
Commit 5b5f4958 authored by Geremy Condra's avatar Geremy Condra

Add verity support to `make dist`.

Without this, system images will be built that do not contain the
necessary bits for verification.

Change-Id: I87c15282b26377d7a2a1540e3d0e30b0299622e3
parent d2151e14
+6 −5
@@ -663,6 +663,11 @@ $(if $(BOARD_OEMIMAGE_PARTITION_SIZE),$(hide) echo "oem_size=$(BOARD_OEMIMAGE_PA
$(if $(INTERNAL_USERIMAGES_SPARSE_EXT_FLAG),$(hide) echo "extfs_sparse_flag=$(INTERNAL_USERIMAGES_SPARSE_EXT_FLAG)" >> $(1))
$(if $(mkyaffs2_extra_flags),$(hide) echo "mkyaffs2_extra_flags=$(mkyaffs2_extra_flags)" >> $(1))
$(hide) echo "selinux_fc=$(SELINUX_FC)" >> $(1)
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY), $(hide) echo "verity=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_PARTITION)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(VERITY_SIGNER)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_mountpoint=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_MOUNTPOINT)" >> $(1))
$(if $(2),$(hide) $(foreach kv,$(2),echo "$(kv)" >> $(1);))
endef

@@ -875,11 +880,7 @@ define build-systemimage-target
  @echo "Target system fs image: $(1)"
  @mkdir -p $(dir $(1)) $(systemimage_intermediates) && rm -rf $(systemimage_intermediates)/system_image_info.txt
  $(call generate-userimage-prop-dictionary, $(systemimage_intermediates)/system_image_info.txt, \
      skip_fsck=true \
      verity=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY) \
      verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_PARTITION) \
      verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY) \
      verity_signer_cmd=$(VERITY_SIGNER))
      skip_fsck=true)
  $(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH \
      ./build/tools/releasetools/build_image.py \
      $(TARGET_OUT) $(systemimage_intermediates)/system_image_info.txt $(1)
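Review bot: Nothing in the added `verity_*` lines of generate-userimage-prop-dictionary checks that the values they write are non-empty, so a product that sets PRODUCT_SUPPORTS_VERITY without PRODUCT_VERITY_MOUNTPOINT gets `verity_mountpoint=` in every image's property file. With the system-image-only arguments removed in the second hunk, the only gate left is the `mount_point == verity_mountpoint` comparison this commit adds to build_image.py, which would presumably not match an empty value and so yield a system image without verity metadata and without any build error. Failing the build is safer than skipping silently, e.g. `$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_MOUNTPOINT),,$(error PRODUCT_SUPPORTS_VERITY is set but PRODUCT_VERITY_MOUNTPOINT is empty)))`, and likewise for the partition and signing key. The first added line also has a space after the comma that the other four do not. generate-userimage-prop-dictionary starts above the first hunk and build-systemimage-target continues past the second.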
+2 −1
@@ -104,7 +104,8 @@ _product_var_list := \
    PRODUCT_OEM_PROPERTIES \
    PRODUCT_SYSTEM_PROPERTY_BLACKLIST \
    PRODUCT_VERITY_PARTITION \
    PRODUCT_VERITY_SIGNING_KEY
    PRODUCT_VERITY_SIGNING_KEY \
    PRODUCT_VERITY_MOUNTPOINT

define dump-product
$(info ==== $(1) ====)\
+1 −0
@@ -18,6 +18,7 @@

PRODUCT_SUPPORTS_VERITY := true
PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity_private_dev_key
PRODUCT_VERITY_MOUNTPOINT := system

PRODUCT_PACKAGES += \
        verity_key
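Review bot: The new `PRODUCT_VERITY_MOUNTPOINT := system` has no comment saying what form the value takes or that only one partition can be named. build_image.py in this commit compares it for string equality with the image's `mount_point`, so a differently spelled value (for instance with a leading slash) would presumably never match and verity would be skipped without an error. A comment above the assignment would do, e.g. `# Mount point of the single partition built with verity; must equal the mount_point string build_image.py uses for that image.`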
+12 −11
@@ -26,6 +26,7 @@ import subprocess
import sys
import commands
import shutil
import tempfile

import simg_map

@@ -170,10 +171,7 @@ def MakeVerityEnabledImage(out_file, prop_dict):
  signer_path = prop_dict["verity_signer_cmd"]

  # make a tempdir
  tempdir_name = os.path.join(os.path.dirname(out_file), "verity_images")
  if os.path.exists(tempdir_name):
    shutil.rmtree(tempdir_name)
  os.mkdir(tempdir_name)
  tempdir_name = tempfile.mkdtemp(suffix="_verity_images")

  # get partial image paths
  verity_image_path = os.path.join(tempdir_name, "verity.img")
@@ -181,7 +179,7 @@ def MakeVerityEnabledImage(out_file, prop_dict):

  # build the verity tree and get the root hash and salt
  if not BuildVerityTree(out_file, verity_image_path, prop_dict):
    shutil.rmtree(tempdir_name)
    shutil.rmtree(tempdir_name, ignore_errors=True)
    return False

  # build the metadata blocks
@@ -194,17 +192,17 @@ def MakeVerityEnabledImage(out_file, prop_dict):
                              block_dev,
                              signer_path,
                              signer_key):
    shutil.rmtree(tempdir_name)
    shutil.rmtree(tempdir_name, ignore_errors=True)
    return False

  # build the full verified image
  if not BuildVerifiedImage(out_file,
                            verity_image_path,
                            verity_metadata_path):
    shutil.rmtree(tempdir_name)
    shutil.rmtree(tempdir_name, ignore_errors=True)
    return False

  shutil.rmtree(tempdir_name)
  shutil.rmtree(tempdir_name, ignore_errors=True)
  return True

def BuildImage(in_dir, prop_dict, out_file):
@@ -222,8 +220,10 @@ def BuildImage(in_dir, prop_dict, out_file):
  fs_type = prop_dict.get("fs_type", "")
  run_fsck = False

  is_verity_partition = prop_dict.get("mount_point") == prop_dict.get("verity_mountpoint")
  verity_supported = prop_dict.get("verity") == "true"
  # adjust the partition size to make room for the hashes if this is to be verified
  if prop_dict.get("verity") == "true":
  if verity_supported and is_verity_partition:
    partition_size = int(prop_dict.get("partition_size"))
    adjusted_size = AdjustPartitionSizeForVerity(partition_size)
    if not adjusted_size:
@@ -258,7 +258,7 @@ def BuildImage(in_dir, prop_dict, out_file):
    return False

  # create the verified image if this is to be verified
  if prop_dict.get("verity") == "true":
  if verity_supported and is_verity_partition:
    if not MakeVerityEnabledImage(out_file, prop_dict):
      return False

@@ -301,7 +301,8 @@ def ImagePropFromGlobalDict(glob_dict, mount_point):
      "verity",
      "verity_block_device",
      "verity_key",
      "verity_signer_cmd"
      "verity_signer_cmd",
      "verity_mountpoint"
      )
  for p in common_props:
    copy_prop(p, p)
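Review bot: The temp-directory cleanup in MakeVerityEnabledImage is still written out four times, once per failure branch and once before `return True`, so an exception raised inside any of the Build* helpers would skip all of them and leave the intermediate verity files in the system temp location. A single `try:` after the `tempfile.mkdtemp(...)` call with `finally: shutil.rmtree(tempdir_name, ignore_errors=True)` covers every exit, and the early-return branches then reduce to `return False`. `ignore_errors=True` also hides a cleanup that fails, so a log line in that case would help when build hosts start accumulating `*_verity_images` directories. The function begins above the first hunk that touches it.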