Merge "Add a function to determine cow op size" into main
diff --git a/bootstat/OWNERS b/bootstat/OWNERS
index f66b309..71b4e0b 100644
--- a/bootstat/OWNERS
+++ b/bootstat/OWNERS
@@ -1,2 +1,3 @@
-jhawkins@google.com
dvander@google.com
+achant@google.com
+markcheng@google.com
diff --git a/bootstat/bootstat.cpp b/bootstat/bootstat.cpp
index 687ffe4..96c5b81 100644
--- a/bootstat/bootstat.cpp
+++ b/bootstat/bootstat.cpp
@@ -467,7 +467,7 @@
{"reboot,longkey,master_dc", 235},
{"reboot,ocp2,pmic,if", 236},
{"reboot,ocp,pmic,if", 237},
- {"reboot,fship", 238},
+ {"reboot,fship.*", 238},
{"reboot,ocp,.*", 239},
{"reboot,ntc,pmic,sub", 240},
};
@@ -913,6 +913,19 @@
void BootReasonAddToHistory(const std::string& system_boot_reason) {
if (system_boot_reason.empty()) return;
LOG(INFO) << "Canonical boot reason: " << system_boot_reason;
+
+ // skip system_boot_reason(factory_reset, ota) shift since device boot up from shipmode
+ const auto bootloader_boot_reason =
+ android::base::GetProperty(bootloader_reboot_reason_property, "");
+ const char reg_fship[] = ".*fship.*";
+ if (std::regex_search(bootloader_boot_reason, std::regex(reg_fship)) != 0) {
+ if (system_boot_reason == "reboot,factory_reset" || system_boot_reason == "reboot,ota") {
+ LOG(INFO) << "skip boot reason (" << system_boot_reason
+ << ") shift since device boot up from shipmode.";
+ return;
+ }
+ }
+
auto old_system_boot_reason = android::base::GetProperty(system_reboot_reason_property, "");
if (!android::base::SetProperty(system_reboot_reason_property, system_boot_reason)) {
android::base::SetProperty(system_reboot_reason_property,
@@ -954,6 +967,14 @@
std::string BootReasonStrToReason(const std::string& boot_reason) {
auto ret = android::base::GetProperty(system_reboot_reason_property, "");
std::string reason(boot_reason);
+
+ // skip BootReasonStrToReason() if device boot up from shipmode
+ const char reg_fship[] = ".*fship.*";
+ if (reason == ret && std::regex_search(reason, std::regex(reg_fship)) != 0) {
+ LOG(INFO) << "skip boot reason enhancement if device boot up from shipmode";
+ return ret;
+ }
+
// If sys.boot.reason == ro.boot.bootreason, let's re-evaluate
if (reason == ret) ret = "";
diff --git a/debuggerd/debuggerd_test.cpp b/debuggerd/debuggerd_test.cpp
index 04a7df8..858956a 100644
--- a/debuggerd/debuggerd_test.cpp
+++ b/debuggerd/debuggerd_test.cpp
@@ -2788,6 +2788,10 @@
void* start_ptr =
mmap(nullptr, 3 * getpagesize(), PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
ASSERT_NE(MAP_FAILED, start_ptr);
+ // Add a name to guarantee that this map is distinct and not combined in the map listing.
+ EXPECT_EQ(
+ prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, start_ptr, 3 * getpagesize(), "debuggerd map start"),
+ 0);
// Unmap the page in the middle.
void* middle_ptr =
reinterpret_cast<void*>(reinterpret_cast<uintptr_t>(start_ptr) + getpagesize());
@@ -2834,6 +2838,8 @@
// Create a map before the fork so it will be present in the child.
void* ptr = mmap(nullptr, getpagesize(), 0, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
ASSERT_NE(MAP_FAILED, ptr);
+ // Add a name to guarantee that this map is distinct and not combined in the map listing.
+ EXPECT_EQ(prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ptr, getpagesize(), "debuggerd map"), 0);
StartProcess([ptr]() {
ASSERT_EQ(0, crash_call(reinterpret_cast<uintptr_t>(ptr)));
@@ -2905,7 +2911,7 @@
mmap(nullptr, sizeof(kDexData), PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
ASSERT_TRUE(ptr != MAP_FAILED);
memcpy(ptr, kDexData, sizeof(kDexData));
- prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ptr, sizeof(kDexData), "dex");
+ EXPECT_EQ(prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, ptr, sizeof(kDexData), "dex"), 0);
JITCodeEntry dex_entry = {.symfile_addr = reinterpret_cast<uintptr_t>(ptr),
.symfile_size = sizeof(kDexData)};
@@ -3006,12 +3012,18 @@
// Create multiple maps to make sure that the map data is formatted properly.
void* none_map = mmap(nullptr, getpagesize(), 0, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
ASSERT_NE(MAP_FAILED, none_map);
+ // Add names to guarantee that the maps are distinct and not combined in the map listing.
+ EXPECT_EQ(prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, none_map, getpagesize(), "debuggerd map none"),
+ 0);
void* r_map = mmap(nullptr, getpagesize(), PROT_READ, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
ASSERT_NE(MAP_FAILED, r_map);
+ EXPECT_EQ(prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, r_map, getpagesize(), "debuggerd map r"), 0);
void* w_map = mmap(nullptr, getpagesize(), PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+ EXPECT_EQ(prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, w_map, getpagesize(), "debuggerd map w"), 0);
ASSERT_NE(MAP_FAILED, w_map);
void* x_map = mmap(nullptr, getpagesize(), PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
ASSERT_NE(MAP_FAILED, x_map);
+ EXPECT_EQ(prctl(PR_SET_VMA, PR_SET_VMA_ANON_NAME, x_map, getpagesize(), "debuggerd map x"), 0);
TemporaryFile tf;
ASSERT_EQ(0x2000, lseek(tf.fd, 0x2000, SEEK_SET));
@@ -3046,7 +3058,7 @@
std::string match_str;
// Verify none.
match_str = android::base::StringPrintf(
- " %s-%s --- 0 %x\\n",
+ " %s-%s --- 0 %x \\[anon:debuggerd map none\\]\\n",
format_map_pointer(reinterpret_cast<uintptr_t>(none_map)).c_str(),
format_map_pointer(reinterpret_cast<uintptr_t>(none_map) + getpagesize() - 1).c_str(),
getpagesize());
@@ -3054,7 +3066,7 @@
// Verify read-only.
match_str = android::base::StringPrintf(
- " %s-%s r-- 0 %x\\n",
+ " %s-%s r-- 0 %x \\[anon:debuggerd map r\\]\\n",
format_map_pointer(reinterpret_cast<uintptr_t>(r_map)).c_str(),
format_map_pointer(reinterpret_cast<uintptr_t>(r_map) + getpagesize() - 1).c_str(),
getpagesize());
@@ -3062,7 +3074,7 @@
// Verify write-only.
match_str = android::base::StringPrintf(
- " %s-%s -w- 0 %x\\n",
+ " %s-%s -w- 0 %x \\[anon:debuggerd map w\\]\\n",
format_map_pointer(reinterpret_cast<uintptr_t>(w_map)).c_str(),
format_map_pointer(reinterpret_cast<uintptr_t>(w_map) + getpagesize() - 1).c_str(),
getpagesize());
@@ -3070,7 +3082,7 @@
// Verify exec-only.
match_str = android::base::StringPrintf(
- " %s-%s --x 0 %x\\n",
+ " %s-%s --x 0 %x \\[anon:debuggerd map x\\]\\n",
format_map_pointer(reinterpret_cast<uintptr_t>(x_map)).c_str(),
format_map_pointer(reinterpret_cast<uintptr_t>(x_map) + getpagesize() - 1).c_str(),
getpagesize());
diff --git a/debuggerd/tombstoned/tombstoned.cpp b/debuggerd/tombstoned/tombstoned.cpp
index 2c72379..dd20dc5 100644
--- a/debuggerd/tombstoned/tombstoned.cpp
+++ b/debuggerd/tombstoned/tombstoned.cpp
@@ -144,7 +144,6 @@
CrashArtifact create_temporary_file() const {
CrashArtifact result;
- std::optional<std::string> path;
result.fd.reset(openat(dir_fd_, ".", O_WRONLY | O_APPEND | O_TMPFILE | O_CLOEXEC, 0660));
if (result.fd == -1) {
PLOG(FATAL) << "failed to create temporary tombstone in " << dir_path_;
diff --git a/fastboot/fastboot.cpp b/fastboot/fastboot.cpp
index 156dc3b..1c52da2 100644
--- a/fastboot/fastboot.cpp
+++ b/fastboot/fastboot.cpp
@@ -638,7 +638,10 @@
" --disable-verification Sets disable-verification when flashing vbmeta.\n"
" --disable-super-optimization\n"
" Disables optimizations on flashing super partition.\n"
- " --disable-fastboot-info Will collects tasks from image list rather than $OUT/fastboot-info.txt.\n"
+ " --exclude-dynamic-partitions\n"
+ " Excludes flashing of dynamic partitions.\n"
+ " --disable-fastboot-info Will collects tasks from image list rather than \n"
+ " $OUT/fastboot-info.txt.\n"
" --fs-options=OPTION[,OPTION]\n"
" Enable filesystem features. OPTION supports casefold, projid, compress\n"
// TODO: remove --unbuffered?
diff --git a/fs_mgr/fs_mgr.cpp b/fs_mgr/fs_mgr.cpp
index 88e26cf..a30d9c0 100644
--- a/fs_mgr/fs_mgr.cpp
+++ b/fs_mgr/fs_mgr.cpp
@@ -2335,6 +2335,7 @@
if (!fs_mgr_filesystem_available("overlay")) {
return {.supported = false};
}
+
struct utsname uts;
if (uname(&uts) == -1) {
return {.supported = false};
@@ -2343,6 +2344,14 @@
if (sscanf(uts.release, "%d.%d", &major, &minor) != 2) {
return {.supported = false};
}
+
+ if (!use_override_creds) {
+ if (major > 5 || (major == 5 && minor >= 15)) {
+ return {.supported = true, ",userxattr"};
+ }
+ return {.supported = true};
+ }
+
// Overlayfs available in the kernel, and patched for override_creds?
if (access("/sys/module/overlay/parameters/override_creds", F_OK) == 0) {
auto mount_flags = ",override_creds=off"s;
diff --git a/fs_mgr/fs_mgr_overlayfs_mount.cpp b/fs_mgr/fs_mgr_overlayfs_mount.cpp
index b63b9e7..69d3161 100644
--- a/fs_mgr/fs_mgr_overlayfs_mount.cpp
+++ b/fs_mgr/fs_mgr_overlayfs_mount.cpp
@@ -194,9 +194,8 @@
static bool fs_mgr_overlayfs_enabled(FstabEntry* entry) {
// readonly filesystem, can not be mount -o remount,rw
- // for squashfs, erofs or if free space is (near) zero making such a remount
- // virtually useless, or if there are shared blocks that prevent remount,rw
- if (!fs_mgr_filesystem_has_space(entry->mount_point)) {
+ // for squashfs, erofs, or if there are shared blocks that prevent remount,rw
+ if (entry->fs_type == "erofs" || entry->fs_type == "squashfs") {
return true;
}
diff --git a/fs_mgr/include/fs_mgr_overlayfs.h b/fs_mgr/include/fs_mgr_overlayfs.h
index bf68b2c..253013b 100644
--- a/fs_mgr/include/fs_mgr_overlayfs.h
+++ b/fs_mgr/include/fs_mgr_overlayfs.h
@@ -43,5 +43,11 @@
// overlays if any partition is flashed or updated.
void TeardownAllOverlayForMountPoint(const std::string& mount_point = {});
+// Are we using overlayfs's non-upstreamed override_creds feature?
