Merge "Use the new 'partition' field in 'ApexInfo' to identify vendor apexes" into main
diff --git a/debuggerd/handler/debuggerd_handler.cpp b/debuggerd/handler/debuggerd_handler.cpp
index ddc3244..88278ca 100644
--- a/debuggerd/handler/debuggerd_handler.cpp
+++ b/debuggerd/handler/debuggerd_handler.cpp
@@ -389,6 +389,13 @@
return kDebuggerdTombstoneProto;
}
+static const char* get_unwind_type(const debugger_thread_info* thread_info) {
+ if (thread_info->siginfo->si_signo == BIONIC_SIGNAL_DEBUGGER) {
+ return "Unwind request";
+ }
+ return "Crash due to signal";
+}
+
static int debuggerd_dispatch_pseudothread(void* arg) {
debugger_thread_info* thread_info = static_cast<debugger_thread_info*>(arg);
@@ -502,8 +509,8 @@
execle(CRASH_DUMP_PATH, CRASH_DUMP_NAME, main_tid, pseudothread_tid, debuggerd_dump_type,
nullptr, nullptr);
- async_safe_format_log(ANDROID_LOG_FATAL, "libc", "failed to exec crash_dump helper: %s",
- strerror(errno));
+ async_safe_format_log(ANDROID_LOG_FATAL, "libc", "%s: failed to exec crash_dump helper: %s",
+ get_unwind_type(thread_info), strerror(errno));
return 1;
}
@@ -524,26 +531,30 @@
} else {
// Something went wrong, log it.
if (rc == -1) {
- async_safe_format_log(ANDROID_LOG_FATAL, "libc", "read of IPC pipe failed: %s",
- strerror(errno));
+ async_safe_format_log(ANDROID_LOG_FATAL, "libc", "%s: read of IPC pipe failed: %s",
+ get_unwind_type(thread_info), strerror(errno));
} else if (rc == 0) {
async_safe_format_log(ANDROID_LOG_FATAL, "libc",
- "crash_dump helper failed to exec, or was killed");
+ "%s: crash_dump helper failed to exec, or was killed",
+ get_unwind_type(thread_info));
} else if (rc != 1) {
async_safe_format_log(ANDROID_LOG_FATAL, "libc",
- "read of IPC pipe returned unexpected value: %zd", rc);
+ "%s: read of IPC pipe returned unexpected value: %zd",
+ get_unwind_type(thread_info), rc);
} else if (buf[0] != '\1') {
- async_safe_format_log(ANDROID_LOG_FATAL, "libc", "crash_dump helper reported failure");
+ async_safe_format_log(ANDROID_LOG_FATAL, "libc", "%s: crash_dump helper reported failure",
+ get_unwind_type(thread_info));
}
}
// Don't leave a zombie child.
int status;
if (TEMP_FAILURE_RETRY(waitpid(crash_dump_pid, &status, 0)) == -1) {
- async_safe_format_log(ANDROID_LOG_FATAL, "libc", "failed to wait for crash_dump helper: %s",
- strerror(errno));
+ async_safe_format_log(ANDROID_LOG_FATAL, "libc", "%s: failed to wait for crash_dump helper: %s",
+ get_unwind_type(thread_info), strerror(errno));
} else if (WIFSTOPPED(status) || WIFSIGNALED(status)) {
- async_safe_format_log(ANDROID_LOG_FATAL, "libc", "crash_dump helper crashed or stopped");
+ async_safe_format_log(ANDROID_LOG_FATAL, "libc", "%s: crash_dump helper crashed or stopped",
+ get_unwind_type(thread_info));
}
if (success) {
diff --git a/debuggerd/libdebuggerd/test/mte_stack_record_test.cpp b/debuggerd/libdebuggerd/test/mte_stack_record_test.cpp
index 4b788f3..bcda0ca 100644
--- a/debuggerd/libdebuggerd/test/mte_stack_record_test.cpp
+++ b/debuggerd/libdebuggerd/test/mte_stack_record_test.cpp
@@ -26,6 +26,8 @@
#include "unwindstack/Memory.h"
#include <android-base/test_utils.h>
+#include <procinfo/process_map.h>
