Merge "Revert "VNDK library list uses installed name""
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 4e06d80..97fea05 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -678,6 +678,13 @@
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/apex)
+# Migrate preopt files to system_other for some devices
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/*/*app/*/oat)
+
+# Remove Android Core Library artifacts from the system partition, now
+# that they live in the ART APEX (b/142944799).
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/framework/*.jar)
+
# ************************************************
# NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST
# ************************************************
diff --git a/core/Makefile b/core/Makefile
index c9b478e..6bb94cb 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -2154,6 +2154,7 @@
$(error MTD device is no longer supported and thus BOARD_NAND_SPARE_SIZE is deprecated.)
endif
+ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true)
# -----------------------------------------------------------------
# the debug ramdisk, which is the original ramdisk plus additional
# files: force_debuggable, adb_debug.prop and userdebug sepolicy.
@@ -2250,41 +2251,116 @@
# Using a test key to sign boot-debug.img to continue booting with the mismatched
# public key, if the device is unlocked.
ifneq ($(BOARD_AVB_BOOT_KEY_PATH),)
-BOARD_AVB_DEBUG_BOOT_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
-$(INSTALLED_DEBUG_BOOTIMAGE_TARGET): PRIVATE_AVB_DEBUG_BOOT_SIGNING_ARGS := \
- --algorithm SHA256_RSA2048 --key $(BOARD_AVB_DEBUG_BOOT_KEY_PATH)
-$(INSTALLED_DEBUG_BOOTIMAGE_TARGET): $(AVBTOOL) $(BOARD_AVB_DEBUG_BOOT_KEY_PATH)
+$(INSTALLED_DEBUG_BOOTIMAGE_TARGET): $(AVBTOOL) $(BOARD_AVB_BOOT_TEST_KEY_PATH)
endif
+BOARD_AVB_BOOT_TEST_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
+INTERNAL_AVB_BOOT_TEST_SIGNING_ARGS := --algorithm SHA256_RSA2048 --key $(BOARD_AVB_BOOT_TEST_KEY_PATH)
+# $(1): the bootimage to sign
+define test-key-sign-bootimage
+$(call assert-max-image-size,$(1),$(call get-hash-image-max-size,$(BOARD_BOOTIMAGE_PARTITION_SIZE)))
+$(AVBTOOL) add_hash_footer \
+ --image $(1) \
+ --partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \
+ --partition_name boot $(INTERNAL_AVB_BOOT_TEST_SIGNING_ARGS) \
+ $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)
+$(call assert-max-image-size,$(1),$(BOARD_BOOTIMAGE_PARTITION_SIZE))
+endef
+
# Depends on original boot.img and ramdisk-debug.img, to build the new boot-debug.img
$(INSTALLED_DEBUG_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(INSTALLED_BOOTIMAGE_TARGET) $(INSTALLED_DEBUG_RAMDISK_TARGET)
$(call pretty,"Target boot debug image: $@")
$(MKBOOTIMG) $(INTERNAL_DEBUG_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $@
- $(if $(BOARD_AVB_BOOT_KEY_PATH),\
- $(call assert-max-image-size,$@,$(call get-hash-image-max-size,$(BOARD_BOOTIMAGE_PARTITION_SIZE))); \
- $(AVBTOOL) add_hash_footer \
- --image $@ \
- --partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \
- --partition_name boot $(PRIVATE_AVB_DEBUG_BOOT_SIGNING_ARGS) \
- $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS), \
- $(call assert-max-image-size,$@,$(BOARD_BOOTIMAGE_PARTITION_SIZE)))
+ $(if $(BOARD_AVB_BOOT_KEY_PATH),$(call test-key-sign-bootimage,$@))
.PHONY: bootimage_debug-nodeps
bootimage_debug-nodeps: $(MKBOOTIMG)
echo "make $@: ignoring dependencies"
$(MKBOOTIMG) $(INTERNAL_DEBUG_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(INSTALLED_DEBUG_BOOTIMAGE_TARGET)
- $(if $(BOARD_AVB_BOOT_KEY_PATH),\
- $(call assert-max-image-size,$(INSTALLED_DEBUG_BOOTIMAGE_TARGET),$(call get-hash-image-max-size,$(BOARD_BOOTIMAGE_PARTITION_SIZE))); \
- $(AVBTOOL) add_hash_footer \
- --image $(INSTALLED_DEBUG_BOOTIMAGE_TARGET) \
- --partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \
- --partition_name boot $(PRIVATE_AVB_DEBUG_BOOT_SIGNING_ARGS) \
- $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS), \
- $(call assert-max-image-size,$(INSTALLED_DEBUG_BOOTIMAGE_TARGET),$(BOARD_BOOTIMAGE_PARTITION_SIZE)))
+ $(if $(BOARD_AVB_BOOT_KEY_PATH),$(call test-key-sign-bootimage,$(INSTALLED_DEBUG_BOOTIMAGE_TARGET)))
endif # TARGET_NO_KERNEL
# -----------------------------------------------------------------
+# The test harness ramdisk, which is based off debug_ramdisk, plus a
+# few additional test-harness-specific properties in adb_debug.prop.