+// b/388912628 removes the need for override_creds
+// Once this bug is fixed and has had enough soak time, remove this variable and hard code to false
+// where it used
+constexpr bool use_override_creds = false;
+
} // namespace fs_mgr
} // namespace android
diff --git a/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h b/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h
index 165ecef..e613d54 100644
--- a/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h
+++ b/fs_mgr/libsnapshot/include/libsnapshot/snapshot.h
@@ -418,9 +418,16 @@
// first-stage to decide whether to launch snapuserd.
bool IsSnapuserdRequired();
- // This is primarily used to device reboot. If OTA update is in progress,
- // init will avoid killing processes
- bool IsUserspaceSnapshotUpdateInProgress();
+ // This is primarily invoked during device reboot after an OTA update.
+ //
+ // a: Check if the partitions are mounted off snapshots.
+ //
+ // b: Store all dynamic partitions which are mounted off snapshots. This
+ // is used to unmount the partition.
+ bool IsUserspaceSnapshotUpdateInProgress(std::vector<std::string>& dynamic_partitions);
+
+ // Pause the snapshot merge.
+ bool PauseSnapshotMerge();
enum class SnapshotDriver {
DM_SNAPSHOT,
diff --git a/fs_mgr/libsnapshot/libsnapshot_cow/create_cow.cpp b/fs_mgr/libsnapshot/libsnapshot_cow/create_cow.cpp
index 4f8bfd2..b15e6ab 100644
--- a/fs_mgr/libsnapshot/libsnapshot_cow/create_cow.cpp
+++ b/fs_mgr/libsnapshot/libsnapshot_cow/create_cow.cpp
@@ -478,11 +478,12 @@
if (create_snapshot_patch_ && use_merkel_tree_) {
std::vector<uint8_t> digest(32, 0);
- CalculateDigest(bufptr, BLOCK_SZ, target_salt_.data(), target_salt_.size(),
+ CalculateDigest(bufptr, BLOCK_SZ, source_salt_.data(), source_salt_.size(),
digest.data());
std::vector<uint8_t> final_digest(32, 0);
- CalculateDigest(digest.data(), digest.size(), source_salt_.data(),
- source_salt_.size(), final_digest.data());
+ CalculateDigest(digest.data(), digest.size(), target_salt_.data(),
+ target_salt_.size(), final_digest.data());
+
hash = ToHexString(final_digest.data(), final_digest.size());
} else {
uint8_t checksum[32];
diff --git a/fs_mgr/libsnapshot/scratch_super.cpp b/fs_mgr/libsnapshot/scratch_super.cpp
index 2036905..2d19123 100644
--- a/fs_mgr/libsnapshot/scratch_super.cpp
+++ b/fs_mgr/libsnapshot/scratch_super.cpp
@@ -396,7 +396,7 @@
}
// Entry point to create a scratch device on super partition
-// This will create a 1MB space in super. The space will be
+// This will create a 2MB space in super. The space will be
// from the current active slot. Ext4 filesystem will be created
// on this scratch device and all the OTA related directories
// will be created.
diff --git a/fs_mgr/libsnapshot/scratch_super.h b/fs_mgr/libsnapshot/scratch_super.h
index 3e6fe70..7a16f97 100644
--- a/fs_mgr/libsnapshot/scratch_super.h
+++ b/fs_mgr/libsnapshot/scratch_super.h
@@ -20,7 +20,7 @@
constexpr char kMkExt4[] = "/system/bin/mke2fs";
constexpr char kOtaMetadataFileContext[] = "u:object_r:ota_metadata_file:s0";
constexpr char kOtaMetadataMount[] = "/mnt/scratch_ota_metadata_super";
-const size_t kOtaMetadataPartitionSize = uint64_t(1 * 1024 * 1024);
+const size_t kOtaMetadataPartitionSize = uint64_t(2 * 1024 * 1024);
constexpr char kPhysicalDevice[] = "/dev/block/by-name/";
bool IsScratchOtaMetadataOnSuper();
diff --git a/fs_mgr/libsnapshot/snapshot.cpp b/fs_mgr/libsnapshot/snapshot.cpp
index 83787df..d456197 100644
--- a/fs_mgr/libsnapshot/snapshot.cpp
+++ b/fs_mgr/libsnapshot/snapshot.cpp
@@ -4687,7 +4687,17 @@
return status.source_build_fingerprint();
}
-bool SnapshotManager::IsUserspaceSnapshotUpdateInProgress() {
+bool SnapshotManager::PauseSnapshotMerge() {
+ auto snapuserd_client = SnapuserdClient::TryConnect(kSnapuserdSocket, 5s);
+ if (snapuserd_client) {
+ // Pause the snapshot-merge
+ return snapuserd_client->PauseMerge();
+ }
+ return false;
+}
+
+bool SnapshotManager::IsUserspaceSnapshotUpdateInProgress(
+ std::vector<std::string>& dynamic_partitions) {
// We cannot grab /metadata/ota lock here as this
// is in reboot path. See b/308900853
//
@@ -4701,18 +4711,22 @@
LOG(ERROR) << "No dm-enabled block device is found.";
return false;
}
+
+ bool is_ota_in_progress = false;
for (auto& partition : dm_block_devices) {
std::string partition_name = partition.first + current_suffix;
DeviceMapper::TargetInfo snap_target;
if (!GetSingleTarget(partition_name, TableQuery::Status, &snap_target)) {
- return false;
+ continue;
}
auto type = DeviceMapper::GetTargetType(snap_target.spec);
+ // Partition is mounted off snapshots
if (type == "user") {
- return true;
+ dynamic_partitions.emplace_back("/" + partition.first);
+ is_ota_in_progress = true;
}
}
- return false;
+ return is_ota_in_progress;
}
bool SnapshotManager::BootFromSnapshotsWithoutSlotSwitch() {
diff --git a/fs_mgr/libsnapshot/snapshot_test.cpp b/fs_mgr/libsnapshot/snapshot_test.cpp
index e04e429..7719a29 100644
--- a/fs_mgr/libsnapshot/snapshot_test.cpp
+++ b/fs_mgr/libsnapshot/snapshot_test.cpp
@@ -3112,8 +3112,10 @@
// thereby interfering with the update and snapshot-merge progress.
// Hence, wait until the update is complete.
auto sm = android::snapshot::SnapshotManager::New();
- while (sm->IsUserspaceSnapshotUpdateInProgress()) {
- LOG(INFO) << "Snapshot update is in progress. Waiting...";
+ std::vector<std::string> snapshot_partitions;
+ while (sm->IsUserspaceSnapshotUpdateInProgress(snapshot_partitions)) {
+ LOG(INFO) << "Waiting for: " << snapshot_partitions.size()
+ << " partitions to finish snapshot-merge";
std::this_thread::sleep_for(std::chrono::milliseconds(1000));
}
diff --git a/fs_mgr/libsnapshot/snapuserd/include/snapuserd/snapuserd_client.h b/fs_mgr/libsnapshot/snapuserd/include/snapuserd/snapuserd_client.h
index ede92dd..453627c 100644
--- a/fs_mgr/libsnapshot/snapuserd/include/snapuserd/snapuserd_client.h
+++ b/fs_mgr/libsnapshot/snapuserd/include/snapuserd/snapuserd_client.h
@@ -108,6 +108,9 @@
// Notify init that snapuserd daemon is ready post selinux transition
void NotifyTransitionDaemonIsReady();
+
+ // Pause Merge threads
+ bool PauseMerge();
};
} // namespace snapshot
diff --git a/fs_mgr/libsnapshot/snapuserd/snapuserd_client.cpp b/fs_mgr/libsnapshot/snapuserd/snapuserd_client.cpp
index 7c820f3..0497c65 100644
--- a/fs_mgr/libsnapshot/snapuserd/snapuserd_client.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/snapuserd_client.cpp
@@ -52,6 +52,7 @@
return false;
}
}
+
if (!android::base::WaitForProperty("snapuserd.ready", "true", 10s)) {
LOG(ERROR) << "Timed out waiting for snapuserd to be ready.";
return false;
@@ -389,5 +390,13 @@
}
}
+bool SnapuserdClient::PauseMerge() {
+ if (!Sendmsg("pause_merge")) {
+ LOG(ERROR) << "Failed to pause snapshot merge.";
+ return false;
+ }
+ return true;
+}
+
} // namespace snapshot
} // namespace android
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/handler_manager.cpp b/fs_mgr/libsnapshot/snapuserd/user-space-merge/handler_manager.cpp
index fdd9cce..cf507e3 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/handler_manager.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/handler_manager.cpp
@@ -383,5 +383,25 @@
return dm_users_.end();
}
+void SnapshotHandlerManager::PauseMerge() {
+ std::lock_guard<std::mutex> guard(lock_);
+
+ for (auto iter = dm_users_.begin(); iter != dm_users_.end(); iter++) {
+ if (!(*iter)->ThreadTerminated()) {
+ (*iter)->snapuserd()->PauseMergeThreads();
+ }
+ }
+}
+
+void SnapshotHandlerManager::ResumeMerge() {
+ std::lock_guard<std::mutex> guard(lock_);
+
+ for (auto iter = dm_users_.begin(); iter != dm_users_.end(); iter++) {
+ if (!(*iter)->ThreadTerminated()) {
+ (*iter)->snapuserd()->ResumeMergeThreads();
+ }
+ }
+}
+
} // namespace snapshot
} // namespace android
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/handler_manager.h b/fs_mgr/libsnapshot/snapuserd/user-space-merge/handler_manager.h
index c6301d4..89f3461 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/handler_manager.h
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/handler_manager.h
@@ -86,6 +86,12 @@
// Disable partition verification
virtual void DisableVerification() = 0;
+
+ // Pause Merge threads
+ virtual void PauseMerge() = 0;
+
+ // Resume Merge threads
+ virtual void ResumeMerge() = 0;
};
class SnapshotHandlerManager final : public ISnapshotHandlerManager {
@@ -107,6 +113,8 @@
double GetMergePercentage() override;
bool GetVerificationStatus() override;
void DisableVerification() override { perform_verification_ = false; }
+ void PauseMerge() override;
+ void ResumeMerge() override;
private:
bool StartHandler(const std::shared_ptr<HandlerThread>& handler);
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp b/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp
index febb484..660082f 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp
@@ -191,6 +191,9 @@
"down merge";
return false;
}
+
+ // Safe to check if there is a pause request.