+
#include "gtest/gtest.h"
#include "libdebuggerd/tombstone.h"
@@ -82,6 +84,33 @@
EXPECT_EQ(e.tag(), 1ULL);
}
+static std::optional<android::procinfo::MapInfo> FindMapping(void* data) {
+ std::optional<android::procinfo::MapInfo> result;
+ android::procinfo::ReadMapFile(
+ "/proc/self/maps", [&result, data](const android::procinfo::MapInfo& info) {
+ auto data_int = reinterpret_cast<uint64_t>(data) & ((1ULL << 56ULL) - 1ULL);
+ if (info.start <= data_int && data_int < info.end) {
+ result = info;
+ }
+ });
+ return result;
+}
+
+TEST_P(MteStackHistoryTest, TestFree) {
+ int size_cls = GetParam();
+ size_t size = stack_mte_ringbuffer_size(size_cls);
+ void* data = stack_mte_ringbuffer_allocate(size_cls, nullptr);
+ EXPECT_EQ(stack_mte_ringbuffer_size_from_pointer(reinterpret_cast<uintptr_t>(data)), size);
+ auto before = FindMapping(data);
+ ASSERT_TRUE(before.has_value());
+ EXPECT_EQ(before->end - before->start, size);
+ stack_mte_free_ringbuffer(reinterpret_cast<uintptr_t>(data));
+ for (size_t i = 0; i < size; i += page_size()) {
+ auto after = FindMapping(static_cast<char*>(data) + i);
+ EXPECT_TRUE(!after.has_value() || after->name != before->name);
+ }
+}
+
TEST_P(MteStackHistoryTest, TestEmpty) {
int size_cls = GetParam();
size_t size = stack_mte_ringbuffer_size(size_cls);
diff --git a/fastboot/Android.bp b/fastboot/Android.bp
index b61fbd4..d3e0581 100644
--- a/fastboot/Android.bp
+++ b/fastboot/Android.bp
@@ -201,7 +201,6 @@
"update_metadata-protos",
"liburing",
],
- include_dirs: ["bionic/libc/kernel"],
header_libs: [
"avb_headers",
diff --git a/fs_mgr/fs_mgr.cpp b/fs_mgr/fs_mgr.cpp
index e4d6986..9f52f44 100644
--- a/fs_mgr/fs_mgr.cpp
+++ b/fs_mgr/fs_mgr.cpp
@@ -822,9 +822,6 @@
if (read_only) {
mountflags |= MS_RDONLY;
}
- if (!fs_mgr_set_blk_ro(source, read_only)) {
- PLOG(ERROR) << "Failed to set " << source << " as " << (read_only ? "RO" : "RW");
- }
int ret = 0;
int save_errno = 0;
int gc_allowance = 0;
@@ -879,6 +876,9 @@
}
PINFO << __FUNCTION__ << "(source=" << source << source_missing << ",target=" << target
<< target_missing << ",type=" << entry.fs_type << ")=" << ret;
+ if ((ret == 0) && (mountflags & MS_RDONLY) != 0) {
+ fs_mgr_set_blk_ro(source);
+ }
if (ret == 0) {
android::base::SetProperty("ro.boottime.init.mount." + Basename(target),
std::to_string(t.duration().count()));
diff --git a/fs_mgr/libsnapshot/libsnapshot_cow/test_v2.cpp b/fs_mgr/libsnapshot/libsnapshot_cow/test_v2.cpp
index ce80cd7..b7bc2c8 100644
--- a/fs_mgr/libsnapshot/libsnapshot_cow/test_v2.cpp
+++ b/fs_mgr/libsnapshot/libsnapshot_cow/test_v2.cpp
@@ -1487,7 +1487,7 @@
writer = std::make_unique<CowWriterV2>(options, GetCowFd());
ASSERT_TRUE(writer->Initialize());
ASSERT_TRUE(writer->AddCopy(2, 1));
- ASSERT_TRUE(writer->AddXorBlocks(3, &data, data.size(), 1, 1));
+ ASSERT_TRUE(writer->AddXorBlocks(3, data.data(), data.size(), 1, 1));
ASSERT_TRUE(writer->Finalize());
ASSERT_TRUE(reader.Parse(cow_->fd));
ASSERT_FALSE(reader.VerifyMergeOps());
diff --git a/fs_mgr/libsnapshot/snapuserd/Android.bp b/fs_mgr/libsnapshot/snapuserd/Android.bp
index 97cfe76..639116e 100644
--- a/fs_mgr/libsnapshot/snapuserd/Android.bp
