init.rc
}

prebuilt_etc {
    name: "microdroid_ueventd_rc",
    filename: "ueventd.rc",
    src: "ueventd.rc",
    installable: false, // avoid collision with system partition's ueventd.rc
}

prebuilt_root {
    name: "microdroid_build_prop",
    filename: "build.prop",
    src: "build.prop",
    arch: {
        x86_64: {
            src: ":microdroid_build_prop_gen_x86_64",
        },
        arm64: {
            src: ":microdroid_build_prop_gen_arm64",
        },
    },
    installable: false,
}

genrule {
    name: "microdroid_build_prop_gen_x86_64",
    srcs: ["build.prop"],
    out: ["build.prop.out"],
    cmd: "cp $(in) $(out); echo ro.product.cpu.abilist=x86_64 >> $(out)",
}

genrule {
    name: "microdroid_build_prop_gen_arm64",
    srcs: ["build.prop"],
    out: ["build.prop.out"],
    cmd: "cp $(in) $(out); echo ro.product.cpu.abilist=arm64-v8a >> $(out)",
}

android_filesystem {
    name: "microdroid_vendor",
    partition_name: "vendor",
    use_avb: true,
    deps: [
        "android.hardware.security.keymint-service.microdroid",
        "microdroid_fstab",
        "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
        "microdroid_vendor_manifest",
        "microdroid_vendor_compatibility_matrix",
    ],
    multilib: {
        common: {
            deps: [
                "microdroid_vendor_sepolicy.cil",
                "microdroid_plat_pub_versioned.cil",
                "microdroid_plat_sepolicy_vers.txt",
                "microdroid_precompiled_sepolicy",
            ],
        },
    },
    avb_private_key: ":microdroid_sign_key",
    avb_algorithm: "SHA256_RSA4096",
    file_contexts: ":microdroid_vendor_file_contexts.gen",
}

logical_partition {
    name: "microdroid_super",
    sparse: true,
    size: "auto",
    default_group: [
        {
            name: "system_a",
            filesystem: ":microdroid",
        },
        {
            name: "vendor_a",
            filesystem: ":microdroid_vendor",
        },
    ],
}

microdroid_boot_cmdline = [
    "panic=-1",
    "bootconfig",
]

bootimg {
    name: "microdroid_boot-5.10",
    ramdisk_module: "microdroid_ramdisk-5.10",
    // We don't have kernel for arm and x86. But Soong demands one when it builds for
    // arm or x86 target. Satisfy that by providing an empty file as the kernel.
    kernel_prebuilt: "empty_kernel",
    arch: {
        arm64: {
            kernel_prebuilt: ":kernel_prebuilts-5.10-arm64",
            cmdline: microdroid_boot_cmdline,
        },
        x86_64: {
            kernel_prebuilt: ":kernel_prebuilts-5.10-x86_64",
            cmdline: microdroid_boot_cmdline + [
                // console=none is to work around the x86 specific u-boot behavior which when
                // console= option is not found in the kernel commandline console=ttyS0 is
                // automatically added. By adding console=none, we can prevent u-boot from doing
                // that. Note that console is set to hvc0 by bootconfig if the VM is configured as
                // debuggable.
                "console=none",
                "acpi=noirq",
            ],
        },
    },

    dtb_prebuilt: "dummy_dtb.img",
    header_version: "4",
    partition_name: "boot",
    use_avb: true,
    avb_private_key: ":microdroid_sign_key",
}

android_filesystem {
    name: "microdroid_ramdisk-5.10",
    deps: [
        "init_first_stage",
    ],
    dirs: [
        "dev",
        "proc",
        "sys",

        // TODO(jiyong): remove these
        "mnt",
        "debug_ramdisk",
        "second_stage_resources",
    ],
    type: "compressed_cpio",
}

bootimg {
    name: "microdroid_vendor_boot-5.10",
    ramdisk_module: "microdroid_vendor_ramdisk-5.10",
    dtb_prebuilt: "dummy_dtb.img",
    header_version: "4",
    vendor_boot: true,
    arch: {
        arm64: {
            bootconfig: ":microdroid_bootconfig_arm64_gen",
        },
        x86_64: {
            bootconfig: ":microdroid_bootconfig_x86_64_gen",
        },
    },
    partition_name: "vendor_boot",
    use_avb: true,
    avb_private_key: ":microdroid_sign_key",
}

android_filesystem {
    name: "microdroid_vendor_ramdisk-5.10",
    arch: {
        arm64: {
            deps: ["virt_device_prebuilts_kernel_modules-5.10-arm64"],
        },
        x86_64: {
            deps: ["virt_device_prebuilts_kernel_modules-5.10-x86_64"],
        },
    },
    deps: [
        "microdroid_fstab",
    ],
    base_dir: "first_stage_ramdisk",
    type: "compressed_cpio",
    symlinks: [
        {
            target: "etc/fstab.microdroid",
            name: "first_stage_ramdisk/fstab.microdroid",
        },
        {
            target: "first_stage_ramdisk/lib",
            name: "lib",
        },
    ],
}

