This change allows init to ensure that a specified virtio-console
device file (`/dev/hvc*`) is available before `ueventd` coldboot.
Times out if device path is not encountered within 10 seconds.
Bug: 325538592
Test: build bertha_x86_64 and bertha_arm64
Change-Id: Ia1512e69ea607bf4d235595caa53668e2dac500c
The derivation happens in the derive_microdroid_vendor_dice_node binary
which first_stage_init forks and execvs.
Since the derivation requires talking to the dice driver, its
initialisation is also moved to the first stage init.
The derivation happens before the microdroid vendor partition is
verified & mounted. This should be safe because the first_stage_init
will fail the boot if the verification of the microdroid vendor
partition fails.
Bug: 287593065
Test: run microdroid with and without vendor partition
Test: atest MicrodroidTests
Change-Id: I0d83772eb98a56c315617e66ec64bd03639cfde6
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
In first-stage init, libsnapshot needs to know how to wait for device
paths, since ueventd isn't running yet. We do this by passing a callback
wrapping BlockDevInitializer.
Bug: 173476209
Test: device boots into first-stage init after full VABC ota
Change-Id: I9a87f98824e65a9379cb0b99c001e28cccd9d205
This allows init to easily ensure misc devices other than device-mapper
are present.
Bug: 154536437
Test: manual test
Change-Id: I49495684edee322f9787ce7ab7f79d0e8060171d
This will make it possible to re-use in second-stage init.
Bug: 150315914
Test: first-stage init boots
Change-Id: I6a0f13d5c71ab5529a76751f68ac0f15834323d1
