9 files changed, 249 insertions, 87 deletions

diff --git a/filesystem/aconfig_files.go b/filesystem/aconfig_files.go
index 6d034027d..b4173d784 100644
--- a/filesystem/aconfig_files.go
+++ b/filesystem/aconfig_files.go
@@ -22,6 +22,17 @@ import (
 	"github.com/google/blueprint/proptools"
 )
 
+func init() {
+	pctx.HostBinToolVariable("aconfig", "aconfig")
+}
+
+var (
+	aconfigCreateStorage = pctx.AndroidStaticRule("aconfig_create_storage", blueprint.RuleParams{
+		Command:     `$aconfig create-storage --container $container --file $fileType --out $out --cache $in --version $version`,
+		CommandDeps: []string{"$aconfig"},
+	}, "container", "fileType", "version")
+)
+
 type installedAconfigFlagsInfo struct {
 	aconfigFiles android.Paths
 }
@@ -66,45 +77,57 @@ func (f *filesystem) buildAconfigFlagsFiles(
 
 	container := f.PartitionType()
 
-	installAconfigFlagsPath := dir.Join(ctx, "etc", "aconfig_flags.pb")
-	cmd := builder.Command().
+	aconfigFlagsPb := android.PathForModuleOut(ctx, "aconfig", "aconfig_flags.pb")
+	aconfigFlagsPbBuilder := android.NewRuleBuilder(pctx, ctx)
+	cmd := aconfigFlagsPbBuilder.Command().
 		BuiltTool("aconfig").
 		Text(" dump-cache --dedup --format protobuf --out").
-		Output(installAconfigFlagsPath).
+		Output(aconfigFlagsPb).
 		Textf("--filter container:%s+state:ENABLED", container).
 		Textf("--filter container:%s+permission:READ_WRITE", container)
 	for _, cache := range caches {
 		cmd.FlagWithInput("--cache ", cache)
 	}
+	aconfigFlagsPbBuilder.Build("aconfig_flags_pb", "build aconfig_flags.pb")
+
+	installAconfigFlagsPath := dir.Join(ctx, "etc", "aconfig_flags.pb")
+	builder.Command().Text("mkdir -p ").Text(dir.Join(ctx, "etc").String())
+	builder.Command().Text("cp").Input(aconfigFlagsPb).Text(installAconfigFlagsPath.String())
 	*fullInstallPaths = append(*fullInstallPaths, FullInstallPathInfo{
 		FullInstallPath: android.PathForModuleInPartitionInstall(ctx, f.PartitionType(), "etc/aconfig_flags.pb"),
-		SourcePath:      installAconfigFlagsPath,
+		SourcePath:      aconfigFlagsPb,
 	})
 	f.appendToEntry(ctx, installAconfigFlagsPath)
 
-	installAconfigStorageDir := dir.Join(ctx, "etc", "aconfig")
-	builder.Command().Text("mkdir -p").Text(installAconfigStorageDir.String())
-
 	// To enable fingerprint, we need to have v2 storage files. The default version is 1.
 	storageFilesVersion := 1
 	if ctx.Config().ReleaseFingerprintAconfigPackages() {
 		storageFilesVersion = 2
 	}
 
