android/avf: init

Android Virtualization Framework is a new virtualization environment for Android

Among others, it is used to provide the Terminal App starting from Android 15 QPR2

This PR allows building images for AVF

The system changes have been taken from https://android.googlesource.com/platform/packages/modules/Virtualization/+/refs/heads/main/build/debian/

Author: mkg20001

android/avf/debug.nix

@@ -0,0 +1,15 @@
+{
+  # Print all logs to console for debug
+  boot.kernelParams = [
+    "systemd.journald.forward_to_console"
+  ];
+
+  # Enable AVF debug log
+  avf.vmConfig.debugLevel = 1;
+
+  # Allow the user to log in as root without a password.
+  users.users.root.initialHashedPassword = "";
+
+  # Automatically log in at the virtual consoles.
+  services.getty.autologinUser = "droid";
+}

android/avf/default.nix

@@ -0,0 +1,288 @@
+{
+  config,
+  lib,
+  modulesPath,
+  pkgs,
+  ...
+}:
+
+let
+  base = pkgs.fetchgit {
+    url = "https://android.googlesource.com/platform/packages/modules/Virtualization/";
+    rev = "f3ae17a45df25d1c0913b5cca68fcea6e5a5ce05";
+    hash = "sha256-BcfGSMOKc3Ku3GhpFgdOVM6VT3tj0ujbDIxR2MfZAxE=";
+  };
+  extraPkgs = pkgs.callPackage ./pkgs.nix { inherit base; };
+
+  serialDevice = "ttyS0";
+
+  mkService = name: {
+    serviceConfig = {
+      ExecStart = "${
+        lib.getExe extraPkgs.android_virt.${name}
+      } --grpc-port-file /mnt/internal/debian_service_port";
+      Type = "simple";
+      Restart = "on-failure";
+      RestartSec = 1;
+      User = "root";
+      Group = "root";
+      StandardOutput = "journal";
+      StandardError = "journal";
+    };
+    wantedBy = [ "multi-user.target" ];
+    after = [
+      "network-online.target"
+      "network.target"
+      "mnt-internal.mount"
+    ];
+  };
+
+  vmConfig = pkgs.formats.json { };
+
+  cfg = config.avf;
+in
+
+with lib;
+{
+  imports = [
+    "${modulesPath}/profiles/qemu-guest.nix"
+  ];
+
+  options = {
+    avf.vmConfig = mkOption {
+      description = "VM config for AVF";
+      default = { };
+      type = vmConfig.type;
+    };
+  };
+
+  config = {
+    avf.vmConfig = {
+      name = "nixos";
+      disks = [
+        {
+          partitions = [
+            {
+              label = "nixos";
+              path = "$PAYLOAD_DIR/root_part";
+              writable = true;
+              guid = "{root_part_guid}";
+            }
+            {
+              label = "ESP";
+              path = "$PAYLOAD_DIR/efi_part";
+              writable = false;
+              guid = "{efi_part_guid}";
+            }
+          ];
+          writable = true;
+        }
+      ];
+      sharedPath = [
+        {
+          sharedPath = "/storage/emulated";
+        }
+        {
+          sharedPath = "$APP_DATA_DIR/files";
+        }
+      ];
+      protected = false;
+      cpu_topology = "match_host";
+      platform_version = "~1.0";
+      memory_mib = 4096;
+      debuggable = true;
+      console_out = true;
+      console_input_device = "ttyS0";
+      network = true;
+      auto_memory_balloon = true;
+      gpu = {
+        backend = "2d";
+      };
+    };
+
+    /*
+      services.ttyd = {
+        enable = true;
+        enableSSL = true;
+        caFile = = "/mnt/internal/ca.crt";
+        keyFile = "/etc/ttyd/server.key";
+        clientOptions = [ "disableLeaveAlert=true" ];
+        certFile = "/etc/ttyd/server.ct";
+        entrypoint = [ "${pkgs.shadow}/bin/login" "-f" "droid" ];
+        writeable = true;
+      };
+    */
+
+    systemd.services.ttyd = {
+      serviceConfig = {
+        ExecStart = "${extraPkgs.ttyd}/bin/ttyd --ssl --ssl-cert /etc/ttyd/server.crt --ssl-key /etc/ttyd/server.key --ssl-ca /mnt/internal/ca.crt -t disableLeaveAlert=true -W ${config.services.ttyd.entrypoint} -f droid";
+        Type = "simple";
+        Restart = "always";
+        User = "root";
+        Group = "root";
+      };
+
+      wantedBy = [ "multi-user.target" ];
+      after = [
+        "network-online.target"
+        "network.target"
+        "mnt-internal.mount"
+      ];
+    };
+
