{% include "_versions.html" %}
All new devices launching with Android {{ androidPVersionNumber }} must use system-as-root
(BOARD_BUILD_SYSTEM_ROOT_IMAGE
must be true
), which
merges ramdisk.img
into system.img
, which in turn
is mounted as rootfs. For devices upgrading to Android {{ androidPVersionNumber }}, system-as-root is
not mandatory. This document describes system-as-root, lists kernel
requirements for dm-verity support (including dependent kernel patches), and
provides setup examples.
The current Android ecosystem supports two types of partition layout:
system
partition is
mounted as rootfs.ramdisk.img
in the
/boot
partition is loaded into memory (which in turn is
mounted as rootfs) while the system
partition is mounted at
/system
.System-only OTAs, in which a system.img
can be updated across
major Android releases without changing other partitions, are supported by
the architectural changes made in Android 8.0 as part of
Project Treble.
However, for non-A/B devices, as ramdisk.img
is in
/boot
partition, it cannot be updated via a system-only OTA
using the Android 8.x architecture. As a result, an old
ramdisk.img
might not work with a new system.img
for the following reasons:
/init
in ramdisk.img
might not be
able to parse the *.rc files on /system
./init.rc
, which also may be out of
date compared to what is required for the new /system
.To ensure system-only OTAs work as expected, system-as-root is mandatory in Android {{ androidPVersionNumber }}. Non-A/B devices must switch from ramdisk partition layout to system-as-root partition layout; A/B devices do not need to change as they already must use system-as-root.
A/B devices and non-A/B devices have the following partition details:
A/B Devices | Non-A/B Devices |
---|---|
Each partition (except userdata) has two copies (slots):
|
Each partition has one copy, no other backup partitions.
|
For details on A/B and non-A/B devices, refer to A/B (Seamless) System Updates.
In Android {{ androidPVersionNumber }}, non-A/B devices should adopt system-as-root so they can be updated via a system-only OTA.
Unlike A/B devices that re-purpose /boot
as the recovery
partition, non-A/B devices must keep the /recovery
partition separate as they do not have the fallback slot partition
(e.g., from boot_a
→ boot_b
). If
/recovery
is removed on non-A/B device and made similar to the
A/B scheme, recovery mode could break during a failed update to
/boot
partition. For this reason, the /recovery
partition must be a separate partition than
/boot
for non-A/B devices, which implies the recovery image will
continue to be updated in a deferred manner (i.e. the same as in pre-{{ androidPVersionNumber }}
devices).
Partition layout differences for non-A/B devices before and after Android {{ androidPVersionNumber }}:
Component | Image | ramdisk (before {{ androidPVersionNumber }}) | system-as-root (after {{ androidPVersionNumber }}) |
---|---|---|---|
Image Content | boot.img |
Contains a kernel and a ramdisk.img:
ramdisk.img -/ - init.rc - init - etc -> /system/etc - system/ (mount point) - vendor/ (mount point) - odm/ (mount point) ... |
Contains a normal boot kernel only. |
recovery.img | Contains a recovery kernel and a recovery-ramdisk.img. | ||
system.img |
Contains the following:
system.img -/ - bin/ - etc - vendor -> /vendor - ... |
Contains the merged content of original system.img and ramdisk.img:
system.img -/ - init.rc - init - etc -> /system/etc - system/ - bin/ - etc/ - vendor -> /vendor - ... - vendor/ (mount point) - odm/ (mount point) ... |
|
Partition Layout | N/A |
|
|
In system-as-root, the kernel must mount system.img
under
/
(mount point) with dm-verity.
AOSP supports the following dm-verity implementations for
system.img
:
/system
, then convert to dm-verity
params to set up dm-verity. Requires these kernel-patches./system
, converts it to dm-verity
params, and finally passes the params to the kernel via kernel
command line. (Hashtree descriptors of /system
might be on
/vbmeta
or on /system
itself.)Examples from real devices showing dm-verity related settings for system-as-root in kernel command line:
vboot 1.0
ro root=/dev/dm-0 rootwait skip_initramfs init=/init dm="system none ro,0 1 android-verity /dev/sda34" veritykeyid=id:7e4333f9bba00adfe0ede979e28ed1920492b40f
vboot 2.0 (AVB)
ro root=/dev/dm-0 rootwait skip_initramfs init=/init dm="1 vroot none ro 1,0 5159992 verity 1 PARTUUID=00000016-0000-0000-0000-000000000000 PARTUUID=00000016-0000-0000-0000-000000000000 4096 4096 644999 644999 sha1 d80b4a8be3b58a8ab86fad1b498640892d4843a2 8d08feed2f55c418fb63447fec0d32b1b107e42c 10 restart_on_corruption ignore_zero_blocks use_fec_from_device PARTUUID=00000016-0000-0000-0000-000000000000 fec_roots 2 fec_blocks 650080 fec_start 650080"
With system-as-root, after the Generic System Image (GSI)
is flashed on the device (and before running Vendor Test Suite
tests), any device-specific root folders added via
BOARD_ROOT_EXTRA_FOLDERS
will be gone because the entire root
directory content has been replaced by the system-as-root GSI. The removal of
these folders might cause the device to become unbootable if a dependency on
the device-specific root folders exists (e.g., they are used as mount
points).
To avoid this issue, do not use BOARD_ROOT_EXTRA_FOLDERS
to
add device-specific root folders (it will likely be deprecated in the
future). If you need to specify device-specific mount points, use
/mnt/vendor/<mount point>
(added in these changelists).
These vendor-specific mount points can be directly specified in both the
fstab
device tree (for first-stage mount) and the
/vendor/etc/fstab.{ro.hardware}
file without additional setup
(as fs_mgr
will create them under /mnt/vendor/*
automatically).