blob: 79b8f149509161b689ccd8985b78fa8a8eac383a [file] [log] [blame]
# Copyright 2021 The Fuchsia Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
# A collection of GN arguments that are used for security purpose.
declare_args() {
# An optional list of golden files for fuchsia.zbi kernel cmdline args. If
# specified, they would be compared against fuchsia.zbi kernel cmdline during
# build time.
# In normal case, there should only be golden file in this list.
# During a soft transition where changes are made in a different repo than
# the golden file repo, user need to
# 1. copy the old golden file before the change to '*.orig'
# 2. create a new golden file reflecting the changes
# 3. add both the old golden file and new golden file to this list. e.g. there
# would be 'product.txt' and 'product.txt.orig' in this list and check in the
# above changes.
# 4. check in the changes that is made in a different repo.
# 5. delete 'product.txt.orig' and remove it from this list.
fuchsia_zbi_kernel_cmdline_goldens = []
# An optional list of golden files for recovery.zbi kernel cmdline args. If
# specified, they would be compared against recovery.zbi kernel cmdline
# during build time. At least one of the golden files must match.
# In normal case, there should only be one golden file in this list.
# During a soft transition where changes are made in a different repo than
# the golden file repo, user need to
# 1. copy the old golden file before the change to '*.orig'
# 2. create a new golden file reflecting the changes
# 3. add both the old golden file and new golden file to this list. e.g. there
# would be 'product.txt' and 'product.txt.orig' in this list and check in the
# above changes.
# 4. check in the changes that is made in a different repo.
# 5. delete 'product.txt.orig' and remove it from this list.
recovery_zbi_kernel_cmdline_goldens = []
# An optional list of golden files for fuchsia.zbi bootFS file list. If
# specified, they would be compared against fuchsia.zbi bootFS file list
# during build time. At least one of the golden files must match.
# In normal case, there should only be one golden file in this list.
# During a soft transition where changes are made in a different repo than
# the golden file repo, user need to
# 1. copy the old golden file before the change to '*.orig'
# 2. create a new golden file reflecting the changes
# 3. add both the old golden file and new golden file to this list. e.g. there
# would be 'product.txt' and 'product.txt.orig' in this list and check in the
# above changes.
# 4. check in the changes that is made in a different repo.
# 5. delete 'product.txt.orig' and remove it from this list.
fuchsia_zbi_bootfs_filelist_goldens = []
# An optional list of golden files for recovery.zbi bootFS file list. If
# specified, they would be compared against recovery.zbi bootFS file list
# during build time. At least one of the golden files must match.
# In normal case, there should only be golden file in this list.
# During a soft transition where changes are made in a different repo than
# the golden file repo, user need to
# 1. copy the old golden file before the change to '*.orig'
# 2. create a new golden file reflecting the changes
# 3. add both the old golden file and new golden file to this list. e.g. there
# would be 'product.txt' and 'product.txt.orig' in this list and check in the
# above changes.
# 4. check in the changes that is made in a different repo.
# 5. delete 'product.txt.orig' and remove it from this list.
recovery_zbi_bootfs_filelist_goldens = []
# An optional list of golden files for fuchsia.zbi bootFS package index. If
# specified, they would be compared against fuchsia.zbi bootFS package index
# during build time. At least one of the golden files must match.
# In normal case, there should only be one golden file in this list.
# During a soft transition where changes are made in a different repo than
# the golden file repo, user need to
# 1. copy the old golden file before the change to '*.orig'
# 2. create a new golden file reflecting the changes
# 3. add both the old golden file and new golden file to this list. e.g. there
# would be 'product.txt' and 'product.txt.orig' in this list and check in the
# above changes.
# 4. check in the changes that is made in a different repo.
# 5. delete 'product.txt.orig' and remove it from this list.
fuchsia_zbi_bootfs_packages_goldens = []
