| # Copyright 2021 The Fuchsia Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| import("//build/assembly/assembled_system.gni") |
| import("//build/assembly/flash_manifest.gni") |
| import("//build/assembly/generated_assembly_inputs.gni") |
| import("//build/assembly/generated_partitions_config.gni") |
| import("//build/assembly/update_package.gni") |
| import("//build/images/args.gni") |
| import("//build/images/filesystem_limits.gni") |
| import("//build/images/vboot/vboot.gni") |
| import("//build/product.gni") |
| import("//build/security.gni") |
| import("//build/security/policies.gni") |
| import("//build/security/policies_swd.gni") |
| import("//build/security/verifier/verify_bootfs.gni") |
| import("//build/security/verifier/verify_component_resolvers.gni") |
| import("//build/security/verifier/verify_kernel_cmdline.gni") |
| import("//build/security/verifier/verify_route_sources.gni") |
| import("//build/security/verifier/verify_routes.gni") |
| import("//build/security/verifier/verify_routes.gni") |
| import("//build/security/verifier/verify_static_pkgs.gni") |
| import("//build/testing/host_test_data.gni") |
| import("//build/testing/verify_files_match.gni") |
| import("//src/sys/core/build/core.gni") |
| |
| if (is_host) { |
| host_test_data("fuchsia_zbi_for_host_tests") { |
| sources = [ "$root_build_dir/fuchsia.zbi" ] |
| # This dep cannot be specified, because it creates a dependency cycle. It |
| # could be added if all tests using this were not in any package set (and |
| # were just in host_labels) |
| #deps = [ ":fuchsia($default_toolchain)" ] |
| } |
| } |
| |
| # The assembly operation should only be defined in the default (fuchsia) |
| # toolchain. |
| if (is_fuchsia) { |
| assert(current_toolchain == default_toolchain, |
| "//build/images/* are only valid in the Fuchsia toolchain") |
| |
| # This catches inadvertent dependencies on the "fucshia" assembly implementation |
| # in bringup-only configurations. |
| assert( |
| !use_bringup_assembly, |
| "The bringup product config cannot rely on the fuchsia assembly. Bringup has it's own in //build/images/bringup") |
| |
| ################################################## |
| # Shared parameters across assemblies in this file |
| ################################################## |
| |
| supports_fastboot_fvm = fvm_partition != "" |
| |
| files = { |
| images_config = "$target_out_dir/fuchsia.images_config.json" |
| partitions_config = "$target_out_dir/partitions_config.json" |
| assembly_inputs = "$target_out_dir/fuchsia/assembly_inputs.json" |
| platform_aib_dir = get_label_info("//build/assembly", "target_out_dir") |
| |
| # Outputs of assembly. |
| outdir = target_out_dir + "/fuchsia" |
| zbi = "${outdir}/fuchsia.zbi" |
| zbi_signed = "${outdir}/fuchsia.zbi.signed" |
| vbmeta = "${outdir}/fuchsia.vbmeta" |
| minfs = "${outdir}/data.blk" |
| blobfs = "${outdir}/blob.blk" |
| fvm = "${outdir}/fvm.blk" |
| fvm_sparse = "${outdir}/fvm.sparse.blk" |
| fvm_blob_sparse = "${outdir}/fvm.blob.sparse.blk" |
| fvm_fastboot = "${outdir}/fvm.fastboot.blk" |
| packages_json = "${outdir}/packages.json" |
| images_json = "${outdir}/images.json" |
| |
| # Outputs of prime assembly. |
| outdir_prime = target_out_dir + "/fuchsia_prime_assembly" |
| images_prime_json = "${outdir_prime}/images.json" |
| packages_prime_json = "${outdir_prime}/packages.json" |
| |
| # Outputs of recovery. |
| recovery_outdir = get_label_info(recovery_label, "target_out_dir") + "/" + |
| get_label_info(recovery_label, "name") |
| recovery_images_json = "${recovery_outdir}/images.json" |
| } |
| |
| fuchsia_base = { |
| testonly = fuchsia_zbi_testonly |
