author | Colin Cross <ccross@android.com> | 2019-09-18 11:20:16 -0700 |
---|---|---|
committer | Colin Cross <ccross@android.com> | 2019-09-25 12:38:27 -0700 |
commit | 4b979db85e85cf549f8be491c2e12d3ff4cd7745 (patch) | |
tree | 9a828d2cb727e5e6006396102c7f5b3a92e90d2c /Android.bp | |
parent | 580fcaf18d41bf6c7513e90a2520d0fd8f0c244c (diff) | |
download | boringssl-4b979db85e85cf549f8be491c2e12d3ff4cd7745.tar.gz |
Force all static users of libcrypto on the device to libcrypto_static

Static libcrypto on the device complicates FIPS certification, we
prefer to use shared libcrypto whenever possible. Disable the
static version of libcrypto on the device, and use libcrypto_static
for modules that need static libcrypto and don't need the FIPS self
tests. libcrypto_static is protected by visibility to ensure that
only modules that don't need the FIPS self tests use it.

The existing intended use of libcrypto_static is for host libraries
loaded into the JVM, but there are no host modules that depend on
libcrypto static, so remove the old usage.

Bug: 141248879
Test: m checkbuild
Change-Id: I73ff358b5e11c18c38de597ba374629d7c83f32d

Diffstat (limited to 'Android.bp')
-rw-r--r-- | Android.bp | 45 |
1 files changed, 29 insertions, 16 deletions
@@ -159,16 +159,42 @@ cc_library { "-DBORINGSSL_FIPS", ], inject_bssl_hash: true, + static: { + // Disable the static version of libcrypto, as it causes + // problems for FIPS certification. Use libcrypto_static for + // modules that need static libcrypto but do not need FIPS self + // testing, or use dynamic libcrypto. + enabled: false, + }, }, }, } // Static library -// This should only be used for host modules that will be in a JVM, all other -// modules should use the static variant of libcrypto. +// This version of libcrypto will not have FIPS self tests enabled, so its +// usage is protected through visibility to ensure it doesn't end up used +// somewhere that needs the FIPS version. cc_library_static { name: "libcrypto_static", - visibility: ["//visibility:public"], + visibility: [ + "//bootable/recovery/updater", + "//external/conscrypt", + "//external/python/cpython2", + "//frameworks/ml/nn/runtime/test", + "//hardware/interfaces/confirmationui/1.0/vts/functional", + "//hardware/interfaces/drm/1.0/vts/functional", + "//hardware/interfaces/drm/1.2/vts/functional", + "//hardware/interfaces/keymaster/3.0/vts/functional", + "//hardware/interfaces/keymaster/4.0/vts/functional", + "//system/core/adb", + "//system/core/init", + "//system/core/fs_mgr/liblp", + "//system/core/fs_mgr/liblp/vts_core", + "//system/core/fs_mgr/libsnapshot", + "//system/libvintf/test", + "//system/security/keystore/tests", + "//test/vts-testcase/security/avb", + ], defaults: [ "libcrypto_bcm_sources", "libcrypto_sources", 
@@ -176,19 +202,6 @@ cc_library_static { "boringssl_defaults", "boringssl_flags", ], - - target: { - host: { - // TODO: b/26160319. ASAN breaks use of this library in JVM. - // Re-enable sanitization when the issue with making clients of this library - // preload ASAN runtime is resolved. Without that, clients are getting runtime - // errors due to unresolved ASAN symbols, such as - // __asan_option_detect_stack_use_after_return. - sanitize: { - never: true, - }, - }, - }, } //// libssl |
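Review bot: In the first hunk, the new `visibility` list on `libcrypto_static` mixes test-only directories (the `vts/functional` and `tests` paths) with production modules such as `//system/core/init`, `//system/core/adb` and `//external/conscrypt`, and nothing records why each one is allowed to run without the FIPS self tests. Since this list is the only control keeping the non-FIPS build out of code that needs the FIPS version, add a comment above it stating the criterion for an entry (needs static libcrypto and does not need FIPS self testing, as the commit message puts it) so later additions are reviewed against it. The versioned HAL paths (`drm/1.0`, `drm/1.2`, `keymaster/3.0`, `keymaster/4.0`) also mean each new HAL version needs a further edit here, which is worth stating in the same comment.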
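Review bot: In the second hunk, deleting the `target: { host: { sanitize: { never: true } } }` block also drops the reference to b/26160319 without saying whether the ASAN preload problem is resolved. The commit message justifies the removal by there being no host modules that depend on the library, but the new visibility list still admits `//external/conscrypt` and `//external/python/cpython2`; if either is built for the host against `libcrypto_static` and loaded into a JVM, the unresolved `__asan_option_detect_stack_use_after_return` errors described in the removed comment would come back. Consider recording that a sanitized host build was checked, since `Test:` lists only `m checkbuild`, or keep a one-line comment pointing at the bug.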