StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Build otacerts as a module.

Browse Source 
Bug: 30414428
Test: `m -j dist` with aosp_taimen-userdebug. Check
      /system/etc/security/otacerts.zip available under system and
      recovery images.
Change-Id: I5abeb2da441fb3e3231e094063c2383eb3807852
Merged-In: I5abeb2da441fb3e3231e094063c2383eb3807852
This commit is contained in:
Tao Bao
2019-04-18 18:37:32 -07:00
parent 1a5e781659
commit 6f34013ba6
4 changed files with 39 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
core/Makefile
View File

@@ -1248,42 +1248,6 @@ $(winpthreads_notice_file): \
$(hide) mkdir -p $(dir $@) $(hide) mkdir -p $(dir $@)
$(hide) $(ACP) $< $@ $(hide) $(ACP) $< $@
# -----------------------------------------------------------------
# Build a keystore with the authorized keys in it, used to verify the
# authenticity of downloaded OTA packages.
#
# This rule adds to ALL_DEFAULT_INSTALLED_MODULES, so it needs to come
# before the rules that use that variable to build the image.
ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_OUT_ETC)/security/otacerts.zip
$(TARGET_OUT_ETC)/security/otacerts.zip: PRIVATE_CERT := $(DEFAULT_KEY_CERT_PAIR).x509.pem
$(TARGET_OUT_ETC)/security/otacerts.zip: $(SOONG_ZIP)
$(TARGET_OUT_ETC)/security/otacerts.zip: $(DEFAULT_KEY_CERT_PAIR).x509.pem
$(hide) rm -f $@
$(hide) mkdir -p $(dir $@)
$(hide) $(SOONG_ZIP) -o $@ -C $(dir $(PRIVATE_CERT)) -f $(PRIVATE_CERT)
# Carry the public key for update_engine if it's a non-IoT target that
# uses the AB updater. We use the same key as otacerts but in RSA public key
# format.
ifeq ($(AB_OTA_UPDATER),true)
ifneq ($(PRODUCT_IOT),true)
ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem
$(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem: $(DEFAULT_KEY_CERT_PAIR).x509.pem
$(hide) rm -f $@
$(hide) mkdir -p $(dir $@)
$(hide) openssl x509 -pubkey -noout -in $< > $@
ALL_DEFAULT_INSTALLED_MODULES += \
$(TARGET_RECOVERY_ROOT_OUT)/system/etc/update_engine/update-payload-key.pub.pem
$(TARGET_RECOVERY_ROOT_OUT)/system/etc/update_engine/update-payload-key.pub.pem: \
$(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem
$(hide) cp -f $< $@
endif
endif
.PHONY: otacerts
otacerts: $(TARGET_OUT_ETC)/security/otacerts.zip
# ################################################################# # #################################################################
# Targets for user images # Targets for user images
@@ -1848,22 +1812,6 @@ ifdef BOARD_INCLUDE_DTB_IN_BOOTIMG
INTERNAL_RECOVERYIMAGE_ARGS += --dtb $(INSTALLED_DTBIMAGE_TARGET) INTERNAL_RECOVERYIMAGE_ARGS += --dtb $(INSTALLED_DTBIMAGE_TARGET)
endif endif
# Keys authorized to sign OTA packages this build will accept. The
# build always uses dev-keys for this; release packaging tools will
# substitute other keys for this one.
OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
# Generate a file containing the keys that will be read by the
# recovery binary.
RECOVERY_INSTALL_OTA_KEYS := \
$(call intermediates-dir-for,PACKAGING,ota_keys)/otacerts.zip
$(RECOVERY_INSTALL_OTA_KEYS): PRIVATE_OTA_PUBLIC_KEYS := $(OTA_PUBLIC_KEYS)
$(RECOVERY_INSTALL_OTA_KEYS): extra_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
$(RECOVERY_INSTALL_OTA_KEYS): $(SOONG_ZIP) $(OTA_PUBLIC_KEYS) $(extra_keys)
$(hide) rm -f $@
$(hide) mkdir -p $(dir $@)
$(hide) $(SOONG_ZIP) -o $@ $(foreach key_file, $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys), -C $(dir $(key_file)) -f $(key_file))
RECOVERYIMAGE_ID_FILE := $(PRODUCT_OUT)/recovery.id RECOVERYIMAGE_ID_FILE := $(PRODUCT_OUT)/recovery.id
# $(1): output file # $(1): output file
@@ -1895,8 +1843,6 @@ define build-recoveryimage-target
cp -f $(item) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.fstab) cp -f $(item) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.fstab)
$(if $(strip $(recovery_wipe)), \ $(if $(strip $(recovery_wipe)), \
$(hide) cp -f $(recovery_wipe) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.wipe) $(hide) cp -f $(recovery_wipe) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.wipe)
$(hide) mkdir -p $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security
$(hide) cp $(RECOVERY_INSTALL_OTA_KEYS) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security/otacerts.zip
$(hide) ln -sf prop.default $(TARGET_RECOVERY_ROOT_OUT)/default.prop $(hide) ln -sf prop.default $(TARGET_RECOVERY_ROOT_OUT)/default.prop
$(BOARD_RECOVERY_IMAGE_PREPARE) $(BOARD_RECOVERY_IMAGE_PREPARE)
$(hide) $(MKBOOTFS) -d $(TARGET_OUT) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk) $(hide) $(MKBOOTFS) -d $(TARGET_OUT) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk)
@@ -1953,7 +1899,6 @@ $(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTFS) $(MKBOOTIMG) $(MINIGZIP) \
$(INSTALLED_RECOVERY_BUILD_PROP_TARGET) \ $(INSTALLED_RECOVERY_BUILD_PROP_TARGET) \
$(recovery_resource_deps) \ $(recovery_resource_deps) \
$(recovery_fstab) \ $(recovery_fstab) \
$(RECOVERY_INSTALL_OTA_KEYS) \
$(BOARD_RECOVERY_KERNEL_MODULES) \ $(BOARD_RECOVERY_KERNEL_MODULES) \
$(DEPMOD) $(DEPMOD)
$(call pretty,"Target boot image from recovery: $@") $(call pretty,"Target boot image from recovery: $@")
@@ -1984,7 +1929,6 @@ $(INSTALLED_RECOVERYIMAGE_TARGET): $(MKBOOTFS) $(MKBOOTIMG) $(MINIGZIP) \
$(INSTALLED_RECOVERY_BUILD_PROP_TARGET) \ $(INSTALLED_RECOVERY_BUILD_PROP_TARGET) \
$(recovery_resource_deps) \ $(recovery_resource_deps) \
$(recovery_fstab) \ $(recovery_fstab) \
$(RECOVERY_INSTALL_OTA_KEYS) \
$(BOARD_RECOVERY_KERNEL_MODULES) \ $(BOARD_RECOVERY_KERNEL_MODULES) \
$(DEPMOD) $(DEPMOD)
$(call build-recoveryimage-target, $@) $(call build-recoveryimage-target, $@)