+	installAconfigStorageDir := dir.Join(ctx, "etc", "aconfig")
+	builder.Command().Text("mkdir -p").Text(installAconfigStorageDir.String())
+
 	generatePartitionAconfigStorageFile := func(fileType, fileName string) {
-		outputPath := installAconfigStorageDir.Join(ctx, fileName)
+		outPath := android.PathForModuleOut(ctx, "aconfig", fileName)
+		installPath := installAconfigStorageDir.Join(ctx, fileName)
+		ctx.Build(pctx, android.BuildParams{
+			Rule:   aconfigCreateStorage,
+			Input:  aconfigFlagsPb,
+			Output: outPath,
+			Args: map[string]string{
+				"container": container,
+				"fileType":  fileType,
+				"version":   strconv.Itoa(storageFilesVersion),
+			},
+		})
 		builder.Command().
-			BuiltTool("aconfig").
-			FlagWithArg("create-storage --container ", container).
-			FlagWithArg("--file ", fileType).
-			FlagWithOutput("--out ", outputPath).
-			FlagWithArg("--cache ", installAconfigFlagsPath.String()).
-			FlagWithArg("--version ", strconv.Itoa(storageFilesVersion))
+			Text("cp").Input(outPath).Text(installPath.String())
 		*fullInstallPaths = append(*fullInstallPaths, FullInstallPathInfo{
+			SourcePath:      outPath,
 			FullInstallPath: android.PathForModuleInPartitionInstall(ctx, f.PartitionType(), "etc/aconfig", fileName),
-			SourcePath:      outputPath,
 		})
-		f.appendToEntry(ctx, outputPath)
+		f.appendToEntry(ctx, installPath)
 	}
 
 	if ctx.Config().ReleaseCreateAconfigStorageFile() {
diff --git a/filesystem/android_device.go b/filesystem/android_device.go
index 6d6521728..47c4e3d0c 100644
--- a/filesystem/android_device.go
+++ b/filesystem/android_device.go
@@ -336,11 +336,6 @@ func (a *androidDevice) buildTargetFilesZip(ctx android.ModuleContext) {
 		targetFilesZipCopy{a.partitionProps.Init_boot_partition_name, "INIT_BOOT/RAMDISK"},
 		targetFilesZipCopy{a.partitionProps.Vendor_boot_partition_name, "VENDOR_BOOT/RAMDISK"},
 	}
-	// TODO: Handle cases where recovery files are copied to BOOT/ or RECOVERY/
-	// https://cs.android.com/android/platform/superproject/main/+/main:build/make/core/Makefile;l=6211-6219?q=core%2FMakefile&ss=android%2Fplatform%2Fsuperproject%2Fmain
-	if ctx.DeviceConfig().BoardMoveRecoveryResourcesToVendorBoot() {
-		toCopy = append(toCopy, targetFilesZipCopy{a.partitionProps.Recovery_partition_name, "VENDOR_BOOT/RAMDISK"})
-	}
 
 	filesystemsToCopy := []targetFilesystemZipCopy{}
 	for _, zipCopy := range toCopy {
@@ -377,6 +372,12 @@ func (a *androidDevice) buildTargetFilesZip(ctx android.ModuleContext) {
 			BuiltTool("acp").
 			Textf("-rd %s/. %s/%s", rootDirString, targetFilesDir, toCopy.destSubdir).
 			Implicit(toCopy.fsInfo.Output) // so that the staging dir is built
+		for _, extraRootDir := range toCopy.fsInfo.ExtraRootDirs {
+			builder.Command().
+				BuiltTool("acp").
+				Textf("-rd %s/. %s/%s", extraRootDir, targetFilesDir, toCopy.destSubdir).
+				Implicit(toCopy.fsInfo.Output) // so that the staging dir is built
+		}
 
 		if toCopy.destSubdir == "SYSTEM" {
 			// Create the ROOT partition in target_files.zip
diff --git a/filesystem/avb_add_hash_footer.go b/filesystem/avb_add_hash_footer.go
index f32993c4b..c1e03cb62 100644
--- a/filesystem/avb_add_hash_footer.go
+++ b/filesystem/avb_add_hash_footer.go
@@ -149,6 +149,8 @@ func (a *avbAddHashFooter) GenerateAndroidBuildActions(ctx android.ModuleContext
 	a.installDir = android.PathForModuleInstall(ctx, "etc")
 	ctx.InstallFile(a.installDir, a.installFileName(), output)
 	a.output = output
+
+	setCommonFilesystemInfo(ctx, a)
 }
 
 func addAvbProp(ctx android.ModuleContext, cmd *android.RuleBuilderCommand, prop avbProp) {
diff --git a/filesystem/bootimg.go b/filesystem/bootimg.go
index 6d6c15c05..effbd6542 100644
--- a/filesystem/bootimg.go
+++ b/filesystem/bootimg.go
@@ -230,6 +230,8 @@ func (b *bootimg) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 		ramdiskModule := ctx.GetDirectDepWithTag(ramdisk, bootimgRamdiskDep)
 		fsInfo, _ := android.OtherModuleProvider(ctx, ramdiskModule, FilesystemProvider)
 		android.SetProvider(ctx, FilesystemProvider, fsInfo)
+	} else {
+		setCommonFilesystemInfo(ctx, b)
 	}
 