+
+ifdef BUILDING_RAMDISK_IMAGE
+BUILT_TEST_HARNESS_RAMDISK_TARGET := $(PRODUCT_OUT)/ramdisk-test-harness.img
+INSTALLED_TEST_HARNESS_RAMDISK_TARGET := $(BUILT_TEST_HARNESS_RAMDISK_TARGET)
+
+# rsync the content from ramdisk-debug.img to ramdisk-test-harness.img, then
+# appends a few test harness specific properties into the adb_debug.prop.
+TEST_HARNESS_RAMDISK_SYNC_DIR := $(PRODUCT_OUT)/debug_ramdisk
+TEST_HARNESS_RAMDISK_ROOT_DIR := $(PRODUCT_OUT)/test_harness_ramdisk
+
+# The following TARGET_TEST_HARNESS_RAMDISK_OUT will be $(PRODUCT_OUT)/test_harness_ramdisk/first_stage_ramdisk,
+# if BOARD_USES_RECOVERY_AS_BOOT is true. Otherwise, it will be $(PRODUCT_OUT)/test_harness_ramdisk.
+TEST_HARNESS_PROP_TARGET := $(TARGET_TEST_HARNESS_RAMDISK_OUT)/adb_debug.prop
+ADDITIONAL_TEST_HARNESS_PROPERTIES := ro.audio.silent=1
+ADDITIONAL_TEST_HARNESS_PROPERTIES += ro.test_harness=1
+
+# $(1): a list of key=value pairs for additional property assignments
+# $(2): the target .prop file to append the properties from $(1)
+define append-test-harness-props
+ echo "#" >> $(2); \
+ echo "# ADDITIONAL TEST HARNESS_PROPERTIES" >> $(2); \
+ echo "#" >> $(2);
+ $(foreach line,$(1), echo "$(line)" >> $(2);)
+endef
+
+$(INSTALLED_TEST_HARNESS_RAMDISK_TARGET): $(INSTALLED_DEBUG_RAMDISK_TARGET)
+$(INSTALLED_TEST_HARNESS_RAMDISK_TARGET): $(MKBOOTFS) $(INTERNAL_TEST_HARNESS_RAMDISK_FILES) | $(MINIGZIP)
+ $(call pretty,"Target test harness ram disk: $@")
+ rsync -a $(TEST_HARNESS_RAMDISK_SYNC_DIR)/ $(TEST_HARNESS_RAMDISK_ROOT_DIR)
+ $(call append-test-harness-props,$(ADDITIONAL_TEST_HARNESS_PROPERTIES),$(TEST_HARNESS_PROP_TARGET))
+ $(MKBOOTFS) -d $(TARGET_OUT) $(TEST_HARNESS_RAMDISK_ROOT_DIR) | $(MINIGZIP) > $@
+
+.PHONY: ramdisk_test_harness-nodeps
+ramdisk_test_harness-nodeps: $(MKBOOTFS) | $(MINIGZIP)
+ echo "make $@: ignoring dependencies"
+ rsync -a $(TEST_HARNESS_RAMDISK_SYNC_DIR)/ $(TEST_HARNESS_RAMDISK_ROOT_DIR)
+ $(call append-test-harness-props,$(ADDITIONAL_TEST_HARNESS_PROPERTIES),$(TEST_HARNESS_PROP_TARGET))
+ $(MKBOOTFS) -d $(TARGET_OUT) $(TEST_HARNESS_RAMDISK_ROOT_DIR) | $(MINIGZIP) > $(INSTALLED_TEST_HARNESS_RAMDISK_TARGET)
+
+endif # BUILDING_RAMDISK_IMAGE
+
+# -----------------------------------------------------------------
+# the boot-test-harness.img, which is the kernel plus ramdisk-test-harness.img
+#
+# Note: it's intentional to skip signing for boot-test-harness.img, because it
+# can only be used if the device is unlocked with verification error.
+ifneq ($(strip $(TARGET_NO_KERNEL)),true)
+
+INSTALLED_TEST_HARNESS_BOOTIMAGE_TARGET := $(PRODUCT_OUT)/boot-test-harness.img
+
+# Replace ramdisk-debug.img in $(MKBOOTIMG) ARGS with ramdisk-test-harness.img to build boot-test-harness.img
+INTERNAL_TEST_HARNESS_BOOTIMAGE_ARGS := $(subst $(INSTALLED_DEBUG_RAMDISK_TARGET),$(INSTALLED_TEST_HARNESS_RAMDISK_TARGET),$(INTERNAL_DEBUG_BOOTIMAGE_ARGS))
+
+# If boot.img is chained but boot-test-harness.img is not signed, libavb in bootloader
+# will fail to find valid AVB metadata from the end of /boot, thus stop booting.
