build/microdroid/Android.bp

package {
    default_applicable_licenses: ["Android-Apache-2.0"],
}

microdroid_shell_and_utilities = [
    "reboot",
    "sh",
    "strace",
    "toolbox",
    "toybox",
]

microdroid_rootdirs = [
    "dev",
    "proc",
    "sys",

    "system",
    "debug_ramdisk",
    "mnt",
    "data",

    "apex",
    "linkerconfig",
    "second_stage_resources",

    // Ideally we should only create the /vendor for Microdroid VMs that will mount /vendor, but
    // for the time being we will just create it unconditionally.
    "vendor",
]

microdroid_symlinks = [
    {
        target: "/sys/kernel/debug",
        name: "d",
    },
    {
        target: "/system/etc",
        name: "etc",
    },
    {
        target: "/system/bin",
        name: "bin",
    },
]

android_system_image {
    name: "microdroid",
    use_avb: true,
    avb_private_key: ":microdroid_sign_key",
    avb_algorithm: "SHA256_RSA4096",
    avb_hash_algorithm: "sha256",
    use_fec: false,
    partition_name: "system",
    deps: [
        "init_second_stage.microdroid",
        "microdroid_build_prop",
        "microdroid_init_debug_policy",
        "microdroid_init_rc",
        "microdroid_ueventd_rc",
        "microdroid_launcher",

        "libbinder_ndk",
        "libstdc++",

        // "com.android.adbd" requires these,
        "libadbd_auth",
        "libadbd_fs",

        // "com.android.art" requires
        "heapprofd_client_api",
        "libartpalette-system",

        "apexd.microdroid",
        "debuggerd",
        "linker",
        "cgroups.json",
        "task_profiles.json",
        "public.libraries.android.txt",

        "microdroid_event-log-tags",
        "microdroid_file_contexts",
        "microdroid_manifest",
        "microdroid_property_contexts",
        "e2fsck.microdroid",
        "mke2fs.microdroid",
        "resize2fs.microdroid",
        "microdroid_fstab",

        "libvm_payload", // used by payload to interact with microdroid manager

        "prng_seeder_microdroid",

        // Binaries required to capture traces in Microdroid.
        "atrace",
        "traced",
        "traced_probes",
        "perfetto",
    ] + select(release_flag("RELEASE_AVF_ENABLE_MULTI_TENANT_MICRODROID_VM"), {
        true: [
            "microdroid_etc_passwd",
            "microdroid_etc_group",
        ],
        default: [],
    }) + microdroid_shell_and_utilities,
    multilib: {
        common: {
            deps: [
                // non-updatable & mandatory apexes
                "com.android.runtime",

                "microdroid_crashdump_initrd",
                "microdroid_precompiled_sepolicy",
            ],
        },
        lib64: {
            deps: [
                "apkdmverity",
                "authfs",
                "authfs_service",
                "encryptedstore",
                "microdroid_kexec",
                "microdroid_manager",
                "zipfuse",
            ] + select(release_flag("RELEASE_AVF_ENABLE_DICE_CHANGES"), {
                true: ["derive_microdroid_vendor_dice_node"],
                default: [],
            }),
        },
    },
    arch: {
        // b/273792258: These could be in multilib.lib64 except that
        // microdroid_crashdump_kernel doesn't exist for riscv64 yet
        arm64: {
            deps: [
                "microdroid_crashdump_kernel",
            ],
        },
        x86_64: {
            deps: [
                "microdroid_crashdump_kernel",
            ],
        },
    },
    linker_config: {
        gen_linker_config: true,
        linker_config_srcs: ["linker.config.json"],
    },
    base_dir: "system",
    dirs: microdroid_rootdirs + select(release_flag("RELEASE_AVF_ENABLE_DICE_CHANGES"), {
        true: ["microdroid_resources"],
        default: [],
    }),
    symlinks: microdroid_symlinks,
    file_contexts: ":microdroid_file_contexts.gen",
    // For deterministic output, use fake_timestamp, hard-coded uuid
    fake_timestamp: "1611569676",
    // python -c "import uuid; print(uuid.uuid5(uuid.NAMESPACE_URL, 'www.android.com/avf/microdroid/system'))"
    uuid: "5fe079c6-f01a-52be-87d3-d415231a72ad",
}

