From c542bcfd03907eb04aed5094348b8984c9199ef4 Mon Sep 17 00:00:00 2001 From: Kelvin Zhang Date: Tue, 14 May 2024 10:01:03 -0700 Subject: [PATCH 1/2] Split zuma fstab into two files Common fstab entries(everything but /metadata and /data) are moved to a separate fstab file. This allows us to create an ext4 variant of the same fstab later. Test: device boots Bug: 339337171 Change-Id: I3129551c98b14473c776f2cf3dee1b81fc0c84b3 --- conf/Android.bp | 20 ++++++++++++++++---- conf/{fstab.zuma.in => fstab.zuma.common} | 4 ---- conf/fstab.zuma.f2fs | 10 ++++++++++ 3 files changed, 26 insertions(+), 8 deletions(-) rename conf/{fstab.zuma.in => fstab.zuma.common} (69%) create mode 100644 conf/fstab.zuma.f2fs diff --git a/conf/Android.bp b/conf/Android.bp index 58f11f32..8bc835dd 100644 --- a/conf/Android.bp +++ b/conf/Android.bp @@ -35,7 +35,10 @@ package { genrule { name: "gen_fstab.zuma-hw-encrypt", - srcs: ["fstab.zuma.in"], + srcs: [ + "fstab.zuma.common", + "fstab.zuma.f2fs", + ], out: ["fstab.zuma"], cmd: "sed -e s/@fileencryption@/fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0/" + " -e s/@inlinecrypt@/inlinecrypt/ " + @@ -44,7 +47,10 @@ genrule { genrule { name: "gen_fstab.zuma-sw-encrypt", - srcs: ["fstab.zuma.in"], + srcs: [ + "fstab.zuma.common", + "fstab.zuma.f2fs", + ], out: ["fstab.zuma"], cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts:aes-256-hctr2/" + " -e s/@inlinecrypt@// " + @@ -53,7 +59,10 @@ genrule { genrule { name: "gen_fstab.zuma-no-encrypt", - srcs: ["fstab.zuma.in"], + srcs: [ + "fstab.zuma.common", + "fstab.zuma.f2fs", + ], out: ["fstab.zuma"], cmd: "sed -e s/@fileencryption@//" + " -e s/@inlinecrypt@// " + @@ -62,7 +71,10 @@ genrule { genrule { name: "gen_fstab.zuma-fips", - srcs: ["fstab.zuma.in"], + srcs: [ + "fstab.zuma.common", + "fstab.zuma.f2fs", + ], out: ["fstab.zuma-fips"], cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts/" + " -e s/@inlinecrypt@/inlinecrypt/ " + 
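Review bot: Nothing in the four genrules records that the order of `srcs` is now significant. If the command still feeds `$(in)` to `sed` (the tail of each `cmd` is outside these hunks), the two files are concatenated in the listed order, so swapping the entries would put the /data and /metadata lines ahead of the common ones. The header carried in fstab.zuma.f2fs asks for the filesystem that holds the checker to come before entries that use `check`, which presumably only holds while `fstab.zuma.common` stays first. I would add above each list in `gen_fstab.zuma-hw-encrypt`, `-sw-encrypt`, `-no-encrypt` and `-fips`: `// Order matters: the inputs are concatenated as listed; fstab.zuma.common must stay first.`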
diff --git a/conf/fstab.zuma.in b/conf/fstab.zuma.common similarity index 69% rename from conf/fstab.zuma.in rename to conf/fstab.zuma.common index 903bfe47..a5521b74 100644 --- a/conf/fstab.zuma.in +++ b/conf/fstab.zuma.common @@ -15,10 +15,6 @@ vendor_dlkm /vendor_dlkm /dev/block/platform/13200000.ufs/by-name/boot /boot emmc defaults slotselect,avb=boot,first_stage_mount /dev/block/platform/13200000.ufs/by-name/init_boot /init_boot emmc defaults slotselect,avb=init_boot,first_stage_mount /dev/block/platform/13200000.ufs/by-name/misc /misc emmc defaults wait -/dev/block/platform/13200000.ufs/by-name/metadata /metadata f2fs noatime,nosuid,nodev,sync wait,check,formattable,first_stage_mount -/dev/block/platform/13200000.ufs/by-name/metadata /metadata ext4 noatime,nosuid,nodev,data=journal,commit=1 wait,check,first_stage_mount,metadata_csum #/dev/block/platform/13200000.ufs/by-name/pvmfw /pvmfw emmc defaults wait,slotselect,avb=pvmfw,first_stage_mount -/dev/block/platform/13200000.ufs/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,compress_extension=apk,compress_extension=so,compress_extension=vdex,compress_extension=odex,@inlinecrypt@,atgc,checkpoint_merge,compress_cache latemount,wait,check,quota,formattable,sysfs_path=/dev/sys/block/bootdevice,checkpoint=fs,reservedsize=128M,fscompress,readahead_size_kb=128,@fileencryption@,@metadata_encryption@,keydirectory=/metadata/vold/metadata_encryption,device=zoned:/dev/block/by-name/zoned_device -/dev/block/platform/13200000.ufs/by-name/userdata /data ext4 noatime,nosuid,nodev,@inlinecrypt@ latemount,wait,check,quota,reservedsize=128M,readahead_size_kb=128,@fileencryption@,@metadata_encryption@,keydirectory=/metadata/vold/metadata_encryption /dev/block/platform/13200000.ufs/by-name/vbmeta /vbmeta emmc defaults slotselect,first_stage_mount /devices/platform/11210000.usb* auto vfat defaults voldmanaged=usb:auto 
diff --git a/conf/fstab.zuma.f2fs b/conf/fstab.zuma.f2fs
new file mode 100644
index 00000000..10b82262
--- /dev/null
+++ b/conf/fstab.zuma.f2fs
@@ -0,0 +1,10 @@
+# Android fstab file.
+#
+# The filesystem that contains the filesystem checker binary (typically /system) cannot
+# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
+#
+#
+/dev/block/platform/13200000.ufs/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,compress_extension=apk,compress_extension=so,compress_extension=vdex,compress_extension=odex,@inlinecrypt@,atgc,checkpoint_merge,compress_cache latemount,wait,check,quota,formattable,sysfs_path=/dev/sys/block/bootdevice,checkpoint=fs,reservedsize=128M,fscompress,readahead_size_kb=128,@fileencryption@,@metadata_encryption@,keydirectory=/metadata/vold/metadata_encryption,device=zoned:/dev/block/by-name/zoned_device
+/dev/block/platform/13200000.ufs/by-name/userdata /data ext4 noatime,nosuid,nodev,@inlinecrypt@ latemount,wait,check,quota,reservedsize=128M,readahead_size_kb=128,@fileencryption@,@metadata_encryption@,keydirectory=/metadata/vold/metadata_encryption
+/dev/block/platform/13200000.ufs/by-name/metadata /metadata f2fs noatime,nosuid,nodev,sync wait,check,formattable,first_stage_mount
+/dev/block/platform/13200000.ufs/by-name/metadata /metadata ext4 noatime,nosuid,nodev,data=journal,commit=1 wait,check,first_stage_mount,metadata_csum
From 5a679bbf762a36eb15e69b2780b887cafdb87c3e Mon Sep 17 00:00:00 2001
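Review bot: The six-line header of the new fragment was copied from the full fstab and describes the filesystem that holds the checker binary, which is not in this file; after concatenation it also ends up in the middle of the generated fstab. A header that describes the fragment would serve readers better, for example `# /data and /metadata entries (f2fs first). Appended to fstab.zuma.common at build time; @fileencryption@, @inlinecrypt@ and @metadata_encryption@ are replaced by the genrules in conf/Android.bp.` Since the encryption settings for /data now live only in this fragment, the header is also the place to say that a token the genrule does not replace would presumably reach the device as a literal flag.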
From: Kelvin Zhang Date: Tue, 14 May 2024 10:22:10 -0700 Subject: [PATCH 2/2] Allow devices to pick ext4 as default fs at build time Products using 16KB kernel may wish to boot into 16KB mode directly. To do this, these targets would need to use ext4 as their default fs type for /data and /metadata . Add a build time flag which would install ext4 fstabs. Test: th Bug: 339337171 Change-Id: I53de1599bbff583b45ca2bf6d3e3efb83957913e --- conf/Android.bp | 75 ++--------------------- conf/ext4/Android.bp | 102 ++++++++++++++++++++++++++++++++ conf/ext4/fstab.zuma.ext4 | 10 ++++ conf/f2fs/Android.bp | 102 ++++++++++++++++++++++++++++++++ conf/{ => f2fs}/fstab.zuma.f2fs | 0 device.mk | 8 +++ 6 files changed, 226 insertions(+), 71 deletions(-) create mode 100644 conf/ext4/Android.bp create mode 100644 conf/ext4/fstab.zuma.ext4 create mode 100644 conf/f2fs/Android.bp rename conf/{ => f2fs}/fstab.zuma.f2fs (100%) diff --git a/conf/Android.bp b/conf/Android.bp index 8bc835dd..3958e167 100644 --- a/conf/Android.bp +++ b/conf/Android.bp @@ -14,16 +14,6 @@ * limitations under the License. */ -// By default this device uses hardware-wrapped keys for storage encryption, -// which is intended to offer increased security over the traditional method -// (software keys). However, hardware-wrapped keys aren't compatible with -// FIPS-140 certification of the encryption hardware, and hence we have to -// disable the use of them in FIPS mode. This requires having two fstab files: -// one for the default mode, and one for FIPS mode selectable via -// androidboot.fstab_suffix on the kernel command line. These fstabs should be -// identical with the exception of the encryption settings, so to keep them in -// sync the rules below generate them from a template file. - package { // See: http://go/android-license-faq // A large-scale-change added 'default_applicable_licenses' to import 
@@ -33,64 +23,7 @@ package { default_applicable_licenses: ["device_google_zuma_license"], } -genrule { - name: "gen_fstab.zuma-hw-encrypt", - srcs: [ - "fstab.zuma.common", - "fstab.zuma.f2fs", - ], - out: ["fstab.zuma"], - cmd: "sed -e s/@fileencryption@/fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0/" + - " -e s/@inlinecrypt@/inlinecrypt/ " + - " -e s/@metadata_encryption@/metadata_encryption=:wrappedkey_v0/ $(in) > $(out)", -} - -genrule { - name: "gen_fstab.zuma-sw-encrypt", - srcs: [ - "fstab.zuma.common", - "fstab.zuma.f2fs", - ], - out: ["fstab.zuma"], - cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts:aes-256-hctr2/" + - " -e s/@inlinecrypt@// " + - " -e s/@metadata_encryption@/metadata_encryption=/ $(in) > $(out)", -} - -genrule { - name: "gen_fstab.zuma-no-encrypt", - srcs: [ - "fstab.zuma.common", - "fstab.zuma.f2fs", - ], - out: ["fstab.zuma"], - cmd: "sed -e s/@fileencryption@//" + - " -e s/@inlinecrypt@// " + - " -e s/@metadata_encryption@// $(in) > $(out)", -} - -genrule { - name: "gen_fstab.zuma-fips", - srcs: [ - "fstab.zuma.common", - "fstab.zuma.f2fs", - ], - out: ["fstab.zuma-fips"], - cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts/" + - " -e s/@inlinecrypt@/inlinecrypt/ " + - " -e s/@metadata_encryption@/metadata_encryption=aes-256-xts/ $(in) > $(out)", -} - -prebuilt_etc { - name: "fstab.zuma", - src: ":gen_fstab.zuma-hw-encrypt", - vendor: true, - vendor_ramdisk_available: true, -} - -prebuilt_etc { - name: "fstab.zuma-fips", - src: ":gen_fstab.zuma-fips", - vendor: true, - vendor_ramdisk_available: true, -} +filegroup { + name: "fstab.zuma.common", + srcs: ["fstab.zuma.common"], +} \ No newline at end of file diff --git a/conf/ext4/Android.bp b/conf/ext4/Android.bp new file mode 100644 index 00000000..8f809ef3 --- /dev/null +++ b/conf/ext4/Android.bp 
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// By default this device uses hardware-wrapped keys for storage encryption,
+// which is intended to offer increased security over the traditional method
+// (software keys). However, hardware-wrapped keys aren't compatible with
+// FIPS-140 certification of the encryption hardware, and hence we have to
+// disable the use of them in FIPS mode. This requires having two fstab files:
+// one for the default mode, and one for FIPS mode selectable via
+// androidboot.fstab_suffix on the kernel command line. These fstabs should be
+// identical with the exception of the encryption settings, so to keep them in
+// sync the rules below generate them from a template file.
+
+soong_namespace {
+ imports: [
+ "device/google/zuma",
+ ],
+}
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "device_google_zuma_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["device_google_zuma_license"],
+}
+
+genrule {
+ name: "gen_fstab.zuma-hw-encrypt",
+ srcs: [
+ ":fstab.zuma.common",
+ "fstab.zuma.ext4",
+ ],
+ out: ["fstab.zuma"],
+ cmd: "sed -e s/@fileencryption@/fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0/" +
+ " -e s/@inlinecrypt@/inlinecrypt/ " +
+ " -e s/@metadata_encryption@/metadata_encryption=:wrappedkey_v0/ $(in) > $(out)",
+}
+
+genrule {
+ name: "gen_fstab.zuma-sw-encrypt",
+ srcs: [
+ ":fstab.zuma.common",
+ "fstab.zuma.ext4",
+ ],
+ out: ["fstab.zuma"],
+ cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts:aes-256-hctr2/" +
+ " -e s/@inlinecrypt@// " +
+ " -e s/@metadata_encryption@/metadata_encryption=/ $(in) > $(out)",
+}
+
+genrule {
+ name: "gen_fstab.zuma-no-encrypt",
+ srcs: [
+ ":fstab.zuma.common",
+ "fstab.zuma.ext4",
+ ],
+ out: ["fstab.zuma"],
+ cmd: "sed -e s/@fileencryption@//" +
+ " -e s/@inlinecrypt@// " +
+ " -e s/@metadata_encryption@// $(in) > $(out)",
+}
+
+genrule {
+ name: "gen_fstab.zuma-fips",
+ srcs: [
+ ":fstab.zuma.common",
+ "fstab.zuma.ext4",
+ ],
+ out: ["fstab.zuma-fips"],
+ cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts/" +
+ " -e s/@inlinecrypt@/inlinecrypt/ " +
+ " -e s/@metadata_encryption@/metadata_encryption=aes-256-xts/ $(in) > $(out)",
+}
+
+prebuilt_etc {
+ name: "fstab.zuma",
+ src: ":gen_fstab.zuma-hw-encrypt",
+ vendor: true,
+ vendor_ramdisk_available: true,
+}
+
+prebuilt_etc {
+ name: "fstab.zuma-fips",
+ src: ":gen_fstab.zuma-fips",
+ vendor: true,
+ vendor_ramdisk_available: true,
+}
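Review bot: The four encryption genrules and both `prebuilt_etc` modules are now duplicated line for line between conf/ext4/Android.bp and conf/f2fs/Android.bp, with only the second `srcs` entry differing, so a later change to the `fileencryption=` or `metadata_encryption=` substitutions can land in one copy and silently leave the other variant with different encryption settings. The header comment still says the rules exist to keep the fstabs in sync, which no longer covers the two directories. If Soong allows it across the namespace import, the `cmd` strings could be defined once in conf/Android.bp (for instance through a defaults module) and reused by both files. At minimum I would add `// Keep in sync with conf/f2fs/Android.bp; only the fragment listed in srcs differs.` here and the mirror comment in the f2fs copy.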
diff --git a/conf/ext4/fstab.zuma.ext4 b/conf/ext4/fstab.zuma.ext4
new file mode 100644
index 00000000..94c64a0d
--- /dev/null
+++ b/conf/ext4/fstab.zuma.ext4
@@ -0,0 +1,10 @@
+# Android fstab file.
+#
+# The filesystem that contains the filesystem checker binary (typically /system) cannot
+# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
+#
+#
+/dev/block/platform/13200000.ufs/by-name/userdata /data ext4 noatime,nosuid,nodev,@inlinecrypt@ latemount,wait,check,quota,formattable,reservedsize=128M,readahead_size_kb=128,@fileencryption@,@metadata_encryption@,keydirectory=/metadata/vold/metadata_encryption
+/dev/block/platform/13200000.ufs/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,compress_extension=apk,compress_extension=so,compress_extension=vdex,compress_extension=odex,@inlinecrypt@,atgc,checkpoint_merge,compress_cache latemount,wait,check,quota,sysfs_path=/dev/sys/block/bootdevice,checkpoint=fs,reservedsize=128M,fscompress,readahead_size_kb=128,@fileencryption@,@metadata_encryption@,keydirectory=/metadata/vold/metadata_encryption,device=zoned:/dev/block/by-name/zoned_device
+/dev/block/platform/13200000.ufs/by-name/metadata /metadata ext4 noatime,nosuid,nodev,data=journal,commit=1 wait,check,formattable,first_stage_mount,metadata_csum
+/dev/block/platform/13200000.ufs/by-name/metadata /metadata f2fs noatime,nosuid,nodev,sync wait,check,first_stage_mount
diff --git a/conf/f2fs/Android.bp b/conf/f2fs/Android.bp
new file mode 100644
index 00000000..535df6cf
--- /dev/null
+++ b/conf/f2fs/Android.bp
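Review bot: Nothing in this fragment explains how it differs from the f2fs one: compared with the lines in fstab.zuma.f2fs, the ext4 entry of each pair now comes first and `formattable` has moved from the f2fs entries to the ext4 ones. Because `formattable` decides which filesystem a partition that fails to mount is re-created with, that choice deserves a comment, for example `# ext4 is listed first and is the only formattable entry for /data and /metadata; the f2fs lines remain as the alternative (confirm against fs_mgr).` The long option strings, including `@fileencryption@`, `@metadata_encryption@` and `keydirectory=`, are otherwise repeated from the f2fs fragment, so the header should also state that encryption flag changes must be applied to both files.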
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// By default this device uses hardware-wrapped keys for storage encryption,
+// which is intended to offer increased security over the traditional method
+// (software keys). However, hardware-wrapped keys aren't compatible with
+// FIPS-140 certification of the encryption hardware, and hence we have to
+// disable the use of them in FIPS mode. This requires having two fstab files:
+// one for the default mode, and one for FIPS mode selectable via
+// androidboot.fstab_suffix on the kernel command line. These fstabs should be
+// identical with the exception of the encryption settings, so to keep them in
+// sync the rules below generate them from a template file.
+
+soong_namespace {
+ imports: [
+ "device/google/zuma",
+ ],
+}
+
+package {
+ // See: http://go/android-license-faq
+ // A large-scale-change added 'default_applicable_licenses' to import
+ // all of the 'license_kinds' from "device_google_zuma_license"
+ // to get the below license kinds:
+ // SPDX-license-identifier-Apache-2.0
+ default_applicable_licenses: ["device_google_zuma_license"],
+}
+
+genrule {
+ name: "gen_fstab.zuma-hw-encrypt",
+ srcs: [
+ ":fstab.zuma.common",
+ "fstab.zuma.f2fs",
+ ],
+ out: ["fstab.zuma"],
+ cmd: "sed -e s/@fileencryption@/fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0/" +
+ " -e s/@inlinecrypt@/inlinecrypt/ " +
+ " -e s/@metadata_encryption@/metadata_encryption=:wrappedkey_v0/ $(in) > $(out)",
+}
+
+genrule {
+ name: "gen_fstab.zuma-sw-encrypt",
+ srcs: [
+ ":fstab.zuma.common",
+ "fstab.zuma.f2fs",
+ ],
+ out: ["fstab.zuma"],
+ cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts:aes-256-hctr2/" +
+ " -e s/@inlinecrypt@// " +
+ " -e s/@metadata_encryption@/metadata_encryption=/ $(in) > $(out)",
+}
+
+genrule {
+ name: "gen_fstab.zuma-no-encrypt",
+ srcs: [
+ ":fstab.zuma.common",
+ "fstab.zuma.f2fs",
+ ],
+ out: ["fstab.zuma"],
+ cmd: "sed -e s/@fileencryption@//" +
+ " -e s/@inlinecrypt@// " +
+ " -e s/@metadata_encryption@// $(in) > $(out)",
+}
+
+genrule {
+ name: "gen_fstab.zuma-fips",
+ srcs: [
+ ":fstab.zuma.common",
+ "fstab.zuma.f2fs",
+ ],
+ out: ["fstab.zuma-fips"],
+ cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts/" +
+ " -e s/@inlinecrypt@/inlinecrypt/ " +
+ " -e s/@metadata_encryption@/metadata_encryption=aes-256-xts/ $(in) > $(out)",
+}
+
+prebuilt_etc {
+ name: "fstab.zuma",
+ src: ":gen_fstab.zuma-hw-encrypt",
+ vendor: true,
+ vendor_ramdisk_available: true,
+}
+
+prebuilt_etc {
+ name: "fstab.zuma-fips",
+ src: ":gen_fstab.zuma-fips",
+ vendor: true,
+ vendor_ramdisk_available: true,
+}
diff --git a/conf/fstab.zuma.f2fs b/conf/f2fs/fstab.zuma.f2fs similarity index 100% rename from conf/fstab.zuma.f2fs rename to conf/f2fs/fstab.zuma.f2fs diff --git a/device.mk b/device.mk index 0447229d..19305220 100644 --- a/device.mk +++ b/device.mk @@ -383,6 +383,14 @@ PRODUCT_COPY_FILES += \ device/google/zuma/conf/init.recovery.device.rc:$(TARGET_COPY_OUT_RECOVERY)/root/init.recovery.zuma.rc # Fstab files +ifeq (ext4,$(TARGET_RW_FILE_SYSTEM_TYPE)) +PRODUCT_SOONG_NAMESPACES += \ + device/google/zuma/conf/ext4 +else +PRODUCT_SOONG_NAMESPACES += \ + device/google/zuma/conf/f2fs +endif + PRODUCT_PACKAGES += \ fstab.zuma \ fstab.zuma.vendor_ramdisk \
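Review bot: Any value of `TARGET_RW_FILE_SYSTEM_TYPE` other than the exact string `ext4` falls through to the f2fs namespace, so a misspelled or unsupported value builds without complaint and installs the f2fs `fstab.zuma` and `fstab.zuma-fips`. Since both namespaces define the same module names, this variable alone decides which /data and /metadata entries (and their `formattable` flags) ship, and the build should reject values it does not know. I would insert before the `else`: `else ifneq (,$(filter-out f2fs,$(TARGET_RW_FILE_SYSTEM_TYPE)))` followed by `$(error Unsupported TARGET_RW_FILE_SYSTEM_TYPE: $(TARGET_RW_FILE_SYSTEM_TYPE))`, which still lets an unset value default to f2fs. A one-line comment above the `ifeq` naming the two accepted values would also help.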