From 80ff46678055f82fa3000b8b5863c84f04be26f4 Mon Sep 17 00:00:00 2001
From: Kelvin Zhang <zhangkelvin@google.com>
Date: Mon, 8 Feb 2021 19:57:57 -0500
Subject: [PATCH] Prevent SPL downgrade OTAs from generating

Previously we allow all spl downgrade OTA to generate. But applying such
OTA often causes device to hang and rollback, because keymaster refuses
to attach if it detects spl downgrade. When such error happens, it's
really hard to debug. So instead of debugging a mysterious boot failure,
let''s prevent such OTA from generating in the first place.

Test: th
Bug: 178584781

Change-Id: I8e271862d804e86b16aea70424b4d3e289d43cc9
---
 tools/releasetools/ota_from_target_files.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/tools/releasetools/ota_from_target_files.py b/tools/releasetools/ota_from_target_files.py
index 4c69e69057..16ade38572 100755
--- a/tools/releasetools/ota_from_target_files.py
+++ b/tools/releasetools/ota_from_target_files.py
@@ -273,6 +273,7 @@ OPTIONS.disable_verity_computation = False
 OPTIONS.partial = None
 OPTIONS.custom_images = {}
 OPTIONS.disable_vabc = False
+OPTIONS.spl_downgrade = False
 
 POSTINSTALL_CONFIG = 'META/postinstall_config.txt'
 DYNAMIC_PARTITION_INFO = 'META/dynamic_partitions_info.txt'
@@ -291,6 +292,8 @@ SECONDARY_PAYLOAD_SKIPPED_IMAGES = [
     'system_ext', 'vbmeta', 'vbmeta_system', 'vbmeta_vendor', 'vendor',
     'vendor_boot']
 
+SECURITY_PATCH_LEVEL_PROP_NAME = "ro.build.version.security_patch"
+
 
 class PayloadSigner(object):
   """A class that wraps the payload signing works.
@@ -1262,6 +1265,8 @@ def main(argv):
       OPTIONS.custom_images[custom_partition] = custom_image
     elif o == "--disable_vabc":
       OPTIONS.disable_vabc = True
+    elif o == "--spl_downgrade":
+      OPTIONS.spl_downgrade = True
     else:
       return False
     return True
@@ -1304,6 +1309,7 @@ def main(argv):
                                  "partial=",
                                  "custom_image=",
                                  "disable_vabc",
+                                 "spl_downgrade"
                              ], extra_option_handler=option_handler)
 
   if len(args) != 2:
@@ -1400,6 +1406,19 @@ def main(argv):
     # Get signing keys
     OPTIONS.key_passwords = common.GetKeyPasswords([OPTIONS.package_key])
 
+  if OPTIONS.source_info_dict:
+    source_build_prop = OPTIONS.source_info_dict["build.prop"]
+    target_build_prop = OPTIONS.target_info_dict["build.prop"]
+    source_spl = source_build_prop.GetProp(SECURITY_PATCH_LEVEL_PROP_NAME)
+    target_spl = target_build_prop.GetProp(SECURITY_PATCH_LEVEL_PROP_NAME)
+    if target_spl < source_spl and not OPTIONS.spl_downgrade:
+      raise common.ExternalError(
+        "Target security patch level {} is older than source SPL {} applying "
+        "such OTA will likely cause device fail to boot. Pass --spl-downgrade "
+        "to override this check. This script expects security patch level to "
+        "be in format yyyy-mm-dd (e.x. 2021-02-05). It's possible to use "
+        "separators other than -, so as long as it's used consistenly across "
+        "all SPL dates".format(target_spl, source_spl))
   if generate_ab:
     GenerateAbOtaPackage(
         target_file=args[0],