 	// Set BootimgInfo for building target_files.zip
diff --git a/filesystem/filesystem.go b/filesystem/filesystem.go
index aadb76262..40a460b31 100644
--- a/filesystem/filesystem.go
+++ b/filesystem/filesystem.go
@@ -392,6 +392,9 @@ type InstalledModuleInfo struct {
 type FilesystemInfo struct {
 	// The built filesystem image
 	Output android.Path
+	// Returns the output file that is signed by avbtool. If this module is not signed, returns
+	// nil.
+	SignedOutputPath android.Path
 	// An additional hermetic filesystem image.
 	// e.g. this will contain inodes with pinned timestamps.
 	// This will be copied to target_files.zip
@@ -402,6 +405,9 @@ type FilesystemInfo struct {
 	// to add a dependency on the Output file, as you cannot add dependencies on directories
 	// in ninja.
 	RootDir android.Path
+	// Extra root directories that are also built into the partition. Currently only used for
+	// including the recovery partition files into the vendor_boot image.
+	ExtraRootDirs android.Paths
 	// The rebased staging directory used to build the output filesystem. If consuming this, make
 	// sure to add a dependency on the Output file, as you cannot add dependencies on directories
 	// in ninja. In many cases this is the same as RootDir, only in the system partition is it
@@ -619,6 +625,7 @@ func (f *filesystem) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 	var outputHermetic android.WritablePath
 	var buildImagePropFile android.Path
 	var buildImagePropFileDeps android.Paths
+	var extraRootDirs android.Paths
 	switch f.fsType(ctx) {
 	case ext4Type, erofsType, f2fsType:
 		buildImagePropFile, buildImagePropFileDeps = f.buildPropFile(ctx)
@@ -632,9 +639,9 @@ func (f *filesystem) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 		f.buildImageUsingBuildImage(ctx, hermeticBuilder, buildImageParams{rootDir, propFileHermetic, buildImagePropFileDeps, outputHermetic})
 		mapFile = f.getMapFile(ctx)
 	case compressedCpioType:
-		f.output = f.buildCpioImage(ctx, builder, rootDir, true)
+		f.output, extraRootDirs = f.buildCpioImage(ctx, builder, rootDir, true)
 	case cpioType:
-		f.output = f.buildCpioImage(ctx, builder, rootDir, false)
+		f.output, extraRootDirs = f.buildCpioImage(ctx, builder, rootDir, false)
 	default:
 		return
 	}
@@ -662,10 +669,12 @@ func (f *filesystem) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 	}
 
 	fsInfo := FilesystemInfo{
-		Output:                 f.output,
+		Output:                 f.OutputPath(),
+		SignedOutputPath:       f.SignedOutputPath(),
 		OutputHermetic:         outputHermetic,
 		FileListFile:           fileListFile,
 		RootDir:                rootDir,
+		ExtraRootDirs:          extraRootDirs,
 		RebasedDir:             rebasedDir,
 		MapFile:                mapFile,
 		ModuleName:             ctx.ModuleName(),
@@ -1165,7 +1174,7 @@ func (f *filesystem) buildCpioImage(
 	builder *android.RuleBuilder,
 	rootDir android.OutputPath,
 	compressed bool,
-) android.Path {
+) (android.Path, android.Paths) {
 	if proptools.Bool(f.properties.Use_avb) {
 		ctx.PropertyErrorf("use_avb", "signing compresed cpio image using avbtool is not supported."+
 			"Consider adding this to bootimg module and signing the entire boot image.")
@@ -1205,7 +1214,7 @@ func (f *filesystem) buildCpioImage(
 	// rootDir is not deleted. Might be useful for quick inspection.
 	builder.Build("build_cpio_image", fmt.Sprintf("Creating filesystem %s", f.BaseModuleName()))
 
