| # Copyright 2021 The Fuchsia Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| # A collection of GN arguments that are used for security purpose. |
| |
| declare_args() { |
| # An optional list of golden files for fuchsia.zbi kernel cmdline args. If |
| # specified, they would be compared against fuchsia.zbi kernel cmdline during |
| # build time. |
| # In normal case, there should only be golden file in this list. |
| # During a soft transition where changes are made in a different repo than |
| # the golden file repo, user need to |
| # 1. copy the old golden file before the change to '*.orig' |
| # 2. create a new golden file reflecting the changes |
| # 3. add both the old golden file and new golden file to this list. e.g. there |
| # would be 'product.txt' and 'product.txt.orig' in this list and check in the |
| # above changes. |
| # 4. check in the changes that is made in a different repo. |
| # 5. delete 'product.txt.orig' and remove it from this list. |
| fuchsia_zbi_kernel_cmdline_goldens = [] |
| |
| # An optional list of golden files for recovery.zbi kernel cmdline args. If |
| # specified, they would be compared against recovery.zbi kernel cmdline |
| # during build time. At least one of the golden files must match. |
| # In normal case, there should only be one golden file in this list. |
| # During a soft transition where changes are made in a different repo than |
| # the golden file repo, user need to |
| # 1. copy the old golden file before the change to '*.orig' |
| # 2. create a new golden file reflecting the changes |
| # 3. add both the old golden file and new golden file to this list. e.g. there |
| # would be 'product.txt' and 'product.txt.orig' in this list and check in the |
| # above changes. |
| # 4. check in the changes that is made in a different repo. |
| # 5. delete 'product.txt.orig' and remove it from this list. |
| recovery_zbi_kernel_cmdline_goldens = [] |
| |
| # An optional lit of golden files for fuchsia.zbi bootFS file list. If |
| # specified, they would be compared against fuchsia.zbi bootFS file list |
| # during build time. At least one of the golden files must match. |
| # In normal case, there should only be one golden file in this list. |
| # During a soft transition where changes are made in a different repo than |
| # the golden file repo, user need to |
| # 1. copy the old golden file before the change to '*.orig' |
| # 2. create a new golden file reflecting the changes |
| # 3. add both the old golden file and new golden file to this list. e.g. there |
| # would be 'product.txt' and 'product.txt.orig' in this list and check in the |
| # above changes. |
| # 4. check in the changes that is made in a different repo. |
| # 5. delete 'product.txt.orig' and remove it from this list. |
| fuchsia_zbi_bootfs_filelist_goldens = [] |
| |
| # An optional list of golden files for recovery.zbi bootFS file list. If |
| # specified, they would be compared against recovery.zbi bootFS file list |
| # during build time. At least one of the golden files must match. |
| # In normal case, there should only be golden file in this list. |
| # During a soft transition where changes are made in a different repo than |
| # the golden file repo, user need to |
| # 1. copy the old golden file before the change to '*.orig' |
| # 2. create a new golden file reflecting the changes |
| # 3. add both the old golden file and new golden file to this list. e.g. there |
| # would be 'product.txt' and 'product.txt.orig' in this list and check in the |
| # above changes. |
| # 4. check in the changes that is made in a different repo. |
| # 5. delete 'product.txt.orig' and remove it from this list. |
| recovery_zbi_bootfs_filelist_goldens = [] |
| |
| # An optional lit of golden files for fuchsia.zbi static pkgs list. If |
| # specified, they would be compared against fuchsia.zbi static pkgs list |
| # during build time. At least one of the golden files must match. |
| # In normal case, there should only be one golden file in this list. |
| # During a soft transition where changes are made in a different repo than |
| # the golden file repo, user need to |
| # 1. copy the old golden file before the change to '*.orig' |
| # 2. create a new golden file reflecting the changes |
| # 3. add both the old golden file and new golden file to this list. e.g. there |
| # would be 'product.txt' and 'product.txt.orig' in this list and check in the |
| # above changes. |
| # 4. check in the changes that is made in a different repo. |
| # 5. delete 'product.txt.orig' and remove it from this list. |
