Add vendor_boot to the composite disk

Give the vendor_boot partition a fixed/maximum size like boot and
recovery and add it to the composite disk. Fix up the a/b slotting for
boot and move misc to the top of the partition table. Move all of the
partitions needed by the bootloader to the top of the disk so they are
less likely to be reordered.

Giving the vendor_boot partition a fixed size allows us to enable AVB.

Bug: 155019925
Bug: 155754955
Change-Id: Ic77fd0cdf8d28ea533610773428a4dbbcd368095
Merged-In: Ic77fd0cdf8d28ea533610773428a4dbbcd368095
diff --git a/host/commands/assemble_cvd/flags.cc b/host/commands/assemble_cvd/flags.cc
index b16166c..55e6579 100644
--- a/host/commands/assemble_cvd/flags.cc
+++ b/host/commands/assemble_cvd/flags.cc
@@ -613,6 +613,26 @@
 std::vector<ImagePartition> disk_config() {
   std::vector<ImagePartition> partitions;
   partitions.push_back(ImagePartition {
+    .label = "misc",
+    .image_file_path = FLAGS_misc_image,
+  });
+  partitions.push_back(ImagePartition {
+    .label = "boot_a",
+    .image_file_path = FLAGS_boot_image,
+  });
+  partitions.push_back(ImagePartition {
+    .label = "boot_b",
+    .image_file_path = FLAGS_boot_image,
+  });
+  partitions.push_back(ImagePartition {
+    .label = "vendor_boot_a",
+    .image_file_path = FLAGS_vendor_boot_image,
+  });
+  partitions.push_back(ImagePartition {
+    .label = "vendor_boot_b",
+    .image_file_path = FLAGS_vendor_boot_image,
+  });
+  partitions.push_back(ImagePartition {
     .label = "super",
     .image_file_path = FLAGS_super_image,
   });
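Review bot: Both slots of each pair point at the same backing file: `boot_a` and `boot_b` use `FLAGS_boot_image`, and `vendor_boot_a` and `vendor_boot_b` use `FLAGS_vendor_boot_image`. If the composite disk maps these files read-write, a write to the inactive slot would also change the active one; whether that aliasing happens depends on the composite-disk code, which is outside this hunk. The order of these `push_back` calls now matters to the bootloader according to the commit description, yet nothing in the code says so. I would add a comment above the first entry, e.g. `// Bootloader-visible partitions first; keep this order stable. The _a/_b slots intentionally share one image file.` disk_config() continues past the end of the hunk.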
@@ -628,14 +648,6 @@
     .label = "metadata",
     .image_file_path = FLAGS_metadata_image,
   });
-  partitions.push_back(ImagePartition {
-    .label = "boot",
-    .image_file_path = FLAGS_boot_image,
-  });
-  partitions.push_back(ImagePartition {
-    .label = "misc",
-    .image_file_path = FLAGS_misc_image
-  });
   return partitions;
 }
 
diff --git a/shared/BoardConfig.mk b/shared/BoardConfig.mk
index 6d8220a..6506180 100644
--- a/shared/BoardConfig.mk
+++ b/shared/BoardConfig.mk
@@ -31,6 +31,7 @@
 # will not change (as is it not a filesystem.)
 BOARD_BOOTIMAGE_PARTITION_SIZE := 67108864
 BOARD_RECOVERYIMAGE_PARTITION_SIZE := 67108864
+BOARD_VENDOR_BOOTIMAGE_PARTITION_SIZE := 67108864
 
 # Build a separate vendor.img partition
 BOARD_USES_VENDORIMAGE := true
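Review bot: The new `BOARD_VENDOR_BOOTIMAGE_PARTITION_SIZE` line gives no hint of why the size is fixed; the comment above it (its start lies outside the hunk) only gives the "not a filesystem" reason. Since the commit description names AVB as the motivation, I would say so next to the value, e.g. `# Fixed size so an AVB footer can be placed on vendor_boot`. From what the diff shows, disk_config() in flags.cc takes the image by path only, so it is worth confirming that the image handed to it is the one built to this size.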
diff --git a/shared/config/fstab.ext4 b/shared/config/fstab.ext4
index 9e8d5d9..6c5d4eb 100644
--- a/shared/config/fstab.ext4
+++ b/shared/config/fstab.ext4
@@ -1,4 +1,5 @@
-boot /boot emmc defaults recoveryonly
+boot /boot emmc defaults recoveryonly,slotselect
+vendor_boot /vendor_boot emmc defaults recoveryonly,slotselect
 system /system ext4 noatime,ro,errors=panic wait,logical,first_stage_mount,slotselect
 # Add all non-dynamic partitions except system, after this comment
 /dev/block/by-name/userdata /data ext4 nodev,noatime,nosuid,errors=panic wait,fileencryption=aes-256-xts:aes-256-cts,fsverity
diff --git a/shared/config/fstab.f2fs b/shared/config/fstab.f2fs
index ace3794..493a462 100644
--- a/shared/config/fstab.f2fs
+++ b/shared/config/fstab.f2fs
@@ -1,4 +1,5 @@
-boot /boot emmc defaults recoveryonly
+boot /boot emmc defaults recoveryonly,slotselect
+vendor_boot /vendor_boot emmc defaults recoveryonly,slotselect
 system /system ext4 noatime,ro,errors=panic wait,logical,first_stage_mount,slotselect
 # Add all non-dynamic partitions except system, after this comment
 /dev/block/by-name/userdata /data f2fs nodev,noatime,nosuid,inlinecrypt,reserve_root=32768 latemount,wait,fileencryption=aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized,fsverity,keydirectory=/metadata/vold/metadata_encryption
diff --git a/shared/sepolicy/vendor/file_contexts b/shared/sepolicy/vendor/file_contexts
index 294502e..92cd450 100644
--- a/shared/sepolicy/vendor/file_contexts
+++ b/shared/sepolicy/vendor/file_contexts
@@ -3,26 +3,29 @@
 #
 
 # crosvm (x86) block devices
-/dev/block/pci/pci0000:00/0000:00:01\.0/by-name/boot u:object_r:boot_block_device:s0
-/dev/block/pci/pci0000:00/0000:00:01\.0/by-name/metadata u:object_r:metadata_block_device:s0
 /dev/block/pci/pci0000:00/0000:00:01\.0/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/pci/pci0000:00/0000:00:01\.0/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/pci/pci0000:00/0000:00:01\.0/by-name/vendor_boot_[ab] u:object_r:boot_block_device:s0
 /dev/block/pci/pci0000:00/0000:00:01\.0/by-name/super u:object_r:super_block_device:s0
 /dev/block/pci/pci0000:00/0000:00:01\.0/by-name/userdata u:object_r:userdata_block_device:s0
 /dev/block/pci/pci0000:00/0000:00:01\.0/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/pci/pci0000:00/0000:00:01\.0/by-name/metadata u:object_r:metadata_block_device:s0
 # crosvm (arm64) block devices
-/dev/block/platform/10000.pci/by-name/boot u:object_r:boot_block_device:s0
-/dev/block/platform/10000.pci/by-name/metadata u:object_r:metadata_block_device:s0
 /dev/block/platform/10000.pci/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/10000.pci/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/10000.pci/by-name/vendor_boot_[ab] u:object_r:boot_block_device:s0
 /dev/block/platform/10000.pci/by-name/super u:object_r:super_block_device:s0
 /dev/block/platform/10000.pci/by-name/userdata u:object_r:userdata_block_device:s0
 /dev/block/platform/10000.pci/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/10000.pci/by-name/metadata u:object_r:metadata_block_device:s0
 # qemu block devices
-/dev/block/pci/pci0000:00/0000:00:03\.0/by-name/boot u:object_r:boot_block_device:s0
-/dev/block/pci/pci0000:00/0000:00:03\.0/by-name/metadata u:object_r:metadata_block_device:s0
 /dev/block/pci/pci0000:00/0000:00:03\.0/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/pci/pci0000:00/0000:00:03\.0/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/pci/pci0000:00/0000:00:03\.0/by-name/vendor_boot_[ab] u:object_r:boot_block_device:s0
 /dev/block/pci/pci0000:00/0000:00:03\.0/by-name/super u:object_r:super_block_device:s0
 /dev/block/pci/pci0000:00/0000:00:03\.0/by-name/userdata u:object_r:userdata_block_device:s0
 /dev/block/pci/pci0000:00/0000:00:03\.0/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/pci/pci0000:00/0000:00:03\.0/by-name/metadata u:object_r:metadata_block_device:s0
 
 /dev/block/pmem0  u:object_r:rebootescrow_device:s0
 /dev/block/zram0  u:object_r:swap_block_device:s0
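Review bot: The arm64 entries added for `boot_[ab]` and `vendor_boot_[ab]` leave the dot in `10000.pci` unescaped, while the x86 and qemu entries escape theirs (`01\.0`, `03\.0`); in a file_contexts regex a bare dot matches any character. Writing `/dev/block/platform/10000\.pci/by-name/boot_[ab]` (and likewise for `vendor_boot_[ab]`) keeps the match exact; the neighbouring context lines share the same pattern. The unsuffixed `by-name/boot` entries are also removed, so a disk that still exposes a plain `boot` partition would presumably fall back to a generic block-device label. `vendor_boot_[ab]` reuses `boot_block_device`, which means every rule on that type now covers vendor_boot as well; a short comment stating that this is intended would help.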
diff --git a/shared/sepolicy/vendor/hal_bootctl_default.te b/shared/sepolicy/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..e727add
--- /dev/null
+++ b/shared/sepolicy/vendor/hal_bootctl_default.te
@@ -0,0 +1 @@
+allow hal_bootctl_default boot_block_device:blk_file getattr;
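Review bot: The new file has no comment explaining why the boot control HAL needs this permission. Because file_contexts in this same commit labels both `boot_[ab]` and `vendor_boot_[ab]` as `boot_block_device`, the rule grants `getattr` on all four nodes. `getattr` alone is narrow, so I would only add a line such as `# bootctl stats the boot partitions' block nodes; no read/write is granted.` above the rule, after confirming that this is what the HAL does.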