-	return output
+	return output, rootDirs
 }
 
 var validPartitions = []string{
@@ -1519,3 +1528,10 @@ func (f *filesystem) MakeVars(ctx android.MakeVarsModuleContext) {
 		ctx.StrictRaw("SOONG_DEFINED_SYSTEM_IMAGE_PATH", f.output.String())
 	}
 }
+
+func setCommonFilesystemInfo(ctx android.ModuleContext, m Filesystem) {
+	android.SetProvider(ctx, FilesystemProvider, FilesystemInfo{
+		Output:           m.OutputPath(),
+		SignedOutputPath: m.SignedOutputPath(),
+	})
+}
diff --git a/filesystem/fsverity_metadata.go b/filesystem/fsverity_metadata.go
index a3a2086ce..89da3182a 100644
--- a/filesystem/fsverity_metadata.go
+++ b/filesystem/fsverity_metadata.go
@@ -21,9 +21,27 @@ import (
 
 	"android/soong/android"
 
+	"github.com/google/blueprint"
 	"github.com/google/blueprint/proptools"
 )
 
+func init() {
+	pctx.HostBinToolVariable("fsverity_metadata_generator", "fsverity_metadata_generator")
+	pctx.HostBinToolVariable("fsverity_manifest_generator", "fsverity_manifest_generator")
+	pctx.HostBinToolVariable("fsverity", "fsverity")
+}
+
+var (
+	buildFsverityMeta = pctx.AndroidStaticRule("build_fsverity_meta", blueprint.RuleParams{
+		Command:     `$fsverity_metadata_generator --fsverity-path $fsverity --signature none --hash-alg sha256 --output $out $in`,
+		CommandDeps: []string{"$fsverity_metadata_generator", "$fsverity"},
+	})
+	buildFsverityManifest = pctx.AndroidStaticRule("build_fsverity_manifest", blueprint.RuleParams{
+		Command:     `$fsverity_manifest_generator --fsverity-path $fsverity --output $out @$in`,
+		CommandDeps: []string{"$fsverity_manifest_generator", "$fsverity"},
+	})
+)
+
 type fsverityProperties struct {
 	// Patterns of files for fsverity metadata generation.  For each matched file, a .fsv_meta file
 	// will be generated and included to the filesystem image.
@@ -35,13 +53,57 @@ type fsverityProperties struct {
 	Libs proptools.Configurable[[]string] `android:"path"`
 }
 
-func (f *filesystem) writeManifestGeneratorListFile(ctx android.ModuleContext, outputPath android.WritablePath, matchedSpecs []android.PackagingSpec, rebasedDir android.OutputPath) {
+// Mapping of a given fsverity file, which may be a real file or a symlink, and the on-device
+// path it should have relative to the filesystem root.
+type fsveritySrcDest struct {
+	src  android.Path
+	dest string
+}
+
+func (f *filesystem) writeManifestGeneratorListFile(
+	ctx android.ModuleContext,
+	outputPath android.WritablePath,
+	matchedFiles []fsveritySrcDest,
+	rootDir android.OutputPath,
+	rebasedDir android.OutputPath,
+) []android.Path {
+	prefix, err := filepath.Rel(rootDir.String(), rebasedDir.String())
+	if err != nil {
+		panic("rebasedDir should be relative to rootDir")
+	}
+	if prefix == "." {
+		prefix = ""
+	}
+	if f.PartitionType() == "system_ext" {
+		// Use the equivalent of $PRODUCT_OUT as the base dir.
+		// This ensures that the paths in build_manifest.pb contain on-device paths
+		// e.g. system_ext/framework/javalib.jar
+		// and not framework/javalib.jar.
+		//
+		// Although base-dir is outside the rootdir provided for packaging, this action
+		// is hermetic since it uses `manifestGeneratorListPath` to filter the files to be written to build_manifest.pb
+		prefix = "system_ext"
+	}
+
+	var deps []android.Path
 	var buf strings.Builder
-	for _, spec := range matchedSpecs {
-		buf.WriteString(rebasedDir.Join(ctx, spec.RelPathInPackage()).String())
-		buf.WriteRune('\n')
+	for _, spec := range matchedFiles {
+		src := spec.src.String()
+		dst := filepath.Join(prefix, spec.dest)
+		if strings.Contains(src, ",") {
+			ctx.ModuleErrorf("Path cannot contain a comma: %s", src)
+		}
+		if strings.Contains(dst, ",") {
+			ctx.ModuleErrorf("Path cannot contain a comma: %s", dst)
+		}
+		buf.WriteString(src)
+		buf.WriteString(",")
+		buf.WriteString(dst)
+		buf.WriteString("\n")
+		deps = append(deps, spec.src)
 	}
 	android.WriteFileRuleVerbatim(ctx, outputPath, buf.String())
+	return deps
 }
 
