/*
 * Copyright (C) 2021 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// By default this device uses hardware-wrapped keys for storage encryption,
// which is intended to offer increased security over the traditional method
// (software keys).  However, hardware-wrapped keys aren't compatible with
// FIPS-140 certification of the encryption hardware, and hence we have to
// disable the use of them in FIPS mode.  This requires having two fstab files:
// one for the default mode, and one for FIPS mode selectable via
// androidboot.fstab_suffix on the kernel command line.  These fstabs should be
// identical with the exception of the encryption settings, so to keep them in
// sync the rules below generate them from a template file.
//
// How the generation works (applies to every genrule below):
//   - $(in) expands to both entries of `srcs`, so sed reads the common
//     template and fstab.zuma.ext4 in that order and writes one combined file.
//   - Three placeholders are rewritten: @fileencryption@, @inlinecrypt@ and
//     @metadata_encryption@.  The substitutions carry no `g` flag, so only the
//     first occurrence of each placeholder on a line is replaced.
//   - sed exits successfully even when a placeholder is never matched, so a
//     renamed or misspelled placeholder in the template would pass through to
//     the generated fstab unnoticed.
//     NOTE(review): consider a build-time check that no "@...@" token is left
//     in $(out); the template is not visible here, so confirm that "@" has no
//     other legitimate use in it first.

// Gives this directory its own Soong namespace and imports device/google/zuma.
// Presumably ":fstab.zuma.common" and "device_google_zuma_license" are resolved
// through that import; verify against the imported namespace.
soong_namespace {
    imports: [
        "device/google/zuma",
    ],
}

package {
    // See: http://go/android-license-faq
    // A large-scale-change added 'default_applicable_licenses' to import
    // all of the 'license_kinds' from "device_google_zuma_license"
    // to get the below license kinds:
    //   SPDX-license-identifier-Apache-2.0
    default_applicable_licenses: ["device_google_zuma_license"],
}

// Default variant: hardware-wrapped keys (wrappedkey_v0) for both file-based
// and metadata encryption, with the inlinecrypt mount option kept.
// This is the variant installed as "fstab.zuma" by the prebuilt_etc below.
genrule {
    name: "gen_fstab.zuma-hw-encrypt",
    srcs: [
        ":fstab.zuma.common",
        "fstab.zuma.ext4",
    ],
    out: ["fstab.zuma"],
    cmd: "sed -e s/@fileencryption@/fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0/" +
        " -e s/@inlinecrypt@/inlinecrypt/ " +
        " -e s/@metadata_encryption@/metadata_encryption=:wrappedkey_v0/ $(in) > $(out)",
}

// Software-key variant: no wrappedkey_v0 flag and the inlinecrypt placeholder
// is removed.  "metadata_encryption=" is emitted with an empty value;
// presumably the fstab parser then applies its default, confirm before relying
// on it.
// The output is also named "fstab.zuma", and no prebuilt_etc in this file
// consumes this rule.
// NOTE(review): confirm where it is selected, since it would replace the
// wrapped-key fstab under the same file name.
genrule {
    name: "gen_fstab.zuma-sw-encrypt",
    srcs: [
        ":fstab.zuma.common",
        "fstab.zuma.ext4",
    ],
    out: ["fstab.zuma"],
    cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts:aes-256-hctr2/" +
        " -e s/@inlinecrypt@// " +
        " -e s/@metadata_encryption@/metadata_encryption=/ $(in) > $(out)",
}

// No-encryption variant: all three placeholders are replaced with nothing, so
// the generated fstab carries none of the encryption options this template
// controls.  The output is again named "fstab.zuma", and no prebuilt_etc in
// this file consumes this rule.
// NOTE(review): confirm that only bring-up or test products can pull this in.
// Because it shares the default file name, an accidental swap would be hard to
// spot from the installed path alone.
genrule {
    name: "gen_fstab.zuma-no-encrypt",
    srcs: [
        ":fstab.zuma.common",
        "fstab.zuma.ext4",
    ],
    out: ["fstab.zuma"],
    cmd: "sed -e s/@fileencryption@//" +
        " -e s/@inlinecrypt@// " +
        " -e s/@metadata_encryption@// $(in) > $(out)",
}

// FIPS-mode variant: aes-256-xts for file contents and metadata, inlinecrypt
// kept, and no wrappedkey_v0 flag (hardware-wrapped keys are disabled in FIPS
// mode, as the header comment explains).  Written to "fstab.zuma-fips" so it
// can be selected with androidboot.fstab_suffix.
genrule {
    name: "gen_fstab.zuma-fips",
    srcs: [
        ":fstab.zuma.common",
        "fstab.zuma.ext4",
    ],
    out: ["fstab.zuma-fips"],
    cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts/" +
        " -e s/@inlinecrypt@/inlinecrypt/ " +
        " -e s/@metadata_encryption@/metadata_encryption=aes-256-xts/ $(in) > $(out)",
}

// Installs the hardware-wrapped-key fstab as "fstab.zuma" for the vendor
// partition, and makes it available to the vendor ramdisk as well.
prebuilt_etc {
    name: "fstab.zuma",
    src: ":gen_fstab.zuma-hw-encrypt",
    vendor: true,
    vendor_ramdisk_available: true,
}

// Installs the FIPS-mode fstab as "fstab.zuma-fips" alongside the default one
// (vendor partition, also available to the vendor ramdisk).
prebuilt_etc {
    name: "fstab.zuma-fips",
    src: ":gen_fstab.zuma-fips",
    vendor: true,
    vendor_ramdisk_available: true,
}