Merge "Add PRODUCT_EXTRA_OTA_KEYS to add extra ota keys in otacerts.zip" am: bff997fd1f
Original change: https://android-review.googlesource.com/c/platform/build/+/1934214 Change-Id: I46e405153c4a87a960d037312eb99c31103c8efc
This commit is contained in:
Jacky Liu
Automerger Merge Worker
commit
4f9eb6b9e4
6 changed files with 45 additions and 11 deletions
|
|
@ -4622,6 +4622,9 @@ else
|
|||
endif
|
||||
$(hide) echo "tool_extensions=$(tool_extensions)" >> $@
|
||||
$(hide) echo "default_system_dev_certificate=$(DEFAULT_SYSTEM_DEV_CERTIFICATE)" >> $@
|
||||
ifdef PRODUCT_EXTRA_OTA_KEYS
|
||||
$(hide) echo "extra_ota_keys=$(PRODUCT_EXTRA_OTA_KEYS)" >> $@
|
||||
endif
|
||||
ifdef PRODUCT_EXTRA_RECOVERY_KEYS
|
||||
$(hide) echo "extra_recovery_keys=$(PRODUCT_EXTRA_RECOVERY_KEYS)" >> $@
|
||||
endif
|
||||
|
|
|
|||
|
|
@ -126,6 +126,7 @@ $(OUT_DIR)/products/$(strip $(1)).txt: $(this_makefile)
|
|||
$(hide) echo 'PRODUCT_CHARACTERISTICS=$(call get-product-var,$(1),PRODUCT_CHARACTERISTICS)' >> $$@
|
||||
$(hide) echo 'PRODUCT_COPY_FILES=$(call get-product-var,$(1),PRODUCT_COPY_FILES)' >> $$@
|
||||
$(hide) echo 'PRODUCT_OTA_PUBLIC_KEYS=$(call get-product-var,$(1),PRODUCT_OTA_PUBLIC_KEYS)' >> $$@
|
||||
$(hide) echo 'PRODUCT_EXTRA_OTA_KEYS=$(call get-product-var,$(1),PRODUCT_EXTRA_OTA_KEYS)' >> $$@
|
||||
$(hide) echo 'PRODUCT_EXTRA_RECOVERY_KEYS=$(call get-product-var,$(1),PRODUCT_EXTRA_RECOVERY_KEYS)' >> $$@
|
||||
$(hide) echo 'PRODUCT_PACKAGE_OVERLAYS=$(call get-product-var,$(1),PRODUCT_PACKAGE_OVERLAYS)' >> $$@
|
||||
$(hide) echo 'DEVICE_PACKAGE_OVERLAYS=$(call get-product-var,$(1),DEVICE_PACKAGE_OVERLAYS)' >> $$@
|
||||
|
|
|
|||
|
|
@ -183,6 +183,7 @@ _product_list_vars += PRODUCT_COPY_FILES
|
|||
# signing tools can substitute them for the test key embedded by
|
||||
# default.
|
||||
_product_list_vars += PRODUCT_OTA_PUBLIC_KEYS
|
||||
_product_list_vars += PRODUCT_EXTRA_OTA_KEYS
|
||||
_product_list_vars += PRODUCT_EXTRA_RECOVERY_KEYS
|
||||
|
||||
# Should we use the default resources or add any product specific overlays
|
||||
|
|
|
|||
|
|
@ -381,6 +381,7 @@ ENFORCE_SYSTEM_CERTIFICATE := $(PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQU
|
|||
ENFORCE_SYSTEM_CERTIFICATE_ALLOW_LIST := $(PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_ALLOW_LIST)
|
||||
|
||||
PRODUCT_OTA_PUBLIC_KEYS := $(sort $(PRODUCT_OTA_PUBLIC_KEYS))
|
||||
PRODUCT_EXTRA_OTA_KEYS := $(sort $(PRODUCT_EXTRA_OTA_KEYS))
|
||||
PRODUCT_EXTRA_RECOVERY_KEYS := $(sort $(PRODUCT_EXTRA_RECOVERY_KEYS))
