StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "Add PRODUCT_EXTRA_OTA_KEYS to add extra ota keys in otacerts.zip" am: bff997fd1f am: 4f9eb6b9e4

Browse Source 
Original change: https://android-review.googlesource.com/c/platform/build/+/1934214

Change-Id: I1c164c7697ae10012f540677ce2423fe014e5e18
This commit is contained in:
Jacky Liu
2022-01-06 06:58:05 +00:00
committed by Automerger Merge Worker
parent 2a00929dec 4f9eb6b9e4
commit 429e1f339b
6 changed files with 45 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
core/Makefile
View File

@@ -4622,6 +4622,9 @@ else
endif endif
$(hide) echo "tool_extensions=$(tool_extensions)" >> $@ $(hide) echo "tool_extensions=$(tool_extensions)" >> $@
$(hide) echo "default_system_dev_certificate=$(DEFAULT_SYSTEM_DEV_CERTIFICATE)" >> $@ $(hide) echo "default_system_dev_certificate=$(DEFAULT_SYSTEM_DEV_CERTIFICATE)" >> $@
ifdef PRODUCT_EXTRA_OTA_KEYS
$(hide) echo "extra_ota_keys=$(PRODUCT_EXTRA_OTA_KEYS)" >> $@
endif
ifdef PRODUCT_EXTRA_RECOVERY_KEYS ifdef PRODUCT_EXTRA_RECOVERY_KEYS
$(hide) echo "extra_recovery_keys=$(PRODUCT_EXTRA_RECOVERY_KEYS)" >> $@ $(hide) echo "extra_recovery_keys=$(PRODUCT_EXTRA_RECOVERY_KEYS)" >> $@
endif endif

1
core/product-graph.mk
View File

@@ -126,6 +126,7 @@ $(OUT_DIR)/products/$(strip $(1)).txt: $(this_makefile)
$(hide) echo 'PRODUCT_CHARACTERISTICS=$(call get-product-var,$(1),PRODUCT_CHARACTERISTICS)' >> $$@ $(hide) echo 'PRODUCT_CHARACTERISTICS=$(call get-product-var,$(1),PRODUCT_CHARACTERISTICS)' >> $$@
$(hide) echo 'PRODUCT_COPY_FILES=$(call get-product-var,$(1),PRODUCT_COPY_FILES)' >> $$@ $(hide) echo 'PRODUCT_COPY_FILES=$(call get-product-var,$(1),PRODUCT_COPY_FILES)' >> $$@
$(hide) echo 'PRODUCT_OTA_PUBLIC_KEYS=$(call get-product-var,$(1),PRODUCT_OTA_PUBLIC_KEYS)' >> $$@ $(hide) echo 'PRODUCT_OTA_PUBLIC_KEYS=$(call get-product-var,$(1),PRODUCT_OTA_PUBLIC_KEYS)' >> $$@
$(hide) echo 'PRODUCT_EXTRA_OTA_KEYS=$(call get-product-var,$(1),PRODUCT_EXTRA_OTA_KEYS)' >> $$@
$(hide) echo 'PRODUCT_EXTRA_RECOVERY_KEYS=$(call get-product-var,$(1),PRODUCT_EXTRA_RECOVERY_KEYS)' >> $$@ $(hide) echo 'PRODUCT_EXTRA_RECOVERY_KEYS=$(call get-product-var,$(1),PRODUCT_EXTRA_RECOVERY_KEYS)' >> $$@
$(hide) echo 'PRODUCT_PACKAGE_OVERLAYS=$(call get-product-var,$(1),PRODUCT_PACKAGE_OVERLAYS)' >> $$@ $(hide) echo 'PRODUCT_PACKAGE_OVERLAYS=$(call get-product-var,$(1),PRODUCT_PACKAGE_OVERLAYS)' >> $$@
$(hide) echo 'DEVICE_PACKAGE_OVERLAYS=$(call get-product-var,$(1),DEVICE_PACKAGE_OVERLAYS)' >> $$@ $(hide) echo 'DEVICE_PACKAGE_OVERLAYS=$(call get-product-var,$(1),DEVICE_PACKAGE_OVERLAYS)' >> $$@

1
core/product.mk
View File

@@ -183,6 +183,7 @@ _product_list_vars += PRODUCT_COPY_FILES
# signing tools can substitute them for the test key embedded by # signing tools can substitute them for the test key embedded by
# default. # default.
_product_list_vars += PRODUCT_OTA_PUBLIC_KEYS _product_list_vars += PRODUCT_OTA_PUBLIC_KEYS
_product_list_vars += PRODUCT_EXTRA_OTA_KEYS
_product_list_vars += PRODUCT_EXTRA_RECOVERY_KEYS _product_list_vars += PRODUCT_EXTRA_RECOVERY_KEYS
# Should we use the default resources or add any product specific overlays # Should we use the default resources or add any product specific overlays

1
core/product_config.mk
View File

@@ -381,6 +381,7 @@ ENFORCE_SYSTEM_CERTIFICATE := $(PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQU
ENFORCE_SYSTEM_CERTIFICATE_ALLOW_LIST := $(PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_ALLOW_LIST) ENFORCE_SYSTEM_CERTIFICATE_ALLOW_LIST := $(PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_ALLOW_LIST)
PRODUCT_OTA_PUBLIC_KEYS := $(sort $(PRODUCT_OTA_PUBLIC_KEYS)) PRODUCT_OTA_PUBLIC_KEYS := $(sort $(PRODUCT_OTA_PUBLIC_KEYS))
PRODUCT_EXTRA_OTA_KEYS := $(sort $(PRODUCT_EXTRA_OTA_KEYS))
PRODUCT_EXTRA_RECOVERY_KEYS := $(sort $(PRODUCT_EXTRA_RECOVERY_KEYS)) PRODUCT_EXTRA_RECOVERY_KEYS := $(sort $(PRODUCT_EXTRA_RECOVERY_KEYS))
# Resolve and setup per-module dex-preopt configs. # Resolve and setup per-module dex-preopt configs.

