tequilaOS/platform_build
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Adding sepolicy sign params to sign_target_files_apks." am: fb042449e0

Browse source 
Original change: https://android-review.googlesource.com/c/platform/build/+/2028269

Change-Id: I1602444f91240a79957089780e7c3f4f7c0750b8
This commit is contained in:
Melisa Carranza Zúñiga 2022-03-22 18:27:23 +00:00 committed by Automerger Merge Worker
commit bd8c313275
4 changed files with 158 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
tools/releasetools/common.py
View file

@ -97,6 +97,7 @@ class Options(object):
self.stash_threshold = 0.8
self.logfile = None
self.host_tools = {}
self.sepolicy_name = 'sepolicy.apex'
OPTIONS = Options()

3
tools/releasetools/sign_apex.py
View file

@ -61,6 +61,7 @@ import apex_utils
import common
logger = logging.getLogger(__name__)
OPTIONS = common.OPTIONS
def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
@ -81,7 +82,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
apk_keys=apk_keys,
signing_args=signing_args,
sign_tool=sign_tool,
is_sepolicy=apex_file.endswith("sepolicy.apex"),
is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name),
sepolicy_key=sepolicy_key,
sepolicy_cert=sepolicy_cert,
fsverity_tool=fsverity_tool)

90
tools/releasetools/sign_target_files_apks.py
View file

@ -137,6 +137,15 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
--android_jar_path <path>
Path to the android.jar to repack the apex file.
--sepolicy_key <key>
Optional flag that specifies the sepolicy signing key, defaults to payload_key for the sepolicy.apex.
--sepolicy_cert <cert>
Optional flag that specifies the sepolicy signing cert.
--fsverity_tool <path>
Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity.
--allow_gsi_debug_sepolicy
Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
(/system/system_ext|/system_ext)/etc/selinux.
@ -196,6 +205,9 @@ OPTIONS.gki_signing_extra_args = None
OPTIONS.android_jar_path = None
OPTIONS.vendor_partitions = set()
OPTIONS.vendor_otatools = None
OPTIONS.sepolicy_key = None
OPTIONS.sepolicy_cert = None
OPTIONS.fsverity_tool = None
OPTIONS.allow_gsi_debug_sepolicy = False
@ -234,6 +246,8 @@ ALLOWED_VENDOR_PARTITIONS = set(["vendor", "odm"])
def IsApexFile(filename):
return filename.endswith(".apex") or filename.endswith(".capex")
def IsSepolicyApex(filename):
return filename.endswith(OPTIONS.sepolicy_name)
def GetApexFilename(filename):
name = os.path.basename(filename)
@ -256,6 +270,24 @@ def GetApkCerts(certmap):
return certmap
def GetSepolicyKeys(keys_info):
"""Gets SEPolicy signing keys applying overrides from command line options.
Args:
keys_info: A dict that maps from the SEPolicy APEX filename to a tuple of
(sepolicy_key, sepolicy_cert, fsverity_tool).
Returns:
A dict that contains the updated APEX key mapping, which should be used for
the current signing.
"""
for name in keys_info:
(sepolicy_key, sepolicy_cert, fsverity_tool) = keys_info[name]
sepolicy_key = OPTIONS.sepolicy_key if OPTIONS.sepolicy_key else sepolicy_key
sepolicy_cert = OPTIONS.sepolicy_cert if OPTIONS.sepolicy_cert else sepolicy_cert
fsverity_tool = OPTIONS.fsverity_tool if OPTIONS.fsverity_tool else fsverity_tool
keys_info[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
return keys_info
def GetApexKeys(keys_info, key_map):
"""Gets APEX payload and container signing keys by applying the mapping rules.
@ -518,7 +550,7 @@ def IsBuildPropFile(filename):
def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
compressed_extension):
compressed_extension, sepolicy_keys):
# maxsize measures the maximum filename length, including the ones to be
# skipped.
try:
@ -586,6 +618,17 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
print(" : %-*s payload (%s)" % (
maxsize, name, payload_key))
sepolicy_key = None
sepolicy_cert = None
fsverity_tool = None
if IsSepolicyApex(name):
(sepolicy_key, sepolicy_cert, fsverity_tool) = sepolicy_keys[name]
print(" : %-*s sepolicy key (%s)" % (
maxsize, name, sepolicy_key))
print(" : %-*s sepolicy cert (%s)" % (
maxsize, name, sepolicy_cert))
signed_apex = apex_utils.SignApex(
misc_info['avb_avbtool'],
data,