prebuilt_etc {
    name: "microdroid_init_rc",
    filename: "init.rc",
    src: "init.rc",
    relative_install_path: "init/hw",
    no_full_install: true, // avoid collision with system partition's init.rc
}

prebuilt_etc {
    name: "microdroid_ueventd_rc",
    filename: "ueventd.rc",
    src: "ueventd.rc",
    no_full_install: true, // avoid collision with system partition's ueventd.rc
}

prebuilt_etc {
    name: "microdroid_etc_passwd",
    src: "microdroid_passwd",
    filename: "passwd",
    no_full_install: true,
}

prebuilt_etc {
    name: "microdroid_etc_group",
    src: "microdroid_group",
    filename: "group",
    no_full_install: true,
}

prebuilt_root {
    name: "microdroid_build_prop",
    filename: "build.prop",
    src: "build.prop",
    arch: {
        x86_64: {
            src: ":microdroid_build_prop_gen_x86_64",
        },
        arm64: {
            src: ":microdroid_build_prop_gen_arm64",
        },
    },
    no_full_install: true,
}

java_genrule {
    name: "microdroid_build_prop_gen_x86_64",
    srcs: [
        "build.prop",
        ":system-build.prop",
    ],
    out: ["build.prop.out"],
    cmd: "(echo '# build properties from system/build.prop' && " +
        "grep ro\\.build\\.version\\.codename= $(location :system-build.prop) && " +
        "grep ro\\.build\\.version\\.release= $(location :system-build.prop) && " +
        "grep ro\\.build\\.version\\.sdk= $(location :system-build.prop) && " +
        "grep ro\\.build\\.version\\.security_patch= $(location :system-build.prop) && " +
        "grep ro\\.build\\.version\\.known_codenames= $(location :system-build.prop) && " +
        "cat $(location build.prop) && " +
        "echo ro.product.cpu.abilist=x86_64 && " +
        "echo ro.product.cpu.abi=x86_64) > $(out)",
}

java_genrule {
    name: "microdroid_build_prop_gen_arm64",
    srcs: [
        "build.prop",
        ":system-build.prop",
    ],
    out: ["build.prop.out"],
    cmd: "(echo '# build properties from system/build.prop' && " +
        "grep ro\\.build\\.version\\.codename= $(location :system-build.prop) && " +
        "grep ro\\.build\\.version\\.release= $(location :system-build.prop) && " +
        "grep ro\\.build\\.version\\.sdk= $(location :system-build.prop) && " +
        "grep ro\\.build\\.version\\.security_patch= $(location :system-build.prop) && " +
        "grep ro\\.build\\.version\\.known_codenames= $(location :system-build.prop) && " +
        "cat $(location build.prop) && " +
        "echo ro.product.cpu.abilist=arm64-v8a && " +
        "echo ro.product.cpu.abi=arm64-v8a) > $(out)",
}

// Need to keep microdroid_vendor for the release configurations that don't
// have RELEASE_AVF_ENABLE_VENDOR_MODULES build flag enabled.
android_filesystem {
    name: "microdroid_vendor",
    partition_name: "vendor",
    use_avb: true,
    avb_private_key: ":microdroid_sign_key",
    avb_algorithm: "SHA256_RSA4096",
    avb_hash_algorithm: "sha256",
    use_fec: false,
    file_contexts: ":microdroid_vendor_file_contexts.gen",
    // For deterministic output, use fake_timestamp, hard-coded uuid
    fake_timestamp: "1611569676",
    // python -c "import uuid; print(uuid.uuid5(uuid.NAMESPACE_URL, 'www.android.com/avf/microdroid/vendor'))"
    uuid: "156d40d7-8d8e-5c99-8913-ec82de549a70",
}

soong_config_module_type {
    name: "flag_aware_microdroid_super_partition",
    module_type: "logical_partition",
    config_namespace: "ANDROID",
    bool_variables: [
        "release_avf_enable_vendor_modules",
    ],
    properties: [
        "default_group",
    ],
}

flag_aware_microdroid_super_partition {
    name: "microdroid_super",
    sparse: true,
    size: "auto",
    default_group: [
        {
            name: "system_a",
            filesystem: ":microdroid",
        },
    ],
    soong_config_variables: {
        release_avf_enable_vendor_modules: {
            conditions_default: {
                default_group: [
                    {
                        name: "vendor_a",
                        filesystem: ":microdroid_vendor",
                    },
                ],
            },
        },
    },
}

android_filesystem {
    name: "microdroid_ramdisk",
    deps: [
        "init_first_stage.microdroid",
    ],
    dirs: [
        "dev",
        "proc",
        "sys",