| generate_fvm = true |
| board_name = board_name |
| output_dir = root_build_dir |
| fshost_config = board_fshost_config |
| |
| check_production_tag = check_production_eligibility |
| |
| include_component_id_index = true |
| |
| # Use the GN arg for including shell commands. |
| include_shell_commands = include_shell_commands_package |
| |
| # If the product definition is specifying a product assembly config file, then |
| # pass that to the assembled_system() call(s). |
| if (fuchsia_product_assembly_config_file != false) { |
| product_assembly_config_file = fuchsia_product_assembly_config_file |
| } else { |
| product_assembly_config_file = |
| "//build/assembly/empty_product_config.json" |
| } |
| if (fuchsia_product_assembly_config_label != false) { |
| product_assembly_config_dep = fuchsia_product_assembly_config_label |
| } |
| |
| cmdline_deps = [ "//build/input:bootfs" ] |
| |
| base_packages = [ |
| "//:developer_base_driver_packages", |
| "//:developer_base_packages", |
| "//:legacy_base_driver_packages", |
| "//:legacy_base_packages", |
| ":core_realm", |
| ] |
| |
| # Include the product-defined meta package labels. |
| meta_packages = meta_package_labels |
| |
| # Add the base package labels for the selected SWD policy. |
| if (defined(policy_labels.swd)) { |
| foreach(policy, policies_swd) { |
| if (policy.name == policy_labels.swd) { |
| base_packages += policy.base_package_deps |
| } |
| } |
| } |
| |
| # Add the base package labels for the selected SWD policy. |
| extra_core_realm_shards = [] |
| if (defined(policy_labels.update_checker)) { |
| foreach(policy, policies_update_checker) { |
| if (policy.name == policy_labels.update_checker) { |
| # TODO(fxbug.dev/93695) Remove the need for |
| # `if_board_supports_update_configurator` and |
| # `board_supports_update_configurator`, replacing them with an |
| # optional capability route when that feature is available. |
| if (board_supports_update_configurator) { |
| inner = policy.if_board_supports_update_configurator |
| |
| extra_core_realm_shards += inner.core_realm_shards |
| } |
| } |
| } |
| } |
| |
| base_driver_packages = [ |
| "//:developer_base_driver_packages", |
| "//:legacy_base_driver_packages", |
| ] |
| cache_packages = [ |
| "//:developer_cache_packages", |
| "//:legacy_cache_packages", |
| ] |
| system_image_deps = [ "//build/input:system_image" ] |
| universe_packages = [ |
| "//:developer_universe_packages", |
| "//:legacy_universe_packages", |
| ] |
| bootfs_labels = [ "//build/input:bootfs" ] |
| bootfs_package_labels = product_bootfs_packages |
| |
| # minfs arguments |
| if (minfs_product_minimum_data_bytes != false) { |
| minfs_minimum_data_bytes = minfs_product_minimum_data_bytes |
| } else if (minfs_board_minimum_data_bytes != false) { |
| minfs_minimum_data_bytes = minfs_board_minimum_data_bytes |
| } |
| if (minfs_product_maximum_bytes != false) { |
| minfs_maximum_bytes = minfs_product_maximum_bytes |
| } else if (minfs_board_maximum_bytes != false) { |
| minfs_maximum_bytes = minfs_board_maximum_bytes |
| } |
| |
| # blobfs arguments |
| assembly_blob_layout_format = blob_layout_format |
| assembly_compress_blobs = compress_blobs |
| if (blobfs_product_minimum_inodes != false) { |
| blobfs_minimum_inodes = blobfs_product_minimum_inodes |
| } else if (blobfs_board_minimum_inodes != false) { |
| blobfs_minimum_inodes = blobfs_board_minimum_inodes |
| } |
| if (blobfs_product_minimum_data_bytes != false) { |
| blobfs_minimum_data_bytes = blobfs_product_minimum_data_bytes |
| } else if (blobfs_board_minimum_data_bytes != false) { |
| blobfs_minimum_data_bytes = blobfs_board_minimum_data_bytes |
