add borealis support

- remove crosvm ro param: `--params root=/dev/pmem0 ro` - remove kernel version limit - skip insert_coin token board check - show borealis feature Signed-off-by: jinqiang zhang <[email protected]>
openFyde · Oct 24, 2022 · 35da948 · 35da948
1 parent d6662c0
commit 35da948
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 0 deletions.
diff --git a/chromeos-base/vm_host_tools/files/remove-params-pemm0-ro.patch b/chromeos-base/vm_host_tools/files/remove-params-pemm0-ro.patch
@@ -0,0 +1,14 @@
+diff --git a/vm_tools/concierge/vm_builder.cc b/vm_tools/concierge/vm_builder.cc
+index 44be060c26..7f6b2541a4 100644
+--- a/vm_tools/concierge/vm_builder.cc
++++ b/vm_tools/concierge/vm_builder.cc
+@@ -338,7 +338,8 @@ base::StringPairs VmBuilder::BuildVmArgs() const {
+       }
+       // TODO(davidriley): Re-add rootflags=dax once guest kernel has fix for
+       // b/169339326.
+-      args.emplace_back("--params", "root=/dev/pmem0 ro");
++      // args.emplace_back("--params", "root=/dev/pmem0 ro");
++      args.emplace_back("--params", "root=/dev/pmem0");
+     } else {
+       if (rootfs.writable) {
+         args.emplace_back("--rwroot", rootfs.path.value());
diff --git a/chromeos-base/vm_host_tools/files/skip-kMinKernelVersionForUntrustedAndNestedVM-check.patch b/chromeos-base/vm_host_tools/files/skip-kMinKernelVersionForUntrustedAndNestedVM-check.patch
@@ -0,0 +1,35 @@
+diff --git a/vm_tools/concierge/service.cc b/vm_tools/concierge/service.cc
+index be3bd5004f..69bce1e2f9 100644
+--- a/vm_tools/concierge/service.cc
++++ b/vm_tools/concierge/service.cc
+@@ -1547,18 +1547,18 @@ StartVmResponse Service::StartVm(StartVmRequest request,
+   if (is_untrusted_vm) {
+     const auto untrusted_vm_check_result =
+         IsUntrustedVMAllowed(request.run_as_untrusted(), host_kernel_version_);
+-    if (!untrusted_vm_check_result.untrusted_vm_allowed) {
+-      std::stringstream ss;
+-      ss << "Untrusted VMs are not allowed: "
+-         << "the host kernel version (" << host_kernel_version_.first << "."
+-         << host_kernel_version_.second << ") must be newer than or equal to "
+-         << kMinKernelVersionForUntrustedAndNestedVM.first << "."
+-         << kMinKernelVersionForUntrustedAndNestedVM.second
+-         << ", or the device must be in the developer mode";
+-      LOG(ERROR) << ss.str();
+-      response.set_failure_reason(ss.str());
+-      return response;
+-    }
++    // if (!untrusted_vm_check_result.untrusted_vm_allowed) {
++    //   std::stringstream ss;
++    //   ss << "Untrusted VMs are not allowed: "
++    //      << "the host kernel version (" << host_kernel_version_.first << "."
++    //      << host_kernel_version_.second << ") must be newer than or equal to "
++    //      << kMinKernelVersionForUntrustedAndNestedVM.first << "."
++    //      << kMinKernelVersionForUntrustedAndNestedVM.second
++    //      << ", or the device must be in the developer mode";
++    //   LOG(ERROR) << ss.str();
++    //   response.set_failure_reason(ss.str());
++    //   return response;
++    // }
+
+     // For untrusted VMs -
+     // Check if l1tf and mds mitigations are present on the host. Skip the
diff --git a/chromeos-base/vm_host_tools/vm_host_tools.bashrc b/chromeos-base/vm_host_tools/vm_host_tools.bashrc
@@ -0,0 +1,7 @@
+# Copyright (c) 2022 Fyde Innovations Limited and the openFyde Authors.
+# Distributed under the license specified in the root directory of this project.
+
+cros_pre_src_prepare_amd64_openfyde() {
+  eapply -p2 ${AMD64_OPENFYDE_BASHRC_FILEPATH}/remove-params-pemm0-ro.patch
+  eapply -p2 ${AMD64_OPENFYDE_BASHRC_FILEPATH}/skip-kMinKernelVersionForUntrustedAndNestedVM-check.patch
+}
diff --git a/chromium-patches/skip-borealis-board-check.patch b/chromium-patches/skip-borealis-board-check.patch
@@ -0,0 +1,16 @@
+diff --git a/chrome/browser/ash/borealis/borealis_features.cc b/chrome/browser/ash/borealis/borealis_features.cc
+index 4fe8d8b4c9d2a..eabb0667af4e1 100644
+--- a/chrome/browser/ash/borealis/borealis_features.cc
++++ b/chrome/browser/ash/borealis/borealis_features.cc
+@@ -130,6 +130,11 @@ enum class TokenAuthority {
+ //   "aT79k1Uv7v7D5s2/rpYUJYRXTUq4EkPN2FK4JBQJWgw=";
+ TokenAuthority GetAuthorityForToken(const std::string& board,
+                                     const std::string& hash_of_current_token) {
++  if (board != "") {
++    LOG(INFO) << "bypassing hardware checks.";
++    LOG(INFO) << "board: " << board << " hash_of_current_token: " << hash_of_current_token;
++    return TokenAuthority::kAllowedOverridesHardwareChecks;
++  }
+   // Tokens provide more fine-grained control over whether borealis can be run
+   // on a specific device. The different kinds of token are:
+   //  * "Super" token: Allows borealis on any device.
diff --git a/make.conf b/make.conf
@@ -35,3 +35,4 @@ ARC_PLATFORM_SDK_VERSION="28"
 #ARC_VERSION_PATCH="0"
 MULTILIB_ABIS="amd64 x86"
 #CHROME_DEV_FLAGS="${CHROME_DEV_FLAGS} --flint-account-enabled --remote-debugging-port=9229"
+CHROME_DEV_FLAGS="${CHROME_DEV_FLAGS} --enable-features=Borealis"