        "mnt",
        "debug_ramdisk",
        "second_stage_resources",
    ] + select(release_flag("RELEASE_AVF_ENABLE_DICE_CHANGES"), {
        true: ["microdroid_resources"],
        default: [],
    }),
    type: "compressed_cpio",
}

android_filesystem {
    name: "microdroid_first_stage_ramdisk",
    deps: [
        "microdroid_fstab",
    ],
    base_dir: "first_stage_ramdisk",
    type: "compressed_cpio",
    symlinks: [
        {
            target: "etc/fstab.microdroid",
            name: "first_stage_ramdisk/fstab.microdroid",
        },
        {
            target: "first_stage_ramdisk/lib",
            name: "lib",
        },
    ],
}

genrule {
    name: "microdroid_bootconfig_arm64_gen",
    srcs: [
        "bootconfig.common",
        "bootconfig.arm64",
    ],
    out: ["bootconfig"],
    cmd: "cat $(in) > $(out)",
}

genrule {
    name: "microdroid_bootconfig_x86_64_gen",
    srcs: [
        "bootconfig.common",
        "bootconfig.x86_64",
    ],
    out: ["bootconfig"],
    cmd: "cat $(in) > $(out)",
}

filegroup {
    name: "microdroid_16k_bootconfig_x86_64_gen",
    srcs: ["bootconfig.x86_64_16k"],
}

prebuilt_etc {
    name: "microdroid_fstab",
    src: "fstab.microdroid",
    filename: "fstab.microdroid",
    no_full_install: true,
}

// python -c "import hashlib; print(hashlib.sha256(b'bootloader').hexdigest())"
bootloader_salt = "3b4a12881d11f33cff968a24d7c53723a8232cde9a8d91e29fdbd6a95ae6adf0"

filegroup {
    name: "microdroid_sign_key",
    srcs: [":pvmfw_embedded_key"],
}

vbmeta {
    name: "microdroid_vbmeta",
    partition_name: "vbmeta",
    private_key: ":microdroid_sign_key",
    partitions: [
        "microdroid",
    ] + select(release_flag("RELEASE_AVF_ENABLE_VENDOR_MODULES"), {
        true: [],
        default: ["microdroid_vendor"],
    }),
}

prebuilt_etc {
    name: "microdroid.json",
    src: "microdroid.json",
}

prebuilt_etc {
    name: "microdroid_16k.json",
    src: "microdroid_16k.json",
}

prebuilt_etc {
    name: "microdroid_manifest",
    src: "microdroid_manifest.xml",
    filename: "manifest.xml",
    relative_install_path: "vintf",
    no_full_install: true,
}

prebuilt_etc {
    name: "microdroid_event-log-tags",
    src: "microdroid_event-log-tags",
    filename: "event-log-tags",
    no_full_install: true,
}

filegroup {
    name: "microdroid_bootconfig_debuggable_src",
    srcs: ["bootconfig.debuggable"],
}

filegroup {
    name: "microdroid_bootconfig_normal_src",
    srcs: ["bootconfig.normal"],
}