+# Using a test key to sign boot-test-harness.img to continue booting with the mismatched
+# public key, if the device is unlocked.
+ifneq ($(BOARD_AVB_BOOT_KEY_PATH),)
+$(INSTALLED_TEST_HARNESS_BOOTIMAGE_TARGET): $(AVBTOOL) $(BOARD_AVB_BOOT_TEST_KEY_PATH)
+endif
+
+# Build the new boot-test-harness.img, based on boot-debug.img and ramdisk-test-harness.img.
+$(INSTALLED_TEST_HARNESS_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(INSTALLED_DEBUG_BOOTIMAGE_TARGET) $(INSTALLED_TEST_HARNESS_RAMDISK_TARGET)
+ $(call pretty,"Target boot test harness image: $@")
+ $(MKBOOTIMG) $(INTERNAL_TEST_HARNESS_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $@
+ $(if $(BOARD_AVB_BOOT_KEY_PATH),$(call test-key-sign-bootimage,$@))
+
+.PHONY: bootimage_test_harness-nodeps
+bootimage_test_harness-nodeps: $(MKBOOTIMG)
+ echo "make $@: ignoring dependencies"
+ $(MKBOOTIMG) $(INTERNAL_TEST_HARNESS_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(INSTALLED_TEST_HARNESS_BOOTIMAGE_TARGET)
+ $(if $(BOARD_AVB_BOOT_KEY_PATH),$(call test-key-sign-bootimage,$(INSTALLED_TEST_HARNESS_BOOTIMAGE_TARGET)))
+
+endif # TARGET_NO_KERNEL
+endif # BOARD_BUILD_SYSTEM_ROOT_IMAGE is not true
+
+# -----------------------------------------------------------------
# system image
#
# Remove overridden packages from $(ALL_PDK_FUSION_FILES)
@@ -2481,7 +2557,7 @@
$(if $(filter $(DEXPREOPT.$(m).INSTALLED_STRIPPED),$(ALL_DEFAULT_INSTALLED_MODULES)),$(m))))
pdk_classes_dex := $(strip \
$(foreach m,$(pdk_odex_javalibs),$(call intermediates-dir-for,JAVA_LIBRARIES,$(m),,COMMON)/javalib.jar) \
- $(foreach m,$(pdk_odex_apps),$(call intermediates-dir-for,APPS,$(m))/package.dex.apk))
+ $(foreach m,$(pdk_odex_apps),$(call intermediates-dir-for,APPS,$(m))/package.apk))
pdk_odex_config_mk := $(PRODUCT_OUT)/pdk_dexpreopt_config.mk
$(pdk_odex_config_mk): PRIVATE_JAVA_LIBRARIES := $(pdk_odex_javalibs)
@@ -2499,7 +2575,7 @@
$(hide) echo "PDK.DEXPREOPT.$(m).DEX_PREOPT_FLAGS:=$(DEXPREOPT.$(m).DEX_PREOPT_FLAGS)" >> $@$(newline)\
)
$(foreach m,$(PRIVATE_APPS),\
- $(hide) echo "PDK.DEXPREOPT.$(m).SRC:=$(patsubst $(OUT_DIR)/%,%,$(call intermediates-dir-for,APPS,$(m))/package.dex.apk)" >> $@$(newline)\
+ $(hide) echo "PDK.DEXPREOPT.$(m).SRC:=$(patsubst $(OUT_DIR)/%,%,$(call intermediates-dir-for,APPS,$(m))/package.apk)" >> $@$(newline)\
$(hide) echo "PDK.DEXPREOPT.$(m).DEX_PREOPT:=$(DEXPREOPT.$(m).DEX_PREOPT)" >> $@$(newline)\
$(hide) echo "PDK.DEXPREOPT.$(m).MULTILIB:=$(DEXPREOPT.$(m).MULTILIB)" >> $@$(newline)\
$(hide) echo "PDK.DEXPREOPT.$(m).DEX_PREOPT_FLAGS:=$(DEXPREOPT.$(m).DEX_PREOPT_FLAGS)" >> $@$(newline)\
@@ -3213,29 +3289,55 @@
$(error BOARD_AVB_VBMETA_SYSTEM and BOARD_AVB_VBMETA_VENDOR cannot have duplicates)
endif
+# When building a standalone recovery image for non-A/B devices, recovery image must be self-signed
+# to be verified independently, and cannot be chained into vbmeta.img. See the link below for
+# details.