16
target/product/security/Android.mk
View File

@@ -63,9 +63,17 @@ LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_STEM := otacerts.zip LOCAL_MODULE_STEM := otacerts.zip
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
include $(BUILD_SYSTEM)/base_rules.mk include $(BUILD_SYSTEM)/base_rules.mk
extra_ota_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_OTA_KEYS))
$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem $(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
$(LOCAL_BUILT_MODULE): $(SOONG_ZIP) $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem $(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_OTA_KEYS := $(extra_ota_keys)
$(SOONG_ZIP) -o $@ -j -symlinks=false -f $(PRIVATE_CERT) $(LOCAL_BUILT_MODULE): \
$(SOONG_ZIP) \
$(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
$(extra_ota_keys)
$(SOONG_ZIP) -o $@ -j -symlinks=false \
$(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_OTA_KEYS))
####################################### #######################################
@@ -80,7 +88,7 @@ LOCAL_MODULE_STEM := otacerts.zip
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security
include $(BUILD_SYSTEM)/base_rules.mk include $(BUILD_SYSTEM)/base_rules.mk
extra_recovery_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS)) extra_recovery_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem $(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_RECOVERY_KEYS := $(extra_recovery_keys) $(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_RECOVERY_KEYS := $(extra_recovery_keys)
@@ -89,4 +97,4 @@ $(LOCAL_BUILT_MODULE): \
$(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \ $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
$(extra_recovery_keys) $(extra_recovery_keys)
$(SOONG_ZIP) -o $@ -j -symlinks=false \ $(SOONG_ZIP) -o $@ -j -symlinks=false \
$(foreach key_file, $(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS), -f $(key_file)) $(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS))

34
tools/releasetools/sign_target_files_apks.py
View File

@@ -888,14 +888,27 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
except KeyError: except KeyError:
raise common.ExternalError("can't read META/otakeys.txt from input") raise common.ExternalError("can't read META/otakeys.txt from input")
extra_recovery_keys = misc_info.get("extra_recovery_keys") extra_ota_keys_info = misc_info.get("extra_ota_keys")
if extra_recovery_keys: if extra_ota_keys_info:
extra_ota_keys = [OPTIONS.key_map.get(k, k) + ".x509.pem"
for k in extra_ota_keys_info.split()]
print("extra ota key(s): " + ", ".join(extra_ota_keys))
else:
extra_ota_keys = []
for k in extra_ota_keys:
if not os.path.isfile(k):
raise common.ExternalError(k + " does not exist or is not a file")
extra_recovery_keys_info = misc_info.get("extra_recovery_keys")
if extra_recovery_keys_info:
extra_recovery_keys = [OPTIONS.key_map.get(k, k) + ".x509.pem" extra_recovery_keys = [OPTIONS.key_map.get(k, k) + ".x509.pem"
for k in extra_recovery_keys.split()] for k in extra_recovery_keys_info.split()]
if extra_recovery_keys: print("extra recovery-only key(s): " + ", ".join(extra_recovery_keys))
print("extra recovery-only key(s): " + ", ".join(extra_recovery_keys))
else: else:
extra_recovery_keys = [] extra_recovery_keys = []
for k in extra_recovery_keys:
if not os.path.isfile(k):
raise common.ExternalError(k + " does not exist or is not a file")
mapped_keys = [] mapped_keys = []
for k in keylist: for k in keylist:
@@ -918,13 +931,20 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
mapped_keys.append(mapped_devkey + ".x509.pem") mapped_keys.append(mapped_devkey + ".x509.pem")
print("META/otakeys.txt has no keys; using %s for OTA package" print("META/otakeys.txt has no keys; using %s for OTA package"
" verification." % (mapped_keys[0],)) " verification." % (mapped_keys[0],))
for k in mapped_keys:
if not os.path.isfile(k):
raise common.ExternalError(k + " does not exist or is not a file")
otacerts = [info otacerts = [info
for info in input_tf_zip.infolist() for info in input_tf_zip.infolist()
if info.filename.endswith("/otacerts.zip")] if info.filename.endswith("/otacerts.zip")]
for info in otacerts: for info in otacerts:
print("Rewriting OTA key:", info.filename, mapped_keys) if info.filename.startswith(("BOOT/", "RECOVERY/", "VENDOR_BOOT/")):
WriteOtacerts(output_tf_zip, info.filename, mapped_keys) extra_keys = extra_recovery_keys
else:
extra_keys = extra_ota_keys
print("Rewriting OTA key:", info.filename, mapped_keys + extra_keys)
WriteOtacerts(output_tf_zip, info.filename, mapped_keys + extra_keys)
def ReplaceVerityPublicKey(output_zip, filename, key_path): def ReplaceVerityPublicKey(output_zip, filename, key_path):