Loading CleanSpec.mk +3 −0 Original line number Diff line number Diff line Loading @@ -610,6 +610,9 @@ $(call add-clean-step, rm -rf $(HOST_CROSS_OUT_TESTCASES)/*) $(call add-clean-step, rm -rf $(TARGET_OUT_DATA)/*) $(call add-clean-step, rm -rf $(HOST_OUT)/vts/*) $(call add-clean-step, rm -rf $(HOST_OUT)/framework/vts-tradefed.jar) # Clean up old location of system_other.avbpubkey $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/security/avb/) # ************************************************ # NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST # ************************************************ core/Makefile +13 −5 Original line number Diff line number Diff line Loading @@ -729,6 +729,13 @@ $(BUILD_SYSTEM_STATS): @$(foreach s,$(STATS.SOONG_MODULE_TYPE),echo "modules_type_soong,$(s),$(STATS.SOONG_MODULE_TYPE.$(s))" >>$@;) $(call dist-for-goals,droidcore,$(BUILD_SYSTEM_STATS)) # ----------------------------------------------------------------- # build /product/etc/security/avb/system_other.avbpubkey if needed ifdef BUILDING_SYSTEM_OTHER_IMAGE INSTALLED_PRODUCT_SYSTEM_OTHER_AVBKEY_TARGET := $(TARGET_OUT_PRODUCT_ETC)/security/avb/system_other.avbpubkey ALL_DEFAULT_INSTALLED_MODULES += $(INSTALLED_PRODUCT_SYSTEM_OTHER_AVBKEY_TARGET) endif # BUILDING_SYSTEM_OTHER_IMAGE # ----------------------------------------------------------------- # Modules ready to be converted to Soong, ordered by how many # modules depend on them. Loading Loading 
@@ -1463,8 +1470,7 @@ $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_system_other_add_hashtree_footer_args $(if $(BOARD_AVB_ENABLE),\ $(if $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH),\ $(hide) echo "avb_system_other_key_path=$(BOARD_AVB_SYSTEM_OTHER_KEY_PATH)" >> $(1) $(hide) echo "avb_system_other_algorithm=$(BOARD_AVB_SYSTEM_OTHER_ALGORITHM)" >> $(1) $(hide) echo "avb_system_extract_system_other_key=true" >> $(1))) $(hide) echo "avb_system_other_algorithm=$(BOARD_AVB_SYSTEM_OTHER_ALGORITHM)" >> $(1))) $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1)) $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_add_hashtree_footer_args=$(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS)" >> $(1)) $(if $(BOARD_AVB_ENABLE),\ Loading Loading @@ -2980,9 +2986,11 @@ BOARD_AVB_SYSTEM_OTHER_KEY_PATH := $(BOARD_AVB_KEY_PATH) BOARD_AVB_SYSTEM_OTHER_ALGORITHM := $(BOARD_AVB_ALGORITHM) endif # To extract the public key of SYSTEM_OTHER_KEY_PATH will into system.img: # /system/etc/security/avb/system_other.avbpubkey. FULL_SYSTEMIMAGE_DEPS += $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH) $(INSTALLED_PRODUCT_SYSTEM_OTHER_AVBKEY_TARGET): $(AVBTOOL) $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH) @echo Extracting system_other avb key: $@ @rm -f $@ @mkdir -p $(dir $@) $(AVBTOOL) extract_public_key --key $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH) --output $@ ifndef BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP) Loading tools/releasetools/build_image.py +0 −23 Original line number Diff line number Diff line Loading 
@@ -740,28 +740,6 @@ def SaveGlobalDict(filename, glob_dict): f.writelines(["%s=%s" % (key, value) for (key, value) in glob_dict.items()]) def ExtractSystemOtherAvbKey(in_dir, glob_dict): if glob_dict.get("avb_system_extract_system_other_key") != "true": return extract_to = os.path.join(in_dir, "etc/security/avb/system_other.avbpubkey") extract_to_dir = os.path.dirname(extract_to) if os.path.isdir(extract_to_dir): shutil.rmtree(extract_to_dir) elif os.path.isfile(extract_to_dir): os.remove(extract_to_dir) os.mkdir(extract_to_dir); # Extracts the public key used to sign system_other.img, into system.img: # /system/etc/security/avb/system_other.avbpubkey. avbtool = glob_dict.get("avb_avbtool") extract_from = glob_dict.get("avb_system_other_key_path") cmd = [avbtool, "extract_public_key", "--key", extract_from, "--output", extract_to] common.RunAndCheckOutput(cmd, verbose=False) def main(argv): if len(argv) < 4 or len(argv) > 5: print(__doc__) Loading @@ -785,7 +763,6 @@ def main(argv): mount_point = "" if image_filename == "system.img": mount_point = "system" ExtractSystemOtherAvbKey(in_dir, glob_dict) elif image_filename == "system_other.img": mount_point = "system_other" elif image_filename == "userdata.img": Loading tools/releasetools/sign_target_files_apks.py +25 −3 Original line number Diff line number Diff line Loading 
@@ -91,12 +91,12 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files Replace the veritykeyid in BOOT/cmdline of input_target_file_zip with keyid of the cert pointed by <path_to_X509_PEM_cert_file>. --avb_{boot,system,vendor,dtbo,vbmeta}_algorithm <algorithm> --avb_{boot,system,vendor,dtbo,vbmeta}_key <key> --avb_{boot,system,system_other,vendor,dtbo,vbmeta}_algorithm <algorithm> --avb_{boot,system,system_other,vendor,dtbo,vbmeta}_key <key> Use the specified algorithm (e.g. SHA256_RSA4096) and the key to AVB-sign the specified image. Otherwise it uses the existing values in info dict. --avb_{apex,boot,system,vendor,dtbo,vbmeta}_extra_args <args> --avb_{apex,boot,system,system_other,vendor,dtbo,vbmeta}_extra_args <args> Specify any additional args that are needed to AVB-sign the image (e.g. "--signing_helper /path/to/helper"). The args will be appended to the existing ones in info dict. Loading Loading @@ -584,6 +584,18 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, elif filename == "META/care_map.pb" or filename == "META/care_map.txt": pass # Updates system_other.avbpubkey in /product/etc/. elif filename in ( "PRODUCT/etc/security/avb/system_other.avbpubkey", "SYSTEM/product/etc/security/avb/system_other.avbpubkey"): # Only update system_other's public key, if the corresponding signing # key is specified via --avb_system_other_key. signing_key = OPTIONS.avb_keys.get("system_other") if signing_key: public_key = common.ExtractAvbPublicKey(signing_key) print(" Rewriting AVB public key of system_other in /product") common.ZipWrite(output_tf_zip, public_key, filename) # A non-APK file; copy it verbatim. else: common.ZipWriteStr(output_tf_zip, out_info, data) Loading Loading 
@@ -934,6 +946,7 @@ def ReplaceAvbSigningKeys(misc_info): 'dtbo' : 'avb_dtbo_add_hash_footer_args', 'recovery' : 'avb_recovery_add_hash_footer_args', 'system' : 'avb_system_add_hashtree_footer_args', 'system_other' : 'avb_system_other_add_hashtree_footer_args', 'vendor' : 'avb_vendor_add_hashtree_footer_args', 'vbmeta' : 'avb_vbmeta_args', } Loading Loading @@ -1153,6 +1166,12 @@ def main(argv): OPTIONS.avb_algorithms['system'] = a elif o == "--avb_system_extra_args": OPTIONS.avb_extra_args['system'] = a elif o == "--avb_system_other_key": OPTIONS.avb_keys['system_other'] = a elif o == "--avb_system_other_algorithm": OPTIONS.avb_algorithms['system_other'] = a elif o == "--avb_system_other_extra_args": OPTIONS.avb_extra_args['system_other'] = a elif o == "--avb_vendor_key": OPTIONS.avb_keys['vendor'] = a elif o == "--avb_vendor_algorithm": Loading Loading @@ -1192,6 +1211,9 @@ def main(argv): "avb_system_algorithm=", "avb_system_key=", "avb_system_extra_args=", "avb_system_other_algorithm=", "avb_system_other_key=", "avb_system_other_extra_args=", "avb_vendor_algorithm=", "avb_vendor_key=", "avb_vendor_extra_args=", Loading Loading
CleanSpec.mk +3 −0 Original line number Diff line number Diff line Loading @@ -610,6 +610,9 @@ $(call add-clean-step, rm -rf $(HOST_CROSS_OUT_TESTCASES)/*) $(call add-clean-step, rm -rf $(TARGET_OUT_DATA)/*) $(call add-clean-step, rm -rf $(HOST_OUT)/vts/*) $(call add-clean-step, rm -rf $(HOST_OUT)/framework/vts-tradefed.jar) # Clean up old location of system_other.avbpubkey $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/security/avb/) # ************************************************ # NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST # ************************************************
core/Makefile +13 −5 Original line number Diff line number Diff line Loading @@ -729,6 +729,13 @@ $(BUILD_SYSTEM_STATS): @$(foreach s,$(STATS.SOONG_MODULE_TYPE),echo "modules_type_soong,$(s),$(STATS.SOONG_MODULE_TYPE.$(s))" >>$@;) $(call dist-for-goals,droidcore,$(BUILD_SYSTEM_STATS)) # ----------------------------------------------------------------- # build /product/etc/security/avb/system_other.avbpubkey if needed ifdef BUILDING_SYSTEM_OTHER_IMAGE INSTALLED_PRODUCT_SYSTEM_OTHER_AVBKEY_TARGET := $(TARGET_OUT_PRODUCT_ETC)/security/avb/system_other.avbpubkey ALL_DEFAULT_INSTALLED_MODULES += $(INSTALLED_PRODUCT_SYSTEM_OTHER_AVBKEY_TARGET) endif # BUILDING_SYSTEM_OTHER_IMAGE # ----------------------------------------------------------------- # Modules ready to be converted to Soong, ordered by how many # modules depend on them. Loading Loading @@ -1463,8 +1470,7 @@ $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_system_other_add_hashtree_footer_args $(if $(BOARD_AVB_ENABLE),\ $(if $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH),\ $(hide) echo "avb_system_other_key_path=$(BOARD_AVB_SYSTEM_OTHER_KEY_PATH)" >> $(1) $(hide) echo "avb_system_other_algorithm=$(BOARD_AVB_SYSTEM_OTHER_ALGORITHM)" >> $(1) $(hide) echo "avb_system_extract_system_other_key=true" >> $(1))) $(hide) echo "avb_system_other_algorithm=$(BOARD_AVB_SYSTEM_OTHER_ALGORITHM)" >> $(1))) $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1)) $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_add_hashtree_footer_args=$(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS)" >> $(1)) $(if $(BOARD_AVB_ENABLE),\ Loading Loading 
@@ -2980,9 +2986,11 @@ BOARD_AVB_SYSTEM_OTHER_KEY_PATH := $(BOARD_AVB_KEY_PATH) BOARD_AVB_SYSTEM_OTHER_ALGORITHM := $(BOARD_AVB_ALGORITHM) endif # To extract the public key of SYSTEM_OTHER_KEY_PATH will into system.img: # /system/etc/security/avb/system_other.avbpubkey. FULL_SYSTEMIMAGE_DEPS += $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH) $(INSTALLED_PRODUCT_SYSTEM_OTHER_AVBKEY_TARGET): $(AVBTOOL) $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH) @echo Extracting system_other avb key: $@ @rm -f $@ @mkdir -p $(dir $@) $(AVBTOOL) extract_public_key --key $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH) --output $@ ifndef BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP) Loading
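Review bot: `INSTALLED_PRODUCT_SYSTEM_OTHER_AVBKEY_TARGET` is added to `ALL_DEFAULT_INSTALLED_MODULES` under `ifdef BUILDING_SYSTEM_OTHER_IMAGE` alone (hunk at -729), while the rule that builds it (hunk at -2980) depends on `$(AVBTOOL)` and `$(BOARD_AVB_SYSTEM_OTHER_KEY_PATH)` and appears to sit in the AVB part of the file. If a product builds system_other with AVB disabled, the default install set would name a file that has no usable rule, or the recipe would run `extract_public_key` with an empty `--key`. The conditionals around the rule lie outside the hunk, so this needs confirming against the full file. I would nest the two assignments in `ifeq ($(BOARD_AVB_ENABLE),true)` … `endif # BOARD_AVB_ENABLE`, so the public key is installed into /product only when a signing key is configured.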
tools/releasetools/build_image.py +0 −23 Original line number Diff line number Diff line Loading @@ -740,28 +740,6 @@ def SaveGlobalDict(filename, glob_dict): f.writelines(["%s=%s" % (key, value) for (key, value) in glob_dict.items()]) def ExtractSystemOtherAvbKey(in_dir, glob_dict): if glob_dict.get("avb_system_extract_system_other_key") != "true": return extract_to = os.path.join(in_dir, "etc/security/avb/system_other.avbpubkey") extract_to_dir = os.path.dirname(extract_to) if os.path.isdir(extract_to_dir): shutil.rmtree(extract_to_dir) elif os.path.isfile(extract_to_dir): os.remove(extract_to_dir) os.mkdir(extract_to_dir); # Extracts the public key used to sign system_other.img, into system.img: # /system/etc/security/avb/system_other.avbpubkey. avbtool = glob_dict.get("avb_avbtool") extract_from = glob_dict.get("avb_system_other_key_path") cmd = [avbtool, "extract_public_key", "--key", extract_from, "--output", extract_to] common.RunAndCheckOutput(cmd, verbose=False) def main(argv): if len(argv) < 4 or len(argv) > 5: print(__doc__) Loading @@ -785,7 +763,6 @@ def main(argv): mount_point = "" if image_filename == "system.img": mount_point = "system" ExtractSystemOtherAvbKey(in_dir, glob_dict) elif image_filename == "system_other.img": mount_point = "system_other" elif image_filename == "userdata.img": Loading
tools/releasetools/sign_target_files_apks.py +25 −3 Original line number Diff line number Diff line Loading @@ -91,12 +91,12 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files Replace the veritykeyid in BOOT/cmdline of input_target_file_zip with keyid of the cert pointed by <path_to_X509_PEM_cert_file>. --avb_{boot,system,vendor,dtbo,vbmeta}_algorithm <algorithm> --avb_{boot,system,vendor,dtbo,vbmeta}_key <key> --avb_{boot,system,system_other,vendor,dtbo,vbmeta}_algorithm <algorithm> --avb_{boot,system,system_other,vendor,dtbo,vbmeta}_key <key> Use the specified algorithm (e.g. SHA256_RSA4096) and the key to AVB-sign the specified image. Otherwise it uses the existing values in info dict. --avb_{apex,boot,system,vendor,dtbo,vbmeta}_extra_args <args> --avb_{apex,boot,system,system_other,vendor,dtbo,vbmeta}_extra_args <args> Specify any additional args that are needed to AVB-sign the image (e.g. "--signing_helper /path/to/helper"). The args will be appended to the existing ones in info dict. Loading Loading @@ -584,6 +584,18 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, elif filename == "META/care_map.pb" or filename == "META/care_map.txt": pass # Updates system_other.avbpubkey in /product/etc/. elif filename in ( "PRODUCT/etc/security/avb/system_other.avbpubkey", "SYSTEM/product/etc/security/avb/system_other.avbpubkey"): # Only update system_other's public key, if the corresponding signing # key is specified via --avb_system_other_key. signing_key = OPTIONS.avb_keys.get("system_other") if signing_key: public_key = common.ExtractAvbPublicKey(signing_key) print(" Rewriting AVB public key of system_other in /product") common.ZipWrite(output_tf_zip, public_key, filename) # A non-APK file; copy it verbatim. else: common.ZipWriteStr(output_tf_zip, out_info, data) Loading Loading 
@@ -934,6 +946,7 @@ def ReplaceAvbSigningKeys(misc_info): 'dtbo' : 'avb_dtbo_add_hash_footer_args', 'recovery' : 'avb_recovery_add_hash_footer_args', 'system' : 'avb_system_add_hashtree_footer_args', 'system_other' : 'avb_system_other_add_hashtree_footer_args', 'vendor' : 'avb_vendor_add_hashtree_footer_args', 'vbmeta' : 'avb_vbmeta_args', } Loading Loading @@ -1153,6 +1166,12 @@ def main(argv): OPTIONS.avb_algorithms['system'] = a elif o == "--avb_system_extra_args": OPTIONS.avb_extra_args['system'] = a elif o == "--avb_system_other_key": OPTIONS.avb_keys['system_other'] = a elif o == "--avb_system_other_algorithm": OPTIONS.avb_algorithms['system_other'] = a elif o == "--avb_system_other_extra_args": OPTIONS.avb_extra_args['system_other'] = a elif o == "--avb_vendor_key": OPTIONS.avb_keys['vendor'] = a elif o == "--avb_vendor_algorithm": Loading Loading @@ -1192,6 +1211,9 @@ def main(argv): "avb_system_algorithm=", "avb_system_key=", "avb_system_extra_args=", "avb_system_other_algorithm=", "avb_system_other_key=", "avb_system_other_extra_args=", "avb_vendor_algorithm=", "avb_vendor_key=", "avb_vendor_extra_args=", Loading
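Review bot: In the new `system_other.avbpubkey` branch of `ProcessTargetFiles` (hunk at -584), an entry that matches one of the two paths is neither rewritten nor copied when `--avb_system_other_key` is not given. The `elif` has already matched, so the final `else` with `common.ZipWriteStr(output_tf_zip, out_info, data)` is never reached. As far as the hunk shows, the signed target files would then lack the public key that /product carries for verifying system_other, unless a step outside the hunk adds it back. Adding `else:` followed by `common.ZipWriteStr(output_tf_zip, out_info, data)` under `if signing_key:` keeps the existing key when none is supplied. The function body starts and ends outside the hunk.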