There are 2 choices to build system_dlkm.img for
the system_dlkm partition for Android T launch
devices and must choose one.
1. Use kernel prebuilt system_dlkm.img
- BOARD_PREBUILT_SYSTEM_DLKM_IMAGE to point image
2. Build from kernel prebuilt system_dlkm_staging
- PRODUCT_BUILD_SYSTEM_DLKM_IMAGE
Both requires: BOARD_SYSTEM_DLKM_PARTITION_SIZE and
must be 64MB or higher in size (enforced via vts).
Bug: 200082547
Test: TH
Test: atest vts_system_dlkm_partition_test
Signed-off-by: Ramji Jiyani <ramjiyani@google.com>
Change-Id: I83435123bd8aa3d04ab8a8b650a95fbab0bc49f2
win_sdk is deprecated, if given on the command line
sdk will be build instead.
Bug: 212724080
Test: Presubmits
Change-Id: Ib3bd51923142b00100b49585ad88bc1292da2463
New scheme is to certify kernel & ramdisk image separately, and
effectively decouple kernel & user space ramdisk image.
Under the new scheme, the --os_version and --os_patch_level boot header
field must be empty in order to maintain consistency.
Instead, these values must be in the vbmeta hash descriptor and
GKI certificate.
The new scheme also validates the image metadata, including the security
patch level.
The 'generic_kernel' certificate is associated with the 'boot' partition
and 'generic_ramdisk' certificate with 'init_boot' partition.
The 'generic_ramdisk' certificate may be packed into the 'boot' image if
product configuration doesn't have 'init_boot' image, this is only for
testing purposes and would be removed eventually.
Bug: 210367929
Bug: 211741246
Bug: 203698939
Test: unpack_bootimg --boot_img boot.img
Test: unpack_bootimg --boot_img init_boot.img
Test: avbtool info_image --image out/boot_signature
Change-Id: Iaf48a6e3d4b97fa6bfb5e1635a288b045baa248f
This file will be used by OTA generator to compress generated patches.
We need the host copy of LZ4 to ensure that compressed bytes matches
what the device would get if the compression were to be done on device.
For more details see go/lz4diff
Bug: 206729162
Test: m dist
Change-Id: I9c4ab772b001bf47da75cb87b028a1f27e2321a8
sign_target_files_apks demands it.
Bug: 213823227
Test: run com.google.android.tradefed.ota.SigningToolTest#Testcase1_Signingtest
Change-Id: I1bba2b25a71449a57d284024e77fb76d1b79a0ee
Else the branch condition would always evaluate to true, making the
other branch useless and wrong!
Bug: 211741246
Test: m dist
Change-Id: I4791712632cbe0d5a9e20962c8425dd20bbe0bfd
For system/framework, it now also includes *.jar.prof (needed by
odrefresh), *.vdex and <arch>/*.{odex,art} (for future-proof).
system/etc/classpaths/*.pb are also added so that we can run
derive_classpath to collect from.
system/etc/updatable-bcp-packages.txt is removed because it's no longer
used by ART.
Bug: 206869687
Test: see new files in `unzip -p $OUT/system/etc/security/fsverity/ \
BuildManifest.apk assets/build_manifest.pb`
Change-Id: Id759f5caec8ba683af8629956b9268a4fbd74186
This variable can be set instead of TARGET_RECOVERY_FSTAB
in order to specify a generated fstab file.
Bug: 201700692
Test: Presubmits
Change-Id: If0fae81ec53915e9ed4bab2e8b1a9f8376894537
Otheriwse, the build complains about missing files when
PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA is enabled (aosp/1937717).
Bug: 206326351
Test: clobber, set PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA := true, build
Change-Id: I11d18914d63cab0b84ae711f2334747cb26ca234
build_image.py has been handling fsverity metadata generation in the
packing step, but it can cause issues because the metadata files are
missing in the $OUT directory, and they only exist in result system.img.
This change moves the generation logic into Makefile, and makes the
metadata tracked by ninja graph.
Bug: 206326351
Test: PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA := true and build
Change-Id: I1f910d8ac6e2cc3c54f35916871733c632f18e44
releasetools preconditions requires build metadata defined in
SYSTEM/build.prop even when building a system.img-less product.
Copy the SYSTEM/build.prop into the build artifact archive whenever
possible to make add_img_to_target_files happy.
Bug: 212486689
Bug: 213028932
Test: Dist build a system.img-less product. Product properties are
read from SYSTEM/build.prop and no build error occurred.
Change-Id: I2ce7f8b8ae981eaf06e2d8d2485b55b4e975caa9
Equivalent to PRODUCT_EXTRA_RECOVERY_KEYS but for A/B OTA.
