Commit Graph

7278 Commits

Author SHA1 Message Date
Tianjie Xu
4772ec7583 Merge "Write the vbmeta digest to the output zipfile also" 2021-07-15 04:43:36 +00:00
Tianjie
c3bf3d00a3 Write the vbmeta digest to the output zipfile also
During signing, we write the entry directly to the output zip, intead
of a temp directory. Add the logic to write vbmeta_digest.txt to output
zipfile too. So the digest file will show up in the signed target files.

Bug: 189926233
Test: add_img_to_target_files -a <target-files.zip>
Change-Id: Ibf28a8f97512bda8c8c695e06190e1fb6573c53e
2021-07-14 16:03:08 -07:00
Justin Yun
9d3356b306 fs_config reads headers from snapshots, if available
fs_config requires the information from the header files in
system/core and bionic/libc. To build the vendor side fs_config,
use the header files in the vendor snashot if the required version
exists.

Bug: 187222756
Test: check ninja depedency with and without snasphots.
Change-Id: Ibf96eab4d9a129745be1a19b2aa2e4c8f57cf6bf
2021-07-13 11:42:18 +09:00
Daniel Norman
571e182e9c Regenerate odm or vendor using combined sepolicy if --rebuild-sepolicy.
This allows merged devices to boot using a precompiled_sepolicy built
from merged sources, rather than recompiling this sepolicy at boot
time every boot.

Bug: 178727214
Test: Merge an R+S build using --rebuild-sepolicy and --vendor-otatools.
      Observe odm.img is rebuilt by the vendor otatools.zip
        when merging.
      Observe device boots using ODM's precompiled_sepolicy file.
Test: Same as above, for S+S.
Test: Merge an S+S build using --rebuild-sepolicy and *not*
        --vendor-otatools.
      Observe odm.img is rebuilt without using a separate otatools.zip.
      Observe device boots using ODM's precompiled_sepolicy file.
Change-Id: I9595b8a3296d6deec21db8f0c9bc5b7ec4debd57
2021-07-01 16:29:15 -07:00
Tianjie Xu
8b92dab126 Merge "Add apex info to the streaming property file" 2021-06-29 23:58:47 +00:00
Jan Monsch
e147d481fe Removing AFTL integration from release tools.
Bug: 158639560
Test: Treehugger
Change-Id: I6949385e3448ad539099966c41ce99f156e3fdc4
2021-06-29 12:38:59 +00:00
Jaegeuk Kim
3dc47280e2 Support block_list and readonly for f2fs
Bug: 190760483
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I9bb3a91d46494ce5ea5c842c3927ea7d97fa24f3
2021-06-24 22:29:05 -07:00
Elliott Hughes
47066addcf Update OWNERS for signapk.
Test: treehugger
Change-Id: I8914a5386fe51fdf544367826ea643ad785e558d
2021-06-17 15:06:44 -07:00
Treehugger Robot
c09cda8c6c Merge "Add ro.vendor.build.dont_use_vabc to disable VABC OTA" 2021-06-14 18:37:29 +00:00
Kelvin Zhang
10eac08fe1 Add ro.vendor.build.dont_use_vabc to disable VABC OTA
This prop is owned by OEM, OEM can set this if they want to disable
VABC.

Test: m dist, make sure generated OTA has VABC disabled
Bug: 185400304

Change-Id: Iceb2fb1f399d38a51722352a86ddf68af05fa24e
2021-06-14 10:23:14 -04:00
Treehugger Robot
6497a1b7f8 Merge "Handles capex in signing script" 2021-06-12 11:40:08 +00:00
Tianjie
4d48d50036 Handles capex in signing script
Today, the signing script simply ignores capex files, because it
looks for hardcoded '.apex' suffix. Add support to handle capex
as well.

Bug: 190574334
Test: Sign a target file locally
Change-Id: I3085ca7b0396a4fbf1b220f7de44d4eafb60c3d8
2021-06-11 17:14:22 -07:00
Tianjie
d868c12467 Add apex info to the streaming property file
So updaters can streaming download the file, and query the apex info
inside the file.