+++ b/fs_mgr/libsnapshot/snapuserd/Android.bp
@@ -89,7 +89,6 @@
"libprocessgroup_util",
"libjsoncpp",
],
- include_dirs: ["bionic/libc/kernel"],
export_include_dirs: ["include"],
header_libs: [
"libcutils_headers",
@@ -144,7 +143,6 @@
"libstorage_literals_headers",
],
- include_dirs: ["bionic/libc/kernel"],
system_shared_libs: [],
// snapuserd is started during early boot by first-stage init. At that
@@ -226,7 +224,6 @@
"libz",
],
include_dirs: [
- "bionic/libc/kernel",
".",
],
header_libs: [
@@ -324,7 +321,6 @@
"libz",
],
include_dirs: [
- "bionic/libc/kernel",
".",
],
header_libs: [
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp b/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp
index 486548c..a0c5c66 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp
@@ -582,7 +582,6 @@
pthread_setname_np(pthread_self(), "MergeWorker");
if (!snapuserd_->WaitForMergeBegin()) {
- SNAP_LOG(ERROR) << "Merge terminated early...";
return true;
}
auto merge_thread_priority = android::base::GetUintProperty<uint32_t>(
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_readahead.cpp b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_readahead.cpp
index 9a1d441..3007d45 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_readahead.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_readahead.cpp
@@ -702,7 +702,7 @@
// window. If there is a crash during this time frame, merge should resume
// based on the contents of the scratch space.
if (!snapuserd_->WaitForMergeReady()) {
- SNAP_LOG(ERROR) << "ReadAhead failed to wait for merge ready";
+ SNAP_LOG(VERBOSE) << "ReadAhead failed to wait for merge ready";
return false;
}
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_transitions.cpp b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_transitions.cpp
index 2ad4ea1..714c641 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_transitions.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_transitions.cpp
@@ -202,7 +202,7 @@
cv.wait(lock, [this]() -> bool { return MergeInitiated() || IsMergeBeginError(io_state_); });
if (IsMergeBeginError(io_state_)) {
- SNAP_LOG(ERROR) << "WaitForMergeBegin failed with state: " << io_state_;
+ SNAP_LOG(VERBOSE) << "WaitForMergeBegin failed with state: " << io_state_;
return false;
}
@@ -276,7 +276,9 @@
if (io_state_ == MERGE_IO_TRANSITION::MERGE_FAILED ||
io_state_ == MERGE_IO_TRANSITION::MERGE_COMPLETE ||
io_state_ == MERGE_IO_TRANSITION::IO_TERMINATED) {
- SNAP_LOG(ERROR) << "Wait for merge ready failed: " << io_state_;
+ if (io_state_ == MERGE_IO_TRANSITION::MERGE_FAILED) {
+ SNAP_LOG(ERROR) << "Wait for merge ready failed: " << io_state_;
+ }
return false;
}
return true;
diff --git a/init/devices.cpp b/init/devices.cpp
index 2cdecec..fafa58f 100644
--- a/init/devices.cpp
+++ b/init/devices.cpp
@@ -193,9 +193,11 @@
BlockDeviceInfo info;
if (!boot_part_uuid_.empty()) {
- // Only use the more specific "MMC" or "SCSI" match if a partition UUID
- // was passed. Old bootloaders that aren't passing the partition UUID
- // instead pass the path to the closest "platform" device. It would
+ // Only use the more specific "MMC" / "NVME" / "SCSI" match if a
+ // partition UUID was passed.
