From e63c937bc310cfe1f3c78a2cfa699853c5763b5c Mon Sep 17 00:00:00 2001 From: Isaac Chen Date: Tue, 8 May 2018 17:04:08 +0800 Subject: [PATCH] Build disabled vbmeta.img for aosp_$arch System images of aosp_$arch are used as GSIs in P, and traditional GSI users often need a special vbmeta image to disable verity (if AVB is employed) befrre they flash the GSI. "BOARD_BUILD_DISABLED_VBMETAIMAGE := true" builds such vbmeta.img Bug: 79393905 Test: # For arch in arm, arm64, x86, x86_64, do $ lunch aosp_$arch; m -j # found vbmeta.img under $OUT Change-Id: I113006385991a2daab60d3c55dc03f23f1b383b8
---
 target/board/generic/BoardConfig.mk | 10 ++++++++++
 target/board/generic_arm64/BoardConfig.mk | 10 ++++++++++
 target/board/generic_x86/BoardConfig.mk | 10 ++++++++++
 target/board/generic_x86_64/BoardConfig.mk | 10 ++++++++++
 4 files changed, 40 insertions(+)
diff --git a/target/board/generic/BoardConfig.mk b/target/board/generic/BoardConfig.mk
index cc06983e6d..abd519e6c9 100644
--- a/target/board/generic/BoardConfig.mk
+++ b/target/board/generic/BoardConfig.mk
@@ -59,6 +59,16 @@ DEVICE_MATRIX_FILE := device/generic/goldfish/compatibility_matrix.xml
 BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
 BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
 
+# Android Verified Boot (AVB):
+# Builds a special vbmeta.img that disables AVB verification.
+# Otherwise, AVB will prevent the device from booting the generic system.img.
+# Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity
+# metadata into system.img.
+ifeq ($(BOARD_AVB_ENABLE),true)
+$(error BOARD_AVB_ENABLE cannot be set for GSI)
+endif
+BOARD_BUILD_DISABLED_VBMETAIMAGE := true
+
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
 # GSI is always userdebug and needs a couple of properties taking precedence
 # over those set by the vendor.
diff --git a/target/board/generic_arm64/BoardConfig.mk b/target/board/generic_arm64/BoardConfig.mk
index 6b766a87cf..7fa4d8f326 100644
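Review bot: The `ifeq ($(BOARD_AVB_ENABLE),true)` guard added ahead of `BOARD_BUILD_DISABLED_VBMETAIMAGE := true` is evaluated at the moment make parses it, so it only rejects a value assigned earlier in the include chain; anything that sets BOARD_AVB_ENABLE after this BoardConfig.mk has been read would not trip the error, and the verity metadata the comment wants to keep out of system.img could still be added. The comparison also uses the raw value, so an assignment with stray whitespace passes; `ifeq ($(strip $(BOARD_AVB_ENABLE)),true)` is the tolerant form. Since the resulting vbmeta.img exists to turn verification off, the comment block could carry one more line such as `# For GSI testing only; do not ship this vbmeta.img in a product build.` The same ten lines are repeated verbatim in the generic_arm64, generic_x86 and generic_x86_64 hunks, so these points apply there as well, and a single shared include would keep the four copies from drifting apart.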
--- a/target/board/generic_arm64/BoardConfig.mk
+++ b/target/board/generic_arm64/BoardConfig.mk
@@ -88,6 +88,16 @@ DEVICE_MATRIX_FILE := device/generic/goldfish/compatibility_matrix.xml
 BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
 BOARD_SEPOLICY_DIRS += build/target/board/generic/sepolicy
 
+# Android Verified Boot (AVB):
+# Builds a special vbmeta.img that disables AVB verification.
+# Otherwise, AVB will prevent the device from booting the generic system.img.
+# Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity
+# metadata into system.img.
+ifeq ($(BOARD_AVB_ENABLE),true)
+$(error BOARD_AVB_ENABLE cannot be set for GSI)
+endif
+BOARD_BUILD_DISABLED_VBMETAIMAGE := true
+
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
 # GSI is always userdebug and needs a couple of properties taking precedence
 # over those set by the vendor.
diff --git a/target/board/generic_x86/BoardConfig.mk b/target/board/generic_x86/BoardConfig.mk
index 693aa6c91c..54f37b4e63 100644
--- a/target/board/generic_x86/BoardConfig.mk
+++ b/target/board/generic_x86/BoardConfig.mk
@@ -62,6 +62,16 @@ BOARD_SEPOLICY_DIRS += \
 build/target/board/generic/sepolicy \
 build/target/board/generic_x86/sepolicy
 
+# Android Verified Boot (AVB):
+# Builds a special vbmeta.img that disables AVB verification.
+# Otherwise, AVB will prevent the device from booting the generic system.img.
+# Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity
+# metadata into system.img.
+ifeq ($(BOARD_AVB_ENABLE),true)
+$(error BOARD_AVB_ENABLE cannot be set for GSI)
+endif
+BOARD_BUILD_DISABLED_VBMETAIMAGE := true
+
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
 # GSI is always userdebug and needs a couple of properties taking precedence
 # over those set by the vendor.
diff --git a/target/board/generic_x86_64/BoardConfig.mk b/target/board/generic_x86_64/BoardConfig.mk
index 21e4fc99b7..b5e0dd75fe 100755
--- a/target/board/generic_x86_64/BoardConfig.mk
+++ b/target/board/generic_x86_64/BoardConfig.mk
@@ -60,6 +60,16 @@ BOARD_SEPOLICY_DIRS += \
 build/target/board/generic/sepolicy \
 build/target/board/generic_x86/sepolicy
 
+# Android Verified Boot (AVB):
+# Builds a special vbmeta.img that disables AVB verification.
+# Otherwise, AVB will prevent the device from booting the generic system.img.
+# Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity
+# metadata into system.img.
+ifeq ($(BOARD_AVB_ENABLE),true)
+$(error BOARD_AVB_ENABLE cannot be set for GSI)
+endif
+BOARD_BUILD_DISABLED_VBMETAIMAGE := true
+
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
 # GSI is always userdebug and needs a couple of properties taking precedence
 # over those set by the vendor.