 func (f *filesystem) buildFsverityMetadataFiles(
@@ -64,69 +126,98 @@ func (f *filesystem) buildFsverityMetadataFiles(
 		return false
 	}
 
-	var matchedSpecs []android.PackagingSpec
+	var matchedFiles []android.PackagingSpec
+	var matchedSymlinks []android.PackagingSpec
 	for _, relPath := range android.SortedKeys(specs) {
 		if match(relPath) {
-			matchedSpecs = append(matchedSpecs, specs[relPath])
+			spec := specs[relPath]
+			if spec.SrcPath() != nil {
+				matchedFiles = append(matchedFiles, spec)
+			} else if spec.SymlinkTarget() != "" {
+				matchedSymlinks = append(matchedSymlinks, spec)
+			} else {
+				ctx.ModuleErrorf("Expected a file or symlink for fsverity packaging spec")
+			}
 		}
 	}
 
-	if len(matchedSpecs) == 0 {
+	if len(matchedFiles) == 0 && len(matchedSymlinks) == 0 {
 		return
 	}
 
-	fsverityPath := ctx.Config().HostToolPath(ctx, "fsverity")
-
 	// STEP 1: generate .fsv_meta
-	var sb strings.Builder
-	sb.WriteString("set -e\n")
-	for _, spec := range matchedSpecs {
+	var fsverityFileSpecs []fsveritySrcDest
+	for _, spec := range matchedFiles {
+		rel := spec.RelPathInPackage() + ".fsv_meta"
+		outPath := android.PathForModuleOut(ctx, "fsverity/meta_files", rel)
+		destPath := rebasedDir.Join(ctx, rel)
 		// srcPath is copied by CopySpecsToDir()
-		srcPath := rebasedDir.Join(ctx, spec.RelPathInPackage())
-		destPath := rebasedDir.Join(ctx, spec.RelPathInPackage()+".fsv_meta")
-		builder.Command().
-			BuiltTool("fsverity_metadata_generator").
-			FlagWithInput("--fsverity-path ", fsverityPath).
-			FlagWithArg("--signature ", "none").
-			FlagWithArg("--hash-alg ", "sha256").
-			FlagWithOutput("--output ", destPath).
-			Text(srcPath.String())
+		ctx.Build(pctx, android.BuildParams{
+			Rule:   buildFsverityMeta,
+			Input:  spec.SrcPath(),
+			Output: outPath,
+		})
+		builder.Command().Textf("cp").Input(outPath).Output(destPath)
 		f.appendToEntry(ctx, destPath)
 		*fullInstallPaths = append(*fullInstallPaths, FullInstallPathInfo{
 			SourcePath:      destPath,
-			FullInstallPath: android.PathForModuleInPartitionInstall(ctx, f.PartitionType(), spec.RelPathInPackage()+".fsv_meta"),
+			FullInstallPath: android.PathForModuleInPartitionInstall(ctx, f.PartitionType(), rel),
+		})
+		fsverityFileSpecs = append(fsverityFileSpecs, fsveritySrcDest{
+			src:  spec.SrcPath(),
+			dest: spec.RelPathInPackage(),
 		})
 	}
-
-	fsVerityBaseDir := rootDir.String()
-	if f.PartitionType() == "system_ext" {
-		// Use the equivalent of $PRODUCT_OUT as the base dir.
-		// This ensures that the paths in build_manifest.pb contain on-device paths
-		// e.g. system_ext/framework/javalib.jar
-		// and not framework/javalib.jar.
-		//
-		// Although base-dir is outside the rootdir provided for packaging, this action
-		// is hermetic since it uses `manifestGeneratorListPath` to filter the files to be written to build_manifest.pb