Bug: 211848136
Test: set PRODUCT_EXTRA_OTA_KEYS and check otacerts.zip
Change-Id: I81e27d12a22b405f6227b09c01ed684dfcede19e
These options are for certifying official GKI release, so they should
never be added to build command of recovery.img and boot-debug.img.
Also define gki_signing_signature_args in misc_info.txt iff.
BOARD_GKI_SIGNING_KEY_PATH is defined, so there's one less conditional.
We need to define it even if BOARD_GKI_SIGNING_SIGNATURE_ARGS is empty,
so that sign_target_files_apks.py can modify the option during image
signing.
Bug: 210367929
Test: Presubmit
Change-Id: I9546fcda796586d97af244955e15c1b8dc9f6d92
Some targets, e.g., the newly added `gki_arm64`:
https://r.android.com/1935340, have no system.img.
To avoid the build error when making the vbmeta.img on a no-system-image
target, only sets system.img's AVB settings when it exists,.
Bug: 212486689
Test: `lunch gki_arm64-userdebug; make` with BOARD_AVB_ENABLE := true
Change-Id: I5e3c531e74116e421506a86ffce83848e7a9d6ea
Macro images-for-partitions() returns $(INSTALLED_INIT_BOOTIMAGE_TARGET)
for the 'init_boot' partition, which is empty. It should return
$(INSTALLED_INIT_BOOT_IMAGE_TARGET) instead.
Bug: 203698939
Test: `make` without chaining 'init_boot' partition
Change-Id: I387813283dfad7e1b2f762a5fa4065775977caf7
If a build target does not contain system image, it doesn't
output anything to root folder. The patch fix the build error for
the case the root folder is empty.
Bug: 212486689
Test: make bootimage dist
Test: Build pass
Change-Id: I4f1376eb7e615f48171ed9c3057c5a78074abaa6
This ramdisk used to be in boot.img, and is now placed into this new
init_boot.img instead.
This new image is used for a new init parition to seperate Android
platform artifacts from the kernel artifacts in boot.img.
Test: boot Cuttlefish
Bug: 203698939
Change-Id: Iaaf82486259979ab728730ce72a4e847ae005c18
OTA will need to know the compression parameter used to construct EROFS
images. Currently, mkfs.erofs uses lz4hc,9 if the user didn't specify
one. But mkfs's default behavior is subject to change in future
versions. Therefore, explicitly specify the compression parameters so
OTA tooling can properly encode/decode erofs images.
Test: th
Change-Id: Ibbf67502827ee79437b766349be289048e685759
external/zucchini/version_info.h contains version info for zucchini
diffing algorithm. OTA tools will use these version info to check for
compatibility and determine if zucchini can be used safely. Owners of
zucchini agreed to keep the format of version_info.h stable so it's
parser friendly.
Bug: 194237829
Test: m dist
Change-Id: If8e37533933b346d3f03adab9263679910ab328c
fsverity digest manifest stores a map from files to fsverity digests.
The manifest is installed as a serialized protobuf file, to a signed apk
system/etc/security/fsverity/BuildManifest.apk.
Bug: 193113311
Test: build with PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA := true
Change-Id: I55fc10400206b8ce0d5f198faea08fe3930b362c
Using fsverity tool, fsverity metadata for specific artifacts in system
mage can be generated. Users can do that by setting a makefile variable
PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA to true.
If set to true, the following artifacts will be signed.
- system/framework/*.jar
- system/framework/oat/<arch>/*.{oat,vdex,art}
- system/etc/boot-image.prof
- system/etc/dirty-image-objects
One fsverity metadata container file per one input file will be
generated in system.img, with a suffix ".fsv_meta". e.g. a container
file for "system/framework/foo.jar" will be
"system/framework/foo.jar.fsv_meta".
Bug: 193113311
Test: build with PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA := true
Change-Id: Ib70d591a72d23286b5debcb05fbad799dfd79b94
Gets rid of .meta_module files and instead defers emitting rules until
after all the non-module targets have been processed. Allows direct
dependency on .meta_lic files, which in turn depend on license text
files.
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Test: m systemlicense
Test: m reportmissinglicenses
Change-Id: I2c467feac6e13a9366ff66f924889f1dbd48c3f1
When an APEX specifies its custom signing tool (custom_sign_tool:),
apexkeys.txt contains the info and sign_target_files_apks pass the value
to apex_util.
For now the Virt APEX has its own custom signing tool (sign_virt_apex),
which is added to OTATOOLS.
Bug: 193504286
Test: sign_target_files_apks invokes sign_virt_apex
Change-Id: Iba845723fe3e18f542963324b9c58cd00914c5ba
This reverts commit a2a5db4466.
Reason for revert: original change was obsoleted by
I3161e42b00a93177a1a4cb3b22da2218d294b7a7
Bug: 202129499
Test: Presubmit; change should be noop
Change-Id: Ib7be1ed73dbf08758276666f8ce35ed9cbf18a36
