os_version is important for keymaster version binding, where it
refuses to perform operations with a key that is bound to an old
system version. This ensures that an attacker who discovers a
weakness in an old version of system or TEE software cannot roll a
device back to the vulnerable version and use keys created with the
newer version.
Previously, os_version for system.img was added into the boot.img header
for the bootloader to read the value and then pass it to the TEE before
booting the HLOS. However, with project Treble to modularize each partition, all
images are now in the trajectory to be built independently (still
on-going). Also, in the Generic System Image (GSI) compliance test,
the os_version in OEM's boot.img cannot reflect the actual version of
GSI.
This CL adds per-partition os_versions into AVB metadata, which is
readable by bootloader via libavb without file system dependency. It's
still unclear how os_version in non-system partitions should be used.
We just add them for completeness here.
See more details in:
https://source.android.com/security/keystore/version-binding
Bug: 132233601
Test: build and avbtool info_image $OUT/vbmeta.img
- Prop: com.android.build.boot.os_version -> '10'
- Prop: com.android.build.system.os_version -> '10'
- Prop: com.android.build.system.security_patch -> '2019-06-05'
- Prop: com.android.build.vendor.os_version -> '10'
- Prop: com.android.build.vendor.security_patch -> '2019-06-05'
- Prop: com.android.build.product.os_version -> '10'
- Prop: com.android.build.product.security_patch -> '2019-06-05'
Change-Id: I21a77420f2e8a3456f7a8cae5158eb8fc41319e7
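Added example, not part of the commit or of avbtool: a build-side audit that parses the `Prop:` lines printed by `avbtool info_image` (the ones quoted in the Test: section above) and reports partitions whose os_version or security_patch is older than the values a key would be bound to. The function names and the comparison policy are assumptions made for illustration; the actual enforcement happens in the bootloader/TEE, not in a script like this.

```python
import re
from datetime import date

# Sample input: the Prop lines quoted in the commit message's Test: section.
SAMPLE_INFO_IMAGE = """\
    Prop: com.android.build.boot.os_version -> '10'
    Prop: com.android.build.system.os_version -> '10'
    Prop: com.android.build.system.security_patch -> '2019-06-05'
    Prop: com.android.build.vendor.os_version -> '10'
    Prop: com.android.build.vendor.security_patch -> '2019-06-05'
    Prop: com.android.build.product.os_version -> '10'
    Prop: com.android.build.product.security_patch -> '2019-06-05'
"""

PROP_RE = re.compile(
    r"Prop:\s+com\.android\.build\.(?P<part>\w+)\."
    r"(?P<field>os_version|security_patch)\s+->\s+'(?P<value>[^']*)'"
)

def parse_build_props(info_image_text):
    """Return {partition: {field: value}} for the per-partition build props."""
    props = {}
    for m in PROP_RE.finditer(info_image_text):
        props.setdefault(m["part"], {})[m["field"]] = m["value"]
    return props

def _os_key(version):
    # "10" and "10.0.0" compare equal; assumes dotted numeric versions.
    parts = [int(p) for p in version.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def rollback_findings(props, bound_os_version, bound_patch):
    """Return sorted (partition, field) pairs older than the bound values.

    Hypothetical audit policy: a missing field is reported for os_version
    only, since the sample boot partition carries no security_patch.
    """
    findings = []
    for part, fields in sorted(props.items()):
        os_v = fields.get("os_version")
        if os_v is None or _os_key(os_v) < _os_key(bound_os_version):
            findings.append((part, "os_version"))
        patch = fields.get("security_patch")
        if patch and date.fromisoformat(patch) < date.fromisoformat(bound_patch):
            findings.append((part, "security_patch"))
    return findings

if __name__ == "__main__":
    print(rollback_findings(parse_build_props(SAMPLE_INFO_IMAGE), "10", "2019-06-05"))
```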
They should only be in the Runtime APEX, c.f. discussion on
http://r.android.com/957159.
Test: build/soong/build_test.bash through Forrest
Bug: 124293228
Change-Id: I33e97a56e67c3f4734d14f38e0f1597b697a2604
Should be in product_config.mk, before the variables are readonly'd, or
the default will fail to work.
Bug: 131576555
Test: set PRODUCT_SHIPPING_API_LEVEL := 29 in mainline_arm64.mk && lunch
Change-Id: I25faee7ec0a3fff17e1d08b834d868834effda36
This is the first commit to generate VNDK snapshot with Soong: .so
files, some txt files, and notice files are captured with Soong. As
ld.config.txt is currently in Android.mk and will be deprecated soon,
config files (and zipping all of the artifacts) are still handled with
Makefile.
Bug: 131564934
Test: 1) DIST_DIR=out/dist development/vndk/snapshot/build.sh
Test: 2) try installing vndk snapshot with:
development/vndk/snapshot/update.py
Change-Id: Ia904e8a1b44824d6c9556ada93bf1616620a1363
Values should be comma-separated, and things won't go down well
if there are multiple words in this variable.
Bug: 123783710
Test: Put this in product_config.mk and ran multiproduct_kati:
ifneq (1,$(words $(PRODUCT_CHARACTERISTICS)))
$(error oops)
endif
Change-Id: I5627f416093d68d8d19916a914739686b74d392f
This has been a warning for a long time. Make it an error instead.
Once this has been verified to not cause any problems, it can
likely be changed to instead default to setting
TARGET_SUPPORTS_64_BIT_APPS := true.
Test: build_test
Change-Id: I0d03fed2085009c64880a594d5a3aadf72187e60
Move the dexpreopt.config passed to Soong to out/soong/dexpreopt.config
and let it write a new copy in a rule and pass the path back to make
as DEX_PREOPT_CONFIG_FOR_MAKE.
Bug: 132379813
Test: m checkbuild
Change-Id: Iac29beac3af8864d36d1563ce42bed11b685548d
LOCAL_STATIC_LIBRARIES may contain .native_bridge suffix
when built for translated targets.
This CL makes the NOTICE file exception apply for them too.
Bug: http://b/77159578
Test: make
Change-Id: Ic8a18f06afa0c460751f21587b7f751ac0ae4a3f
The current EXPERIMENTAL_USE_OPENJDK9 environment variable is a legacy
from when the 8 -> 9 toolchain upgrade was happening. That migration
is done and the variable only affects the language level, so it should
have a name that reflects that. (The current situation would be
especially confusing if we started a 9 -> 11 toolchain upgrade,
presumably controlled by a variable like EXPERIMENTAL_USE_OPENJDK11,
since the two settings look incompatible but are actually orthogonal.)
The current variable historically allowed a value of "1.8" which meant
"use the OpenJDK 9 toolchain but target language level 8". That value
no longer has any meaning and the new variable doesn't allow it.
Bug: 131678633
Test: `make` with `EXPERIMENTAL_JAVA_LANGUAGE_LEVEL_9=true`
Test: `javap -v $OUT_DIR/soong/.intermediates/libcore/core-oj/android_common/javac/classes/java/util/List.class | grep 'major version'` shows 53
Change-Id: Ic1f76a656bea30713b356a28e82f908a46933893
Test: Audit all mentions of the old string here and downstream
TARGET_FLATTEN_APEX and ro.apex.updatable cannot be independently set.
For a device where updating APEXes is not supported, ro.apex.updatable
should not be set (or set to false) and TARGET_FLATTEN_APEX should be
set to true. For APEX-supporting devices, it is the opposite;
ro.apex.updatable == true and TARGET_FLATTEN_APEX is false (or not set).
To ensure this relationship, TARGET_FLATTEN_APEX is by default set to
true, and overridden to false when updatable_apex.mk is inherited.
Bug: 130623080
Test: choosecombo to Pixels 2 and later; get_build_var
TARGET_FLATTEN_APEX returns false.
choosecombo to the original Pixel and other non-Pixel targets;
get_build_var TARGET_FLATTEN_APEX returns true.
choosecombo to the cuttlefish; get_build_var TARGET_FLATTEN_APEX
returns false
Merged-In: Id73a594dd9838457e68e2793122592c11a84fc83
Change-Id: Id73a594dd9838457e68e2793122592c11a84fc83
(cherry picked from commit 18411a42f0)
BUILD_AUX_EXECUTABLE
BUILD_AUX_STATIC_LIBRARY
These shouldn't be used anymore, they were an intermediate state to
build some firmware that is no longer being built in Android.
BUILD_HOST_FUZZ_TEST
BUILD_HOST_NATIVE_TEST
BUILD_HOST_STATIC_TEST_LIBRARY
BUILD_NATIVE_BENCHMARK
BUILD_STATIC_TEST_LIBRARY
There are no users of these left.
Bug: 130735607
Bug: 130735003
Bug: 130691889
Bug: 130723134
Bug: 130722660
Bug: 130734558
Bug: 130735594
Test: build_test & check logs
Change-Id: I8a9385040316495f7e7262d045be871e91712920
Bug: 132197773
Test: property present in vendor/build.prop
Currently, the property resides in product partition which gets
overwritten by the GSI image. Moving it to vendor will ensure
that the property is set even when a GSI image is flashed on the device.
Change-Id: I4d4a3c473194e15ba124a121f89bbb3ec1a73d19
PRODUCT_EXTRA_VNDK_VERSIONS should be in _product_list_vars
because it's used as a list with probably more than one version
included/set in different makefiles.
Bug: 132046980
Test: $ lunch aosp_x86_ab-userdebug
$ m -j
$ find $OUT/system/ -name vndk-* # vndk-27 directory is included
Change-Id: Iee9b7b678a23eed781cc761d820db9ff67ae5d34
symbols.zip is created while files that are not part of the platform
build but were requested on the Make command line (for example by
passing "tests") are still being installed. Installation often
involves removing and then recreating the file. If the file
exists when the list of files to be zipped is created, but is
removed when soong_zip is zipping, it fails with an error. Pass
--ignore_missing_files to silence the error and keep zipping.
Fixes: 79503862
Test: m checkbuild
Change-Id: I1fbbf1f1396948288ee133c319b2e19dee97983b
Bug: 123428770
Test: Built system-only image and checked that no boot.img or
recovery.img files were created. Booted the resulting merged build on
device.
Change-Id: I760476502775e68125907c39e66b8665e789a798