-		fsVerityBaseDir = filepath.Dir(rootDir.String())
+	for _, spec := range matchedSymlinks {
+		rel := spec.RelPathInPackage() + ".fsv_meta"
+		outPath := android.PathForModuleOut(ctx, "fsverity/meta_files", rel)
+		destPath := rebasedDir.Join(ctx, rel)
+		target := spec.SymlinkTarget() + ".fsv_meta"
+		ctx.Build(pctx, android.BuildParams{
+			Rule:   android.Symlink,
+			Output: outPath,
+			Args: map[string]string{
+				"fromPath": target,
+			},
+		})
+		builder.Command().
+			Textf("cp").
+			Flag(ctx.Config().CpPreserveSymlinksFlags()).
+			Input(outPath).
+			Output(destPath)
+		f.appendToEntry(ctx, destPath)
+		*fullInstallPaths = append(*fullInstallPaths, FullInstallPathInfo{
+			SymlinkTarget:   target,
+			FullInstallPath: android.PathForModuleInPartitionInstall(ctx, f.PartitionType(), rel),
+		})
+		// The fsverity manifest tool needs to actually look at the symlink. But symlink
+		// packagingSpecs are not actually created on disk, at least until the staging dir is
+		// built for the partition. Create a fake one now so the tool can see it.
+		realizedSymlink := android.PathForModuleOut(ctx, "fsverity/realized_symlinks", spec.RelPathInPackage())
+		ctx.Build(pctx, android.BuildParams{
+			Rule:   android.Symlink,
+			Output: realizedSymlink,
+			Args: map[string]string{
+				"fromPath": spec.SymlinkTarget(),
+			},
+		})
+		fsverityFileSpecs = append(fsverityFileSpecs, fsveritySrcDest{
+			src:  realizedSymlink,
+			dest: spec.RelPathInPackage(),
+		})
 	}
 
 	// STEP 2: generate signed BuildManifest.apk
 	// STEP 2-1: generate build_manifest.pb
-	manifestGeneratorListPath := android.PathForModuleOut(ctx, "fsverity_manifest.list")
-	f.writeManifestGeneratorListFile(ctx, manifestGeneratorListPath, matchedSpecs, rebasedDir)
-	assetsPath := android.PathForModuleOut(ctx, "fsverity_manifest/assets")
-	manifestPbPath := assetsPath.Join(ctx, "build_manifest.pb")
-	builder.Command().Text("rm -rf " + assetsPath.String())
-	builder.Command().Text("mkdir -p " + assetsPath.String())
-	builder.Command().
-		BuiltTool("fsverity_manifest_generator").
-		FlagWithInput("--fsverity-path ", fsverityPath).
-		FlagWithArg("--base-dir ", fsVerityBaseDir).
-		FlagWithArg("--output ", manifestPbPath.String()).
-		FlagWithInput("@", manifestGeneratorListPath)
-
-	f.appendToEntry(ctx, manifestPbPath)
-	f.appendToEntry(ctx, manifestGeneratorListPath)
+	manifestGeneratorListPath := android.PathForModuleOut(ctx, "fsverity/fsverity_manifest.list")
+	manifestDeps := f.writeManifestGeneratorListFile(ctx, manifestGeneratorListPath, fsverityFileSpecs, rootDir, rebasedDir)
+	manifestPbPath := android.PathForModuleOut(ctx, "fsverity/build_manifest.pb")
+	ctx.Build(pctx, android.BuildParams{
+		Rule:      buildFsverityManifest,
+		Input:     manifestGeneratorListPath,
+		Implicits: manifestDeps,
+		Output:    manifestPbPath,
+	})
 
