ScoopDroid/android_build_soong
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_build_soong/filesystem/fsverity_metadata.go
Inseob Kim cd34413b9d Make fsverity props configurable 
Bug: 381019944
Test: build
Change-Id: I7389131a944ce477d5d49d01acbcacae2e6fecfe
2025-03-30 16:08:39 +02:00

152 lines
5.7 KiB
Go
Raw Blame History

// Copyright (C) 2024 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package filesystem
import (
"fmt"
"path/filepath"
"strings"
"android/soong/android"
"github.com/google/blueprint/proptools"
)
type fsverityProperties struct {
// Patterns of files for fsverity metadata generation. For each matched file, a .fsv_meta file
// will be generated and included to the filesystem image.
// etc/security/fsverity/BuildManifest.apk will also be generated which contains information
// about generated .fsv_meta files.
Inputs proptools.Configurable[[]string]
// APK libraries to link against, for etc/security/fsverity/BuildManifest.apk
Libs proptools.Configurable[[]string] `android:"path"`
}
func (f *filesystem) writeManifestGeneratorListFile(ctx android.ModuleContext, outputPath android.WritablePath, matchedSpecs []android.PackagingSpec, rebasedDir android.OutputPath) {
var buf strings.Builder
for _, spec := range matchedSpecs {
buf.WriteString(rebasedDir.Join(ctx, spec.RelPathInPackage()).String())
buf.WriteRune('\n')
}
android.WriteFileRuleVerbatim(ctx, outputPath, buf.String())
}
func (f *filesystem) buildFsverityMetadataFiles(ctx android.ModuleContext, builder *android.RuleBuilder, specs map[string]android.PackagingSpec, rootDir android.OutputPath, rebasedDir android.OutputPath) {
match := func(path string) bool {
for _, pattern := range f.properties.Fsverity.Inputs.GetOrDefault(ctx, nil) {
if matched, err := filepath.Match(pattern, path); matched {
return true
} else if err != nil {
ctx.PropertyErrorf("fsverity.inputs", "bad pattern %q", pattern)
return false
}
}
return false
}
var matchedSpecs []android.PackagingSpec
for _, relPath := range android.SortedKeys(specs) {
if match(relPath) {
matchedSpecs = append(matchedSpecs, specs[relPath])
}
}
if len(matchedSpecs) == 0 {
return
}
fsverityPath := ctx.Config().HostToolPath(ctx, "fsverity")
// STEP 1: generate .fsv_meta
var sb strings.Builder
sb.WriteString("set -e\n")
for _, spec := range matchedSpecs {
// srcPath is copied by CopySpecsToDir()
srcPath := rebasedDir.Join(ctx, spec.RelPathInPackage())
destPath := rebasedDir.Join(ctx, spec.RelPathInPackage()+".fsv_meta")
builder.Command().
BuiltTool("fsverity_metadata_generator").
FlagWithInput("--fsverity-path ", fsverityPath).
FlagWithArg("--signature ", "none").
FlagWithArg("--hash-alg ", "sha256").
FlagWithArg("--output ", destPath.String()).
Text(srcPath.String())
f.appendToEntry(ctx, destPath)
}
// STEP 2: generate signed BuildManifest.apk
// STEP 2-1: generate build_manifest.pb
manifestGeneratorListPath := android.PathForModuleOut(ctx, "fsverity_manifest.list")
f.writeManifestGeneratorListFile(ctx, manifestGeneratorListPath, matchedSpecs, rebasedDir)
assetsPath := android.PathForModuleOut(ctx, "fsverity_manifest/assets")
manifestPbPath := assetsPath.Join(ctx, "build_manifest.pb")
builder.Command().Text("rm -rf " + assetsPath.String())
builder.Command().Text("mkdir -p " + assetsPath.String())
builder.Command().
BuiltTool("fsverity_manifest_generator").
FlagWithInput("--fsverity-path ", fsverityPath).
FlagWithArg("--base-dir ", rootDir.String()).
FlagWithArg("--output ", manifestPbPath.String()).
FlagWithInput("@", manifestGeneratorListPath)
f.appendToEntry(ctx, manifestPbPath)
f.appendToEntry(ctx, manifestGeneratorListPath)
// STEP 2-2: generate BuildManifest.apk (unsigned)
apkNameSuffix := ""
if f.PartitionType() == "system_ext" {
//https://source.corp.google.com/h/googleplex-android/platform/build/+/e392d2b486c2d4187b20a72b1c67cc737ecbcca5:core/Makefile;l=3410;drc=ea8f34bc1d6e63656b4ec32f2391e9d54b3ebb6b;bpv=1;bpt=0
apkNameSuffix = "SystemExt"
}
apkPath := rebasedDir.Join(ctx, "etc", "security", "fsverity", fmt.Sprintf("BuildManifest%s.apk", apkNameSuffix))
idsigPath := rebasedDir.Join(ctx, "etc", "security", "fsverity", fmt.Sprintf("BuildManifest%s.apk.idsig", apkNameSuffix))
manifestTemplatePath := android.PathForSource(ctx, "system/security/fsverity/AndroidManifest.xml")
libs := android.PathsForModuleSrc(ctx, f.properties.Fsverity.Libs.GetOrDefault(ctx, nil))
minSdkVersion := ctx.Config().PlatformSdkCodename()
if minSdkVersion == "REL" {
minSdkVersion = ctx.Config().PlatformSdkVersion().String()
}
unsignedApkCommand := builder.Command().
BuiltTool("aapt2").
Text("link").
FlagWithOutput("-o ", apkPath).
FlagWithArg("-A ", assetsPath.String())
for _, lib := range libs {
unsignedApkCommand.FlagWithInput("-I ", lib)
}
unsignedApkCommand.
FlagWithArg("--min-sdk-version ", minSdkVersion).
FlagWithArg("--version-code ", ctx.Config().PlatformSdkVersion().String()).
FlagWithArg("--version-name ", ctx.Config().AppsDefaultVersionName()).
FlagWithInput("--manifest ", manifestTemplatePath).
Text(" --rename-manifest-package com.android.security.fsverity_metadata." + f.partitionName())
f.appendToEntry(ctx, apkPath)
// STEP 2-3: sign BuildManifest.apk
pemPath, keyPath := ctx.Config().DefaultAppCertificate(ctx)
builder.Command().
BuiltTool("apksigner").
Text("sign").
FlagWithArg("--in ", apkPath.String()).
FlagWithInput("--cert ", pemPath).
FlagWithInput("--key ", keyPath).
ImplicitOutput(idsigPath)
f.appendToEntry(ctx, idsigPath)
}
Reference in a new issue View git blame Copy permalink