+    systemd.services.avahi_ttyd = {
+      description = "avahi_TTYD";
+
+      after = [
+        "ttyd.service"
+        "avahi-daemon.socket"
+      ];
+      wantedBy = [ "multi-user.target" ];
+
+      serviceConfig = {
+        ExecStart = "${pkgs.avahi}/bin/avahi-publish-service ttyd _http._tcp 7681";
+        Type = "simple";
+        Restart = "always";
+        User = "root";
+        Group = "root";
+      };
+    };
+
+    services.avahi = {
+      enable = true;
+      publish = {
+        enable = true;
+        userServices = true;
+      };
+    };
+
+    system.build.avfImage = pkgs.callPackage ./finish.nix {
+      raw_disk_image = import "${pkgs.path}/nixos/lib/make-disk-image.nix" {
+        inherit pkgs lib config;
+
+        partitionTableType = "efi";
+        copyChannel = true;
+        memSize = "2048";
+      };
+
+      vm_config = vmConfig.generate "vm_config.json" cfg.vmConfig;
+    };
+
+    boot.growPartition = true;
+    boot.loader.systemd-boot.enable = true;
+    boot.initrd.systemd.enable = true;
+
+    # image building needs to know what device to install bootloader on
+    boot.loader.grub.device = "/dev/vda";
+    # Faster boot. User can't access bootloader currently anyways (?)
+    boot.loader.timeout = 0;
+
+    # avf patches only available for 6.1 right now
+    boot.kernelPackages = pkgs.linuxPackages_6_1;
+
+    boot.kernelPatches = [
+      {
+        name = "avf";
+        patch = "${base}/build/debian/kernel/patches/avf/arm64-balloon.patch";
+        extraStructuredConfig = with lib.kernel; {
+          # DRM = module;
+          SND_VIRTIO = module;
+          SND = yes;
+          SOUND = yes;
+        };
+      }
+    ];
+
+    boot.kernelParams = [
+      "console=tty1"
+      "console=${serialDevice}"
+    ];
+
+    boot.kernelModules = [ "vhost_vsock" ];
+
+    fileSystems = {
+      "/" = {
+        device = "/dev/disk/by-label/nixos";
+        autoResize = true;
+        fsType = "ext4";
+      };
+      "/boot" = {
+        device = "/dev/disk/by-label/ESP";
+        fsType = "vfat";
+      };
+
+      "/mnt/internal" = {
+        device = "internal";
+        fsType = "virtiofs";
+      };
+      "/mnt/shared" = {
+        device = "android";
+        fsType = "virtiofs";
+      };
+      /*
+        "/mnt/backup" = {
+          device = "/dev/vdb";
+          fsType = "virtiofs";
+        };
+      */
+    };
+
+    # from Virtualization/guest/storage_balloon_agent/debian/service
+
+    systemd.services.storage_balloon_agent = mkService "storage_balloon_agent";
+
+    # from Virtualization/guest/forwarder_guest_launcher/debian/service
+
+    systemd.services.forwarder_guest_launcher = mkService "forwarder_guest_launcher" // {
+      path = [
+        extraPkgs.android_virt.forwarder_guest
+        pkgs.bcc
+        "/run/current-system/sw"
+      ];
+    };
+
+    # from Virtualization/guest/shutdown_runner/debian/service
+
+    systemd.services.shutdown_runner = mkService "shutdown_runner";
+
+    system.activationScripts.setup_files = {
+      text = ''
+        if [ ! -e /_setup ]; then
+          cp -rv ${./etc}/* /etc/
+          mkdir -vp /mnt/{shared,internal,backup}
+          chown -v 1000:100 /mnt/{shared,internal,backup}
+          touch /_setup
+        fi
+      '';
+    };
+
+    users.users.droid = {
+      isNormalUser = true;
+      extraGroups = [
+        "droid"
+        "wheel"
+        "video"
+        "render"
+      ];
+      initialHashedPassword = "";
+    };
+    users.groups.droid = { };
+    security.sudo.wheelNeedsPassword = false;
+
+    programs.bcc.enable = true;
+
+    programs.bash.promptInit = ''
+      # Show title of current running command
+      trap 'echo -ne "\e]0;\$BASH_COMMAND\007"' DEBUG
+    '';
+
+    systemd.network.enable = true;
+    networking.useNetworkd = true;
+    networking.dhcpcd.enable = false;
+    services.resolved.dnssec = "false";
+    networking.useDHCP = true;
+    networking.firewall.enable = true; # default
+    networking.nftables.enable = true;
+    networking.firewall.allowedTCPPorts = [ 7681 ];
+  };
+}

android/avf/etc/ttyd/server.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiTCCAnGgAwIBAgIUasfD1K/4tJHwNRXL2kdSD9VbeSwwDQYJKoZIhvcNAQEL
+BQAwUzELMAkGA1UEBhMCQ04xCzAJBgNVBAgMAkdEMQswCQYDVQQHDAJTWjETMBEG
+A1UECgwKQWNtZSwgSW5jLjEVMBMGA1UEAwwMQWNtZSBSb290IENBMB4XDTI0MTAx
+NDAxMjgzOFoXDTI1MTAxNDAxMjgzOFowUDELMAkGA1UEBhMCQ04xCzAJBgNVBAgM
+AkdEMQswCQYDVQQHDAJTWjETMBEGA1UECgwKQWNtZSwgSW5jLjESMBAGA1UEAwwJ
+bG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3+uVF4TP
+jUjfL8vJlECAN1rLFK8lDuOUv52VCrW7MXMfGYlA4nk1OKDjygnZIpET6I9cTfCG
+Xiwad6bU6Oqy4MZ2i338F+eERrGpkitSQ7QRqZannjBIDFxXZvJpMTJDIWNCmz+P
+K2VcvCh8im2tJA66wJogUcVmJBugNqleqxFcxPvXOdBdWBK7JYOcb4J643eLX6+D
+X6v2QTlKXfihouVC8wAzbw9HHmOVb7ono1rV7xpcFrOyBiDGVSgEteiB8l26iXA9
+fExkb0rUzHjlgvb/l8/nGAaQHd0eE+/SGd4tXvs9KHX6XJh/PI0ExTsDIBDcuVOt
+2YzXeuM6zzrKLQIDAQABo1gwVjAUBgNVHREEDTALgglsb2NhbGhvc3QwHQYDVR0O
+BBYEFHpFYqFC/AEOfWfdZmpy5YBZfgR2MB8GA1UdIwQYMBaAFGThxe/2q5/Dg6hI
+9Von5HRAOUxZMA0GCSqGSIb3DQEBCwUAA4IBAQBQspP3wo3yzcPWuFk4lRyo7zpF
+JfBBX0UU1Z0MQfIGxLC2YtRvxobRqwLcKUKQjBqUuRdukleOaVVFeXb/HI9vY3ji
+9PfUb2UJ4O3z3pdSK0EwXbkCidtUflRLvPG6dgBrXyLOqxBqA5lWR2ds5HRAMRAi
+eXfDkJTmNOAQAnPgM+35FBgmhh6axG+bUudvvVoA8ca+zW9i1R6/vblxYJ6bhmw0
+8s+uoAX6FXcZ0YFOGdhcpJmnbiRd3D0VVacjc3b9pjFOI8d3bh9pR47p0kVOaRsh
+aAG3gZhyMPOgbYceCjfzND5YhycDI+MzPo/JOYdhHGGJawoh1nP94QNPan6J
+-----END CERTIFICATE-----

android/avf/etc/ttyd/server.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDf65UXhM+NSN8v
+y8mUQIA3WssUryUO45S/nZUKtbsxcx8ZiUDieTU4oOPKCdkikRPoj1xN8IZeLBp3
+ptTo6rLgxnaLffwX54RGsamSK1JDtBGplqeeMEgMXFdm8mkxMkMhY0KbP48rZVy8
+KHyKba0kDrrAmiBRxWYkG6A2qV6rEVzE+9c50F1YErslg5xvgnrjd4tfr4Nfq/ZB
+OUpd+KGi5ULzADNvD0ceY5VvuiejWtXvGlwWs7IGIMZVKAS16IHyXbqJcD18TGRv
+StTMeOWC9v+Xz+cYBpAd3R4T79IZ3i1e+z0odfpcmH88jQTFOwMgENy5U63ZjNd6
+4zrPOsotAgMBAAECggEAARJYlD12ch5WM2aDrPOGOAtREOfP7CCwWcMiOfBP72iR
+Y9Vipxmuz16nwTJ22F7HvPsdPOUo1cFtWhim2Aqr/ZxuT4Ce9oVrk6iDwRdeuYdY
+cIhtChvJi+p0ggMcuyzp90+3AYXxynsOlCufMjSNGaqvYUsNEXnJFSgiKr7mgbIO
+J0VU1Wrquw7N58RKL+T3xEvE7uO3QpLOim2MbfRSVq/JGNxqAGw0/uxtjFs7Vtf9
+z44e/ULeYDS7zMj6cMggxQp5nfzcboGoNVUEDgYjOzqXCe4cG0n3XfN7GJhaS1ZF
+tPd8l4Ch0IrT4hs5uVFaMdFbj+er7mvmqfTVytrRmQKBgQD2kVB53EKhqxgvz2N7
+bAJglOLd6FWKsWlLMSdER0/4dRVRMIBxnYWgQ0gaRc4TM7oyKOl3MDF9jdDne5KJ
+cnfzFoH2GD6VBQRr0mFmV1UV6oHEjDJBasMo/1Vw3TJ4oZgZpYpJjrDmPWZqHUs4
+I79TdvJrNFSmk3MGVFjatLIq5QKBgQDofHpHfBeRCn2Z3OOkiAN5V53n5deZl6Jt
+lGTsrXKpEzRTre4LWZojoB9hiGjptZkXHA2HW90RiV9OHhTa8W9ZntLnOnWc5RUn
+Tzh14KupjsBQm/gE8SuqHSDx1mxTnIUo0W28d/Beecri5KfaoEY+wxZXOeQy5JFR
+ec/AhU4FqQKBgGhVzUwDnF502+M/SsVrSwY7elSUf74UnI2o2wjVdE2anc6hS3jI
+Q0cxsU0MxMrzVJLtJP2+cvLCE+ggLj3jJkbC+3N7ht/gI6LMf1KjGeoQNaFKAeoU
+l0i94xXDRBwvpQEVP5MowkprKO82PiIfXlKfPq2Gk1t5gW7oOkExvULRAoGBAK7R
+051nec0uJ06I5IE3ae1X7jyP//TWKmTeHpo+vybWcxWth3/va9H4OUC9M67ySGEx
+ThcIBA+IzirOwf31aTbqEEuiEQje1m5NyvYQ8OS6nHDBJ9qHg78S0lAoXiLtYtBT
+04HSauSQDvlY2cOzm77cMjN7K9b9Oy0aPRfW5dmpAoGAGesq4Ojky4crpi0H1O7n
+cMuIAzaPozsMx7iSrhUe69fwVFiMkEKR6ems01DmjYwPb6DtxCieaRlGbd9E8oIZ
+y6n+Uh9Qbc5sDhPMsys6NyKOv/A6rkn49/etr40f0Z5g9g/d2+qtwoAXjo3sSPuW
+7iqbruRjbKUaJKzdpIqOKD0=
+-----END PRIVATE KEY-----

android/avf/finish.nix

@@ -0,0 +1,50 @@
+{
+  stdenv,
+  raw_disk_image,
+  vm_config,
+  utillinux,
+  pigz,
+  e2fsprogs,
+}:
+
+stdenv.mkDerivation {
+  name = "avf_image.tar.gz";
+
+  nativeBuildInputs = [
+    utillinux
+    pigz
+    e2fsprogs
+  ];
+
+  dontUnpack = true;
+  dontBuild = true;
+  installPhase = ''
+    diskImage=$(echo ${raw_disk_image}/*.img)
+
+    OFFSETS=($(sfdisk -l $diskImage -o Start,Sectors | tail -n 2 | grep -o "[0-9]*"))
+
+    echo $out > build_id
+
+    # bs=512 -> sector size is 512, skip=start sector, count=size in sectors
+    dd if=$diskImage of=efi_part bs=512 skip="''${OFFSETS[0]}" count="''${OFFSETS[1]}"
+    dd if=$diskImage of=root_part bs=512 skip="''${OFFSETS[2]}" count="''${OFFSETS[3]}"
+
+    # can be removed once android e2fsck supports this feature
+    tune2fs -O ^orphan_file root_part
+
+    cp ${vm_config} vm_config.json
+
+    sed -i "s/{efi_part_guid}/$(sfdisk --part-uuid $diskImage 1)/g" vm_config.json
+    sed -i "s/{root_part_guid}/$(sfdisk --part-uuid $diskImage 2)/g" vm_config.json
+
+    contents=(
+    build_id
+    root_part
+    efi_part
+    vm_config.json
+    )
+
+    # --sparse option isn't supported in apache-commons-compress
+    tar cv -I pigz -f $out -C . "''${contents[@]}"
+  '';
+}

android/avf/forwarder_guest_Cargo.lock

@@ -0,0 +1,15 @@
+diff --git a/src/main.rs b/src/main.rs
+index 3cb557aed..b42e54eb9 100644
+--- a/src/main.rs
++++ b/src/main.rs
+@@ -112,9 +112,7 @@ async fn report_active_ports(
+     mut client: DebianServiceClient<Channel>,
+ ) -> Result<(), Box<dyn std::error::Error>> {
+     // TODO: we can remove python3 -u when https://github.com/iovisor/bcc/pull/5142 is deployed
+-    let mut cmd = Command::new("python3")
+-        .arg("-u")
+-        .arg("/usr/sbin/tcpstates-bpfcc")
++    let mut cmd = Command::new("tcpstates")
+         .arg("-s")
+         .stdout(Stdio::piped())
+         .spawn()?;

android/avf/forwarder_guest_launcher_Cargo.lock

@@ -0,0 +1,74 @@
+{
+  base,
+  lib,
+  ttyd,
+  rustPlatform,
+  protobuf_28,
+  libwebsockets,
+}:
+let
+
+  mkRustPkg =
+    name: lock: extra:
+    rustPlatform.buildRustPackage (
+      {
+        inherit name;
+
+        RUSTFLAGS = "-C linker=gcc";
+
+        # see https://github.com/NixOS/nixpkgs/issues/145726
+        # TODO: disable when cross-compling
+        prePatch = ''
+          rm .cargo/config.toml
+        '';
+
+        src = base;
+        setSourceRoot = "sourceRoot=$(echo */guest/${name})";
+
+        nativeBuildInputs = [
+          protobuf_28
+        ];
+
+        postPatch = ''
+          ln -s ${lock} Cargo.lock
+        '';
+
+        cargoLock = {
+          lockFile = lock;
+        };
+
+        meta = {
+          mainProgram = name;
+        };
+      }
+      // extra
+    );
+in
+{
+  ttyd =
+    (ttyd.override ({
+      libwebsockets = libwebsockets.overrideAttrs (_: {
+        patches = [
+          "${base}/build/debian/ttyd/client_cert.patch"
+        ];
+      });
+    })).overrideAttrs
+      (a: {
+        patches = [
+          "${base}/build/debian/ttyd/xtermjs_a11y.patch"
+        ];
+      });
+
+  android_virt = lib.recurseIntoAttrs {
+    forwarder_guest = mkRustPkg "forwarder_guest" ./forwarder_guest_Cargo.lock { };
+    forwarder_guest_launcher =
+      mkRustPkg "forwarder_guest_launcher" ./forwarder_guest_launcher_Cargo.lock
+        {
+          patches = [
+            ./guest-tcpstates.patch
+          ];
+        };
+    shutdown_runner = mkRustPkg "shutdown_runner" ./shutdown_runner_Cargo.lock { };
+    storage_balloon_agent = mkRustPkg "storage_balloon_agent" ./storage_balloon_agent_Cargo.lock { };
+  };
+}

android/avf/guest-tcpstates.patch

@@ -0,0 +1,14 @@
+(import <nixpkgs/nixos/lib/eval-config.nix> {
+  system = "aarch64-linux";
+  modules = [
+    (
+      { modulesPath, ... }:
+      {
+        imports = [
+          ./android/avf
+          ./android/avf/debug.nix
+        ];
+      }
+    )
+  ];
+}).config.system.build.avfImage