| } |
| if (blobfs_product_maximum_bytes != false) { |
| blobfs_maximum_bytes = blobfs_product_maximum_bytes |
| } else if (blobfs_board_maximum_bytes != false) { |
| blobfs_maximum_bytes = blobfs_board_maximum_bytes |
| } |
| if (max_blob_contents_size != false) { |
| blobfs_maximum_contents_size = max_blob_contents_size |
| } |
| |
| # fvm arguments |
| assembly_include_account_in_fvm = include_account_in_fvm |
| assembly_fvm_slice_size = fvm_slice_size |
| |
| # zbi arguments |
| if (custom_signing_script != "") { |
| zbi_signing_script = custom_signing_script |
| zbi_signing_script_deps = [ "//build/images/custom_signing:deps" ] |
| } else if (use_vboot) { |
| zbi_signing_script = vboot_action.script |
| zbi_signing_args = vboot_action.args |
| zbi_signing_script_deps = vboot_action.deps |
| inputs = vboot_action.inputs |
| } |
| } |
| |
| core_realm("core_realm") { |
| package_name = core_realm_package_name |
| deps = core_realm_shards + board_core_realm_shards + |
| fuchsia_base.extra_core_realm_shards |
| restrict_persistent_storage = core_realm_restrict_persistent_storage |
| restrict_full_resolver_to_base = !auto_update_packages |
| } |
| |
| ################################################## |
| # Fuchsia |
| ################################################## |
| |
| # Copy the blob.blk to the old location for assembled images. |
| # TODO(fxbug.dev/82077): Delete this once clients do not depend on the old path. |
| old_blobfs_path = "${root_out_dir}/obj/build/images/blob.blk" |
| copy("copy_blobfs") { |
| testonly = fuchsia_zbi_testonly |
| sources = [ "${target_out_dir}/fuchsia/blob.blk" ] |
| outputs = [ old_blobfs_path ] |
| deps = [ ":fuchsia_assembly" ] |
| |
| metadata = { |
| # Declare all the generated images. |
| images = [ |
| # BlobFS |
| { |
| label = get_label_info(":fuchsia", "label_with_toolchain") |
| name = "blob" |
| path = rebase_path(old_blobfs_path, root_build_dir) |
| type = "blk" |
| }, |
| ] |
| } |
| } |
| |
| # Copy the fvm.blob.sparse.blk to the old location for assembled images. |
| # TODO(fxbug.dev/82077): Delete this once clients do not depend on the old path. |
| if (include_fvm_blob_sparse) { |
| old_fvm_blob_sparse_path = |
| "${root_out_dir}/obj/build/images/fvm.blob.sparse.blk" |
| copy("copy_fvm_blob_sparse") { |
| testonly = fuchsia_zbi_testonly |
| sources = [ "${target_out_dir}/fuchsia/fvm.blob.sparse.blk" ] |
| outputs = [ old_fvm_blob_sparse_path ] |
| deps = [ ":fuchsia_assembly" ] |
| |
| metadata = { |
| images = [ |
| { |
| label = get_label_info(":fuchsia", "label_with_toolchain") |
| |
| # Hack: Infra expects bootserver_pave to be present |
| # in the GN graph for this image to be built. |
| bootserver_pave = [] |
| name = "fvm.blob.sparse" |
| path = rebase_path(old_fvm_blob_sparse_path, root_build_dir) |
| type = "blk" |
| }, |
| ] |
| } |
| } |
| } |
| |
| group("fuchsia") { |
| testonly = fuchsia_zbi_testonly |
| public_deps = [ |
| ":assembly_inputs", |
| ":copy_blobfs", |
| ":flash_manifest", |
| ":fuchsia_assembly", |
| ":update", |
| ] |
| |
| if (include_fvm_blob_sparse) { |
| public_deps += [ ":copy_fvm_blob_sparse" ] |
| } |
| deps = [ ":verify_base_resolver_config" ] |
| if (!is_coverage && custom_signing_script == "") { |
| deps += [ |
| ":verify_capability_routes", |
| ":verify_component_resolvers", |
| ] |
| if (fuchsia_static_pkgs_goldens != []) { |
| deps += [ ":verify_static_pkgs" ] |
| } |
| |
| if (fuchsia_zbi_bootfs_filelist_goldens != []) { |
| deps += [ ":verify_bootfs_filelist" ] |
| } |
| if (fuchsia_zbi_kernel_cmdline_goldens != []) { |
| deps += [ ":verify_kernel_cmdline" ] |
| } |
| if (fuchsia_route_sources_config != "") { |
