From ef92656fd4bc44c416d844e0174a61bc4fe12a82 Mon Sep 17 00:00:00 2001 From: Hongguang Chen Date: Mon, 7 Nov 2022 13:36:38 -0800 Subject: [PATCH 01/12] Support chained init_boot partition signing Bug: 256048561 Bug: 256237041 Test: sign_target_files_apks -d certs --avb_init_boot_algorithm \ SHA256_RSA4096 --avb_init_boot_key init_boot_rsa4096.pem \ xxx.zip signed.zip (Check signed.zip/META/misc_info.txt) Change-Id: I65fc7913089ae318d90df55a533d3e2ebd93b029 (cherry picked from commit 0d6b727e03efd49a77e864077a01837e993f600f) Merged-In: I65fc7913089ae318d90df55a533d3e2ebd93b029 (cherry picked from commit acf1b3afe28f03a4816575960c9e903293a80d76) (cherry picked from commit 425f7d1cb3fc5c1adc740db546c5b18227ea3c82) (cherry picked from commit ac458b10812ff5c6d54bf906ba902a4366904b9f) Merged-In: I65fc7913089ae318d90df55a533d3e2ebd93b029 --- tools/releasetools/sign_target_files_apks.py | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index 6f96d8f6a6..837eaf9c1e 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py 
@@ -99,14 +99,14 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files The second dir will be used for lookup if BOARD_USES_RECOVERY_AS_BOOT is set to true. - --avb_{boot,recovery,system,system_other,vendor,dtbo,vbmeta,vbmeta_system, - vbmeta_vendor}_algorithm - --avb_{boot,recovery,system,system_other,vendor,dtbo,vbmeta,vbmeta_system, - vbmeta_vendor}_key + --avb_{boot,init_boot,recovery,system,system_other,vendor,dtbo,vbmeta, + vbmeta_system,vbmeta_vendor}_algorithm + --avb_{boot,init_boot,recovery,system,system_other,vendor,dtbo,vbmeta, + vbmeta_system,vbmeta_vendor}_key Use the specified algorithm (e.g. SHA256_RSA4096) and the key to AVB-sign the specified image. Otherwise it uses the existing values in info dict. - --avb_{apex,boot,recovery,system,system_other,vendor,dtbo,vbmeta, + --avb_{apex,init_boot,boot,recovery,system,system_other,vendor,dtbo,vbmeta, vbmeta_system,vbmeta_vendor}_extra_args Specify any additional args that are needed to AVB-sign the image (e.g. "--signing_helper /path/to/helper"). The args will be appended to @@ -1427,6 +1427,12 @@ def main(argv): OPTIONS.avb_algorithms['dtbo'] = a elif o == "--avb_dtbo_extra_args": OPTIONS.avb_extra_args['dtbo'] = a + elif o == "--avb_init_boot_key": + OPTIONS.avb_keys['init_boot'] = a + elif o == "--avb_init_boot_algorithm": + OPTIONS.avb_algorithms['init_boot'] = a + elif o == "--avb_init_boot_extra_args": + OPTIONS.avb_extra_args['init_boot'] = a elif o == "--avb_recovery_key": OPTIONS.avb_keys['recovery'] = a elif o == "--avb_recovery_algorithm": @@ -1518,6 +1524,9 @@ def main(argv): "avb_dtbo_algorithm=", "avb_dtbo_key=", "avb_dtbo_extra_args=", + "avb_init_boot_algorithm=", + "avb_init_boot_key=", + "avb_init_boot_extra_args=", "avb_recovery_algorithm=", "avb_recovery_key=", "avb_recovery_extra_args=", From 398ff1a8b603e01c67725b1209ab67907cdba284 Mon Sep 17 00:00:00 2001 
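Review bot: In the usage text, the `_extra_args` flag list puts `init_boot` ahead of `boot` (`--avb_{apex,init_boot,boot,recovery,...`), while the `_algorithm` and `_key` lists in the same hunk put it after `boot`. Using one order, `--avb_{apex,boot,init_boot,recovery,system,system_other,vendor,dtbo,vbmeta,`, keeps the three lists easy to compare when checking which partitions accept a signing key. The same hunk appears again in PATCH 09/12.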
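Review bot: The three new branches in `main` store `--avb_init_boot_key`, `--avb_init_boot_algorithm` and `--avb_init_boot_extra_args` independently, and nothing in this hunk rejects a run that passes the key without the algorithm (or the reverse). The usage text says missing values fall back to the info dict, so a release key could end up paired with whatever algorithm the build recorded, or the image could keep its existing key, without any error. Unless the consumer outside the hunk already enforces the pairing, add a check after the option loop such as `if ('init_boot' in OPTIONS.avb_keys) != ('init_boot' in OPTIONS.avb_algorithms): raise ValueError("--avb_init_boot_key and --avb_init_boot_algorithm must be given together")`. The commit's Test line only inspects `META/misc_info.txt`, so it would be worth also confirming that the signed init_boot image carries the intended public key. `main` starts and ends outside the hunk, and the same hunks recur in PATCH 09/12.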
From: Steve Berbary Date: Wed, 7 Dec 2022 19:17:20 +0000 Subject: [PATCH 02/12] Update Security String to 2023-02-05 Bug: 261738635 Change-Id: Ifcca8fadc558099b223a39e8b2f98bcb8db40c6f (cherry picked from commit 79e595f4e3f7015c9911436d449ee7dd8fa87982) Merged-In: Ifcca8fadc558099b223a39e8b2f98bcb8db40c6f --- core/version_defaults.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/version_defaults.mk b/core/version_defaults.mk index 864816c969..339d36bb5c 100644 --- a/core/version_defaults.mk +++ b/core/version_defaults.mk @@ -103,7 +103,7 @@ ifndef PLATFORM_SECURITY_PATCH # It must be of the form "YYYY-MM-DD" on production devices. # It must match one of the Android Security Patch Level strings of the Public Security Bulletins. # If there is no $PLATFORM_SECURITY_PATCH set, keep it empty. - PLATFORM_SECURITY_PATCH := 2023-01-05 + PLATFORM_SECURITY_PATCH := 2023-02-05 endif include $(BUILD_SYSTEM)/version_util.mk From 8b020043efc29638c77e432306da12cba295ead1 Mon Sep 17 00:00:00 2001 From: Android Build Coastguard Worker Date: Wed, 14 Dec 2022 02:55:45 +0000 Subject: [PATCH 03/12] Version bump to TQ1A.230205.001.B1 [core/build_id.mk] Change-Id: I8896b4c7d1ecbc9ae4c25130a09a1607f091086e --- core/build_id.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/build_id.mk b/core/build_id.mk index b894546102..a1fc9e963d 100644 --- a/core/build_id.mk +++ b/core/build_id.mk @@ -18,4 +18,4 @@ # (like "CRB01"). It must be a single word, and is # capitalized by convention. -BUILD_ID=TQ1A.230205.001 +BUILD_ID=TQ1A.230205.001.B1 From d03d26813e758ba159fe9c31816830df8a6820a9 Mon Sep 17 00:00:00 2001 From: Android Build Coastguard Worker Date: Thu, 15 Dec 2022 18:41:34 +0000 Subject: [PATCH 04/12] Version bump to TQ1A.230105.001.A3 [core/build_id.mk] Change-Id: Ib04211abef53e3c1b0165b22d9aa05f6a41d4da2 --- core/build_id.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/core/build_id.mk b/core/build_id.mk index f601483ba9..642e342852 100644 --- a/core/build_id.mk +++ b/core/build_id.mk @@ -18,4 +18,4 @@ # (like "CRB01"). It must be a single word, and is # capitalized by convention. -BUILD_ID=TQ1A.230105.001.A2 +BUILD_ID=TQ1A.230105.001.A3 From f5764a17d4eca30615aa5e5fe43d10c703c60f80 Mon Sep 17 00:00:00 2001 From: Android Build Coastguard Worker Date: Thu, 15 Dec 2022 19:06:29 +0000 Subject: [PATCH 05/12] Version bump to TQ1A.230105.002.A1 [core/build_id.mk] Change-Id: I9cf4faefe8ff7030f5d7a44799053d290384ffa9 --- core/build_id.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/build_id.mk b/core/build_id.mk index 314491ca4b..75f32334d9 100644 --- a/core/build_id.mk +++ b/core/build_id.mk @@ -18,4 +18,4 @@ # (like "CRB01"). It must be a single word, and is # capitalized by convention. -BUILD_ID=TQ1A.230105.002 +BUILD_ID=TQ1A.230105.002.A1 From a43cf1c8431563934a66251fda124a86617a6abd Mon Sep 17 00:00:00 2001 From: Android Build Coastguard Worker Date: Thu, 15 Dec 2022 19:29:42 +0000 Subject: [PATCH 06/12] Version bump to TQ1A.230205.001.A1 [core/build_id.mk] Change-Id: I38109b9792b52d798210cd39cd85604d73727c82 --- core/build_id.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/build_id.mk b/core/build_id.mk index b894546102..3b8debaa06 100644 --- a/core/build_id.mk +++ b/core/build_id.mk @@ -18,4 +18,4 @@ # (like "CRB01"). It must be a single word, and is # capitalized by convention. -BUILD_ID=TQ1A.230205.001 +BUILD_ID=TQ1A.230205.001.A1 From 54b662812df02293540658b22ddb7c271a3e5b0f Mon Sep 17 00:00:00 2001 From: Android Build Coastguard Worker Date: Thu, 22 Dec 2022 01:28:31 +0000 Subject: [PATCH 07/12] Version bump to TQ1A.230105.001.C1 [core/build_id.mk] Change-Id: I79de18dc4a04e92ca4d814680f75405abde452e0 --- core/build_id.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/build_id.mk b/core/build_id.mk index 3529db3126..01c47ffa14 100644 
--- a/core/build_id.mk +++ b/core/build_id.mk @@ -18,4 +18,4 @@ # (like "CRB01"). It must be a single word, and is # capitalized by convention. -BUILD_ID=TQ1A.230105.001 +BUILD_ID=TQ1A.230105.001.C1 From 0c589f16e2b8f3ce3cd3db0629c5987e26c2ad43 Mon Sep 17 00:00:00 2001 From: Android Build Coastguard Worker Date: Thu, 22 Dec 2022 02:25:50 +0000 Subject: [PATCH 08/12] Version bump to TQ1A.230105.001.C2 [core/build_id.mk] Change-Id: I3d0a4c0fcd0dd38a934355b4e174121584161e57 --- core/build_id.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/build_id.mk b/core/build_id.mk index 01c47ffa14..074a1251da 100644 --- a/core/build_id.mk +++ b/core/build_id.mk @@ -18,4 +18,4 @@ # (like "CRB01"). It must be a single word, and is # capitalized by convention. -BUILD_ID=TQ1A.230105.001.C1 +BUILD_ID=TQ1A.230105.001.C2 From ced530443431f078c6a694f12df989feb763f36d Mon Sep 17 00:00:00 2001 From: Hongguang Chen Date: Mon, 7 Nov 2022 13:36:38 -0800 Subject: [PATCH 09/12] Support chained init_boot partition signing Bug: 256048561 Bug: 256237041 Test: sign_target_files_apks -d certs --avb_init_boot_algorithm \ SHA256_RSA4096 --avb_init_boot_key init_boot_rsa4096.pem \ xxx.zip signed.zip (Check signed.zip/META/misc_info.txt) Change-Id: I65fc7913089ae318d90df55a533d3e2ebd93b029 (cherry picked from commit 0d6b727e03efd49a77e864077a01837e993f600f) Merged-In: I65fc7913089ae318d90df55a533d3e2ebd93b029 (cherry picked from commit acf1b3afe28f03a4816575960c9e903293a80d76) Merged-In: I65fc7913089ae318d90df55a533d3e2ebd93b029 --- tools/releasetools/sign_target_files_apks.py | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index 6f96d8f6a6..837eaf9c1e 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py 
@@ -99,14 +99,14 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files The second dir will be used for lookup if BOARD_USES_RECOVERY_AS_BOOT is set to true. - --avb_{boot,recovery,system,system_other,vendor,dtbo,vbmeta,vbmeta_system, - vbmeta_vendor}_algorithm - --avb_{boot,recovery,system,system_other,vendor,dtbo,vbmeta,vbmeta_system, - vbmeta_vendor}_key + --avb_{boot,init_boot,recovery,system,system_other,vendor,dtbo,vbmeta, + vbmeta_system,vbmeta_vendor}_algorithm + --avb_{boot,init_boot,recovery,system,system_other,vendor,dtbo,vbmeta, + vbmeta_system,vbmeta_vendor}_key Use the specified algorithm (e.g. SHA256_RSA4096) and the key to AVB-sign the specified image. Otherwise it uses the existing values in info dict. - --avb_{apex,boot,recovery,system,system_other,vendor,dtbo,vbmeta, + --avb_{apex,init_boot,boot,recovery,system,system_other,vendor,dtbo,vbmeta, vbmeta_system,vbmeta_vendor}_extra_args Specify any additional args that are needed to AVB-sign the image (e.g. "--signing_helper /path/to/helper"). The args will be appended to @@ -1427,6 +1427,12 @@ def main(argv): OPTIONS.avb_algorithms['dtbo'] = a elif o == "--avb_dtbo_extra_args": OPTIONS.avb_extra_args['dtbo'] = a + elif o == "--avb_init_boot_key": + OPTIONS.avb_keys['init_boot'] = a + elif o == "--avb_init_boot_algorithm": + OPTIONS.avb_algorithms['init_boot'] = a + elif o == "--avb_init_boot_extra_args": + OPTIONS.avb_extra_args['init_boot'] = a elif o == "--avb_recovery_key": OPTIONS.avb_keys['recovery'] = a elif o == "--avb_recovery_algorithm": @@ -1518,6 +1524,9 @@ def main(argv): "avb_dtbo_algorithm=", "avb_dtbo_key=", "avb_dtbo_extra_args=", + "avb_init_boot_algorithm=", + "avb_init_boot_key=", + "avb_init_boot_extra_args=", "avb_recovery_algorithm=", "avb_recovery_key=", "avb_recovery_extra_args=", From ab296fe28ab07edc49eac3ff55870e4ce53dba1f Mon Sep 17 00:00:00 2001 
From: Android Build Coastguard Worker Date: Thu, 22 Dec 2022 22:06:59 +0000 Subject: [PATCH 10/12] Version bump to TQ1A.230105.001.D2 [core/build_id.mk] Change-Id: I1fcfa2f6239eb559d2517b885ef5e774b0e001df --- core/build_id.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/build_id.mk b/core/build_id.mk index 7d2c0e66da..11245ada6a 100644 --- a/core/build_id.mk +++ b/core/build_id.mk @@ -18,4 +18,4 @@ # (like "CRB01"). It must be a single word, and is # capitalized by convention. -BUILD_ID=TQ1A.230105.001.D1 +BUILD_ID=TQ1A.230105.001.D2 From 1072cba844707f88a61a6dac0d7c08b1c3fd1843 Mon Sep 17 00:00:00 2001 From: Android Build Coastguard Worker Date: Fri, 6 Jan 2023 18:06:54 +0000 Subject: [PATCH 11/12] Version bump to TQ1A.230205.001.D1 [core/build_id.mk] Change-Id: Ib387236fafadba71c79627edf7265f1d6a63d139 --- core/build_id.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/build_id.mk b/core/build_id.mk index b894546102..f0c3e1f7b0 100644 --- a/core/build_id.mk +++ b/core/build_id.mk @@ -18,4 +18,4 @@ # (like "CRB01"). It must be a single word, and is # capitalized by convention. -BUILD_ID=TQ1A.230205.001 +BUILD_ID=TQ1A.230205.001.D1 From 390c2376d486e0cfb4ff9539107e786302fe6e21 Mon Sep 17 00:00:00 2001 From: Android Build Coastguard Worker Date: Tue, 10 Jan 2023 00:11:24 +0000 Subject: [PATCH 12/12] Version bump to TQ1A.230205.002 [core/build_id.mk] Change-Id: If255da6baf0a179cf7fde3f69b34346c64d178d6 --- core/build_id.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/build_id.mk b/core/build_id.mk index b894546102..b99f98c03f 100644 --- a/core/build_id.mk +++ b/core/build_id.mk @@ -18,4 +18,4 @@ # (like "CRB01"). It must be a single word, and is # capitalized by convention. -BUILD_ID=TQ1A.230205.001 +BUILD_ID=TQ1A.230205.002