diff --git a/conf/Android.bp b/conf/Android.bp index 8bc835dd..3958e167 100644 --- a/conf/Android.bp +++ b/conf/Android.bp @@ -14,16 +14,6 @@ * limitations under the License. */ -// By default this device uses hardware-wrapped keys for storage encryption, -// which is intended to offer increased security over the traditional method -// (software keys). However, hardware-wrapped keys aren't compatible with -// FIPS-140 certification of the encryption hardware, and hence we have to -// disable the use of them in FIPS mode. This requires having two fstab files: -// one for the default mode, and one for FIPS mode selectable via -// androidboot.fstab_suffix on the kernel command line. These fstabs should be -// identical with the exception of the encryption settings, so to keep them in -// sync the rules below generate them from a template file. - package { // See: http://go/android-license-faq // A large-scale-change added 'default_applicable_licenses' to import @@ -33,64 +23,7 @@ package { default_applicable_licenses: ["device_google_zuma_license"], } -genrule { - name: "gen_fstab.zuma-hw-encrypt", - srcs: [ - "fstab.zuma.common", - "fstab.zuma.f2fs", - ], - out: ["fstab.zuma"], - cmd: "sed -e s/@fileencryption@/fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0/" + - " -e s/@inlinecrypt@/inlinecrypt/ " + - " -e s/@metadata_encryption@/metadata_encryption=:wrappedkey_v0/ $(in) > $(out)", -} - -genrule { - name: "gen_fstab.zuma-sw-encrypt", - srcs: [ - "fstab.zuma.common", - "fstab.zuma.f2fs", - ], - out: ["fstab.zuma"], - cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts:aes-256-hctr2/" + - " -e s/@inlinecrypt@// " + - " -e s/@metadata_encryption@/metadata_encryption=/ $(in) > $(out)", -} - -genrule { - name: "gen_fstab.zuma-no-encrypt", - srcs: [ - "fstab.zuma.common", - "fstab.zuma.f2fs", - ], - out: ["fstab.zuma"], - cmd: "sed -e s/@fileencryption@//" + - " -e s/@inlinecrypt@// " + - " -e s/@metadata_encryption@// $(in) > $(out)", -} - -genrule { - name: "gen_fstab.zuma-fips", - srcs: [ - "fstab.zuma.common", - "fstab.zuma.f2fs", - ], - out: ["fstab.zuma-fips"], - cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts/" + - " -e s/@inlinecrypt@/inlinecrypt/ " + - " -e s/@metadata_encryption@/metadata_encryption=aes-256-xts/ $(in) > $(out)", -} - -prebuilt_etc { - name: "fstab.zuma", - src: ":gen_fstab.zuma-hw-encrypt", - vendor: true, - vendor_ramdisk_available: true, -} - -prebuilt_etc { - name: "fstab.zuma-fips", - src: ":gen_fstab.zuma-fips", - vendor: true, - vendor_ramdisk_available: true, -} +filegroup { + name: "fstab.zuma.common", + srcs: ["fstab.zuma.common"], +} \ No newline at end of file diff --git a/conf/ext4/Android.bp b/conf/ext4/Android.bp new file mode 100644 index 00000000..8f809ef3 --- /dev/null +++ b/conf/ext4/Android.bp @@ -0,0 +1,102 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// By default this device uses hardware-wrapped keys for storage encryption, +// which is intended to offer increased security over the traditional method +// (software keys). However, hardware-wrapped keys aren't compatible with +// FIPS-140 certification of the encryption hardware, and hence we have to +// disable the use of them in FIPS mode. This requires having two fstab files: +// one for the default mode, and one for FIPS mode selectable via +// androidboot.fstab_suffix on the kernel command line. These fstabs should be +// identical with the exception of the encryption settings, so to keep them in +// sync the rules below generate them from a template file. + +soong_namespace { + imports: [ + "device/google/zuma", + ], +} + +package { + // See: http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // all of the 'license_kinds' from "device_google_zuma_license" + // to get the below license kinds: + // SPDX-license-identifier-Apache-2.0 + default_applicable_licenses: ["device_google_zuma_license"], +} + +genrule { + name: "gen_fstab.zuma-hw-encrypt", + srcs: [ + ":fstab.zuma.common", + "fstab.zuma.ext4", + ], + out: ["fstab.zuma"], + cmd: "sed -e s/@fileencryption@/fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0/" + + " -e s/@inlinecrypt@/inlinecrypt/ " + + " -e s/@metadata_encryption@/metadata_encryption=:wrappedkey_v0/ $(in) > $(out)", +} + +genrule { + name: "gen_fstab.zuma-sw-encrypt", + srcs: [ + ":fstab.zuma.common", + "fstab.zuma.ext4", + ], + out: ["fstab.zuma"], + cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts:aes-256-hctr2/" + + " -e s/@inlinecrypt@// " + + " -e s/@metadata_encryption@/metadata_encryption=/ $(in) > $(out)", +} + +genrule { + name: "gen_fstab.zuma-no-encrypt", + srcs: [ + ":fstab.zuma.common", + "fstab.zuma.ext4", + ], + out: ["fstab.zuma"], + cmd: "sed -e s/@fileencryption@//" + + " -e s/@inlinecrypt@// " + + " -e s/@metadata_encryption@// $(in) > $(out)", +} + +genrule { + name: "gen_fstab.zuma-fips", + srcs: [ + ":fstab.zuma.common", + "fstab.zuma.ext4", + ], + out: ["fstab.zuma-fips"], + cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts/" + + " -e s/@inlinecrypt@/inlinecrypt/ " + + " -e s/@metadata_encryption@/metadata_encryption=aes-256-xts/ $(in) > $(out)", +} + +prebuilt_etc { + name: "fstab.zuma", + src: ":gen_fstab.zuma-hw-encrypt", + vendor: true, + vendor_ramdisk_available: true, +} + +prebuilt_etc { + name: "fstab.zuma-fips", + src: ":gen_fstab.zuma-fips", + vendor: true, + vendor_ramdisk_available: true, +} diff --git a/conf/ext4/fstab.zuma.ext4 b/conf/ext4/fstab.zuma.ext4 new file mode 100644 index 00000000..94c64a0d --- /dev/null +++ b/conf/ext4/fstab.zuma.ext4 @@ -0,0 +1,10 @@ +# Android fstab file. +# +# The filesystem that contains the filesystem checker binary (typically /system) cannot +# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK +# +# +/dev/block/platform/13200000.ufs/by-name/userdata /data ext4 noatime,nosuid,nodev,@inlinecrypt@ latemount,wait,check,quota,formattable,reservedsize=128M,readahead_size_kb=128,@fileencryption@,@metadata_encryption@,keydirectory=/metadata/vold/metadata_encryption +/dev/block/platform/13200000.ufs/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,compress_extension=apk,compress_extension=so,compress_extension=vdex,compress_extension=odex,@inlinecrypt@,atgc,checkpoint_merge,compress_cache latemount,wait,check,quota,sysfs_path=/dev/sys/block/bootdevice,checkpoint=fs,reservedsize=128M,fscompress,readahead_size_kb=128,@fileencryption@,@metadata_encryption@,keydirectory=/metadata/vold/metadata_encryption,device=zoned:/dev/block/by-name/zoned_device +/dev/block/platform/13200000.ufs/by-name/metadata /metadata ext4 noatime,nosuid,nodev,data=journal,commit=1 wait,check,formattable,first_stage_mount,metadata_csum +/dev/block/platform/13200000.ufs/by-name/metadata /metadata f2fs noatime,nosuid,nodev,sync wait,check,first_stage_mount diff --git