Merge "Install the ota keys under recovery as a zipfile"
am: 1e0742e2c3
Change-Id: Ib23d4607754a5aee1a3d4102e64cfbeb0b642cf8
@@ -1638,15 +1638,13 @@ OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
|
|||||||
# Generate a file containing the keys that will be read by the
|
# Generate a file containing the keys that will be read by the
|
||||||
# recovery binary.
|
# recovery binary.
|
||||||
RECOVERY_INSTALL_OTA_KEYS := \
|
RECOVERY_INSTALL_OTA_KEYS := \
|
||||||
$(call intermediates-dir-for,PACKAGING,ota_keys)/keys
|
$(call intermediates-dir-for,PACKAGING,ota_keys)/otacerts.zip
|
||||||
DUMPKEY_JAR := $(HOST_OUT_JAVA_LIBRARIES)/dumpkey.jar
|
|
||||||
$(RECOVERY_INSTALL_OTA_KEYS): PRIVATE_OTA_PUBLIC_KEYS := $(OTA_PUBLIC_KEYS)
|
$(RECOVERY_INSTALL_OTA_KEYS): PRIVATE_OTA_PUBLIC_KEYS := $(OTA_PUBLIC_KEYS)
|
||||||
$(RECOVERY_INSTALL_OTA_KEYS): extra_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
|
$(RECOVERY_INSTALL_OTA_KEYS): extra_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
|
||||||
$(RECOVERY_INSTALL_OTA_KEYS): $(OTA_PUBLIC_KEYS) $(DUMPKEY_JAR) $(extra_keys)
|
$(RECOVERY_INSTALL_OTA_KEYS): $(SOONG_ZIP) $(OTA_PUBLIC_KEYS) $(extra_keys)
|
||||||
@echo "DumpPublicKey: $@ <= $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys)"
|
$(hide) rm -f $@
|
||||||
@rm -rf $@
|
$(hide) mkdir -p $(dir $@)
|
||||||
@mkdir -p $(dir $@)
|
$(hide) $(SOONG_ZIP) -o $@ $(foreach key_file, $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys), -C $(dir $(key_file)) -f $(key_file))
|
||||||
$(JAVA) -jar $(DUMPKEY_JAR) $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys) > $@
|
|
||||||
|
|
||||||
RECOVERYIMAGE_ID_FILE := $(PRODUCT_OUT)/recovery.id
|
RECOVERYIMAGE_ID_FILE := $(PRODUCT_OUT)/recovery.id
|
||||||
|
|
||||||
@@ -1677,7 +1675,8 @@ define build-recoveryimage-target
|
|||||||
cp -f $(item) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.fstab)
|
cp -f $(item) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.fstab)
|
||||||
$(if $(strip $(recovery_wipe)), \
|
$(if $(strip $(recovery_wipe)), \
|
||||||
$(hide) cp -f $(recovery_wipe) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.wipe)
|
$(hide) cp -f $(recovery_wipe) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.wipe)
|
||||||
$(hide) cp $(RECOVERY_INSTALL_OTA_KEYS) $(TARGET_RECOVERY_ROOT_OUT)/res/keys
|
$(hide) mkdir -p $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security
|
||||||
|
$(hide) cp $(RECOVERY_INSTALL_OTA_KEYS) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security/otacerts.zip
|
||||||
$(hide) ln -sf prop.default $(TARGET_RECOVERY_ROOT_OUT)/default.prop
|
$(hide) ln -sf prop.default $(TARGET_RECOVERY_ROOT_OUT)/default.prop
|
||||||
$(BOARD_RECOVERY_IMAGE_PREPARE)
|
$(BOARD_RECOVERY_IMAGE_PREPARE)
|
||||||
$(hide) $(MKBOOTFS) -d $(TARGET_OUT) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk)
|
$(hide) $(MKBOOTFS) -d $(TARGET_OUT) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk)
|
||||||
@@ -3094,7 +3093,6 @@ OTATOOLS := $(HOST_OUT_EXECUTABLES)/minigzip \
|
|||||||
$(HOST_OUT_EXECUTABLES)/zipalign \
|
$(HOST_OUT_EXECUTABLES)/zipalign \
|
||||||
$(HOST_OUT_EXECUTABLES)/bsdiff \
|
$(HOST_OUT_EXECUTABLES)/bsdiff \
|
||||||
$(HOST_OUT_EXECUTABLES)/imgdiff \
|
$(HOST_OUT_EXECUTABLES)/imgdiff \
|
||||||
$(HOST_OUT_JAVA_LIBRARIES)/dumpkey.jar \
|
|
||||||
$(HOST_OUT_JAVA_LIBRARIES)/signapk.jar \
|
$(HOST_OUT_JAVA_LIBRARIES)/signapk.jar \
|
||||||
$(HOST_OUT_JAVA_LIBRARIES)/BootSignature.jar \
|
$(HOST_OUT_JAVA_LIBRARIES)/BootSignature.jar \
|
||||||
$(HOST_OUT_JAVA_LIBRARIES)/VeritySigner.jar \
|
$(HOST_OUT_JAVA_LIBRARIES)/VeritySigner.jar \
|
||||||
|
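Review bot: The prerequisite list of the otacerts.zip rule still names `$(extra_keys)`, but that variable is only assigned as a target-specific variable on the line above. Target-specific values are available inside the recipe, not when make expands the prerequisite list, so unless `extra_keys` is also defined globally elsewhere in the file (not visible here) the extra recovery certificates are not real dependencies of the zip. An incremental build after one of those certificate files changes on disk could then keep shipping the previous certificate in the recovery trust store. Spelling the list out in the rule avoids that: `$(RECOVERY_INSTALL_OTA_KEYS): $(SOONG_ZIP) $(OTA_PUBLIC_KEYS) $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))`.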
@@ -369,13 +369,13 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
|||||||
"SYSTEM/bin/install-recovery.sh"):
|
"SYSTEM/bin/install-recovery.sh"):
|
||||||
OPTIONS.rebuild_recovery = True
|
OPTIONS.rebuild_recovery = True
|
||||||
|
|
||||||
# Don't copy OTA keys if we're replacing them.
|
# Don't copy OTA certs if we're replacing them.
|
||||||
elif (
|
elif (
|
||||||
OPTIONS.replace_ota_keys and
|
OPTIONS.replace_ota_keys and
|
||||||
filename in (
|
filename in (
|
||||||
"BOOT/RAMDISK/res/keys",
|
"BOOT/RAMDISK/system/etc/security/otacerts.zip",
|
||||||
"BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
|
"BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
|
||||||
"RECOVERY/RAMDISK/res/keys",
|
"RECOVERY/RAMDISK/system/etc/security/otacerts.zip",
|
||||||
"SYSTEM/etc/security/otacerts.zip",
|
"SYSTEM/etc/security/otacerts.zip",
|
||||||
"SYSTEM/etc/update_engine/update-payload-key.pub.pem")):
|
"SYSTEM/etc/update_engine/update-payload-key.pub.pem")):
|
||||||
pass
|
pass
|
||||||
@@ -548,6 +548,27 @@ def RewriteProps(data):
|
|||||||
return "\n".join(output) + "\n"
|
return "\n".join(output) + "\n"
|
||||||
|
|
||||||
|
|
||||||
|
def WriteOtacerts(output_zip, filename, keys):
|
||||||
|
"""Constructs a zipfile from given keys; and writes it to output_zip.
|
||||||
|
|
||||||
|
Args:
|
||||||
|
output_zip: The output target_files zip.
|
||||||
|
filename: The archive name in the output zip.
|
||||||
|
keys: A list of public keys to use during OTA package verification.
|
||||||
|
"""
|
||||||
|
|
||||||
|
try:
|
||||||
|
from StringIO import StringIO
|
||||||
|
except ImportError:
|
||||||
|
from io import StringIO
|
||||||
|
temp_file = StringIO()
|
||||||
|
certs_zip = zipfile.ZipFile(temp_file, "w")
|
||||||
|
for k in keys:
|
||||||
|
common.ZipWrite(certs_zip, k)
|
||||||
|
common.ZipClose(certs_zip)
|
||||||
|
common.ZipWriteStr(output_zip, filename, temp_file.getvalue())
|
||||||
|
|
||||||
|
|
||||||
def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
|
def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
|
||||||
try:
|
try:
|
||||||
keylist = input_tf_zip.read("META/otakeys.txt").split()
|
keylist = input_tf_zip.read("META/otakeys.txt").split()
|
||||||
@@ -585,39 +606,20 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
|
|||||||
print("META/otakeys.txt has no keys; using %s for OTA package"
|
print("META/otakeys.txt has no keys; using %s for OTA package"
|
||||||
" verification." % (mapped_keys[0],))
|
" verification." % (mapped_keys[0],))
|
||||||
|
|
||||||
# recovery uses a version of the key that has been slightly
|
# recovery now uses the same x509.pem version of the keys.
|
||||||
# predigested (by DumpPublicKey.java) and put in res/keys.
|
|
||||||
# extra_recovery_keys are used only in recovery.
|
# extra_recovery_keys are used only in recovery.
|
||||||
cmd = ([OPTIONS.java_path] + OPTIONS.java_args +
|
|
||||||
["-jar",
|
|
||||||
os.path.join(OPTIONS.search_path, "framework", "dumpkey.jar")] +
|
|
||||||
mapped_keys + extra_recovery_keys)
|
|
||||||
p = common.Run(cmd, stdout=subprocess.PIPE)
|
|
||||||
new_recovery_keys, _ = p.communicate()
|
|
||||||
if p.returncode != 0:
|
|
||||||
raise common.ExternalError("failed to run dumpkeys")
|
|
||||||
|
|
||||||
if misc_info.get("recovery_as_boot") == "true":
|
if misc_info.get("recovery_as_boot") == "true":
|
||||||
recovery_keys_location = "BOOT/RAMDISK/res/keys"
|
recovery_keys_location = "BOOT/RAMDISK/system/etc/security/otacerts.zip"
|
||||||
else:
|
else:
|
||||||
recovery_keys_location = "RECOVERY/RAMDISK/res/keys"
|
recovery_keys_location = "RECOVERY/RAMDISK/system/etc/security/otacerts.zip"
|
||||||
common.ZipWriteStr(output_tf_zip, recovery_keys_location, new_recovery_keys)
|
|
||||||
|
WriteOtacerts(output_tf_zip, recovery_keys_location,
|
||||||
|
mapped_keys + extra_recovery_keys)
|
||||||
|
|
||||||
# SystemUpdateActivity uses the x509.pem version of the keys, but
|
# SystemUpdateActivity uses the x509.pem version of the keys, but
|
||||||
# put into a zipfile system/etc/security/otacerts.zip.
|
# put into a zipfile system/etc/security/otacerts.zip.
|
||||||
# We DO NOT include the extra_recovery_keys (if any) here.
|
# We DO NOT include the extra_recovery_keys (if any) here.
|
||||||
|
WriteOtacerts(output_tf_zip, "SYSTEM/etc/security/otacerts.zip", mapped_keys)
|
||||||
try:
|
|
||||||
from StringIO import StringIO
|
|
||||||
except ImportError:
|
|
||||||
from io import StringIO
|
|
||||||
temp_file = StringIO()
|
|
||||||
certs_zip = zipfile.ZipFile(temp_file, "w")
|
|
||||||
for k in mapped_keys:
|
|
||||||
common.ZipWrite(certs_zip, k)
|
|
||||||
common.ZipClose(certs_zip)
|
|
||||||
common.ZipWriteStr(output_tf_zip, "SYSTEM/etc/security/otacerts.zip",
|
|
||||||
temp_file.getvalue())
|
|
||||||
|
|
||||||
# For A/B devices, update the payload verification key.
|
# For A/B devices, update the payload verification key.
|
||||||
if misc_info.get("ab_update") == "true":
|
if misc_info.get("ab_update") == "true":
|
||||||
@@ -638,8 +640,6 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
|
|||||||
"BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
|
"BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
|
||||||
pubkey)
|
pubkey)
|
||||||
|
|
||||||
return new_recovery_keys
|
|
||||||
|
|
||||||
|
|
||||||
def ReplaceVerityPublicKey(output_zip, filename, key_path):
|
def ReplaceVerityPublicKey(output_zip, filename, key_path):
|
||||||
"""Replaces the verity public key at the given path in the given zip.
|
"""Replaces the verity public key at the given path in the given zip.
|
||||||
|
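Review bot: Dropping `"BOOT/RAMDISK/res/keys"` and `"RECOVERY/RAMDISK/res/keys"` from the skip tuple in ProcessTargetFiles means a target_files zip built before this change, which still carries `res/keys`, no longer has that entry filtered out when `OPTIONS.replace_ota_keys` is set. The entry would presumably fall through to a later copy branch (outside this hunk), so a re-signed image could keep the original recovery key file, possibly holding test keys, next to the newly written otacerts.zip. If signing older inputs is supported, keep the two legacy paths in the tuple alongside the new ones, or raise an error when either is present in the input. ProcessTargetFiles starts and ends outside the hunk.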