@ -596,7 +639,11 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
codename_to_api_level_map,
no_hashtree=None, # Let apex_util determine if hash tree is needed
signing_args=OPTIONS.avb_extra_args.get('apex'),
sign_tool=sign_tool)
sign_tool=sign_tool,
is_sepolicy=IsSepolicyApex(name),
sepolicy_key=sepolicy_key,
sepolicy_cert=sepolicy_cert,
fsverity_tool=fsverity_tool)
common.ZipWrite(output_tf_zip, signed_apex, filename)
else:
@ -1206,20 +1253,24 @@ def GetCodenameToApiLevelMap(input_tf_zip):
def ReadApexKeysInfo(tf_zip):
"""Parses the APEX keys info from a given target-files zip.
Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a
dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a
tuple of (payload_key, container_key, sign_tool).
Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns
two dicts, the first one contains the mapping from APEX names
(e.g. com.android.tzdata) to a tuple of (payload_key, container_key,
sign_tool). The second one maps the sepolicy APEX name to a tuple containing
(sepolicy_key, sepolicy_cert, fsverity_tool).
Args:
tf_zip: The input target_files ZipFile (already open).
Returns:
(payload_key, container_key, sign_tool):
name : (payload_key, container_key, sign_tool)
- payload_key contains the path to the payload signing key
- container_key contains the path to the container signing key
- sign_tool is an apex-specific signing tool for its payload contents
name : (sepolicy_key, sepolicy_cert, fsverity_tool)
"""
keys = {}
sepolicy_keys = {}
for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'):
line = line.strip()
if not line:
@ -1230,6 +1281,9 @@ def ReadApexKeysInfo(tf_zip):
r'private_key="(?P<PAYLOAD_PRIVATE_KEY>.*)"\s+'
r'container_certificate="(?P<CONTAINER_CERT>.*)"\s+'
r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>.*?)"'
r'(\s+sepolicy_key="(?P<SEPOLICY_KEY>.*?)")?'
r'(\s+sepolicy_certificate="(?P<SEPOLICY_CERT>.*?)")?'
r'(\s+fsverity_tool="(?P<FSVERITY_TOOL>.*?)")?'
r'(\s+partition="(?P<PARTITION>.*?)")?'
r'(\s+sign_tool="(?P<SIGN_TOOL>.*?)")?$',
line)
@ -1258,12 +1312,18 @@ def ReadApexKeysInfo(tf_zip):
container_private_key, OPTIONS.private_key_suffix):
container_key = container_cert[:-len(OPTIONS.public_key_suffix)]
else:
raise ValueError("Failed to parse container keys: \n{}".format(line))
raise ValueError("Failed to parse container keys: \n{} **** {}".format(container_cert, container_private_key))
sign_tool = matches.group("SIGN_TOOL")
keys[name] = (payload_private_key, container_key, sign_tool)
return keys
if IsSepolicyApex(name):
sepolicy_key = matches.group('SEPOLICY_KEY')
sepolicy_cert = matches.group('SEPOLICY_CERT')
fsverity_tool = matches.group('FSVERITY_TOOL')
sepolicy_keys[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
return keys, sepolicy_keys
def BuildVendorPartitions(output_zip_path):
@ -1475,6 +1535,12 @@ def main(argv):
OPTIONS.vendor_otatools = a
elif o == "--vendor_partitions":
OPTIONS.vendor_partitions = set(a.split(","))
elif o == '--sepolicy_key':
OPTIONS.sepolicy_key = a
elif o == '--sepolicy_cert':
OPTIONS.sepolicy_cert = a
elif o == '--fsverity_tool':
OPTIONS.fsverity_tool = a
elif o == "--allow_gsi_debug_sepolicy":
OPTIONS.allow_gsi_debug_sepolicy = True
else:
@ -1529,6 +1595,9 @@ def main(argv):
"gki_signing_extra_args=",
"vendor_partitions=",
"vendor_otatools=",
"sepolicy_key=",
"sepolicy_cert=",
"fsverity_tool=",
"allow_gsi_debug_sepolicy",
],
extra_option_handler=option_handler)
@ -1551,8 +1620,9 @@ def main(argv):
apk_keys_info, compressed_extension = common.ReadApkCerts(input_zip)
apk_keys = GetApkCerts(apk_keys_info)
apex_keys_info = ReadApexKeysInfo(input_zip)
apex_keys_info, sepolicy_keys_info = ReadApexKeysInfo(input_zip)
apex_keys = GetApexKeys(apex_keys_info, apk_keys)
sepolicy_keys = GetSepolicyKeys(sepolicy_keys_info)
# TODO(xunchang) check for the apks inside the apex files, and abort early if
# the keys are not available.
@ -1570,7 +1640,7 @@ def main(argv):
ProcessTargetFiles(input_zip, output_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
compressed_extension)
compressed_extension, sepolicy_keys)
common.ZipClose(input_zip)
common.ZipClose(output_zip)