// python -c "import hashlib; print(hashlib.sha256(b'initrd_normal').hexdigest())"
initrd_normal_salt = "8041a07d54ac82290f6d90bac1fa8d7fdbc4db974d101d60faf294749d1ebaf8"

avb_gen_vbmeta_image_defaults {
    name: "microdroid_initrd_defaults",
    enabled: false,
    arch: {
        // Microdroid kernel is only available in these architectures.
        arm64: {
            enabled: true,
        },
        x86_64: {
            enabled: true,
        },
    },
}

avb_gen_vbmeta_image_defaults {
    name: "microdroid_initrd_normal_defaults",
    defaults: ["microdroid_initrd_defaults"],
    partition_name: "initrd_normal",
    salt: initrd_normal_salt,
}

avb_gen_vbmeta_image {
    name: "microdroid_initrd_normal_hashdesc",
    defaults: ["microdroid_initrd_normal_defaults"],
    src: ":microdroid_initrd_normal",
}

avb_gen_vbmeta_image {
    name: "microdroid_16k_initrd_normal_hashdesc",
    defaults: ["microdroid_initrd_normal_defaults"],
    src: ":microdroid_16k_initrd_normal",
}

// python -c "import hashlib; print(hashlib.sha256(b'initrd_debug').hexdigest())"
initrd_debug_salt = "8ab9dc9cb7e6456700ff6ef18c6b4c3acc24c5fa5381b829563f8d7a415d869a"

avb_gen_vbmeta_image_defaults {
    name: "microdroid_initrd_debug_defaults",
    defaults: ["microdroid_initrd_defaults"],
    partition_name: "initrd_debug",
    salt: initrd_debug_salt,
}

avb_gen_vbmeta_image {
    name: "microdroid_initrd_debug_hashdesc",
    defaults: ["microdroid_initrd_debug_defaults"],
    src: ":microdroid_initrd_debuggable",
}

avb_gen_vbmeta_image {
    name: "microdroid_16k_initrd_debug_hashdesc",
    defaults: ["microdroid_initrd_debug_defaults"],
    src: ":microdroid_16k_initrd_debuggable",
}

avb_add_hash_footer_defaults {
    name: "microdroid_kernel_signed_defaults",
    src: ":empty_file",
    partition_name: "boot",
    private_key: ":microdroid_sign_key",
    salt: bootloader_salt,
    enabled: false,
    arch: {
        arm64: {
            enabled: true,
        },
        x86_64: {
            enabled: true,
        },
    },
}

MICRODROID_GKI_ROLLBACK_INDEX = 2

avb_add_hash_footer_defaults {
    name: "microdroid_kernel_cap_defaults",
    // Below are properties that are conditionally set depending on value of build flags.
    props: [
        {
            name: "com.android.virt.cap",
            value: "secretkeeper_protection",
        },
    ],
    rollback_index: MICRODROID_GKI_ROLLBACK_INDEX,
}

avb_add_hash_footer_defaults {
    name: "microdroid_kernel_cap_with_uefi_defaults",
    rollback_index: MICRODROID_GKI_ROLLBACK_INDEX,
    props: [
        {
            name: "com.android.virt.cap",
            value: "secretkeeper_protection|supports_uefi_boot",
        },
    ],
}

avb_add_hash_footer {
    name: "microdroid_kernel_signed",
    defaults: [
        "microdroid_kernel_signed_defaults",
        "microdroid_kernel_cap_defaults",
    ],
    filename: "microdroid_kernel",
    arch: {
        arm64: {
            src: ":microdroid_kernel_prebuilt-arm64",
        },
        x86_64: {
            src: ":microdroid_kernel_prebuilt-x86_64",
        },
    },
    include_descriptors_from_images: [
        ":microdroid_initrd_normal_hashdesc",
        ":microdroid_initrd_debug_hashdesc",
    ],
}

prebuilt_etc {
    name: "microdroid_kernel",
    src: ":empty_file",
    relative_install_path: "fs",
    arch: {
        arm64: {
            src: ":microdroid_kernel_signed",
        },
        x86_64: {
            src: ":microdroid_kernel_signed",
        },
    },
}

avb_add_hash_footer {
    name: "microdroid_kernel_16k_signed",
    defaults: [
        "microdroid_kernel_signed_defaults",
        "microdroid_kernel_cap_defaults",
    ],
    filename: "microdroid_kernel_16k",
    arch: {
        arm64: {
            src: ":microdroid_kernel_16k_prebuilt-arm64",
        },
        // There is no 16k x86_64 kernel. Instead the 16k emulation is triggered by adding
        // `page_shift=14` to the kernel cmdline or bootconfig.
        x86_64: {
            src: ":microdroid_kernel_prebuilt-x86_64",
        },
    },
    props: [
        {
            name: "com.android.virt.page_size",
            value: "16",
        },
    ],
    include_descriptors_from_images: [
        ":microdroid_16k_initrd_normal_hashdesc",
        ":microdroid_16k_initrd_debug_hashdesc",
    ],
}