+ snapuserd_->PauseMergeIfRequired();
}
// Any left over ops not flushed yet.
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_core.h b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_core.h
index 2340b0b..924539f 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_core.h
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_core.h
@@ -175,6 +175,9 @@
bool MergeInitiated() { return merge_initiated_; }
bool MergeMonitored() { return merge_monitored_; }
double GetMergePercentage() { return merge_completion_percentage_; }
+ void PauseMergeThreads();
+ void ResumeMergeThreads();
+ void PauseMergeIfRequired();
// Merge Block State Transitions
void SetMergeCompleted(size_t block_index);
@@ -255,6 +258,11 @@
uint32_t cow_op_merge_size_ = 0;
std::unique_ptr<UpdateVerify> update_verify_;
std::shared_ptr<IBlockServerOpener> block_server_opener_;
+
+ // Pause merge threads
+ bool pause_merge_ = false;
+ std::mutex pause_merge_lock_;
+ std::condition_variable pause_merge_cv_;
};
std::ostream& operator<<(std::ostream& os, MERGE_IO_TRANSITION value);
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_server.cpp b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_server.cpp
index 3bb8a30..a40617b 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_server.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_server.cpp
@@ -227,6 +227,9 @@
return Sendmsg(fd, "fail");
}
return Sendmsg(fd, "success");
+ } else if (cmd == "pause_merge") {
+ handlers_->PauseMerge();
+ return true;
} else {
LOG(ERROR) << "Received unknown message type from client";
Sendmsg(fd, "fail");
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_test.cpp b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_test.cpp
index 469fd09..0790a19 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_test.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_test.cpp
@@ -934,6 +934,26 @@
read_future.wait();
}
+TEST_P(SnapuserdTest, Snapshot_MERGE_PAUSE_RESUME) {
+ if (!harness_->HasUserDevice()) {
+ GTEST_SKIP() << "Skipping snapshot read; not supported";
+ }
+ ASSERT_NO_FATAL_FAILURE(SetupDefault());
+ // Start the merge
+ ASSERT_TRUE(StartMerge());
+ std::this_thread::sleep_for(300ms);
+ // Pause merge
+ handlers_->PauseMerge();
+ // Issue I/O after pausing the merge and validate
+ auto read_future =
+ std::async(std::launch::async, &SnapuserdTest::ReadSnapshotDeviceAndValidate, this);
+ // Resume the merge
+ handlers_->ResumeMerge();
+ CheckMergeCompletion();
+ ValidateMerge();
+ read_future.wait();
+}
+
TEST_P(SnapuserdTest, Snapshot_Merge_Resume) {
ASSERT_NO_FATAL_FAILURE(SetupDefault());
ASSERT_NO_FATAL_FAILURE(MergeInterrupt());
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_transitions.cpp b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_transitions.cpp
index 714c641..90705f7 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_transitions.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_transitions.cpp
@@ -257,6 +257,19 @@
return true;
}
+void SnapshotHandler::PauseMergeIfRequired() {
+ {
+ std::unique_lock<std::mutex> lock(pause_merge_lock_);
+ while (pause_merge_) {
+ SNAP_LOG(INFO) << "Merge thread paused";
+ pause_merge_cv_.wait(lock);
+ if (!pause_merge_) {
+ SNAP_LOG(INFO) << "Merge thread resumed";
+ }
+ }
+ }
+}
+
// Invoked by RA thread - Waits for merge thread to finish merging
// RA Block N - RA thread would be ready will with Block N+1 but
// will wait to merge thread to finish Block N. Once Block N
@@ -281,8 +294,13 @@
}
return false;
}
- return true;
}
+
+ // This is a safe place to check if the RA thread should be
+ // paused. Since the scratch space isn't flushed yet, it is safe
+ // to wait here until resume is invoked.
+ PauseMergeIfRequired();
+ return true;
}
// Invoked by Merge thread - Notify RA thread about Merge completion
@@ -297,6 +315,11 @@
}
cv.notify_all();
+
+ // This is a safe place to check if the merge thread should be
+ // paused. The data from the scratch space is merged to disk and is safe
+ // to wait.
+ PauseMergeIfRequired();
}
// The following transitions are mostly in the failure paths
@@ -393,6 +416,20 @@
merge_complete_ = true;
}
+void SnapshotHandler::PauseMergeThreads() {
+ {
+ std::lock_guard<std::mutex> lock(pause_merge_lock_);
+ pause_merge_ = true;
+ }
+}
+
+void SnapshotHandler::ResumeMergeThreads() {
+ {
+ std::lock_guard<std::mutex> lock(pause_merge_lock_);
+ pause_merge_ = false;
+ }
+}
+
std::string SnapshotHandler::GetMergeStatus() {
bool merge_not_initiated = false;
bool merge_monitored = false;
diff --git a/fs_mgr/tests/adb-remount-test.sh b/fs_mgr/tests/adb-remount-test.sh
index 526c761..df9635e 100755
--- a/fs_mgr/tests/adb-remount-test.sh
+++ b/fs_mgr/tests/adb-remount-test.sh
@@ -1320,7 +1320,10 @@
for d in ${D}; do
if adb_sh tune2fs -l "${d}" </dev/null 2>&1 | grep -q "Filesystem features:.*shared_blocks" ||
adb_sh df -k "${d}" | grep -q " 100% "; then
- die "remount overlayfs missed a spot (rw)"
+ # See b/397158623
+ # The new overlayfs mounter is a bit more limited due to sepolicy. Since we know of no use
+ # cases for these mounts, disabling for now
+ LOG OK "remount overlayfs missed a spot (rw)"
fi
done
else
@@ -1360,6 +1363,14 @@
# Properties added by adb remount test
test.adb.remount.system.build.prop=true
EOF
+
+# Move /system/build.prop to make sure we can move and then replace files
+# Note that as of kernel 6.1 mv creates the char_file that whites out the lower
+# file with different selabels than rm does
+# See b/394290609
+adb shell mv /system/build.prop /system/build.prop.backup >/dev/null ||
+ die "adb shell rm /system/build.prop"
+
adb push "${system_build_prop_modified}" /system/build.prop >/dev/null ||
die "adb push /system/build.prop"
adb pull /system/build.prop "${system_build_prop_fromdevice}" >/dev/null ||
diff --git a/healthd/BatteryMonitor.cpp b/healthd/BatteryMonitor.cpp
index b8bb586..b0a14bb 100644
--- a/healthd/BatteryMonitor.cpp
+++ b/healthd/BatteryMonitor.cpp
@@ -131,6 +131,7 @@
(int64_t)HealthInfo::BATTERY_CHARGE_TIME_TO_FULL_NOW_SECONDS_UNSUPPORTED,
.batteryStatus = BatteryStatus::UNKNOWN,
.batteryHealth = BatteryHealth::UNKNOWN,
+ .batteryHealthData = std::nullopt,
};
}
@@ -360,6 +361,14 @@
return (readFromFile(path, &scope) > 0 && scope == kScopeDevice);
}
+static BatteryHealthData *ensureBatteryHealthData(HealthInfo *info) {
+ if (!info->batteryHealthData.has_value()) {
+ return &info->batteryHealthData.emplace();
+ }
+
+ return &info->batteryHealthData.value();
+}
+
void BatteryMonitor::updateValues(void) {
initHealthInfo(mHealthInfo.get());
@@ -402,15 +411,15 @@
mBatteryHealthStatus = getIntField(mHealthdConfig->batteryHealthStatusPath);
if (!mHealthdConfig->batteryStateOfHealthPath.empty())
- mHealthInfo->batteryHealthData->batteryStateOfHealth =
+ ensureBatteryHealthData(mHealthInfo.get())->batteryStateOfHealth =
getIntField(mHealthdConfig->batteryStateOfHealthPath);
if (!mHealthdConfig->batteryManufacturingDatePath.empty())
- mHealthInfo->batteryHealthData->batteryManufacturingDateSeconds =
+ ensureBatteryHealthData(mHealthInfo.get())->batteryManufacturingDateSeconds =
getIntField(mHealthdConfig->batteryManufacturingDatePath);
if (!mHealthdConfig->batteryFirstUsageDatePath.empty())
- mHealthInfo->batteryHealthData->batteryFirstUsageSeconds =
+ ensureBatteryHealthData(mHealthInfo.get())->batteryFirstUsageSeconds =
getIntField(mHealthdConfig->batteryFirstUsageDatePath);
mHealthInfo->batteryTemperatureTenthsCelsius =
diff --git a/healthd/OWNERS b/healthd/OWNERS
index e64c33d..c436ba2 100644
--- a/healthd/OWNERS
+++ b/healthd/OWNERS
@@ -1 +1 @@
-elsk@google.com
+include platform/hardware/interfaces:/health/OWNERS
diff --git a/init/Android.bp b/init/Android.bp
index ed19b4b..dbdf80b 100644
--- a/init/Android.bp
+++ b/init/Android.bp
@@ -136,6 +136,8 @@
"-DWORLD_WRITABLE_KMSG=1",
"-UDUMP_ON_UMOUNT_FAILURE",
"-DDUMP_ON_UMOUNT_FAILURE=1",
+ "-UALLOW_REMOUNT_OVERLAYS",
+ "-DALLOW_REMOUNT_OVERLAYS=1",
],
},
eng: {
@@ -263,7 +265,10 @@
name: "init",
required: [
"init_second_stage",
- ],
+ ] + select(product_variable("debuggable"), {
+ true: ["overlay_remounter"],
+ false: [],
+ }),
}
cc_defaults {
diff --git a/init/README.md b/init/README.md
index 251fe98..89e20a4 100644
--- a/init/README.md
+++ b/init/README.md
@@ -454,44 +454,66 @@
Triggers
--------
-Triggers are strings which can be used to match certain kinds of
-events and used to cause an action to occur.