80
tools/releasetools/test_sign_target_files_apks.py
View file

@ -476,7 +476,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
target_files_zip.writestr('META/apexkeys.txt', self.APEX_KEYS_TXT)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info = ReadApexKeysInfo(target_files_zip)
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@ -486,6 +486,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_mismatchingContainerKeys(self):
# Mismatching payload public / private keys.
@ -515,7 +516,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info = ReadApexKeysInfo(target_files_zip)
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@ -525,6 +526,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_missingPayloadPublicKey(self):
# Invalid lines will be skipped.
@ -538,7 +540,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info = ReadApexKeysInfo(target_files_zip)
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@ -548,6 +550,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_presignedKeys(self):
apex_keys = self.APEX_KEYS_TXT + (
@ -561,7 +564,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info = ReadApexKeysInfo(target_files_zip)
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@ -571,6 +574,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_presignedKeys(self):
apex_keys = self.APEX_KEYS_TXT + (
@ -584,7 +588,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info = ReadApexKeysInfo(target_files_zip)
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@ -594,6 +598,72 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_withSepolicyKeys(self):
apex_keys = self.APEX_KEYS_TXT + (
'name="sepolicy.apex" '
'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
'container_certificate="build/make/target/product/security/testkey.x509.pem" '
'container_private_key="build/make/target/product/security/testkey.pk8" '
'sepolicy_key="build/make/target/product/security/testkey.key" '
'sepolicy_certificate="build/make/target/product/security/testkey.x509.pem" '
'fsverity_tool="fsverity"')
target_files = common.MakeTempFile(suffix='.zip')
with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
'build/make/target/product/security/testkey', None),
'apex.apexd_test_different_app.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
'sepolicy.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({'sepolicy.apex': (
'build/make/target/product/security/testkey.key',
'build/make/target/product/security/testkey.x509.pem',
'fsverity'),
}, sepolicy_keys_info)
def test_ReadApexKeysInfo_withSepolicyApex(self):
apex_keys = self.APEX_KEYS_TXT + (
'name="sepolicy.apex" '
'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
'container_certificate="build/make/target/product/security/testkey.x509.pem" '
'container_private_key="build/make/target/product/security/testkey.pk8" ')
target_files = common.MakeTempFile(suffix='.zip')
with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
'build/make/target/product/security/testkey', None),
'apex.apexd_test_different_app.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
'sepolicy.apex': (
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
self.assertEqual({'sepolicy.apex': (
None,
None,
None),
}, sepolicy_keys_info)
def test_ReplaceGkiSigningKey(self):
common.OPTIONS.gki_signing_key = 'release_gki_key'