Merge "Reland: Generate fs-verity build manifst APK for other partitions"
90195c958d
2 changed files with 106 additions and 54 deletions
145
core/Makefile
145
core/Makefile
|
@ -599,8 +599,16 @@ $(APKCERTS_FILE):
|
|||
$(if $(PACKAGES.$(p).EXTERNAL_KEY),\
|
||||
$(call _apkcerts_write_line,$(PACKAGES.$(p).STEM),EXTERNAL,,$(PACKAGES.$(p).COMPRESSED),$(PACKAGES.$(p).PARTITION),$@),\
|
||||
$(call _apkcerts_write_line,$(PACKAGES.$(p).STEM),$(PACKAGES.$(p).CERTIFICATE),$(PACKAGES.$(p).PRIVATE_KEY),$(PACKAGES.$(p).COMPRESSED),$(PACKAGES.$(p).PARTITION),$@))))
|
||||
$(if $(filter true,$(PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA)),\
|
||||
$(call _apkcerts_write_line,$(notdir $(basename $(FSVERITY_APK_OUT))),$(FSVERITY_APK_KEY_PATH).x509.pem,$(FSVERITY_APK_KEY_PATH).pk8,,system,$@))
|
||||
$(if $(filter true,$(PRODUCT_FSVERITY_GENERATE_METADATA)),\
|
||||
$(call _apkcerts_write_line,BuildManifest,$(FSVERITY_APK_KEY_PATH).x509.pem,$(FSVERITY_APK_KEY_PATH).pk8,,system,$@) \
|
||||
$(if $(filter true,$(BUILDING_SYSTEM_EXT_IMAGE)),\
|
||||
$(call _apkcerts_write_line,BuildManifestSystemExt,$(FSVERITY_APK_KEY_PATH).x509.pem,$(FSVERITY_APK_KEY_PATH).pk8,,system_ext,$@)) \
|
||||
$(if $(filter true,$(BUILDING_VENDOR_IMAGE)),\
|
||||
$(call _apkcerts_write_line,BuildManifestVendor,$(FSVERITY_APK_KEY_PATH).x509.pem,$(FSVERITY_APK_KEY_PATH).pk8,,vendor,$@)) \
|
||||
$(if $(filter true,$(BUILDING_ODM_IMAGE)),\
|
||||
$(call _apkcerts_write_line,BuildManifestOdm,$(FSVERITY_APK_KEY_PATH).x509.pem,$(FSVERITY_APK_KEY_PATH).pk8,,odm,$@)) \
|
||||
$(if $(filter true,$(BUILDING_PRODUCT_IMAGE)),\
|
||||
$(call _apkcerts_write_line,BuildManifestProduct,$(FSVERITY_APK_KEY_PATH).x509.pem,$(FSVERITY_APK_KEY_PATH).pk8,,product,$@)))
|
||||
# In case value of PACKAGES is empty.
|
||||
$(hide) touch $@
|
||||
|
||||
|
@ -2933,21 +2941,35 @@ $1
|
|||
endef
|
||||
|
||||
|
||||
# -----------------------------------------------------------------
|
||||
# system image
|
||||
|
||||
# FSVerity metadata generation
|
||||
# Generate fsverity metadata files (.fsv_meta) and build manifest
|
||||
# (system/etc/security/fsverity/BuildManifest.apk) BEFORE filtering systemimage files below
|
||||
ifeq ($(PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA),true)
|
||||
# (<partition>/etc/security/fsverity/BuildManifest<suffix>.apk) BEFORE filtering systemimage,
|
||||
# vendorimage, odmimage, productimage files below.
|
||||
ifeq ($(PRODUCT_FSVERITY_GENERATE_METADATA),true)
|
||||
|
||||
# Generate fsv_meta
|
||||
fsverity-metadata-targets := $(sort $(filter \
|
||||
fsverity-metadata-targets-patterns := \
|
||||
$(TARGET_OUT)/framework/% \
|
||||
$(TARGET_OUT)/etc/boot-image.prof \
|
||||
$(TARGET_OUT)/etc/dirty-image-objects \
|
||||
$(TARGET_OUT)/etc/preloaded-classes \
|
||||
$(TARGET_OUT)/etc/classpaths/%.pb, \
|
||||
$(TARGET_OUT)/etc/classpaths/%.pb \
|
||||
|
||||
ifdef BUILDING_SYSTEM_EXT_IMAGE
|
||||
fsverity-metadata-targets-patterns += $(TARGET_OUT_SYSTEM_EXT)/framework/%
|
||||
endif
|
||||
ifdef BUILDING_VENDOR_IMAGE
|
||||
fsverity-metadata-targets-patterns += $(TARGET_OUT_VENDOR)/framework/%
|
||||
endif
|
||||
ifdef BUILDING_ODM_IMAGE
|
||||
fsverity-metadata-targets-patterns += $(TARGET_OUT_ODM)/framework/%
|
||||
endif
|
||||
ifdef BUILDING_PRODUCT_IMAGE
|
||||
fsverity-metadata-targets-patterns += $(TARGET_OUT_PRODUCT)/framework/%
|
||||
endif
|
||||
|
||||
# Generate fsv_meta
|
||||
fsverity-metadata-targets := $(sort $(filter \
|
||||
$(fsverity-metadata-targets-patterns), \
|
||||
$(ALL_DEFAULT_INSTALLED_MODULES)))
|
||||
|
||||
define fsverity-generate-metadata
|
||||
|
@ -2961,47 +2983,80 @@ endef
|
|||
$(foreach f,$(fsverity-metadata-targets),$(eval $(call fsverity-generate-metadata,$(f))))
|
||||
ALL_DEFAULT_INSTALLED_MODULES += $(addsuffix .fsv_meta,$(fsverity-metadata-targets))
|
||||
|
||||
# Generate BuildManifest.apk
|
||||
FSVERITY_APK_KEY_PATH := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
|
||||
FSVERITY_APK_OUT := $(TARGET_OUT)/etc/security/fsverity/BuildManifest.apk
|
||||
FSVERITY_APK_MANIFEST_PATH := system/security/fsverity/AndroidManifest.xml
|
||||
$(FSVERITY_APK_OUT): PRIVATE_FSVERITY := $(HOST_OUT_EXECUTABLES)/fsverity
|
||||
$(FSVERITY_APK_OUT): PRIVATE_AAPT2 := $(HOST_OUT_EXECUTABLES)/aapt2
|
||||
$(FSVERITY_APK_OUT): PRIVATE_MIN_SDK_VERSION := $(DEFAULT_APP_TARGET_SDK)
|
||||
$(FSVERITY_APK_OUT): PRIVATE_VERSION_CODE := $(PLATFORM_SDK_VERSION)
|
||||
$(FSVERITY_APK_OUT): PRIVATE_VERSION_NAME := $(APPS_DEFAULT_VERSION_NAME)
|
||||
$(FSVERITY_APK_OUT): PRIVATE_APKSIGNER := $(HOST_OUT_EXECUTABLES)/apksigner
|
||||
$(FSVERITY_APK_OUT): PRIVATE_MANIFEST := $(FSVERITY_APK_MANIFEST_PATH)
|
||||
$(FSVERITY_APK_OUT): PRIVATE_FRAMEWORK_RES := $(call intermediates-dir-for,APPS,framework-res,,COMMON)/package-export.apk
|
||||
$(FSVERITY_APK_OUT): PRIVATE_KEY := $(FSVERITY_APK_KEY_PATH)
|
||||
$(FSVERITY_APK_OUT): PRIVATE_INPUTS := $(fsverity-metadata-targets)
|
||||
$(FSVERITY_APK_OUT): PRIVATE_ASSETS := $(call intermediates-dir-for,ETC,build_manifest)/assets
|
||||
$(FSVERITY_APK_OUT): $(HOST_OUT_EXECUTABLES)/fsverity_manifest_generator \
|
||||
FSVERITY_APK_MANIFEST_TEMPLATE_PATH := system/security/fsverity/AndroidManifest.xml
|
||||
|
||||
# Generate and install BuildManifest<suffix>.apk for the given partition
|
||||
# $(1): path of the output APK
|
||||
# $(2): partition name
|
||||
define fsverity-generate-and-install-manifest-apk
|
||||
fsverity-metadata-targets-$(2) := $(filter $(PRODUCT_OUT)/$(2)/%,\
|
||||
$(fsverity-metadata-targets))
|
||||
$(1): PRIVATE_FSVERITY := $(HOST_OUT_EXECUTABLES)/fsverity
|
||||
$(1): PRIVATE_AAPT2 := $(HOST_OUT_EXECUTABLES)/aapt2
|
||||
$(1): PRIVATE_MIN_SDK_VERSION := $(DEFAULT_APP_TARGET_SDK)
|
||||
$(1): PRIVATE_VERSION_CODE := $(PLATFORM_SDK_VERSION)
|
||||
$(1): PRIVATE_VERSION_NAME := $(APPS_DEFAULT_VERSION_NAME)
|
||||
$(1): PRIVATE_APKSIGNER := $(HOST_OUT_EXECUTABLES)/apksigner
|
||||
$(1): PRIVATE_MANIFEST := $(FSVERITY_APK_MANIFEST_TEMPLATE_PATH)
|
||||
$(1): PRIVATE_FRAMEWORK_RES := $(call intermediates-dir-for,APPS,framework-res,,COMMON)/package-export.apk
|
||||
$(1): PRIVATE_KEY := $(FSVERITY_APK_KEY_PATH)
|
||||
$(1): PRIVATE_INPUTS := $$(fsverity-metadata-targets-$(2))
|
||||
$(1): PRIVATE_ASSETS := $(call intermediates-dir-for,ETC,build_manifest-$(2))/assets
|
||||
$(1): $(HOST_OUT_EXECUTABLES)/fsverity_manifest_generator \
|
||||
$(HOST_OUT_EXECUTABLES)/fsverity $(HOST_OUT_EXECUTABLES)/aapt2 \
|
||||
$(HOST_OUT_EXECUTABLES)/apksigner $(FSVERITY_APK_MANIFEST_PATH) \
|
||||
$(HOST_OUT_EXECUTABLES)/apksigner $(FSVERITY_APK_MANIFEST_TEMPLATE_PATH) \
|
||||
$(FSVERITY_APK_KEY_PATH).x509.pem $(FSVERITY_APK_KEY_PATH).pk8 \
|
||||
$(call intermediates-dir-for,APPS,framework-res,,COMMON)/package-export.apk \
|
||||
$(fsverity-metadata-targets)
|
||||
rm -rf $(PRIVATE_ASSETS)
|
||||
mkdir -p $(PRIVATE_ASSETS)
|
||||
$< --fsverity-path $(PRIVATE_FSVERITY) \
|
||||
--base-dir $(PRODUCT_OUT) \
|
||||
--output $(PRIVATE_ASSETS)/build_manifest.pb \
|
||||
$(PRIVATE_INPUTS)
|
||||
$(PRIVATE_AAPT2) link -o $@ \
|
||||
-A $(PRIVATE_ASSETS) \
|
||||
-I $(PRIVATE_FRAMEWORK_RES) \
|
||||
--min-sdk-version $(PRIVATE_MIN_SDK_VERSION) \
|
||||
--version-code $(PRIVATE_VERSION_CODE) \
|
||||
--version-name $(PRIVATE_VERSION_NAME) \
|
||||
--manifest $(PRIVATE_MANIFEST)
|
||||
$(PRIVATE_APKSIGNER) sign --in $@ \
|
||||
--cert $(PRIVATE_KEY).x509.pem \
|
||||
--key $(PRIVATE_KEY).pk8
|
||||
$$(fsverity-metadata-targets-$(2))
|
||||
rm -rf $$(PRIVATE_ASSETS)
|
||||
mkdir -p $$(PRIVATE_ASSETS)
|
||||
ifdef fsverity-metadata-targets-$(2)
|
||||
$$< --fsverity-path $$(PRIVATE_FSVERITY) \
|
||||
--base-dir $$(PRODUCT_OUT) \
|
||||
--output $$(PRIVATE_ASSETS)/build_manifest.pb \
|
||||
$$(PRIVATE_INPUTS)
|
||||
endif # fsverity-metadata-targets-$(2)
|
||||
$$(PRIVATE_AAPT2) link -o $$@ \
|
||||
-A $$(PRIVATE_ASSETS) \
|
||||
-I $$(PRIVATE_FRAMEWORK_RES) \
|
||||
--min-sdk-version $$(PRIVATE_MIN_SDK_VERSION) \
|
||||
--version-code $$(PRIVATE_VERSION_CODE) \
|
||||
--version-name $$(PRIVATE_VERSION_NAME) \
|
||||
--manifest $$(PRIVATE_MANIFEST) \
|
||||
--rename-manifest-package com.android.security.fsverity_metadata.$(2)
|
||||
$$(PRIVATE_APKSIGNER) sign --in $$@ \
|
||||
--cert $$(PRIVATE_KEY).x509.pem \
|
||||
--key $$(PRIVATE_KEY).pk8
|
||||
|
||||
ALL_DEFAULT_INSTALLED_MODULES += $(FSVERITY_APK_OUT)
|
||||
ALL_DEFAULT_INSTALLED_MODULES += $(1)
|
||||
|
||||
endif # PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA
|
||||
endef # fsverity-generate-and-install-manifest-apk
|
||||
|
||||
$(eval $(call fsverity-generate-and-install-manifest-apk, \
|
||||
$(TARGET_OUT)/etc/security/fsverity/BuildManifest.apk,system))
|
||||
ifdef BUILDING_SYSTEM_EXT_IMAGE
|
||||
$(eval $(call fsverity-generate-and-install-manifest-apk, \
|
||||
$(TARGET_OUT_SYSTEM_EXT)/etc/security/fsverity/BuildManifestSystemExt.apk,system_ext))
|
||||
endif
|
||||
ifdef BUILDING_VENDOR_IMAGE
|
||||
$(eval $(call fsverity-generate-and-install-manifest-apk, \
|
||||
$(TARGET_OUT_VENDOR)/etc/security/fsverity/BuildManifestVendor.apk,vendor))
|
||||
endif
|
||||
ifdef BUILDING_ODM_IMAGE
|
||||
$(eval $(call fsverity-generate-and-install-manifest-apk, \
|
||||
$(TARGET_OUT_ODM)/etc/security/fsverity/BuildManifestOdm.apk,odm))
|
||||
endif
|
||||
ifdef BUILDING_PRODUCT_IMAGE
|
||||
$(eval $(call fsverity-generate-and-install-manifest-apk, \
|
||||
$(TARGET_OUT_PRODUCT)/etc/security/fsverity/BuildManifestProduct.apk,product))
|
||||
endif
|
||||
|
||||
endif # PRODUCT_FSVERITY_GENERATE_METADATA
|
||||
|
||||
|
||||
# -----------------------------------------------------------------
|
||||
# system image
|
||||
|
||||
INSTALLED_FILES_OUTSIDE_IMAGES := $(filter-out $(TARGET_OUT)/%, $(INSTALLED_FILES_OUTSIDE_IMAGES))
|
||||
INTERNAL_SYSTEMIMAGE_FILES := $(sort $(filter $(TARGET_OUT)/%, \
|
||||
|
|
|
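Review bot: The per-partition guards disagree between hunks: the apkcerts hunk at @ -599 tests `$(filter true,$(BUILDING_VENDOR_IMAGE))` (likewise SYSTEM_EXT, ODM, PRODUCT), while the pattern list at @ -2933 and the eval calls at @ -2961 test `ifdef BUILDING_VENDOR_IMAGE`. If one of these variables is ever set to a value other than `true`, the manifest APK is built and appended to ALL_DEFAULT_INSTALLED_MODULES but gets no apkcerts entry, so the release signing step has no key mapping for it; presumably the board config only ever sets them to empty or `true`, but one condition form should be used in all three places, e.g. `ifeq ($(BUILDING_VENDOR_IMAGE),true)` in the two Makefile hunks. Separately, inside fsverity-generate-and-install-manifest-apk the `ifdef fsverity-metadata-targets-$(2)` skip means a partition with no matching files still gets a signed BuildManifest<suffix>.apk that contains no build_manifest.pb asset, which reads as an oversight rather than a choice. A comment on that `ifdef`, `# No fs-verity inputs for this partition: still emit the APK, but without a build_manifest.pb asset; consumers must tolerate its absence`, would make the intent explicit.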
@ -356,15 +356,12 @@ _product_single_value_vars += PRODUCT_INSTALL_EXTRA_FLATTENED_APEXES
|
|||
# This option is only meant to be set by compliance GSI targets.
|
||||
_product_single_value_vars += PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
|
||||
|
||||
# If set, metadata files for the following artifacts will be generated.
|
||||
# - system/framework/*.jar
|
||||
# - system/framework/oat/<arch>/*.{oat,vdex,art}
|
||||
# - system/etc/boot-image.prof
|
||||
# - system/etc/dirty-image-objects
|
||||
# One fsverity metadata container file per one input file will be generated in
|
||||
# system.img, with a suffix ".fsv_meta". e.g. a container file for
|
||||
# "/system/framework/foo.jar" will be "system/framework/foo.jar.fsv_meta".
|
||||
_product_single_value_vars += PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA
|
||||
# If set, fsverity metadata files will be generated for each files in the
|
||||
# allowlist, plus an manifest APK per partition. For example,
|
||||
# /system/framework/service.jar will come with service.jar.fsv_meta in the same
|
||||
# directory; the file information will also be included in
|
||||
# /system/etc/security/fsverity/BuildManifest.apk
|
||||
_product_single_value_vars += PRODUCT_FSVERITY_GENERATE_METADATA
|
||||
|
||||
# If true, sets the default for MODULE_BUILD_FROM_SOURCE. This overrides
|
||||
# BRANCH_DEFAULT_MODULE_BUILD_FROM_SOURCE but not an explicitly set value.
|
||||
|
|