Build otacerts as a module.
Bug: 30414428
Test: `m -j dist` with aosp_taimen-userdebug. Check
/system/etc/security/otacerts.zip available under system and
recovery images.
Change-Id: I5abeb2da441fb3e3231e094063c2383eb3807852
Merged-In: I5abeb2da441fb3e3231e094063c2383eb3807852
diff --git a/core/Makefile b/core/Makefile
index 6602a29..ca3c827 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -1248,42 +1248,6 @@
$(hide) mkdir -p $(dir $@)
$(hide) $(ACP) $< $@
-# -----------------------------------------------------------------
-# Build a keystore with the authorized keys in it, used to verify the
-# authenticity of downloaded OTA packages.
-#
-# This rule adds to ALL_DEFAULT_INSTALLED_MODULES, so it needs to come
-# before the rules that use that variable to build the image.
-ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_OUT_ETC)/security/otacerts.zip
-$(TARGET_OUT_ETC)/security/otacerts.zip: PRIVATE_CERT := $(DEFAULT_KEY_CERT_PAIR).x509.pem
-$(TARGET_OUT_ETC)/security/otacerts.zip: $(SOONG_ZIP)
-$(TARGET_OUT_ETC)/security/otacerts.zip: $(DEFAULT_KEY_CERT_PAIR).x509.pem
- $(hide) rm -f $@
- $(hide) mkdir -p $(dir $@)
- $(hide) $(SOONG_ZIP) -o $@ -C $(dir $(PRIVATE_CERT)) -f $(PRIVATE_CERT)
-
-# Carry the public key for update_engine if it's a non-IoT target that
-# uses the AB updater. We use the same key as otacerts but in RSA public key
-# format.
-ifeq ($(AB_OTA_UPDATER),true)
-ifneq ($(PRODUCT_IOT),true)
-ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem
-$(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem: $(DEFAULT_KEY_CERT_PAIR).x509.pem
- $(hide) rm -f $@
- $(hide) mkdir -p $(dir $@)
- $(hide) openssl x509 -pubkey -noout -in $< > $@
-
-ALL_DEFAULT_INSTALLED_MODULES += \
- $(TARGET_RECOVERY_ROOT_OUT)/system/etc/update_engine/update-payload-key.pub.pem
-$(TARGET_RECOVERY_ROOT_OUT)/system/etc/update_engine/update-payload-key.pub.pem: \
- $(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem
- $(hide) cp -f $< $@
-endif
-endif
-
-.PHONY: otacerts
-otacerts: $(TARGET_OUT_ETC)/security/otacerts.zip
-
# #################################################################
# Targets for user images
@@ -1848,22 +1812,6 @@
INTERNAL_RECOVERYIMAGE_ARGS += --dtb $(INSTALLED_DTBIMAGE_TARGET)
endif
-# Keys authorized to sign OTA packages this build will accept. The
-# build always uses dev-keys for this; release packaging tools will
-# substitute other keys for this one.
-OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
-
-# Generate a file containing the keys that will be read by the
-# recovery binary.
-RECOVERY_INSTALL_OTA_KEYS := \
- $(call intermediates-dir-for,PACKAGING,ota_keys)/otacerts.zip
-$(RECOVERY_INSTALL_OTA_KEYS): PRIVATE_OTA_PUBLIC_KEYS := $(OTA_PUBLIC_KEYS)
-$(RECOVERY_INSTALL_OTA_KEYS): extra_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
-$(RECOVERY_INSTALL_OTA_KEYS): $(SOONG_ZIP) $(OTA_PUBLIC_KEYS) $(extra_keys)
- $(hide) rm -f $@
- $(hide) mkdir -p $(dir $@)
- $(hide) $(SOONG_ZIP) -o $@ $(foreach key_file, $(PRIVATE_OTA_PUBLIC_KEYS) $(extra_keys), -C $(dir $(key_file)) -f $(key_file))
-
RECOVERYIMAGE_ID_FILE := $(PRODUCT_OUT)/recovery.id
# $(1): output file
@@ -1895,8 +1843,6 @@
cp -f $(item) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.fstab)
$(if $(strip $(recovery_wipe)), \
$(hide) cp -f $(recovery_wipe) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/recovery.wipe)
- $(hide) mkdir -p $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security
- $(hide) cp $(RECOVERY_INSTALL_OTA_KEYS) $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security/otacerts.zip
$(hide) ln -sf prop.default $(TARGET_RECOVERY_ROOT_OUT)/default.prop
$(BOARD_RECOVERY_IMAGE_PREPARE)
$(hide) $(MKBOOTFS) -d $(TARGET_OUT) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk)
@@ -1953,7 +1899,6 @@
$(INSTALLED_RECOVERY_BUILD_PROP_TARGET) \
$(recovery_resource_deps) \
$(recovery_fstab) \
- $(RECOVERY_INSTALL_OTA_KEYS) \
$(BOARD_RECOVERY_KERNEL_MODULES) \
$(DEPMOD)
$(call pretty,"Target boot image from recovery: $@")
@@ -1984,7 +1929,6 @@
$(INSTALLED_RECOVERY_BUILD_PROP_TARGET) \
$(recovery_resource_deps) \
$(recovery_fstab) \
- $(RECOVERY_INSTALL_OTA_KEYS) \
$(BOARD_RECOVERY_KERNEL_MODULES) \
$(DEPMOD)
$(call build-recoveryimage-target, $@)
diff --git a/target/product/base_system.mk b/target/product/base_system.mk
index 46bf350..e9e8b49 100644
--- a/target/product/base_system.mk
+++ b/target/product/base_system.mk
@@ -210,6 +210,7 @@
netd \
NetworkStack \
org.apache.http.legacy \
+ otacerts \
perfetto \
ping \
ping6 \
diff --git a/target/product/base_vendor.mk b/target/product/base_vendor.mk
index bf01957..c45f870 100644
--- a/target/product/base_vendor.mk
+++ b/target/product/base_vendor.mk
@@ -23,6 +23,7 @@
init_second_stage.recovery \
ld.config.recovery.txt \
linker.recovery \
+ otacerts.recovery \
recovery \
shell_and_utilities_recovery \
watchdogd.recovery \
diff --git a/target/product/security/Android.mk b/target/product/security/Android.mk
index 4142ea9..1d695ae 100644
--- a/target/product/security/Android.mk
+++ b/target/product/security/Android.mk
@@ -23,3 +23,40 @@
include $(BUILD_PREBUILT)
endif
endif
+
+
+#######################################
+# otacerts: A keystore with the authorized keys in it, which is used to verify the authenticity of
+# downloaded OTA packages.
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := otacerts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_STEM := otacerts.zip
+LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
+include $(BUILD_SYSTEM)/base_rules.mk
+$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+$(LOCAL_BUILT_MODULE): $(SOONG_ZIP) $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+ $(SOONG_ZIP) -o $@ -j -f $(PRIVATE_CERT)
+
+
+#######################################
+# otacerts for recovery image.
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := otacerts.recovery
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_STEM := otacerts.zip
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security
+include $(BUILD_SYSTEM)/base_rules.mk
+
+extra_recovery_keys := $(patsubst %,%.x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_RECOVERY_KEYS := $(extra_recovery_keys)
+$(LOCAL_BUILT_MODULE): \
+ $(SOONG_ZIP) \
+ $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
+ $(extra_recovery_keys)
+ $(SOONG_ZIP) -o $@ -j \
+ $(foreach key_file, $(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS), -f $(key_file))