+ //
+ // Old bootloaders that aren't passing the partition UUID instead
+ // pass the path to the closest "platform" device. It would
// break them if we chose this deeper (more specific) path.
//
// When we have a UUID we _want_ the more specific path since it can
@@ -204,6 +206,8 @@
// classify them both the same by using the path to the USB controller.
if (FindMmcDevice(uevent_path, &info.str)) {
info.type = "mmc";
+ } else if (FindNvmeDevice(uevent_path, &info.str)) {
+ info.type = "nvme";
} else if (FindScsiDevice(uevent_path, &info.str)) {
info.type = "scsi";
}
@@ -325,6 +329,14 @@
return FindSubsystemDevice(path, mmc_device_path, subsystem_paths);
}
+bool DeviceHandler::FindNvmeDevice(const std::string& path, std::string* nvme_device_path) const {
+ const std::set<std::string> subsystem_paths = {
+ sysfs_mount_point_ + "/class/nvme",
+ };
+
+ return FindSubsystemDevice(path, nvme_device_path, subsystem_paths);
+}
+
bool DeviceHandler::FindScsiDevice(const std::string& path, std::string* scsi_device_path) const {
const std::set<std::string> subsystem_paths = {
sysfs_mount_point_ + "/bus/scsi",
diff --git a/init/devices.h b/init/devices.h
index 67a3d00..b8f8e54 100644
--- a/init/devices.h
+++ b/init/devices.h
@@ -151,6 +151,7 @@
const std::set<std::string>& subsystem_paths) const;
bool FindPlatformDevice(const std::string& path, std::string* platform_device_path) const;
bool FindMmcDevice(const std::string& path, std::string* mmc_device_path) const;
+ bool FindNvmeDevice(const std::string& path, std::string* nvme_device_path) const;
bool FindScsiDevice(const std::string& path, std::string* scsi_device_path) const;
std::tuple<mode_t, uid_t, gid_t> GetDevicePermissions(
const std::string& path, const std::vector<std::string>& links) const;
diff --git a/init/selinux.cpp b/init/selinux.cpp
index c2d9b8d..5ced0b8 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -190,6 +190,22 @@
return true;
}
+int GetVendorGenfsVersion() {
+ std::string line;
+ if (!ReadFirstLine("/vendor/etc/selinux/genfs_labels_version.txt", &line)) {
+ PLOG(ERROR) << "Failed to read /vendor/etc/selinux/genfs_labels_version.txt; assuming it's "
+ "202404";
+ return 202404;
+ }
+ int version;
+ if (!ParseInt(line, &version)) {
+ PLOG(ERROR) << "Failed to parse the genfs labels version " << line
+ << "; assuming it's 202404";
+ return 202404;
+ }
+ return version;
+}
+
constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";
bool IsSplitPolicyDevice() {
@@ -324,6 +340,15 @@
}
const std::string version_as_string = std::to_string(SEPOLICY_VERSION);
+ std::vector<std::string> genfs_cil_files;
+
+ int vendor_genfs_version = GetVendorGenfsVersion();
+ std::string genfs_cil_file =
+ std::format("/system/etc/selinux/plat_sepolicy_genfs_{}.cil", vendor_genfs_version);
+ if (access(genfs_cil_file.c_str(), F_OK) != 0) {
+ genfs_cil_file.clear();
+ }
+
// clang-format off
std::vector<const char*> compile_args {
"/system/bin/secilc",
@@ -364,6 +389,9 @@
if (!odm_policy_cil_file.empty()) {
compile_args.push_back(odm_policy_cil_file.c_str());
}
+ if (!genfs_cil_file.empty()) {
+ compile_args.push_back(genfs_cil_file.c_str());
+ }
compile_args.push_back(nullptr);
if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args.data())) {