 	// STEP 2-2: generate BuildManifest.apk (unsigned)
 	apkNameSuffix := ""
@@ -134,8 +225,8 @@ func (f *filesystem) buildFsverityMetadataFiles(
 		//https://source.corp.google.com/h/googleplex-android/platform/build/+/e392d2b486c2d4187b20a72b1c67cc737ecbcca5:core/Makefile;l=3410;drc=ea8f34bc1d6e63656b4ec32f2391e9d54b3ebb6b;bpv=1;bpt=0
 		apkNameSuffix = "SystemExt"
 	}
-	apkPath := rebasedDir.Join(ctx, "etc", "security", "fsverity", fmt.Sprintf("BuildManifest%s.apk", apkNameSuffix))
-	idsigPath := rebasedDir.Join(ctx, "etc", "security", "fsverity", fmt.Sprintf("BuildManifest%s.apk.idsig", apkNameSuffix))
+	apkPath := android.PathForModuleOut(ctx, "fsverity", fmt.Sprintf("BuildManifest%s.apk", apkNameSuffix))
+	idsigPath := android.PathForModuleOut(ctx, "fsverity", fmt.Sprintf("BuildManifest%s.apk.idsig", apkNameSuffix))
 	manifestTemplatePath := android.PathForSource(ctx, "system/security/fsverity/AndroidManifest.xml")
 	libs := android.PathsForModuleSrc(ctx, f.properties.Fsverity.Libs.GetOrDefault(ctx, nil))
 
@@ -144,12 +235,23 @@ func (f *filesystem) buildFsverityMetadataFiles(
 		minSdkVersion = ctx.Config().PlatformSdkVersion().String()
 	}
 
-	unsignedApkCommand := builder.Command().
-		Textf("mkdir -p %s && ", filepath.Dir(apkPath.String())).
+	apkBuilder := android.NewRuleBuilder(pctx, ctx)
+
+	// aapt2 doesn't support adding individual asset files. Create a temp directory to hold asset
+	// files and pass it to aapt2.
+	tmpAssetDir := android.PathForModuleOut(ctx, "fsverity/tmp_asset_dir")
+	stagedManifestPbPath := tmpAssetDir.Join(ctx, "build_manifest.pb")
+	apkBuilder.Command().
+		Text("rm -rf").Text(tmpAssetDir.String()).
+		Text("&&").
+		Text("mkdir -p").Text(tmpAssetDir.String())
+	apkBuilder.Command().Text("cp").Input(manifestPbPath).Output(stagedManifestPbPath)
+
+	unsignedApkCommand := apkBuilder.Command().
 		BuiltTool("aapt2").
 		Text("link").
 		FlagWithOutput("-o ", apkPath).
-		FlagWithArg("-A ", assetsPath.String())
+		FlagWithArg("-A ", tmpAssetDir.String()).Implicit(stagedManifestPbPath)
 	for _, lib := range libs {
 		unsignedApkCommand.FlagWithInput("-I ", lib)
 	}
@@ -159,26 +261,36 @@ func (f *filesystem) buildFsverityMetadataFiles(
 		FlagWithArg("--version-name ", ctx.Config().AppsDefaultVersionName()).
 		FlagWithInput("--manifest ", manifestTemplatePath).
 		Text(" --rename-manifest-package com.android.security.fsverity_metadata." + f.partitionName())
-	*fullInstallPaths = append(*fullInstallPaths, FullInstallPathInfo{
-		SourcePath:      apkPath,
-		FullInstallPath: android.PathForModuleInPartitionInstall(ctx, f.PartitionType(), fmt.Sprintf("etc/security/fsverity/BuildManifest%s.apk", apkNameSuffix)),
-	})
-
-	f.appendToEntry(ctx, apkPath)
 
