Merge "Adding sepolicy sign params to sign_target_files_apks." (fb042449) · Commits · e / os / android_build

tools/releasetools/common.py

+1 −0

Original line number	Diff line number	Diff line
		@@ -97,6 +97,7 @@ class Options(object):
		self.stash_threshold = 0.8
		self.logfile = None
		self.host_tools = {}
		self.sepolicy_name = 'sepolicy.apex'


		OPTIONS = Options()

tools/releasetools/sign_apex.py

+2 −1

Original line number	Diff line number	Diff line
		@@ -61,6 +61,7 @@ import apex_utils
		import common

		logger = logging.getLogger(__name__)
		OPTIONS = common.OPTIONS


		def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
		@@ -81,7 +82,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
		apk_keys=apk_keys,
		signing_args=signing_args,
		sign_tool=sign_tool,
		is_sepolicy=apex_file.endswith("sepolicy.apex"),
		is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name),
		sepolicy_key=sepolicy_key,
		sepolicy_cert=sepolicy_cert,
		fsverity_tool=fsverity_tool)

tools/releasetools/sign_target_files_apks.py

+80 −10

Original line number	Diff line number	Diff line
		@@ -137,6 +137,15 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
		--android_jar_path <path>
		Path to the android.jar to repack the apex file.

		--sepolicy_key <key>
		Optional flag that specifies the sepolicy signing key, defaults to payload_key for the sepolicy.apex.

		--sepolicy_cert <cert>
		Optional flag that specifies the sepolicy signing cert.

		--fsverity_tool <path>
		Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity.

		--allow_gsi_debug_sepolicy
		Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
		(/system/system_ext\|/system_ext)/etc/selinux.
		@@ -196,6 +205,9 @@ OPTIONS.gki_signing_extra_args = None
		OPTIONS.android_jar_path = None
		OPTIONS.vendor_partitions = set()
		OPTIONS.vendor_otatools = None
		OPTIONS.sepolicy_key = None
		OPTIONS.sepolicy_cert = None
		OPTIONS.fsverity_tool = None
		OPTIONS.allow_gsi_debug_sepolicy = False


		@@ -234,6 +246,8 @@ ALLOWED_VENDOR_PARTITIONS = set(["vendor", "odm"])
		def IsApexFile(filename):
		return filename.endswith(".apex") or filename.endswith(".capex")

		def IsSepolicyApex(filename):
		return filename.endswith(OPTIONS.sepolicy_name)

		def GetApexFilename(filename):
		name = os.path.basename(filename)
		@@ -256,6 +270,24 @@ def GetApkCerts(certmap):

		return certmap

		def GetSepolicyKeys(keys_info):
		"""Gets SEPolicy signing keys applying overrides from command line options.

		Args:
		keys_info: A dict that maps from the SEPolicy APEX filename to a tuple of
		(sepolicy_key, sepolicy_cert, fsverity_tool).

		Returns:
		A dict that contains the updated APEX key mapping, which should be used for
		the current signing.
		"""
		for name in keys_info:
		(sepolicy_key, sepolicy_cert, fsverity_tool) = keys_info[name]
		sepolicy_key = OPTIONS.sepolicy_key if OPTIONS.sepolicy_key else sepolicy_key
		sepolicy_cert = OPTIONS.sepolicy_cert if OPTIONS.sepolicy_cert else sepolicy_cert
		fsverity_tool = OPTIONS.fsverity_tool if OPTIONS.fsverity_tool else fsverity_tool
		keys_info[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
		return keys_info

		def GetApexKeys(keys_info, key_map):
		"""Gets APEX payload and container signing keys by applying the mapping rules.
		@@ -518,7 +550,7 @@ def IsBuildPropFile(filename):
		def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
		apk_keys, apex_keys, key_passwords,
		platform_api_level, codename_to_api_level_map,
		compressed_extension):
		compressed_extension, sepolicy_keys):
		# maxsize measures the maximum filename length, including the ones to be
		# skipped.
		try:
		@@ -586,6 +618,17 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
		print(" : %-*s payload (%s)" % (
		maxsize, name, payload_key))

		sepolicy_key = None
		sepolicy_cert = None
		fsverity_tool = None

		if IsSepolicyApex(name):
		(sepolicy_key, sepolicy_cert, fsverity_tool) = sepolicy_keys[name]
		print(" : %-*s sepolicy key (%s)" % (
		maxsize, name, sepolicy_key))
		print(" : %-*s sepolicy cert (%s)" % (
		maxsize, name, sepolicy_cert))

		signed_apex = apex_utils.SignApex(
		misc_info['avb_avbtool'],
		data,
		@@ -596,7 +639,11 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
		codename_to_api_level_map,
		no_hashtree=None, # Let apex_util determine if hash tree is needed
		signing_args=OPTIONS.avb_extra_args.get('apex'),
		sign_tool=sign_tool)
		sign_tool=sign_tool,
		is_sepolicy=IsSepolicyApex(name),
		sepolicy_key=sepolicy_key,
		sepolicy_cert=sepolicy_cert,
		fsverity_tool=fsverity_tool)
		common.ZipWrite(output_tf_zip, signed_apex, filename)

		else:
		@@ -1206,20 +1253,24 @@ def GetCodenameToApiLevelMap(input_tf_zip):
		def ReadApexKeysInfo(tf_zip):
		"""Parses the APEX keys info from a given target-files zip.

		Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a
		dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a
		tuple of (payload_key, container_key, sign_tool).
		Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns
		two dicts, the first one contains the mapping from APEX names
		(e.g. com.android.tzdata) to a tuple of (payload_key, container_key,
		sign_tool). The second one maps the sepolicy APEX name to a tuple containing
		(sepolicy_key, sepolicy_cert, fsverity_tool).

		Args:
		tf_zip: The input target_files ZipFile (already open).

		Returns:
		(payload_key, container_key, sign_tool):
		name : (payload_key, container_key, sign_tool)
		- payload_key contains the path to the payload signing key
		- container_key contains the path to the container signing key
		- sign_tool is an apex-specific signing tool for its payload contents
		name : (sepolicy_key, sepolicy_cert, fsverity_tool)
		"""
		keys = {}
		sepolicy_keys = {}
		for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'):
		line = line.strip()
		if not line:
		@@ -1230,6 +1281,9 @@ def ReadApexKeysInfo(tf_zip):
		r'private_key="(?P<PAYLOAD_PRIVATE_KEY>.*)"\s+'
		r'container_certificate="(?P<CONTAINER_CERT>.*)"\s+'
		r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>.*?)"'
		r'(\s+sepolicy_key="(?P<SEPOLICY_KEY>.*?)")?'
		r'(\s+sepolicy_certificate="(?P<SEPOLICY_CERT>.*?)")?'
		r'(\s+fsverity_tool="(?P<FSVERITY_TOOL>.*?)")?'
		r'(\s+partition="(?P<PARTITION>.*?)")?'
		r'(\s+sign_tool="(?P<SIGN_TOOL>.*?)")?$',
		line)
		@@ -1258,12 +1312,18 @@ def ReadApexKeysInfo(tf_zip):
		container_private_key, OPTIONS.private_key_suffix):
		container_key = container_cert[:-len(OPTIONS.public_key_suffix)]
		else:
		raise ValueError("Failed to parse container keys: \n{}".format(line))
		raise ValueError("Failed to parse container keys: \n{} **** {}".format(container_cert, container_private_key))

		sign_tool = matches.group("SIGN_TOOL")
		keys[name] = (payload_private_key, container_key, sign_tool)

		return keys
		if IsSepolicyApex(name):
		sepolicy_key = matches.group('SEPOLICY_KEY')
		sepolicy_cert = matches.group('SEPOLICY_CERT')
		fsverity_tool = matches.group('FSVERITY_TOOL')
		sepolicy_keys[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)

		return keys, sepolicy_keys


		def BuildVendorPartitions(output_zip_path):
		@@ -1475,6 +1535,12 @@ def main(argv):
		OPTIONS.vendor_otatools = a
		elif o == "--vendor_partitions":
		OPTIONS.vendor_partitions = set(a.split(","))
		elif o == '--sepolicy_key':
		OPTIONS.sepolicy_key = a
		elif o == '--sepolicy_cert':
		OPTIONS.sepolicy_cert = a
		elif o == '--fsverity_tool':
		OPTIONS.fsverity_tool = a
		elif o == "--allow_gsi_debug_sepolicy":
		OPTIONS.allow_gsi_debug_sepolicy = True
		else:
		@@ -1529,6 +1595,9 @@ def main(argv):
		"gki_signing_extra_args=",
		"vendor_partitions=",
		"vendor_otatools=",
		"sepolicy_key=",
		"sepolicy_cert=",
		"fsverity_tool=",
		"allow_gsi_debug_sepolicy",
		],
		extra_option_handler=option_handler)
		@@ -1551,8 +1620,9 @@ def main(argv):
		apk_keys_info, compressed_extension = common.ReadApkCerts(input_zip)
		apk_keys = GetApkCerts(apk_keys_info)

		apex_keys_info = ReadApexKeysInfo(input_zip)
		apex_keys_info, sepolicy_keys_info = ReadApexKeysInfo(input_zip)
		apex_keys = GetApexKeys(apex_keys_info, apk_keys)
		sepolicy_keys = GetSepolicyKeys(sepolicy_keys_info)