genrule {
    name: "microdroid_bootconfig_arm64_gen",
    srcs: [
        "bootconfig.common",
        "bootconfig.arm64",
    ],
    out: ["bootconfig"],
    cmd: "cat $(in) > $(out)",
}

genrule {
    name: "microdroid_bootconfig_x86_64_gen",
    srcs: [
        "bootconfig.common",
        "bootconfig.x86_64",
    ],
    out: ["bootconfig"],
    cmd: "cat $(in) > $(out)",
}

vbmeta {
    name: "microdroid_vbmeta_bootconfig",
    partition_name: "vbmeta",
    private_key: ":microdroid_sign_key",
    chained_partitions: [
        {
            name: "bootconfig",
            private_key: ":microdroid_sign_key",
        },
    ],
}

// See external/avb/avbtool.py
// MAX_VBMETA_SIZE=64KB, MAX_FOOTER_SIZE=4KB
avb_hash_footer_kb = "68"

// TODO(b/203031847) sign these bootconfig images using avb
prebuilt_etc {
    name: "microdroid_bootconfig_normal",
    src: ":microdroid_bootconfig_normal_gen",
    filename: "microdroid_bootconfig.normal",
}

prebuilt_etc {
    name: "microdroid_bootconfig_app_debuggable",
    src: ":microdroid_bootconfig_app_debuggable_gen",
    filename: "microdroid_bootconfig.app_debuggable",
}

prebuilt_etc {
    name: "microdroid_bootconfig_full_debuggable",
    src: ":microdroid_bootconfig_full_debuggable_gen",
    filename: "microdroid_bootconfig.full_debuggable",
}

// TODO(jiyong): make a new module type that does the avb signing
genrule {
    name: "microdroid_bootconfig_normal_gen",
    tools: ["avbtool"],
    srcs: [
        "bootconfig.normal",
        ":microdroid_sign_key",
    ],
    out: ["microdroid_bootconfig.normal"],
    cmd: "cp $(location bootconfig.normal) $(out) && " +
        "$(location avbtool) add_hash_footer " +
        "--algorithm SHA256_RSA4096 " +
        "--partition_name bootconfig " +
        "--key $(location :microdroid_sign_key) " +
        "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
        "--image $(out)",
}

genrule {
    name: "microdroid_bootconfig_app_debuggable_gen",
    tools: ["avbtool"],
    srcs: [
        "bootconfig.app_debuggable",
        ":microdroid_sign_key",
    ],
    out: ["microdroid_bootconfig.app_debuggable"],
    cmd: "cp $(location bootconfig.app_debuggable) $(out) && " +
        "$(location avbtool) add_hash_footer " +
        "--algorithm SHA256_RSA4096 " +
        "--partition_name bootconfig " +
        "--key $(location :microdroid_sign_key) " +
        "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
        "--image $(out)",
}

genrule {
    name: "microdroid_bootconfig_full_debuggable_gen",
    tools: ["avbtool"],
    srcs: [
        "bootconfig.full_debuggable",
        ":microdroid_sign_key",
    ],
    out: ["microdroid_bootconfig.full_debuggable"],
    cmd: "cp $(location bootconfig.full_debuggable) $(out) && " +
        "$(location avbtool) add_hash_footer " +
        "--algorithm SHA256_RSA4096 " +
        "--partition_name bootconfig " +
        "--key $(location :microdroid_sign_key) " +
        "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
        "--image $(out)",
}

prebuilt_etc {
    name: "microdroid_fstab",
    src: "fstab.microdroid",
    filename: "fstab.microdroid",
    installable: false,
}

prebuilt_etc {
    name: "microdroid_bootloader",
    src: ":microdroid_bootloader_gen",
    arch: {
        x86_64: {
            // For unknown reason, the signed bootloader doesn't work on x86_64. Until the problem
            // is fixed, let's use the unsigned bootloader for the architecture.
            // TODO(b/185115783): remove this
            src: ":microdroid_bootloader_pubkey_replaced",
        },
    },
    filename: "microdroid_bootloader",
}

genrule {
    name: "microdroid_bootloader_gen",
    tools: ["avbtool"],
    srcs: [
        ":microdroid_bootloader_pubkey_replaced",
        ":microdroid_sign_key",
    ],
    out: ["bootloader-signed"],
    // 1. Copy the input to the output becaise avbtool modifies --image in
    // place.
    // 2. Check if the file is big enough. For arm and x86 we have fake
    // bootloader file whose size is 1. It can't pass avbtool.
    // 3. Add the hash footer. The partition size is set to (image size + 68KB)
    // rounded up to 4KB boundary.
    cmd: "cp $(location :microdroid_bootloader_pubkey_replaced) $(out) && " +
        "if [ $$(stat --format=%s $(out)) -gt 4096 ]; then " +
        "$(location avbtool) add_hash_footer " +
        "--algorithm SHA256_RSA4096 " +
        "--partition_name bootloader " +
        "--key $(location :microdroid_sign_key) " +
        "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
        "--image $(out)" +
        "; fi",
}

