Merge "Update hmm text for mgrep."
diff --git a/CleanSpec.mk b/CleanSpec.mk
index a82a0bd..a93e79e 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -627,6 +627,11 @@
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/adb_debug.prop)
 
 $(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/lib*/libjavacrypto.so)
+
+# Clean up old verity tools.
+$(call add-clean-step, rm -rf $(HOST_OUT_JAVA_LIBRARIES)/BootSignature.jar)
+$(call add-clean-step, rm -rf $(HOST_OUT_JAVA_LIBRARIES)/VeritySigner.jar)
+$(call add-clean-step, rm -rf $(HOST_OUT_EXECUTABLES)/build_verity_metadata.py)
 # ************************************************
 # NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST
 # ************************************************
diff --git a/Deprecation.md b/Deprecation.md
index 6468f46..01825b2 100644
--- a/Deprecation.md
+++ b/Deprecation.md
@@ -14,8 +14,8 @@
 
 | Module type                | State     |
 | -------------------------- | --------- |
-| `BUILD_HOST_TEST_CONFIG`   | Warning   |
-| `BUILD_TARGET_TEST_CONFIG` | Warning   |
+| `BUILD_HOST_TEST_CONFIG`   | Error     |
+| `BUILD_TARGET_TEST_CONFIG` | Error     |
 | `BUILD_*`                  | Available |
 
 ## Module Type Deprecation Process
diff --git a/core/Makefile b/core/Makefile
index 89df131..c4cd57a 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -2158,109 +2158,13 @@
 endef
 endif
 
-# Check that libraries that should only be in APEXes don't end up in the system
-# image. For the Runtime APEX this complements the checks in
-# art/build/apex/art_apex_test.py.
-# TODO(b/128708192): Implement this restriction in Soong instead.
-
-# Runtime APEX libraries
-APEX_MODULE_LIBS := \
-  libadbconnection.so \
-  libandroidicu.so \
-  libandroidio.so \
-  libart-compiler.so \
-  libart-dexlayout.so \
-  libart.so \
-  libartbase.so \
-  libartpalette.so \
-  libdexfile.so \
-  libdexfile_external.so \
-  libdexfiled_external.so \
-  libdt_fd_forward.so \
-  libdt_socket.so \
-  libicui18n.so \
-  libicuuc.so \
-  libjavacore.so \
-  libjdwp.so \
-  libnativebridge.so \
-  libnativehelper.so \
-  libnativeloader.so \
-  libnpt.so \
-  libopenjdk.so \
-  libopenjdkjvm.so \
-  libopenjdkjvmti.so \
-  libpac.so \
-  libprofile.so \
-  libsigchain.so \
-
-# Conscrypt APEX libraries
-APEX_MODULE_LIBS += \
-  libjavacrypto.so \
-
-# An option to disable the check below, for local use since some build targets
-# still may create these libraries in /system (b/129006418).
-DISABLE_APEX_LIBS_ABSENCE_CHECK ?=
-
-# Exclude lib/arm and lib/arm64 which contain the native bridge proxy libs.
-# They are compiled for the guest architecture and used with an entirely
-# different linker config. The native libs are then linked to as usual via
-# exported interfaces, so the proxy libs do not violate the interface boundaries
-# on the native architecture.
-# TODO(b/130630776): Introduce a make variable for the appropriate directory
-# when native bridge is active.
-APEX_LIBS_ABSENCE_CHECK_EXCLUDE := lib/arm lib/arm64
-
-# Exclude vndk-sp-* subdirectories which contain prebuilts from older releases.
-APEX_LIBS_ABSENCE_CHECK_EXCLUDE += lib/vndk-% lib64/vndk-%
-
-# If the check below fails, some library has ended up in system/lib or
-# system/lib64 that is intended to only go into some APEX package. The likely
-# cause is that a library or binary in /system has grown a dependency that
-# directly or indirectly pulls in the prohibited library.
-#
-# To resolve this, look for the APEX package that the library belong to - search
-# for it in 'native_shared_lib' properties in 'apex' build modules (see
-# art/build/apex/Android.bp for an example). Then check if there is an exported
-# library in that APEX package that should be used instead, i.e. one listed in
-# its 'native_shared_lib' property for which the corresponding 'cc_library'
-# module has a 'stubs' clause (like libdexfile_external in
-# art/libdexfile/Android.bp).
-#
-# If you cannot find an APEX exported library that fits your needs, or you think
-# that the library you want to depend on should be allowed in /system, then
-# please contact the owners of the APEX package containing the library.
-#
-# If you get this error for a library that is exported in an APEX, then the APEX
-# might be misconfigured or something is wrong in the build system. Please reach
-# out to the APEX package owners and/or soong-team@, or
-# android-building@googlegroups.com externally.
-ifndef DISABLE_APEX_LIBS_ABSENCE_CHECK
-define check-apex-libs-absence
-$(hide) ( \
-  cd $(TARGET_OUT) && \
-  findres=$$(find lib* \
-    $(foreach dir,$(APEX_LIBS_ABSENCE_CHECK_EXCLUDE),-path "$(subst %,*,$(dir))" -prune -o) \
-    -type f \( -false $(foreach lib,$(APEX_MODULE_LIBS),-o -name $(lib)) \) \
-    -print) && \
-  if [ -n "$$findres" ]; then \
-    echo "APEX libraries found in system image (see comment in build/make/core/Makefile for details):" 1>&2; \
-    echo "$$findres" | sort 1>&2; \
-    false; \
-  fi; \
-)
-endef
-else
-define check-apex-libs-absence
-endef
-endif
-
 # $(1): output file
 define build-systemimage-target
   @echo "Target system fs image: $(1)"
   $(call create-system-vendor-symlink)
   $(call create-system-product-symlink)
   $(call create-system-product_services-symlink)
-  $(call check-apex-libs-absence)
+  $(call check-apex-libs-absence-on-disk)
   @mkdir -p $(dir $(1)) $(systemimage_intermediates) && rm -rf $(systemimage_intermediates)/system_image_info.txt
   $(call generate-image-prop-dictionary, $(systemimage_intermediates)/system_image_info.txt,system, \
       skip_fsck=true)
@@ -3565,8 +3469,8 @@
   $(HOST_OUT_EXECUTABLES)/bsdiff \
   $(HOST_OUT_EXECUTABLES)/imgdiff \
   $(HOST_OUT_JAVA_LIBRARIES)/signapk.jar \
-  $(HOST_OUT_JAVA_LIBRARIES)/BootSignature.jar \
-  $(HOST_OUT_JAVA_LIBRARIES)/VeritySigner.jar \
+  $(HOST_OUT_JAVA_LIBRARIES)/boot_signer.jar \
+  $(HOST_OUT_JAVA_LIBRARIES)/verity_signer.jar \
   $(HOST_OUT_EXECUTABLES)/mke2fs \
   $(HOST_OUT_EXECUTABLES)/mkuserimg_mke2fs \
   $(HOST_OUT_EXECUTABLES)/e2fsdroid \
diff --git a/core/config.mk b/core/config.mk
index 94928a2..bf59fb1 100644
--- a/core/config.mk
+++ b/core/config.mk
@@ -604,7 +604,7 @@
 BUILD_IMAGE_SRCS := $(wildcard build/make/tools/releasetools/*.py)
 APPEND2SIMG := $(HOST_OUT_EXECUTABLES)/append2simg
 VERITY_SIGNER := $(HOST_OUT_EXECUTABLES)/verity_signer
-BUILD_VERITY_METADATA := $(HOST_OUT_EXECUTABLES)/build_verity_metadata.py
+BUILD_VERITY_METADATA := $(HOST_OUT_EXECUTABLES)/build_verity_metadata
 BUILD_VERITY_TREE := $(HOST_OUT_EXECUTABLES)/build_verity_tree
 BOOT_SIGNER := $(HOST_OUT_EXECUTABLES)/boot_signer
 FUTILITY := $(HOST_OUT_EXECUTABLES)/futility-host
diff --git a/core/definitions.mk b/core/definitions.mk
index aa2a2a9..af6248d 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -2094,9 +2094,9 @@
     $(addprefix --bootclasspath ,$(strip $(PRIVATE_BOOTCLASSPATH))) \
     $(addprefix --classpath ,$(strip $(PRIVATE_ALL_JAVA_HEADER_LIBRARIES))) \
     || ( rm -rf $(dir $@)/classes-turbine ; exit 41 ) && \
-    $(MERGE_ZIPS) -j --ignore-duplicates -stripDir META-INF $@.tmp $@.premerged $(call reverse-list,$(PRIVATE_STATIC_JAVA_HEADER_LIBRARIES)) ; \
+    $(MERGE_ZIPS) -j --ignore-duplicates -stripDir META-INF $@.tmp $@.premerged $(PRIVATE_STATIC_JAVA_HEADER_LIBRARIES) ; \
 else \
-    $(MERGE_ZIPS) -j --ignore-duplicates -stripDir META-INF $@.tmp $(call reverse-list,$(PRIVATE_STATIC_JAVA_HEADER_LIBRARIES)) ; \
+    $(MERGE_ZIPS) -j --ignore-duplicates -stripDir META-INF $@.tmp $(PRIVATE_STATIC_JAVA_HEADER_LIBRARIES) ; \
 fi
 $(hide) $(ZIPTIME) $@.tmp
 $(hide) $(call commit-change-for-toc,$@)
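Review bot: Both `$(MERGE_ZIPS)` lines keep `--ignore-duplicates` while dropping `$(call reverse-list,...)`, so which copy of a duplicated entry lands in the merged header jar now follows the plain order of `PRIVATE_STATIC_JAVA_HEADER_LIBRARIES`, and nothing here records that. As far as I know merge_zips keeps the entry from the first zip that contains it; if so, a comment above the enclosing define such as `# With --ignore-duplicates the earliest jar in PRIVATE_STATIC_JAVA_HEADER_LIBRARIES wins on a clash.` would stop a later reorder from silently changing which class ships. The same applies to the merge lines changed in core/host_dalvik_java_library.mk, core/host_java_library.mk and core/java.mk. The define this recipe belongs to starts before the hunk.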
diff --git a/core/deprecation.mk b/core/deprecation.mk
index cbc938a..9d57527 100644
--- a/core/deprecation.mk
+++ b/core/deprecation.mk
@@ -37,13 +37,13 @@
 # relevant BUILD_BROKEN_USES_BUILD_* variables, then these would move to
 # DEFAULT_ERROR_BUILD_MODULE_TYPES.
 DEFAULT_WARNING_BUILD_MODULE_TYPES :=$= \
-  BUILD_HOST_TEST_CONFIG \
-  BUILD_TARGET_TEST_CONFIG \
 
 # These are BUILD_* variables that are errors to reference, but you can set
 # BUILD_BROKEN_USES_BUILD_* in your BoardConfig.mk in order to turn them back
 # to warnings.
 DEFAULT_ERROR_BUILD_MODULE_TYPES :=$= \
+  BUILD_HOST_TEST_CONFIG \
+  BUILD_TARGET_TEST_CONFIG \
 
 # These are BUILD_* variables that are always errors to reference.
 # Setting the BUILD_BROKEN_USES_BUILD_* variables is also an error.
diff --git a/core/dex_preopt.mk b/core/dex_preopt.mk
index 180edaf..32690fe 100644
--- a/core/dex_preopt.mk
+++ b/core/dex_preopt.mk
@@ -26,7 +26,7 @@
 # We can do this only if preopt is enabled and if the product uses libart config (which sets the
 # default properties for preopting).
 ifeq ($(WITH_DEXPREOPT), true)
-ifeq ($(PRODUCT_USES_ART), true)
+ifeq ($(PRODUCT_USES_DEFAULT_ART_CONFIG), true)
 
 boot_zip := $(PRODUCT_OUT)/boot.zip
 bootclasspath_jars := $(DEXPREOPT_BOOTCLASSPATH_DEX_FILES)
@@ -45,5 +45,5 @@
 
 $(call dist-for-goals, droidcore, $(boot_zip))
 
-endif  #PRODUCT_USES_ART
+endif  #PRODUCT_USES_DEFAULT_ART_CONFIG
 endif  #WITH_DEXPREOPT
diff --git a/core/host_dalvik_java_library.mk b/core/host_dalvik_java_library.mk
index 1545f63..423575c 100644
--- a/core/host_dalvik_java_library.mk
+++ b/core/host_dalvik_java_library.mk
@@ -141,7 +141,7 @@
             $(PRIVATE_JAR_MANIFEST) > $(dir $@)/manifest.mf)
 	$(MERGE_ZIPS) -j --ignore-duplicates $(if $(PRIVATE_JAR_MANIFEST),-m $(dir $@)/manifest.mf) \
             $(if $(PRIVATE_DONT_DELETE_JAR_META_INF),,-stripDir META-INF -zipToNotStrip $<) \
-            $@ $< $(call reverse-list,$(PRIVATE_STATIC_JAVA_LIBRARIES))
+            $@ $< $(PRIVATE_STATIC_JAVA_LIBRARIES)
 
 # Run jarjar if necessary, otherwise just copy the file.
 ifneq ($(strip $(LOCAL_JARJAR_RULES)),)
diff --git a/core/host_java_library.mk b/core/host_java_library.mk
index f7bf337..1225fa9 100644
--- a/core/host_java_library.mk
+++ b/core/host_java_library.mk
@@ -103,7 +103,7 @@
             $(PRIVATE_JAR_MANIFEST) > $(dir $@)/manifest.mf)
 	$(MERGE_ZIPS) -j --ignore-duplicates $(if $(PRIVATE_JAR_MANIFEST),-m $(dir $@)/manifest.mf) \
             $(if $(PRIVATE_DONT_DELETE_JAR_META_INF),,-stripDir META-INF -zipToNotStrip $<) \
-            $@ $< $(call reverse-list,$(PRIVATE_STATIC_JAVA_LIBRARIES))
+            $@ $< $(PRIVATE_STATIC_JAVA_LIBRARIES)
 
 # Run jarjar if necessary, otherwise just copy the file.
 ifneq ($(strip $(LOCAL_JARJAR_RULES)),)
diff --git a/core/java.mk b/core/java.mk
index afc77d6..b951f14 100644
--- a/core/java.mk
+++ b/core/java.mk
@@ -309,7 +309,7 @@
             $(PRIVATE_JAR_MANIFEST) > $(dir $@)/manifest.mf)
 	$(MERGE_ZIPS) -j --ignore-duplicates $(if $(PRIVATE_JAR_MANIFEST),-m $(dir $@)/manifest.mf) \
             $(if $(PRIVATE_DONT_DELETE_JAR_META_INF),,-stripDir META-INF -zipToNotStrip $<) \
-            $@ $< $(call reverse-list,$(PRIVATE_STATIC_JAVA_LIBRARIES))
+            $@ $< $(PRIVATE_STATIC_JAVA_LIBRARIES)
 
 ifdef LOCAL_JAR_PROCESSOR
 # LOCAL_JAR_PROCESSOR_ARGS must be evaluated here to set up the rule-local
diff --git a/core/main.mk b/core/main.mk
index 7e1bdd5..6f92ff1 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -1200,6 +1200,117 @@
 )
 endef
 
+# Check that libraries that should only be in APEXes don't end up in the system
+# image. For the Runtime APEX this complements the checks in
+# art/build/apex/art_apex_test.py.
+# TODO(b/128708192): Implement this restriction in Soong instead.
+
+# Runtime APEX libraries
+APEX_MODULE_LIBS := \
+  libadbconnection.so \
+  libandroidicu.so \
+  libandroidio.so \
+  libart-compiler.so \
+  libart-dexlayout.so \
+  libart.so \
+  libartbase.so \
+  libartpalette.so \
+  libdexfile.so \
+  libdexfile_external.so \
+  libdexfiled_external.so \
+  libdt_fd_forward.so \
+  libdt_socket.so \
+  libicui18n.so \
+  libicuuc.so \
+  libjavacore.so \
+  libjdwp.so \
+  libnativebridge.so \
+  libnativehelper.so \
+  libnativeloader.so \
+  libnpt.so \
+  libopenjdk.so \
+  libopenjdkjvm.so \
+  libopenjdkjvmti.so \
+  libpac.so \
+  libprofile.so \
+  libsigchain.so \
+
+# Conscrypt APEX libraries
+APEX_MODULE_LIBS += \
+  libjavacrypto.so \
+
+# An option to disable the check below, for local use since some build targets
+# still may create these libraries in /system (b/129006418).
+DISABLE_APEX_LIBS_ABSENCE_CHECK ?=
+
+# Exclude lib/arm and lib/arm64 which contain the native bridge proxy libs. They
+# are compiled for the guest architecture and used with an entirely different
+# linker config. The native libs are then linked to as usual via exported
+# interfaces, so the proxy libs do not violate the interface boundaries on the
+# native architecture.
+# TODO(b/130630776): Introduce a make variable for the appropriate directory
+# when native bridge is active.
+APEX_LIBS_ABSENCE_CHECK_EXCLUDE := lib/arm lib/arm64
+
+# Exclude vndk-* subdirectories which contain prebuilts from older releases.
+APEX_LIBS_ABSENCE_CHECK_EXCLUDE += lib/vndk-% lib64/vndk-%
+
+ifdef DISABLE_APEX_LIBS_ABSENCE_CHECK
+  check-apex-libs-absence :=
+  check-apex-libs-absence-on-disk :=
+else
+  # If the check below fails, some library has ended up in system/lib or
+  # system/lib64 that is intended to only go into some APEX package. The likely
+  # cause is that a library or binary in /system has grown a dependency that
+  # directly or indirectly pulls in the prohibited library.
+  #
+  # To resolve this, look for the APEX package that the library belong to -
+  # search for it in 'native_shared_lib' properties in 'apex' build modules (see
+  # art/build/apex/Android.bp for an example). Then check if there is an
+  # exported library in that APEX package that should be used instead, i.e. one
+  # listed in its 'native_shared_lib' property for which the corresponding
+  # 'cc_library' module has a 'stubs' clause (like libdexfile_external in
+  # art/libdexfile/Android.bp).
+  #
+  # If you cannot find an APEX exported library that fits your needs, or you
+  # think that the library you want to depend on should be allowed in /system,
+  # then please contact the owners of the APEX package containing the library.
+  #
+  # If you get this error for a library that is exported in an APEX, then the
+  # APEX might be misconfigured or something is wrong in the build system.
+  # Please reach out to the APEX package owners and/or soong-team@, or
+  # android-building@googlegroups.com externally.
+  define check-apex-libs-absence
+    $(call maybe-print-list-and-error, \
+      $(filter $(foreach lib,$(APEX_MODULE_LIBS),%/$(lib)), \
+        $(filter-out $(foreach dir,$(APEX_LIBS_ABSENCE_CHECK_EXCLUDE), \
+                       $(TARGET_OUT)/$(if $(findstring %,$(dir)),$(dir),$(dir)/%)), \
+          $(filter $(TARGET_OUT)/lib/% $(TARGET_OUT)/lib64/%,$(1)))), \
+      APEX libraries found in system image (see comment for check-apex-libs-absence in \
+      build/make/core/main.mk for details))
+  endef
+
+  # TODO(b/129006418): The check above catches libraries through product
+  # dependencies visible to make, but as long as they have install rules in
+  # /system they may still be created there through other make targets. To catch
+  # that we also do a check on disk just before the system image is built.
+  define check-apex-libs-absence-on-disk
+    $(hide) ( \
+      cd $(TARGET_OUT) && \
+      findres=$$(find lib* \
+        $(foreach dir,$(APEX_LIBS_ABSENCE_CHECK_EXCLUDE),-path "$(subst %,*,$(dir))" -prune -o) \
+        -type f \( -false $(foreach lib,$(APEX_MODULE_LIBS),-o -name $(lib)) \) \
+        -print) && \
+      if [ -n "$$findres" ]; then \
+        echo "APEX libraries found in system image (see comment for check-apex-libs-absence" 1>&2; \
+        echo "in build/make/core/main.mk for details):" 1>&2; \
+        echo "$$findres" | sort 1>&2; \
+        false; \
+      fi; \
+    )
+  endef
+endif
+
 ifdef FULL_BUILD
   ifneq (true,$(ALLOW_MISSING_DEPENDENCIES))
     # Check to ensure that all modules in PRODUCT_PACKAGES exist (opt in per product)
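Review bot: `ifdef DISABLE_APEX_LIBS_ABSENCE_CHECK` treats any non-empty value as "disable", so even `DISABLE_APEX_LIBS_ABSENCE_CHECK=false` turns both `check-apex-libs-absence` and `check-apex-libs-absence-on-disk` into empty definitions, with no output. Since these two macros are the gate that keeps APEX-only libraries out of /system, I would add `$(warning APEX libs absence check is disabled (DISABLE_APEX_LIBS_ABSENCE_CHECK=$(DISABLE_APEX_LIBS_ABSENCE_CHECK)))` to the `ifdef` branch so a disabled check is visible in the build log. Separately, the make-time check filters only `$(TARGET_OUT)/lib/%` and `$(TARGET_OUT)/lib64/%` while the on-disk `find` walks `lib*`; a short comment saying whether that difference is intended would help.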
@@ -1312,6 +1423,8 @@
 	rm -f $@
 	$(foreach f,$(sort $(all_offending_files)),echo $(f) >> $@;)
   endif
+
+  $(call check-apex-libs-absence,$(product_target_FILES))
 else
   # We're not doing a full build, and are probably only including
   # a subset of the module makefiles.  Don't try to build any modules
diff --git a/core/product.mk b/core/product.mk
index f3c9a98..66570e4 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -246,7 +246,7 @@
 _product_var_list += \
     PRODUCT_USE_PROFILE_FOR_BOOT_IMAGE \
     PRODUCT_DEX_PREOPT_BOOT_IMAGE_PROFILE_LOCATION \
-    PRODUCT_USES_ART \
+    PRODUCT_USES_DEFAULT_ART_CONFIG \
 
 _product_var_list += PRODUCT_SYSTEM_SERVER_COMPILER_FILTER
 # Per-module sanitizer configs
diff --git a/core/soong_app_prebuilt.mk b/core/soong_app_prebuilt.mk
index 8153d78..d873cc4 100644
--- a/core/soong_app_prebuilt.mk
+++ b/core/soong_app_prebuilt.mk
@@ -129,7 +129,15 @@
 my_2nd_arch_prefix :=
 
 PACKAGES := $(PACKAGES) $(LOCAL_MODULE)
-ifdef LOCAL_CERTIFICATE
+ifeq ($(LOCAL_CERTIFICATE),PRESIGNED)
+  # The magic string "PRESIGNED" means this package is already checked
+  # signed with its release key.
+  #
+  # By setting .CERTIFICATE but not .PRIVATE_KEY, this package will be
+  # mentioned in apkcerts.txt (with certificate set to "PRESIGNED")
+  # but the dexpreopt process will not try to re-sign the app.
+  PACKAGES.$(LOCAL_MODULE).CERTIFICATE := PRESIGNED
+else ifneq ($(LOCAL_CERTIFICATE),)
   PACKAGES.$(LOCAL_MODULE).CERTIFICATE := $(LOCAL_CERTIFICATE)
   PACKAGES.$(LOCAL_MODULE).PRIVATE_KEY := $(patsubst %.x509.pem,%.pk8,$(LOCAL_CERTIFICATE))
 endif
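Review bot: The `ifeq ($(LOCAL_CERTIFICATE),PRESIGNED)` comparison is exact, so a value carrying stray trailing whitespace falls through to the `else ifneq` branch and gets a `.PRIVATE_KEY` derived from it, which is the path the new branch exists to avoid. Comparing `$(strip $(LOCAL_CERTIFICATE))` in both conditions would make this robust. The comment's "already checked signed" also reads as garbled; `# The magic string "PRESIGNED" means this package is already signed with its release key.` is probably what was meant.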
diff --git a/core/soong_config.mk b/core/soong_config.mk
index 19326dd..48db6b1 100644
--- a/core/soong_config.mk
+++ b/core/soong_config.mk
@@ -58,6 +58,16 @@
 $(call add_json_str,  DeviceSecondaryCpuVariant,         $(TARGET_2ND_CPU_VARIANT))
 $(call add_json_list, DeviceSecondaryAbi,                $(TARGET_2ND_CPU_ABI) $(TARGET_2ND_CPU_ABI2))
 
+$(call add_json_str,  NativeBridgeArch,                  $(TARGET_NATIVE_BRIDGE_ARCH))
+$(call add_json_str,  NativeBridgeArchVariant,           $(TARGET_NATIVE_BRIDGE_ARCH_VARIANT))
+$(call add_json_str,  NativeBridgeCpuVariant,            $(TARGET_NATIVE_BRIDGE_CPU_VARIANT))
+$(call add_json_list, NativeBridgeAbi,                   $(TARGET_NATIVE_BRIDGE_ABI))
+
+$(call add_json_str,  NativeBridgeSecondaryArch,         $(TARGET_NATIVE_BRIDGE_2ND_ARCH))
+$(call add_json_str,  NativeBridgeSecondaryArchVariant,  $(TARGET_NATIVE_BRIDGE_2ND_ARCH_VARIANT))
+$(call add_json_str,  NativeBridgeSecondaryCpuVariant,   $(TARGET_NATIVE_BRIDGE_2ND_CPU_VARIANT))
+$(call add_json_list, NativeBridgeSecondaryAbi,          $(TARGET_NATIVE_BRIDGE_2ND_ABI))
+
 $(call add_json_str,  HostArch,                          $(HOST_ARCH))
 $(call add_json_str,  HostSecondaryArch,                 $(HOST_2ND_ARCH))
 $(call add_json_bool, HostStaticBinaries,                $(BUILD_HOST_static))
diff --git a/target/board/BoardConfigEmuCommon.mk b/target/board/BoardConfigEmuCommon.mk
index c871d7e..9ec71d0 100644
--- a/target/board/BoardConfigEmuCommon.mk
+++ b/target/board/BoardConfigEmuCommon.mk
@@ -26,7 +26,7 @@
 # ~140 MB vendor image. Please adjust system image / vendor image sizes
 # when finalizing them. The partition size needs to be a multiple of image
 # block size: 4096.
-BOARD_VENDORIMAGE_PARTITION_SIZE := 140963840
+BOARD_VENDORIMAGE_PARTITION_SIZE := 146800640
 BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE := ext4
 BOARD_FLASH_BLOCK_SIZE := 512
 DEVICE_MATRIX_FILE   := device/generic/goldfish/compatibility_matrix.xml
diff --git a/target/product/runtime_libart.mk b/target/product/runtime_libart.mk
index a88ba3c..5db32f2 100644
--- a/target/product/runtime_libart.mk
+++ b/target/product/runtime_libart.mk
@@ -96,4 +96,4 @@
 PRODUCT_SYSTEM_DEFAULT_PROPERTIES += \
     ro.iorapd.enable=false
 
-PRODUCT_USES_ART := true
+PRODUCT_USES_DEFAULT_ART_CONFIG := true
diff --git a/target/product/security/Android.bp b/target/product/security/Android.bp
new file mode 100644
index 0000000..080706b
--- /dev/null
+++ b/target/product/security/Android.bp
@@ -0,0 +1,5 @@
+// AOSP test certificate
+android_app_certificate {
+    name: "aosp-testkey",
+    certificate: "testkey",
+}
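Review bot: The comment on `aosp-testkey` does not say that the key is for test builds only, and a named `android_app_certificate` module can be referenced from any app module. I would expand it to something like `// AOSP test certificate. Test key only: anything signed with it must be re-signed with release keys before shipping.` so the restriction is stated where the module is defined.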
diff --git a/tools/releasetools/add_img_to_target_files.py b/tools/releasetools/add_img_to_target_files.py
index 4af10ca..99ffa31 100755
--- a/tools/releasetools/add_img_to_target_files.py
+++ b/tools/releasetools/add_img_to_target_files.py
@@ -113,7 +113,7 @@
 
   Returns:
     (which, care_map_ranges): care_map_ranges is the raw string of the care_map
-    RangeSet; or an empty list.
+    RangeSet; or None.
   """
   assert which in common.PARTITIONS_WITH_CARE_MAP
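Review bot: The revised Returns text reads as if only `care_map_ranges` can be None, but the next hunk makes the function return a bare `None` instead of the pair when `<which>_image_size` is missing from `OPTIONS.info_dict`. I would word it as `(which, care_map_ranges): ...; or None if the image size of the partition is not available.` so callers know to test the whole return value. The function body starts and ends outside this hunk.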
 
@@ -123,7 +123,7 @@
   # invalid reads.
   image_size = OPTIONS.info_dict.get(which + "_image_size")
   if not image_size:
-    return []
+    return None
 
   image_blocks = int(image_size) / 4096 - 1
   assert image_blocks > 0, "blocks for {} must be positive".format(which)
@@ -592,7 +592,11 @@
         OPTIONS.info_dict.get(avb_hashtree_enable) == "true"):
       image_path = image_paths[partition]
       assert os.path.exists(image_path)
-      care_map_list += GetCareMap(partition, image_path)
+
+      care_map = GetCareMap(partition, image_path)
+      if not care_map:
+        continue
+      care_map_list += care_map
 
       # adds fingerprint field to the care_map
       build_props = OPTIONS.info_dict.get(partition + ".build.prop", {})
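Review bot: The new `continue` drops a partition from the care map without leaving any trace in the output. This branch is only reached for partitions with verity or AVB hashtree enabled, and as I understand it the care map drives the post-update read-back of those blocks, so a missing `<partition>_image_size` entry silently loses that coverage. A log line naming the partition just before the `continue`, using whatever logging this module already has in scope, would make the skip visible to whoever builds the package. The enclosing loop starts and ends outside the hunk.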
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 7b5f000..d25ae0c 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -558,6 +558,13 @@
     # System properties.
     elif filename in ("SYSTEM/build.prop",
                       "VENDOR/build.prop",
+                      "SYSTEM/vendor/build.prop",
+                      "ODM/build.prop",
+                      "VENDOR/odm/build.prop",
+                      "PRODUCT/build.prop",
+                      "SYSTEM/product/build.prop",
+                      "PRODUCT_SERVICES/build.prop",
+                      "SYSTEM/product_services/build.prop",
                       "SYSTEM/etc/prop.default",
                       "BOOT/RAMDISK/prop.default",
                       "BOOT/RAMDISK/default.prop",  # legacy
@@ -752,8 +759,8 @@
     original_line = line
     if line and line[0] != '#' and "=" in line:
       key, value = line.split("=", 1)
-      if key in ("ro.build.fingerprint", "ro.build.thumbprint",
-                 "ro.vendor.build.fingerprint", "ro.vendor.build.thumbprint"):
+      if (key.startswith("ro.") and
+          key.endswith((".build.fingerprint", ".build.thumbprint"))):
         pieces = value.split("/")
         pieces[-1] = EditTags(pieces[-1])
         value = "/".join(pieces)
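Review bot: The widened condition has no comment saying which keys it is meant to cover, and it is broader than the partition list in the tests. `key.startswith("ro.") and key.endswith((".build.fingerprint", ".build.thumbprint"))` accepts any number of components in between, and it matches plain `ro.build.fingerprint` only because prefix and suffix share the dot. A comment such as `# Matches ro.build.* and ro.<partition>.build.* (system, vendor, odm, product, product_services, ...).` would record the intent. If only known partitions should have their tags rewritten to release-keys, an explicit tuple of keys would be the tighter choice. The `.build.tags` branch in the next hunk has the same shape.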
@@ -766,7 +773,7 @@
         assert len(pieces) == 5
         pieces[-1] = EditTags(pieces[-1])
         value = " ".join(pieces)
-      elif key == "ro.build.tags":
+      elif key.startswith("ro.") and key.endswith(".build.tags"):
         value = EditTags(value)
       elif key == "ro.build.display.id":
         # change, eg, "JWR66N dev-keys" to "JWR66N"
diff --git a/tools/releasetools/test_add_img_to_target_files.py b/tools/releasetools/test_add_img_to_target_files.py
index 422262c..08e0190 100644
--- a/tools/releasetools/test_add_img_to_target_files.py
+++ b/tools/releasetools/test_add_img_to_target_files.py
@@ -283,6 +283,35 @@
 
     self._verifyCareMap(expected, care_map_file)
 
+  @test_utils.SkipIfExternalToolsUnavailable()
+  def test_AddCareMapForAbOta_skipPartition(self):
+    image_paths = self._test_AddCareMapForAbOta()
+
+    # Remove vendor_image_size to invalidate the care_map for vendor.img.
+    del OPTIONS.info_dict['vendor_image_size']
+
+    AddCareMapForAbOta(None, ['system', 'vendor'], image_paths)
+
+    care_map_file = os.path.join(OPTIONS.input_tmp, 'META', 'care_map.pb')
+    expected = ['system', RangeSet("0-5 10-15").to_string_raw(),
+                "ro.system.build.fingerprint",
+                "google/sailfish/12345:user/dev-keys"]
+
+    self._verifyCareMap(expected, care_map_file)
+
+  @test_utils.SkipIfExternalToolsUnavailable()
+  def test_AddCareMapForAbOta_skipAllPartitions(self):
+    image_paths = self._test_AddCareMapForAbOta()
+
+    # Remove the image_size properties for all the partitions.
+    del OPTIONS.info_dict['system_image_size']
+    del OPTIONS.info_dict['vendor_image_size']
+
+    AddCareMapForAbOta(None, ['system', 'vendor'], image_paths)
+
+    self.assertFalse(
+        os.path.exists(os.path.join(OPTIONS.input_tmp, 'META', 'care_map.pb')))
+
   def test_AddCareMapForAbOta_verityNotEnabled(self):
     """No care_map.pb should be generated if verity not enabled."""
     image_paths = self._test_AddCareMapForAbOta()
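Review bot: The two new tests have no docstring, while the neighbouring `test_AddCareMapForAbOta_verityNotEnabled` states its expectation in one. Adding `"""Partitions without image size info are left out of care_map.pb."""` and `"""No care_map.pb should be generated if no partition has image size info."""` would match it. Both tests also `del` keys from the shared `OPTIONS.info_dict`; I cannot see from this hunk whether `_test_AddCareMapForAbOta()` rebuilds that dict on each call, so it is worth confirming that test order cannot matter.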
diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py
index a7bf977..e142ebb 100644
--- a/tools/releasetools/test_sign_target_files_apks.py
+++ b/tools/releasetools/test_sign_target_files_apks.py
@@ -53,36 +53,60 @@
 
   def test_RewriteProps(self):
     props = (
-        ('', '\n'),
+        ('', ''),
         ('ro.build.fingerprint=foo/bar/dev-keys',
-         'ro.build.fingerprint=foo/bar/release-keys\n'),
+         'ro.build.fingerprint=foo/bar/release-keys'),
         ('ro.build.thumbprint=foo/bar/dev-keys',
-         'ro.build.thumbprint=foo/bar/release-keys\n'),
+         'ro.build.thumbprint=foo/bar/release-keys'),
         ('ro.vendor.build.fingerprint=foo/bar/dev-keys',
-         'ro.vendor.build.fingerprint=foo/bar/release-keys\n'),
+         'ro.vendor.build.fingerprint=foo/bar/release-keys'),
         ('ro.vendor.build.thumbprint=foo/bar/dev-keys',
-         'ro.vendor.build.thumbprint=foo/bar/release-keys\n'),
-        ('# comment line 1', '# comment line 1\n'),
+         'ro.vendor.build.thumbprint=foo/bar/release-keys'),
+        ('ro.odm.build.fingerprint=foo/bar/test-keys',
+         'ro.odm.build.fingerprint=foo/bar/release-keys'),
+        ('ro.odm.build.thumbprint=foo/bar/test-keys',
+         'ro.odm.build.thumbprint=foo/bar/release-keys'),
+        ('ro.product.build.fingerprint=foo/bar/dev-keys',
+         'ro.product.build.fingerprint=foo/bar/release-keys'),
+        ('ro.product.build.thumbprint=foo/bar/dev-keys',
+         'ro.product.build.thumbprint=foo/bar/release-keys'),
+        ('ro.product_services.build.fingerprint=foo/bar/test-keys',
+         'ro.product_services.build.fingerprint=foo/bar/release-keys'),
+        ('ro.product_services.build.thumbprint=foo/bar/test-keys',
+         'ro.product_services.build.thumbprint=foo/bar/release-keys'),
+        ('# comment line 1', '# comment line 1'),
         ('ro.bootimage.build.fingerprint=foo/bar/dev-keys',
-         'ro.bootimage.build.fingerprint=foo/bar/release-keys\n'),
+         'ro.bootimage.build.fingerprint=foo/bar/release-keys'),
         ('ro.build.description='
          'sailfish-user 8.0.0 OPR6.170623.012 4283428 dev-keys',
          'ro.build.description='
-         'sailfish-user 8.0.0 OPR6.170623.012 4283428 release-keys\n'),
-        ('ro.build.tags=dev-keys', 'ro.build.tags=release-keys\n'),
-        ('# comment line 2', '# comment line 2\n'),
+         'sailfish-user 8.0.0 OPR6.170623.012 4283428 release-keys'),
+        ('ro.build.tags=dev-keys', 'ro.build.tags=release-keys'),
+        ('ro.build.tags=test-keys', 'ro.build.tags=release-keys'),
+        ('ro.system.build.tags=dev-keys',
+         'ro.system.build.tags=release-keys'),
+        ('ro.vendor.build.tags=dev-keys',
+         'ro.vendor.build.tags=release-keys'),
+        ('ro.odm.build.tags=dev-keys',
+         'ro.odm.build.tags=release-keys'),
+        ('ro.product.build.tags=dev-keys',
+         'ro.product.build.tags=release-keys'),
+        ('ro.product_services.build.tags=dev-keys',
+         'ro.product_services.build.tags=release-keys'),
+        ('# comment line 2', '# comment line 2'),
         ('ro.build.display.id=OPR6.170623.012 dev-keys',
-         'ro.build.display.id=OPR6.170623.012\n'),
-        ('# comment line 3', '# comment line 3\n'),
+         'ro.build.display.id=OPR6.170623.012'),
+        ('# comment line 3', '# comment line 3'),
     )
 
     # Assert the case for each individual line.
-    for prop, output in props:
-      self.assertEqual(RewriteProps(prop), output)
+    for prop, expected in props:
+      self.assertEqual(expected + '\n', RewriteProps(prop))
 
     # Concatenate all the input lines.
-    self.assertEqual(RewriteProps('\n'.join([prop[0] for prop in props])),
-                     ''.join([prop[1] for prop in props]))
+    self.assertEqual(
+        '\n'.join([prop[1] for prop in props]) + '\n',
+        RewriteProps('\n'.join([prop[0] for prop in props])))
 
   def test_ReplaceVerityKeyId(self):
     BOOT_CMDLINE1 = (
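Review bot: Every tuple added to `props` is a key that should be rewritten, so the table does not pin where the widened `ro.*.build.*` match stops. I would add one or two entries that must come back unchanged, for example the constructed pair `('persist.build.tags=dev-keys', 'persist.build.tags=dev-keys')`, assuming no other branch of `RewriteProps` touches such a key. A later loosening of the prefix check would then fail this test instead of silently relabelling more properties as release-keys.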
diff --git a/tools/releasetools/verity_utils.py b/tools/releasetools/verity_utils.py
index 3a58755..3063800 100644
--- a/tools/releasetools/verity_utils.py
+++ b/tools/releasetools/verity_utils.py
@@ -52,7 +52,7 @@
 
 
 def GetVerityMetadataSize(image_size):
-  cmd = ["build_verity_metadata.py", "size", str(image_size)]
+  cmd = ["build_verity_metadata", "size", str(image_size)]
   output = common.RunAndCheckOutput(cmd, verbose=False)
   return int(output)
 
@@ -97,7 +97,7 @@
 def BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt,
                         block_device, signer_path, key, signer_args,
                         verity_disable):
-  cmd = ["build_verity_metadata.py", "build", str(image_size),
+  cmd = ["build_verity_metadata", "build", str(image_size),
          verity_metadata_path, root_hash, salt, block_device, signer_path, key]
   if signer_args:
     cmd.append("--signer_args=\"%s\"" % (' '.join(signer_args),))