| deps += [ ":verify_route_sources" ] |
| } |
| } |
| |
| metadata = { |
| assembly_inputs = [ |
| { |
| path = rebase_path(files.assembly_inputs, root_build_dir) |
| }, |
| ] |
| } |
| } |
| |
| assembled_system("fuchsia_assembly") { |
| forward_variables_from(fuchsia_base, "*") |
| image_name = "fuchsia" |
| |
| create_legacy_aib_package = !is_debug |
| create_legacy_aib_archive = !is_debug |
| |
| _rebased_files = { |
| zbi = rebase_path(files.zbi, root_build_dir) |
| zbi_signed = rebase_path(files.zbi_signed, root_build_dir) |
| vbmeta = rebase_path(files.vbmeta, root_build_dir) |
| minfs = rebase_path(files.minfs, root_build_dir) |
| blobfs = rebase_path(files.blobfs, root_build_dir) |
| fvm = rebase_path(files.fvm, root_build_dir) |
| fvm_sparse = rebase_path(files.fvm_sparse, root_build_dir) |
| fvm_blob_sparse = rebase_path(files.fvm_blob_sparse, root_build_dir) |
| fvm_fastboot = rebase_path(files.fvm_fastboot, root_build_dir) |
| } |
| |
| metadata = { |
| # Declare all the generated images. |
| images = [ |
| # MinFS |
| { |
| label = get_label_info(":$target_name", "label_with_toolchain") |
| name = "data" |
| path = _rebased_files.minfs |
| type = "blk" |
| }, |
| |
| # TODO(fxbug.dev/82077): Add this back once clients move to the new path. |
| # BlobFS |
| #{ |
| # label = get_label_info(":$target_name", "label_with_toolchain") |
| # name = "blob" |
| # path = rebased_files.blobfs |
| # type = "blk" |
| #}, |
| |
| # ZBI |
| { |
| label = get_label_info(":$target_name", "label_with_toolchain") |
| name = "zircon-a" |
| |
| # We are using the copied-to path, becuase some e2e tests depend on it |
| # for their host_test_data. |
| path = "fuchsia.zbi" |
| type = "zbi" |
| |
| archive = true |
| bootserver_pave = [] |
| |
| # TODO(fxbug.dev/31931): we want to reduce the usage of mexec, but currently we |
| # do not have sufficient boot control on x64. |
| if (target_cpu == "x64") { |
| bootserver_pave += [ "--boot" ] |
| } |
| if (custom_signing_script == "" && !use_vboot) { |
| bootserver_pave += [ |
| "--zircona", |
| # TODO(fxbug.dev/32475): `dm reboot-recovery` boots from zircon-b instead of |
| # zircon-r, so for now zedboot is being paved to this slot. |
| # "--zirconb", |
| ] |
| |
| fastboot_flash = [] |
| if (zircon_a_partition != "") { |
| fastboot_flash += [ zircon_a_partition ] |
| } |
| if (zircon_b_partition != "") { |
| fastboot_flash += [ zircon_b_partition ] |
| } |
| } |
| }, |
| |
| # FVM |
| { |
| label = get_label_info(":$target_name", "label_with_toolchain") |
| archive = add_qemu_to_build_archives |
| name = "storage-full" |
| path = _rebased_files.fvm |
| type = "blk" |
| }, |
| |
| # Sparse FVM |
| { |
| label = get_label_info(":$target_name", "label_with_toolchain") |
| archive = true |
| bootserver_pave = [ "--fvm" ] |
| name = "storage-sparse" |
| path = _rebased_files.fvm_sparse |
| type = "blk" |
| }, |
| ] |
| |
| # Declare the paths to the images. |
| image_paths = [ |
| "IMAGE_DATA_RAW=${_rebased_files.minfs}", |
| "IMAGE_BLOB_RAW=${_rebased_files.blobfs}", |
| "IMAGE_ZIRCONA_ZBI=fuchsia.zbi", |
| "IMAGE_FVM_RAW=${_rebased_files.fvm}", |
| "IMAGE_FVM_SPARSE=${_rebased_files.fvm_sparse}", |
| "IMAGE_FVM_BLOB_SPARSE=${_rebased_files.fvm_blob_sparse}", |
| |
| # TODO(mcgrathr): The complete ZBI can be used with a separate |
| # kernel too, the kernel image in it will just be ignored. So |
| # just use the primary ZBI for this until all uses are |
| # converted to using the ZBI alone. Then remove this as |
| # IMAGE_BOOT_RAM variable should no longer be in use. |
| "IMAGE_BOOT_RAM=fuchsia.zbi", |
| ] |
| |
| # Optionally add the signed images. |