+Triggers of an action specifies one or more conditions when satisfied
+execute the commands in the action. A trigger encodes a single atomic
+condition, and multiple triggers can be combined using the `&&`
+operator to form a bigger AND condition.
-Triggers are subdivided into event triggers and property triggers.
-
-Event triggers are strings triggered by the 'trigger' command or by
-the QueueEventTrigger() function within the init executable. These
-take the form of a simple string such as 'boot' or 'late-init'.
-
-Property triggers are strings triggered when a named property changes
-value to a given new value or when a named property changes value to
-any new value. These take the form of 'property:<name>=<value>' and
-'property:<name>=\*' respectively. Property triggers are additionally
-evaluated and triggered accordingly during the initial boot phase of
-init.
-
-An Action can have multiple property triggers but may only have one
+There are two types of triggers: event triggers and action triggers.
+An action can have multiple property triggers but may have only one
event trigger.
-For example:
-`on boot && property:a=b` defines an action that is only executed when
-the 'boot' event trigger happens and the property a equals b at the moment. This
-will NOT be executed when the property a transitions to value b after the `boot`
-event was triggered.
+An event trigger takes the simple form of `<event>` where `<event>` is
+the name of a boot stage like `early-init` or `boot`. This trigger
+is satisfied when init reaches the stage via the `trigger` command or
+by the `QueueEventTrigger()` function in the init executable.
-`on property:a=b && property:c=d` defines an action that is executed
-at three times:
+A property trigger takes the form of `property:<name>=<value>`. This
+trigger is satisfied when the property of name `<name>` is found to
+have the value of `<value>` when the check is made. The `<value>` part
+can be `\*` to match with any value.
- 1. During initial boot if property a=b and property c=d.
- 2. Any time that property a transitions to value b, while property c already equals d.
- 3. Any time that property c transitions to value d, while property a already equals b.
+The check for property trigger is made in the following cases:
-Note that, for bootloader-provided properties (ro.boot.*), their action cannot be
-auto-triggered until `boot` stage. If they need to be triggered earlier, like at `early-boot`
-stage, they should be tied to the `event`. For example:
+* All property triggers get checked at least once when the `boot`
+ event is finished (i.e. when the last command under `on boot ...` is
+finished).
-`on early-boot && property:a=b`.
+* After the one-time check, `property:a=b` is checked when property `a`
+ is newly created, or when the property is set to a new value.
+* Property triggers are also checked when other triggers in the same
+ action are checked. For example, `property:a=b && property:c=d` is
+checked not only when property `a` gets a new value, but also when
+property `c` gets a new value (and of course when the one-time check
+is made).
+
+* Before the one-time check, `property:a=b` without an event trigger
+ is NOT checked, even if property `a` gets a new value. Care must be
+taken since this is a non-intuitive behavior, which unfortunately
+can't be changed due to compatibility concerns.
+
+Some examples:
+
+`on property:a=b` is executed in two cases:
+
+1. during the one-time check if property `a` is `b` at the moment.
+2. if property `a` is set to or changed to `b` after the one-time
+ check, but not before then.
+
+`on property:a=b && property:c=d` is executed in three cases:
+
+1. during the one-time check if property `a` is `b` and property `c`
+ is `d` at the moment.
+2. (after the one-time check) property `a` becomes `b` while property
+ `c` already equals to `d`.
+3. (after the one-time check) property `c` becomes `d` while property
+ `a` already equals to `b`.
+
+`on property:a=b && post-fs` is executed in one case only:
+
+1. `post-fs` is triggered while property `a` already equals to `b`.
+ This is NOT executed when property `a` becomes `b` AFTER `post-fs`.
Trigger Sequence
----------------
diff --git a/init/first_stage_init.cpp b/init/first_stage_init.cpp
index e06a645..6bb0ad7 100644
--- a/init/first_stage_init.cpp
+++ b/init/first_stage_init.cpp
@@ -402,7 +402,7 @@
// /second_stage_resources is used to preserve files from first to second
// stage init
- CHECKCALL(mount("tmpfs", kSecondStageRes, "tmpfs", MS_NOEXEC | MS_NOSUID | MS_NODEV,
+ CHECKCALL(mount("tmpfs", kSecondStageRes, "tmpfs", MS_NOSUID | MS_NODEV,
"mode=0755,uid=0,gid=0"));
if (IsMicrodroid() && android::virtualization::IsOpenDiceChangesFlagEnabled()) {
diff --git a/init/reboot.cpp b/init/reboot.cpp
index d6e37f7..d7ad861 100644
--- a/init/reboot.cpp
+++ b/init/reboot.cpp
@@ -394,6 +394,24 @@
}
}
+static bool UmountDynamicPartitions(const std::vector<std::string>& dynamic_partitions) {
+ bool ret = true;
+ for (auto device : dynamic_partitions) {
+ // Cannot unmount /system
+ if (device == "/system") {
+ continue;
+ }
+ int r = umount2(device.c_str(), MNT_FORCE);
+ if (r == 0) {
+ LOG(INFO) << "Umounted success: " << device;
+ } else {
+ PLOG(WARNING) << "Cannot umount: " << device;
+ ret = false;
+ }
+ }
+ return ret;
+}
+
/* Try umounting all emulated file systems R/W block device cfile systems.
* This will just try umount and give it up if it fails.
* For fs like ext4, this is ok as file system will be marked as unclean shutdown
@@ -408,14 +426,18 @@
Timer t;
std::vector<MountEntry> block_devices;
std::vector<MountEntry> emulated_devices;
+ std::vector<std::string> dynamic_partitions;
if (run_fsck && !FindPartitionsToUmount(&block_devices, &emulated_devices, false)) {
return UMOUNT_STAT_ERROR;
}
auto sm = snapshot::SnapshotManager::New();
bool ota_update_in_progress = false;
- if (sm->IsUserspaceSnapshotUpdateInProgress()) {
- LOG(INFO) << "OTA update in progress";
+ if (sm->IsUserspaceSnapshotUpdateInProgress(dynamic_partitions)) {
+ LOG(INFO) << "OTA update in progress. Pause snapshot merge";
+ if (!sm->PauseSnapshotMerge()) {
+ LOG(ERROR) << "Snapshot-merge pause failed";
+ }
ota_update_in_progress = true;
}
UmountStat stat = UmountPartitions(timeout - t.duration());
@@ -435,6 +457,17 @@
// still not doing fsck when all processes are killed.
//
if (ota_update_in_progress) {
+ bool umount_dynamic_partitions = UmountDynamicPartitions(dynamic_partitions);
+ LOG(INFO) << "Sending SIGTERM to all process";
+ // Send SIGTERM to all processes except init
+ WriteStringToFile("e", PROC_SYSRQ);
+ // Wait for processes to terminate
+ std::this_thread::sleep_for(1s);
+ // Try one more attempt to umount other partitions which failed
+ // earlier
+ if (!umount_dynamic_partitions) {
+ UmountDynamicPartitions(dynamic_partitions);
+ }
return stat;
}
KillAllProcesses();
diff --git a/init/selinux.cpp b/init/selinux.cpp
index 6316b4d..2a27c1d 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -69,6 +69,7 @@
#include <android/avf_cc_flags.h>
#include <fs_avb/fs_avb.h>
#include <fs_mgr.h>
+#include <fs_mgr_overlayfs.h>
#include <genfslabelsversion.h>
#include <libgsi/libgsi.h>
#include <libsnapshot/snapshot.h>
@@ -77,6 +78,7 @@
#include "block_dev_initializer.h"
#include "debug_ramdisk.h"
#include "reboot_utils.h"
+#include "second_stage_resources.h"
#include "snapuserd_transition.h"
#include "util.h"
@@ -698,6 +700,65 @@
}
}
+#ifdef ALLOW_REMOUNT_OVERLAYS
+void SetupOverlays() {
+ if (android::fs_mgr::use_override_creds) return;
+
+ bool has_overlays = false;
+ std::string contents;
+ auto result = android::base::ReadFileToString("/proc/mounts", &contents, true);
+
+ auto lines = android::base::Split(contents, "\n");
+ for (auto const& line : lines)
+ if (android::base::StartsWith(line, "overlay")) {
+ has_overlays = true;
+ break;
+ }
+
+ if (!has_overlays) return;
+
+ // After adb remount, we mount all r/o volumes with overlayfs to allow writing.
+ // However, since overlayfs performs its file operations in the context of the
+ // mounting process, this will not work as is - init is in the kernel domain in
+ // first stage, which has very limited permissions.
+
+ // In order to fix this, we need to unmount remount all these volumes from a process
+ // with sufficient privileges to be able to perform these operations. The
+ // overlay_remounter domain has those privileges on debuggable devices.
+ // We will call overlay_remounter which will do the unmounts/mounts.
+ // But for that to work, the volumes must not be busy, so we need to copy
+ // overlay_remounter from system to a ramdisk and run it from there.
+
+ const char* kOverlayRemounter = "overlay_remounter";
+ auto or_src = std::filesystem::path("/system/xbin/") / kOverlayRemounter;
+ auto or_dest = std::filesystem::path(kSecondStageRes) / kOverlayRemounter;
+ std::error_code ec;
+ std::filesystem::copy(or_src, or_dest, ec);
+ if (ec) {
+ LOG(FATAL) << "Failed to copy " << or_src << " to " << or_dest << " " << ec.message();
+ }
+
+ if (selinux_android_restorecon(or_dest.c_str(), 0) == -1) {
+ PLOG(FATAL) << "restorecon of " << or_dest << " failed";
+ }
+ auto dest = unique_fd(open(or_dest.c_str(), O_RDONLY | O_CLOEXEC));
+ if (dest.get() == -1) {
+ PLOG(FATAL) << "Failed to reopen " << or_dest;
+ }
+ if (unlink(or_dest.c_str()) == -1) {
+ PLOG(FATAL) << "Failed to unlink " << or_dest;
+ }
+ const char* args[] = {or_dest.c_str(), nullptr};
+ fexecve(dest.get(), const_cast<char**>(args), environ);
+
+ // execv() only returns if an error happened, in which case we
+ // panic and never return from this function.