		# TODO(xunchang) check for the apks inside the apex files, and abort early if
		# the keys are not available.
		@@ -1570,7 +1640,7 @@ def main(argv):
		ProcessTargetFiles(input_zip, output_zip, misc_info,
		apk_keys, apex_keys, key_passwords,
		platform_api_level, codename_to_api_level_map,
		compressed_extension)
		compressed_extension, sepolicy_keys)

		common.ZipClose(input_zip)
		common.ZipClose(output_zip)

tools/releasetools/test_sign_target_files_apks.py

+75 −5

Original line number	Diff line number	Diff line
		@@ -476,7 +476,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
		target_files_zip.writestr('META/apexkeys.txt', self.APEX_KEYS_TXT)

		with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
		keys_info = ReadApexKeysInfo(target_files_zip)
		keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

		self.assertEqual({
		'apex.apexd_test.apex': (
		@@ -486,6 +486,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
		'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
		'build/make/target/product/security/testkey', None),
		}, keys_info)
		self.assertEqual({}, sepolicy_keys_info)

		def test_ReadApexKeysInfo_mismatchingContainerKeys(self):
		# Mismatching payload public / private keys.
		@@ -515,7 +516,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
		target_files_zip.writestr('META/apexkeys.txt', apex_keys)

		with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
		keys_info = ReadApexKeysInfo(target_files_zip)
		keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

		self.assertEqual({
		'apex.apexd_test.apex': (
		@@ -525,6 +526,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
		'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
		'build/make/target/product/security/testkey', None),
		}, keys_info)
		self.assertEqual({}, sepolicy_keys_info)

		def test_ReadApexKeysInfo_missingPayloadPublicKey(self):
		# Invalid lines will be skipped.
		@@ -538,7 +540,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
		target_files_zip.writestr('META/apexkeys.txt', apex_keys)

		with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
		keys_info = ReadApexKeysInfo(target_files_zip)
		keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

		self.assertEqual({
		'apex.apexd_test.apex': (
		@@ -548,6 +550,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
		'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
		'build/make/target/product/security/testkey', None),
		}, keys_info)
		self.assertEqual({}, sepolicy_keys_info)

		def test_ReadApexKeysInfo_presignedKeys(self):
		apex_keys = self.APEX_KEYS_TXT + (
		@@ -561,7 +564,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
		target_files_zip.writestr('META/apexkeys.txt', apex_keys)

		with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
		keys_info = ReadApexKeysInfo(target_files_zip)
		keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

		self.assertEqual({
		'apex.apexd_test.apex': (
		@@ -571,6 +574,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
		'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
		'build/make/target/product/security/testkey', None),
		}, keys_info)
		self.assertEqual({}, sepolicy_keys_info)

		def test_ReadApexKeysInfo_presignedKeys(self):
		apex_keys = self.APEX_KEYS_TXT + (
		@@ -584,7 +588,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
		target_files_zip.writestr('META/apexkeys.txt', apex_keys)

		with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
		keys_info = ReadApexKeysInfo(target_files_zip)
		keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

		self.assertEqual({
		'apex.apexd_test.apex': (
		@@ -594,6 +598,72 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
		'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
		'build/make/target/product/security/testkey', None),
		}, keys_info)
		self.assertEqual({}, sepolicy_keys_info)

		def test_ReadApexKeysInfo_withSepolicyKeys(self):
		apex_keys = self.APEX_KEYS_TXT + (
		'name="sepolicy.apex" '
		'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
		'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
		'container_certificate="build/make/target/product/security/testkey.x509.pem" '
		'container_private_key="build/make/target/product/security/testkey.pk8" '
		'sepolicy_key="build/make/target/product/security/testkey.key" '
		'sepolicy_certificate="build/make/target/product/security/testkey.x509.pem" '
		'fsverity_tool="fsverity"')
		target_files = common.MakeTempFile(suffix='.zip')
		with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
		target_files_zip.writestr('META/apexkeys.txt', apex_keys)

		with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
		keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

		self.assertEqual({
		'apex.apexd_test.apex': (
		'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
		'build/make/target/product/security/testkey', None),
		'apex.apexd_test_different_app.apex': (
		'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
		'build/make/target/product/security/testkey', None),
		'sepolicy.apex': (
		'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
		'build/make/target/product/security/testkey', None),
		}, keys_info)
		self.assertEqual({'sepolicy.apex': (
		'build/make/target/product/security/testkey.key',
		'build/make/target/product/security/testkey.x509.pem',
		'fsverity'),
		}, sepolicy_keys_info)

		def test_ReadApexKeysInfo_withSepolicyApex(self):
		apex_keys = self.APEX_KEYS_TXT + (
		'name="sepolicy.apex" '
		'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
		'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
		'container_certificate="build/make/target/product/security/testkey.x509.pem" '
		'container_private_key="build/make/target/product/security/testkey.pk8" ')
		target_files = common.MakeTempFile(suffix='.zip')
		with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
		target_files_zip.writestr('META/apexkeys.txt', apex_keys)

		with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
		keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

		self.assertEqual({
		'apex.apexd_test.apex': (
		'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
		'build/make/target/product/security/testkey', None),
		'apex.apexd_test_different_app.apex': (
		'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
		'build/make/target/product/security/testkey', None),
		'sepolicy.apex': (
		'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
		'build/make/target/product/security/testkey', None),
		}, keys_info)
		self.assertEqual({'sepolicy.apex': (
		None,
		None,
		None),
		}, sepolicy_keys_info)

		def test_ReplaceGkiSigningKey(self):
		common.OPTIONS.gki_signing_key = 'release_gki_key'