Implementation
Android-powered devices with Android 9 and lower that have A/B partitions can use the inactive system_other partition (for example, system_b when slot_a is active) to store preoptimized VDEX/ODEX files. When system_other is used, ro.cp_system_other_odex is set to 1 for the package manager service to set sys.cppreopt=requested for cppreopts.rc to act on it.

In Android 10, libfs_avb is introduced to support standalone AVB verification for the system_other partition. The VBMeta struct of such a partition is appended to the end of the partition, to be verified by an expected public key from the file system. The Android build system supports signing system_other.img while including the corresponding signing key under /product/etc/security/avb/system_other.avbpubkey. The release tool sign_target_files_apks.py also supports replacing the signing key with a release version.

A/B devices launched before Android 10 have a physical system_other partition, even if they are upgraded to Android 10 with PRODUCT_RETROFIT_DYNAMIC_PARTITIONS set to true.

A/B devices launched with Android 10 must have a logical system_other partition. The following example shows a typical fstab.postinstall file that enables AVB on system_other.

#<dev> <mnt_point> <type> <mnt_flags options> <fs_mgr_flags>
system /postinstall ext4 ro,nosuid,nodev,noexec slotselect_other,logical,avb_keys=/product/etc/security/avb/system_other.avbpubkey

Devices that need to enable AVB on the system_other partition should place the fstab file in the product partition and set the property ro.postinstall.fstab.prefix to /product.

# Use /product/etc/fstab.postinstall to mount system_other.
PRODUCT_PRODUCT_PROPERTIES += \
    ro.postinstall.fstab.prefix=/product

PRODUCT_COPY_FILES += \
    $(LOCAL_PATH)/fstab.postinstall:$(TARGET_COPY_OUT_PRODUCT)/etc/fstab.postinstall
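
A build-time check can catch an fstab.postinstall that drops the avb_keys option or the restrictive mount flags from the entry shown above. The following is an added example, not AOSP code; the function names, the launched_with_android_10 parameter and the rule that the key path must start with /product/ are assumptions made for illustration.

```python
# Added example (not AOSP code): lint fstab.postinstall against this page's entry.
REQUIRED_MNT = {"ro", "nosuid", "nodev", "noexec"}  # mount flags in the page's entry
KEY_PREFIX = "/product/"  # assumption: the public key ships on the product partition

# The page's entry, and a constructed weak entry (no noexec, no avb_keys).
GOOD_FSTAB = """\
#<dev> <mnt_point> <type> <mnt_flags options> <fs_mgr_flags>
system /postinstall ext4 ro,nosuid,nodev,noexec slotselect_other,logical,avb_keys=/product/etc/security/avb/system_other.avbpubkey
"""
WEAK_FSTAB = "system /postinstall ext4 ro,nosuid,nodev slotselect_other,logical\n"


def parse_fstab(text):
    """Yield (lineno, mnt_point, mnt_flags set, fs_mgr_flags dict) per entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        fs_mgr = {f.partition("=")[0]: f.partition("=")[2] for f in fields[4].split(",")}
        yield lineno, fields[1], set(fields[3].split(",")), fs_mgr


def lint_postinstall(text, launched_with_android_10=True):
    """Return findings for /postinstall entries; an empty list means clean."""
    findings = []
    entries = [e for e in parse_fstab(text) if e[1] == "/postinstall"]
    if not entries:
        return ["no /postinstall entry found"]
    for lineno, _mnt, mnt_flags, fs_mgr in entries:
        for flag in sorted(REQUIRED_MNT - mnt_flags):
            findings.append(f"line {lineno}: mount flag '{flag}' missing")
        if "slotselect_other" not in fs_mgr:
            findings.append(f"line {lineno}: 'slotselect_other' missing")
        if launched_with_android_10 and "logical" not in fs_mgr:
            findings.append(f"line {lineno}: 'logical' missing on an Android 10 launch device")
        key = fs_mgr.get("avb_keys", "")
        if not key:
            findings.append(f"line {lineno}: avb_keys not set for system_other")
        elif not key.startswith(KEY_PREFIX):
            findings.append(f"line {lineno}: avb_keys path is outside {KEY_PREFIX}")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_FSTAB), ("weak", WEAK_FSTAB)):
        print(name, lint_postinstall(text) or "OK")
```

Pass launched_with_android_10=False for retrofit devices, whose system_other partition is physical and therefore has no logical flag.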