openkylin
/
android-platform-external-boringssl
mirror of https://gitee.com/openkylin/android-platform-external-boringssl.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity
android-platform-external-b.../Android.bp

864 lines
23 KiB
Plaintext
Raw Permalink Blame History

// Note that some host libraries have the same module name as the target
// libraries. This is currently needed to build, for example, adb. But it's
// probably something that should be changed.
package {
default_visibility: ["//visibility:private"],
default_applicable_licenses: ["external_boringssl_license"],
}
// Added automatically by a large-scale-change that took the approach of
// 'apply every license found to every target'. While this makes sure we respect
// every license restriction, it may not be entirely correct.
//
// e.g. GPL in an MIT project might only apply to the contrib/ directory.
//
// Please consider splitting the single license below into multiple licenses,
// taking care not to lose any license_kind information, and overriding the
// default license using the 'licenses: [...]' property on targets as needed.
//
// For unused files, consider creating a 'fileGroup' with "//visibility:private"
// to attach the license to, and including a comment whether the files may be
// used in the current project.
// See: http://go/android-license-faq
license {
name: "external_boringssl_license",
visibility: [":__subpackages__"],
license_kinds: [
"SPDX-license-identifier-Apache-2.0",
"SPDX-license-identifier-BSD",
"SPDX-license-identifier-ISC",
"SPDX-license-identifier-MIT",
"SPDX-license-identifier-OpenSSL",
"legacy_unencumbered",
],
license_text: [
"NOTICE",
],
}
// Pull in the autogenerated sources modules
build = ["sources.bp"]
// Used by libcrypto, libssl, bssl tool, and native tests
cc_defaults {
name: "boringssl_flags",
vendor_available: true,
product_available: true,
cflags: [
"-fvisibility=hidden",
"-DBORINGSSL_SHARED_LIBRARY",
"-DBORINGSSL_ANDROID_SYSTEM",
"-DOPENSSL_SMALL",
"-Werror",
"-Wno-unused-parameter",
],
cppflags: [
"-Wall",
"-Werror",
],
// Build BoringSSL and its tests against the same STL.
sdk_version: "9",
stl: "libc++_static",
}
// Used by libcrypto + libssl
cc_defaults {
name: "boringssl_defaults",
local_include_dirs: ["src/include"],
export_include_dirs: ["src/include"],
cflags: ["-DBORINGSSL_IMPLEMENTATION"],
}
//// libcrypto
cc_defaults {
name: "libcrypto_defaults",
host_supported: true,
ramdisk_available: true,
vendor_ramdisk_available: true,
// Windows and Macs both have problems with assembly files
target: {
windows: {
enabled: true,
cflags: ["-DOPENSSL_NO_ASM"],
host_ldlibs: ["-lws2_32"],
},
darwin: {
cflags: ["-DOPENSSL_NO_ASM"],
},
host: {
host_ldlibs: ["-lpthread"],
},
android: {
// On FIPS builds (i.e. Android only) prevent other libraries
// from pre-empting symbols in libcrypto which could affect FIPS
// compliance and cause integrity checks to fail. See b/160231064.
ldflags: ["-Wl,-Bsymbolic"],
},
},
local_include_dirs: ["src/crypto"],
stl: "none",
}
// Boring Crypto Module object file.
// Any changes here must also be reflected in bcm_object_for_testing below.
cc_object {
name: "bcm_object",
device_supported: true,
recovery_available: true,
native_bridge_supported: true,
defaults: [
"libcrypto_bcm_sources",
"libcrypto_defaults",
"boringssl_defaults",
"boringssl_flags",
],
sanitize: {
address: false,
hwaddress: false,
memtag_stack: false,
fuzzer: false,
},
target: {
android: {
cflags: [
"-DBORINGSSL_FIPS",
"-fPIC",
// -fno[data|text]-sections required to ensure a
// single text and data section for FIPS integrity check
"-fno-data-sections",
"-fno-function-sections",
],
linker_script: "src/crypto/fipsmodule/fips_shared.lds",
},
// Temporary hack to let BoringSSL build with a new compiler.