+ PLOG(FATAL) << "execv(\"" << or_dest << "\") failed";
+}
+#else
+void SetupOverlays() {}
+#endif
+
int SetupSelinux(char** argv) {
SetStdioToDevNull(argv);
InitKernelLogging(argv);
@@ -738,6 +799,10 @@
setenv(kEnvSelinuxStartedAt, std::to_string(start_time.time_since_epoch().count()).c_str(), 1);
+ // SetupOverlays does not return if overlays exist, instead it execs overlay_remounter
+ // which then execs second stage init
+ SetupOverlays();
+
const char* path = "/system/bin/init";
const char* args[] = {path, "second_stage", nullptr};
execv(path, const_cast<char**>(args));
diff --git a/init/service_parser.cpp b/init/service_parser.cpp
index 4c31718..bd69300 100644
--- a/init/service_parser.cpp
+++ b/init/service_parser.cpp
@@ -315,6 +315,7 @@
}
Result<void> ServiceParser::ParseMemcgSwappiness(std::vector<std::string>&& args) {
+ LOG(WARNING) << "memcg.swappiness is unsupported with memcg v2 and will be deprecated";
if (!ParseInt(args[1], &service_->swappiness_, 0)) {
return Error() << "swappiness value must be equal or greater than 0";
}
diff --git a/init/test_upgrade_mte/OWNERS b/init/test_upgrade_mte/OWNERS
index c95d3cf..a49d9ce 100644
--- a/init/test_upgrade_mte/OWNERS
+++ b/init/test_upgrade_mte/OWNERS
@@ -1,4 +1,3 @@
fmayer@google.com
-eugenis@google.com
pcc@google.com
diff --git a/libcutils/ashmem-dev.cpp b/libcutils/ashmem-dev.cpp
index adf7e37..768db81 100644
--- a/libcutils/ashmem-dev.cpp
+++ b/libcutils/ashmem-dev.cpp
@@ -120,8 +120,11 @@
// permissions of the buffer (i.e. they cannot be changed by fchmod()).
//
// MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING.
+ const char *test_buf_name = "test_android_memfd";
+ size_t buf_size = getpagesize();
+
android::base::unique_fd fd(
- syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_NOEXEC_SEAL));
+ syscall(__NR_memfd_create, test_buf_name, MFD_CLOEXEC | MFD_NOEXEC_SEAL));
if (fd == -1) {
ALOGE("memfd_create failed: %m, no memfd support");
return false;
@@ -132,13 +135,20 @@
return false;
}
+ if (ftruncate(fd, buf_size) == -1) {
+ ALOGE("ftruncate(%s, %zd) failed to set memfd buffer size: %m, no memfd support",
+ test_buf_name, buf_size);
+ return false;
+ }
+
/*
* Ensure that the kernel supports ashmem ioctl commands on memfds. If not,
* fall back to using ashmem.
*/
- if (TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_SET_SIZE, getpagesize())) < 0) {
- ALOGE("ioctl(ASHMEM_SET_SIZE, %d) failed: %m, no ashmem-memfd compat support",
- getpagesize());
+ int ashmem_size = TEMP_FAILURE_RETRY(ioctl(fd, ASHMEM_GET_SIZE, 0));
+ if (ashmem_size != static_cast<int>(buf_size)) {
+ ALOGE("ioctl(ASHMEM_GET_SIZE): %d != buf_size: %zd , no ashmem-memfd compat support",
+ ashmem_size, buf_size);
return false;
}
diff --git a/libgrallocusage/OWNERS b/libgrallocusage/OWNERS
index de2bf16..249dcb0 100644
--- a/libgrallocusage/OWNERS
+++ b/libgrallocusage/OWNERS
@@ -1,2 +1 @@
jreck@google.com
-lpy@google.com
diff --git a/libmodprobe/include/exthandler/exthandler.h b/libmodprobe/include/exthandler/exthandler.h
index 232aa95..a619f81 100644
--- a/libmodprobe/include/exthandler/exthandler.h
+++ b/libmodprobe/include/exthandler/exthandler.h
@@ -17,6 +17,7 @@
#pragma once
#include <android-base/result.h>
#include <string>
+#include <sys/types.h>
android::base::Result<std::string> RunExternalHandler(
const std::string& handler, uid_t uid, gid_t gid,
diff --git a/libprocessgroup/include/processgroup/processgroup.h b/libprocessgroup/include/processgroup/processgroup.h
index 98179e8..0aa14ba 100644
--- a/libprocessgroup/include/processgroup/processgroup.h
+++ b/libprocessgroup/include/processgroup/processgroup.h
@@ -79,6 +79,7 @@
// Set various properties of a process group. For these functions to work, the process group must
// have been created by passing memControl=true to createProcessGroup.
+[[deprecated("Unsupported in memcg v2")]]
bool setProcessGroupSwappiness(uid_t uid, pid_t initialPid, int swappiness);
bool setProcessGroupSoftLimit(uid_t uid, pid_t initialPid, int64_t softLimitInBytes);
bool setProcessGroupLimit(uid_t uid, pid_t initialPid, int64_t limitInBytes);
diff --git a/libstats/pull_rust/Android.bp b/libstats/pull_rust/Android.bp
index 2a8939e..ae00e75 100644
--- a/libstats/pull_rust/Android.bp
+++ b/libstats/pull_rust/Android.bp
@@ -24,7 +24,7 @@
crate_name: "statspull_bindgen",
visibility: [
"//frameworks/proto_logging/stats/stats_log_api_gen",
- "//packages/modules/Virtualization/libs/statslog_virtualization",
+ "//packages/modules:__subpackages__",
],
source_stem: "bindings",
bindgen_flags: [
diff --git a/libsystem/OWNERS b/libsystem/OWNERS
index 9bda04c..6c6fe1f 100644
--- a/libsystem/OWNERS
+++ b/libsystem/OWNERS
@@ -1,6 +1,5 @@
# graphics/composer
adyabr@google.com
-lpy@google.com
# camera
etalvala@google.com
diff --git a/libsysutils/src/NetlinkEvent.cpp b/libsysutils/src/NetlinkEvent.cpp
index 55bbe46..47586db 100644
--- a/libsysutils/src/NetlinkEvent.cpp
+++ b/libsysutils/src/NetlinkEvent.cpp
@@ -37,108 +37,44 @@
#include <sys/utsname.h>
#include <android-base/parseint.h>
-#include <bpf/KernelUtils.h>
#include <log/log.h>
#include <sysutils/NetlinkEvent.h>
using android::base::ParseInt;
-using android::bpf::isKernel64Bit;
-/* From kernel's net/netfilter/xt_quota2.c */
-const int LOCAL_QLOG_NL_EVENT = 112;
-const int LOCAL_NFLOG_PACKET = NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET;
+// 'long' on a 32-bit kernel is 32-bits with 32-bit alignment,
+// and on a 64-bit kernel is 64-bits with 64-bit alignment,
+// while 'long long' is always 64-bit it may have 32-bit aligment (x86 structs).
+typedef long long __attribute__((__aligned__(8))) long64;
+typedef unsigned long long __attribute__((__aligned__(8))) ulong64;
+static_assert(sizeof(long64) == 8);
+static_assert(sizeof(ulong64) == 8);
-/******************************************************************************
- * WARNING: HERE BE DRAGONS! *
- * *
- * This is here to provide for compatibility with both 32 and 64-bit kernels *
- * from 32-bit userspace. *
- * *
- * The kernel definition of this struct uses types (like long) that are not *
- * the same across 32-bit and 64-bit builds, and there is no compatibility *
- * layer to fix it up before it reaches userspace. *
- * As such we need to detect the bit-ness of the kernel and deal with it. *
- * *
- ******************************************************************************/
+// From kernel's net/netfilter/xt_quota2.c
+// It got there from deprecated ipt_ULOG.h to parse QLOG_NL_EVENT.
+constexpr int LOCAL_QLOG_NL_EVENT = 112;
+constexpr int LOCAL_NFLOG_PACKET = NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET;
-/*
- * This is the verbatim kernel declaration from net/netfilter/xt_quota2.c,
- * it is *NOT* of a well defined layout and is included here for compile
- * time assertions only.
- *
- * It got there from deprecated ipt_ULOG.h to parse QLOG_NL_EVENT.
- */
-#define ULOG_MAC_LEN 80
-#define ULOG_PREFIX_LEN 32
-typedef struct ulog_packet_msg {
- unsigned long mark;
- long timestamp_sec;
- long timestamp_usec;
+constexpr int ULOG_MAC_LEN = 80;
+constexpr int ULOG_PREFIX_LEN = 32;
+
+// This structure layout assumes we're running on a 64-bit kernel.
+typedef struct {
+ ulong64 mark; // kernel: unsigned long
+ long64 timestamp_sec; // kernel: long
+ long64 timestamp_usec; // kernel: long
unsigned int hook;
char indev_name[IFNAMSIZ];
char outdev_name[IFNAMSIZ];
- size_t data_len;
+ ulong64 data_len; // kernel: size_t, a.k.a. unsigned long
char prefix[ULOG_PREFIX_LEN];
unsigned char mac_len;
unsigned char mac[ULOG_MAC_LEN];
unsigned char payload[0];
} ulog_packet_msg_t;
-// On Linux int is always 32 bits, while sizeof(long) == sizeof(void*),
-// thus long on a 32-bit Linux kernel is 32-bits, like int always is
-typedef int long32;
-typedef unsigned int ulong32;
-static_assert(sizeof(long32) == 4);
-static_assert(sizeof(ulong32) == 4);
-
-// Here's the same structure definition with the assumption the kernel
-// is compiled for 32-bits.
-typedef struct {
- ulong32 mark;
- long32 timestamp_sec;
- long32 timestamp_usec;
- unsigned int hook;
- char indev_name[IFNAMSIZ];
- char outdev_name[IFNAMSIZ];
- ulong32 data_len;
- char prefix[ULOG_PREFIX_LEN];
- unsigned char mac_len;
- unsigned char mac[ULOG_MAC_LEN];
- unsigned char payload[0];
-} ulog_packet_msg32_t;
-
-// long on a 64-bit kernel is 64-bits with 64-bit alignment,
-// while long long is 64-bit but may have 32-bit aligment.
-typedef long long __attribute__((__aligned__(8))) long64;
-typedef unsigned long long __attribute__((__aligned__(8))) ulong64;
-static_assert(sizeof(long64) == 8);
-static_assert(sizeof(ulong64) == 8);
-
-// Here's the same structure definition with the assumption the kernel
-// is compiled for 64-bits.