# An optional list of golden files for recovery.zbi bootfs package index. If
# specified, they would be compared against recovery.zbi bootfs package index
# during build time. At least one of the golden files must match.
# In normal case, there should only be golden file in this list.
# During a soft transition where changes are made in a different repo than
# the golden file repo, user need to
# 1. copy the old golden file before the change to '*.orig'
# 2. create a new golden file reflecting the changes
# 3. add both the old golden file and new golden file to this list. e.g. there
# would be 'product.txt' and 'product.txt.orig' in this list and check in the
# above changes.
# 4. check in the changes that is made in a different repo.
# 5. delete 'product.txt.orig' and remove it from this list.
recovery_zbi_bootfs_packages_goldens = []
# An optional list of golden files for fuchsia.zbi static pkgs list. If
# specified, they would be compared against fuchsia.zbi static pkgs list
# during build time. At least one of the golden files must match.
# In normal case, there should only be one golden file in this list.
# During a soft transition where changes are made in a different repo than
# the golden file repo, user need to
# 1. copy the old golden file before the change to '*.orig'
# 2. create a new golden file reflecting the changes
# 3. add both the old golden file and new golden file to this list. e.g. there
# would be 'product.txt' and 'product.txt.orig' in this list and check in the
# above changes.
# 4. check in the changes that is made in a different repo.
# 5. delete 'product.txt.orig' and remove it from this list.
fuchsia_static_pkgs_goldens = []
# An optional list of golden files for recovery.zbi static pkgs list. If
# specified, they would be compared against recovery.zbi static pkgs list
# during build time. At least one of the golden files must match.
# In normal case, there should only be golden file in this list.
# During a soft transition where changes are made in a different repo than
# the golden file repo, user need to
# 1. copy the old golden file before the change to '*.orig'
# 2. create a new golden file reflecting the changes
# 3. add both the old golden file and new golden file to this list. e.g. there
# would be 'product.txt' and 'product.txt.orig' in this list and check in the
# above changes.
# 4. check in the changes that is made in a different repo.
# 5. delete 'product.txt.orig' and remove it from this list.
recovery_static_pkgs_goldens = []
# An optional file path to the structured configuration policy to be used on the
# assembled fuchsia system. Defaults to no enforcement. Policy must be provided
# for any product which is not an `eng` build type.
fuchsia_structured_config_policy = ""
# An optional file path to the structured configuration policy to be used on the
# assembled recovery system. Defaults to no enforcement. Policy must be provided
# for any product which is not an `eng` build type.
recovery_structured_config_policy = ""
# An optional file path to the route_sources verifier configuration to be used
# on the assembled fuchsia system.
fuchsia_route_sources_config = ""
# An optional file path to the route_sources verifier configuration to be used
# on the assembled recovery system.
recovery_route_sources_config = ""
# An optional list of (capability, moniker) pairs that determine exceptions
# to the verify_route.gni build rule that prevents v2 components from
# attempting to use capabilities they were not offered in the fuchsia
# system. Generally new entries should not be added to this allowlist and acts
# as a marker for future technical debt to clean up.
fuchsia_verify_routes_exceptions_allowlist =
"//src/security/policy/build/verify_routes_exceptions_allowlist.json5"
# An optional list of (capability, moniker) pairs that determine exceptions
# to the verify_route.gni build rule that prevents v2 components from
# attempting to use capabilities they were not offered in the recovery
# system. Generally new entries should not be added to this allowlist and acts
# as a marker for future technical debt to clean up.
#
# The path to this list defaults to "" because most build configurations do
# perform recovery build verification. The canonical allowlist for build
# configurations that do perform recovery build verification is
# "//src/security/policy/build/verify_routes_exceptions_allowlist.json5".
recovery_verify_routes_exceptions_allowlist = ""
# Same as fuchsia_verify_routes_exceptions_allowlist, except this allowlist
# gets added in bootfs_only builds.
fuchsia_verify_routes_exceptions_allowlist_bootfs = "//src/security/policy/build/verify_routes_exceptions_allowlist_bootfs.json5"