diff --git a/init/test_upgrade_mte/OWNERS b/init/test_upgrade_mte/OWNERS
index 79625df..c95d3cf 100644
--- a/init/test_upgrade_mte/OWNERS
+++ b/init/test_upgrade_mte/OWNERS
@@ -1,5 +1,4 @@
fmayer@google.com
eugenis@google.com
-mitchp@google.com
pcc@google.com
diff --git a/libprocessgroup/cgrouprc_format/Android.bp b/libprocessgroup/cgrouprc_format/Android.bp
deleted file mode 100644
index 6f9ab3e..0000000
--- a/libprocessgroup/cgrouprc_format/Android.bp
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright (C) 2019 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package {
- default_applicable_licenses: ["Android-Apache-2.0"],
-}
-
-cc_library_static {
- name: "libcgrouprc_format",
- host_supported: true,
- ramdisk_available: true,
- vendor_ramdisk_available: true,
- recovery_available: true,
- native_bridge_supported: true,
-}
diff --git a/libprocessgroup/profiles/task_profiles.json b/libprocessgroup/profiles/task_profiles.json
index feda3b4..28902ef 100644
--- a/libprocessgroup/profiles/task_profiles.json
+++ b/libprocessgroup/profiles/task_profiles.json
@@ -203,6 +203,19 @@
]
},
{
+ "Name": "RealTimeInputScheduling",
+ "Actions": [
+ {
+ "Name": "SetSchedulerPolicy",
+ "Params":
+ {
+ "Policy": "SCHED_FIFO",
+ "Priority": "2"
+ }
+ }
+ ]
+ },
+ {
"Name": "CameraServicePerformance",
"Actions": [
{
@@ -704,7 +717,7 @@
},
{
"Name": "InputPolicy",
- "Profiles": [ "MaxPerformance", "ProcessCapacityMax", "TimerSlackNormal" ]
+ "Profiles": [ "RealTimeInputScheduling", "MaxPerformance", "ProcessCapacityMax", "TimerSlackNormal" ]
}
]
}
diff --git a/libvendorsupport/Android.bp b/libvendorsupport/Android.bp
index a22737c..f9a889b 100644
--- a/libvendorsupport/Android.bp
+++ b/libvendorsupport/Android.bp
@@ -35,32 +35,3 @@
"libbase",
],
}
-
-cc_library_headers {
- name: "libvendorsupport_llndk_headers",
- host_supported: true,
- vendor_available: true,
- recovery_available: true,
- ramdisk_available: true,
- vendor_ramdisk_available: true,
- native_bridge_supported: true,
-
- export_include_dirs: ["include_llndk"],
- llndk: {
- llndk_headers: true,
- },
-
- apex_available: [
- "//apex_available:platform",
- "//apex_available:anyapex",
- ],
- min_sdk_version: "apex_inherit",
-
- system_shared_libs: [],
- stl: "none",
-
- // This header library is used for libc and must be available to any sdk
- // versions.
- // Setting sdk_version to the lowest version allows the dependencies.
- sdk_version: "1",
-}
diff --git a/libvendorsupport/include_llndk/android/llndk-versioning.h b/libvendorsupport/include_llndk/android/llndk-versioning.h
deleted file mode 100644
index 81d165f..0000000
--- a/libvendorsupport/include_llndk/android/llndk-versioning.h
+++ /dev/null
@@ -1,45 +0,0 @@
-// Copyright (C) 2024 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#pragma once
-
-// LLNDK (https://source.android.com/docs/core/architecture/vndk/build-system#ll-ndk) is similar to
-// NDK, but uses its own versioning of YYYYMM format for vendor builds. The LLNDK symbols are
-// enabled when the vendor api level is equal to or newer than the ro.board.api_level. These symbols
-// must be annotated in map.txt files with the `# llndk=YYYYMM` annotation. They also must be marked
-// with `__INTRODUCED_IN_LLNDK(YYYYMM)` in the header files. It leaves a no-op annotation for ABI
-// analysis.
