From d13b9a24bca0b05c903e465cb54f8beebdfdcc6a Mon Sep 17 00:00:00 2001
From: Justin Yun <justinyun@google.com>
Date: Thu, 4 Jul 2024 14:44:44 +0900
Subject: [PATCH] Move otacerts module from Android.mk to Android.bp

Remove the otacerts module defined in Android.mk. Instead, provide
variables to soong.

Bug: 335364209
Test: Define "PRODUCT_DEFAULT_DEV_CERTIFICATE := \
                 build/make/target/product/security/testkey" and
      m aosp_cf_system_x86_64
Change-Id: I99a484e04984da8bd7f58deecd90c880de16fd71
---
 core/soong_config.mk               |  2 ++
 target/product/security/Android.bp | 12 +++++++
 target/product/security/Android.mk | 51 ------------------------------
 3 files changed, 14 insertions(+), 51 deletions(-)

diff --git a/core/soong_config.mk b/core/soong_config.mk
index 068034bb13..12b41358f7 100644
--- a/core/soong_config.mk
+++ b/core/soong_config.mk
@@ -109,6 +109,8 @@ $(call add_json_str,  AAPTPreferredConfig,               $(PRODUCT_AAPT_PREF_CON
 $(call add_json_list, AAPTPrebuiltDPI,                   $(PRODUCT_AAPT_PREBUILT_DPI))
 
 $(call add_json_str,  DefaultAppCertificate,             $(PRODUCT_DEFAULT_DEV_CERTIFICATE))
+$(call add_json_list, ExtraOtaKeys,                      $(PRODUCT_EXTRA_OTA_KEYS))
+$(call add_json_list, ExtraOtaRecoveryKeys,              $(PRODUCT_EXTRA_RECOVERY_KEYS))
 $(call add_json_str,  MainlineSepolicyDevCertificates,   $(MAINLINE_SEPOLICY_DEV_CERTIFICATES))
 
 $(call add_json_str,  AppsDefaultVersionName,            $(APPS_DEFAULT_VERSION_NAME))
diff --git a/target/product/security/Android.bp b/target/product/security/Android.bp
index 1e26d598da..0d7b35e1c9 100644
--- a/target/product/security/Android.bp
+++ b/target/product/security/Android.bp
@@ -25,3 +25,15 @@ prebuilt_etc {
     sub_dir: "security/fsverity",
     filename_from_src: true,
 }
+
+// otacerts: A keystore with the authorized keys in it, which is used to verify
+// the authenticity of downloaded OTA packages.
+// This module zips files defined in PRODUCT_DEFAULT_DEV_CERTIFICATE and
+// PRODUCT_EXTRA_OTA_KEYS for system or PRODUCT_EXTRA_RECOVERY_KEYS for recovery
+// image
+otacerts_zip {
+    name: "otacerts",
+    recovery_available: true,
+    relative_install_path: "security",
+    filename: "otacerts.zip",
+}
diff --git a/target/product/security/Android.mk b/target/product/security/Android.mk
index 4bd8efc0fe..91b272c1bd 100644
--- a/target/product/security/Android.mk
+++ b/target/product/security/Android.mk
@@ -15,54 +15,3 @@ ifdef PRODUCT_ADB_KEYS
     include $(BUILD_PREBUILT)
   endif
 endif
-
-
-#######################################
-# otacerts: A keystore with the authorized keys in it, which is used to verify the authenticity of
-# downloaded OTA packages.
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := otacerts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
-LOCAL_LICENSE_CONDITIONS := notice
-LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_STEM := otacerts.zip
-LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
-include $(BUILD_SYSTEM)/base_rules.mk
-
-extra_ota_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_OTA_KEYS))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
-$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_OTA_KEYS := $(extra_ota_keys)
-$(LOCAL_BUILT_MODULE): \
-	    $(SOONG_ZIP) \
-	    $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
-	    $(extra_ota_keys)
-	$(SOONG_ZIP) -o $@ -j -symlinks=false \
-	    $(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_OTA_KEYS))
-
-
-#######################################
-# otacerts for recovery image.
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := otacerts.recovery
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
-LOCAL_LICENSE_CONDITIONS := notice
-LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_STEM := otacerts.zip
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security
-include $(BUILD_SYSTEM)/base_rules.mk
-
-extra_recovery_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
-
-$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
-$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_RECOVERY_KEYS := $(extra_recovery_keys)
-$(LOCAL_BUILT_MODULE): \
-	    $(SOONG_ZIP) \
-	    $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
-	    $(extra_recovery_keys)
-	$(SOONG_ZIP) -o $@ -j -symlinks=false \
-	    $(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS))