From b0f8873811d447182b2e5a96c7689d26ac1e51ac Mon Sep 17 00:00:00 2001 From: Yifan Hong Date: Thu, 8 Sep 2022 17:15:54 -0700 Subject: [PATCH] ANDROID: kleaf: convert fips140 to kleaf As a result of this change: - fips140 is no longer part of the GKI build but a separate module, so it is not signed (CONFIG_MODULE_SIG_ALL is not set) - GKI images (e.g. system_dlkm image, boot images) etc. are no longer part of the build -- because they are unnecessary. - The build config no longer inherits from build.config.gki.aarch64 directly to avoid building unnecessary system_dklm, boot images, GKI artifacts, etc. Test: BUILD_CONFIG=common/build.config.gki.aarch64.fips140 build/build.sh Test: tools/bazel build //common:fips140_dist Bug: 232083350 Change-Id: I2cb0ee0b55c2a5ea46e6d73ecad4aa97585c1989 Signed-off-by: Yifan Hong
---
 BUILD.bazel | 19 +++++++++++++++++++
 arch/arm64/configs/fips140_gki.fragment | 1 +
 build.config.gki.aarch64.fips140 | 14 ++++++++++----
 3 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/BUILD.bazel b/BUILD.bazel
index ceff2c8f0e79..0ecc69b64c88 100644
--- a/BUILD.bazel
+++ b/BUILD.bazel
@@ -17,7 +17,9 @@ package(
 ],
 )
+load("//build/bazel_common_rules/dist:dist.bzl", "copy_to_dist_dir")
 load("//build/kernel/kleaf:common_kernels.bzl", "define_common_kernels", "define_db845c")
+load("//build/kernel/kleaf:kernel.bzl", "kernel_build")
 # This uses android/abi_gki_aarch64* in kmi_configs. If the list of
 # glob(["android/abi_gki_aarch64*"]) differs from
@@ -218,3 +220,20 @@ define_db845c(
 "sound/soc/qcom/snd-soc-sm8250.ko",
 ],
 )
+
+kernel_build(
+ name = "fips140",
+ outs = [],
+ base_kernel = ":kernel_aarch64",
+ build_config = "build.config.gki.aarch64.fips140",
+ module_outs = ["crypto/fips140.ko"],
+)
+
+copy_to_dist_dir(
+ name = "fips140_dist",
+ data = [
+ ":fips140",
+ ],
+ dist_dir = "out/fips140/dist",
+ flat = True,
+)
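Review bot: The new `fips140` and `fips140_dist` targets in the second BUILD.bazel hunk say nothing about `crypto/fips140.ko` being produced unsigned. The same commit unsets `CONFIG_MODULE_SIG_ALL` in `fips140_gki.fragment`, and `fips140_dist` then copies the module to `out/fips140/dist`. Whoever consumes that directory needs to know the file must be signed or otherwise integrity-checked before it is loaded; how that happens downstream is not visible in this patch. I would add above `kernel_build(`: `# fips140.ko is built outside the GKI build and is NOT signed; sign or otherwise verify it before use. Requires LTO.` The same one-line explanation would help next to the added line in the fragment hunk, worded so that the kconfig tooling cannot mistake it for an option line.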
diff --git a/arch/arm64/configs/fips140_gki.fragment b/arch/arm64/configs/fips140_gki.fragment
index 68292520be10..198cd3367a24 100644
--- a/arch/arm64/configs/fips140_gki.fragment
+++ b/arch/arm64/configs/fips140_gki.fragment
@@ -1 +1,2 @@
 CONFIG_CRYPTO_FIPS140_MOD=y
+# CONFIG_MODULE_SIG_ALL is not set
diff --git a/build.config.gki.aarch64.fips140 b/build.config.gki.aarch64.fips140
index 040d73af3d2a..522a0f3e2d41 100644
--- a/build.config.gki.aarch64.fips140
+++ b/build.config.gki.aarch64.fips140
@@ -1,9 +1,15 @@
-. ${ROOT_DIR}/${KERNEL_DIR}/build.config.gki.aarch64
+. ${ROOT_DIR}/${KERNEL_DIR}/build.config.common
+. ${ROOT_DIR}/${KERNEL_DIR}/build.config.aarch64
+. ${ROOT_DIR}/${KERNEL_DIR}/build.config.gki
-FILES="${FILES}
+FILES="
 crypto/fips140.ko
 "
+MAKE_GOALS="
+modules
+"
+
 if [ "${LTO}" = "none" ]; then
 echo "The FIPS140 module needs LTO to be enabled."
 exit 1
@@ -13,5 +19,5 @@ MODULES_ORDER=android/gki_aarch64_fips140_modules
 KERNEL_DIR=common
 DEFCONFIG=fips140_gki_defconfig
-PRE_DEFCONFIG_CMDS="cat ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/gki_defconfig ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/fips140_gki.fragment > ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/${DEFCONFIG};"
-POST_DEFCONFIG_CMDS="rm ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/${DEFCONFIG}"
+PRE_DEFCONFIG_CMDS="mkdir -p \${OUT_DIR}/arch/arm64/configs/ && KCONFIG_CONFIG=\${OUT_DIR}/arch/arm64/configs/${DEFCONFIG} ${ROOT_DIR}/${KERNEL_DIR}/scripts/kconfig/merge_config.sh -m -r ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/gki_defconfig ${ROOT_DIR}/${KERNEL_DIR}/arch/arm64/configs/fips140_gki.fragment"
+POST_DEFCONFIG_CMDS=""
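Review bot: In the last build.config hunk `POST_DEFCONFIG_CMDS` is set to an empty string, so after `merge_config.sh -m` has written the merged defconfig nothing in this file confirms that the fragment's two settings reach the final `.config`. With `-m` the script only merges the fragments and does not run make, so dependency resolution happens later in the defconfig step, where Kconfig can drop or override a request without failing the build. A dropped `CONFIG_CRYPTO_FIPS140_MOD=y` would probably show up as a missing `crypto/fips140.ko`, but a changed `CONFIG_MODULE_SIG_ALL` would not be noticed. Assuming the build script keeps `.config` in `${OUT_DIR}`, a check such as `POST_DEFCONFIG_CMDS="grep -qx 'CONFIG_CRYPTO_FIPS140_MOD=y' \${OUT_DIR}/.config && grep -qx '# CONFIG_MODULE_SIG_ALL is not set' \${OUT_DIR}/.config"` would make the build fail on a mismatch.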