mixin updates

[DONT MERGE] Disable trusty and set sepolicy to permissive

Mixin-Reviewed-On: #1233
Signed-off-by: Jeevaka Prabu Badrappan <[email protected]>

caas/AndroidBoard.mk

@@ -481,7 +481,7 @@ kernel: $(LOCAL_KERNEL_PATH)/copy_modules $(PRODUCT_OUT)/kernel
 endif
 
 ##############################################################
-# Source: device/intel/mixins/groups/sepolicy/enforcing/AndroidBoard.mk
+# Source: device/intel/mixins/groups/sepolicy/permissive/AndroidBoard.mk
 ##############################################################
 include $(CLEAR_VARS)
 LOCAL_MODULE := sepolicy-areq-checker
@@ -538,31 +538,6 @@ em-host-utilities:
 .PHONY: host-pkg
 host-pkg: em-host-utilities vinput-manager
 ##############################################################
-# Source: device/intel/mixins/groups/trusty/true/AndroidBoard.mk
-##############################################################
-.PHONY: tosimage multiboot
-
-EVMM_PKG := $(TOP)/$(PRODUCT_OUT)/obj/trusty/evmm_pkg.bin
-EVMM_LK_PKG := $(TOP)/$(PRODUCT_OUT)/obj/trusty/evmm_lk_pkg.bin
-
-LOCAL_CLANG_PATH = $(CLANG_PREBUILTS_PATH)/host/$(HOST_OS)-x86/$(KERNEL_CLANG_VERSION)/bin
-
-LOCAL_MAKE := \
-        PATH="$(LOCAL_CLANG_PATH):$(PWD)/prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8/x86_64-linux/bin:$$PATH" \
-        $(PWD)/prebuilts/build-tools/linux-x86/bin/make
-$(EVMM_PKG):
-	@echo "making evmm.."
-	$(hide) (cd $(TOPDIR)$(INTEL_PATH_VENDOR)/fw/evmm && $(TRUSTY_ENV_VAR) $(LOCAL_MAKE))
-
-$(EVMM_LK_PKG):
-	@echo "making evmm(packing with lk.bin).."
-	$(hide) (cd $(TOPDIR)$(INTEL_PATH_VENDOR)/fw/evmm && $(TRUSTY_ENV_VAR) $(LOCAL_MAKE))
-
-# include sub-makefile according to boot_arch
-include $(TARGET_DEVICE_DIR)/extra_files/trusty/trusty_project-celadon.mk
-
-LOAD_MODULES_H_IN += $(TARGET_DEVICE_DIR)/extra_files/trusty/load_trusty_modules.in
-##############################################################
 # Source: device/intel/mixins/groups/firststage-mount/true/AndroidBoard.mk
 ##############################################################
 FIRST_STAGE_MOUNT_CFG_FILE := $(TARGET_DEVICE_DIR)/extra_files/firststage-mount/config.asl

