From c0b820e056b515b090bad0b564872e92101891bc Mon Sep 17 00:00:00 2001
From: Dennis Song
Date: Fri, 30 Aug 2024 03:08:27 +0000
Subject: [PATCH 1/4] Explicitly set user root for the gs_watchdogd service. Otherwise host_init_verifier would fail.
Bug: 362447627
Test: Treehugger
Flag: EXEMPT bugfix
Change-Id: I36a3a67dc357f608b33a131a4e5f6fd6defb91e5
---
 gs_watchdogd/init.gs_watchdogd.rc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/gs_watchdogd/init.gs_watchdogd.rc b/gs_watchdogd/init.gs_watchdogd.rc
index 23d5fb2..ba3354f 100644
--- a/gs_watchdogd/init.gs_watchdogd.rc
+++ b/gs_watchdogd/init.gs_watchdogd.rc
@@ -1,5 +1,6 @@
 # Pet watchdog timer every half of its timeout period.
 service gs_watchdogd /system_ext/bin/gs_watchdogd
+ user root
 class core
 oneshot
 seclabel u:r:gs_watchdogd:s0
From 15ed5c639e471c2c0a49709ec8bb989821eb62e4 Mon Sep 17 00:00:00 2001
From: Tommy Chiu
Date: Thu, 29 Aug 2024 07:06:10 +0000
Subject: [PATCH 2/4] Move PRODUCT_COPY_FILES from each board>device-vendor.mk here We used to put the firmware copy logic in dedicated device-vendor.mk files for each platform. This approach is difficult to maintain and unnecessary since we always want to deploy the latest firmware. Propose a better approach for handling firmware copy logic.
Flag: EXEMPT refactor
Bug: 359071523
Test: Build pass
Change-Id: I4169353b9f8f16b82eb0e4ebf2a884f46e1a5f8b
---
 dauntless/gsc.mk | 72 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
diff --git a/dauntless/gsc.mk b/dauntless/gsc.mk
index 188d9f9..c1cf0e0 100644
--- a/dauntless/gsc.mk
+++ b/dauntless/gsc.mk
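Review bot: The added `user root` line in gs_watchdogd/init.gs_watchdogd.rc names the user but sets neither a `group` nor a `capabilities` list, so the service keeps whatever init grants a root service by default. If the daemon only has to hold the watchdog device open, follow it with an explicit `group root` and a `capabilities` line listing just what it needs; whether the binary still works with a reduced set cannot be told from this hunk and would need checking on a device. The existing `seclabel u:r:gs_watchdogd:s0` line already confines the process by SELinux domain, so the capability bound would be a second layer rather than the only one. The same one-line change is made in patch 4/4 against the other copy of this file, and the point applies there as well.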
@@ -20,4 +20,76 @@ PRODUCT_PACKAGES_DEBUG += citadel_integration_tests \
 nugget_targeted_tests \
 CitadelProvision \
 nugget_aidl_test_weaver
+
+# Assign default value for RELEASE_GOOGLE_DAUNTLESS_DIR if no trunk flags support
+RELEASE_GOOGLE_DAUNTLESS_DIR ?= vendor/google_nos/prebuilts/dauntless
+
+# The production Dauntless firmware will be of flavors evt and d3m2.
+# There are also several flavors of pre-release chips. Each flavor
+# (production and pre-release) requires the firmware to be signed differently.
+DAUNTLESS_FIRMWARE_SIZE := 1048576
+
+# The nearly-production Dauntless chips are "proto1.1"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin))
+$(error GSC firmware size check fail)
 endif
+PRODUCT_COPY_FILES += \
+ $(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/proto11.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/proto11.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# The production Dauntless chips are "evt"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin))
+$(error GSC firmware size check fail)
+endif
+PRODUCT_COPY_FILES += \
+ $(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/evt.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/evt.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# New 2023 production Dauntless chips are "d3m2"
+ifneq (,$(wildcard $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin))
+$(error GSC firmware size check fail)
+endif
+PRODUCT_COPY_FILES += \
+ $(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/dauntless/d3m2.ec.bin
+$(call dist-for-goals,droid,$(RELEASE_GOOGLE_DAUNTLESS_DIR)/d3m2.ec.bin)
+else
+$(error GSC firmware not found in $(RELEASE_GOOGLE_DAUNTLESS_DIR))
+endif
+
+# Intermediate image artifacts are published, but aren't included in /vendor/firmware/dauntless
+# in PRODUCT_COPY_FILES
+# This is because intermediate images aren't needed on user devices, but the published artifact
+# is useful for flashstation purposes.
+
+# proto11 chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/proto11_intermediate.ec.bin)
+endif
+# evt chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/evt_intermediate.ec.bin)
+endif
+# d3m2 chips need an intermediate image prior to upgrading to newever versions of the firmware
+ifneq (,$(wildcard vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin))
+ifneq ($(DAUNTLESS_FIRMWARE_SIZE), $(shell stat -c "%s" vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin))
+$(error GSC firmware size check fail)
+endif
+$(call dist-for-goals,droid,vendor/google_nos/prebuilts/dauntless/intermediate_images/d3m2_intermediate.ec.bin)
+endif
+
+endif # $(wildcard vendor)
From d6d4a779e50154d892f1f3d35107cbbe3396c3a5 Mon Sep 17 00:00:00 2001
From: Martin Liu
Date: Fri, 30 Aug 2024 06:14:04 +0000
Subject: [PATCH 3/4] Move compaction_proactiveness to vendor sepolicy Move compaction_proactiveness sepolicy from the system to vendor since it breaks other vendors.
Bug: 361985704
Test: check knob value
Flag: NONE sepolicy doesn't support flag
Change-Id: I14cff8dfe4e143995b9011cd34a1e7d74613ae33
Signed-off-by: Martin Liu
---
 performance/sepolicy/file.te | 6 ++++++
 performance/sepolicy/genfs_contexts | 1 +
 performance/sepolicy/vendor_init.te | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/performance/sepolicy/file.te b/performance/sepolicy/file.te
index 8e16bbf..e79f9b2 100644
--- a/performance/sepolicy/file.te
+++ b/performance/sepolicy/file.te
@@ -1,2 +1,8 @@
+# proactive kill
 type sysfs_pakills, fs_type, sysfs_type;
+
+# bts dump
 type vendor_bts_debugfs, fs_type, debugfs_type;
+
+# proc_compaction_proactiveness type
+type proc_compaction_proactiveness, fs_type, proc_type;
diff --git a/performance/sepolicy/genfs_contexts b/performance/sepolicy/genfs_contexts
index 041021c..57e3634 100644
--- a/performance/sepolicy/genfs_contexts
+++ b/performance/sepolicy/genfs_contexts
@@ -1,3 +1,4 @@
 genfscon proc /sys/kernel/sched_pelt_multiplier u:object_r:proc_sched:s0
 genfscon sysfs /kernel/vendor_mm/pa_kill u:object_r:sysfs_pakills:s0
 genfscon debugfs /bts u:object_r:vendor_bts_debugfs:s0
+genfscon proc /sys/vm/compaction_proactiveness u:object_r:proc_compaction_proactiveness:s0
diff --git a/performance/sepolicy/vendor_init.te b/performance/sepolicy/vendor_init.te
index fefecb1..188984f 100644
--- a/performance/sepolicy/vendor_init.te
+++ b/performance/sepolicy/vendor_init.te
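Review bot: The three intermediate-image blocks at the end of the dauntless/gsc.mk hunk use the literal path `vendor/google_nos/prebuilts/dauntless/intermediate_images/` instead of `$(RELEASE_GOOGLE_DAUNTLESS_DIR)`, so a release configuration that points the variable at another firmware drop would still dist intermediate images from the default tree. Unless that split is intended, use `$(RELEASE_GOOGLE_DAUNTLESS_DIR)/intermediate_images/proto11_intermediate.ec.bin` (and likewise for evt and d3m2) in the `wildcard`, `stat` and `dist-for-goals` lines. The comparison against `DAUNTLESS_FIRMWARE_SIZE` only rejects a file of the wrong length and says nothing about which flavor or signature the image carries, so a comment such as `# Sanity check only: catches truncated or padded images, not a wrong or unsigned one.` above the constant would keep it from being read as an integrity gate. The closing `endif # $(wildcard vendor)` pairs with a conditional opened above the hunk.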
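Review bot: The type added in performance/sepolicy/file.te, `proc_compaction_proactiveness`, is declared in vendor policy without a `vendor_` prefix, and apparently under the name it carried in system policy before this move. If a platform policy this is built against still declares that type or labels `/proc/sys/vm/compaction_proactiveness` itself, the vendor declaration would collide with it; `vendor_bts_debugfs` in the same hunk already shows the prefixed form. Consider `type vendor_proc_compaction_proactiveness, fs_type, proc_type;`, with the same label in the genfs_contexts hunk and `allow vendor_init vendor_proc_compaction_proactiveness:file w_file_perms;` in the vendor_init.te hunk. Whether any platform branch still carries the old type cannot be seen from this patch, so confirm that before choosing.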
@@ -1,3 +1,3 @@
 # MM
 allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms;
-
+allow vendor_init proc_compaction_proactiveness:file w_file_perms;
From f25cb6895f06d89bbbbeb5d7f8bf77e5d1dc89c8 Mon Sep 17 00:00:00 2001
From: Dennis Song
Date: Fri, 30 Aug 2024 03:08:27 +0000
Subject: [PATCH 4/4] Explicitly set user root for the gs_watchdogd service. Otherwise host_init_verifier would fail.
Bug: 362447627
Test: Treehugger
Merged-In: I36a3a67dc357f608b33a131a4e5f6fd6defb91e5
Change-Id: I36a3a67dc357f608b33a131a4e5f6fd6defb91e5
---
 gs_watchdogd/init.gs_watchdogd.rc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/gs_watchdogd/init.gs_watchdogd.rc b/gs_watchdogd/init.gs_watchdogd.rc
index f58ce50..a7ef505 100644
--- a/gs_watchdogd/init.gs_watchdogd.rc
+++ b/gs_watchdogd/init.gs_watchdogd.rc
@@ -1,5 +1,6 @@
 # Set watchdog timer to 30 seconds and pet it every 10 seconds to get a 20 second margin
 service gs_watchdogd /system_ext/bin/gs_watchdogd 10 20
+ user root
 class core
 oneshot
 seclabel u:r:gs_watchdogd:s0