|
||||
|
||||
# Resolve and setup per-module dex-preopt configs.
|
||||
|
|
|
|||
|
|
@ -63,9 +63,17 @@ LOCAL_MODULE_CLASS := ETC
|
|||
LOCAL_MODULE_STEM := otacerts.zip
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
extra_ota_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_OTA_KEYS))
|
||||
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
|
||||
$(LOCAL_BUILT_MODULE): $(SOONG_ZIP) $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
|
||||
$(SOONG_ZIP) -o $@ -j -symlinks=false -f $(PRIVATE_CERT)
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_OTA_KEYS := $(extra_ota_keys)
|
||||
$(LOCAL_BUILT_MODULE): \
|
||||
$(SOONG_ZIP) \
|
||||
$(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
|
||||
$(extra_ota_keys)
|
||||
$(SOONG_ZIP) -o $@ -j -symlinks=false \
|
||||
$(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_OTA_KEYS))
|
||||
|
||||
|
||||
#######################################
|
||||
|
|
@ -80,7 +88,7 @@ LOCAL_MODULE_STEM := otacerts.zip
|
|||
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
extra_recovery_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
|
||||
extra_recovery_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
|
||||
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_RECOVERY_KEYS := $(extra_recovery_keys)
|
||||
|
|
@ -89,4 +97,4 @@ $(LOCAL_BUILT_MODULE): \
|
|||
$(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
|
||||
$(extra_recovery_keys)
|
||||
$(SOONG_ZIP) -o $@ -j -symlinks=false \
|
||||
$(foreach key_file, $(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS), -f $(key_file))
|
||||
$(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS))
|
||||
|
|
|
|||
|
|
@ -888,14 +888,27 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
|
|||
except KeyError:
|
||||
raise common.ExternalError("can't read META/otakeys.txt from input")
|
||||
|
||||
extra_recovery_keys = misc_info.get("extra_recovery_keys")
|
||||
if extra_recovery_keys:
|
||||
extra_ota_keys_info = misc_info.get("extra_ota_keys")
|
||||
if extra_ota_keys_info:
|
||||
extra_ota_keys = [OPTIONS.key_map.get(k, k) + ".x509.pem"
|
||||
for k in extra_ota_keys_info.split()]
|
||||
print("extra ota key(s): " + ", ".join(extra_ota_keys))
|
||||
else:
|
||||
extra_ota_keys = []
|
||||
for k in extra_ota_keys:
|
||||
if not os.path.isfile(k):
|
||||
raise common.ExternalError(k + " does not exist or is not a file")
|
||||
|
||||
extra_recovery_keys_info = misc_info.get("extra_recovery_keys")
|
||||
if extra_recovery_keys_info:
|
||||
extra_recovery_keys = [OPTIONS.key_map.get(k, k) + ".x509.pem"
|
||||
for k in extra_recovery_keys.split()]
|
||||
if extra_recovery_keys:
|
||||
print("extra recovery-only key(s): " + ", ".join(extra_recovery_keys))
|
||||
for k in extra_recovery_keys_info.split()]
|
||||
print("extra recovery-only key(s): " + ", ".join(extra_recovery_keys))
|
||||
else:
|
||||
extra_recovery_keys = []
|
||||
for k in extra_recovery_keys:
|
||||
if not os.path.isfile(k):
|
||||
raise common.ExternalError(k + " does not exist or is not a file")
|
||||
|
||||
mapped_keys = []
|
||||
for k in keylist:
|
||||
|
|
@ -918,13 +931,20 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
|
|||
mapped_keys.append(mapped_devkey + ".x509.pem")
|
||||
print("META/otakeys.txt has no keys; using %s for OTA package"
|
||||
" verification." % (mapped_keys[0],))
|
||||
for k in mapped_keys:
|
||||
if not os.path.isfile(k):
|
||||
raise common.ExternalError(k + " does not exist or is not a file")
|
||||
|
||||
otacerts = [info
|
||||
for info in input_tf_zip.infolist()
|
||||
if info.filename.endswith("/otacerts.zip")]
|
||||
for info in otacerts:
|
||||
print("Rewriting OTA key:", info.filename, mapped_keys)
|
||||
WriteOtacerts(output_tf_zip, info.filename, mapped_keys)
|
||||
if info.filename.startswith(("BOOT/", "RECOVERY/", "VENDOR_BOOT/")):
|
||||
extra_keys = extra_recovery_keys
|
||||
else:
|
||||
extra_keys = extra_ota_keys
|
||||
print("Rewriting OTA key:", info.filename, mapped_keys + extra_keys)
|
||||
WriteOtacerts(output_tf_zip, info.filename, mapped_keys + extra_keys)
|
||||
|
||||
|
||||
def ReplaceVerityPublicKey(output_zip, filename, key_path):
|
||||
|
|
|
|||
Loading…
Reference in a new issue