caas/BoardConfig.mk

@@ -143,7 +143,6 @@ BOARD_VBMETAIMAGE_PARTITION_SIZE := 2097152
 BOARD_FLASHFILES += $(PRODUCT_OUT)/vbmeta.img
 
 AB_OTA_PARTITIONS += vbmeta
-AB_OTA_PARTITIONS += tos
 
 
 KERNELFLINGER_SUPPORT_USB_STORAGE ?= true
@@ -207,7 +206,13 @@ endif
 BOARD_SEPOLICY_M4DEFS += module_kernel=true
 BOARD_SEPOLICY_DIRS += $(INTEL_PATH_SEPOLICY)/kernel
 ##############################################################
-# Source: device/intel/mixins/groups/sepolicy/enforcing/BoardConfig.mk
+# Source: device/intel/mixins/groups/sepolicy/permissive/BoardConfig.mk.1
+##############################################################
+# start kernel in permissive mode, this way we don't
+# need 'setenforce 0' from init.rc files
+BOARD_KERNEL_CMDLINE += enforcing=0 androidboot.selinux=permissive
+##############################################################
+# Source: device/intel/mixins/groups/sepolicy/permissive/BoardConfig.mk
 ##############################################################
 # SELinux Policy
 BOARD_SEPOLICY_DIRS += $(INTEL_PATH_SEPOLICY)
@@ -299,48 +304,9 @@ BUILD_BROKEN_USES_BUILD_HOST_SHARED_LIBRARY := true
 BUILD_BROKEN_USES_BUILD_HOST_EXECUTABLE := true
 BUILD_BROKEN_USES_BUILD_COPY_HEADERS := true
 ##############################################################
-# Source: device/intel/mixins/groups/trusty/true/BoardConfig.mk
+# Source: device/intel/mixins/groups/trusty/false/BoardConfig.mk
 ##############################################################
-TARGET_USE_TRUSTY := true
-
-ifneq (, $(filter abl sbl, project-celadon))
-TARGET_USE_MULTIBOOT := true
-endif
-
-BOARD_USES_TRUSTY := true
-BOARD_USES_KEYMASTER1 := true
-BOARD_SEPOLICY_DIRS += $(INTEL_PATH_SEPOLICY)/trusty/enabled
-BOARD_SEPOLICY_M4DEFS += module_trusty=true
-
-TRUSTY_BUILDROOT = $(PWD)/$(PRODUCT_OUT)/obj/trusty/
-
-TRUSTY_ENV_VAR += TRUSTY_REF_TARGET=celadon_64
-
-#for trusty vmm
-# use same toolchain as android kernel
-TRUSTY_ENV_VAR += CLANG_BINDIR=$(PWD)/$(LLVM_PREBUILTS_PATH)
-TRUSTY_ENV_VAR += COMPILE_TOOLCHAIN=$(YOCTO_CROSSCOMPILE)
-TRUSTY_ENV_VAR += TARGET_BUILD_VARIANT=$(TARGET_BUILD_VARIANT)
-TRUSTY_ENV_VAR += BOOT_ARCH=project-celadon
-
-# output build dir to android out folder
-TRUSTY_ENV_VAR += BUILD_DIR=$(TRUSTY_BUILDROOT)
-ifeq ($(LKDEBUG),2)
-TRUSTY_ENV_VAR += LKBIN_DIR=$(PWD)/vendor/intel/fw/trusty-release-binaries/debug/
-else
-TRUSTY_ENV_VAR += LKBIN_DIR=$(PWD)/vendor/intel/fw/trusty-release-binaries/
-endif
-
-#Fix the cpu hotplug fail due to the trusty.
-#Trusty will introduce some delay for cpu_up().
-#Experiment show need wait at least 60us after
-#apic_icr_write(APIC_DM_STARTUP | (start_eip >> 12), phys_apicid);
-#So here override the cpu_init_udelay to have the cpu wait for 300us
-#to guarantee the cpu_up success.
-BOARD_KERNEL_CMDLINE += cpu_init_udelay=10
-
-#TOS_PREBUILT := $(PWD)/$(INTEL_PATH_VENDOR)/fw/evmm/tos.img
-#EVMM_PREBUILT := $(PWD)/$(INTEL_PATH_VENDOR)/fw/evmm/multiboot.img
+BOARD_SEPOLICY_DIRS += $(INTEL_PATH_SEPOLICY)/trusty/disabled
 ##############################################################
 # Source: device/intel/mixins/groups/firststage-mount/true/BoardConfig.mk
 ##############################################################