| if (custom_signing_script != "" || use_vboot) { |
| images += [ |
| { |
| label = get_label_info(":$target_name", "label_with_toolchain") |
| archive = true |
| bootserver_pave = [ "--zircona" ] |
| name = "zircon-a.signed" |
| path = "fuchsia.zbi.signed" |
| type = "zbi.signed" |
| |
| fastboot_flash = [] |
| if (zircon_a_partition != "") { |
| fastboot_flash += [ zircon_a_partition ] |
| } |
| if (zircon_b_partition != "") { |
| fastboot_flash += [ zircon_b_partition ] |
| } |
| }, |
| ] |
| image_paths += [ "IMAGE_ZIRCONA_SIGNEDZBI=fuchsia.zbi.signed" ] |
| } |
| |
| # Optionally add the vbmeta image. |
| if (use_vbmeta) { |
| images += [ |
| { |
| label = get_label_info(":$target_name", "label_with_toolchain") |
| archive = true |
| name = "zircon-a" |
| path = "fuchsia.vbmeta" |
| type = "vbmeta" |
| |
| bootserver_pave = [ "--vbmetaa" ] |
| |
| fastboot_flash = [] |
| if (vbmeta_a_partition != "") { |
| fastboot_flash += [ vbmeta_a_partition ] |
| } |
| if (vbmeta_b_partition != "") { |
| fastboot_flash += [ vbmeta_b_partition ] |
| } |
| }, |
| ] |
| image_paths += [ "IMAGE_VBMETAA_RAW=fuchsia.vbmeta" ] |
| } |
| |
| # TODO(fxbug.dev/82077): Add this back once clients move to the new path. |
| # Optionally include the blob-only sparse FVM. |
| # if (include_fvm_blob_sparse) { |
| # images += [ |
| # { |
| # label = get_label_info(":$target_name", "label_with_toolchain") |
| |
| # # Hack: Infra expects bootserver_pave to be present |
| # # in the GN graph for this image to be built. |
| # bootserver_pave = [] |
| # name = "fvm.blob.sparse" |
| # path = rebased_files.fvm_blob_sparse |
| # type = "blk" |
| # }, |
| # ] |
| # } |
| |
| # Optionally include the fastboot FVM. |
| if (supports_fastboot_fvm) { |
| images += [ |
| { |
| label = get_label_info(":$target_name", "label_with_toolchain") |
| archive = true |
| name = "fvm.fastboot" |
| path = rebase_path(files.fvm_fastboot, root_build_dir) |
| type = "blk" |
| fastboot_flash = [ fvm_partition ] |
| }, |
| ] |
| image_paths += [ "IMAGE_FVM_FASTBOOT=${_rebased_files.fvm_fastboot}" ] |
| } |
| } |
| } |
| |
| generated_partitions_config("partitions_config") { |
| testonly = fuchsia_zbi_testonly |
| output_path = files.partitions_config |
| hw_revision = board_name |
| bootstrap_partitions = bootstrap_files |
| unlock_credentials = board_fastboot_unlock_credentials |
| |
| if (use_gigaboot) { |
| esp_image_path = "${root_build_dir}/fuchsia.esp.blk" |
| deps = [ "//build/images/flash:esp" ] |
| } |
| } |
| |
| update_package("update") { |
| testonly = fuchsia_zbi_testonly |
| deps = [ |
| ":fuchsia_assembly", |
| ":partitions_config", |
| "//build/info:latest-commit-date", |
| recovery_label, |
| ] |
| partitions = files.partitions_config |
| packages = files.packages_json |
| system_a = files.images_json |
| system_r = files.recovery_images_json |
| board_name = board_name |
| version_file = build_info_files.version |
| epoch = "1" |
| } |
| |
| flash_manifest("flash_manifest") { |
| testonly = fuchsia_zbi_testonly |
| deps = [ |
| ":fuchsia_assembly", |
| ":partitions_config", |
| recovery_label, |
| ] |
| partitions = files.partitions_config |
| system_a = files.images_json |
| system_b = files.images_json |
| system_r = files.recovery_images_json |
| } |
| |
| generated_assembly_inputs("assembly_inputs") { |
| testonly = fuchsia_zbi_testonly |
| images_config = files.images_config |
| partitions_config = files.partitions_config |
| output_path = files.assembly_inputs |
| |
| sources = [ |
| "${files.outdir}/legacy", |
| "${files.platform_aib_dir}/emulator_support", |
| ] |
| |
| deps = [ |
| ":fuchsia_assembly", |
