From b2c4bb7e3ddcaa27242c1e4e78f69d7e39524cf9 Mon Sep 17 00:00:00 2001
From: Jeongik Cha
Date: Mon, 17 Dec 2018 14:45:15 +0900
Subject: [PATCH] Dump and enforce certificate for apks

Dump the list of APKs that aren't located at system partition and signed with system certificate. And when enforcement option is enabled, it makes build error if there is the apk that satisfies the condition above.

Bug: 74699609
Test: m -j
Test: m out/target/product/$(get_build_var TARGET_DEVICE)/certificate_violation_modules.txt
Change-Id: I23c41f2665dd97abac3e77d1c82d81ff91b894eb
---
core/app_certificate_validate.mk | 12 ++++++++++++
core/definitions.mk | 3 +++
core/main.mk | 7 +++++++
core/package_internal.mk | 1 +
core/prebuilt_internal.mk | 2 ++
core/product.mk | 2 ++
core/product_config.mk | 5 +++++
core/soong_app_prebuilt.mk | 2 +-
core/soong_config.mk | 3 +++
9 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 core/app_certificate_validate.mk
diff --git a/core/app_certificate_validate.mk b/core/app_certificate_validate.mk
new file mode 100644
index 0000000000..15ddd94500
--- /dev/null
+++ b/core/app_certificate_validate.mk
@@ -0,0 +1,12 @@
+
+ifeq (true,$(filter true, \
+ $(LOCAL_PRODUCT_MODULE) $(LOCAL_PRODUCT_SERVICES_MODULE) \
+ $(LOCAL_VENDOR_MODULE) $(LOCAL_PROPRIETARY_MODULE)))
+ ifneq (,$(filter $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%,$(LOCAL_CERTIFICATE)))
+ CERTIFICATE_VIOLATION_MODULES += $(LOCAL_MODULE)
+ ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT))
+ $(if $(filter $(LOCAL_MODULE),$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST)),,\
+ $(call pretty-error,The module in product partition cannot be signed with certificate in system.))
+ endif
+ endif
+endif
\ No newline at end of file
diff --git a/core/definitions.mk b/core/definitions.mk
index a67508018c..2ffc0176d9 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
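Review bot: In core/app_certificate_validate.mk the outer `ifeq` tests only the product, product_services, vendor and proprietary flags, which is narrower than the commit message's "not located at system partition". Modules marked with `LOCAL_ODM_MODULE` or `LOCAL_OEM_MODULE`, or placed off the system image through `LOCAL_MODULE_PATH`, look like they would escape both the dump and the enforcement; this is inferred, since those cases are not handled anywhere in the hunk. The `pretty-error` text also says "product partition" although vendor modules reach it, and it names neither the certificate nor the whitelist variable. I would widen the filter list and reword the message, for example `$(call pretty-error,Module outside the system partition is signed with $(LOCAL_CERTIFICATE) from the system certificate directory; see PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST)`.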
@@ -77,6 +77,9 @@ ALL_FINDBUGS_FILES:= # GPL module license files ALL_GPL_MODULE_LICENSE_FILES:= +# Packages with certificate violation +CERTIFICATE_VIOLATION_MODULES := + # Target and host installed module's dependencies on shared libraries. # They are list of "::lib1,lib2...". TARGET_DEPENDENCIES_ON_SHARED_LIBRARIES := diff --git a/core/main.mk b/core/main.mk index 9fd1c35c52..660290a1b7 100644 --- a/core/main.mk +++ b/core/main.mk @@ -1096,6 +1096,13 @@ ifdef FULL_BUILD $(TARGET_OUT_SYSTEM_OTHER)/%.vdex \ $(TARGET_OUT_SYSTEM_OTHER)/%.art endif + +CERTIFICATE_VIOLATION_MODULES_FILENAME := $(PRODUCT_OUT)/certificate_violation_modules.txt +$(CERTIFICATE_VIOLATION_MODULES_FILENAME): + rm -f $@ + $(foreach m,$(sort $(CERTIFICATE_VIOLATION_MODULES)), echo $(m) >> $@;) +$(call dist-for-goals,droidcore,$(CERTIFICATE_VIOLATION_MODULES_FILENAME)) + all_offending_files := $(foreach makefile,$(ARTIFACT_PATH_REQUIREMENT_PRODUCTS),\ $(eval requirements := $(PRODUCTS.$(makefile).ARTIFACT_PATH_REQUIREMENTS)) \ diff --git a/core/package_internal.mk b/core/package_internal.mk index 75cc547be7..c657f2edba 100644 --- a/core/package_internal.mk +++ b/core/package_internal.mk @@ -535,6 +535,7 @@ endif ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./) LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE) endif +include $(BUILD_SYSTEM)/app_certificate_validate.mk private_key := $(LOCAL_CERTIFICATE).pk8 certificate := $(LOCAL_CERTIFICATE).x509.pem additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8) diff --git a/core/prebuilt_internal.mk b/core/prebuilt_internal.mk index 66913c1ac3..960d8d1c50 100644 --- a/core/prebuilt_internal.mk +++ b/core/prebuilt_internal.mk 
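Review bot: In core/main.mk the rule for `$(CERTIFICATE_VIOLATION_MODULES_FILENAME)` writes the file only through the `echo $(m) >> $@` commands that `$(foreach ...)` generates, so when `CERTIFICATE_VIOLATION_MODULES` is empty the recipe runs `rm -f $@` and nothing else. The target handed to `dist-for-goals` is then never created, and a clean product cannot be told apart from a build where the report step did not run. Adding `touch $@` right after `rm -f $@` keeps an empty file as the explicit "no violations" result. The rule has no prerequisites either, so whether the list is refreshed after a module changes its certificate depends on the build tool noticing the changed recipe; a comment stating that would help.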
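Review bot: In core/package_internal.mk the included check looks at `LOCAL_CERTIFICATE` only, while two lines further down `additional_certificates` is built from `LOCAL_ADDITIONAL_CERTIFICATES`. An app that lists a certificate from the system certificate directory there is neither dumped nor rejected. The inner test in app_certificate_validate.mk could cover both, `ifneq (,$(filter $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%,$(LOCAL_CERTIFICATE) $(LOCAL_ADDITIONAL_CERTIFICATES)))`. Only part of the file is visible in this hunk, so the additional certificates may be constrained elsewhere.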
@@ -306,6 +306,8 @@ else $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem endif +include $(BUILD_SYSTEM)/app_certificate_validate.mk + # Disable dex-preopt of prebuilts to save space, if requested. ifndef LOCAL_DEX_PREOPT ifeq ($(DONT_DEXPREOPT_PREBUILTS),true) diff --git a/core/product.mk b/core/product.mk index 1420b46e10..2d7ace2fa3 100644 --- a/core/product.mk +++ b/core/product.mk @@ -204,6 +204,8 @@ _product_var_list := \ PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE \ PRODUCT_ACTIONABLE_COMPATIBLE_PROPERTY_DISABLE \ PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS \ + PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT \ + PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST \ PRODUCT_ARTIFACT_PATH_REQUIREMENT_HINT \ PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST \ PRODUCT_USE_DYNAMIC_PARTITION_SIZE \ diff --git a/core/product_config.mk b/core/product_config.mk index 47b4c7aa03..c58405cb2f 100644 --- a/core/product_config.mk +++ b/core/product_config.mk @@ -367,6 +367,11 @@ PRODUCT_PRODUCT_PROPERTIES := \ $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_PRODUCT_PROPERTIES)) .KATI_READONLY := PRODUCT_PRODUCT_PROPERTIES +ENFORCE_SYSTEM_CERTIFICATE := \ + $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT) + +ENFORCE_SYSTEM_CERTIFICATE_WHITELIST := \ + $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST)) # A list of property assignments, like "key = value", with zero or more # whitespace characters on either side of the '='. diff --git a/core/soong_app_prebuilt.mk b/core/soong_app_prebuilt.mk index 73d934bf99..f7236335bd 100644 --- a/core/soong_app_prebuilt.mk +++ b/core/soong_app_prebuilt.mk 
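Review bot: In core/prebuilt_internal.mk the include pulls in a check that compares `LOCAL_CERTIFICATE` with a directory prefix, so it can only see prebuilts that the build signs itself. A prebuilt whose `LOCAL_CERTIFICATE` is `PRESIGNED` and which already carries a system signature would presumably pass unnoticed; the branch handling that value lies outside the hunk, so this is inferred. It also relies on `LOCAL_CERTIFICATE` having been expanded to a full path before this point, which the hunk does not show. I would state the limit next to the include, `# Path-based check only: PRESIGNED prebuilts are not inspected for system signatures.`, so the violation list is not read as complete.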
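Review bot: In core/product_config.mk `ENFORCE_SYSTEM_CERTIFICATE` and `ENFORCE_SYSTEM_CERTIFICATE_WHITELIST` stay writable, unlike `PRODUCT_PRODUCT_PROPERTIES` just above them, which is frozen with `.KATI_READONLY`. A makefile parsed later could clear the flag or append to the whitelist before soong_config.mk exports them. Adding `.KATI_READONLY := ENFORCE_SYSTEM_CERTIFICATE` and the same line for the whitelist closes that, and wrapping the flag in `$(strip ...)` as the whitelist already is avoids a value with stray whitespace. app_certificate_validate.mk reads the `PRODUCTS.$(INTERNAL_PRODUCT)` values directly rather than these two variables, so the Make and Soong sides can drift apart; one source for both would be safer.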
@@ -108,7 +108,7 @@ ifdef LOCAL_CERTIFICATE PACKAGES.$(LOCAL_MODULE).CERTIFICATE := $(LOCAL_CERTIFICATE) PACKAGES.$(LOCAL_MODULE).PRIVATE_KEY := $(patsubst %.x509.pem,%.pk8,$(LOCAL_CERTIFICATE)) endif - +include $(BUILD_SYSTEM)/app_certificate_validate.mk PACKAGES.$(LOCAL_MODULE).OVERRIDES := $(strip $(LOCAL_OVERRIDES_PACKAGES)) ifdef LOCAL_SOONG_BUNDLE diff --git a/core/soong_config.mk b/core/soong_config.mk index 31c77d4b88..58e1a03ae9 100644 --- a/core/soong_config.mk +++ b/core/soong_config.mk @@ -146,6 +146,9 @@ $(call add_json_str, DexpreoptGlobalConfig, $(DEX_PREOPT_CONFIG)) $(call add_json_list, ManifestPackageNameOverrides, $(PRODUCT_MANIFEST_PACKAGE_NAME_OVERRIDES)) +$(call add_json_bool, EnforceSystemCertificate, $(ENFORCE_SYSTEM_CERTIFICATE)) +$(call add_json_list, EnforceSystemCertificateWhitelist, $(ENFORCE_SYSTEM_CERTIFICATE_WHITELIST)) + $(call add_json_map, VendorVars) $(foreach namespace,$(SOONG_CONFIG_NAMESPACES),\ $(call add_json_map, $(namespace))\
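Review bot: In core/soong_config.mk the flag is passed to `add_json_bool` as a raw value, whereas app_certificate_validate.mk enforces only when the product variable is exactly `true`. If `add_json_bool` treats any non-empty argument as true (its definition is not in this hunk), a product that sets the variable to `false` would be enforced in Soong but not in Make. Passing `$(filter true,$(ENFORCE_SYSTEM_CERTIFICATE))` makes both sides apply the same test.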