caas/device.mk

@@ -125,7 +125,7 @@ KERNEL_MODULES_ROOT_PATH ?= vendor/lib/modules
 KERNEL_MODULES_ROOT ?= $(KERNEL_MODULES_ROOT_PATH)
 PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.vendor.boot.moduleslocation=/$(KERNEL_MODULES_ROOT_PATH)
 ##############################################################
-# Source: device/intel/mixins/groups/sepolicy/enforcing/product.mk
+# Source: device/intel/mixins/groups/sepolicy/permissive/product.mk
 ##############################################################
 PRODUCT_PACKAGES += sepolicy-areq-checker
 ##############################################################
@@ -300,39 +300,10 @@ PRODUCT_COPY_FILES += device/intel/civ/host/vm-manager/scripts/start_flash_usb.s
 PRODUCT_COPY_FILES += vendor/intel/fw/trusty-release-binaries/rpmb_dev:$(PRODUCT_OUT)/scripts/rpmb_dev
 PRODUCT_COPY_FILES += $(LOCAL_PATH)/wakeup.py:$(PRODUCT_OUT)/scripts/wakeup.py
 ##############################################################
-# Source: device/intel/mixins/groups/trusty/true/product.mk
+# Source: device/intel/mixins/groups/trusty/false/product.mk
 ##############################################################
-
-KM_VERSION := 2
-
-ifeq ($(KM_VERSION),2)
 PRODUCT_PACKAGES += \
-	keystore.trusty
-PRODUCT_PROPERTY_OVERRIDES += \
-	ro.hardware.keystore=trusty
-endif
-
-ifeq ($(KM_VERSION),1)
-PRODUCT_PACKAGES += \
-	keystore.${TARGET_BOARD_PLATFORM}
-endif
-
-PRODUCT_PACKAGES += \
-	libtrusty \
-	storageproxyd \
-	libinteltrustystorage \
-	libinteltrustystorageinterface \
-	[email protected] \
-	keybox_provisioning \
-
-PRODUCT_PACKAGES_DEBUG += \
-	intel-secure-storage-unit-test \
-	gatekeeper-unit-tests \
-	libscrypt_static \
-	scrypt_test \
-
-PRODUCT_PROPERTY_OVERRIDES += \
-	ro.hardware.gatekeeper=trusty \
+    [email protected]
 ##############################################################
 # Source: device/intel/mixins/groups/vendor-partition/true/product.mk
 ##############################################################

caas/extra_files/firststage-mount/config.asl

@@ -16,7 +16,7 @@ Scope(_SB)
                 Package () {
                     Package () {"android.compatible", "android,firmware"},
                     Package () {"android.vbmeta.compatible","android,vbmeta"},
-                    Package () {"android.vbmeta.parts","vbmeta,boot,system,vendor,tos,product"},
+                    Package () {"android.vbmeta.parts","vbmeta,boot,system,vendor,product"},
                     Package () {"android.fstab.compatible", "android,fstab"},
                     Package () {"android.fstab.vendor.compatible", "android,vendor"},
                     Package () {"android.fstab.vendor.dev", "/dev/block/pci/pci0000:00/0000:00:ff.ff/by-name/vendor"},  // Varies with platform

caas/flashfiles.ini

@@ -47,11 +47,6 @@ tool = fastboot
 args = erase teedata
 description = Erase teedata partition
 
-[command.flash.tos]
-tool = fastboot
-args = flash tos_a $file
-file = radio:tos.img
-description = Flash tos partition
 
 
 ##############################################################

caas/fstab

@@ -9,10 +9,9 @@
 # specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
 system   /system  ext4 ro,barrier=1 wait,slotselect,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey,avb=vbmeta,logical,first_stage_mount
 /dev/block/by-name/vbmeta       /vbmeta         emmc    defaults                                                   defaults,slotselect,avb
-/dev/block/by-name/userdata         /data           ext4    noatime,nosuid,nodev,noauto_da_alloc,errors=panic   wait,check,formattable,fileencryption=aes-256-xts:aes-256-cts,quota,reservedsize=50m,fsverity,latemount,keydirectory=/metadata/vold/metadata_encryption,checkpoint=block
+/dev/block/by-name/userdata         /data           ext4    noatime,nosuid,nodev,noauto_da_alloc,errors=panic   wait,check,formattable,quota,reservedsize=50m,fsverity,latemount,keydirectory=/metadata/vold/metadata_encryption,checkpoint=block
 /dev/block/by-name/boot         /boot           emmc    defaults                                                    defaults,slotselect,avb
 /dev/block/by-name/misc         /misc           emmc    defaults                                                    defaults
-/dev/block/by-name/tos          /tos            emmc    defaults                                                    defaults,slotselect,avb
 /dev/block/by-name/bootloader   /bootloader     emmc    defaults                                                    recoveryonly
 /dev/block/by-name/bootloader2  /bootloader2    emmc    defaults                                                    recoveryonly
 /dev/block/by-name/persistent   /persistent     emmc    defaults                                                    defaults

caas/fstab.recovery

@@ -9,10 +9,9 @@
 # specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
 system   /system  ext4 ro,barrier=1 wait,slotselect,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey,avb=vbmeta,logical,first_stage_mount
 /dev/block/by-name/vbmeta               /vbmeta         emmc    defaults                                            defaults,slotselect,avb
-/dev/block/by-name/userdata         /data           ext4     noatime,nosuid,nodev,noauto_da_alloc,errors=panic   wait,check,formattable,fileencryption=aes-256-xts:aes-256-cts
+/dev/block/by-name/userdata         /data           ext4     noatime,nosuid,nodev,noauto_da_alloc,errors=panic   wait,check,formattable
 /dev/block/by-name/boot         /boot           emmc    defaults                                                    defaults
 /dev/block/by-name/misc         /misc           emmc    defaults                                                    defaults
-/dev/block/by-name/tos          /tos            emmc    defaults                                                    defaults,slotselect
 /dev/block/by-name/bootloader   /bootloader     emmc    defaults                                                    recoveryonly
 /dev/block/by-name/bootloader2  /bootloader2    emmc    defaults                                                    recoveryonly
 /dev/block/by-name/persistent   /persistent     emmc    defaults                                                    defaults

caas/gpt.ini

@@ -22,7 +22,7 @@ has_slot = true
 # Source: device/intel/mixins/groups/boot-arch/project-celadon/gpt.ini
 ##############################################################
 [base]
-partitions = bootloader bootloader2 boot tos misc metadata acpio super data persistent teedata
+partitions = bootloader bootloader2 boot misc metadata acpio super data persistent teedata
 device = auto
 nb_slot = 2
 
@@ -45,11 +45,6 @@ len = 30
 type = boot
 has_slot = true
 
-[partition.tos]
-label = tos
-len = 10
-type = boot
-has_slot = true
 
 [partition.misc]
 label = misc

caas/init.rc

@@ -187,33 +187,6 @@ on post-fs
     insmod /vendor/lib/modules/r8152.ko
     insmod /vendor/lib/modules/r8169.ko
 ##############################################################
-# Source: device/intel/mixins/groups/trusty/true/init.rc
-##############################################################
-on post-fs-data
-    mkdir /data/vendor/securestorage 0700 system system
-    chmod 666 /dev/rpmb0
-
-on early-boot
-    start storageproxyd
-
-service storageproxyd /vendor/bin/storageproxyd -d /dev/trusty-ipc-dev0 -p /data/vendor/securestorage -r /dev/vport0p1 -t virt
-    user system
-    group system
-
-on boot
-    start keyboxd
-
-service keyboxd /vendor/bin/keybox_provisioning -d /dev/trusty-ipc-dev0 -p /dev/block/by-name/teedata
-    user system
-    group system
-    oneshot
-
-on post-fs
-    wait_for_prop vendor.modules.trusty.ready true
-    # Update device node r/w attribute
-    chmod 666 /dev/trusty-ipc-dev0
-    chmod 666 /dev/vport0p1
-##############################################################
 # Source: device/intel/mixins/groups/config-partition/true/init.rc
 ##############################################################
 # Enable SELinux labeling

caas/ueventd.rc

@@ -27,11 +27,6 @@
 
 # Used by WideVine
 /dev/meimm                    0660   system     drmrpc
-##############################################################
-# Source: device/intel/mixins/groups/trusty/true/ueventd.rc
-##############################################################
-/dev/block/p*/*/*/by-name/teedata      0660 system system
-
 ##############################################################
 # Source: device/intel/mixins/groups/graphics/auto/ueventd.rc
 ##############################################################