+ifneq ($(AB_OTA_UPDATER),true)
+ifneq ($(INSTALLED_RECOVERYIMAGE_TARGET),)
+$(if $(BOARD_AVB_RECOVERY_KEY_PATH),,\
+ $(error BOARD_AVB_RECOVERY_KEY_PATH must be defined for non-A/B devices. \
+ See https://android.googlesource.com/platform/external/avb/+/master/README.md#booting-into-recovery))
+endif
+endif
+
# Appends os version and security patch level as a AVB property descriptor
BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS += \
+ --prop com.android.build.system.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \
--prop com.android.build.system.os_version:$(PLATFORM_VERSION) \
--prop com.android.build.system.security_patch:$(PLATFORM_SECURITY_PATCH)
BOARD_AVB_PRODUCT_ADD_HASHTREE_FOOTER_ARGS += \
+ --prop com.android.build.product.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \
--prop com.android.build.product.os_version:$(PLATFORM_VERSION) \
--prop com.android.build.product.security_patch:$(PLATFORM_SECURITY_PATCH)
BOARD_AVB_SYSTEM_EXT_ADD_HASHTREE_FOOTER_ARGS += \
+ --prop com.android.build.system_ext.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \
--prop com.android.build.system_ext.os_version:$(PLATFORM_VERSION) \
--prop com.android.build.system_ext.security_patch:$(PLATFORM_SECURITY_PATCH)
BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS += \
+ --prop com.android.build.boot.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \
--prop com.android.build.boot.os_version:$(PLATFORM_VERSION)
+BOARD_AVB_VENDOR_BOOT_ADD_HASH_FOOTER_ARGS += \
+ --prop com.android.build.vendor_boot.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \
+
+BOARD_AVB_RECOVERY_ADD_HASH_FOOTER_ARGS += \
+ --prop com.android.build.recovery.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE)
+
BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS += \
+ --prop com.android.build.vendor.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \
--prop com.android.build.vendor.os_version:$(PLATFORM_VERSION)
BOARD_AVB_ODM_ADD_HASHTREE_FOOTER_ARGS += \
+ --prop com.android.build.odm.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \
--prop com.android.build.odm.os_version:$(PLATFORM_VERSION)
+BOARD_AVB_DTBO_ADD_HASH_FOOTER_ARGS += \
+ --prop com.android.build.dtbo.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE)
+
# The following vendor- and odm-specific images needs explicit SPL set per board.
ifdef BOOT_SECURITY_PATCH
BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS += \
@@ -3282,8 +3384,11 @@
$(eval $(_signing_args) := \
--algorithm $($(_signing_algorithm)) --key $($(_key_path)))
-$(eval INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += \
- --chain_partition $(part):$($(_rollback_index_location)):$(AVB_CHAIN_KEY_DIR)/$(part).avbpubkey)
+# The recovery partition in non-A/B devices should be verified separately. Skip adding the chain
+# partition descriptor for recovery partition into vbmeta.img.
+$(if $(or $(filter true,$(AB_OTA_UPDATER)),$(filter-out recovery,$(part))),\
+ $(eval INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += \
+ --chain_partition $(part):$($(_rollback_index_location)):$(AVB_CHAIN_KEY_DIR)/$(part).avbpubkey))
# Set rollback_index via footer args for non-chained vbmeta image. Chained vbmeta image will pick up
# the index via a separate flag (e.g. BOARD_AVB_VBMETA_SYSTEM_ROLLBACK_INDEX).
@@ -4136,10 +4241,6 @@
$(HOST_OUT_EXECUTABLES)/fs_config \
$(ADD_IMG_TO_TARGET_FILES) \
$(MAKE_RECOVERY_PATCH) \
- $(BUILT_ASSEMBLED_FRAMEWORK_MANIFEST) \
- $(BUILT_ASSEMBLED_VENDOR_MANIFEST) \
- $(BUILT_SYSTEM_MATRIX) \
- $(BUILT_VENDOR_MATRIX) \
$(BUILT_KERNEL_CONFIGS_FILE) \
$(BUILT_KERNEL_VERSION_FILE) \
| $(ACP)
@@ -4402,16 +4503,6 @@
$(hide) $(call fs_config,$(zip_root)/SYSTEM_OTHER,system/) > $(zip_root)/META/system_other_filesystem_config.txt
endif
@# Metadata for compatibility verification.
- $(hide) cp $(BUILT_SYSTEM_MATRIX) $(zip_root)/META/system_matrix.xml
-ifdef BUILT_ASSEMBLED_FRAMEWORK_MANIFEST
- $(hide) cp $(BUILT_ASSEMBLED_FRAMEWORK_MANIFEST) $(zip_root)/META/system_manifest.xml
-endif
-ifdef BUILT_ASSEMBLED_VENDOR_MANIFEST
- $(hide) cp $(BUILT_ASSEMBLED_VENDOR_MANIFEST) $(zip_root)/META/vendor_manifest.xml
-endif
-ifdef BUILT_VENDOR_MATRIX
- $(hide) cp $(BUILT_VENDOR_MATRIX) $(zip_root)/META/vendor_matrix.xml
-endif
ifdef BUILT_KERNEL_CONFIGS_FILE
$(hide) cp $(BUILT_KERNEL_CONFIGS_FILE) $(zip_root)/META/kernel_configs.txt
endif
@@ -4433,9 +4524,8 @@
ifeq ($(PRODUCT_VIRTUAL_AB_OTA),true)
echo "virtual_ab=true" >> $(zip_root)/META/dynamic_partitions_info.txt
endif # PRODUCT_VIRTUAL_AB_OTA
- @# TODO(b/134525174): Remove `-r` after addressing the issue with recovery patch generation.
- $(hide) PATH=$(INTERNAL_USERIMAGES_BINARY_PATHS):$$PATH MKBOOTIMG=$(MKBOOTIMG) \
- $(ADD_IMG_TO_TARGET_FILES) -a -r -v -p $(HOST_OUT) $(zip_root)
+ PATH=$(INTERNAL_USERIMAGES_BINARY_PATHS):$$PATH MKBOOTIMG=$(MKBOOTIMG) \
+ $(ADD_IMG_TO_TARGET_FILES) -a -v -p $(HOST_OUT) $(zip_root)
ifeq ($(BUILD_QEMU_IMAGES),true)
$(hide) AVBTOOL=$(AVBTOOL) $(MK_VBMETA_BOOT_KERNEL_CMDLINE_SH) $(zip_root)/IMAGES/vbmeta.img \
$(zip_root)/IMAGES/system.img $(zip_root)/IMAGES/VerifiedBootParams.textproto
@@ -4976,6 +5066,7 @@
$(target_notice_file_txt) \
$(tools_notice_file_txt) \
$(OUT_DOCS)/offline-sdk-timestamp \
+ $(SDK_METADATA_FILES) \
$(SYMBOLS_ZIP) \
$(COVERAGE_ZIP) \
$(APPCOMPAT_ZIP) \
diff --git a/core/app_prebuilt_internal.mk b/core/app_prebuilt_internal.mk
index 399d173..ce554c9 100644
--- a/core/app_prebuilt_internal.mk
+++ b/core/app_prebuilt_internal.mk
@@ -215,17 +215,6 @@
$(LOCAL_BUILT_MODULE): PRIVATE_INSTALLED_MODULE := $(LOCAL_INSTALLED_MODULE)
endif
-ifneq ($(BUILD_PLATFORM_ZIP),)
-$(built_module) : .KATI_IMPLICIT_OUTPUTS := $(dir $(LOCAL_BUILT_MODULE))package.dex.apk
-endif
-ifneq ($(LOCAL_CERTIFICATE),PRESIGNED)
-ifdef LOCAL_DEX_PREOPT
-$(built_module) : PRIVATE_STRIP_SCRIPT := $(intermediates)/strip.sh
-$(built_module) : $(intermediates)/strip.sh
-$(built_module) : | $(DEXPREOPT_STRIP_DEPS)
-$(built_module) : .KATI_DEPFILE := $(built_module).d
-endif
-endif
ifeq ($(module_run_appcompat),true)
$(built_module) : $(AAPT2)
endif
@@ -235,23 +224,11 @@
ifeq (true, $(LOCAL_UNCOMPRESS_DEX))
$(uncompress-dexs)
endif # LOCAL_UNCOMPRESS_DEX
-ifdef LOCAL_DEX_PREOPT
-ifneq ($(BUILD_PLATFORM_ZIP),)
- @# Keep a copy of apk with classes.dex unstripped
- $(hide) cp -f $@ $(dir $@)package.dex.apk
-endif # BUILD_PLATFORM_ZIP
-endif # LOCAL_DEX_PREOPT
ifneq ($(LOCAL_CERTIFICATE),PRESIGNED)
- @# Only strip out files if we can re-sign the package.
-# Run appcompat before stripping the classes.dex file.
ifeq ($(module_run_appcompat),true)
$(call appcompat-header, aapt2)
$(run-appcompat)
endif # module_run_appcompat
-ifdef LOCAL_DEX_PREOPT
- mv -f $@ $@.tmp
- $(PRIVATE_STRIP_SCRIPT) $@.tmp $@
-endif # LOCAL_DEX_PREOPT
$(sign-package)
# No need for align-package because sign-package takes care of alignment
else # LOCAL_CERTIFICATE == PRESIGNED
diff --git a/core/binary.mk b/core/binary.mk
index d9763f9..51259b2 100644
--- a/core/binary.mk
+++ b/core/binary.mk
@@ -120,8 +120,6 @@
$(error $(LOCAL_PATH): LOCAL_SDK_VERSION cannot be used in host module)
endif
- my_cflags += -D__ANDROID_NDK__
-
# Make sure we've built the NDK.
my_additional_dependencies += $(SOONG_OUT_DIR)/ndk_base.timestamp
diff --git a/core/board_config.mk b/core/board_config.mk
index 3127c19..4c128f1 100644
--- a/core/board_config.mk
+++ b/core/board_config.mk
@@ -87,6 +87,7 @@
_build_broken_var_list := \
BUILD_BROKEN_DUP_RULES \
BUILD_BROKEN_PREBUILT_ELF_FILES \
+ BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW \
BUILD_BROKEN_USES_NETWORK \
_build_broken_var_list += \
@@ -263,6 +264,7 @@
# Now we can substitute with the real value of TARGET_COPY_OUT_DEBUG_RAMDISK
ifeq ($(BOARD_USES_RECOVERY_AS_BOOT),true)
TARGET_COPY_OUT_DEBUG_RAMDISK := debug_ramdisk/first_stage_ramdisk
+TARGET_COPY_OUT_TEST_HARNESS_RAMDISK := test_harness_ramdisk/first_stage_ramdisk
endif
###########################################
@@ -505,9 +507,9 @@
###########################################
# Now we can substitute with the real value of TARGET_COPY_OUT_ODM
ifeq ($(TARGET_COPY_OUT_ODM),$(_odm_path_placeholder))
- TARGET_COPY_OUT_ODM := vendor/odm
-else ifeq ($(filter odm vendor/odm,$(TARGET_COPY_OUT_ODM)),)
- $(error TARGET_COPY_OUT_ODM must be either 'odm' or 'vendor/odm', seeing '$(TARGET_COPY_OUT_ODM)'.)
+ TARGET_COPY_OUT_ODM := $(TARGET_COPY_OUT_VENDOR)/odm
+else ifeq ($(filter odm system/vendor/odm vendor/odm,$(TARGET_COPY_OUT_ODM)),)
+ $(error TARGET_COPY_OUT_ODM must be either 'odm', 'system/vendor/odm' or 'vendor/odm', seeing '$(TARGET_COPY_OUT_ODM)'.)
endif
PRODUCT_COPY_FILES := $(subst $(_odm_path_placeholder),$(TARGET_COPY_OUT_ODM),$(PRODUCT_COPY_FILES))
diff --git a/core/clear_vars.mk b/core/clear_vars.mk
index 24cca5a..4818c01 100644
--- a/core/clear_vars.mk
+++ b/core/clear_vars.mk
@@ -56,7 +56,7 @@
LOCAL_DEX_PREOPT_FLAGS:=
LOCAL_DEX_PREOPT_GENERATE_PROFILE:=
LOCAL_DEX_PREOPT_PROFILE_CLASS_LISTING:=
-LOCAL_DEX_PREOPT:= # '',true,false,nostripping
+LOCAL_DEX_PREOPT:= # '',true,false
LOCAL_DISABLE_AUTO_GENERATE_TEST_CONFIG:=
LOCAL_DISABLE_RESOLVE_SUPPORT_LIBRARIES:=
LOCAL_DONT_CHECK_MODULE:=
@@ -73,6 +73,7 @@
LOCAL_DROIDDOC_DOC_ZIP :=
LOCAL_DROIDDOC_JDIFF_DOC_ZIP :=
LOCAL_DROIDDOC_HTML_DIR:=
+LOCAL_DROIDDOC_METADATA_ZIP:=
LOCAL_DROIDDOC_OPTIONS:=
LOCAL_DROIDDOC_SOURCE_PATH:=
LOCAL_DROIDDOC_STUB_OUT_DIR:=
diff --git a/core/config.mk b/core/config.mk
index d120d61..241ac8d 100644
--- a/core/config.mk
+++ b/core/config.mk
@@ -630,9 +630,11 @@
USE_OPENJDK9 := true
ifeq ($(EXPERIMENTAL_JAVA_LANGUAGE_LEVEL_9),)
-TARGET_OPENJDK9 :=
+TARGET_OPENJDK9 := true
else ifeq ($(EXPERIMENTAL_JAVA_LANGUAGE_LEVEL_9),true)
TARGET_OPENJDK9 := true
+else ifeq ($(EXPERIMENTAL_JAVA_LANGUAGE_LEVEL_9),false)
+TARGET_OPENJDK9 :=
endif
# Path to tools.jar
@@ -1171,8 +1173,10 @@
systemotherimage-nodeps \
ramdisk-nodeps \
ramdisk_debug-nodeps \
+ ramdisk_test_harness-nodeps \
bootimage-nodeps \
bootimage_debug-nodeps \
+ bootimage_test_harness-nodeps \
recoveryimage-nodeps \
vbmetaimage-nodeps \
product-graph dump-products
diff --git a/core/definitions.mk b/core/definitions.mk
index 7450d4f..a8bf4d5 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -2279,7 +2279,7 @@
# Align STORED entries of a package on 4-byte boundaries to make them easier to mmap.
#
define align-package
-$(hide) if ! $(ZIPALIGN) -c $(ZIPALIGN_PAGE_ALIGN_FLAGS) 4 $@ >/dev/null ; then \
+$(hide) if ! $(ZIPALIGN) -c -p 4 $@ >/dev/null ; then \
mv $@ $@.unaligned; \
$(ZIPALIGN) \
-f \
diff --git a/core/dex_preopt_config.mk b/core/dex_preopt_config.mk
index 69eaea1..3875815 100644
--- a/core/dex_preopt_config.mk
+++ b/core/dex_preopt_config.mk
@@ -4,7 +4,8 @@
DEX_PREOPT_DEFAULT ?= true
# The default filter for which files go into the system_other image (if it is
-# being used). To bundle everything one should set this to '%'
+# being used). Note that each pattern p here matches both '/<p>' and /system/<p>'.
+# To bundle everything one should set this to '%'.
SYSTEM_OTHER_ODEX_FILTER ?= \
app/% \
priv-app/% \
@@ -13,16 +14,9 @@
product/app/% \
product/priv-app/% \
-# The default values for pre-opting. To support the runtime module we ensure no dex files
-# get stripped.
-ifeq ($(PRODUCT_DEX_PREOPT_NEVER_ALLOW_STRIPPING),)
- PRODUCT_DEX_PREOPT_NEVER_ALLOW_STRIPPING := true
-endif
# Conditional to building on linux, as dex2oat currently does not work on darwin.
ifeq ($(HOST_OS),linux)
ifeq (eng,$(TARGET_BUILD_VARIANT))
- # Don't strip for quick development turnarounds.
- DEX_PREOPT_DEFAULT := nostripping
# For an eng build only pre-opt the boot image and system server. This gives reasonable performance
# and still allows a simple workflow: building in frameworks/base and syncing.
WITH_DEXPREOPT_BOOT_IMG_AND_SYSTEM_SERVER_ONLY ?= true
@@ -86,7 +80,6 @@
$(call json_start)
- $(call add_json_bool, DefaultNoStripping, $(filter nostripping,$(DEX_PREOPT_DEFAULT)))
$(call add_json_bool, DisablePreopt, $(call invert_bool,$(filter true,$(WITH_DEXPREOPT))))
$(call add_json_list, DisablePreoptModules, $(DEXPREOPT_DISABLED_MODULES))
$(call add_json_bool, OnlyPreoptBootImageAndSystemServer, $(filter true,$(WITH_DEXPREOPT_BOOT_IMG_AND_SYSTEM_SERVER_ONLY)))
@@ -173,6 +166,3 @@
$(SOONG_ZIP) \
$(ZIP2ZIP) \
$(BUILD_SYSTEM)/construct_context.sh \
-
-DEXPREOPT_STRIP_DEPS := \
- $(ZIP2ZIP) \
diff --git a/core/dex_preopt_odex_install.mk b/core/dex_preopt_odex_install.mk
index 50e922e..6705c82 100644
--- a/core/dex_preopt_odex_install.mk
+++ b/core/dex_preopt_odex_install.mk
@@ -207,8 +207,7 @@
$(call json_start)
- # DexPath, StripInputPath, and StripOutputPath are not set, they will
- # be filled in by dexpreopt_gen.
+ # DexPath is not set: it will be filled in by dexpreopt_gen.
