c1a8f1a5d7
The major purpose of vbmeta.img built on GSI targets (e.g., aosp_arm, aosp_arm64, etc) is to disable AVB. We should also set the rollback index to zero, to prevent the device bootloader from updating the last seen rollback index in the tamper-evident storage. Bug: 122583908 Test: build aosp_arm64, then `avbtool info_image --image $OUT/vbmeta.img` Change-Id: I48a49957f8dd3169003b9507fe80e519f301d5b5
# BoardConfigGsiCommon.mk
#
# Board-level build settings shared by every Generic System Image (GSI)
# target. Everything here is layered on top of the mainline board config
# included below, so an assignment in this file overrides the mainline value.
#

include build/make/target/board/BoardConfigMainlineCommon.mk

# Treble: keep system properties split per partition.
BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true

# Mainline turns this on; GSI does not want it, so clear it again.
BOARD_USES_SYSTEM_OTHER_ODEX :=

# GSI releases have always been sparse images, and some vendor bootloaders
# do not handle raw images properly. Sparse is already the default; it is
# spelled out here so the requirement is explicit.
TARGET_USERIMAGES_SPARSE_EXT_DISABLED := false

# system.img itself is always sparse ext4. make_f2fs is still built into the
# GSI so that devices whose userdata partition is f2fs are supported.
TARGET_USERIMAGES_USE_F2FS := true

# Size the system image dynamically and keep 64 MiB (67108864 bytes) of it
# in reserve.
BOARD_SYSTEMIMAGE_PARTITION_RESERVED_SIZE := 67108864

# For now, product packages are installed under /system on GSI.
TARGET_COPY_OUT_PRODUCT := system/product

# Create the metadata mount point under the root directory, for devices
# that have a metadata partition.
BOARD_USES_METADATA_PARTITION := true

# Android Verified Boot (AVB), top-level vbmeta.img:
#
# "--flags 2" sets AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED, so the
# vbmeta.img produced by a GSI target exists to switch AVB verification off.
# Its rollback index is pinned to zero so that booting with it does not make
# the device bootloader update the last seen rollback index in its
# tamper-evident storage.
#
# Running without AVB on GSI: flash this vbmeta.img together with the GSI.
# Running with AVB on GSI: put the GSI public key into the device-specific
# vbmeta.img instead of using this one.
#
# Both properties can be checked on the built image with
# "avbtool info_image" against vbmeta.img.
BOARD_AVB_ROLLBACK_INDEX := 0
BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2

# AVB chain partition for system.
#
# The key path points into external/avb/test/data, i.e. a test key that is
# part of the source tree. A signature made with it gives integrity against
# accidental corruption only; a device that is meant to verify a GSI has to
# trust a key held by whoever releases that image.
# NOTE(review): confirm that release signing replaces this key.
#
# The system rollback index is taken from PLATFORM_SECURITY_PATCH_TIMESTAMP
# (defined outside this file) and is stored at rollback index location 1.
BOARD_AVB_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048
BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1

# GSI-specific system properties: user builds get their own property file,
# userdebug and eng builds share the other one.
ifeq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
  TARGET_SYSTEM_PROP := build/make/target/board/gsi_system_user.prop
else
  TARGET_SYSTEM_PROP := build/make/target/board/gsi_system.prop
endif

# Needed so that a /cache mount point exists for non-A/B devices that mount
# /cache. The size (16777216 bytes, 16 MiB) is arbitrary; it only has to be
# set for the build to pass.
BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4
BOARD_CACHEIMAGE_PARTITION_SIZE := 16777216

# No 64-bit mediadrmserver on GSI.
TARGET_ENABLE_MEDIADRM_64 :=

# A non-flattened APEX may need kernel changes, so GSI uses flattened APEX
# for maximum compatibility.
TARGET_FLATTEN_APEX := true