Bug: 190244686
Test: generate an OTA package, check the streaming property
Change-Id: I17078d3f8d60ca53c6afe82f74b232e2fb242467
2021-06-10 14:44:26 -07:00
Chih-Hung Hsieh
56aa27bf12 Add one more Java warning pattern
Test: warn.py --url=http://cs/android --separator='?l=' build.log > warnings.html
Test: warn.py --gencsv build.log > warnings.csv
Change-Id: Ibc0ef7d1df29485ab4389f5c595fac77f69e19e7
2021-06-10 14:33:54 -07:00
Chih-hung Hsieh
9c17b26ee7 Merge "Add one Asm warning pattern" 2021-06-10 21:32:30 +00:00
Tianjie Xu
d3c78b8cde Merge "Amend the apex info for ota package" 2021-06-09 20:16:08 +00:00
Jaegeuk Kim
1f50a36c62 Missing required packages for f2fs when building ota package
Bug: 171942852
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Ib2ecc0cf88d71f358bd04e6c4ac129607fe4054c
2021-06-08 19:12:15 -07:00
Chih-Hung Hsieh
e40e2bf8db Add one Asm warning pattern
Test: warn.py --url=http://cs/android --separator='?l=' build.log > warnings.html
Test: warn.py --gencsv build.log > warnings.csv
Change-Id: I85b53c15b5a9e705e939e2cf810a0344df6dbeda
2021-06-08 14:52:45 -07:00
Tianjie
a5fca03e0a Amend the apex info for ota package
We have already logged the compressed apexes in the target-files.
Because we want to support the apex metrics during OTA update, also
include the uncompressed apexes in the META/apex_info.pb.

For incremental OTA packages, include the source apex version for
each apex package as well.

Bug: 190244686
Test: unit test
Change-Id: I5cf2647c56c4feb5517f9a81aa1e9abc52515bf1
2021-06-07 20:33:46 -07:00
Kelvin Zhang
766eea72ef Handle caremap for partial OTAs
When generating a partial OTA, filter care_map.pb to include only the
partial partitions, then generate OTA.

Test: Generate a partial OTA, make sure care map is included.

Change-Id: I0eaa12772eb1d06a57451e64f70689d3183f0115
2021-06-04 16:17:32 -04:00
Chih-Hung Hsieh
5d9ee04f56 Add new Asm/C++/Java/Make warning patterns
* Change some incorrectly-classified logtags warnings to C++.
* Fix gpylint warnings of long lines in html_writer.py.

Test: warn.py --url=http://cs/android --separator='?l=' build.log > warnings.html
Test: warn.py --gencsv build.log > warnings.csv
Change-Id: I98c01dadfd72b202d81ef7c94e93c42182f6065c
2021-06-02 21:34:49 +00:00
Jaegeuk Kim
d56fb727ba Merge changes from topic "f2fs-system"
* changes:
  Enable f2fs compression for other partitions
  Enable --readonly for system compression
2021-05-27 18:42:28 +00:00
Tianjie Xu
f4ca0567dd Merge "Check super size for factory OTA at build time" 2021-05-26 21:33:14 +00:00
Kelvin Zhang
ea7c944d62 Merge "Validate AVB props in vbmeta image" 2021-05-26 20:41:17 +00:00
Kelvin Zhang
4093d60f35 Validate AVB props in vbmeta image
Bug: 183055693
Test: th
Test: validate_target_files signed-redfin-target_files-7119741.zip

Change-Id: I027d474ba3eb6af5e05866551ff9ea506825a326
2021-05-26 17:59:24 +00:00
Jaegeuk Kim
1369654d8d Enable f2fs compression for other partitions
Bug: 171942852
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I231f7a2b808cc792fd582cd444825e4a47722984
2021-05-25 14:54:45 -07:00
Jaegeuk Kim
46e0ea2ce1 Enable --readonly for system compression
This option is to reduce system partition size.

Bug: 171942852
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Idc849cfce33ac0badb2b9b7953bb821c46a24472
2021-05-25 14:50:04 -07:00
Bowgo Tsai
cf9ead8972 Support AVB signing for BOARD_PREBUILT_BOOTIMAGE
Devices using GKI architecture will use a prebuilt boot.img.
However, we should still sign this prebuilt boot.img with
device-specific AVB keys.

