Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2d78a263 authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review
Browse files

Merge "trusty: support secure storage in system-ext" into main

parents 13502072 69f3da83
Loading
Loading
Loading
Loading
+2 −1
Original line number Diff line number Diff line
@@ -20,6 +20,7 @@ package {

cc_library_static {
    name: "libtrustystorageinterface",
    vendor: true,
    vendor_available: true,
    system_ext_specific: true,
    export_include_dirs: ["include"],
}
+16 −10
Original line number Diff line number Diff line
@@ -18,10 +18,8 @@ package {
    default_applicable_licenses: ["Android-Apache-2.0"],
}

cc_binary {
    name: "storageproxyd",
    vendor: true,

cc_defaults {
    name: "storageproxyd.defaults",
    srcs: [
        "checkpoint_handling.cpp",
        "ipc.c",
@@ -47,14 +45,22 @@ cc_binary {
        "libtrustystorageinterface",
        "libtrusty",
    ],
    target: {
        vendor: {
            // vendor variant requires this flag
            cflags: ["-DVENDOR_FS_READY_PROPERTY"],
        },
    },
    cflags: [
        "-Wall",
        "-Werror",
    ],
}

cc_binary {
    name: "storageproxyd",
    defaults: ["storageproxyd.defaults"],
    vendor: true,
    // vendor variant requires this flag
    cflags: ["-DVENDOR_FS_READY_PROPERTY"],
}

cc_binary {
    name: "storageproxyd.system",
    defaults: ["storageproxyd.defaults"],
    system_ext_specific: true,
}
+25 −0
Original line number Diff line number Diff line
#
# Copyright (C) 2024 The Android Open-Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

#
# This makefile should be included by the cuttlefish device
# when enabling the Trusty VM to pull in the baseline set
# of storage specific modules

PRODUCT_PACKAGES += \
	storageproxyd.system \
	rpmb_dev.system \
+18 −5
Original line number Diff line number Diff line
@@ -15,11 +15,8 @@ package {
    default_applicable_licenses: ["Android-Apache-2.0"],
}

cc_binary {
    name: "rpmb_dev",
    vendor: true,
    host_supported: true,

cc_defaults {
    name: "rpmb_dev.cc_defaults",
    srcs: [
        "rpmb_dev.c",
    ],
@@ -32,7 +29,23 @@ cc_binary {
        "-Wall",
        "-Werror",
    ],
}

cc_binary {
    name: "rpmb_dev",
    defaults: ["rpmb_dev.cc_defaults"],
    vendor: true,
    host_supported: true,
    init_rc: [
        "rpmb_dev.rc",
    ],
}

cc_binary {
    name: "rpmb_dev.system",
    defaults: ["rpmb_dev.cc_defaults"],
    system_ext_specific: true,
    init_rc: [
        "rpmb_dev.system.rc",
    ],
}
+64 −0
Original line number Diff line number Diff line
service storageproxyd_system /system_ext/bin/storageproxyd.system \
        -d ${storageproxyd_system.trusty_ipc_dev:-/dev/trusty-ipc-dev0} \
        -r /dev/socket/rpmb_mock_system \
        -p /data/secure_storage_system \
        -t sock
    disabled
    user system
    group system

service rpmb_mock_init_system /system_ext/bin/rpmb_dev.system \
        --dev /mnt/secure_storage_rpmb_system/persist/RPMB_DATA --init --size 2048
    disabled
    user system
    group system
    oneshot

service rpmb_mock_system /system_ext/bin/rpmb_dev.system \
        --dev /mnt/secure_storage_rpmb_system/persist/RPMB_DATA \
        --sock rpmb_mock_system
    disabled
    user system
    group system
    socket rpmb_mock_system stream 660 system system

# storageproxyd
on late-fs && \
    property:trusty_vm_system_nonsecure.ready=1 && \
    property:storageproxyd_system.trusty_ipc_dev=*
    wait /dev/socket/rpmb_mock_system
    start storageproxyd_system


# RPMB Mock
on post-fs && \
    property:trusty_vm_system_nonsecure.ready=1 && \
    property:trusty_vm_system.vm_cid=*
    # Create a persistent location for the RPMB data
    # (work around lack of RPMb block device on CF).
    # file contexts secure_storage_rpmb_system_file
    # (only used on Cuttlefish as this is non secure)
    mkdir /metadata/secure_storage_rpmb_system 0770 system system
    mkdir /mnt/secure_storage_rpmb_system 0770 system system
    symlink /metadata/secure_storage_rpmb_system \
            /mnt/secure_storage_rpmb_system/persist
    # Create a system persist directory in /metadata
    # (work around lack of dedicated system persist partition).
    # file contexts secure_storage_persist_system_file
    mkdir /metadata/secure_storage_persist_system 0770 system system
    mkdir /mnt/secure_storage_persist_system 0770 system system
    symlink /metadata/secure_storage_persist_system \
            /mnt/secure_storage_persist_system/persist
    setprop storageproxyd_system.trusty_ipc_dev VSOCK:${trusty_vm_system.vm_cid}:1
    exec_start rpmb_mock_init_system
    start rpmb_mock_system

on post-fs-data && \
    property:trusty_vm_system_nonsecure.ready=1 && \
    property:storageproxyd_system.trusty_ipc_dev=*
    # file contexts secure_storage_system_file
    mkdir /data/secure_storage_system 0770 root system
    symlink /mnt/secure_storage_persist_system/persist \
            /data/secure_storage_system/persist
    chown root system /data/secure_storage_system/persist
    restart storageproxyd_system