1
target/product/base_system.mk
View File

@@ -210,6 +210,7 @@ PRODUCT_PACKAGES += \
netd \ netd \
NetworkStack \ NetworkStack \
org.apache.http.legacy \ org.apache.http.legacy \
otacerts \
perfetto \ perfetto \
ping \ ping \
ping6 \ ping6 \

1
target/product/base_vendor.mk
View File

@@ -23,6 +23,7 @@ PRODUCT_PACKAGES += \
init_second_stage.recovery \ init_second_stage.recovery \
ld.config.recovery.txt \ ld.config.recovery.txt \
linker.recovery \ linker.recovery \
otacerts.recovery \
recovery \ recovery \
shell_and_utilities_recovery \ shell_and_utilities_recovery \
watchdogd.recovery \ watchdogd.recovery \

37
target/product/security/Android.mk
View File

@@ -23,3 +23,40 @@ ifdef PRODUCT_ADB_KEYS
include $(BUILD_PREBUILT) include $(BUILD_PREBUILT)
endif endif
endif endif
#######################################
# otacerts: A keystore with the authorized keys in it, which is used to verify the authenticity of
# downloaded OTA packages.
include $(CLEAR_VARS)
LOCAL_MODULE := otacerts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_STEM := otacerts.zip
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
$(LOCAL_BUILT_MODULE): $(SOONG_ZIP) $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
$(SOONG_ZIP) -o $@ -j -f $(PRIVATE_CERT)
#######################################
# otacerts for recovery image.
include $(CLEAR_VARS)
LOCAL_MODULE := otacerts.recovery
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_STEM := otacerts.zip
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security
include $(BUILD_SYSTEM)/base_rules.mk
extra_recovery_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_RECOVERY_KEYS := $(extra_recovery_keys)
$(LOCAL_BUILT_MODULE): \
$(SOONG_ZIP) \
$(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
$(extra_recovery_keys)
$(SOONG_ZIP) -o $@ -j \
$(foreach key_file, $(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS), -f $(key_file))