diff --git a/trusty/storage/interface/Android.bp b/trusty/storage/interface/Android.bp index d031b0c1e..769f53d8e 100644 --- a/trusty/storage/interface/Android.bp +++ b/trusty/storage/interface/Android.bp @@ -20,6 +20,7 @@ package { cc_library_static { name: "libtrustystorageinterface", - vendor: true, + vendor_available: true, + system_ext_specific: true, export_include_dirs: ["include"], } diff --git a/trusty/storage/proxy/Android.bp b/trusty/storage/proxy/Android.bp index 7ef0e6f83..f32188a22 100644 --- a/trusty/storage/proxy/Android.bp +++ b/trusty/storage/proxy/Android.bp @@ -18,10 +18,8 @@ package { default_applicable_licenses: ["Android-Apache-2.0"], } -cc_binary { - name: "storageproxyd", - vendor: true, - +cc_defaults { + name: "storageproxyd.defaults", srcs: [ "checkpoint_handling.cpp", "ipc.c", @@ -47,14 +45,22 @@ cc_binary { "libtrustystorageinterface", "libtrusty", ], - target: { - vendor: { - // vendor variant requires this flag - cflags: ["-DVENDOR_FS_READY_PROPERTY"], - }, - }, cflags: [ "-Wall", "-Werror", ], } + +cc_binary { + name: "storageproxyd", + defaults: ["storageproxyd.defaults"], + vendor: true, + // vendor variant requires this flag + cflags: ["-DVENDOR_FS_READY_PROPERTY"], +} + +cc_binary { + name: "storageproxyd.system", + defaults: ["storageproxyd.defaults"], + system_ext_specific: true, +} diff --git a/trusty/trusty-storage-cf.mk b/trusty/trusty-storage-cf.mk new file mode 100644 index 000000000..3b46445da --- /dev/null +++ b/trusty/trusty-storage-cf.mk @@ -0,0 +1,25 @@ +# +# Copyright (C) 2024 The Android Open-Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# +# This makefile should be included by the cuttlefish device +# when enabling the Trusty VM to pull in the baseline set +# of storage specific modules + +PRODUCT_PACKAGES += \ + storageproxyd.system \ + rpmb_dev.system \ + diff --git a/trusty/utils/rpmb_dev/Android.bp b/trusty/utils/rpmb_dev/Android.bp index 603a1a80a..13f151d2e 100644 --- a/trusty/utils/rpmb_dev/Android.bp +++ b/trusty/utils/rpmb_dev/Android.bp @@ -15,11 +15,8 @@ package { default_applicable_licenses: ["Android-Apache-2.0"], } -cc_binary { - name: "rpmb_dev", - vendor: true, - host_supported: true, - +cc_defaults { + name: "rpmb_dev.cc_defaults", srcs: [ "rpmb_dev.c", ], @@ -32,7 +29,23 @@ cc_binary { "-Wall", "-Werror", ], +} + +cc_binary { + name: "rpmb_dev", + defaults: ["rpmb_dev.cc_defaults"], + vendor: true, + host_supported: true, init_rc: [ "rpmb_dev.rc", ], } + +cc_binary { + name: "rpmb_dev.system", + defaults: ["rpmb_dev.cc_defaults"], + system_ext_specific: true, + init_rc: [ + "rpmb_dev.system.rc", + ], +} diff --git a/trusty/utils/rpmb_dev/rpmb_dev.system.rc b/trusty/utils/rpmb_dev/rpmb_dev.system.rc new file mode 100644 index 000000000..b78c4e2a1 --- /dev/null +++ b/trusty/utils/rpmb_dev/rpmb_dev.system.rc @@ -0,0 +1,64 @@ +service storageproxyd_system /system_ext/bin/storageproxyd.system \ + -d ${storageproxyd_system.trusty_ipc_dev:-/dev/trusty-ipc-dev0} \ + -r /dev/socket/rpmb_mock_system \ + -p /data/secure_storage_system \ + -t sock + disabled + user system + group system + +service rpmb_mock_init_system /system_ext/bin/rpmb_dev.system \ + --dev /mnt/secure_storage_rpmb_system/persist/RPMB_DATA --init --size 2048 + disabled + user system + group system + oneshot + +service rpmb_mock_system /system_ext/bin/rpmb_dev.system \ + --dev /mnt/secure_storage_rpmb_system/persist/RPMB_DATA \ + --sock rpmb_mock_system + disabled + user system + group system + socket rpmb_mock_system stream 660 system system + +# storageproxyd +on late-fs && \ + property:trusty_vm_system_nonsecure.ready=1 && \ + property:storageproxyd_system.trusty_ipc_dev=* + wait /dev/socket/rpmb_mock_system + start storageproxyd_system + + +# RPMB Mock +on post-fs && \ + property:trusty_vm_system_nonsecure.ready=1 && \ + property:trusty_vm_system.vm_cid=* + # Create a persistent location for the RPMB data + # (work around lack of RPMb block device on CF). + # file contexts secure_storage_rpmb_system_file + # (only used on Cuttlefish as this is non secure) + mkdir /metadata/secure_storage_rpmb_system 0770 system system + mkdir /mnt/secure_storage_rpmb_system 0770 system system + symlink /metadata/secure_storage_rpmb_system \ + /mnt/secure_storage_rpmb_system/persist + # Create a system persist directory in /metadata + # (work around lack of dedicated system persist partition). + # file contexts secure_storage_persist_system_file + mkdir /metadata/secure_storage_persist_system 0770 system system + mkdir /mnt/secure_storage_persist_system 0770 system system + symlink /metadata/secure_storage_persist_system \ + /mnt/secure_storage_persist_system/persist + setprop storageproxyd_system.trusty_ipc_dev VSOCK:${trusty_vm_system.vm_cid}:1 + exec_start rpmb_mock_init_system + start rpmb_mock_system + +on post-fs-data && \ + property:trusty_vm_system_nonsecure.ready=1 && \ + property:storageproxyd_system.trusty_ipc_dev=* + # file contexts secure_storage_system_file + mkdir /data/secure_storage_system 0770 root system + symlink /mnt/secure_storage_persist_system/persist \ + /data/secure_storage_system/persist + chown root system /data/secure_storage_system/persist + restart storageproxyd_system