Steps to test the CL.
1. In a device BoardConfig.mk:

   # Uses a prebuilt boot.img
   TARGET_NO_KERNEL := true
   BOARD_PREBUILT_BOOTIMAGE := device/google/redbull/boot.img

   # Enable chained vbmeta for the boot image.
   # The following can be absent, where the hash descriptor of the
   # 'boot' partition will be stored then signed in vbmeta.img instead.
   BOARD_AVB_BOOT_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
   BOARD_AVB_BOOT_ALGORITHM := SHA256_RSA4096
   BOARD_AVB_BOOT_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
   BOARD_AVB_BOOT_ROLLBACK_INDEX_LOCATION := 2

2. `make bootimage`, then `avbtool info_image --image $OUT/boot.img`,
    checks the image is re-signed with a device-specific key

3. `make dist` to generate out/dist/TF.zip

4. `unzip out/dist/TF.zip IMAGES/boot.img`

5. `avbtool info_image --image out/dist/IMAGES/boot.img`,
    checks the image is re-signed with a device-specific key

6. `sign_target_files_apks \
      --avb_boot_key=external/avb/test/data/testkey_rsa8192.pem \
      --avb_boot_algorithm=SHA256_RSA8192 \
      --avb_boot_extra_args="--prop test:sign" \
      ./out/dist/*-target_files-eng.*.zip signed.zip`, resign the TF.zip

7. `unzip signed.zip IMAGES/boot.img`, then use `avbtool info_image` to
   check the boot.img is re-signed with the --avb_boot_key in step 6.

Bug: 188485657
Test: above steps
Change-Id: I7ee8b3ffe6a86aaca34bbb7a8898a97b3f8bd801
2021-05-21 08:44:37 +00:00
Kelvin Zhang
51c8f9f34c Merge "Expose ota_metadata_proto for consumption" 2021-05-19 12:59:43 +00:00
Tianjie Xu
77e0d86f26 Merge "When checking if mke2fs is used, compare using basename" 2021-05-18 02:10:02 +00:00
Treehugger Robot
20fed4ad29 Merge "check_target_files_signatures actually needs aapt2, not aapt." 2021-05-15 00:36:09 +00:00
Elliott Hughes
16a5cac394 check_target_files_signatures actually needs aapt2, not aapt.
Test: treehugger
Change-Id: Ia0ff6d16a64f96fd9e2b9d33711cc9b94734c4ff
2021-05-14 15:27:23 -07:00
Kelvin Zhang
a3a74b69ac Expose ota_metadata_proto for consumption
Recovery needs to parse OTA metadata and perform various safety checks

Test: th
Change-Id: Ibbfa55a8ec8a15d37adb57299ed6ee89b06ba368
2021-05-14 17:18:43 -04:00
Kelvin Zhang
4de9bb23f2 Reland: Enable verity computation on VABC devices
Test: th
Test: Manual OTA test on bramble, pause/resume multiple times
Test: verity enabled, VABC enabled OTA
Test: verity enabled, VABC disabled OTA
Test: verity disabled, VABC enabled OTA
Test: verity disabled, VABC disabled OTA

Change-Id: Ia236984b158761f84f54ab7a6d3d49491c249546
2021-05-14 12:38:28 -04:00
Tianjie
294ec7d9e5 Check super size for factory OTA at build time
For VAB launched device, factory OTA will write system_other
partition to the super image. So we want to check that
sum(dynamic partitions) + system_other + overhead <= super at
build time.

Since we don't know the overhead at build time, we might instead
check sum(all partitions) < super.

Bug: 185809374
Test: m check-all-partition-sizes, unittests
Change-Id: Ia7ba5999d23924a1927e9a9463856a4d0ea90c20
2021-05-13 17:41:52 -07:00
Tianjie Xu
fc15d50d6d Merge "Calculate the runtime ro.build.id in ota scripts" 2021-05-11 19:19:09 +00:00
Håkan Kvist
2e1f5271c5 When checking if mke2fs is used, compare using basename
build_image adds additional parameters (uuid, hash_seed) if
prop_dict["ext_mkuserimg"] is set to "mkuserimg_mke2fs".
The comparison does not take paths into consideration, so passing a
full path to mkuserimg_mke2fs would cause the parameters to not
be included.

This is currently not an issue for aosp builds, but could cause problems
for customized build systems.

