For PRESIGNED APEXes, we should keep carrying the matching public keys
at /system/etc/security/apex.
Bug: 129148142
Test: Run sign_target_files_apks.py on a target_files.zip with presigned
APEXes. Check the output zip.
Change-Id: I2e941fd9b10e99d2db9df1e5308cbbe8c760177b
(cherry picked from commit bf3fb024cd)
/product/etc/security/avb/system_other.avbpubkey is only needed
when BOARD_AVB_ENABLE is true. This fixes the build error of
Marlin/Sailfish.
Bug: 123611926
Bug: 129029207
Test: make
Change-Id: I73f948d84f91cd6fbe49a2de7bf12e46eebe6ede
This reverts commit 5516d37f41.
The previous issue in unzipping non-matching files has been addressed
with commit a49054ca2f2959f50f3188914ec0faebc90ebcbe. This CL rolls
forward to allow dumping container certifcates for APEXes.
Bug: 128848294
Test: Run check_target_files_signatures.py on target_files.zips w/ and
w/o APEX files.
Change-Id: I662aab3d96fc40ac8e5e206e32b73ac763220b70
common.UnzipTemp() calls `unzip` to do the unzipping, which will
complain if there's non-existent names in the given list. Prior to this
CL, callers had to do the work to remove non-existent entries. This CL
filters out the given patterns in common.UnzipTemp()/common.UnzipToDir()
to make callers' works easier.
Bug: 128848294
Test: `m dist` with aosp_taimen-userdebug (which calls
ota_from_target_files.py on a target_files.zip that doesn't
contain RADIO/*).
Test: `python -m unittest test_common.CommonZipTest`
Change-Id: I5e741c27ea8d0b8126c398a7e1b56a8deb4a3d7f
When TARGET_VNDK_USE_CORE_VARIANT is set to true, the vendor variant of
VNDK libraries are by default not installed. Instead, the core variant
will be used by vendor binaries at runtime.
To ensure the core variant of VNDK libraries are installed, we also add
a flag LOCAL_VNDK_DEPEND_ON_CORE_VARIANT to indicate that the vendor
variant module depends on the core variant module. This flag should be
set by Soong for all VNDK libraries without the vendor variant
installed. When the flag is set, the vendor variant binary is also
compared against the core variant binary to ensure they are
functionally identical.
As we are merging the two variants for some libraries, we need a new
link type to denote a module is usable as both native:vndk and
native:platform. We add native:platform_vndk for this.
Bug: 119423884
Test: With the corresponding Soong change, build with
TARGET_VNDK_USE_CORE_VARIANT set to true.
Test: Add a dummy VNDK library and a dummy vendor binary that depends
on it. Build with no-vendor-variant VNDK and check the core
variant is installed.
Test: Add conditional compilation based on __ANDROID_VNDK__ in the
dummy VNDK library and check build fails.
Change-Id: I40000f2728e8193212113c1ee950e9d697f2d40d
This is similar to module-built-files, except that it only returns
files built for the target, not the host.
Bug: 119423884
Test: Build with the no-vendor-variant VNDK change that uses this
function.
Change-Id: I2a3d99003b05999eae01c0b90bb62b5263d65592
It used to be depended on by something on /product, but this
is no longer the case.
Bug: 119619080
Test: build downstream users of mainline_system
Change-Id: Iabe1dbb45499b25295f741a62336cb86e4565d60
Skips the step that invokes dot from the build, and instead
prints suitable commands to convert to image formats.
Bug: 114729998
Test: m product-graph
Change-Id: I172e1a792c32c2685d2f439f414dc66267ed6b83
Currently system_other AVB public key is placed in system.img.
However, this makes it's harder to have a *generic* system.img
across different product configs. Moving the key to /product
partition to allow more product-specific AVB keys.
Device board config can add /product/etc/fstab.postinstall,
to mount system_other with this key in /product. It can specify
different mount options, file systems, verity settings, etc., in
this product-specific fstab as well.
Bug: 123611926
Test: `make productimage` checks the following is generated.
$OUT/product/etc/security/avb/system_other.avbpubkey
Also checks it's included in $OUT/installed-files-product.{json, txt}
Test: run the following command and checks that
PRODUCT/etc/security/avb/system_other.avbpubkey is updated:
./build/tools/releasetools/sign_target_files_apks \
--avb_system_other_algorithm SHA256_RSA2048 \
--avb_system_other_key external/avb/test/data/testkey_rsa2048.pem \
out/dist/*-target_files-*.zip signed-target_files.zip
Change-Id: I6804f29941bec54375d80bd68a5aedb5c23b842e
This commit updates how `check_elf_file.py` parses the symbol name
because the `llvm-readobj` (from clang-r353983) does not print "@" if
the symbol is not versioned.