| ":partitions_config", |
| ] |
| |
| product_config = fuchsia_base.product_assembly_config_file |
| if (fuchsia_product_assembly_config_label != false) { |
| deps += [ fuchsia_product_assembly_config_label ] |
| } |
| } |
| |
| ################################################## |
| # Fuchsia Prime |
| ################################################## |
| |
| # Generate a fuchsia_prime system, which is the same as a fuchsia system, but |
| # with the addition of a dummy file in the system_image package. This can be |
| # used for OTA tests. |
| resource("dummy_resources") { |
| sources = [ "dummy.txt" ] |
| outputs = [ "dummy.txt" ] |
| visibility = [ ":*" ] |
| } |
| fuchsia_package("dummy") { |
| deps = [ ":dummy_resources" ] |
| visibility = [ ":*" ] |
| } |
| |
| assembled_system("fuchsia_prime_assembly") { |
| forward_variables_from(fuchsia_base, "*") |
| system_image_deps += [ ":dummy" ] |
| base_package_name = "system_image_prime" |
| } |
| |
| update_package("fuchsia_prime") { |
| testonly = fuchsia_zbi_testonly |
| deps = [ |
| ":fuchsia_prime_assembly", |
| ":partitions_config", |
| "//build/info:latest-commit-date", |
| recovery_label, |
| ] |
| name = "update_prime" |
| partitions = files.partitions_config |
| packages = files.packages_prime_json |
| system_a = files.images_prime_json |
| system_r = files.recovery_images_json |
| board_name = board_name |
| version_file = build_info_files.version |
| epoch = "1" |
| } |
| |
| ################################################## |
| # Netboot |
| ################################################## |
| |
| # This rolls the primary ZBI together with a compressed RAMDISK image of |
| # fvm.blk into a fat ZBI that boots the full system without using any real |
| # storage. The system decompresses the fvm.blk image into memory and then |
| # sees that RAM disk just as if it were a real disk on the device. |
| assembled_system("netboot") { |
| forward_variables_from(fuchsia_base, "*") |
| ramdisk_fvm_in_zbi = true |
| |
| metadata = { |
| images = [ |
| { |
| label = get_label_info(":$target_name", "label_with_toolchain") |
| archive = enable_netboot |
| bootserver_netboot = [ "--boot" ] |
| name = "netboot" |
| path = "netboot.zbi" |
| type = "zbi" |
| }, |
| ] |
| image_paths = [ |
| "IMAGE_NETBOOT_ZBI=netboot.zbi", |
| |
| # TODO(mcgrathr): The complete ZBI can be used with a separate kernel |
| # too, the kernel image in it will just be ignored. So just use the |
| # primary ZBI for this until all uses are converted to using the ZBI |
| # alone. Then remove this as IMAGE_BOOT_RAM variable should no |
| # longer be in use. |
| "IMAGE_NETBOOT_RAM=netboot.zbi", |
| ] |
| } |
| } |
| |
| ################################################## |
| # Scrutiny verifiers |
| ################################################## |
| |
| # TODO(fxbug.dev/102968): There is a need for scrutiny verifiers that process |
| # structured configuration files. Until such verifiers are ready, structured |
| # configuration files for sensitive components are verified using the |
| # strategy below. |
| action("verify_base_resolver_config") { |
| # TODO(fxbug.dev/102968): Uncomment in upcoming fxrev.dev/687102. |
| # _cvf_eng_golden = |
| # "//src/security/policy/build/base_resolver_golden_eng.cvf" |
| |
| _cvf_non_eng_golden = |
| "//src/security/policy/build/base_resolver_golden_non_eng.cvf" |
| |
| # Follow output conventions defined by cvf template in |
| # //tools/configc/build/config.gni. |
| # TODO(fxbug.dev/102968): Uncomment in upcoming fxrev.dev/687102. |
| # _cvf_target = "//src/sys/base-resolver:values_from_gn" |
| # _cvf_output_name = "values_from_gn" |