| fuchsia_static_pkgs_goldens = [] |
| |
| # An optional file path to the route_sources verifier configuration to be used |
| # on the assembled fuchsia system. |
| fuchsia_route_sources_config = "" |
| |
| # An optional list of (capability, moniker) pairs that determine exceptions |
| # to the verify_route.gni build rule that prevents v2 components from |
| # attempting to use capabilities they were not offered. Generally new entries |
| # should not be added to this allowlist and acts as a marker for future |
| # technical debt to clean up. |
| fuchsia_verify_routes_exceptions_allowlist = |
| "//src/security/policy/build/verify_routes_exceptions_allowlist.json5" |
| |
| # Same as above, except this allowlist gets added in bootfs_only builds. |
| fuchsia_verify_routes_exceptions_allowlist_bootfs = "//src/security/policy/build/verify_routes_exceptions_allowlist_bootfs.json5" |
| |
| # Same as above, except these allowlists get added according to |
| # product-specific configuration. |
| fuchsia_verify_routes_exceptions_allowlist_product = [] |
| |
| # An optional component tree configuration file used to finalize dynamic |
| # elements of the component tree constructed for route verification. When |
| # non-empty, this value is passed as the `--component-tree-config` option |
| # to `ffx scrutiny verify routes` to verify routes in the fuchsia component |
| # tree. |
| fuchsia_verify_routes_component_tree_config = "" |
| |
| # An optional mapping of (scheme, resolver moniker, and resolver capability) |
| # to component monikers that determine which component resolvers are compared |
| # to the allowlist and which components are allowed to be resolved by the |
| # matching component resolver. Used by verify_component_resolvers.gni. |
| fuchsia_verify_component_resolvers_allowlist = |
| "//src/security/policy/component_resolvers_policy.json5" |
| |
| # An optional list of golden files for recovery.zbi static pkgs list. If |
| # specified, they would be compared against recovery.zbi static pkgs list |
| # during build time. At least one of the golden files must match. |
| # In normal case, there should only be golden file in this list. |
| # During a soft transition where changes are made in a different repo than |
| # the golden file repo, user need to |
| # 1. copy the old golden file before the change to '*.orig' |
| # 2. create a new golden file reflecting the changes |
| # 3. add both the old golden file and new golden file to this list. e.g. there |
| # would be 'product.txt' and 'product.txt.orig' in this list and check in the |
| # above changes. |
| # 4. check in the changes that is made in a different repo. |
| # 5. delete 'product.txt.orig' and remove it from this list. |
| recovery_static_pkgs_goldens = [] |
| |
| # Whether to allow testonly=true targets in fuchsia ZBI or base/cache packages. |
| # |
| # Possible values are |
| # "all": Allow testonly=true target in fuchsia ZBI and base/cache packages. |
| # "all_but_base_cache_packages": Do not allow testonly=true target in |
| # base/cache packages, but allow in other fuchsia ZBI dependencies. |
| # "none": Do not allow testonly=true target in all ZBI dependencies |
| # including base/cache packages. |
| # |
| # Default value is 'all', it is preferable to set to 'none' for production |
| # image to avoid accidental inclusion of testing targets. |
| testonly_in_containers = "all" |
| |
| # Controls the behavior of sysmgr's PackageUpdatingLoader (v1) and the |
| # full-resolver (v2). If true, when resolving a component an attempt to |
| # update the component's package is first made through the Software Delivery |
| # system (specifically, through the package resolver, |
| # fuchsia.pkg.PackageResolver). If false, no attempt to update is made and |
| # components are loaded only from packages already available locally (for |
| # example, because the package is in base). |
| auto_update_packages = true |
| } |
| |
| # Whether to allow testonly=true in base_packages/cache_packages. |
| base_cache_packages_testonly = false |
| if (testonly_in_containers == "all") { |
| # If we allow testonly=true for all containers, then we allow it for |
| # base/cache packges. |
| base_cache_packages_testonly = true |
| } |
| |
| # Whether to allow testonly=true in zbi("fuchsia") and all its dependencies |
| # except base_packages/cache_packages. |
| fuchsia_zbi_testonly = false |
| if (testonly_in_containers == "all" || |
| testonly_in_containers == "all_but_base_cache_packages") { |
| fuchsia_zbi_testonly = true |
| } |