Merge changes I2ba6d40e,I8a7f3d4a
* changes:
Qualify 8250 based serial port flag
Remove obsolete vport_trigger tool
diff --git a/host/commands/secure_env/secure_env.cpp b/host/commands/secure_env/secure_env.cpp
index 434d99b..720189c 100644
--- a/host/commands/secure_env/secure_env.cpp
+++ b/host/commands/secure_env/secure_env.cpp
@@ -17,10 +17,15 @@
#include <gflags/gflags.h>
#include <keymaster/android_keymaster.h>
#include <keymaster/contexts/pure_soft_keymaster_context.h>
+#include <tss2/tss2_esys.h>
+#include <tss2/tss2_rc.h>
#include "common/libs/fs/shared_fd.h"
#include "common/libs/security/keymaster_channel.h"
+#include "host/commands/secure_env/in_process_tpm.h"
#include "host/commands/secure_env/keymaster_responder.h"
+#include "host/commands/secure_env/tpm_keymaster_context.h"
+#include "host/commands/secure_env/tpm_resource_manager.h"
#include "host/libs/config/logging.h"
// Copied from AndroidKeymaster4Device
@@ -28,14 +33,60 @@
DEFINE_int32(keymaster_fd, -1, "A file descriptor for keymaster communication");
+DEFINE_string(keymaster_impl,
+ "software",
+ "The keymaster implementation. "
+ "\"in_process_tpm\" or \"software\"");
+
int main(int argc, char** argv) {
cuttlefish::DefaultSubprocessLogging(argv);
gflags::ParseCommandLineFlags(&argc, &argv, true);
// keymaster::AndroidKeymaster puts the given pointer into a UniquePtr,
// taking ownership.
- keymaster::PureSoftKeymasterContext* keymaster_context
- = new keymaster::PureSoftKeymasterContext(KM_SECURITY_LEVEL_SOFTWARE);
- keymaster::AndroidKeymaster keymaster{keymaster_context, kOperationTableSize};
+ keymaster::KeymasterContext* keymaster_context;
+
+ std::unique_ptr<InProcessTpm> in_process_tpm;
+ std::unique_ptr<ESYS_CONTEXT, void(*)(ESYS_CONTEXT*)> esys(
+ nullptr, [](ESYS_CONTEXT* esys) { Esys_Finalize(&esys); });
+ std::unique_ptr<TpmResourceManager> resource_manager;
+
+ if (FLAGS_keymaster_impl == "software") {
+ keymaster_context =
+ new keymaster::PureSoftKeymasterContext(KM_SECURITY_LEVEL_SOFTWARE);
+ } else if (FLAGS_keymaster_impl == "in_process_tpm") {
+ in_process_tpm.reset(new InProcessTpm());
+ ESYS_CONTEXT* esys_ptr = nullptr;
+ auto rc =
+ Esys_Initialize(&esys_ptr, in_process_tpm->TctiContext(), nullptr);
+ if (rc != TPM2_RC_SUCCESS) {
+ LOG(FATAL) << "Could not initialize esys: " << Tss2_RC_Decode(rc)
+ << " (" << rc << ")";
+ }
+ esys.reset(esys_ptr);
+ rc = Esys_Startup(esys.get(), TPM2_SU_CLEAR);
+ if (rc != TPM2_RC_SUCCESS) {
+ LOG(FATAL) << "TPM2_Startup failed: " << Tss2_RC_Decode(rc)
+ << " (" << rc << ")";
+ }
+ // TODO(schuffelen): Call this only on first boot.
+ rc = Esys_Clear(
+ esys.get(),
+ ESYS_TR_RH_PLATFORM,
+ ESYS_TR_PASSWORD,
+ ESYS_TR_NONE,
+ ESYS_TR_NONE);
+ if (rc != TPM2_RC_SUCCESS) {
+ LOG(FATAL) << "TPM2_Clear failed: " << Tss2_RC_Decode(rc)
+ << " (" << rc << ")";
+ }
+ resource_manager.reset(new TpmResourceManager(esys.get()));
+ keymaster_context = new TpmKeymasterContext(resource_manager.get());
+ } else {
+ LOG(FATAL) << "Unknown keymaster implementation " << FLAGS_keymaster_impl;
+ return -1;
+ }
+ keymaster::AndroidKeymaster keymaster{
+ keymaster_context, kOperationTableSize};
CHECK(FLAGS_keymaster_fd != -1)
<< "TODO(schuffelen): Add keymaster_fd alternative";
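Review bot: The `Esys_Clear` call under `ESYS_TR_RH_PLATFORM` runs on every start of the `in_process_tpm` branch, and the TODO above it does not say what is lost when it does. TPM2_Clear replaces the storage hierarchy seed, so anything the keymaster context protected under that hierarchy in an earlier run can no longer be loaded; the comment should say so, e.g. `// Resets the owner hierarchy on every start, so TPM-bound key blobs from a previous run become unusable.` ahead of the existing TODO. The call authorizes with `ESYS_TR_PASSWORD` and no `Esys_TR_SetAuth` is visible, so the platform auth value is presumably empty, which deserves a line stating that this is acceptable only for the in-process simulator. Separately, `keymaster_context` is declared uninitialized (`keymaster::KeymasterContext* keymaster_context = nullptr;` is safer), and the `FLAGS_keymaster_fd` CHECK could move ahead of the TPM setup so a bad invocation fails before anything is cleared. main continues past the end of the hunk.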
diff --git a/host/frontend/gcastv2/signaling_server/Android.bp b/host/frontend/gcastv2/signaling_server/Android.bp
index 731396d..332241e 100644
--- a/host/frontend/gcastv2/signaling_server/Android.bp
+++ b/host/frontend/gcastv2/signaling_server/Android.bp
@@ -44,7 +44,6 @@
"libgflags",
"libjsoncpp",
"libhttps",
- "libwebrtc",
"libcuttlefish_utils",
"libcuttlefish_host_config"
],
diff --git a/host/frontend/gcastv2/signaling_server/server_config.cpp b/host/frontend/gcastv2/signaling_server/server_config.cpp
index be419ae..efcae93 100644
--- a/host/frontend/gcastv2/signaling_server/server_config.cpp
+++ b/host/frontend/gcastv2/signaling_server/server_config.cpp
@@ -32,7 +32,9 @@
Json::Value ice_servers(Json::ValueType::arrayValue);
for (const auto& str : stun_servers_) {
Json::Value server;
- server["urls"] = StartsWith(str, kStunPrefix)? str: kStunPrefix + str;
+ Json::Value urls(Json::ValueType::arrayValue);
+ urls.append(StartsWith(str, kStunPrefix)? str: kStunPrefix + str);
+ server["urls"] = urls;
ice_servers.append(server);
}
Json::Value server_config;
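Review bot: Nothing in the hunk records why `urls` is now a one-element array instead of a plain string, so a later cleanup could fold it back. A short comment above the `Json::Value urls(...)` line would help, for example `// Always emit "urls" as an array; consumers of this config expect a list.` (adjust to the actual reason, which is not visible here). The enclosing function starts and ends outside the hunk.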
diff --git a/host/frontend/gcastv2/webrtc/Android.bp b/host/frontend/gcastv2/webrtc/Android.bp
index d406446..8b5dcaf 100644
--- a/host/frontend/gcastv2/webrtc/Android.bp
+++ b/host/frontend/gcastv2/webrtc/Android.bp
@@ -14,7 +14,7 @@
// limitations under the License.
cc_library_static {
- name: "libwebrtc",
+ name: "libwebrtc_cf",
srcs: [
"AdbHandler.cpp",
"DTLS.cpp",
@@ -91,7 +91,7 @@
"libjsoncpp",
"libsource",
"libsrtp2",
- "libwebrtc",
+ "libwebrtc_cf",
"libdrm",
"libffi",
"libwayland_server",
diff --git a/host/libs/vm_manager/crosvm_manager.cpp b/host/libs/vm_manager/crosvm_manager.cpp
index c8867a8..e072f36 100644
--- a/host/libs/vm_manager/crosvm_manager.cpp
+++ b/host/libs/vm_manager/crosvm_manager.cpp
@@ -274,14 +274,19 @@
crosvm_cmd.AddParameter(config_->GetKernelImageToUse());
}
- // TODO(schuffelen): QEMU also needs this and this is not the best place for
- // this code. Find a better place to put it.
- auto lease_file =
- cuttlefish::ForCurrentInstance("/var/run/cuttlefish-dnsmasq-cvd-wbr-")
- + ".leases";
- if (!ReleaseDhcpLeases(lease_file, wifi_tap)) {
- LOG(ERROR) << "Failed to release wifi DHCP leases. Connecting to the wifi "
- << "network may not work.";
+ // Only run the leases workaround if we are not using the new network
+ // bridge architecture - in that case, we have a wider DHCP address
+ // space and stale leases should be much less of an issue
+ if (!cuttlefish::FileExists("/var/run/cuttlefish-dnsmasq-cvd-wbr.leases")) {
+ // TODO(schuffelen): QEMU also needs this and this is not the best place for
+ // this code. Find a better place to put it.
+ auto lease_file =
+ cuttlefish::ForCurrentInstance("/var/run/cuttlefish-dnsmasq-cvd-wbr-")
+ + ".leases";
+ if (!ReleaseDhcpLeases(lease_file, wifi_tap)) {
+ LOG(ERROR) << "Failed to release wifi DHCP leases. Connecting to the wifi "
+ << "network may not work.";
+ }
}
std::vector<cuttlefish::Command> ret;
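Review bot: The new guard infers the network architecture from whether `/var/run/cuttlefish-dnsmasq-cvd-wbr.leases` exists, which is a side effect on disk rather than a configuration value. A leases file left behind by an earlier host setup, or one that dnsmasq has not created yet, would flip the branch without any trace in the log. Consider naming the path as a constant next to the per-instance prefix and logging which branch was taken, e.g. `LOG(DEBUG) << "Shared wifi bridge leases file found, skipping DHCP lease release";` in an `else`. The enclosing function starts and ends outside the hunk.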
diff --git a/shared/config/task_profiles.json b/shared/config/task_profiles.json
index b883c46..5844ee7 100644
--- a/shared/config/task_profiles.json
+++ b/shared/config/task_profiles.json
@@ -1,47 +1,4 @@
{
- "Attributes": [
- {
- "Name": "LowCapacityCPUs",
- "Controller": "cpuset",
- "File": "background/cpus"
- },
- {
- "Name": "HighCapacityCPUs",
- "Controller": "cpuset",
- "File": "foreground/cpus"
- },
- {
- "Name": "MaxCapacityCPUs",
- "Controller": "cpuset",
- "File": "top-app/cpus"
- },
- {
- "Name": "MemLimit",
- "Controller": "memory",
- "File": "memory.limit_in_bytes"
- },
- {
- "Name": "MemSoftLimit",
- "Controller": "memory",
- "File": "memory.soft_limit_in_bytes"
- },
- {
- "Name": "MemSwappiness",
- "Controller": "memory",
- "File": "memory.swappiness"
- },
- {
- "Name": "UClampMin",
- "Controller": "cpu",
- "File": "cpu.uclamp.min"
- },
- {
- "Name": "UClampMax",
- "Controller": "cpu",
- "File": "cpu.uclamp.max"
- }
- ],
-
"Profiles": [
{
"Name": "HighEnergySaving",
diff --git a/shared/sepolicy/vendor/device.te b/shared/sepolicy/vendor/device.te
index e63eddf..b698e35 100644
--- a/shared/sepolicy/vendor/device.te
+++ b/shared/sepolicy/vendor/device.te
@@ -1,3 +1,2 @@
# Device types
type ab_block_device, dev_type;
-type virtual_serial_device, dev_type;
diff --git a/shared/sepolicy/vendor/file_contexts b/shared/sepolicy/vendor/file_contexts
index 5312795..4c26ad9 100644
--- a/shared/sepolicy/vendor/file_contexts
+++ b/shared/sepolicy/vendor/file_contexts
@@ -38,7 +38,7 @@
/dev/dri u:object_r:gpu_device:s0
/dev/dri/card0 u:object_r:graphics_device:s0
/dev/dri/renderD128 u:object_r:gpu_device:s0
-/dev/vport[0-9]p[0-9]* u:object_r:virtual_serial_device:s0
+/dev/hvc[0-9]* u:object_r:serial_device:s0
/dev/vtpmx u:object_r:vtpm_creation_device:s0
/dev/tpmrm0 u:object_r:tpm_resource_manager:s0
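Review bot: Relabelling the console nodes from the device-specific `virtual_serial_device` to the platform type `serial_device` widens access: every domain that already holds a rule on `serial_device:chr_file` now reaches `/dev/hvc*`, not only the domains this policy names. Which domains those are is not visible in this diff, so the commit description or a comment next to the `/dev/hvc[0-9]*` entry should state that the broader type is intended. The same applies to the `allow logpersist serial_device:chr_file ra_file_perms;` rule in logpersist.te, which now grants logpersist read/append on every node carrying that label. Note also that `[0-9]*` matches zero digits, so a bare `/dev/hvc` would be labelled too; `/dev/hvc[0-9]+` is tighter if that is not wanted.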
diff --git a/shared/sepolicy/vendor/logpersist.te b/shared/sepolicy/vendor/logpersist.te
index 84e43ee..20add55 100644
--- a/shared/sepolicy/vendor/logpersist.te
+++ b/shared/sepolicy/vendor/logpersist.te
@@ -3,6 +3,6 @@
# the /dev filesystem.
allow logpersist device:dir r_dir_perms;
allow logpersist device:fifo_file ra_file_perms;
-allow logpersist virtual_serial_device:chr_file ra_file_perms;
+allow logpersist serial_device:chr_file ra_file_perms;
allowxperm logpersist device:fifo_file ioctl F2FS_IOC_SET_PIN_FILE;
diff --git a/tools/create_base_image_gce.sh b/tools/create_base_image_gce.sh
index 6db2463..3bbb865 100755
--- a/tools/create_base_image_gce.sh
+++ b/tools/create_base_image_gce.sh
@@ -102,6 +102,10 @@
# Vulkan loader
sudo chroot /mnt/image /usr/bin/apt install -y libvulkan1
+# Wayland-server needed to have Nvidia driver fail gracefully when attemping to
+# use the EGL API on GCE instances without a GPU.
+sudo chroot /mnt/image /usr/bin/apt install -y libwayland-server0
+
# Clean up the builder's version of resolv.conf
sudo rm /mnt/image/etc/resolv.conf
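Review bot: The added comment has a typo, `attemping` should read `attempting`. The package is also installed without a version and without a visible failure check. Whether the script runs under `set -e` cannot be seen from this hunk; if it does not, a failed install would leave the base image without the library while the build carries on.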
diff --git a/vsoc_x86_noapex/aosp_cf_noapex.mk b/vsoc_x86_noapex/aosp_cf_noapex.mk
index fcf7607..8739a06 100644
--- a/vsoc_x86_noapex/aosp_cf_noapex.mk
+++ b/vsoc_x86_noapex/aosp_cf_noapex.mk
@@ -17,7 +17,7 @@
# Order of this and the following statements is important.
# Putting this first in the list takes precedence over the one inherited from
# aosp_cf.
-PRODUCT_PROPERTY_OVERRIDES += ro.apex.updatable=false
+OVERRIDE_TARGET_FLATTEN_APEX := true
$(call inherit-product, device/google/cuttlefish/vsoc_x86/phone/aosp_cf.mk)
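Review bot: The three comment lines above the changed statement still describe list precedence for a property appended with `+=`, which no longer matches a plain `:=` assignment of `OVERRIDE_TARGET_FLATTEN_APEX`. Reword them to say what matters now, e.g. `# Must be set before inheriting aosp_cf.mk so the inherited product sees the flattened-APEX override.` (confirm that this ordering is still the requirement).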