Ignore-AOSP-First: Ignore-AOSP-First: Other CLs in the same topic are internal-only
Test: m nothing
Bug: 267229065
Change-Id: I2d71daa6af97eeb0050e1084b27b03900d2d75ef
Merged-In: I2d71daa6af97eeb0050e1084b27b03900d2d75ef
Added new properties, which could be set for AOSP/GSI builds.
These properties are going to be used for attestation feature through
Build.java class. Earlier in AOSP builds attestation ids were different
from provisioned ids in Keymint. These properties will be identical to
provisioned ids.
Bug: 110779648
Bug: 259376922
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/0_android_hardware_security_keymint_IKeyMintDevice_default
Test: atest VtsAidlKeyMintTargetTest:PerInstance/NewKeyGenerationTest#EcdsaAttestationIdTags/1_android_hardware_security_keymint_IKeyMintDevice_strongbox
Test: atest CtsKeystoreTestCases:android.keystore.cts.KeyAttestationTest CtsKeystoreTestCases:DeviceOwnerKeyManagementTest
Change-Id: I9eea5e0f2fabc667b3efedeeefdf12e7b4fc9502
When we have dedicated .mk files for each modules (e.g. usb, drm, etc)
and those modules have their own linker configuration requirements, it
would make more sense to have "fragments" for linker configuration.
This change introduces a new list variable to store the list of linker
configuration fragments. When it's set, vendor/etc/linker.config.pb is
generated from the list of input fragments.
Bug: 264330513
Test: set PRODUCT_VENDOR_LINKER_CONFIG_FRAGMENTS
Test: m vendorimage (generates vendor/etc/linker.config.pb)
Change-Id: I9eed0f90add0191885b7195efdab94b5b1a4a62d
Example usage:
PRODUCT_INCLUDE_TAGS += use_myspecial_sdk
This also populates the allowlist with go/nogo mainline tags. Usage of
`PRODUCT_INCLUDE_TAGS` outside this allowlist will raise an error
in product config
Test: TH
Change-Id: Ica82a8f65cbfda600d72fc54fb873c1eaa1666a7
This is determined by:
- a product config flag
- the vendor API level
It is then passed to the device as a system property
"ro.dalvik.vm.enable_uffd_gc".
This change is a no-op change. It doesn't enable userfaultfd GC by
default. OVERRIDE_ENABLE_UFFD_GC=default can be passed to the build
system to enable userfaultfd GC for testing purposes.
Bug: 242553398
Test: -
1. lunch aosp_redfin-userdebug
2. OVERRIDE_ENABLE_UFFD_GC=default build/soong/soong_ui.bash --dumpvars-mode --vars=ENABLE_UFFD_GC
3. See "false" in the output
Test: -
1. lunch aosp_oriole-userdebug
2. OVERRIDE_ENABLE_UFFD_GC=default build/soong/soong_ui.bash --dumpvars-mode --vars=ENABLE_UFFD_GC
3. See "true" in the output
Test: -
1. lunch aosp_redfin-userdebug
2. OVERRIDE_ENABLE_UFFD_GC=true build/soong/soong_ui.bash --dumpvars-mode --vars=ENABLE_UFFD_GC
3. See "true" in the output
Test: -
1. lunch aosp_oriole-userdebug
2. OVERRIDE_ENABLE_UFFD_GC=false build/soong/soong_ui.bash --dumpvars-mode --vars=ENABLE_UFFD_GC
3. See "false" in the output
Change-Id: Ifd6e6cddb502315912ff949619a5b526ae0d73ff
The change in the packages/modules/Virtualization in the same topic
takes care of defining the right variant of the APEX to be installed:
* Devices with AVF support will get the full com.android.virt APEX
* Devices without AVF support will get an almost empty version that only
contains an app that defines AVF-related permissions, and soon the BCP
fragment jar.
Bug: 243512044
Test: build & flash oriole
Test: build & flash redfin
Change-Id: I2c38e03529a77dd2820212812433741725115ce0
* Expand the allowlist to include {system_ext, vendor, odm,
product}/framework/*. Generate .fsv_meta for them.
* Add BuildManifest.apk for those partitions.
* Rename PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA to remove "SYSTEM".
* (new in reland): add apkcerts
Bug: 245957815
Test: m
Test: ls -l $ANDROID_PRODUCT_OUT/*/etc/security/fsverity/BuildManifest.apk
Test: extract assets/build_manifest.pb from apk, inspect
Test: run asit/ota/signing
Change-Id: I48a5e473aa5eedb24edab54357a9141fc8d78759
* Expand the allowlist to include {system_ext, vendor, odm,
product}/framework/*. Generate .fsv_meta for them.
* Add BuildManifest.apk for those partitions.
* Rename PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA to remove "SYSTEM".
Bug: 245957815
Test: m
Test: ls -l $ANDROID_PRODUCT_OUT/*/etc/security/fsverity/BuildManifest.apk
Test: extract assets/build_manifest.pb from apk, inspect
Change-Id: I503672571741d47ba15add048c0a2f00b6b2a86d
verity.mk is used to set the related variable for VB 1.0 support, but
we already removed VB 1.0. This change removes the unused code. We also
remove and block PRODUCT_VERITY_SIGNING_KEY in this change.
Bug: 241044073
Test: atest under build/make
Change-Id: Ifbcde7da27a931ef3b9d746b1c5a279d88c0ec85
PRODUCT_SUPPORTS_VERITY and PRODUCT_SUPPORTS_VERITY_FEC are going to be
deprecated since we removed VB 1.0 support. This change removes the
related references.
Bug: 241044073
Test: atest under build/make
Change-Id: Icee659ff0606cda1ab44e92372d86a394ddf1466
These variables are going to be deprecated since we removed VB 1.0
support. This change removes the related references. boot.img can be
verified by an AVB 2.0 hash descriptor now.
Bug: 241044073
Test: atest under build/make
Change-Id: I267da2d591525ffc0cabf92791cf66a36ef8ff62
The makefile product inheritance code was supposed
to deduplicate inheritance calls, but there was
a bug in the uniq-word function that caused it
to not work when duplicated words were adjacent.
$(subst |||x|||,||| |||,|||x|||x|||) produces
||| |||x||| instead of ||| ||| |||.
Rewrite the uniq-word function to fix the bug.
This issue was causing a discrepancy between
the makefile and starlark based product configurations,
as the starlark implementation didn't have this bug.
Bug: 237019892
Test: ./build/bazel/ci/rbc_dashboard.py --quick on an internal-only product
Change-Id: I543a80746412ffcb9743203399413a0e707111e6
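The adjacent-duplicate failure described in the commit message above, as an added Python illustration that is not AOSP code: `str.replace` scans left to right without re-reading consumed characters, which matches the `$(subst ...)` output quoted in the message. The `|||`-delimited encoding helper, the dedup loop and the makefile names are assumptions constructed for this example; the original `uniq-word` body is not shown on this page.

```python
# Added illustration (not AOSP code). Models the single-pass substitution
# quoted in the commit message and a word-wise replacement for it.

DELIM = "|||"

# Constructed sample: inherited product makefiles with adjacent duplicates.
SAMPLE = ["gsi.mk", "base.mk", "gsi.mk", "gsi.mk"]


def encode(words):
    """Join words as |||a|||b|||; neighbours share one delimiter."""
    return DELIM + DELIM.join(words) + DELIM if words else DELIM


def decode(encoded):
    """Split on the delimiter and drop the blanks left by removed words."""
    return [w for w in encoded.split(DELIM) if w.strip()]


def remove_word_subst(words, word):
    """Buggy removal: one left-to-right substitution pass.

    After the first match consumes the shared delimiter, the next
    adjacent copy no longer has a leading delimiter and is skipped.
    """
    encoded = encode(words).replace(DELIM + word + DELIM, DELIM + " " + DELIM)
    return decode(encoded)


def remove_word(words, word):
    """Word-wise removal: compares whole words, so adjacency is irrelevant."""
    return [w for w in words if w != word]


def uniq_words(words, remove=remove_word):
    """Order-preserving dedup: keep each first occurrence, strip it from the rest."""
    result, rest = [], list(words)
    while rest:
        head, rest = rest[0], remove(rest[1:], rest[0])
        result.append(head)
    return result


if __name__ == "__main__":
    print("subst-style:", uniq_words(SAMPLE, remove=remove_word_subst))
    print("word-wise:  ", uniq_words(SAMPLE))
```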
The long-form variables (PRODUCTS.<makefile>.<variable>)
are used to get information about multiple products.
However, they've never really worked correctly, and so
importing multiple products is deprecated behavior.
Remove as many usages of the long-form variables and
multi-product imports as possible.
Bug: 228518445
Test: Manually
Change-Id: I0b67f16360ff8bdcdb39638de739440472bccf76
This overrides the branch default
(BRANCH_DEFAULT_MODULE_BUILD_FROM_SOURCE) if it is set to use
prebuilts.
Test: build/soong/soong_ui.bash --dumpvar-mode MODULE_BUILD_FROM_SOURCE
returns false with BRANCH_DEFAULT_MODULE_BUILD_FROM_SOURCE:=false
in internal
Test: env TARGET_PRODUCT=module_arm64 \
build/soong/soong_ui.bash --dumpvar-mode MODULE_BUILD_FROM_SOURCE
returns true with BRANCH_DEFAULT_MODULE_BUILD_FROM_SOURCE:=false
in internal
Test: env TARGET_PRODUCT=mainline_modules_x86 \
build/soong/soong_ui.bash --dumpvar-mode MODULE_BUILD_FROM_SOURCE
returns true with BRANCH_DEFAULT_MODULE_BUILD_FROM_SOURCE:=false
in internal
Test: env TARGET_PRODUCT=redfin \
build/soong/soong_ui.bash --dumpvar-mode MODULE_BUILD_FROM_SOURCE
returns false with BRANCH_DEFAULT_MODULE_BUILD_FROM_SOURCE:=false
in internal
Bug: 222723757
Change-Id: I0faea006b0e95eff40bbfbe00cc74ba5985beeba
Add vendor_kernel_boot image for vendors whose bootloader supports
extra first stage booting kernel modules ramdisks. This benefits
kernel repo to build kernel-artifacts only image without Android
artifacts dependency.
Bug: 214409109
Signed-off-by: Lucas Wei <lucaswei@google.com>
Change-Id: If07218b86a7751b3d452a172610af960f5f9ec74
Currently inherit-product and the rest of the product
configuration infrastructure does not handle wildcards.
However, they still get passed through unchanged, until
they reach the raw Make include statement, which expands
them. This essentially makes a meta-product that is the
result of combining all the makefiles that were matched.
In Starlark, the behavior is to actually treat each file
as its own product. This causes a discrepancy when using
`m product-graph`, where make shows one node for all those
files and Starlark has a node for each.
This is probably unintentional behavior, so change Make
to also import each file as separate products. On the
product I was investigating, the only difference this
made in the ninja file was in the product graph.
Bug: 221312856
Test: Presubmits
Change-Id: I9ca7aff0b0790aeb6e42861ce2745feed8a1a7c4
There are 2 choices to build system_dlkm.img for
the system_dlkm partition for Android T launch
devices and must choose one.
1. Use kernel prebuilt system_dlkm.img
- BOARD_PREBUILT_SYSTEM_DLKM_IMAGE to point image
2. Build from kernel prebuilt system_dlkm_staging
- PRODUCT_BUILD_SYSTEM_DLKM_IMAGE
Both require: BOARD_SYSTEM_DLKM_PARTITION_SIZE and
must be 64MB or higher in size (enforced via vts).
Bug: 200082547
Test: TH
Test: atest vts_system_dlkm_partition_test
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I83435123bd8aa3d04ab8a8b650a95fbab0bc49f2
I56ed328a9ae70cf49dbd3c6efb5a4a8c54e1b7a7 added a validation check to
otatools to check the target_files archive for the existence of
userdebug_plat_sepolicy.cil. That check superseded the original
PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT product_config.mk check and
is more robust because it can handle not only phone GSI but also car/tv
GSI (downstream of phone GSI).
Modify the check to show a scary wall of text if non-compliance-GSI
products tried to set PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT,
instead of erroring out immediately.
Also add gsi_car_arm64 & gsi_car_x86_64 to the list of eligible GSI
product names.
After this change, any product can set
PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT for development purposes, but
only GSI products that specify `--allow_gsi_debug_sepolicy` during
image signing can release sign a product built with
PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT.
Bug: 188067818
Test: Presubmit
Test: lunch gsi_arm64-userdebug && m nothing # => no warning
Change-Id: I34ef49af29c7064bea8924b0070793f1e78256bf
Equivalent to PRODUCT_EXTRA_RECOVERY_KEYS but for A/B OTA.
Bug: 211848136
Test: set PRODUCT_EXTRA_OTA_KEYS and check otacerts.zip
Change-Id: I81e27d12a22b405f6227b09c01ed684dfcede19e
This ramdisk used to be in boot.img, and is now placed into this new
init_boot.img instead.
This new image is used for a new init partition to separate Android
platform artifacts from the kernel artifacts in boot.img.
Test: boot Cuttlefish
Bug: 203698939
Change-Id: Iaaf82486259979ab728730ce72a4e847ae005c18
This is the list of jars that system_server loads dynamically using
separate classloaders. We will rely on this variable to decide which
jars to preopt in the build system and on the device for system_server.
The list is supposed to be in sync with the code in SystemServer.java.
There will be a follow-up CL to add a comment in SystemServer.java to
remind developers to keep them in sync.
Bug: 203198541
Test: m nothing
Change-Id: I305a73218ef2d2c61ac3795d21026b2afe7007fd
builds (reland).
- Use art/build/boot/boot-image-profile.txt for the primary boot image
in the ART module, both when it's built from source in platform and
as an unbundled module.
- Use frameworks/base/boot/boot-image-profile.txt for the framework
extension image in platform, but not in unbundled builds.
This should obsolete the combined profile
frameworks/base/config/boot-image-profile.txt.
This relands https://r.android.com/1881863 with a fix to allow multiple
values on PRODUCT_DEX_PREOPT_BOOT_IMAGE_PROFILE_LOCATION.
Test: build/soong/soong_ui.bash --dumpvar-mode \
PRODUCT_DEX_PREOPT_BOOT_IMAGE_PROFILE_LOCATION
and check that it prints both art/build/boot/boot-image-profile.txt
and frameworks/base/boot/boot-image-profile.txt in a platform build
on master.
Test: build/soong/soong_ui.bash --dumpvar-mode \
PRODUCT_DEX_PREOPT_BOOT_IMAGE_PROFILE_LOCATION
and check that it prints only art/build/boot/boot-image-profile.txt
in an unbundled build on master-art.
Test: banchan com.android.art && m
on master-art and check that
out/soong/.intermediates/art/build/apex/com.android.art/android_common_com.android.art_image/image.apex/javalib/x86_64/boot.oat
shrinks from 14 MB to 4.7.
Test: m droid
on master together with https://r.android.com/1895131 and check that
out/soong/.intermediates/art/build/apex/com.android.art/android_common_com.android.art_image/image.apex/javalib/x86_64/boot.oat
and out/target/product/vsoc_x86_64/system/framework/x86_64/boot-framework.oat
are identical.
Test: lunch armv8-eng && art/tools/buildbot-build.sh
on master-art
Bug: 174746397
Change-Id: I9114271bc69cf0888150b2c778a086bc50b73045
Using fsverity tool, fsverity metadata for specific artifacts in system
image can be generated. Users can do that by setting a makefile variable
PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA to true.
If set to true, the following artifacts will be signed.
- system/framework/*.jar
- system/framework/oat/<arch>/*.{oat,vdex,art}
- system/etc/boot-image.prof
- system/etc/dirty-image-objects
One fsverity metadata container file per one input file will be
generated in system.img, with a suffix ".fsv_meta". e.g. a container
file for "system/framework/foo.jar" will be
"system/framework/foo.jar.fsv_meta".
Bug: 193113311
Test: build with PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA := true
Change-Id: Ib70d591a72d23286b5debcb05fbad799dfd79b94
Add PRODUCT_BROKEN_DEPRECATED_MK_SYSTEM_SERVER_JARS variable that is
undefined by default. Setting that variable to true enables support for
system server jars defined in Android.mk. It should be enabled on a
per-product basis in product makefiles.
Bug: 203618671
Test: m nothing
Change-Id: If90d7131d37f308c468e395c236d5aa5ad053bad
This reverts commit a2a5db4466.
Reason for revert: original change was obsoleted by
I3161e42b00a93177a1a4cb3b22da2218d294b7a7
Bug: 202129499
Test: Presubmit; change should be noop
Change-Id: Ib7be1ed73dbf08758276666f8ce35ed9cbf18a36
* changes:
Add generic board-agnostic pre-built pvmfw.img
Add framework for building the pvmfw.img partition
Stop assuming that pvmfw.img can only be pre-built
Adapt the variables necessary for building pvmfw.img by following what
was done for other Android partitions and introducing:
- PRODUCT_BUILD_PVMFW_IMAGE
- BUILDING_PVMFW_IMAGE
- BUILT_PVMFWIMAGE_TARGET
Replace the manual 'cp' by the more common 'copy-one-file'.
Bug: 199831815
Test: m ${ANDROID_PRODUCT_OUT}/pvmfw.img # with TARGET_PKVM_ENABLED=true
Change-Id: I5e4bbcbdbf4b96281ee54631938f097e9744883c
Add PRODUCT variables
PRODUCT_BUILD_DEBUG_BOOT_IMAGE
PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE
as toggles to enable/disable building boot-debug & vendor_boot-debug.
Bug: 200945738
Test: m bootimage_debug
Change-Id: Ic032b8594f776f911d7b6345a97d64fed930d890
This is to support a bootimage only target in AB.
Bug: 198363484
Test: lunch aosp_arm64-userdebug; make bootimage dist
Change-Id: I9a32c365f635ec4693675a1969d7a1e684c8f55a
If this option is set, then an additional copy of the debug policy can
be installed to the GSI, and the init-second-stage of GSI could load
debug policy from GSI /system_ext when debug-ramdisk is used.
Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I8c62a3cea026bd26b1994092a14238d22ba1e2df
Those boot-debug-*.img are used with `repack_bootimg` for a
vendor_boot-debug.img in VTS setup. It is not for GKI boot.img
release.
https://source.android.com/compatibility/vts/vts-on-gsi#repacking
Renames boot-debug-*.img to boot-with-debug-ramdisk-*.img to
avoid confusion with the official GKI boot.img release.
Bug: 200878300
Test: `lunch gsi_arm64-user` then `make bootimage_debug`
Change-Id: Ia1f6ba847d5b7409fb7a8534432484d2aa972494
Revert "Add system_ext_userdebug_plat_sepolicy.cil for GSI"
Revert submission 1824717-gsi_debug_policy
Reason for revert: Breaks the build (see b/200933187).
Reverted Changes:
I37ef02628:Add a copy of debug policy to GSI system image
I9c3dad8bb:Add PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
I43adc6ada:Add system_ext_userdebug_plat_sepolicy.cil for GSI...
I4d6235c73:Add /system_ext/etc/selinux/ to the debug policy s...
Bug: 200933187
Change-Id: I4252793fbee1b83e3db26f944ac0be6581fa773f
If this option is set, then an additional copy of the debug policy can
be installed to the GSI, and the init-second-stage of GSI could load
debug policy from GSI /system_ext when debug-ramdisk is used.
Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I9c3dad8bb6c5fa88b16762193446dc7e54f326c8
This reverts commit efe6a4d748.
As a result of b/191269918, APEX variants are now consistently
identified by their "runtime names", i.e. their mount names under
/apex. Those names are now also used to identify the APEXes in
PRODUCT_BOOT_JARS and similar variables. That avoids implementing a
global lookup mechanism in Soong, and since they don't vary between
products also makes this override variable unnecessary.
Test: `m nothing` in internal
Bug: 191269918
Bug: 180325915
Change-Id: I6fd3d29d1c032c9f8bda0191781f9d2dc6f199a4
Regardless of an "updatable" property, list all apex jars in the same
variable. This is less confusing for devs and matches the pattern with
PRODUCT_APEX_BOOT_JARS.
Bug: 191127295
Test: atest CtsClasspathsTestCases
Change-Id: I3b12f26237636f4271cb000480928b3ce1c2e62f
Merged-In: I3b12f26237636f4271cb000480928b3ce1c2e62f
Regardless of an "updatable" property of individual, list all apex boot
jars in the same variable. This is less confusing for devs, especially
since they shouldn't care about things like boot images.
Bug: 191127295
Test: atest CtsClasspathsTestCases
Change-Id: I0a559db462d1e1f67003ac54d1e27a89110d802a
Merged-In: I0a559db462d1e1f67003ac54d1e27a89110d802a
Starting with Android R launched devices, debugfs cannot be mounted in
production builds. In order to avoid accidental debugfs dependencies
from creeping in during development with userdebug/eng builds, this
patch introduces a build flag that can be set by vendors to enforce
additional debugfs restrictions for userdebug/eng builds. The same flag
will be used to enable sepolicy neverallow statements to prevent new
permissions added for debugfs access.
Bug: 184381659
Test: make with/without PRODUCT_SET_DEBUGFS_RESTRICTIONS
Change-Id: I9aff974da7ddce9bf1a7ec54153b161527b12062
After aosp/1184262 is submitted, PRODUCT_CHECK_ELF_FILES is deprecated
and nobody is using this variable anymore.
Bug: 149715904
Test: Presubmit; Should be noop
Change-Id: Iaf4a6ae1fe4062684a9699b7ef999030ff483e16
This reverts commit ccfea17fb7.
Reason for revert: Original bug was resolved by updating branch config
Change-Id: I2327092261a2147fa8f2be3d878db04228e65511