// Replace avbpubkey of prebuilt bootloader with the avbpubkey of the signing key
genrule {
    name: "microdroid_bootloader_pubkey_replaced",
    tools: ["replace_bytes"],
    srcs: [
        ":microdroid_crosvm_bootloader", // input
        ":microdroid_bootloader_avbpubkey_gen", // new bytes
    ],
    out: ["bootloader-pubkey-replaced"],
    // 1. Copy the input to the output (replace_bytes modifies the file in-place)
    // 2. Check if the file is big enough. For arm and x86 we have fake
    // bootloader file whose size is 1. (replace_bytes fails if key not found)
    // 3. Replace embedded pubkey with new one.
    cmd: "cp $(location :microdroid_crosvm_bootloader) $(out) && " +
        "if [ $$(stat --format=%s $(out)) -gt 4096 ]; then " +
        "$(location replace_bytes) $(out) " +
        // TODO(b/193504286) use the avbpubkey exposed from the prebuilt.
        // For now, replacing it with the same key to ensure that "replace_bytes" works and
        // that microdroid_crosvm_bootloader embeds the same pubkey of microdroid_sign_key.
        "$(location :microdroid_bootloader_avbpubkey_gen) " +
        "$(location :microdroid_bootloader_avbpubkey_gen)" +
        "; fi",
}

// Apex keeps a copy of avbpubkey embedded in bootloader so that embedded avbpubkey can be replaced
// while re-signing bootloader.
prebuilt_etc {
    name: "microdroid_bootloader.avbpubkey",
    src: ":microdroid_bootloader_avbpubkey_gen",
}

// Generate avbpukey from the signing key
genrule {
    name: "microdroid_bootloader_avbpubkey_gen",
    tools: ["avbtool"],
    srcs: [":microdroid_sign_key"],
    out: ["bootloader.pubkey"],
    cmd: "$(location avbtool) extract_public_key " +
        "--key $(location :microdroid_sign_key) " +
        "--output $(out)",
}

prebuilt_etc {
    name: "microdroid_uboot_env",
    src: ":microdroid_uboot_env_gen",
    arch: {
        x86_64: {
            src: ":microdroid_uboot_env_gen_x86_64",
        },
    },
    filename: "uboot_env.img",
}

genrule {
    name: "microdroid_uboot_env_gen",
    tools: ["mkenvimage_host"],
    srcs: ["uboot-env.txt"],
    out: ["output.img"],
    cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(in)",
}

genrule {
    name: "microdroid_uboot_env_gen_x86_64",
    tools: ["mkenvimage_host"],
    srcs: ["uboot-env-x86_64.txt"],
    out: ["output.img"],
    cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(in)",
}

// Note that keys can be different for filesystem images even though we're using the same key
// for microdroid. However, the key signing VBmeta should match with the pubkey embedded in
// bootloader.
filegroup {
    name: "microdroid_sign_key",
    srcs: [":avb_testkey_rsa4096"],
}

vbmeta {
    name: "microdroid_vbmeta",
    partition_name: "vbmeta",
    private_key: ":microdroid_sign_key",
    partitions: [
        "microdroid_vendor",
        "microdroid_vendor_boot-5.10",
        "microdroid",
        "microdroid_boot-5.10",
    ],
}

prebuilt_etc {
    name: "microdroid.json",
    src: "microdroid.json",
}

prebuilt_etc {
    name: "microdroid_vendor_manifest",
    src: "microdroid_vendor_manifest.xml",
    filename: "manifest.xml",
    relative_install_path: "vintf",
    installable: false,
}

prebuilt_etc {
    name: "microdroid_vendor_compatibility_matrix",
    src: "microdroid_vendor_compatibility_matrix.xml",
    filename: "compatibility_matrix.xml",
    relative_install_path: "vintf",
    installable: false,
}

prebuilt_etc {
    name: "microdroid_compatibility_matrix",
    src: "microdroid_compatibility_matrix.xml",
    filename: "compatibility_matrix.current.xml",
    relative_install_path: "vintf",
    installable: false,
}

prebuilt_etc {
    name: "microdroid_manifest",
    src: "microdroid_manifest.xml",
    filename: "manifest.xml",
    relative_install_path: "vintf",
    installable: false,
}