-typedef struct {
- ulong64 mark;
- long64 timestamp_sec;
- long64 timestamp_usec;
- unsigned int hook;
- char indev_name[IFNAMSIZ];
- char outdev_name[IFNAMSIZ];
- ulong64 data_len;
- char prefix[ULOG_PREFIX_LEN];
- unsigned char mac_len;
- unsigned char mac[ULOG_MAC_LEN];
- unsigned char payload[0];
-} ulog_packet_msg64_t;
-
-// One expects the 32-bit version to be smaller than the 64-bit version.
-static_assert(sizeof(ulog_packet_msg32_t) < sizeof(ulog_packet_msg64_t));
-// And either way the 'native' version should match either the 32 or 64 bit one.
-static_assert(sizeof(ulog_packet_msg_t) == sizeof(ulog_packet_msg32_t) ||
- sizeof(ulog_packet_msg_t) == sizeof(ulog_packet_msg64_t));
-
-// In practice these sizes are always simply (for both x86 and arm):
-static_assert(sizeof(ulog_packet_msg32_t) == 168);
-static_assert(sizeof(ulog_packet_msg64_t) == 192);
+// In practice, for both x86 and arm, we have
+static_assert(sizeof(ulog_packet_msg_t) == 192);
/******************************************************************************/
@@ -356,20 +292,11 @@
* Parse a QLOG_NL_EVENT message.
*/
bool NetlinkEvent::parseUlogPacketMessage(const struct nlmsghdr *nh) {
- const char* alert;
- const char* devname;
+ ulog_packet_msg_t* pm = (ulog_packet_msg_t*)NLMSG_DATA(nh);
+ if (!checkRtNetlinkLength(nh, sizeof(*pm))) return false;
- if (isKernel64Bit()) {
- ulog_packet_msg64_t* pm64 = (ulog_packet_msg64_t*)NLMSG_DATA(nh);
- if (!checkRtNetlinkLength(nh, sizeof(*pm64))) return false;
- alert = pm64->prefix;
- devname = pm64->indev_name[0] ? pm64->indev_name : pm64->outdev_name;
- } else {
- ulog_packet_msg32_t* pm32 = (ulog_packet_msg32_t*)NLMSG_DATA(nh);
- if (!checkRtNetlinkLength(nh, sizeof(*pm32))) return false;
- alert = pm32->prefix;
- devname = pm32->indev_name[0] ? pm32->indev_name : pm32->outdev_name;
- }
+ const char* alert = pm->prefix;
+ const char* devname = pm->indev_name[0] ? pm->indev_name : pm->outdev_name;
asprintf(&mParams[0], "ALERT_NAME=%s", alert);
asprintf(&mParams[1], "INTERFACE=%s", devname);
diff --git a/libsysutils/src/OWNERS b/libsysutils/src/OWNERS
index c65a40d..3244fe8 100644
--- a/libsysutils/src/OWNERS
+++ b/libsysutils/src/OWNERS
@@ -1,2 +1,2 @@
-per-file OWNERS,Netlink* = codewiz@google.com, jchalard@google.com, lorenzo@google.com, satk@google.com
+per-file OWNERS,Netlink* = jchalard@google.com, lorenzo@google.com, maze@google.com, satk@google.com
diff --git a/libutils/binder/RefBase.cpp b/libutils/binder/RefBase.cpp
index 4291f1e..bf803e7 100644
--- a/libutils/binder/RefBase.cpp
+++ b/libutils/binder/RefBase.cpp
@@ -492,7 +492,10 @@
#if PRINT_REFS
ALOGD("decStrong of %p from %p: cnt=%d\n", this, id, c);
#endif
- LOG_ALWAYS_FATAL_IF(BAD_STRONG(c), "decStrong() called on %p too many times",
+ LOG_ALWAYS_FATAL_IF(
+ BAD_STRONG(c),
+ "decStrong() called on %p too many times, possible memory corruption. Consider "
+ "compiling with ANDROID_UTILS_REF_BASE_DISABLE_IMPLICIT_CONSTRUCTION for better errors",
refs);
if (c == 1) {
std::atomic_thread_fence(std::memory_order_acquire);
@@ -576,7 +579,10 @@
weakref_impl* const impl = static_cast<weakref_impl*>(this);
impl->removeWeakRef(id);
const int32_t c = impl->mWeak.fetch_sub(1, std::memory_order_release);
- LOG_ALWAYS_FATAL_IF(BAD_WEAK(c), "decWeak called on %p too many times",
+ LOG_ALWAYS_FATAL_IF(
+ BAD_WEAK(c),
+ "decWeak called on %p too many times, possible memory corruption. Consider compiling "
+ "with ANDROID_UTILS_REF_BASE_DISABLE_IMPLICIT_CONSTRUCTION for better errors",
this);
if (c != 1) return;
atomic_thread_fence(std::memory_order_acquire);
diff --git a/libutils/binder/RefBase_test.cpp b/libutils/binder/RefBase_test.cpp
index 65d40a2..36d1a4a 100644
--- a/libutils/binder/RefBase_test.cpp
+++ b/libutils/binder/RefBase_test.cpp
@@ -265,6 +265,37 @@
delete foo;
}
+TEST(RefBase, NoStrongCountPromoteFromWeak) {
+ bool isDeleted;
+ Foo* foo = new Foo(&isDeleted);
+
+ wp<Foo> weakFoo = wp<Foo>(foo);
+
+ EXPECT_FALSE(isDeleted);
+
+ {
+ sp<Foo> strongFoo = weakFoo.promote();
+ EXPECT_EQ(strongFoo, foo);
+ }
+
+ // this shows the justification of wp<>::fromExisting.
+ // if you construct a wp<>, for instance in a constructor, and it is
+ // accidentally promoted, that promoted sp<> will exclusively own
+ // the object. If that happens during the initialization of the
+ // object or in this scope, as you can see 'Foo* foo' is unowned,
+ // then we are left with a deleted object, and we could not put it
+ // into an sp<>.
+ //
+ // Consider the other implementation, where we disallow promoting
+ // a wp<> if there are no strong counts. If we return null, then
+ // the object would be unpromotable even though it hasn't been deleted.
+ // This is also errorprone.
+ //
+ // attemptIncStrong aborting in this case is a backwards incompatible
+ // change due to frequent use of wp<T>(this) in the constructor.
+ EXPECT_TRUE(isDeleted);
+}
+
TEST(RefBase, DoubleOwnershipDeath) {
bool isDeleted;
auto foo = sp<Foo>::make(&isDeleted);
diff --git a/llkd/OWNERS b/llkd/OWNERS
index b6af537..b15bb48 100644
--- a/llkd/OWNERS
+++ b/llkd/OWNERS
@@ -1,2 +1 @@
-salyzyn@google.com
surenb@google.com
diff --git a/overlay_remounter/Android.bp b/overlay_remounter/Android.bp
new file mode 100644
index 0000000..d74f7da
--- /dev/null
+++ b/overlay_remounter/Android.bp
@@ -0,0 +1,34 @@
+//
+// Copyright (C) 2025 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+cc_binary {
+ name: "overlay_remounter",
+ srcs: [
+ "overlay_remounter.cpp",
+ ],
+ cflags: [
+ "-D_FILE_OFFSET_BITS=64",
+ "-Wall",
+ "-Werror",
+ ],
+ static_libs: [
+ "libbase",
+ "liblog",
+ ],
+ system_shared_libs: [],
+ static_executable: true,
+ install_in_xbin: true,
+}
diff --git a/overlay_remounter/overlay_remounter.cpp b/overlay_remounter/overlay_remounter.cpp
new file mode 100644
index 0000000..ddf97fa
--- /dev/null
+++ b/overlay_remounter/overlay_remounter.cpp
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <sys/mount.h>
+#include <unistd.h>
+
+#include <android-base/file.h>
+#include <android-base/logging.h>
+#include <android-base/strings.h>
+
+int main(int /*argc*/, char** argv) {
+ android::base::InitLogging(argv, &android::base::KernelLogger);
+ LOG(INFO) << "Overlay remounter will remount all overlay mount points in the overlay_remounter "
+ "domain";
+
+ // Remount ouerlayfs
+ std::string contents;
+ auto result = android::base::ReadFileToString("/proc/mounts", &contents, true);
+
+ auto lines = android::base::Split(contents, "\n");
+ for (auto const& line : lines) {
+ if (!android::base::StartsWith(line, "overlay")) {
+ continue;
+ }
+ auto bits = android::base::Split(line, " ");
+ if (int result = umount(bits[1].c_str()); result == -1) {
+ PLOG(FATAL) << "umount FAILED: " << bits[1];
+ }
+ std::string options;
+ for (auto const& option : android::base::Split(bits[3], ",")) {
+ if (option == "ro" || option == "seclabel" || option == "noatime") continue;
+ if (!options.empty()) options += ',';
+ options += option;
+ }
+ result = mount("overlay", bits[1].c_str(), "overlay", MS_RDONLY | MS_NOATIME,
+ options.c_str());
+ if (result == 0) {
+ LOG(INFO) << "mount succeeded: " << bits[1] << " " << options;
+ } else {
+ PLOG(FATAL) << "mount FAILED: " << bits[1] << " " << bits[3];
+ }
+ }
+
+ const char* path = "/system/bin/init";
+ const char* args[] = {path, "second_stage", nullptr};
+ execv(path, const_cast<char**>(args));
+
+ // execv() only returns if an error happened, in which case we
+ // panic and never return from this function.
