/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// By default this device uses hardware-wrapped keys for storage encryption,
// which is intended to offer increased security over the traditional method
// (software keys). However, hardware-wrapped keys aren't compatible with
// FIPS-140 certification of the encryption hardware, and hence we have to
// disable the use of them in FIPS mode. This requires having two fstab files:
// one for the default mode, and one for FIPS mode selectable via
// androidboot.fstab_suffix on the kernel command line. These fstabs should be
// identical with the exception of the encryption settings, so to keep them in
// sync the rules below generate them from a template file.
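// Build namespace for this directory. Importing device/google/gs101 lets
// module names defined in that namespace be referenced from here.
soong_namespace {
    imports: [
        "device/google/gs101",
    ],
}

package {
    // See: http://go/android-license-faq
    // A large-scale-change added 'default_applicable_licenses' to import
    // all of the 'license_kinds' from "device_google_gs101_license"
    // to get the below license kinds:
    //   SPDX-license-identifier-Apache-2.0
    default_applicable_licenses: ["device_google_gs101_license"],
}

// Names the fstab template so that other modules can reference it as
// ":gs101_srcs". No consumer of this filegroup is visible in this file.
filegroup {
    name: "gs101_srcs",
    srcs: ["fstab.gs101.in"],
}

// The two genrules below differ only in the values written into the
// @fileencryption@ and @metadata_encryption@ placeholders of the template.
//
// Each rule ends with a check that fails the build if either placeholder is
// still present in the output. sed replaces only the first match on a line,
// and without the check an fstab carrying a malformed encryption option would
// be packaged silently.
//
// NOTE(review): the check cannot detect a template that no longer contains a
// placeholder at all; in that case both outputs would carry identical
// encryption settings and FIPS mode would not differ from the default.
// Consider also asserting that both placeholders exist in $(in) -- confirm
// against fstab.gs101.in, which is not visible here.

// Default mode: both settings carry the wrappedkey_v0 flag, i.e. storage
// encryption uses hardware-wrapped keys.
// NOTE(review): the leading ':' separators leave the mode fields empty, which
// presumably selects the default ciphers -- confirm against the template.
genrule {
    name: "gen_fstab.gs101",
    srcs: ["fstab.gs101.in"],
    out: ["fstab.gs101"],
    cmd: "sed -e 's/@fileencryption@/::inlinecrypt_optimized+wrappedkey_v0/'" +
        " -e 's/@metadata_encryption@/:wrappedkey_v0/' $(in) > $(out)" +
        " && if grep -n -e '@fileencryption@' -e '@metadata_encryption@' $(out) >&2;" +
        " then echo 'fstab.gs101: encryption placeholder left unsubstituted' >&2; exit 1; fi",
}

// FIPS mode: both settings are plain aes-256-xts with no wrappedkey_v0 flag,
// so hardware-wrapped keys are not used. The inlinecrypt_optimized flag of the
// default mode is dropped as well.
genrule {
    name: "gen_fstab.gs101-fips",
    srcs: ["fstab.gs101.in"],
    out: ["fstab.gs101-fips"],
    cmd: "sed -e 's/@fileencryption@/aes-256-xts/'" +
        " -e 's/@metadata_encryption@/aes-256-xts/' $(in) > $(out)" +
        " && if grep -n -e '@fileencryption@' -e '@metadata_encryption@' $(out) >&2;" +
        " then echo 'fstab.gs101-fips: encryption placeholder left unsubstituted' >&2; exit 1; fi",
}

// Install rules for the two generated fstabs: vendor partition, with a
// vendor-ramdisk variant also available.
// NOTE(review): per the comment at the top of this file, the fstab used at
// boot is chosen by androidboot.fstab_suffix on the kernel command line, so
// the effective encryption mode depends on what sets that parameter --
// confirm that only the trusted boot chain can.
prebuilt_etc {
    name: "fstab.gs101",
    src: ":gen_fstab.gs101",
    vendor: true,
    vendor_ramdisk_available: true,
}

prebuilt_etc {
    name: "fstab.gs101-fips",
    src: ":gen_fstab.gs101-fips",
    vendor: true,
    vendor_ramdisk_available: true,
}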