 	// STEP 2-3: sign BuildManifest.apk
 	pemPath, keyPath := ctx.Config().DefaultAppCertificate(ctx)
-	builder.Command().
+	apkBuilder.Command().
 		BuiltTool("apksigner").
 		Text("sign").
 		FlagWithArg("--in ", apkPath.String()).
 		FlagWithInput("--cert ", pemPath).
 		FlagWithInput("--key ", keyPath).
 		ImplicitOutput(idsigPath)
+	apkBuilder.Build(fmt.Sprintf("%s_fsverity_apk", ctx.ModuleName()), "build fsverity apk")
+
+	// STEP 2-4: Install the apk into the staging directory
+	installedApkPath := rebasedDir.Join(ctx, "etc", "security", "fsverity", fmt.Sprintf("BuildManifest%s.apk", apkNameSuffix))
+	installedIdsigPath := rebasedDir.Join(ctx, "etc", "security", "fsverity", fmt.Sprintf("BuildManifest%s.apk.idsig", apkNameSuffix))
+	builder.Command().Text("mkdir -p").Text(filepath.Dir(installedApkPath.String()))
+	builder.Command().Text("cp").Input(apkPath).Text(installedApkPath.String())
+	builder.Command().Text("cp").Input(idsigPath).Text(installedIdsigPath.String())
+
+	*fullInstallPaths = append(*fullInstallPaths, FullInstallPathInfo{
+		SourcePath:      apkPath,
+		FullInstallPath: android.PathForModuleInPartitionInstall(ctx, f.PartitionType(), fmt.Sprintf("etc/security/fsverity/BuildManifest%s.apk", apkNameSuffix)),
+	})
+
+	f.appendToEntry(ctx, installedApkPath)
+
 	*fullInstallPaths = append(*fullInstallPaths, FullInstallPathInfo{
 		SourcePath:      idsigPath,
 		FullInstallPath: android.PathForModuleInPartitionInstall(ctx, f.PartitionType(), fmt.Sprintf("etc/security/fsverity/BuildManifest%s.apk.idsig", apkNameSuffix)),
 	})
 
-	f.appendToEntry(ctx, idsigPath)
+	f.appendToEntry(ctx, installedIdsigPath)
 }
diff --git a/filesystem/logical_partition.go b/filesystem/logical_partition.go
index d0888a9c8..1fd2e766b 100644
--- a/filesystem/logical_partition.go
+++ b/filesystem/logical_partition.go
@@ -198,6 +198,8 @@ func (l *logicalPartition) GenerateAndroidBuildActions(ctx android.ModuleContext
 
 	ctx.SetOutputFiles([]android.Path{output}, "")
 	l.output = output
+
+	setCommonFilesystemInfo(ctx, l)
 }
 
 // Add a rule that converts the filesystem for the given partition to the given rule builder. The
diff --git a/filesystem/raw_binary.go b/filesystem/raw_binary.go
index 707fba06f..6ca155aaf 100644
--- a/filesystem/raw_binary.go
+++ b/filesystem/raw_binary.go
@@ -88,6 +88,8 @@ func (r *rawBinary) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 
 	ctx.SetOutputFiles([]android.Path{outputFile}, "")
 	r.output = outputFile
+
+	setCommonFilesystemInfo(ctx, r)
 }
 
 var _ android.AndroidMkEntriesProvider = (*rawBinary)(nil)
diff --git a/filesystem/vbmeta.go b/filesystem/vbmeta.go
index e5809d31b..01b453e25 100644
--- a/filesystem/vbmeta.go
+++ b/filesystem/vbmeta.go
@@ -306,6 +306,8 @@ func (v *vbmeta) GenerateAndroidBuildActions(ctx android.ModuleContext) {
 
 	ctx.SetOutputFiles([]android.Path{output}, "")
 	v.output = output
+
+	setCommonFilesystemInfo(ctx, v)
 }
 
 // Returns the embedded shell command that prints the rollback index