From b2dd6834218c257f291011c9495e77c6b6988e7c Mon Sep 17 00:00:00 2001 From: hungweichen Date: Mon, 8 Aug 2022 09:16:30 +0000 Subject: [PATCH 1/3] Remove BOOT_SIGNER and PRODUCT_SUPPORTS_BOOT_SIGNER These variables are going to be deprecated since we removed VB 1.0 support. This change removes the related references. boot.img can be verified by an AVB 2.0 hash descriptor now. Bug: 241044073 Test: atest under build/make Change-Id: I267da2d591525ffc0cabf92791cf66a36ef8ff62 --- core/Makefile | 35 +---------------------------------- core/config.mk | 3 +-- core/product.mk | 1 - target/product/verity.mk | 1 - 4 files changed, 2 insertions(+), 38 deletions(-) diff --git a/core/Makefile b/core/Makefile index e724a43e80..7603def34a 100644 --- a/core/Makefile +++ b/core/Makefile 
@@ -1108,30 +1108,7 @@ bootimage-nodeps: $(MKBOOTIMG) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH) $(INTERNAL_ @echo "make $@: ignoring dependencies" $(foreach b,$(INSTALLED_BOOTIMAGE_TARGET),$(call build_boot_board_avb_enabled,$(b))) -else ifeq (true,$(PRODUCT_SUPPORTS_BOOT_SIGNER)) # BOARD_AVB_ENABLE != true - -# $1: boot image target -define build_boot_supports_boot_signer - $(MKBOOTIMG) --kernel $(call bootimage-to-kernel,$(1)) $(INTERNAL_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1) - $(BOOT_SIGNER) /boot $@ $(PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCT_VERITY_SIGNING_KEY).x509.pem $(1) - $(call assert-max-image-size,$(1),$(call get-bootimage-partition-size,$(1),boot)) -endef - -$(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_FILES) $(BOOT_SIGNER) - $(call pretty,"Target boot image: $@") - $(call build_boot_supports_boot_signer,$@) - -$(call declare-1p-container,$(INSTALLED_BOOTIMAGE_TARGET),) -$(call declare-container-license-deps,$(INSTALLED_BOOTIMAGE_TARGET),$(INTERNAL_BOOTIMAGE_FILES),$(PRODUCT_OUT)/:/) - -UNMOUNTED_NOTICE_DEPS += $(INSTALLED_BOOTIMAGE_TARGET) - -.PHONY: bootimage-nodeps -bootimage-nodeps: $(MKBOOTIMG) $(BOOT_SIGNER) - @echo "make $@: ignoring dependencies" - $(foreach b,$(INSTALLED_BOOTIMAGE_TARGET),$(call build_boot_supports_boot_signer,$(b))) - -else ifeq (true,$(PRODUCT_SUPPORTS_VBOOT)) # PRODUCT_SUPPORTS_BOOT_SIGNER != true +else ifeq (true,$(PRODUCT_SUPPORTS_VBOOT)) # BOARD_AVB_ENABLE != true # $1: boot image target define build_boot_supports_vboot 
@@ -1949,7 +1926,6 @@ $(if $(BOARD_EROFS_USE_LEGACY_COMPRESSION),$(hide) echo "erofs_use_legacy_compre $(if $(BOARD_EXT4_SHARE_DUP_BLOCKS),$(hide) echo "ext4_share_dup_blocks=$(BOARD_EXT4_SHARE_DUP_BLOCKS)" >> $(1)) $(if $(BOARD_FLASH_LOGICAL_BLOCK_SIZE), $(hide) echo "flash_logical_block_size=$(BOARD_FLASH_LOGICAL_BLOCK_SIZE)" >> $(1)) $(if $(BOARD_FLASH_ERASE_BLOCK_SIZE), $(hide) echo "flash_erase_block_size=$(BOARD_FLASH_ERASE_BLOCK_SIZE)" >> $(1)) -$(if $(PRODUCT_SUPPORTS_BOOT_SIGNER),$(hide) echo "boot_signer=$(PRODUCT_SUPPORTS_BOOT_SIGNER)" >> $(1)) $(if $(PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity=$(PRODUCT_SUPPORTS_VERITY)" >> $(1)) $(if $(PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_key=$(PRODUCT_VERITY_SIGNING_KEY)" >> $(1)) $(if $(PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(notdir $(VERITY_SIGNER))" >> $(1)) @@ -2483,12 +2459,6 @@ define build-recoveryimage-target $(MKBOOTIMG) $(if $(strip $(2)),--kernel $(strip $(2))) $(INTERNAL_RECOVERYIMAGE_ARGS) \ $(INTERNAL_MKBOOTIMG_VERSION_ARGS) \ $(BOARD_RECOVERY_MKBOOTIMG_ARGS) --output $(1)) - $(if $(filter true,$(PRODUCT_SUPPORTS_BOOT_SIGNER)),\ - $(if $(filter true,$(BOARD_USES_RECOVERY_AS_BOOT)),\ - $(BOOT_SIGNER) /boot $(1) $(PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCT_VERITY_SIGNING_KEY).x509.pem $(1),\ - $(BOOT_SIGNER) /recovery $(1) $(PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCT_VERITY_SIGNING_KEY).x509.pem $(1)\ - )\ - ) $(if $(filter true,$(PRODUCT_SUPPORTS_VBOOT)), \ $(VBOOT_SIGNER) $(FUTILITY) $(1).unsigned $(PRODUCT_VBOOT_SIGNING_KEY).vbpubk $(PRODUCT_VBOOT_SIGNING_KEY).vbprivk $(PRODUCT_VBOOT_SIGNING_SUBKEY).vbprivk $(1).keyblock $(1)) $(if $(filter true,$(BOARD_USES_RECOVERY_AS_BOOT)), \ 
@@ -2501,9 +2471,6 @@ define build-recoveryimage-target endef recoveryimage-deps := $(MKBOOTIMG) $(recovery_ramdisk) $(recovery_kernel) -ifeq (true,$(PRODUCT_SUPPORTS_BOOT_SIGNER)) - recoveryimage-deps += $(BOOT_SIGNER) -endif ifeq (true,$(PRODUCT_SUPPORTS_VBOOT)) recoveryimage-deps += $(VBOOT_SIGNER) endif diff --git a/core/config.mk b/core/config.mk index c0dea95e33..8fb07fb470 100644 --- a/core/config.mk +++ b/core/config.mk @@ -161,7 +161,7 @@ $(KATI_obsolete_var TARGET_NO_VENDOR_BOOT,Use PRODUCT_BUILD_VENDOR_BOOT_IMAGE in $(KATI_obsolete_var PRODUCT_CHECK_ELF_FILES,Use BUILD_BROKEN_PREBUILT_ELF_FILES instead) $(KATI_obsolete_var ALL_GENERATED_SOURCES,ALL_GENERATED_SOURCES is no longer used) $(KATI_obsolete_var ALL_ORIGINAL_DYNAMIC_BINARIES,ALL_ORIGINAL_DYNAMIC_BINARIES is no longer used) - +$(KATI_obsolete_var PRODUCT_SUPPORTS_BOOT_SIGNER,VB 1.0 and related variables are no longer supported) # Used to force goals to build. Only use for conditionally defined goals. .PHONY: FORCE FORCE: @@ -629,7 +629,6 @@ APPEND2SIMG := $(HOST_OUT_EXECUTABLES)/append2simg VERITY_SIGNER := $(HOST_OUT_EXECUTABLES)/verity_signer BUILD_VERITY_METADATA := $(HOST_OUT_EXECUTABLES)/build_verity_metadata BUILD_VERITY_TREE := $(HOST_OUT_EXECUTABLES)/build_verity_tree -BOOT_SIGNER := $(HOST_OUT_EXECUTABLES)/boot_signer FUTILITY := $(HOST_OUT_EXECUTABLES)/futility-host VBOOT_SIGNER := $(HOST_OUT_EXECUTABLES)/vboot_signer FEC := $(HOST_OUT_EXECUTABLES)/fec diff --git a/core/product.mk b/core/product.mk index 73513134b5..2e0c9a7d85 100644 --- a/core/product.mk +++ b/core/product.mk @@ -136,7 +136,6 @@ _product_list_vars += PRODUCT_BOOT_JARS # PRODUCT_BOOT_JARS, so that device-specific jars go after common jars. _product_list_vars += PRODUCT_BOOT_JARS_EXTRA -_product_single_value_vars += PRODUCT_SUPPORTS_BOOT_SIGNER _product_single_value_vars += PRODUCT_SUPPORTS_VBOOT _product_single_value_vars += PRODUCT_SUPPORTS_VERITY _product_single_value_vars += PRODUCT_SUPPORTS_VERITY_FEC 
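Review bot: The `KATI_obsolete_var` entry added to core/config.mk says VB 1.0 is gone but not what to use instead, while the neighbouring entries each name a replacement (`Use BUILD_BROKEN_PREBUILT_ELF_FILES instead`). A device owner who hits this error can make the build pass by deleting the variable, and if `BOARD_AVB_ENABLE` is not already true the boot image presumably falls through to a branch outside this hunk with no signing step and no further diagnostic. Point the message at AVB 2.0, e.g. `$(KATI_obsolete_var PRODUCT_SUPPORTS_BOOT_SIGNER,VB 1.0 is no longer supported; use AVB 2.0 via BOARD_AVB_ENABLE instead)`; the same wording is reused by the entries added in [PATCH 2/3] and [PATCH 3/3]. The added line also replaces the blank line that separated this list from the `# Used to force goals to build.` comment, which should be kept.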
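Review bot: `BOOT_SIGNER` is deleted from the tool list in core/config.mk without a matching `KATI_obsolete_var` entry, unlike `PRODUCT_SUPPORTS_BOOT_SIGNER`. A makefile outside this tree that still lists `$(BOOT_SIGNER)` as a prerequisite or calls it in a recipe would then likely see an empty expansion instead of an error, so the signing step could be dropped or mangled without anyone noticing (how loudly this fails depends on how the build treats undefined variables). Add `$(KATI_obsolete_var BOOT_SIGNER,VB 1.0 and related variables are no longer supported)` next to the other entry. The removal of `FEC` in [PATCH 2/3] has the same gap.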
diff --git a/target/product/verity.mk b/target/product/verity.mk index 5f09283f06..81da64c643 100644 --- a/target/product/verity.mk +++ b/target/product/verity.mk @@ -16,7 +16,6 @@ # Provides dependencies necessary for verified boot. -PRODUCT_SUPPORTS_BOOT_SIGNER := true PRODUCT_SUPPORTS_VERITY := true PRODUCT_SUPPORTS_VERITY_FEC := true From bf11e3489781a1bbd7f3588e1f08178e0d931a2a Mon Sep 17 00:00:00 2001 From: hungweichen Date: Mon, 8 Aug 2022 09:34:47 +0000 Subject: [PATCH 2/3] Remove PRODUCT_SUPPORTS_VERITY(_FEC) reference PRODUCT_SUPPORTS_VERITY and PRODUCT_SUPPORTS_VERITY_FEC are going to be deprecated since we removed VB 1.0 support. This change removes the related references. Bug: 241044073 Test: atest under build/make Change-Id: Icee659ff0606cda1ab44e92372d86a394ddf1466 --- core/Makefile | 33 ++------------------------ core/config.mk | 3 ++- core/product.mk | 2 -- core/tasks/build_custom_images.mk | 2 -- core/tasks/tools/build_custom_image.mk | 12 ---------- target/product/verity.mk | 3 --- 6 files changed, 4 insertions(+), 51 deletions(-) diff --git a/core/Makefile b/core/Makefile index 7603def34a..8f6dbb770d 100644 --- a/core/Makefile +++ b/core/Makefile 
@@ -984,14 +984,8 @@ endif INTERNAL_BOOTIMAGE_FILES := $(filter-out --%,$(INTERNAL_BOOTIMAGE_ARGS)) -ifeq ($(PRODUCT_SUPPORTS_VERITY),true) -ifeq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) -VERITY_KEYID := veritykeyid=id:`openssl x509 -in $(PRODUCT_VERITY_SIGNING_KEY).x509.pem -text \ - | grep keyid | sed 's/://g' | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]' | sed 's/keyid//g'` -endif -endif - -INTERNAL_KERNEL_CMDLINE := $(strip $(INTERNAL_KERNEL_CMDLINE) buildvariant=$(TARGET_BUILD_VARIANT) $(VERITY_KEYID)) +# TODO(b/241346584) Remove this when BOARD_BUILD_SYSTEM_ROOT_IMAGE is deprecated +INTERNAL_KERNEL_CMDLINE := $(strip $(INTERNAL_KERNEL_CMDLINE) buildvariant=$(TARGET_BUILD_VARIANT)) # kernel cmdline/base/pagesize in boot. # - If using GKI, use GENERIC_KERNEL_CMDLINE. Remove kernel base and pagesize because they are @@ -1262,10 +1256,6 @@ endif # BUILDING_INIT_BOOT_IMAGE is not true INSTALLED_FILES_OUTSIDE_IMAGES := $(filter-out $(TARGET_VENDOR_RAMDISK_OUT)/%, $(INSTALLED_FILES_OUTSIDE_IMAGES)) ifeq ($(BUILDING_VENDOR_BOOT_IMAGE),true) -ifeq ($(PRODUCT_SUPPORTS_VERITY),true) - $(error vboot 1.0 does not support vendor_boot partition) -endif - INTERNAL_VENDOR_RAMDISK_FILES := $(filter $(TARGET_VENDOR_RAMDISK_OUT)/%, \ $(ALL_DEFAULT_INSTALLED_MODULES)) @@ -1786,13 +1776,6 @@ ifneq ($(filter \ INTERNAL_USERIMAGES_DEPS += $(MKSQUASHFSUSERIMG) endif -ifeq (true,$(PRODUCT_SUPPORTS_VERITY)) -INTERNAL_USERIMAGES_DEPS += $(BUILD_VERITY_METADATA) $(BUILD_VERITY_TREE) $(APPEND2SIMG) $(VERITY_SIGNER) -ifeq (true,$(PRODUCT_SUPPORTS_VERITY_FEC)) -INTERNAL_USERIMAGES_DEPS += $(FEC) -endif -endif - ifeq ($(BOARD_AVB_ENABLE),true) INTERNAL_USERIMAGES_DEPS += $(AVBTOOL) endif 
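Review bot: The added `# TODO(b/241346584) Remove this when BOARD_BUILD_SYSTEM_ROOT_IMAGE is deprecated` sits directly above the `INTERNAL_KERNEL_CMDLINE` assignment, which after this change no longer depends on `BOARD_BUILD_SYSTEM_ROOT_IMAGE`; the only visible use was the removed `VERITY_KEYID` block. As written, "this" reads as the whole cmdline assignment, including `buildvariant=`. Either drop the comment or name what is left to clean up, e.g. `# TODO(b/241346584): remove <remaining item> once BOARD_BUILD_SYSTEM_ROOT_IMAGE is deprecated`. The commit message should also state that `veritykeyid=` is no longer appended to the kernel command line, since that is a behaviour change for anything that still parses it.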
@@ -1809,14 +1792,6 @@ SELINUX_FC := $(call intermediates-dir-for,ETC,file_contexts.bin)/file_contexts. INTERNAL_USERIMAGES_DEPS += $(SELINUX_FC) -ifeq (true,$(PRODUCT_USE_DYNAMIC_PARTITIONS)) - -ifeq ($(PRODUCT_SUPPORTS_VERITY),true) - $(error vboot 1.0 doesn't support logical partition) -endif - -endif # PRODUCT_USE_DYNAMIC_PARTITIONS - # $(1) the partition name (eg system) # $(2) the image prop file define add-common-flags-to-image-props @@ -1926,10 +1901,6 @@ $(if $(BOARD_EROFS_USE_LEGACY_COMPRESSION),$(hide) echo "erofs_use_legacy_compre $(if $(BOARD_EXT4_SHARE_DUP_BLOCKS),$(hide) echo "ext4_share_dup_blocks=$(BOARD_EXT4_SHARE_DUP_BLOCKS)" >> $(1)) $(if $(BOARD_FLASH_LOGICAL_BLOCK_SIZE), $(hide) echo "flash_logical_block_size=$(BOARD_FLASH_LOGICAL_BLOCK_SIZE)" >> $(1)) $(if $(BOARD_FLASH_ERASE_BLOCK_SIZE), $(hide) echo "flash_erase_block_size=$(BOARD_FLASH_ERASE_BLOCK_SIZE)" >> $(1)) -$(if $(PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity=$(PRODUCT_SUPPORTS_VERITY)" >> $(1)) -$(if $(PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_key=$(PRODUCT_VERITY_SIGNING_KEY)" >> $(1)) -$(if $(PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(notdir $(VERITY_SIGNER))" >> $(1)) -$(if $(PRODUCT_SUPPORTS_VERITY_FEC),$(hide) echo "verity_fec=$(PRODUCT_SUPPORTS_VERITY_FEC)" >> $(1)) $(if $(filter eng, $(TARGET_BUILD_VARIANT)),$(hide) echo "verity_disable=true" >> $(1)) $(if $(PRODUCT_SYSTEM_VERITY_PARTITION),$(hide) echo "system_verity_block_device=$(PRODUCT_SYSTEM_VERITY_PARTITION)" >> $(1)) $(if $(PRODUCT_VENDOR_VERITY_PARTITION),$(hide) echo "vendor_verity_block_device=$(PRODUCT_VENDOR_VERITY_PARTITION)" >> $(1)) diff --git a/core/config.mk b/core/config.mk index 8fb07fb470..ad4491cf24 100644 --- a/core/config.mk +++ b/core/config.mk 
@@ -161,6 +161,8 @@ $(KATI_obsolete_var TARGET_NO_VENDOR_BOOT,Use PRODUCT_BUILD_VENDOR_BOOT_IMAGE in $(KATI_obsolete_var PRODUCT_CHECK_ELF_FILES,Use BUILD_BROKEN_PREBUILT_ELF_FILES instead) $(KATI_obsolete_var ALL_GENERATED_SOURCES,ALL_GENERATED_SOURCES is no longer used) $(KATI_obsolete_var ALL_ORIGINAL_DYNAMIC_BINARIES,ALL_ORIGINAL_DYNAMIC_BINARIES is no longer used) +$(KATI_obsolete_var PRODUCT_SUPPORTS_VERITY,VB 1.0 and related variables are no longer supported) +$(KATI_obsolete_var PRODUCT_SUPPORTS_VERITY_FEC,VB 1.0 and related variables are no longer supported) $(KATI_obsolete_var PRODUCT_SUPPORTS_BOOT_SIGNER,VB 1.0 and related variables are no longer supported) # Used to force goals to build. Only use for conditionally defined goals. .PHONY: FORCE @@ -631,7 +633,6 @@ BUILD_VERITY_METADATA := $(HOST_OUT_EXECUTABLES)/build_verity_metadata BUILD_VERITY_TREE := $(HOST_OUT_EXECUTABLES)/build_verity_tree FUTILITY := $(HOST_OUT_EXECUTABLES)/futility-host VBOOT_SIGNER := $(HOST_OUT_EXECUTABLES)/vboot_signer -FEC := $(HOST_OUT_EXECUTABLES)/fec DEXDUMP := $(HOST_OUT_EXECUTABLES)/dexdump$(BUILD_EXECUTABLE_SUFFIX) PROFMAN := $(HOST_OUT_EXECUTABLES)/profman diff --git a/core/product.mk b/core/product.mk index 2e0c9a7d85..fcfe891ac1 100644 --- a/core/product.mk +++ b/core/product.mk @@ -137,8 +137,6 @@ _product_list_vars += PRODUCT_BOOT_JARS _product_list_vars += PRODUCT_BOOT_JARS_EXTRA _product_single_value_vars += PRODUCT_SUPPORTS_VBOOT -_product_single_value_vars += PRODUCT_SUPPORTS_VERITY -_product_single_value_vars += PRODUCT_SUPPORTS_VERITY_FEC _product_list_vars += PRODUCT_SYSTEM_SERVER_APPS # List of system_server classpath jars on the platform. _product_list_vars += PRODUCT_SYSTEM_SERVER_JARS diff --git a/core/tasks/build_custom_images.mk b/core/tasks/build_custom_images.mk index c9b07da575..680ad11584 100644 --- a/core/tasks/build_custom_images.mk +++ b/core/tasks/build_custom_images.mk 
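Review bot: Only `FEC` is dropped from the tool list in core/config.mk, while `BUILD_VERITY_METADATA` and `BUILD_VERITY_TREE` (context lines of the same hunk) and `VERITY_SIGNER` stay defined, although this patch removes their use from `INTERNAL_USERIMAGES_DEPS` and from the image property files. If nothing else in the tree reads them, remove them in the same change so that no VB 1.0 signing tool path stays resolvable from makefiles. If another consumer exists, add a one-line comment above the definitions naming it, e.g. `# Still used by <consumer>; not part of VB 1.0 signing`.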
@@ -62,8 +62,6 @@ custom_image_parameter_variables := \ CUSTOM_IMAGE_MODULES \ CUSTOM_IMAGE_COPY_FILES \ CUSTOM_IMAGE_SELINUX \ - CUSTOM_IMAGE_SUPPORT_VERITY \ - CUSTOM_IMAGE_SUPPORT_VERITY_FEC \ CUSTOM_IMAGE_VERITY_BLOCK_DEVICE \ CUSTOM_IMAGE_AVB_HASH_ENABLE \ CUSTOM_IMAGE_AVB_ADD_HASH_FOOTER_ARGS \ diff --git a/core/tasks/tools/build_custom_image.mk b/core/tasks/tools/build_custom_image.mk index f9ae2c1a20..b89b23ce63 100644 --- a/core/tasks/tools/build_custom_image.mk +++ b/core/tasks/tools/build_custom_image.mk @@ -91,8 +91,6 @@ $(my_built_custom_image): PRIVATE_STAGING_DIR := $(my_staging_dir) $(my_built_custom_image): PRIVATE_COPY_PAIRS := $(my_copy_pairs) $(my_built_custom_image): PRIVATE_PICKUP_FILES := $(my_pickup_files) $(my_built_custom_image): PRIVATE_SELINUX := $(CUSTOM_IMAGE_SELINUX) -$(my_built_custom_image): PRIVATE_SUPPORT_VERITY := $(CUSTOM_IMAGE_SUPPORT_VERITY) -$(my_built_custom_image): PRIVATE_SUPPORT_VERITY_FEC := $(CUSTOM_IMAGE_SUPPORT_VERITY_FEC) $(my_built_custom_image): PRIVATE_VERITY_KEY := $(PRODUCT_VERITY_SIGNING_KEY) $(my_built_custom_image): PRIVATE_VERITY_BLOCK_DEVICE := $(CUSTOM_IMAGE_VERITY_BLOCK_DEVICE) $(my_built_custom_image): PRIVATE_DICT_FILE := $(CUSTOM_IMAGE_DICT_FILE) @@ -108,9 +106,6 @@ ifeq (true,$(filter true, $(CUSTOM_IMAGE_AVB_HASH_ENABLE) $(CUSTOM_IMAGE_AVB_HAS else ifneq (,$(filter true, $(CUSTOM_IMAGE_AVB_HASH_ENABLE) $(CUSTOM_IMAGE_AVB_HASHTREE_ENABLE))) $(error Cannot set both CUSTOM_IMAGE_AVB_HASH_ENABLE and CUSTOM_IMAGE_AVB_HASHTREE_ENABLE to true) endif -ifeq (true,$(CUSTOM_IMAGE_SUPPORT_VERITY_FEC)) - $(my_built_custom_image): $(FEC) -endif $(my_built_custom_image): $(INTERNAL_USERIMAGES_DEPS) $(my_built_modules) $(my_image_copy_files) $(my_custom_image_modules_dep) \ $(CUSTOM_IMAGE_DICT_FILE) @echo "Build image $@" 
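Review bot: `PRIVATE_VERITY_BLOCK_DEVICE` in core/tasks/tools/build_custom_image.mk, and `CUSTOM_IMAGE_VERITY_BLOCK_DEVICE` in the parameter list of core/tasks/build_custom_images.mk, are kept, but the only reader visible in this patch, the `verity_block_device=` line of the image_info.txt recipe, is removed in the later hunk of the same file. Unless a consumer outside these hunks remains, delete `$(my_built_custom_image): PRIVATE_VERITY_BLOCK_DEVICE := $(CUSTOM_IMAGE_VERITY_BLOCK_DEVICE)` and the list entry too, so a custom image definition cannot set a verity parameter that is silently ignored. The recipe also still writes `verity_disable=true` for eng builds; confirm that something on the AVB path still reads that key, or remove it as well.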
@@ -130,13 +125,6 @@ $(my_built_custom_image): $(INTERNAL_USERIMAGES_DEPS) $(my_built_modules) $(my_i $(hide) echo "partition_size=$(PRIVATE_PARTITION_SIZE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt $(hide) echo "ext_mkuserimg=$(notdir $(MKEXTUSERIMG))" >> $(PRIVATE_INTERMEDIATES)/image_info.txt $(if $(PRIVATE_SELINUX),$(hide) echo "selinux_fc=$(SELINUX_FC)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt) - $(if $(PRIVATE_SUPPORT_VERITY),\ - $(hide) echo "verity=$(PRIVATE_SUPPORT_VERITY)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\ - echo "verity_key=$(PRIVATE_VERITY_KEY)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\ - echo "verity_signer_cmd=$(VERITY_SIGNER)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\ - echo "verity_block_device=$(PRIVATE_VERITY_BLOCK_DEVICE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt) - $(if $(PRIVATE_SUPPORT_VERITY_FEC),\ - $(hide) echo "verity_fec=$(PRIVATE_SUPPORT_VERITY_FEC)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt) $(if $(filter eng, $(TARGET_BUILD_VARIANT)),$(hide) echo "verity_disable=true" >> $(PRIVATE_INTERMEDIATES)/image_info.txt) $(hide) echo "avb_avbtool=$(PRIVATE_AVB_AVBTOOL)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt $(if $(PRIVATE_AVB_KEY_PATH),\ diff --git a/target/product/verity.mk b/target/product/verity.mk index 81da64c643..961567c76d 100644 --- a/target/product/verity.mk +++ b/target/product/verity.mk @@ -16,9 +16,6 @@ # Provides dependencies necessary for verified boot. -PRODUCT_SUPPORTS_VERITY := true -PRODUCT_SUPPORTS_VERITY_FEC := true - # The dev key is used to sign boot and recovery images, and the verity # metadata table. Actual product deliverables will be re-signed by hand. # We expect this file to exist with the suffixes ".x509.pem" and ".pk8". From e3ca398a1ecadb18ff491b33066100d3f1ab5963 Mon Sep 17 00:00:00 2001 
From: hungweichen Date: Mon, 8 Aug 2022 09:49:14 +0000 Subject: [PATCH 3/3] Remove verity.mk, verity_key, PRODUCT_VERITY_SIGNING_KEY verity.mk is used to set the related variable for VB 1.0 support, but we already removed VB 1.0. This change removes the unused code. We also remove and block PRODUCT_VERITY_SIGNING_KEY in this change. Bug: 241044073 Test: atest under build/make Change-Id: Ifbcde7da27a931ef3b9d746b1c5a279d88c0ec85 --- core/config.mk | 1 + core/product.mk | 1 - core/tasks/tools/build_custom_image.mk | 1 - target/product/security/Android.mk | 37 ------------------------ target/product/security/verity.pk8 | Bin 1219 -> 0 bytes target/product/security/verity.x509.pem | 24 --------------- target/product/security/verity_key | Bin 524 -> 0 bytes target/product/verity.mk | 25 ---------------- 8 files changed, 1 insertion(+), 88 deletions(-) delete mode 100644 target/product/security/verity.pk8 delete mode 100644 target/product/security/verity.x509.pem delete mode 100644 target/product/security/verity_key delete mode 100644 target/product/verity.mk diff --git a/core/config.mk b/core/config.mk index ad4491cf24..181bdcfb07 100644 --- a/core/config.mk +++ b/core/config.mk @@ -164,6 +164,7 @@ $(KATI_obsolete_var ALL_ORIGINAL_DYNAMIC_BINARIES,ALL_ORIGINAL_DYNAMIC_BINARIES $(KATI_obsolete_var PRODUCT_SUPPORTS_VERITY,VB 1.0 and related variables are no longer supported) $(KATI_obsolete_var PRODUCT_SUPPORTS_VERITY_FEC,VB 1.0 and related variables are no longer supported) $(KATI_obsolete_var PRODUCT_SUPPORTS_BOOT_SIGNER,VB 1.0 and related variables are no longer supported) +$(KATI_obsolete_var PRODUCT_VERITY_SIGNING_KEY,VB 1.0 and related variables are no longer supported) # Used to force goals to build. Only use for conditionally defined goals. .PHONY: FORCE FORCE: diff --git a/core/product.mk b/core/product.mk index fcfe891ac1..ee2fa5a4b8 100644 --- a/core/product.mk +++ b/core/product.mk 
@@ -165,7 +165,6 @@ _product_list_vars += PRODUCT_DEXPREOPT_SPEED_APPS _product_list_vars += PRODUCT_LOADED_BY_PRIVILEGED_MODULES _product_single_value_vars += PRODUCT_VBOOT_SIGNING_KEY _product_single_value_vars += PRODUCT_VBOOT_SIGNING_SUBKEY -_product_single_value_vars += PRODUCT_VERITY_SIGNING_KEY _product_single_value_vars += PRODUCT_SYSTEM_VERITY_PARTITION _product_single_value_vars += PRODUCT_VENDOR_VERITY_PARTITION _product_single_value_vars += PRODUCT_PRODUCT_VERITY_PARTITION diff --git a/core/tasks/tools/build_custom_image.mk b/core/tasks/tools/build_custom_image.mk index b89b23ce63..2626120eb0 100644 --- a/core/tasks/tools/build_custom_image.mk +++ b/core/tasks/tools/build_custom_image.mk @@ -91,7 +91,6 @@ $(my_built_custom_image): PRIVATE_STAGING_DIR := $(my_staging_dir) $(my_built_custom_image): PRIVATE_COPY_PAIRS := $(my_copy_pairs) $(my_built_custom_image): PRIVATE_PICKUP_FILES := $(my_pickup_files) $(my_built_custom_image): PRIVATE_SELINUX := $(CUSTOM_IMAGE_SELINUX) -$(my_built_custom_image): PRIVATE_VERITY_KEY := $(PRODUCT_VERITY_SIGNING_KEY) $(my_built_custom_image): PRIVATE_VERITY_BLOCK_DEVICE := $(CUSTOM_IMAGE_VERITY_BLOCK_DEVICE) $(my_built_custom_image): PRIVATE_DICT_FILE := $(CUSTOM_IMAGE_DICT_FILE) $(my_built_custom_image): PRIVATE_AVB_AVBTOOL := $(AVBTOOL) diff --git a/target/product/security/Android.mk b/target/product/security/Android.mk index ad25a9261c..4bd8efc0fe 100644 --- a/target/product/security/Android.mk +++ b/target/product/security/Android.mk 
@@ -1,42 +1,5 @@ LOCAL_PATH:= $(call my-dir) -####################################### -# verity_key (installed to /, i.e. part of system.img) -include $(CLEAR_VARS) - -LOCAL_MODULE := verity_key -LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 -LOCAL_LICENSE_CONDITIONS := notice -LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE -LOCAL_SRC_FILES := $(LOCAL_MODULE) -LOCAL_MODULE_CLASS := ETC -LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) - -# For devices using a separate ramdisk, we need a copy there to establish the chain of trust. -ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) -LOCAL_REQUIRED_MODULES := verity_key_ramdisk -endif - -include $(BUILD_PREBUILT) - -####################################### -# verity_key (installed to ramdisk) -# -# Enabling the target when using system-as-root would cause build failure, as TARGET_RAMDISK_OUT -# points to the same location as TARGET_ROOT_OUT. -ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) - include $(CLEAR_VARS) - LOCAL_MODULE := verity_key_ramdisk - LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 - LOCAL_LICENSE_CONDITIONS := notice - LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE - LOCAL_MODULE_CLASS := ETC - LOCAL_SRC_FILES := verity_key - LOCAL_MODULE_STEM := verity_key - LOCAL_MODULE_PATH := $(TARGET_RAMDISK_OUT) - include $(BUILD_PREBUILT) -endif - ####################################### # adb key, if configured via PRODUCT_ADB_KEYS ifdef PRODUCT_ADB_KEYS 
diff --git a/target/product/security/verity.pk8 b/target/product/security/verity.pk8 deleted file mode 100644 index bebf216cb6004b5c6665d044916c8a5a70f4a12b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1219 zcmV;!1U&mNf&{+;0RS)!1_>&LNQUrsW5^Br2+u}0)hbn0O;#@O)pJU zk$QWxJKN`JXXMf3GhwFmf~sQc5HpLXW)JJ2phAh6v*Nf;L&5#EipG7q6%@NiP&1C5 zD~cQ|6A`V+<{KQH7JjIH&CU#y7dlJ!fThd)S6dMGLvI}2yUh2>PnPSuoiq2=?Pl6T zaL&?6?)ogsYESo1ja=sH7nu(=P}@Mw5wjV{O;vLyTI9w$NIFyP2-!D#E6lG@#i0RX z&!nR5RDWv#zEjRN4M*Lg&C;CDa3e;-HwifHrX@fGXP418BSkBj2eQ2ou6i9`juh0o zBU4X}(EAjGp~z`!sh3nbKon($r*4=YPm_BShO<@1mVAVlm$ zD9=yWK|e}|G5TSFSQRFzdH*xY zgIPN*BNBwfol-TXX5#p5)M)dPl7jmJQ2Gv(*Ym!j$FB{5swvIpd-Slm)`GxcHM>N< z=qwC5ks5erFMHPzIEXs4156qVPhcaHx|jz4_eld#x|4N6g;ISU`V^mclfpv-O5-}s zCDaLL1Up}63MrecTJ4u}ku{vxgXcqjtWUEC09s5Q2)zY>lWfc=XuX&M^1V3`QYB$9*s{u3$!abr0$fUJ z-12GL=T3KRPhSrASRWxC4Q0urGV;N^XA z(~i%%tC+CGVzR;ACxiZOzztALDPz}*l?T220d|ALu*L%VKTw`qR9YCy6s^XC;N|^x zul{=N zxMq-2@ZMecjS-do1NIF#cZ?k}jaJ5br_xSWG zb~V#f9(rZtO=Is~*?;GDu(P&EhR3l3vD*_CUl`&1rfw4z)+vb2OAfb9b>HpD2)1|X zHff6lW9d0QbM@FopS{X-j{?^ndXUUrpQG5+qVDrwoszQpxbtr<-zTL5q~cNgVs+&@ z2C)KxfdHOmL!fWm!wfP<2Mlq=g8;nS3Mq#2s_*R^>nR|;8&bwy?9T|Fo6wYa_|xdV zOUsZ*;cW!aem(yO0-@)ToG{KSNO$)g^D87t%DobVP%fxxWmfP hk4vOBJnVsAiAcI)+4Ln>*X%OBo25xJ{%5YX31a)eQE>nO diff --git a/target/product/security/verity.x509.pem b/target/product/security/verity.x509.pem deleted file mode 100644 index 86399c3c1d..0000000000 --- a/target/product/security/verity.x509.pem +++ /dev/null 
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID/TCCAuWgAwIBAgIJAJcPmDkJqolJMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYD
-VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4g
-VmlldzEQMA4GA1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UE
-AwwHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe
-Fw0xNDExMDYxOTA3NDBaFw00MjAzMjQxOTA3NDBaMIGUMQswCQYDVQQGEwJVUzET
-MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G
-A1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UEAwwHQW5kcm9p
-ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAOjreE0vTVSRenuzO9vnaWfk0eQzYab0gqpi
-6xAzi6dmD+ugoEKJmbPiuE5Dwf21isZ9uhUUu0dQM46dK4ocKxMRrcnmGxydFn6o
-fs3ODJMXOkv2gKXL/FdbEPdDbxzdu8z3yk+W67udM/fW7WbaQ3DO0knu+izKak/3
-T41c5uoXmQ81UNtAzRGzGchNVXMmWuTGOkg6U+0I2Td7K8yvUMWhAWPPpKLtVH9r
-AL5TzjYNR92izdKcz3AjRsI3CTjtpiVABGeX0TcjRSuZB7K9EK56HV+OFNS6I1NP
-jdD7FIShyGlqqZdUOkAUZYanbpgeT5N7QL6uuqcGpoTOkalu6kkCAwEAAaNQME4w
-HQYDVR0OBBYEFH5DM/m7oArf4O3peeKO0ZIEkrQPMB8GA1UdIwQYMBaAFH5DM/m7
-oArf4O3peeKO0ZIEkrQPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
-AHO3NSvDE5jFvMehGGtS8BnFYdFKRIglDMc4niWSzhzOVYRH4WajxdtBWc5fx0ix
-NF/+hVKVhP6AIOQa+++sk+HIi7RvioPPbhjcsVlZe7cUEGrLSSveGouQyc+j0+m6
-JF84kszIl5GGNMTnx0XRPO+g8t6h5LWfnVydgZfpGRRg+WHewk1U2HlvTjIceb0N
-dcoJ8WKJAFWdcuE7VIm4w+vF/DYX/A2Oyzr2+QRhmYSv1cusgAeC1tvH4ap+J1Lg
-UnOu5Kh/FqPLLSwNVQp4Bu7b9QFfqK8Moj84bj88NqRGZgDyqzuTrFxn6FW7dmyA
-yttuAJAEAymk1mipd9+zp38=
------END CERTIFICATE-----
diff --git a/target/product/security/verity_key b/target/product/security/verity_key deleted file mode 100644 index 31982d95ad57005430b65bb28dbfd39adb231347..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 524 zcmV+n0`vVq00007*!mSo>Tao#&V;50r@F4bKzox<9++;YhGi5$I#idbYH7%!gcSSG zjZae}y3`boUmbd`5WTVonJYyjH_?}81VAOG?KlZH!bT%-&z#cDqTNRgHqKMN0Be6# z?V_a5V*#PXP_N7@dpFq#?Nd5PI>zK$CUaFy$QiQ{%|P2wH4m8=>gHUHPxnu1$}IZs zNz%@6L)vET*7q}=yX%%u%J-5hU2_YhlG{L7_)_Deb!lMK$yeyDyHog5qH$*mC+ zD;$a|osKh5N4pdix_!oqwf(_EPPpQ;nTbN6pz9B2r;9TX>td>c^rm4mRQO5Icr(+stoA0|`|}7FmS+A=VX_>8 zY{CI-h?eiWdWapYX_c4Z!3_b~H#5fBwAQHXK>snOd)%677I<*-H^|dT5Y^3neCwAV z5g%<5@KOth19r#9E`RiKU>MT}%f}#VQ~0Nv^RDDd7csx@I@O`AG3{dh1+U@!cT>&$ z`t<&6{lIv