-#if !defined(__INTRODUCED_IN_LLNDK)
-#define __INTRODUCED_IN_LLNDK(vendor_api_level) \
- __attribute__((annotate("introduced_in_llndk=" #vendor_api_level)))
-#endif
-
-#if defined(__ANDROID_VENDOR_API__)
-// __ANDROID_VENDOR_API__ is defined only for vendor or product variant modules.
-// Use this macro as an `if` statement to call an API that are available to both NDK and LLNDK.
-// This returns true for vendor or product modules if the vendor_api_level is less than or equal to
-// the ro.board.api_level.
-#define API_LEVEL_AT_LEAST(sdk_api_level, vendor_api_level) \
- constexpr(__ANDROID_VENDOR_API__ >= vendor_api_level)
-
-#else // __ANDROID_VENDOR_API__
-
-// For non-vendor modules, API_LEVEL_AT_LEAST is replaced with __builtin_available(sdk_api_level) to
-// guard the API for __INTRODUCED_IN.
-#if !defined(API_LEVEL_AT_LEAST)
-#define API_LEVEL_AT_LEAST(sdk_api_level, vendor_api_level) \
- (__builtin_available(android sdk_api_level, *))
-#endif
-
-#endif // __ANDROID_VENDOR_API__
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 5bb64cc..617e60a 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -614,6 +614,9 @@
mkdir /metadata/aconfig/boot 0775 root system
mkdir /metadata/aconfig_test_missions 0775 root system
+
+ # See flag enable_system_aconfigd_rust, which toggles these processes.
+ exec_start system_aconfigd_platform_init
exec_start aconfigd-platform-init
on late-fs
@@ -1002,7 +1005,16 @@
# Wait for apexd to finish activating APEXes before starting more processes.
wait_for_prop apexd.status activated
perform_apex_config
+
+ # See flag enable_system_aconfigd_rust, which toggles these processes.
exec_start aconfigd-mainline-init
+ exec_start system_aconfigd_mainline_init
+
+ # system_aconfigd_socket_service is replacing aconfigd:
+ # - A flag (enable_system_aconfigd_rust) toggles which socket executes.
+ # - When enabled, aconfigd is a no-op, system_aconfigd_socket_service executes.
+ # - Conversely, when disabled, aconfigd executes, and system_aconfigd_socket_service is a no-op.
+ start system_aconfigd_socket_service
start aconfigd
# Create directories for boot animation.
diff --git a/trusty/keymaster/Android.bp b/trusty/keymaster/Android.bp
index cb07829..5a1e420 100644
--- a/trusty/keymaster/Android.bp
+++ b/trusty/keymaster/Android.bp
@@ -121,7 +121,7 @@
"libutils",
],
required: [
- "android.hardware.hardware_keystore.xml",
+ "android.hardware.hardware_keystore_V3.xml",
],
}
diff --git a/trusty/keymint/Android.bp b/trusty/keymint/Android.bp
index 5cdd381..36efb1b 100644
--- a/trusty/keymint/Android.bp
+++ b/trusty/keymint/Android.bp
@@ -42,9 +42,10 @@
defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],
vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],
- required: [
- "android.hardware.hardware_keystore.xml",
- ],
+ required: select(release_flag("RELEASE_AIDL_USE_UNFROZEN"), {
+ true: ["android.hardware.hardware_keystore.xml"],
+ default: ["android.hardware.hardware_keystore_V3.xml"],
+ }),
}
rust_binary {
diff --git a/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc b/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
index ca6132e..410e10a 100644
--- a/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
+++ b/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
@@ -11,7 +11,7 @@
# Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled
# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM
# has a mechanism to notify the host.
-on late-fs && property:ro.hardware.security.keymint.trusty.system=1 && \
+on late-fs && property:ro.hardware.trusty.security_vm.keymint.enabled=1 && \
property:trusty.security_vm.vm_cid=*
setprop system.keymint.trusty_ipc_dev VSOCK:${trusty.security_vm.vm_cid}:1
start system.keymint.rust-trusty.nonsecure
diff --git a/trusty/utils/rpmb_dev/Android.bp b/trusty/utils/rpmb_dev/Android.bp
index 13f151d..ef23cc5 100644
--- a/trusty/utils/rpmb_dev/Android.bp
+++ b/trusty/utils/rpmb_dev/Android.bp
@@ -49,3 +49,12 @@
"rpmb_dev.system.rc",
],
}
+
+cc_binary {
+ name: "rpmb_dev.wv.system",
+ defaults: ["rpmb_dev.cc_defaults"],
+ system_ext_specific: true,
+ init_rc: [
+ "rpmb_dev.wv.system.rc",
+ ],
+}
diff --git a/trusty/utils/rpmb_dev/rpmb_dev.wv.system.rc b/trusty/utils/rpmb_dev/rpmb_dev.wv.system.rc
new file mode 100644
index 0000000..3e7f8b4
--- /dev/null
+++ b/trusty/utils/rpmb_dev/rpmb_dev.wv.system.rc
@@ -0,0 +1,62 @@
+service storageproxyd_wv_system /system_ext/bin/storageproxyd.system \
+ -d ${storageproxyd_wv_system.trusty_ipc_dev:-/dev/trusty-ipc-dev0} \
+ -r /dev/socket/rpmb_mock_wv_system \
+ -p /data/secure_storage_wv_system \
+ -t sock
+ disabled
+ class hal
+ user system
+ group system
+
+service rpmb_mock_init_wv_system /system_ext/bin/rpmb_dev.wv.system \
+ --dev /mnt/secure_storage_rpmb_wv_system/persist/RPMB_DATA --init --size 2048
+ disabled
+ user system
+ group system
+ oneshot
+
+service rpmb_mock_wv_system /system_ext/bin/rpmb_dev.wv.system \
+ --dev /mnt/secure_storage_rpmb_wv_system/persist/RPMB_DATA \
+ --sock rpmb_mock_wv_system
+ disabled
+ user system
+ group system
+ socket rpmb_mock_wv_system stream 660 system system
+
+# storageproxyd
+on boot && \
+ property:trusty.widevine_vm.nonsecure_vm_ready=1 && \
+ property:storageproxyd_wv_system.trusty_ipc_dev=*
+ wait /dev/socket/rpmb_mock_wv_system
+ enable storageproxyd_wv_system
+
+
+# RPMB Mock
+on early-boot && \
+ property:ro.hardware.security.trusty.widevine_vm.system=1 && \
+ property:trusty.widevine_vm.vm_cid=* && \
+ property:ro.boot.vendor.apex.com.android.services.widevine=\
+com.android.services.widevine.cf_guest_trusty_nonsecure
+ # Create a persistent location for the RPMB data
+ # (work around lack of RPMb block device on CF).
+ # file contexts secure_storage_rpmb_system_file
+ # (only used on Cuttlefish as this is non secure)
+ mkdir /metadata/secure_storage_rpmb_wv_system 0770 system system
+ mkdir /mnt/secure_storage_rpmb_wv_system 0770 system system
+ symlink /metadata/secure_storage_rpmb_wv_system \
+ /mnt/secure_storage_rpmb_wv_system/persist
+ # Create a system persist directory in /metadata
+ # (work around lack of dedicated system persist partition).
+ # file contexts secure_storage_persist_system_file
+ mkdir /metadata/secure_storage_persist_wv_system 0770 system system
+ mkdir /mnt/secure_storage_persist_wv_system 0770 system system
+ symlink /metadata/secure_storage_persist_wv_system \
+ /mnt/secure_storage_persist_wv_system/persist
+ # file contexts secure_storage_system_file
+ mkdir /data/secure_storage_wv_system 0770 root system
+ symlink /mnt/secure_storage_persist_wv_system/persist \
+ /data/secure_storage_wv_system/persist
+ chown root system /data/secure_storage_wv_system/persist
+ setprop storageproxyd_wv_system.trusty_ipc_dev VSOCK:${trusty.widevine_vm.vm_cid}:1
+ exec_start rpmb_mock_init_wv_system
+ start rpmb_mock_wv_system