a/conf/f2fs/Android.bp b/conf/f2fs/Android.bp new file mode 100644 index 00000000..535df6cf --- /dev/null +++ b/conf/f2fs/Android.bp @@ -0,0 +1,102 @@ +/* + * Copyright (C) 2021 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +// By default this device uses hardware-wrapped keys for storage encryption, +// which is intended to offer increased security over the traditional method +// (software keys). However, hardware-wrapped keys aren't compatible with +// FIPS-140 certification of the encryption hardware, and hence we have to +// disable the use of them in FIPS mode. This requires having two fstab files: +// one for the default mode, and one for FIPS mode selectable via +// androidboot.fstab_suffix on the kernel command line. These fstabs should be +// identical with the exception of the encryption settings, so to keep them in +// sync the rules below generate them from a template file. + +soong_namespace { + imports: [ + "device/google/zuma", + ], +} + +package { + // See: http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // all of the 'license_kinds' from "device_google_zuma_license" + // to get the below license kinds: + // SPDX-license-identifier-Apache-2.0 + default_applicable_licenses: ["device_google_zuma_license"], +} + +genrule { + name: "gen_fstab.zuma-hw-encrypt", + srcs: [ + ":fstab.zuma.common", + "fstab.zuma.f2fs", + ], + out: ["fstab.zuma"], + cmd: "sed -e s/@fileencryption@/fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0/" + + " -e s/@inlinecrypt@/inlinecrypt/ " + + " -e s/@metadata_encryption@/metadata_encryption=:wrappedkey_v0/ $(in) > $(out)", +} + +genrule { + name: "gen_fstab.zuma-sw-encrypt", + srcs: [ + ":fstab.zuma.common", + "fstab.zuma.f2fs", + ], + out: ["fstab.zuma"], + cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts:aes-256-hctr2/" + + " -e s/@inlinecrypt@// " + + " -e s/@metadata_encryption@/metadata_encryption=/ $(in) > $(out)", +} + +genrule { + name: "gen_fstab.zuma-no-encrypt", + srcs: [ + ":fstab.zuma.common", + "fstab.zuma.f2fs", + ], + out: ["fstab.zuma"], + cmd: "sed -e s/@fileencryption@//" + + " -e s/@inlinecrypt@// " + + " -e s/@metadata_encryption@// $(in) > $(out)", +} + +genrule { + name: "gen_fstab.zuma-fips", + srcs: [ + ":fstab.zuma.common", + "fstab.zuma.f2fs", + ], + out: ["fstab.zuma-fips"], + cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts/" + + " -e s/@inlinecrypt@/inlinecrypt/ " + + " -e s/@metadata_encryption@/metadata_encryption=aes-256-xts/ $(in) > $(out)", +} + +prebuilt_etc { + name: "fstab.zuma", + src: ":gen_fstab.zuma-hw-encrypt", + vendor: true, + vendor_ramdisk_available: true, +} + +prebuilt_etc { + name: "fstab.zuma-fips", + src: ":gen_fstab.zuma-fips", + vendor: true, + vendor_ramdisk_available: true, +} diff --git a/conf/fstab.zuma.f2fs b/conf/f2fs/fstab.zuma.f2fs similarity index 100% rename from conf/fstab.zuma.f2fs rename to conf/f2fs/fstab.zuma.f2fs diff --git a/device.mk b/device.mk index a055f83c..bcf96249 100644 --- a/device.mk +++ b/device.mk @@ -383,6 +383,14 @@ PRODUCT_COPY_FILES += \ device/google/zuma/conf/init.recovery.device.rc:$(TARGET_COPY_OUT_RECOVERY)/root/init.recovery.zuma.rc # Fstab files +ifeq (ext4,$(TARGET_RW_FILE_SYSTEM_TYPE)) +PRODUCT_SOONG_NAMESPACES += \ + device/google/zuma/conf/ext4 +else +PRODUCT_SOONG_NAMESPACES += \ + device/google/zuma/conf/f2fs +endif + PRODUCT_PACKAGES += \ fstab.zuma \ fstab.zuma.vendor_ramdisk \