Add a factory-reset-protected block device.

This is unfortunately non-functional on the device without an
implementation the framework can use.

Test: launch_cvd
Test: launch_cvd with ag/13329066 and ag/13329106
Bug: 175078763
Change-Id: I16f7e94cf845de2280bc8b1ef9af5232dee13935
diff --git a/host/commands/assemble_cvd/assemble_cvd.cc b/host/commands/assemble_cvd/assemble_cvd.cc
index 0008243..4e4ad92 100644
--- a/host/commands/assemble_cvd/assemble_cvd.cc
+++ b/host/commands/assemble_cvd/assemble_cvd.cc
@@ -159,6 +159,7 @@
       preserving.insert("modem_nvram.json");
       preserving.insert("disk_config.txt");
       preserving.insert("recording");
+      preserving.insert("factory_reset_protected.img");
       std::stringstream ss;
       for (int i = 0; i < FLAGS_modem_simulator_count; i++) {
         ss.clear();
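Review bot: The new `preserving.insert("factory_reset_protected.img")` entry is a bare file name like its neighbours, but the image is created under `PerInstanceInternalPath(...)` (cuttlefish_config_instance.cpp hunk), not directly in the instance directory. How the preserve set is matched is not visible in this hunk, so it is worth confirming that a file in the internal subdirectory really is kept across a relaunch. If it is not, the FRP state is silently recreated blank on every launch. A comment such as `// FRP data must persist across launches` would record the intent. The enclosing block starts and ends outside the hunk.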
diff --git a/host/commands/assemble_cvd/disk_flags.cc b/host/commands/assemble_cvd/disk_flags.cc
index 129fce3..1b59971 100644
--- a/host/commands/assemble_cvd/disk_flags.cc
+++ b/host/commands/assemble_cvd/disk_flags.cc
@@ -483,6 +483,11 @@
       CreateBlankImage(instance.sdcard_path(),
                        FLAGS_blank_sdcard_image_mb, "sdcard");
     }
+
+    const auto frp = instance.factory_reset_protected_path();
+    if (!FileExists(frp)) {
+      CreateBlankImage(frp, 1 /* mb */, "none");
+    }
   }
 
   // libavb expects to be able to read the maximum vbmeta size, so we must
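Review bot: The added block reuses whatever file already exists at `frp` without checking its size, and `1 /* mb */` and `"none"` are unexplained literals. A zero-length or truncated leftover would be attached as the guest's FRP device as-is. Consider a named constant for the size and a comment such as `// Created once and then reused: FRP data has to persist across launches`. If `CreateBlankImage` can report failure, that result is dropped here, as in the sdcard call above. The enclosing function starts and ends outside the hunk.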
diff --git a/host/commands/assemble_cvd/flags.cc b/host/commands/assemble_cvd/flags.cc
index 7ea113a..6028574 100644
--- a/host/commands/assemble_cvd/flags.cc
+++ b/host/commands/assemble_cvd/flags.cc
@@ -646,6 +646,7 @@
     instance.set_virtual_disk_paths({
       const_instance.PerInstancePath("overlay.img"),
       const_instance.sdcard_path(),
+      const_instance.factory_reset_protected_path(),
     });
 
     std::array<unsigned char, 6> mac_address;
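Review bot: The position of `const_instance.factory_reset_protected_path()` in this list is load-bearing, but nothing here says so. The ueventd.rc and file_contexts hunks of this commit attach the `0660 system system` mode and the `frp_block_device` label to `/dev/block/vdc`, which presumably is the third entry passed to `set_virtual_disk_paths`. If another disk is later inserted ahead of it, that mode and label would land on a different disk while the FRP image gets whatever the next name has. A comment such as `// Order matters: the third disk is /dev/block/vdc, which ueventd.rc and sepolicy treat as the FRP device` would help; a stable by-name path, like the `by-name` entries visible in file_contexts, would remove the coupling. The enclosing function starts and ends outside the hunk.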
diff --git a/host/libs/config/cuttlefish_config.h b/host/libs/config/cuttlefish_config.h
index e5a2fa0..87e1540 100644
--- a/host/libs/config/cuttlefish_config.h
+++ b/host/libs/config/cuttlefish_config.h
@@ -445,6 +445,8 @@
 
     // Wifi MAC address inside the guest
     std::array<unsigned char, 6> wifi_mac_address() const;
+
+    std::string factory_reset_protected_path() const;
   };
 
   // A view into an existing CuttlefishConfig object for a particular instance.
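Review bot: `factory_reset_protected_path()` is declared without a comment, unlike `wifi_mac_address()` just above it. Something like `// Host path of the image that backs the guest's factory reset protection block device` would make clear that this is a host-side file and not a guest device path.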
diff --git a/host/libs/config/cuttlefish_config_instance.cpp b/host/libs/config/cuttlefish_config_instance.cpp
index d0f919e..c808440 100644
--- a/host/libs/config/cuttlefish_config_instance.cpp
+++ b/host/libs/config/cuttlefish_config_instance.cpp
@@ -412,6 +412,10 @@
   return mac_address;
 }
 
+std::string CuttlefishConfig::InstanceSpecific::factory_reset_protected_path() const {
+  return PerInstanceInternalPath("factory_reset_protected.img");
+}
+
 std::string CuttlefishConfig::InstanceSpecific::PerInstancePath(
     const char* file_name) const {
   return (instance_dir() + "/") + file_name;
diff --git a/shared/config/ueventd.rc b/shared/config/ueventd.rc
index 77613e9..3c2dff5 100644
--- a/shared/config/ueventd.rc
+++ b/shared/config/ueventd.rc
@@ -26,3 +26,6 @@
 /dev/hvc4 0660 system system
 
 /dev/gnss0 0664 system system
+
+# Factory Reset Protection
+/dev/block/vdc 0660 system system
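Review bot: `/dev/block/vdc 0660 system system` gives every process in the `system` group read/write access to the raw FRP block device. Which consumer opens the node is not visible in this change, so it is worth confirming whether group access is needed; if only the `system` user opens it, `/dev/block/vdc 0600 system system` is the narrower grant.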
diff --git a/shared/sepolicy/vendor/file_contexts b/shared/sepolicy/vendor/file_contexts
index a72facf..cfd1a6c 100644
--- a/shared/sepolicy/vendor/file_contexts
+++ b/shared/sepolicy/vendor/file_contexts
@@ -12,6 +12,7 @@
 /dev/block/by-name/cache u:object_r:cache_block_device:s0
 /dev/block/by-name/metadata u:object_r:metadata_block_device:s0
 
+/dev/block/vdc  u:object_r:frp_block_device:s0
 /dev/block/pmem0  u:object_r:rebootescrow_device:s0
 /dev/block/zram0  u:object_r:swap_block_device:s0
 /dev/dri u:object_r:gpu_device:s0
diff --git a/shared/sepolicy/vendor/genfs_contexts b/shared/sepolicy/vendor/genfs_contexts
index b3bf300..6cc0dc4 100644
--- a/shared/sepolicy/vendor/genfs_contexts
+++ b/shared/sepolicy/vendor/genfs_contexts
@@ -5,7 +5,8 @@
 pushdef(`cf_pci_block_device', `dnl
 genfscon sysfs $1/0000:00:eval($2 + 0, 16, 2).0/virtio`'eval($3 + 0)`'/block u:object_r:sysfs_devices_block:s0 # vda
 genfscon sysfs $1/0000:00:eval($2 + 1, 16, 2).0/virtio`'eval($3 + 1)`'/block u:object_r:sysfs_devices_block:s0 # vdb
-genfscon sysfs $1/0000:00:eval($2 + 2, 16, 2).0/virtio`'eval($3 + 2)`'/ndbus0 u:object_r:sysfs_devices_block:s0 # pmem0
+genfscon sysfs $1/0000:00:eval($2 + 2, 16, 2).0/virtio`'eval($3 + 2)`'/block u:object_r:sysfs_devices_block:s0 # vdc
+genfscon sysfs $1/0000:00:eval($2 + 3, 16, 2).0/virtio`'eval($3 + 3)`'/ndbus0 u:object_r:sysfs_devices_block:s0 # pmem0
 dnl')dnl
 dnl
 dnl # $1 = pci prefix
@@ -29,7 +30,7 @@
 dnl
 # crosvm (x86)
 cf_pci_block_device(/devices/pci0000:00, 0x6, 5)
-cf_pci_gpu_device(/devices/pci0000:00, 0x10)
+cf_pci_gpu_device(/devices/pci0000:00, 0x11)
 ## find /sys/devices/platform/* -type d -name 'rtc[0-9]' | sed 's,/rtc[0-9],,'
 genfscon sysfs /devices/platform/rtc_cmos/rtc u:object_r:sysfs_rtc:s0
 ## find /sys/devices/platform/* -type d -name 'wakeup[0-9]'
@@ -39,7 +40,7 @@
 
 # crosvm (arm64)
 cf_pci_block_device(/devices/platform/10000.pci, 0x6, 4)
-cf_pci_gpu_device(/devices/platform/10000.pci/pci0000:00, 0x10)
+cf_pci_gpu_device(/devices/platform/10000.pci/pci0000:00, 0x11)
 ## find /sys/devices/platform/* -type d -name 'rtc[0-9]' | sed 's,/rtc[0-9],,'
 genfscon sysfs /devices/platform/2000.rtc/rtc u:object_r:sysfs_rtc:s0
 ## find /sys/devices/platform/* -type d -name 'wakeup[0-9]'
@@ -58,7 +59,7 @@
 
 # qemu (arm64)
 cf_pci_block_device(/devices/platform/4010000000.pcie/pci0000:00, 0x6, 4)
-cf_pci_gpu_device(/devices/platform/4010000000.pcie/pci0000:00, 0xe)
+cf_pci_gpu_device(/devices/platform/4010000000.pcie/pci0000:00, 0xf)
 ## find /sys/devices/platform/* -type d -name 'rtc[0-9]' | sed 's,/rtc[0-9],,'
 genfscon sysfs /devices/platform/9010000.pl031/rtc u:object_r:sysfs_rtc:s0
 ## find /sys/devices/platform/* -type d -name 'wakeup[0-9]'
@@ -66,7 +67,7 @@
 
 # qemu (arm)
 cf_pci_block_device(/devices/platform/3f000000.pcie/pci0000:00, 0x6, 4)
-cf_pci_gpu_device(/devices/platform/3f000000.pcie/pci0000:00, 0xe)
+cf_pci_gpu_device(/devices/platform/3f000000.pcie/pci0000:00, 0xf)
 
 # common on all platforms / vm managers
 genfscon sysfs /devices/platform/rtc-test.0/rtc u:object_r:sysfs_rtc:s0
diff --git a/shared/sepolicy/vendor/init.te b/shared/sepolicy/vendor/init.te
index f11adf4..56e7df0 100644
--- a/shared/sepolicy/vendor/init.te
+++ b/shared/sepolicy/vendor/init.te
@@ -24,3 +24,5 @@
 
 allow init keymaster_device:chr_file rw_file_perms;
 allow init gatekeeper_device:chr_file rw_file_perms;
+
+allow init frp_block_device:blk_file setattr;
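Review bot: `allow init frp_block_device:blk_file setattr;` is added without a comment, and nothing in this change shows init changing the owner or mode of the FRP node; the ueventd.rc hunk already sets them. A one-line comment naming what needs the permission, e.g. `# init chowns/chmods the FRP block device (<where this happens>)`, would let a later reader judge whether the grant is still required or can be dropped.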