Bug: 187742822
Test: Manual, using vendor build system, also executed 'm droid'
Change-Id: I7a8973dd0c4d8a39aea5aafcfe1aa69750fb1449
2021-05-11 16:48:53 +02:00
Treehugger Robot
dcadb68011 Merge "sign_target_files_apks: replacing GKI signing args completely" 2021-05-11 07:30:16 +00:00
Tianjie
fdda51d2ae Calculate the runtime ro.build.id in ota scripts
If the build prop ro.build.id isn't set at build time, init will
set it at runtime. The logic is appending the vbmeta digest to
the ro.build.legacy.id.

Make the same change in ota scripts, so the correct build fingerprint
will be saved in the ota metadata.

Bug: 186786987
Test: generate an OTA, check the metadata
Change-Id: I278f59c41c1f98d4cbea749e5d9e4eaf7a6b9565
2021-05-10 11:35:48 -07:00
Bowgo Tsai
bcae74def7 sign_target_files_apks: replacing GKI signing args completely
Commit I8bd8ad3acf324931b47d45fd30bc590206b1927e adds a default
value of "gki_signing_signature_args" in the misc_info.txt for
release signing to work. However, it's better to replace the default
value entirely (e.g., --prop foo:bar) as there is no need to include
them in the final release-signed image.

Bug: 178559811
Bug: 177862434
Test: atest releasetools_test
Test: atest releasetools_py3_test
Change-Id: I060b5a7076ff3e5d883abeb7d72f3db887c9fd69
2021-05-10 17:43:52 +08:00
Tianjie Xu
a530481db1 Merge "Don't set the build id if we need to append the digest" 2021-05-08 22:56:56 +00:00
Treehugger Robot
e86abec252 Merge "Add ota_metadata_proto_java" 2021-05-08 21:44:57 +00:00
Tianjie Xu
efc00ca7b2 Merge "Calculate the vbmeta digest when building images" 2021-05-07 19:06:32 +00:00
Tianjie
9797623c2a Don't set the build id if we need to append the digest
Background in http://go/compatible-build-fingerprint. If we want
to append unique vbmeta digest to build id, we cannot setup the
prop value at build time. Instead, set the old value as
ro.build.legacy.id; and let init set ro.build.id at runtime.

Bug: 186786987
Test: build a target file with the flag on
Change-Id: Ie139725bb7e5c65bd3f28f43b9975ba48ee10354
2021-05-06 00:32:56 +00:00
Tianjie
bbde59f9eb Calculate the vbmeta digest when building images
Calculate the vbmeta digest if the device builds vbmeta image. The
digest will used later to determine the build fingerprint in new
format.

One sample usage is the ota package generation, where we put the
build fingerprint in the ota metadata. But we don't have the runtime
vbmeta digest provided the bootloader.

Bug: 186786987
Test: unit tests
Change-Id: If572e2b973e295a6c95a9e23a65bb20b3afbf1b0
2021-05-05 18:04:51 +00:00
Kelvin Zhang
2b6a9c3133 Add ota_metadata_proto_java
Test: th
Change-Id: Iac9b679299db6a23cdf85d7c46f20d0538ba6015
2021-05-05 09:08:12 -04:00
Kelvin Zhang
2a3e5b1cf5 Disable downgrade VABC OTAs
Downgrade VABC OTA causes users to wait in recovery for merge to
complete, disable by default.

Test: th
Test: generate downgrade OTA, make sure VABC disabled
Test: generate upgrade OTA with --wipe_user_data, make sure VABC
disabled
Test: generate upgrade OTA, make sure VABC is used
Test: generate downgrade OTA with --vabc_downgrade, make sure VABC is
enabled
Bug: 187215486

Change-Id: Ib7e6165252d47f1ecaac4fc2329b580274c8d70e
2021-05-05 09:08:12 -04:00
Chih-hung Hsieh
73524b6bdd Merge "Fix more pylint warnings." 2021-05-03 17:37:58 +00:00
Treehugger Robot
34949e63da Merge "Avoid to print undefined image_size and partition_size" 2021-05-01 03:45:13 +00:00
Chih-Hung Hsieh
a606822f35 Fix more pylint warnings.
* add .pylintrc to use 2 space indentation
* rename single-letter local variables

Test: ./warn.py build.log > warnings.html
Change-Id: I2ca56a6cb130a9d6c73328c5592ad7cde8a974ab
2021-04-30 14:32:25 -07:00