From 08759ed0c9f9f0cc957640ebab1db277138f4f92 Mon Sep 17 00:00:00 2001 From: buildslave Date: Wed, 11 Aug 2021 06:11:46 +0000 Subject: [PATCH] mixin updates [DONT MERGE] Disable trusty and set sepolicy to permissive Mixin-Reviewed-On: https://github.com/projectceladon/device-androidia/pull/1233 Signed-off-by: Jeevaka Prabu Badrappan --- caas/AndroidBoard.mk | 27 +--------- caas/BoardConfig.mk | 52 ++++--------------- caas/device.mk | 35 ++----------- caas/extra_files/firststage-mount/config.asl | 2 +- .../extra_files/trusty/load_trusty_modules.in | 18 ------- .../trusty/trusty_project-celadon.mk | 50 ------------------ caas/flashfiles.ini | 5 -- caas/fstab | 3 +- caas/fstab.recovery | 3 +- caas/gpt.ini | 7 +-- caas/init.rc | 27 ---------- caas/ueventd.rc | 5 -- 12 files changed, 17 insertions(+), 217 deletions(-) delete mode 100644 caas/extra_files/trusty/load_trusty_modules.in delete mode 100644 caas/extra_files/trusty/trusty_project-celadon.mk diff --git a/caas/AndroidBoard.mk b/caas/AndroidBoard.mk index 7b1bc4d0a..6437f7b04 100644 --- a/caas/AndroidBoard.mk +++ b/caas/AndroidBoard.mk @@ -481,7 +481,7 @@ kernel: $(LOCAL_KERNEL_PATH)/copy_modules $(PRODUCT_OUT)/kernel endif ############################################################## -# Source: device/intel/mixins/groups/sepolicy/enforcing/AndroidBoard.mk +# Source: device/intel/mixins/groups/sepolicy/permissive/AndroidBoard.mk ############################################################## include $(CLEAR_VARS) LOCAL_MODULE := sepolicy-areq-checker 
@@ -538,31 +538,6 @@ em-host-utilities: .PHONY: host-pkg host-pkg: em-host-utilities vinput-manager ############################################################## -# Source: device/intel/mixins/groups/trusty/true/AndroidBoard.mk -############################################################## -.PHONY: tosimage multiboot - -EVMM_PKG := $(TOP)/$(PRODUCT_OUT)/obj/trusty/evmm_pkg.bin -EVMM_LK_PKG := $(TOP)/$(PRODUCT_OUT)/obj/trusty/evmm_lk_pkg.bin - -LOCAL_CLANG_PATH = $(CLANG_PREBUILTS_PATH)/host/$(HOST_OS)-x86/$(KERNEL_CLANG_VERSION)/bin - -LOCAL_MAKE := \ - PATH="$(LOCAL_CLANG_PATH):$(PWD)/prebuilts/gcc/linux-x86/host/x86_64-linux-glibc2.17-4.8/x86_64-linux/bin:$$PATH" \ - $(PWD)/prebuilts/build-tools/linux-x86/bin/make -$(EVMM_PKG): - @echo "making evmm.." - $(hide) (cd $(TOPDIR)$(INTEL_PATH_VENDOR)/fw/evmm && $(TRUSTY_ENV_VAR) $(LOCAL_MAKE)) - -$(EVMM_LK_PKG): - @echo "making evmm(packing with lk.bin).." - $(hide) (cd $(TOPDIR)$(INTEL_PATH_VENDOR)/fw/evmm && $(TRUSTY_ENV_VAR) $(LOCAL_MAKE)) - -# include sub-makefile according to boot_arch -include $(TARGET_DEVICE_DIR)/extra_files/trusty/trusty_project-celadon.mk - -LOAD_MODULES_H_IN += $(TARGET_DEVICE_DIR)/extra_files/trusty/load_trusty_modules.in -############################################################## # Source: device/intel/mixins/groups/firststage-mount/true/AndroidBoard.mk ############################################################## FIRST_STAGE_MOUNT_CFG_FILE := $(TARGET_DEVICE_DIR)/extra_files/firststage-mount/config.asl diff --git a/caas/BoardConfig.mk b/caas/BoardConfig.mk index 6166c1c70..6b0bd27d3 100644 --- a/caas/BoardConfig.mk +++ b/caas/BoardConfig.mk @@ -143,7 +143,6 @@ BOARD_VBMETAIMAGE_PARTITION_SIZE := 2097152 BOARD_FLASHFILES += $(PRODUCT_OUT)/vbmeta.img AB_OTA_PARTITIONS += vbmeta -AB_OTA_PARTITIONS += tos KERNELFLINGER_SUPPORT_USB_STORAGE ?= true 
@@ -207,7 +206,13 @@ endif
 BOARD_SEPOLICY_M4DEFS += module_kernel=true
 BOARD_SEPOLICY_DIRS += $(INTEL_PATH_SEPOLICY)/kernel
 ##############################################################
-# Source: device/intel/mixins/groups/sepolicy/enforcing/BoardConfig.mk
+# Source: device/intel/mixins/groups/sepolicy/permissive/BoardConfig.mk.1
+##############################################################
+# start kernel in permissive mode, this way we don't
+# need 'setenforce 0' from init.rc files
+BOARD_KERNEL_CMDLINE += enforcing=0 androidboot.selinux=permissive
+##############################################################
+# Source: device/intel/mixins/groups/sepolicy/permissive/BoardConfig.mk
 ##############################################################
 # SELinux Policy
 BOARD_SEPOLICY_DIRS += $(INTEL_PATH_SEPOLICY)
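Review bot: `BOARD_KERNEL_CMDLINE += enforcing=0 androidboot.selinux=permissive` is added with no build-variant guard, so any product that pulls in this mixin ships permissive, user builds included; the `[DONT MERGE]` tag in the subject is the only thing standing in the way. As far as I recall init only honours `androidboot.selinux=permissive` on non-user builds, while `enforcing=0` is consumed by the kernel itself and only when CONFIG_SECURITY_SELINUX_BOOTPARAM is enabled (which Android's kernel guidance turns off), so whether this line has any effect depends on the kernel config — and where it does take effect it also weakens a user build. I'd fail the build instead of silently degrading it, directly above the `BOARD_KERNEL_CMDLINE` line: `ifeq ($(TARGET_BUILD_VARIANT),user)` / `$(error sepolicy/permissive mixin must not be used in a user build)` / `endif`. The new comment should also say why permissive is wanted here (debugging the trusty-less bring-up, presumably) so the next reader knows it is temporary.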
@@ -299,48 +304,9 @@ BUILD_BROKEN_USES_BUILD_HOST_SHARED_LIBRARY := true BUILD_BROKEN_USES_BUILD_HOST_EXECUTABLE := true BUILD_BROKEN_USES_BUILD_COPY_HEADERS := true ############################################################## -# Source: device/intel/mixins/groups/trusty/true/BoardConfig.mk +# Source: device/intel/mixins/groups/trusty/false/BoardConfig.mk ############################################################## -TARGET_USE_TRUSTY := true - -ifneq (, $(filter abl sbl, project-celadon)) -TARGET_USE_MULTIBOOT := true -endif - -BOARD_USES_TRUSTY := true -BOARD_USES_KEYMASTER1 := true -BOARD_SEPOLICY_DIRS += $(INTEL_PATH_SEPOLICY)/trusty/enabled -BOARD_SEPOLICY_M4DEFS += module_trusty=true - -TRUSTY_BUILDROOT = $(PWD)/$(PRODUCT_OUT)/obj/trusty/ - -TRUSTY_ENV_VAR += TRUSTY_REF_TARGET=celadon_64 - -#for trusty vmm -# use same toolchain as android kernel -TRUSTY_ENV_VAR += CLANG_BINDIR=$(PWD)/$(LLVM_PREBUILTS_PATH) -TRUSTY_ENV_VAR += COMPILE_TOOLCHAIN=$(YOCTO_CROSSCOMPILE) -TRUSTY_ENV_VAR += TARGET_BUILD_VARIANT=$(TARGET_BUILD_VARIANT) -TRUSTY_ENV_VAR += BOOT_ARCH=project-celadon - -# output build dir to android out folder -TRUSTY_ENV_VAR += BUILD_DIR=$(TRUSTY_BUILDROOT) -ifeq ($(LKDEBUG),2) -TRUSTY_ENV_VAR += LKBIN_DIR=$(PWD)/vendor/intel/fw/trusty-release-binaries/debug/ -else -TRUSTY_ENV_VAR += LKBIN_DIR=$(PWD)/vendor/intel/fw/trusty-release-binaries/ -endif - -#Fix the cpu hotplug fail due to the trusty. -#Trusty will introduce some delay for cpu_up(). -#Experiment show need wait at least 60us after -#apic_icr_write(APIC_DM_STARTUP | (start_eip >> 12), phys_apicid); -#So here override the cpu_init_udelay to have the cpu wait for 300us -#to guarantee the cpu_up success. 
-BOARD_KERNEL_CMDLINE += cpu_init_udelay=10 - -#TOS_PREBUILT := $(PWD)/$(INTEL_PATH_VENDOR)/fw/evmm/tos.img -#EVMM_PREBUILT := $(PWD)/$(INTEL_PATH_VENDOR)/fw/evmm/multiboot.img +BOARD_SEPOLICY_DIRS += $(INTEL_PATH_SEPOLICY)/trusty/disabled ############################################################## # Source: device/intel/mixins/groups/firststage-mount/true/BoardConfig.mk ############################################################## diff --git a/caas/device.mk b/caas/device.mk index c8c82c067..2ddbb05c9 100644 --- a/caas/device.mk +++ b/caas/device.mk @@ -125,7 +125,7 @@ KERNEL_MODULES_ROOT_PATH ?= vendor/lib/modules KERNEL_MODULES_ROOT ?= $(KERNEL_MODULES_ROOT_PATH) PRODUCT_DEFAULT_PROPERTY_OVERRIDES += ro.vendor.boot.moduleslocation=/$(KERNEL_MODULES_ROOT_PATH) ############################################################## -# Source: device/intel/mixins/groups/sepolicy/enforcing/product.mk +# Source: device/intel/mixins/groups/sepolicy/permissive/product.mk ############################################################## PRODUCT_PACKAGES += sepolicy-areq-checker ############################################################## 
@@ -300,39 +300,10 @@ PRODUCT_COPY_FILES += device/intel/civ/host/vm-manager/scripts/start_flash_usb.s
 PRODUCT_COPY_FILES += vendor/intel/fw/trusty-release-binaries/rpmb_dev:$(PRODUCT_OUT)/scripts/rpmb_dev
 PRODUCT_COPY_FILES += $(LOCAL_PATH)/wakeup.py:$(PRODUCT_OUT)/scripts/wakeup.py
 ##############################################################
-# Source: device/intel/mixins/groups/trusty/true/product.mk
+# Source: device/intel/mixins/groups/trusty/false/product.mk
 ##############################################################
-
-KM_VERSION := 2
-
-ifeq ($(KM_VERSION),2)
 PRODUCT_PACKAGES += \
- keystore.trusty
-PRODUCT_PROPERTY_OVERRIDES += \
- ro.hardware.keystore=trusty
-endif
-
-ifeq ($(KM_VERSION),1)
-PRODUCT_PACKAGES += \
- keystore.${TARGET_BOARD_PLATFORM}
-endif
-
-PRODUCT_PACKAGES += \
- libtrusty \
- storageproxyd \
- libinteltrustystorage \
- libinteltrustystorageinterface \
- android.hardware.gatekeeper@1.0-service.trusty \
- keybox_provisioning \
-
-PRODUCT_PACKAGES_DEBUG += \
- intel-secure-storage-unit-test \
- gatekeeper-unit-tests \
- libscrypt_static \
- scrypt_test \
-
-PRODUCT_PROPERTY_OVERRIDES += \
- ro.hardware.gatekeeper=trusty \
+ android.hardware.gatekeeper@1.0-service.software
 ##############################################################
 # Source: device/intel/mixins/groups/vendor-partition/true/product.mk
 ##############################################################
diff --git a/caas/extra_files/firststage-mount/config.asl b/caas/extra_files/firststage-mount/config.asl
index 0427707ab..b4552a73c 100644
--- a/caas/extra_files/firststage-mount/config.asl
+++ b/caas/extra_files/firststage-mount/config.asl
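Review bot: The new trusty/false mixin removes `keystore.trusty` and `ro.hardware.keystore=trusty` but adds only `android.hardware.gatekeeper@1.0-service.software` in their place, so this hunk names no keymaster/keystore backend at all; unless a software keymaster is pulled in by another mixin, keystore ends up with nothing behind it, and the mixin should list the replacement explicitly rather than rely on that. The context line `PRODUCT_COPY_FILES += vendor/intel/fw/trusty-release-binaries/rpmb_dev:$(PRODUCT_OUT)/scripts/rpmb_dev` still copies an artifact out of the trusty binaries into the host scripts after every other trusty consumer is gone in this commit — it looks like a leftover. The downgrade also deserves a comment where a reader will see it, since to my knowledge the software gatekeeper keeps its failure counters in process memory and its throttling does not survive a reboot: `# trusty disabled: software gatekeeper/keymaster only, no hardware-backed keys or persistent lockout`.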
@@ -16,7 +16,7 @@ Scope(_SB)
 Package () {
 Package () {"android.compatible", "android,firmware"},
 Package () {"android.vbmeta.compatible","android,vbmeta"},
- Package () {"android.vbmeta.parts","vbmeta,boot,system,vendor,tos,product"},
+ Package () {"android.vbmeta.parts","vbmeta,boot,system,vendor,product"},
 Package () {"android.fstab.compatible", "android,fstab"},
 Package () {"android.fstab.vendor.compatible", "android,vendor"},
 Package () {"android.fstab.vendor.dev", "/dev/block/pci/pci0000:00/0000:00:ff.ff/by-name/vendor"}, // Varies with platform
diff --git a/caas/extra_files/trusty/load_trusty_modules.in b/caas/extra_files/trusty/load_trusty_modules.in
deleted file mode 100644
index 8d19c1ee5..000000000
--- a/caas/extra_files/trusty/load_trusty_modules.in
+++ /dev/null
@@ -1,18 +0,0 @@
-load_trusty_modules() {
- # Intall virtio drivers Trusty depends on
- insmod $modules/virtio.ko
- insmod $modules/virtio_ring.ko
-
- # Install Trusty drivers
- insmod $modules/trusty.ko
- #insmod $modules/trusty-irq.ko
- insmod $modules/trusty-mem.ko
- insmod $modules/trusty-ipc.ko
- insmod $modules/trusty-virtio.ko
- insmod $modules/trusty-log.ko
- insmod $modules/trusty-wall.ko
- insmod $modules/trusty-timer.ko
- setprop vendor.modules.trusty.ready true
-}
-
-load_trusty_modules&
diff --git a/caas/extra_files/trusty/trusty_project-celadon.mk b/caas/extra_files/trusty/trusty_project-celadon.mk
deleted file mode 100644
index 1d0a3b3cc..000000000
--- a/caas/extra_files/trusty/trusty_project-celadon.mk
+++ /dev/null
@@ -1,50 +0,0 @@ -INSTALLED_TOS_IMAGE_TARGET := $(PRODUCT_OUT)/tos.img -INSTALLED_MULTIBOOT_IMAGE_TARGET := none -TOS_SIGNING_KEY := $(PRODUCT_VERITY_SIGNING_KEY).pk8 -TOS_SIGNING_CERT := $(PRODUCT_VERITY_SIGNING_KEY).x509.pem - -tosimage: $(INSTALLED_TOS_IMAGE_TARGET) - -ifeq ($(INTEL_PREBUILT), true) -$(INSTALLED_TOS_IMAGE_TARGET): - $(hide) (cp $(INTEL_PATH_PREBUILTS)/tos.img $(INSTALLED_TOS_IMAGE_TARGET)) -else -ifeq ($(wildcard $(TOS_PREBUILT)), ) -ifeq (true,$(BOARD_AVB_ENABLE)) -$(INSTALLED_TOS_IMAGE_TARGET): $(LK_ELF) $(EVMM_LK_PKG) $(MKBOOTIMG) $(AVBTOOL) - @echo "mkbootimg to create boot image for TOS file: $@" - $(hide) $(MKBOOTIMG) --kernel $(EVMM_LK_PKG) --output $@ - @echo "$(AVBTOOL): add hashfooter to TOS file: $@" - $(hide) $(AVBTOOL) add_hash_footer \ - --image $@ \ - --partition_size $(BOARD_TOSIMAGE_PARTITION_SIZE) \ - --partition_name tos \ - --algorithm $(BOARD_AVB_ALGORITHM) --key $(BOARD_AVB_KEY_PATH) - $(hide) mkdir -p $(INTEL_PATH_PREBUILTS_OUT) - $(hide) (cp $@ $(INTEL_PATH_PREBUILTS_OUT)) -else # BOARD_AVB_ENABLE == false -$(INSTALLED_TOS_IMAGE_TARGET): $(LK_ELF) $(EVMM_LK_PKG) $(MKBOOTIMG) $(BOOT_SIGNER) - @echo "mkbootimg to create boot image for TOS file: $@" - $(hide) $(MKBOOTIMG) --kernel $(EVMM_LK_PKG) --output $@ - $(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_BOOT_SIGNER)),\ - @echo "$(BOOT_SIGNER): sign prebuilt TOS file: $@" &&\ - $(BOOT_SIGNER) /tos $@ $(TOS_SIGNING_KEY) $(TOS_SIGNING_CERT) $@) - $(hide) mkdir -p $(INTEL_PATH_PREBUILTS_OUT) - $(hide) (cp $@ $(INTEL_PATH_PREBUILTS_OUT)) -endif # BOARD_AVB_ENABLE -else # TOS_PREBUILT == true -$(INSTALLED_TOS_IMAGE_TARGET): - @echo "Use prebuilt tos image $(TOS_PREBUILT)" - $(hide) (cp $(TOS_PREBUILT) $(INSTALLED_TOS_IMAGE_TARGET)) - $(hide) mkdir -p $(INTEL_PATH_PREBUILTS_OUT) - $(hide) (cp $@ $(INTEL_PATH_PREBUILTS_OUT)) -endif # TOS_PREBUILT -endif # INTEL_PREBUILT - -ifeq (true,$(BOARD_AVB_ENABLE)) -INSTALLED_VBMETAIMAGE_TARGET ?= 
$(PRODUCT_OUT)/vbmeta.img -BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --include_descriptors_from_image $(INSTALLED_TOS_IMAGE_TARGET) -$(INSTALLED_VBMETAIMAGE_TARGET): $(INSTALLED_TOS_IMAGE_TARGET) -endif - -INSTALLED_RADIOIMAGE_TARGET += $(INSTALLED_TOS_IMAGE_TARGET) diff --git a/caas/flashfiles.ini b/caas/flashfiles.ini index 9262e714a..2a0205e67 100644 --- a/caas/flashfiles.ini +++ b/caas/flashfiles.ini @@ -47,11 +47,6 @@ tool = fastboot args = erase teedata description = Erase teedata partition -[command.flash.tos] -tool = fastboot -args = flash tos_a $file -file = radio:tos.img -description = Flash tos partition ############################################################## diff --git a/caas/fstab b/caas/fstab index 7830d986e..d31b7509b 100644 --- a/caas/fstab +++ b/caas/fstab @@ -9,10 +9,9 @@ # specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK system /system ext4 ro,barrier=1 wait,slotselect,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey,avb=vbmeta,logical,first_stage_mount /dev/block/by-name/vbmeta /vbmeta emmc defaults defaults,slotselect,avb -/dev/block/by-name/userdata /data ext4 noatime,nosuid,nodev,noauto_da_alloc,errors=panic wait,check,formattable,fileencryption=aes-256-xts:aes-256-cts,quota,reservedsize=50m,fsverity,latemount,keydirectory=/metadata/vold/metadata_encryption,checkpoint=block +/dev/block/by-name/userdata /data ext4 noatime,nosuid,nodev,noauto_da_alloc,errors=panic wait,check,formattable,quota,reservedsize=50m,fsverity,latemount,keydirectory=/metadata/vold/metadata_encryption,checkpoint=block /dev/block/by-name/boot /boot emmc defaults defaults,slotselect,avb /dev/block/by-name/misc /misc emmc defaults defaults -/dev/block/by-name/tos /tos emmc defaults defaults,slotselect,avb /dev/block/by-name/bootloader /bootloader emmc defaults recoveryonly /dev/block/by-name/bootloader2 /bootloader2 emmc defaults recoveryonly /dev/block/by-name/persistent /persistent emmc defaults defaults 
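Review bot: The new userdata line in caas/fstab drops `fileencryption=aes-256-xts:aes-256-cts`, which switches off file-based encryption of /data altogether — a change the subject (disable trusty, permissive sepolicy) never mentions. FBE does not depend on Trusty; its keys can be wrapped by a software keymaster, so keeping the option is compatible with the rest of this commit, and I'd restore it in the fs_mgr flags column: `...wait,check,formattable,fileencryption=aes-256-xts:aes-256-cts,quota,reservedsize=50m,fsverity,latemount,keydirectory=/metadata/vold/metadata_encryption,checkpoint=block`. If dropping encryption is intended, the commit message should say so, and note that `keydirectory=` survives on the new line although there is no `metadata_encryption=` flag on either side — it appears to be inert, worth confirming. The same removal is made in caas/fstab.recovery below.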
diff --git a/caas/fstab.recovery b/caas/fstab.recovery index 37221475b..44e21ffb2 100644 --- a/caas/fstab.recovery +++ b/caas/fstab.recovery @@ -9,10 +9,9 @@ # specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK system /system ext4 ro,barrier=1 wait,slotselect,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey,avb=vbmeta,logical,first_stage_mount /dev/block/by-name/vbmeta /vbmeta emmc defaults defaults,slotselect,avb -/dev/block/by-name/userdata /data ext4 noatime,nosuid,nodev,noauto_da_alloc,errors=panic wait,check,formattable,fileencryption=aes-256-xts:aes-256-cts +/dev/block/by-name/userdata /data ext4 noatime,nosuid,nodev,noauto_da_alloc,errors=panic wait,check,formattable /dev/block/by-name/boot /boot emmc defaults defaults /dev/block/by-name/misc /misc emmc defaults defaults -/dev/block/by-name/tos /tos emmc defaults defaults,slotselect /dev/block/by-name/bootloader /bootloader emmc defaults recoveryonly /dev/block/by-name/bootloader2 /bootloader2 emmc defaults recoveryonly /dev/block/by-name/persistent /persistent emmc defaults defaults diff --git a/caas/gpt.ini b/caas/gpt.ini index 82a2f740b..7372f8faa 100644 --- a/caas/gpt.ini +++ b/caas/gpt.ini @@ -22,7 +22,7 @@ has_slot = true # Source: device/intel/mixins/groups/boot-arch/project-celadon/gpt.ini ############################################################## [base] -partitions = bootloader bootloader2 boot tos misc metadata acpio super data persistent teedata +partitions = bootloader bootloader2 boot misc metadata acpio super data persistent teedata device = auto nb_slot = 2 @@ -45,11 +45,6 @@ len = 30 type = boot has_slot = true -[partition.tos] -label = tos -len = 10 -type = boot -has_slot = true [partition.misc] label = misc diff --git a/caas/init.rc b/caas/init.rc index 39ddbba3e..553b7ff04 100644 --- a/caas/init.rc +++ b/caas/init.rc 
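Review bot: The recovery fstab removes `fileencryption=aes-256-xts:aes-256-cts` from the userdata line in the same way as the main fstab, so a recovery-side format of /data produces an unencrypted filesystem; this is unrelated to removing the `tos` entry and is not covered by the commit subject. Since FBE works with a software keymaster, I'd keep `wait,check,formattable,fileencryption=aes-256-xts:aes-256-cts` here, and in any case the two fstabs must agree on whether /data is encrypted or recovery and the main system will disagree about what a freshly formatted userdata looks like.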
@@ -187,33 +187,6 @@ on post-fs insmod /vendor/lib/modules/r8152.ko insmod /vendor/lib/modules/r8169.ko ############################################################## -# Source: device/intel/mixins/groups/trusty/true/init.rc -############################################################## -on post-fs-data - mkdir /data/vendor/securestorage 0700 system system - chmod 666 /dev/rpmb0 - -on early-boot - start storageproxyd - -service storageproxyd /vendor/bin/storageproxyd -d /dev/trusty-ipc-dev0 -p /data/vendor/securestorage -r /dev/vport0p1 -t virt - user system - group system - -on boot - start keyboxd - -service keyboxd /vendor/bin/keybox_provisioning -d /dev/trusty-ipc-dev0 -p /dev/block/by-name/teedata - user system - group system - oneshot - -on post-fs - wait_for_prop vendor.modules.trusty.ready true - # Update device node r/w attribute - chmod 666 /dev/trusty-ipc-dev0 - chmod 666 /dev/vport0p1 -############################################################## # Source: device/intel/mixins/groups/config-partition/true/init.rc ############################################################## # Enable SELinux labeling diff --git a/caas/ueventd.rc b/caas/ueventd.rc index 3a30b9525..f3a30e4e9 100644 --- a/caas/ueventd.rc +++ b/caas/ueventd.rc @@ -27,11 +27,6 @@ # Used by WideVine /dev/meimm 0660 system drmrpc -############################################################## -# Source: device/intel/mixins/groups/trusty/true/ueventd.rc -############################################################## -/dev/block/p*/*/*/by-name/teedata 0660 system system - ############################################################## # Source: device/intel/mixins/groups/graphics/auto/ueventd.rc ##############################################################