prebuilt_etc {
    name: "microdroid_kernel_16k",
    src: ":empty_file",
    relative_install_path: "fs",
    arch: {
        arm64: {
            src: ":microdroid_kernel_16k_signed",
        },
        x86_64: {
            src: ":microdroid_kernel_16k_signed",
        },
    },
}

///////////////////////////////////////
// GKI-android15-6.6
///////////////////////////////////////
prebuilt_etc {
    name: "microdroid_gki-android15-6.6.json",
    src: "microdroid_gki-android15-6.6.json",
}

avb_add_hash_footer_defaults {
    name: "microdroid_gki-android15-6.6_kernel_signed_defaults",
    defaults: ["microdroid_kernel_signed_defaults"],
    arch: {
        arm64: {
            src: ":microdroid_gki_kernel_prebuilts-android15-6.6-arm64",
        },
        x86_64: {
            src: ":microdroid_gki_kernel_prebuilts-android15-6.6-x86_64",
        },
    },
    include_descriptors_from_images: [
        ":microdroid_gki-android15-6.6_initrd_normal_hashdesc",
        ":microdroid_gki-android15-6.6_initrd_debug_hashdesc",
    ],
}

avb_add_hash_footer {
    name: "microdroid_gki-android15-6.6_kernel_signed",
    defaults: [
        "microdroid_gki-android15-6.6_kernel_signed_defaults",
        "microdroid_kernel_cap_defaults",
    ],
    filename: "microdroid_gki-android15-6.6_kernel_signed",
}

avb_add_hash_footer {
    name: "microdroid_gki-android15-6.6_kernel_signed_supports_uefi_boot",
    defaults: [
        "microdroid_gki-android15-6.6_kernel_signed_defaults",
        "microdroid_kernel_cap_with_uefi_defaults",
    ],
    filename: "microdroid_gki-android15-6.6_kernel_signed_supports_uefi_boot",
}

// HACK: use cc_genrule for arch-specific properties
cc_genrule {
    name: "microdroid_gki-android15-6.6_kernel_signed-lz4",
    out: ["microdroid_gki-android15-6.6_kernel_signed-lz4"],
    srcs: [":empty_file"],
    arch: {
        arm64: {
            srcs: [":microdroid_gki-android15-6.6_kernel_signed"],
            exclude_srcs: [":empty_file"],
        },
    },
    tools: ["lz4"],
    cmd: "$(location lz4) -9 $(in) $(out)",
}

prebuilt_etc {
    name: "microdroid_gki-android15-6.6_kernel",
    filename: "microdroid_gki-android15-6.6_kernel",
    src: ":empty_file",
    relative_install_path: "fs",
    arch: {
        arm64: {
            src: ":microdroid_gki-android15-6.6_kernel_signed",
        },
        x86_64: {
            src: ":microdroid_gki-android15-6.6_kernel_signed",
        },
    },
}

avb_gen_vbmeta_image {
    name: "microdroid_gki-android15-6.6_initrd_normal_hashdesc",
    defaults: ["microdroid_initrd_normal_defaults"],
    src: ":microdroid_gki-android15-6.6_initrd_normal",
}

avb_gen_vbmeta_image {
    name: "microdroid_gki-android15-6.6_initrd_debug_hashdesc",
    defaults: ["microdroid_initrd_debug_defaults"],
    src: ":microdroid_gki-android15-6.6_initrd_debuggable",
}