| # _cvf_out_dir = get_label_info(_cvf_target, "target_out_dir") |
| # _cvf_output = "${_cvf_out_dir}/${_cvf_output_name}.cvf" |
| |
| _output = "${target_out_dir}/${target_name}.verified" |
| |
| script = "//src/security/policy/build/verify_golden_by_build_type.py" |
| args = [ |
| "--eng-golden", |
| |
| # TODO(fxbug.dev/102968): Uncomment/swap in upcoming fxrev.dev/687102. |
| # rebase_path(_cvf_eng_golden, root_out_dir), |
| rebase_path(_cvf_non_eng_golden, root_out_dir), |
| |
| "--non-eng-golden", |
| rebase_path(_cvf_non_eng_golden, root_out_dir), |
| |
| "--product-config", |
| rebase_path(fuchsia_base.product_assembly_config_file, root_out_dir), |
| |
| "--input", |
| |
| # TODO(fxbug.dev/102968): Uncomment/swap in upcoming fxrev.dev/687102. |
| # rebase_path(_cvf_output, root_out_dir), |
| rebase_path(_cvf_non_eng_golden, root_out_dir), |
| |
| "--output", |
| rebase_path(_output, root_out_dir), |
| ] |
| |
| inputs = [ |
| # TODO(fxbug.dev/102968): Uncomment in upcoming fxrev.dev/687102. |
| # _cvf_eng_golden, |
| # _cvf_output, |
| |
| _cvf_non_eng_golden, |
| fuchsia_base.product_assembly_config_file, |
| ] |
| outputs = [ _output ] |
| |
| deps = [ |
| # TODO(fxbug.dev/102968): Uncomment in upcoming fxrev.dev/687102. |
| # _cvf_target, |
| ] |
| if (defined(fuchsia_base.product_assembly_config_dep)) { |
| deps += [ fuchsia_base.product_assembly_config_dep ] |
| } |
| } |
| |
| # See //build/scrutiny/verifier/verify_*.gni and //build/security.gni for |
| # documentation. |
| |
| if (custom_signing_script == "") { |
| verify_bootfs_filelist("verify_bootfs_filelist") { |
| testonly = fuchsia_base.testonly |
| zbi_is_signed = custom_signing_script != "" || use_vboot |
| image_assembler_target = ":fuchsia.image_assembler" |
| assembly_image_name = "fuchsia" |
| goldens = fuchsia_zbi_bootfs_filelist_goldens |
| } |
| |
| verify_kernel_cmdline("verify_kernel_cmdline") { |
| testonly = fuchsia_base.testonly |
| zbi_is_signed = custom_signing_script != "" || use_vboot |
| image_assembler_target = ":fuchsia.image_assembler" |
| assembly_image_name = "fuchsia" |
| goldens = fuchsia_zbi_kernel_cmdline_goldens |
| } |
| |
| if (fuchsia_route_sources_config != "") { |
| verify_route_sources("verify_route_sources") { |
| testonly = fuchsia_base.testonly |
| update_package_target = ":update" |
| image_assembler_target = ":fuchsia.image_assembler" |
| assembly_image_name = "fuchsia" |
| config_path = fuchsia_route_sources_config |
| } |
| } |
| |
| verify_component_resolvers("verify_component_resolvers") { |
| testonly = fuchsia_base.testonly |
| update_package_target = ":update" |
| image_assembler_target = ":fuchsia.image_assembler" |
| assembly_image_name = "fuchsia" |
| allowlist = fuchsia_verify_component_resolvers_allowlist |
| } |
| |
| verify_routes("verify_capability_routes") { |
| testonly = fuchsia_base.testonly |
| update_package_target = ":update" |
| image_assembler_target = ":fuchsia.image_assembler" |
| assembly_image_name = "fuchsia" |
| allowlist = [ fuchsia_verify_routes_exceptions_allowlist ] + |
| fuchsia_verify_routes_exceptions_allowlist_product |
| if (bootfs_only) { |
| allowlist += [ fuchsia_verify_routes_exceptions_allowlist_bootfs ] |
| } |
| if (fuchsia_verify_routes_component_tree_config != "") { |
| component_tree_config = fuchsia_verify_routes_component_tree_config |
| } |
| } |
| |
| verify_static_pkgs("verify_static_pkgs") { |
| testonly = fuchsia_base.testonly |
| update_package_target = ":update" |
| image_assembler_target = ":fuchsia.image_assembler" |
| assembly_image_name = "fuchsia" |
| goldens = fuchsia_static_pkgs_goldens |
| } |
| } |
| } |