See also. https://reviews.llvm.org/D56319
Bug: 128959554
Test: CHECK_ELF_FILES=true make check-elf-files
Change-Id: I0dee5e505225e57750a2c86cf0d25a151c218eb1
The soong-only variable is used to specify the location where the symbol
file is located. When unspecified, LOCAL_MODULE_PATH is used instead as
before.
This is needed when the path that a file is installed to is different
from the path that the file is accessed from at runtime. For example, if
TARGET_FLATTEN_APEX=true, a file lib/libX.so in an APEX com.android.foo
is installed to /system/apex/com.android.foo/lib/libX.so. However, it's
runtime path is /apex/com.android.foo/lib/libX.so as
/system/apex/com.android.foo is bind-mounted to /apex/com,android.foo.
Bug: 120846816
Test: m and inspect that symbol files exist under
$(PRODUCT_OUT)/symbols/apex/com.android.runtime/
Change-Id: I1b39f6e0cde115d442f14380c365796feff3437b
This is part of prebuilt_internal.mk refactoring work and also a
preliminary task to design and implement its Soong counterpart.
Test: built and flashed an image for a Pixel device + TreeHugger
Change-Id: I89b13b1e0a2780b02fda7ee888e73052ac1abd9c
This CL adds support that allows treating an APEX as pre-signed. We can
skip signing an APEX with `-e <apex-name>=` and
`--extra_apex_payload_key <apex-name>=`. Note that the payload_key and
container_key must be in consistent state - either they're both
PRESIGNED or none of them is. CheckApkAndApexKeysAvailable() has been
updated to perform the sanity check.
Bug: 123716522
Test: Run sign_target_files_apks.py with the above flags.
Test: python -m unittest test_sign_target_files_apks
Change-Id: Id1e2f3f2facd4a97a385983cc9b78c028f7e7e73
Like If1f817d855cbe329b83caee9fdd68c2cce55f02b, but for
PRODUCT_PACKAGES, which is only enabled for a few builds.
Also share the ALLOW_MISSING_DEPENDENCIES check with the host
version.
Test: m product-graph
Change-Id: Iab55072e7d7c0fc9f4680cc515e139a5214dc3b4
This validation is to help ensure that any usage of custom merge config
files does not accidentally exclude any item that has been added to the
default config lists.
Bug: 124197349
Test: Run merge_target_files with custom merge config files.
Change-Id: I34c51cb75212368146a2944d37621f311060d24d
This reverts commit d8469727bc. The script
is broken on target_files.zip that don't contain any APEX.
Bug: 128848294
Test: Run check_target_files_signatures.py on target_files.zip w/o APEX.
After migrating the primary install location of test modules into a
generic testcase folder. All test modules will install to
out/target/product/<product>/testcase/<module_name>/ if they don't
specify their LOCAL_MODULE_PATH.
But the dependent test module should also be copied to testcase
folder even its LOCAL_MODULE_PATH be set.
BUG: 128815093
Test: 1. vi cts/tests/signature/api-check/Android.mk
add LOCAL_MODULE_PATH for cts-hiddenapi_flags-csv
2. m CtsHiddenApiBlacklistDebugClassTestCases
Then, hiddenapi_flags.csv should also be copied to testcase
folder.
Change-Id: Iff872447348e74b2728e0913d04e46ccbaa4e972
OTA tools should pick up the avbtool, as listed in dict['avb_avbtool'],
from the current PATH (plus bin/ under the dir specified via `--path`),
the same way as handling all other host tools.
Test: `m dist`
Change-Id: I3eb4d2c61979b03d9c23b2403d9a38cf052d87ea
After I25163e91886cea6941afa25cdb529ed053278dcb there is no longer
a dependency on $(LOCAL_BUILT_MODULE) for boot jars, as boot.art
is installed instead. Add a dependency from boot.art to
$(LOCAL_BUILT_MODULE) so that $(LOCAL_BUILT_MODULE) and its
dependencies (which may include jacoco-report-classes.jar) is
copied for every build.
Fixes: 127702563
Test: forrest
Change-Id: I4db2d1f5fe2e1141fe93317cd7a2a58a33f8fbff