///////////////////////////////////////
// GKI-android16-6.12
///////////////////////////////////////
prebuilt_etc {
    name: "microdroid_gki-android16-6.12.json",
    src: "microdroid_gki-android16-6.12.json",
}

avb_add_hash_footer_defaults {
    name: "microdroid_gki-android16-6.12_kernel_signed_defaults",
    defaults: ["microdroid_kernel_signed_defaults"],
    arch: {
        arm64: {
            src: ":microdroid_gki_kernel_prebuilts-android16-6.12-arm64",
        },
        x86_64: {
            src: ":microdroid_gki_kernel_prebuilts-android16-6.12-x86_64",
        },
    },
    include_descriptors_from_images: [
        ":microdroid_gki-android16-6.12_initrd_normal_hashdesc",
        ":microdroid_gki-android16-6.12_initrd_debug_hashdesc",
    ],
}

avb_add_hash_footer {
    name: "microdroid_gki-android16-6.12_kernel_signed",
    defaults: [
        "microdroid_gki-android16-6.12_kernel_signed_defaults",
        "microdroid_kernel_cap_defaults",
    ],
    filename: "microdroid_gki-android16-6.12_kernel_signed",
}

avb_add_hash_footer {
    name: "microdroid_gki-android16-6.12_kernel_signed_supports_uefi_boot",
    defaults: [
        "microdroid_gki-android16-6.12_kernel_signed_defaults",
        "microdroid_kernel_cap_with_uefi_defaults",
    ],
    filename: "microdroid_gki-android16-6.12_kernel_signed_supports_uefi_boot",
}

// HACK: use cc_genrule for arch-specific properties
cc_genrule {
    name: "microdroid_gki-android16-6.12_kernel_signed-lz4",
    out: ["microdroid_gki-android16-6.12_kernel_signed-lz4"],
    srcs: [":empty_file"],
    arch: {
        arm64: {
            srcs: [":microdroid_gki-android16-6.12_kernel_signed"],
            exclude_srcs: [":empty_file"],
        },
    },
    tools: ["lz4"],
    cmd: "$(location lz4) -9 $(in) $(out)",
}

prebuilt_etc {
    name: "microdroid_gki-android16-6.12_kernel",
    filename: "microdroid_gki-android16-6.12_kernel",
    src: ":empty_file",
    relative_install_path: "fs",
    arch: {
        arm64: {
            src: ":microdroid_gki-android16-6.12_kernel_signed",
        },
        x86_64: {
            src: ":microdroid_gki-android16-6.12_kernel_signed",
        },
    },
}

avb_gen_vbmeta_image {
    name: "microdroid_gki-android16-6.12_initrd_normal_hashdesc",
    defaults: ["microdroid_initrd_normal_defaults"],
    src: ":microdroid_gki-android16-6.12_initrd_normal",
}

avb_gen_vbmeta_image {
    name: "microdroid_gki-android16-6.12_initrd_debug_hashdesc",
    defaults: ["microdroid_initrd_debug_defaults"],
    src: ":microdroid_gki-android16-6.12_initrd_debuggable",
}

python_binary_host {
    name: "extract_microdroid_kernel_hashes",
    srcs: ["extract_microdroid_kernel_hashes.py"],
}

// HACK: use cc_genrule for arch-specific properties
cc_genrule {
    name: "microdroid_kernel_hashes_rs",
    compile_multilib: "first",
    srcs: [":microdroid_kernel"],
    arch: {
        arm64: {
            srcs: [
                ":microdroid_gki-android15-6.6_kernel_signed",
                ":microdroid_gki-android16-6.12_kernel_signed",
            ],
        },
        x86_64: {
            srcs: [
                ":microdroid_gki-android15-6.6_kernel_signed",
                ":microdroid_gki-android16-6.12_kernel_signed",
            ],
        },
    },
    out: ["lib.rs"],
    tools: [
        "extract_microdroid_kernel_hashes",
        "avbtool",
    ],
    cmd: "$(location extract_microdroid_kernel_hashes) --avbtool $(location avbtool) " +
        "--kernel $(in) > $(out)",
}

rust_library_rlib {
    name: "libmicrodroid_kernel_hashes",
    compile_multilib: "first",
    srcs: [":microdroid_kernel_hashes_rs"],
    crate_name: "microdroid_kernel_hashes",
    prefer_rlib: true,
    no_stdlibs: true,
    stdlibs: [
        "libcompiler_builtins.rust_sysroot",
        "libcore.rust_sysroot",
    ],
}