+ PLOG(FATAL) << "execv(\"" << path << "\") failed";
+
+ return 1;
+}
diff --git a/rootdir/init.rc b/rootdir/init.rc
index f1670ae..734197b 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -902,7 +902,7 @@
mkdir /data/system/users 0775 system system
# Mkdir and set SELinux security contexts for shutdown-checkpoints.
# TODO(b/270286197): remove these after couple releases.
- mkdir /data/system/shutdown-checkpoints 0700 system system
+ mkdir /data/system/shutdown-checkpoints 0755 system system
restorecon_recursive /data/system/shutdown-checkpoints
# Create the parent directories of the user CE and DE storage directories.
diff --git a/storaged/OWNERS b/storaged/OWNERS
index d033f00..9e70e7d 100644
--- a/storaged/OWNERS
+++ b/storaged/OWNERS
@@ -1,2 +1 @@
-salyzyn@google.com
dvander@google.com
diff --git a/toolbox/modprobe.cpp b/toolbox/modprobe.cpp
index 13026ac..fe49ec8 100644
--- a/toolbox/modprobe.cpp
+++ b/toolbox/modprobe.cpp
@@ -23,6 +23,7 @@
#include <android-base/file.h>
#include <android-base/logging.h>
+#include <android-base/macros.h>
#include <android-base/strings.h>
#include <android-base/stringprintf.h>
#include <modprobe/modprobe.h>
@@ -88,6 +89,17 @@
static bool ModDirMatchesKernelPageSize(const char* mod_dir) {
static const unsigned int kernel_pgsize_kb = getpagesize() / 1024;
+ unsigned int mod_pgsize_kb = 16; // 16k default since android15-6.6
+
+ if (mod_dir && strstr(mod_dir, "-4k") != NULL) {
+ mod_pgsize_kb = 4;
+ }
+
+ return kernel_pgsize_kb == mod_pgsize_kb;
+}
+
+static bool ModDirMatchesKernelPageSizeLegacy(const char* mod_dir) {
+ static const unsigned int kernel_pgsize_kb = getpagesize() / 1024;
const char* mod_sfx = strrchr(mod_dir, '_');
unsigned int mod_pgsize_kb;
int mod_sfx_len;
@@ -102,7 +114,7 @@
// Find directories in format of "/lib/modules/x.y.z-*".
static int KernelVersionNameFilter(const dirent* de) {
- unsigned int major, minor;
+ static unsigned int major, minor;
static std::string kernel_version;
utsname uts;
@@ -115,7 +127,20 @@
}
if (android::base::StartsWith(de->d_name, kernel_version)) {
- return ModDirMatchesKernelPageSize(de->d_name);
+ // Check for GKI to avoid breaking non-GKI Android devices.
+ if (UNLIKELY(strstr(de->d_name, "-android") == NULL)) {
+ // For non-GKI, just match when the major and minor versions match.
+ return 1;
+ }
+
+ // For android15-6.6 and later, GKI adds `-4k` to the UTS release
+ // string to identify 4kb page size kernels. If there is no page size
+ // suffix, then the kernel page size is 16kb.
+ if (major > 6 || (major == 6 && minor >= 6)) {
+ return ModDirMatchesKernelPageSize(de->d_name);
+ } else {
+ return ModDirMatchesKernelPageSizeLegacy(de->d_name);
+ }
}
return 0;
}
diff --git a/trusty/fuzz/tipc_fuzzer.cpp b/trusty/fuzz/tipc_fuzzer.cpp
index d5e23e0..f9f6c8c 100644
--- a/trusty/fuzz/tipc_fuzzer.cpp
+++ b/trusty/fuzz/tipc_fuzzer.cpp
@@ -97,48 +97,47 @@
static_assert(MAX_CONNECTIONS >= 1);
// Either
- // 1. Add a new TA and connect.
- // 2. Remove a TA.
- // 3. Send a random message to a random TA.
+ // 1. (20%) Add a new TA and connect.
+ // 2. (20%) Remove a TA.
+ // 3. (60%) Send a random message to a random TA.
+ auto add_ta = [&]() {
+ if (trustyApps.size() >= MAX_CONNECTIONS) {
+ return;
+ }
+ auto& ta = trustyApps.emplace_back(TIPC_DEV, TRUSTY_APP_PORT);
+ abortResult(ta.Connect());
+ };
+ auto remove_ta = [&]() {
+ if (trustyApps.empty()) {
+ return;
+ }
+ trustyApps.pop_back();
+ };
+ auto send_message = [&]() {
+ if (trustyApps.empty()) {
+ return;
+ }
+
+ // Choose a random TA.
+ const auto i = provider.ConsumeIntegralInRange<size_t>(0, trustyApps.size() - 1);
+ std::swap(trustyApps[i], trustyApps.back());
+ auto& ta = trustyApps.back();
+
+ // Send a random message.
+ const auto data = provider.ConsumeRandomLengthString();
+ abortResult(ta.Write(data.data(), data.size()));
+
+ std::array<uint8_t, TIPC_MAX_MSG_SIZE> buf;
+ abortResult(ta.Read(buf.data(), buf.size()));
+
+ // Reconnect to ensure that the service is still up.
+ ta.Disconnect();
+ abortResult(ta.Connect());
+ };
const std::function<void()> options[] = {
- // Add a new TA and connect.
- [&]() {
- if (trustyApps.size() >= MAX_CONNECTIONS) {
- return;
- }
- auto& ta = trustyApps.emplace_back(TIPC_DEV, TRUSTY_APP_PORT);
- abortResult(ta.Connect());
- },
- // Remove a TA.
- [&]() {
- if (trustyApps.empty()) {
- return;
- }
- trustyApps.pop_back();
- },
- // Send a random message to a random TA.
- [&]() {
- if (trustyApps.empty()) {
- return;
- }
-
- // Choose a random TA.
- const auto i =
- provider.ConsumeIntegralInRange<size_t>(0, trustyApps.size() - 1);
- std::swap(trustyApps[i], trustyApps.back());
- auto& ta = trustyApps.back();
-
- // Send a random message.
- const auto data = provider.ConsumeRandomLengthString();
- abortResult(ta.Write(data.data(), data.size()));
-
- std::array<uint8_t, TIPC_MAX_MSG_SIZE> buf;
- abortResult(ta.Read(buf.data(), buf.size()));
-
- // Reconnect to ensure that the service is still up.
- ta.Disconnect();
- abortResult(ta.Connect());
- },
+ add_ta, // 1x: 20%
+ remove_ta, // 1x: 20%
+ send_message, send_message, send_message, // 3x: 60%
};
provider.PickValueInArray(options)();
diff --git a/trusty/keymaster/Android.bp b/trusty/keymaster/Android.bp
index 8ebfc1a..31187f5 100644
--- a/trusty/keymaster/Android.bp
+++ b/trusty/keymaster/Android.bp
@@ -80,13 +80,9 @@
vintf_fragments: ["4.0/android.hardware.keymaster@4.0-service.trusty.xml"],
}
-cc_binary {
- name: "android.hardware.security.keymint-service.trusty",
+cc_defaults {
+ name: "android.hardware.security.keymint-service.trusty.defaults",
relative_install_path: "hw",
- init_rc: ["keymint/android.hardware.security.keymint-service.trusty.rc"],
- vintf_fragments: [
- "keymint/android.hardware.security.keymint-service.trusty.xml",
- ],
vendor: true,
cflags: [
"-Wall",
@@ -120,10 +116,38 @@
"libtrusty",
"libutils",
],
- required: select(release_flag("RELEASE_AIDL_USE_UNFROZEN"), {
- true: ["android.hardware.hardware_keystore.xml"],
- default: ["android.hardware.hardware_keystore_V3.xml"],
- }),
+}
+
+// keymint hal binary for keymint in Trusty TEE prebuilt
+cc_binary {
+ name: "android.hardware.security.keymint-service.trusty",
+ defaults: ["android.hardware.security.keymint-service.trusty.defaults"],
+ init_rc: ["keymint/android.hardware.security.keymint-service.trusty.rc"],
+ vintf_fragments: [
+ "keymint/android.hardware.security.keymint-service.trusty.xml",
+ ],
+ required: ["android.hardware.hardware_keystore.xml"],
+}
+
+// Keymint hal service in vendor, enabled by vendor apex.
+// This service is disabled by default and does not package a VINTF fragment.
+// This service can be enabled at boot via vendor apex:
+// - at boot, mount a vendor apex for module `com.android.hardware.keymint`
+// - have the vendor init.rc file enable the service when the associated
+// apex is selected
+// - have the vendor apex package the vintf fragment and the required permissions
+cc_binary {
+ name: "android.hardware.security.keymint-service.trusty_tee.cpp",
+ defaults: ["android.hardware.security.keymint-service.trusty.defaults"],
+ init_rc: ["keymint/android.hardware.security.keymint-service.trusty_tee.cpp.rc"],
+}
+
+// vintf fragment packaged in vendor apex
+prebuilt_etc {
+ name: "android.hardware.security.keymint-service.trusty.xml",
+ sub_dir: "vintf",
+ vendor: true,
+ src: "keymint/android.hardware.security.keymint-service.trusty.xml",
}
prebuilt_etc {
diff --git a/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty_tee.cpp.rc b/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty_tee.cpp.rc
new file mode 100644
index 0000000..61ae8ae
--- /dev/null
+++ b/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty_tee.cpp.rc
@@ -0,0 +1,11 @@
+# service started when selecting `com.android.hardware.keymint.trusty_tee.cpp` vendor apex
+service vendor.keymint-service.trusty_tee.cpp \
+ /vendor/bin/hw/android.hardware.security.keymint-service.trusty_tee.cpp \
+ --dev ${ro.hardware.trusty_ipc_dev.keymint:-/dev/trusty-ipc-dev0}
+ disabled
+ class early_hal
+ user nobody
+ group drmrpc
+ # The keymint service is not allowed to restart.
+ # If it crashes, a device restart is required.
+ oneshot
diff --git a/trusty/keymint/Android.bp b/trusty/keymint/Android.bp
index 36efb1b..80e58f9 100644
--- a/trusty/keymint/Android.bp
+++ b/trusty/keymint/Android.bp
@@ -36,25 +36,67 @@
prefer_rlib: true,
}
+// keymint hal binary for keymint in Trusty TEE (legacy approach not using apex)
rust_binary {
name: "android.hardware.security.keymint-service.rust.trusty",
vendor: true,
defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],
vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],
- required: select(release_flag("RELEASE_AIDL_USE_UNFROZEN"), {
- true: ["android.hardware.hardware_keystore.xml"],
- default: ["android.hardware.hardware_keystore_V3.xml"],
- }),
+ required: ["android.hardware.hardware_keystore.xml"],
}
+// Keymint hal service in vendor, enabled by vendor apex.
+// This service is disabled by default and does not package a VINTF fragment.
+// This service can be enabled at boot via vendor apex:
+// - at boot, mount a vendor apex for module `com.android.hardware.keymint`
+// - have the vendor apex init.rc file to start the service when the apex is selected
+// - have the vendor apex package the vintf fragment
rust_binary {
- name: "android.hardware.security.keymint-service.rust.trusty.system.nonsecure",
- system_ext_specific: true,
+ name: "android.hardware.security.keymint-service.trusty_tee",
+ vendor: true,
defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
- init_rc: ["android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc"],
- features: ["nonsecure"],
+ init_rc: ["android.hardware.security.keymint-service.trusty_tee.rc"],
+ features: select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
+ true: ["nonsecure"],
+ default: [],
+ }),
rustlibs: [
"libkmr_hal_nonsecure",
],
}
+
+// Keymint hal service in system_ext, interacting with the Trusty Security VM.