# Same as recovery_verify_routes_exceptions_allowlist, except this allowlist
# gets added in bootfs_only builds.
#
# The path to this list defaults to "" because most build configurations do
# perform recovery build verification. The canonical allowlist for build
# configurations that do perform recovery build verification is
# "//src/security/policy/build/verify_routes_exceptions_allowlist_bootfs.json5".
recovery_verify_routes_exceptions_allowlist_bootfs = ""
# Same as fuchsia_verify_routes_exceptions_allowlist, except these allowlists
# get added according to product-specific configuration.
fuchsia_verify_routes_exceptions_allowlist_product = []
# Same as recovery_verify_routes_exceptions_allowlist, except these allowlists
# get added according to product-specific configuration.
recovery_verify_routes_exceptions_allowlist_product = []
# An optional component tree configuration file used to finalize dynamic
# elements of the component tree constructed for route verification on the
# fuchsia assembled system. When non-empty, this value is passed as the
# `--component-tree-config` option to `ffx scrutiny verify routes` to verify
# routes in the fuchsia component tree.
fuchsia_verify_routes_component_tree_config = ""
# An optional component tree configuration file used to finalize dynamic
# elements of the component tree constructed for route verification on the
# recovery assembled system. When non-empty, this value is passed as the
# `--component-tree-config` option to `ffx scrutiny verify routes` to verify
# routes in the fuchsia component tree.
recovery_verify_routes_component_tree_config = ""
# An optional mapping of (scheme, resolver moniker, and resolver capability)
# to component monikers that determine which component resolvers are compared
# to the allowlist and which components are allowed to be resolved by the
# matching component resolver in the fuchsia assembled system. Used by
# verify_component_resolvers.gni.
fuchsia_verify_component_resolvers_allowlist =
"//src/security/policy/component_resolvers_policy.json5"
# An optional mapping of (scheme, resolver moniker, and resolver capability)
# to component monikers that determine which component resolvers are compared
# to the allowlist and which components are allowed to be resolved by the
# matching component resolver in the recovery assembled system. Used by
# verify_component_resolvers.gni.
recovery_verify_component_resolvers_allowlist =
"//src/security/policy/component_resolvers_policy.json5"
# Whether to allow testonly=true targets in fuchsia ZBI or base/cache packages.
#
# Possible values are
# "all": Allow testonly=true target in fuchsia ZBI and base/cache packages.
# "all_but_base_cache_packages": Do not allow testonly=true target in
# base/cache packages, but allow in other fuchsia ZBI dependencies.
# "none": Do not allow testonly=true target in all ZBI dependencies
# including base/cache packages.
#
# Default value is 'all', it is preferable to set to 'none' for production
# image to avoid accidental inclusion of testing targets.
testonly_in_containers = "all"
# Controls the behavior of sysmgr's PackageUpdatingLoader (v1) and the
# full-resolver (v2). If true, when resolving a component an attempt to
# update the component's package is first made through the Software Delivery
# system (specifically, through the package resolver,
# fuchsia.pkg.PackageResolver). If false, no attempt to update is made and
# components are loaded only from packages already available locally (for
# example, because the package is in base).
auto_update_packages = true
# Whether to allow base-resolver to resolve subpackages.
# TODO(fxbug.dev/102652): This configuration will be removed when subpackages
# is generally available.
base_resolver_enable_subpackages = false
# Whether to allow full-resolver to resolve subpackages.
# TODO(fxbug.dev/102652): This configuration will be removed when subpackages
# is generally available.
full_resolver_enable_subpackages = false
}
# Whether to allow testonly=true in base_packages/cache_packages.
base_cache_packages_testonly = false
if (testonly_in_containers == "all") {
# If we allow testonly=true for all containers, then we allow it for
# base/cache packges.
base_cache_packages_testonly = true
}
# Whether to allow testonly=true in zbi("fuchsia") and all its dependencies
# except base_packages/cache_packages.
fuchsia_zbi_testonly = false
if (testonly_in_containers == "all" ||
testonly_in_containers == "all_but_base_cache_packages") {
fuchsia_zbi_testonly = true
}