/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// By default this device uses hardware-wrapped keys for storage encryption,
// which is intended to offer increased security over the traditional method
// (software keys). However, hardware-wrapped keys aren't compatible with
// FIPS-140 certification of the encryption hardware, and hence we have to
// disable the use of them in FIPS mode. This requires having two fstab files:
// one for the default mode, and one for FIPS mode selectable via
// androidboot.fstab_suffix on the kernel command line. These fstabs should be
// identical with the exception of the encryption settings, so to keep them in
// sync the rules below generate them from a template file.
package {
    // License metadata, see: http://go/android-license-faq
    // A large-scale change introduced 'default_applicable_licenses' so that
    // this package picks up every 'license_kinds' entry of
    // "device_google_gs201_license", which yields:
    //   SPDX-license-identifier-Apache-2.0
    default_applicable_licenses: ["device_google_gs201_license"],
}

// ---------------------------------------------------------------------------
// Default mode: hardware-wrapped keys
// ---------------------------------------------------------------------------

// Renders fstab.gs201.in into fstab.gs201 by replacing the two placeholders
// @fileencryption@ and @metadata_encryption@ with settings that carry the
// wrappedkey_v0 flag. In the fileencryption value the two leading fields are
// left empty; presumably that leaves the contents and filenames modes at
// their defaults (confirm against the fstab documentation).
//
// NOTE(review): sed exits successfully even when a placeholder does not occur
// in the template, and without the 'g' flag it rewrites only the first match
// on each line. Nothing in this rule fails the build if the template stops
// using the placeholders, so a stale or hard-coded encryption option in
// fstab.gs201.in would pass through unnoticed.
genrule {
    name: "gen_fstab.gs201",
    out: ["fstab.gs201"],
    srcs: ["fstab.gs201.in"],
    cmd: "sed -e s/@fileencryption@/::inlinecrypt_optimized+wrappedkey_v0/" +
        " -e s/@metadata_encryption@/:wrappedkey_v0/ $(in) > $(out)",
}

// Ships the generated default fstab as a vendor module that is also available
// to the vendor ramdisk.
prebuilt_etc {
    name: "fstab.gs201",
    vendor: true,
    vendor_ramdisk_available: true,
    src: ":gen_fstab.gs201",
}

// ---------------------------------------------------------------------------
// FIPS mode: software keys only
// ---------------------------------------------------------------------------

// Renders the same template into fstab.gs201-fips, replacing both
// placeholders with plain aes-256-xts and no wrappedkey flag.
//
// NOTE(review): the only thing keeping hardware-wrapped keys out of the FIPS
// fstab is that every encryption option in the template goes through these
// two placeholders. If an option were ever written literally in
// fstab.gs201.in, this rule would copy it into the FIPS variant unchanged;
// consider asserting at build time that the output contains no wrappedkey
// option.
genrule {
    name: "gen_fstab.gs201-fips",
    out: ["fstab.gs201-fips"],
    srcs: ["fstab.gs201.in"],
    cmd: "sed -e s/@fileencryption@/aes-256-xts/" +
        " -e s/@metadata_encryption@/aes-256-xts/ $(in) > $(out)",
}

// Ships the generated FIPS fstab next to the default one, with the same
// vendor and vendor-ramdisk availability. Which of the two files is used is
// decided at boot by androidboot.fstab_suffix on the kernel command line (see
// the file header), not by anything in this build file.
prebuilt_etc {
    name: "fstab.gs201-fips",
    vendor: true,
    vendor_ramdisk_available: true,
    src: ":gen_fstab.gs201-fips",
}