// This doesn't enable HWASAN unconditionally, it just causes
// BoringSSL's asm code to unconditionally use a HWASAN-compatible
// global variable reference so that the non-HWASANified (because of
// sanitize: { hwaddress: false } above) code in the BCM can
// successfully link against the HWASANified code in the rest of
// BoringSSL in HWASAN builds.
android_arm64: {
asflags: [
"-fsanitize=hwaddress",
],
},
},
apex_available: [
"//apex_available:platform",
"com.android.adbd",
"com.android.adservices",
"com.android.art",
"com.android.art.debug",
"com.android.art.testing",
"com.android.btservices",
"com.android.compos",
"com.android.conscrypt",
"com.android.extservices",
"com.android.resolv",
"com.android.virt",
],
min_sdk_version: "29",
}
// Version of bcm_object built with BORINGSSL_FIPS_BREAK_TESTS defined.
// Only for use with the FIPS break-tests.sh script.
// Must be kept in sync with bcm_object.
cc_object {
name: "bcm_object_for_testing",
visibility: [
"//external/boringssl",
],
device_supported: true,
defaults: [
"libcrypto_bcm_sources",
"libcrypto_defaults",
"boringssl_defaults",
"boringssl_flags",
],
sanitize: {
address: false,
hwaddress: false,
fuzzer: false,
},
target: {
android: {
cflags: [
"-DBORINGSSL_FIPS",
"-DBORINGSSL_FIPS_BREAK_TESTS",
"-fPIC",
// -fno[data|text]-sections required to ensure a
// single text and data section for FIPS integrity check
"-fno-data-sections",
"-fno-function-sections",
],
linker_script: "src/crypto/fipsmodule/fips_shared.lds",
},
// Temporary hack to let BoringSSL build with a new compiler.
// This doesn't enable HWASAN unconditionally, it just causes
// BoringSSL's asm code to unconditionally use a HWASAN-compatible
// global variable reference so that the non-HWASANified (because of
// sanitize: { hwaddress: false } above) code in the BCM can
// successfully link against the HWASANified code in the rest of
// BoringSSL in HWASAN builds.
android_arm64: {
asflags: [
"-fsanitize=hwaddress",
],
},
},
min_sdk_version: "29",
}
bootstrap_go_package {
name: "bssl_ar",
pkgPath: "boringssl.googlesource.com/boringssl/util/ar",
srcs: [
"src/util/ar/ar.go",
],
testSrcs: [
"src/util/ar/ar_test.go",
],
}
bootstrap_go_package {
name: "bssl_fipscommon",
pkgPath: "boringssl.googlesource.com/boringssl/util/fipstools/fipscommon",
srcs: [
"src/util/fipstools/fipscommon/const.go",
],
}
blueprint_go_binary {
name: "bssl_inject_hash",
srcs: [
"src/util/fipstools/inject_hash/inject_hash.go",
],
deps: [
"bssl_ar",
"bssl_fipscommon",
],
}
// Target and host library.
// Any changes here must also be reflected in libcrypto_for_test below.
cc_library {
name: "libcrypto",
visibility: ["//visibility:public"],
vendor_available: true,
product_available: true,
native_bridge_supported: true,
vndk: {
enabled: true,
},
double_loadable: true,
recovery_available: true,
defaults: [
"libcrypto_sources",
"libcrypto_defaults",
"boringssl_defaults",
"boringssl_flags",
],
unique_host_soname: true,
srcs: [
":bcm_object",
],
target: {
android: {
cflags: [
"-DBORINGSSL_FIPS",
],
sanitize: {
// Disable address sanitizing otherwise libcrypto will not report
// itself as being in FIPS mode, which causes boringssl_self_test
// to fail.
address: false,
},
inject_bssl_hash: true,
static: {
// Disable the static version of libcrypto, as it causes
// problems for FIPS certification. Use libcrypto_static for
// modules that need static libcrypto but do not need FIPS self
// testing, or use dynamic libcrypto.
enabled: false,
},
},
},
apex_available: [
"//apex_available:platform",
"com.android.adbd",
"com.android.adservices",
"com.android.art",
"com.android.art.debug",
"com.android.art.testing",
"com.android.btservices",
"com.android.compos",
"com.android.conscrypt",
"com.android.extservices",
"com.android.resolv",
"com.android.virt",
],
min_sdk_version: "29",
}
// Version of libcrypto build with BORINGSSL_FIPS_BREAK_TESTS defined
// Only for use with the FIPS break-tests.sh script.
// Must be kept in sync with libcrypto.
cc_library {
name: "libcrypto_for_testing",
visibility: [
"//external/boringssl",
],
defaults: [
"libcrypto_sources",
"libcrypto_defaults",
"boringssl_defaults",
"boringssl_flags",
],
unique_host_soname: true,
srcs: [
":bcm_object_for_testing",
],
target: {
android: {
cflags: [
"-DBORINGSSL_FIPS",
"-DBORINGSSL_FIPS_BREAK_TESTS",
],
sanitize: {
// Disable address sanitizing otherwise libcrypto will not report
// itself as being in FIPS mode, which causes boringssl_self_test
// to fail.
address: false,
},
inject_bssl_hash: true,
static: {
// Disable the static version of libcrypto, as it causes
// problems for FIPS certification. Use libcrypto_static for
// modules that need static libcrypto but do not need FIPS self
// testing, or use dynamic libcrypto.
enabled: false,
},
},
},
min_sdk_version: "29",
}
// Static library
// This version of libcrypto will not have FIPS self tests enabled, so its
// usage is protected through visibility to ensure it doesn't end up used
// somewhere that needs the FIPS version.
cc_library_static {
name: "libcrypto_static",
visibility: [
"//art/build/sdk",
"//bootable/recovery/updater",
"//external/conscrypt",
"//external/python/cpython2",
"//external/rust/crates/quiche",
// Strictly, only the *static* toybox for legacy devices should have
// access to libcrypto_static, but we can't express that.
"//external/toybox",
"//hardware/interfaces/confirmationui/1.0/vts/functional",
"//hardware/interfaces/drm/1.0/vts/functional",
"//hardware/interfaces/drm/1.2/vts/functional",
"//hardware/interfaces/drm/1.3/vts/functional",
"//hardware/interfaces/keymaster/3.0/vts/functional",
"//hardware/interfaces/keymaster/4.0/vts/functional",
"//hardware/interfaces/keymaster/4.1/vts/functional",
"//packages/modules/adb",
"//packages/modules/Bluetooth:__subpackages__",
"//packages/modules/DnsResolver/tests:__subpackages__",
"//packages/modules/NeuralNetworks:__subpackages__",
"//system/core/init",
"//system/core/fs_mgr/liblp",
"//system/core/fs_mgr/liblp/vts_core",
"//system/core/fs_mgr/libsnapshot",
"//system/libvintf/test",
"//system/security/keystore/tests",
"//test/vts-testcase/security/avb",
],
min_sdk_version: "29",
apex_available: [
"//apex_available:platform",
"com.android.neuralnetworks",
],
defaults: [
"libcrypto_bcm_sources",
"libcrypto_sources",
"libcrypto_defaults",
"boringssl_defaults",
"boringssl_flags",
],
}
// Static library for use in bare-metal environments
cc_library_static {
name: "libcrypto_baremetal",
defaults: [
"libcrypto_bcm_sources",
"libcrypto_sources",
"libcrypto_defaults",
"boringssl_defaults",
"boringssl_flags",
],
cflags: [
"-DBORINGSSL_NO_STATIC_INITIALIZER",
"-DOPENSSL_SMALL",
"-DOPENSSL_STATIC_ARMCAP",
"-D__TRUSTY__",
],
visibility: [
"//external/avb",
"//external/open-dice",
"//packages/modules/Virtualization:__subpackages__",
"//system/security/diced/open_dice",
],
apex_available: ["com.android.virt"],
}
// Common defaults for lib*_fuzz_unsafe. These are unsafe and deterministic
// libraries for testing and fuzzing only. See src/FUZZING.md.
cc_defaults {
name: "boringssl_fuzz_unsafe_defaults",
host_supported: true,
cflags: [
"-DBORINGSSL_UNSAFE_DETERMINISTIC_MODE",
"-DBORINGSSL_UNSAFE_FUZZER_MODE",
],
visibility: [
"//frameworks/native/libs/binder/tests:__subpackages__",
],
}
// Unsafe and deterministic version of libcrypto. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
name: "libcrypto_fuzz_unsafe",
ramdisk_available: false,
vendor_ramdisk_available: false,
defaults: [
"libcrypto_bcm_sources",
"libcrypto_sources",
"libcrypto_defaults",
"boringssl_defaults",
"boringssl_flags",
"boringssl_fuzz_unsafe_defaults",
],
}
//// libssl
// Target static library
// Static and Shared library
cc_library {
name: "libssl",
visibility: ["//visibility:public"],
recovery_available: true,
vendor_available: true,
product_available: true,
native_bridge_supported: true,
vndk: {
enabled: true,
},
host_supported: true,
defaults: [
"libssl_sources",
"boringssl_defaults",
"boringssl_flags",
],
target: {
windows: {
enabled: true,
},
},
unique_host_soname: true,
shared_libs: ["libcrypto"],
apex_available: [
"//apex_available:platform",
"com.android.btservices",
"com.android.adbd",
"com.android.conscrypt",
"com.android.resolv",
"com.android.virt",
],
min_sdk_version: "29",
}
cc_library_static {
name: "libssl_baremetal",
defaults: [
"libssl_sources",
"boringssl_defaults",
"boringssl_flags",
],
static_libs: ["libcrypto_baremetal"],
}
// Unsafe and deterministic version of libssl. For testing and fuzzing only.
// See src/FUZZING.md.
cc_test_library {
name: "libssl_fuzz_unsafe",
host_supported: true,
defaults: [
"libssl_sources",
"boringssl_defaults",
"boringssl_flags",
"boringssl_fuzz_unsafe_defaults",
],
static_libs: [
"libcrypto_fuzz_unsafe",
],
}
// Tool
cc_binary {
name: "bssl",
host_supported: true,
defaults: [
"bssl_sources",
"boringssl_flags",
],
shared_libs: [
"libcrypto",
"libssl",
],
target: {
darwin: {
enabled: false,
},
android: {
compile_multilib: "both",
},
},
multilib: {
lib32: {
suffix: "32",
},
},
}
// Used for ACVP testing for FIPS certification.
// Not installed on devices by default.
cc_binary {
name: "acvp_modulewrapper",
srcs: [
"src/util/fipstools/acvp/modulewrapper/main.cc",
],
target: {
android_x86: {
enabled: false,
},
android_x86_64: {
enabled: false,
},
},
stem: "modulewrapper",
compile_multilib: "both",
multilib: {
lib32: {
suffix: "32",
},
},
static_libs: [
"libacvp_modulewrapper",
],
shared_libs: [
"libcrypto",
],
defaults: [
"boringssl_flags",
],
}
// ACVP wrapper implementation shared between Android and Trusty
cc_library_static {
name: "libacvp_modulewrapper",
host_supported: true,
vendor_available: true,
srcs: [
"src/util/fipstools/acvp/modulewrapper/modulewrapper.cc",
],
target: {
android: {
compile_multilib: "both",
},
},
export_include_dirs: ["src/util/fipstools/acvp/modulewrapper/"],
shared_libs: [
"libcrypto",
],
defaults: [
"boringssl_flags",
],
visibility: ["//system/core/trusty/utils/acvp"],
}
// Test support library
cc_library_static {
name: "boringssl_test_support",
host_supported: true,
defaults: [
"boringssl_test_support_sources",
"boringssl_flags",
],
shared_libs: [
"libcrypto",
],
}
// Tests
cc_test {
name: "boringssl_crypto_test",
test_config: "CryptoNativeTests.xml",
host_supported: false,
per_testcase_directory: true,
compile_multilib: "both",
multilib: {
lib32: {
suffix: "32",
},
lib64: {
suffix: "64",
},
},
defaults: [
"boringssl_crypto_test_sources",
"boringssl_flags",
],
whole_static_libs: ["boringssl_test_support"],
// Statically link the library to test to ensure we always pick up the
// correct version regardless of device linker configuration.
static_libs: ["libcrypto_static"],
target: {
android: {
test_suites: ["mts-conscrypt"],
},
},
}
cc_test {
name: "boringssl_ssl_test",
test_config: "SslNativeTests.xml",
host_supported: false,
per_testcase_directory: true,
compile_multilib: "both",
multilib: {
lib32: {
suffix: "32",
},
lib64: {
suffix: "64",
},
},
defaults: [
"boringssl_ssl_test_sources",
"boringssl_flags",
],
whole_static_libs: ["boringssl_test_support"],
// Statically link the libraries to test to ensure we always pick up the
// correct version regardless of device linker configuration.
static_libs: [
"libcrypto_static",
"libssl",
],
target: {
android: {
test_suites: ["mts-conscrypt"],
},
},
}
// Utility binary for CMVP on-site testing.
cc_binary {
name: "test_fips",
host_supported: false,
defaults: [
"boringssl_flags",
],
shared_libs: [
"libcrypto",
],
srcs: [
"src/util/fipstools/test_fips.c",
],
required: [
"adb",
"libcrypto_for_testing",
],
}
libbssl_sys_raw_flags = [
// Adapted from upstream the src/rust/CMakeLists.txt file at:
// https://boringssl.googlesource.com/boringssl/+/refs/heads/master/rust/CMakeLists.txt
"--no-derive-default",
"--enable-function-attribute-detection",
"--use-core",
"--size_t-is-usize",
"--default-macro-constant-type=signed",
"--rustified-enum=point_conversion_form_t",
"--allowlist-file=.*/include/openssl/.*\\.h",
"--allowlist-file=.*/rust_wrapper\\.h",
// These are not BoringSSL symbols, they are from glibc
// and are not relevant to the build besides throwing warnings
// about their 'long double' (aka u128) not being FFI safe.
// We block those functions so that the build doesn't
// spam warnings.
//
// https://github.com/rust-lang/rust-bindgen/issues/1549 describes the current problem
// and other folks' solutions.
"--blocklist-function=strtold",
"--blocklist-function=qecvt",
"--blocklist-function=qecvt_r",
"--blocklist-function=qgcvt",
"--blocklist-function=qfcvt",
"--blocklist-function=qfcvt_r",
]
// Rust bindings
rust_bindgen {
name: "libbssl_sys_raw",
source_stem: "bindings",
crate_name: "bssl_sys_raw",
host_supported: true,
wrapper_src: "src/rust/bssl-sys/wrapper.h",
vendor_available: true,
product_available: true,
bindgen_flags: libbssl_sys_raw_flags,
shared_libs: [
"libcrypto",
"libssl",
],
apex_available: [
"//apex_available:platform",
"com.android.virt",
],
}
rust_bindgen {
name: "libbssl_sys_raw_nostd",
source_stem: "bindings",
crate_name: "bssl_sys_raw",
wrapper_src: "src/rust/bssl-sys/wrapper.h",
bindgen_flags: [
"--raw-line=#![no_std]",
"--ctypes-prefix=core::ffi",
] + libbssl_sys_raw_flags,
header_libs: [
"libcrypto_baremetal",
"libssl_baremetal",
],
}
// Encapsulate the bindgen-generated layout tests as a test target.
rust_test {
name: "libbssl_sys_raw_test",
srcs: [
":libbssl_sys_raw",
],
crate_name: "bssl_sys_raw_test",
test_suites: ["general-tests"],
auto_gen_config: true,
clippy_lints: "none",
lints: "none",
}
// Rust's bindgen doesn't cope with macros, so this target includes C functions that
// do the same thing as macros defined in BoringSSL header files.
cc_library_static {
name: "libbssl_rust_support",
host_supported: true,
defaults: ["boringssl_flags"],
srcs: ["src/rust/bssl-sys/rust_wrapper.c"],
shared_libs: [
"libcrypto",
"libssl",
],
apex_available: [
"//apex_available:platform",
"com.android.virt",
],
}
cc_library_static {
name: "libbssl_rust_support_baremetal",
defaults: ["boringssl_flags"],
srcs: ["src/rust/bssl-sys/rust_wrapper.c"],
static_libs: [
"libcrypto_baremetal",
"libssl_baremetal",
],
}
// Replace the upstream CMake placeholder with a re-export of all of the local bindgen output.
gensrcs {
name: "libbssl_sys_src",
srcs: ["src/rust/bssl-sys/src/lib.rs"],
cmd: "sed 's@^.{INCLUDES}@pub use bssl_sys_raw::*;@' $(in) > $(out)",
}
rust_library {
name: "libbssl_ffi",
host_supported: true,
crate_name: "bssl_ffi",
visibility: [
"//external/rust/crates/openssl",
"//system/keymint/boringssl",
"//system/security/prng_seeder",
],
// Use the modified source with placeholder replaced.
srcs: [":libbssl_sys_src"],
vendor_available: true,
product_available: true,
// Since libbssl_sys_raw is not publicly visible, we can't accidentally
// force a double-link by linking statically, so do so.
rlibs: ["libbssl_sys_raw"],
whole_static_libs: [
"libbssl_rust_support",
],
apex_available: [
"//apex_available:platform",
"com.android.virt",
],
}
gensrcs {
name: "libbssl_sys_src_nostd",
srcs: [":libbssl_sys_src"],
cmd: "(echo '#![no_std]' && cat $(in)) > $(out)",
}
rust_library_rlib {
name: "libbssl_ffi_nostd",
crate_name: "bssl_ffi",
visibility: [
"//packages/modules/Virtualization/pvmfw",
],
srcs: [":libbssl_sys_src_nostd"],
rlibs: ["libbssl_sys_raw_nostd"],
prefer_rlib: true,
no_stdlibs: true,
stdlibs: [
"libcompiler_builtins.rust_sysroot",
"libcore.rust_sysroot",
],
whole_static_libs: [
"libbssl_rust_support_baremetal",
],
}
Reference in New Issue View Git Blame Copy Permalink