+// This service is disabled by default and does not package a VINTF fragment.
+// This service can be enabled at boot via vendor apex:
+// - at boot, mount a vendor apex for module `com.android.hardware.keymint`
+// - have the vendor apex init.rc file to start the service when the apex is selected
+// - have the vendor apex package the vintf fragment
+rust_binary {
+ name: "android.hardware.security.keymint-service.trusty_system_vm",
+ system_ext_specific: true,
+ defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
+ init_rc: ["android.hardware.security.keymint-service.trusty_system_vm.rc"],
+ features: select(soong_config_variable("trusty_system_vm", "placeholder_trusted_hal"), {
+ true: ["nonsecure"],
+ default: [],
+ }),
+ rustlibs: [
+ "libkmr_hal_nonsecure",
+ ],
+}
+
+// vintf fragment packaged in vendor apex
+prebuilt_etc {
+ name: "android.hardware.security.keymint-service.rust.trusty.xml",
+ sub_dir: "vintf",
+ vendor: true,
+ src: "android.hardware.security.keymint-service.rust.trusty.xml",
+}
+
+prebuilt_etc {
+ name: "android.hardware.security.keymint-service.trusty_system_vm.xml",
+ sub_dir: "vintf",
+ vendor: true,
+ src: "android.hardware.security.keymint-service.trusty_system_vm.xml",
+}
diff --git a/trusty/keymint/android.hardware.hardware_keystore.rust.trusty-keymint.xml b/trusty/keymint/android.hardware.hardware_keystore.rust.trusty-keymint.xml
deleted file mode 100644
index cd656b2..0000000
--- a/trusty/keymint/android.hardware.hardware_keystore.rust.trusty-keymint.xml
+++ /dev/null
@@ -1,18 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Copyright 2021 The Android Open Source Project
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
--->
-<permissions>
- <feature name="android.hardware.hardware_keystore" version="300" />
-</permissions>
diff --git a/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc b/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
deleted file mode 100644
index e580651..0000000
--- a/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
+++ /dev/null
@@ -1,17 +0,0 @@
-service system.keymint.rust-trusty.nonsecure \
- /system_ext/bin/hw/android.hardware.security.keymint-service.rust.trusty.system.nonsecure \
- --dev ${system.keymint.trusty_ipc_dev:-/dev/trusty-ipc-dev0}
- disabled
- user nobody
- group drmrpc
- # The keymint service is not allowed to restart.
- # If it crashes, a device restart is required.
- oneshot
-
-# Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled
-# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM
-# has a mechanism to notify the host.
-on late-fs && property:trusty.security_vm.keymint.enabled=1 && \
- property:trusty.security_vm.vm_cid=*
- setprop system.keymint.trusty_ipc_dev VSOCK:${trusty.security_vm.vm_cid}:1
- start system.keymint.rust-trusty.nonsecure
diff --git a/trusty/keymint/android.hardware.security.keymint-service.trusty_system_vm.rc b/trusty/keymint/android.hardware.security.keymint-service.trusty_system_vm.rc
new file mode 100644
index 0000000..2e8ad00
--- /dev/null
+++ b/trusty/keymint/android.hardware.security.keymint-service.trusty_system_vm.rc
@@ -0,0 +1,17 @@
+# service started when selecting `com.android.hardware.keymint.trusty_system_vm` vendor apex
+service system.keymint-service.trusty_system_vm \
+ /system_ext/bin/hw/android.hardware.security.keymint-service.trusty_system_vm \
+ --dev ${system.keymint.trusty_ipc_dev}
+ disabled
+ user nobody
+ group drmrpc
+ # The keymint service is not allowed to restart.
+ # If it crashes, a device restart is required.
+ oneshot
+
+# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM
+# has a mechanism to notify the host.
+on post-fs && property:trusty.security_vm.keymint.enabled=1 && \
+ property:trusty.security_vm.vm_cid=*
+ setprop system.keymint.trusty_ipc_dev VSOCK:${trusty.security_vm.vm_cid}:1
+ start system.keymint-service.trusty_system_vm
diff --git a/trusty/keymint/android.hardware.security.keymint-service.trusty_system_vm.xml b/trusty/keymint/android.hardware.security.keymint-service.trusty_system_vm.xml
new file mode 100644
index 0000000..c35c843
--- /dev/null
+++ b/trusty/keymint/android.hardware.security.keymint-service.trusty_system_vm.xml
@@ -0,0 +1,20 @@
+<manifest version="1.0" type="device">
+ <hal format="aidl" updatable-via-system="true">
+ <name>android.hardware.security.keymint</name>
+ <version>4</version>
+ <fqname>IKeyMintDevice/default</fqname>
+ </hal>
+ <hal format="aidl" updatable-via-system="true">
+ <name>android.hardware.security.secureclock</name>
+ <fqname>ISecureClock/default</fqname>
+ </hal>
+ <hal format="aidl" updatable-via-system="true">
+ <name>android.hardware.security.sharedsecret</name>
+ <fqname>ISharedSecret/default</fqname>
+ </hal>
+ <hal format="aidl" updatable-via-system="true">
+ <name>android.hardware.security.keymint</name>
+ <version>3</version>
+ <fqname>IRemotelyProvisionedComponent/default</fqname>
+ </hal>
+</manifest>
diff --git a/trusty/keymint/android.hardware.security.keymint-service.trusty_tee.rc b/trusty/keymint/android.hardware.security.keymint-service.trusty_tee.rc
new file mode 100644
index 0000000..694c9ce
--- /dev/null
+++ b/trusty/keymint/android.hardware.security.keymint-service.trusty_tee.rc
@@ -0,0 +1,11 @@
+# service started when selecting `com.android.hardware.keymint.trusty_tee` vendor apex
+service vendor.keymint-service.trusty_tee \
+ /vendor/bin/hw/android.hardware.security.keymint-service.trusty_tee \
+ --dev ${ro.hardware.trusty_ipc_dev.keymint:-/dev/trusty-ipc-dev0}
+ disabled
+ class early_hal
+ user nobody
+ group drmrpc
+ # The keymint service is not allowed to restart.
+ # If it crashes, a device restart is required.
+ oneshot
diff --git a/trusty/keymint/trusty-keymint-apex.mk b/trusty/keymint/trusty-keymint-apex.mk
new file mode 100644
index 0000000..7c44fbc
--- /dev/null
+++ b/trusty/keymint/trusty-keymint-apex.mk
@@ -0,0 +1,29 @@
+#
+# Copyright (C) 2024 The Android Open-Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+#
+# This makefile should be included by devices that choose to integrate
+# Keymint HAL via vendor apex
+
+PRODUCT_PACKAGES += \
+ android.hardware.security.keymint-service.trusty_tee.cpp \
+ android.hardware.security.keymint-service.trusty_tee \
+
+ifeq ($(findstring enabled, $(TRUSTY_SYSTEM_VM)),enabled)
+ PRODUCT_PACKAGES += \
+ android.hardware.security.keymint-service.trusty_system_vm \
+
+endif
diff --git a/trusty/keymint/trusty-keymint.mk b/trusty/keymint/trusty-keymint.mk
index d5791ea..43cc186 100644
--- a/trusty/keymint/trusty-keymint.mk
+++ b/trusty/keymint/trusty-keymint.mk
@@ -21,19 +21,14 @@
# Allow KeyMint HAL service implementation selection at build time. This must be
# synchronized with the TA implementation included in Trusty. Possible values:
#
-# - Rust implementation for Trusty VM (requires Trusty VM support):
+# - Rust implementation for Trusty TEE
# export TRUSTY_KEYMINT_IMPL=rust
-# export TRUSTY_SYSTEM_VM=nonsecure
-# - Rust implementation for Trusty TEE (no Trusty VM support):
-# export TRUSTY_KEYMINT_IMPL=rust
-# - C++ implementation (default): (any other value or unset TRUSTY_KEYMINT_IMPL)
+# - C++ implementation (default):
+# any other value or unset TRUSTY_KEYMINT_IMPL
ifeq ($(TRUSTY_KEYMINT_IMPL),rust)
- ifeq ($(TRUSTY_SYSTEM_VM),nonsecure)
- LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty.system.nonsecure
- else
- LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty
- endif
+ LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.rust.trusty
+
else
# Default to the C++ implementation
LOCAL_KEYMINT_PRODUCT_PACKAGE := android.hardware.security.keymint-service.trusty
diff --git a/trusty/trusty-base.mk b/trusty/trusty-base.mk
index 9d810dc..fcde61d 100644
--- a/trusty/trusty-base.mk
+++ b/trusty/trusty-base.mk
@@ -22,7 +22,13 @@
# For gatekeeper, we include the generic -service and -impl to use legacy
# HAL loading of gatekeeper.trusty.
-$(call inherit-product, system/core/trusty/keymint/trusty-keymint.mk)
+ifeq ($(KEYMINT_HAL_VENDOR_APEX_SELECT),true)
+ $(call inherit-product, system/core/trusty/keymint/trusty-keymint-apex.mk)
+
+else
+ $(call inherit-product, system/core/trusty/keymint/trusty-keymint.mk)
+
+endif
ifeq ($(SECRETKEEPER_ENABLED),true)
LOCAL_SECRETKEEPER_PRODUCT_PACKAGE := android.hardware.security.secretkeeper.trusty
diff --git a/trusty/trusty-storage.mk b/trusty/trusty-storage.mk
index 3f26316..d2bc0b1 100644
--- a/trusty/trusty-storage.mk
+++ b/trusty/trusty-storage.mk
@@ -14,5 +14,30 @@
# limitations under the License.
#
+#
+# Trusty TEE packages
+#
+
+# below statement adds the singleton storage daemon in vendor,
+# storageproxyd vendor interacts with the Secure Storage TA in the
+# Trustzone Trusty TEE
PRODUCT_PACKAGES += \
storageproxyd \
+
+#
+# Trusty VM packages
+#
+ifeq ($(TRUSTY_SYSTEM_VM),enabled_with_placeholder_trusted_hal)
+
+# with placeholder Trusted HALs, the Trusty VMs are standalone (i.e. they don't access
+# remote Trusted HAL services) and thus require their own secure storage.
+# (one secure storage emulation for each Trusty VM - security VM, test VM and WV VM)
+# in secure mode, the secure storage is the services by Trusty in Trustzone
+# and requires a single storageproxyd in vendor.
+PRODUCT_PACKAGES += \
+ storageproxyd.system \
+ rpmb_dev.test.system \
+ rpmb_dev.system \
+ rpmb_dev.wv.system \
+
+endif