$(call add_json_str, Name, $(LOCAL_MODULE))
$(call add_json_str, DexLocation, $(patsubst $(PRODUCT_OUT)%,%,$(LOCAL_INSTALLED_MODULE)))
@@ -237,13 +236,10 @@
$(call add_json_bool, ForceCreateAppImage, $(filter true,$(LOCAL_DEX_PREOPT_APP_IMAGE)))
$(call add_json_bool, PresignedPrebuilt, $(filter PRESIGNED,$(LOCAL_CERTIFICATE)))
- $(call add_json_bool, NoStripping, $(filter nostripping,$(LOCAL_DEX_PREOPT)))
-
$(call json_end)
my_dexpreopt_config := $(intermediates)/dexpreopt.config
my_dexpreopt_script := $(intermediates)/dexpreopt.sh
- my_strip_script := $(intermediates)/strip.sh
my_dexpreopt_zip := $(intermediates)/dexpreopt.zip
$(my_dexpreopt_config): PRIVATE_MODULE := $(LOCAL_MODULE)
@@ -252,17 +248,15 @@
@echo "$(PRIVATE_MODULE) dexpreopt.config"
echo -e -n '$(subst $(newline),\n,$(subst ','\'',$(subst \,\\,$(PRIVATE_CONTENTS))))' > $@
- .KATI_RESTAT: $(my_dexpreopt_script) $(my_strip_script)
+ .KATI_RESTAT: $(my_dexpreopt_script)
$(my_dexpreopt_script): PRIVATE_MODULE := $(LOCAL_MODULE)
$(my_dexpreopt_script): PRIVATE_GLOBAL_CONFIG := $(DEX_PREOPT_CONFIG_FOR_MAKE)
$(my_dexpreopt_script): PRIVATE_MODULE_CONFIG := $(my_dexpreopt_config)
- $(my_dexpreopt_script): PRIVATE_STRIP_SCRIPT := $(my_strip_script)
- $(my_dexpreopt_script): .KATI_IMPLICIT_OUTPUTS := $(my_strip_script)
$(my_dexpreopt_script): $(DEXPREOPT_GEN)
$(my_dexpreopt_script): $(my_dexpreopt_config) $(DEX_PREOPT_CONFIG_FOR_MAKE)
@echo "$(PRIVATE_MODULE) dexpreopt gen"
$(DEXPREOPT_GEN) -global $(PRIVATE_GLOBAL_CONFIG) -module $(PRIVATE_MODULE_CONFIG) \
- -dexpreopt_script $@ -strip_script $(PRIVATE_STRIP_SCRIPT) \
+ -dexpreopt_script $@ \
-out_dir $(OUT_DIR)
my_dexpreopt_deps := $(my_dex_jar)
@@ -302,6 +296,5 @@
my_dexpreopt_config :=
my_dexpreopt_script :=
- my_strip_script :=
my_dexpreopt_zip :=
endif # LOCAL_DEX_PREOPT
diff --git a/core/envsetup.mk b/core/envsetup.mk
index 5a615ac..0c58cd6 100644
--- a/core/envsetup.mk
+++ b/core/envsetup.mk
@@ -228,6 +228,7 @@
TARGET_COPY_OUT_OEM := oem
TARGET_COPY_OUT_RAMDISK := ramdisk
TARGET_COPY_OUT_DEBUG_RAMDISK := debug_ramdisk
+TARGET_COPY_OUT_TEST_HARNESS_RAMDISK := test_harness_ramdisk
TARGET_COPY_OUT_ROOT := root
TARGET_COPY_OUT_RECOVERY := recovery
# The directory used for optional partitions depend on the BoardConfig, so
@@ -825,6 +826,7 @@
TARGET_RAMDISK_OUT := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_RAMDISK)
TARGET_RAMDISK_OUT_UNSTRIPPED := $(TARGET_OUT_UNSTRIPPED)
TARGET_DEBUG_RAMDISK_OUT := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_DEBUG_RAMDISK)
+TARGET_TEST_HARNESS_RAMDISK_OUT := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_TEST_HARNESS_RAMDISK)
TARGET_VENDOR_RAMDISK_OUT := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_VENDOR_RAMDISK)
diff --git a/core/java_library.mk b/core/java_library.mk
index 4734eaf..3ac03dc 100644
--- a/core/java_library.mk
+++ b/core/java_library.mk
@@ -85,17 +85,6 @@
.KATI_RESTAT: $(common_javalib.jar)
-ifdef LOCAL_DEX_PREOPT
-
-$(LOCAL_BUILT_MODULE): PRIVATE_STRIP_SCRIPT := $(intermediates)/strip.sh
-$(LOCAL_BUILT_MODULE): $(intermediates)/strip.sh
-$(LOCAL_BUILT_MODULE): | $(DEXPREOPT_STRIP_DEPS)
-$(LOCAL_BUILT_MODULE): .KATI_DEPFILE := $(LOCAL_BUILT_MODULE).d
-$(LOCAL_BUILT_MODULE): $(common_javalib.jar)
- $(PRIVATE_STRIP_SCRIPT) $< $@
-
-else # LOCAL_DEX_PREOPT
$(eval $(call copy-one-file,$(common_javalib.jar),$(LOCAL_BUILT_MODULE)))
-endif # LOCAL_DEX_PREOPT
endif # !LOCAL_IS_STATIC_JAVA_LIBRARY
diff --git a/core/java_prebuilt_internal.mk b/core/java_prebuilt_internal.mk
index 5b7e9db..8a2091e 100644
--- a/core/java_prebuilt_internal.mk
+++ b/core/java_prebuilt_internal.mk
@@ -45,19 +45,8 @@
# defines built_odex along with rule to install odex
include $(BUILD_SYSTEM)/dex_preopt_odex_install.mk
#######################################
-ifdef LOCAL_DEX_PREOPT
-
-$(built_module): PRIVATE_STRIP_SCRIPT := $(intermediates)/strip.sh
-$(built_module): $(intermediates)/strip.sh
-$(built_module): | $(DEXPREOPT_STRIP_DEPS)
-$(built_module): .KATI_DEPFILE := $(built_module).d
-$(built_module): $(my_prebuilt_src_file)
- $(PRIVATE_STRIP_SCRIPT) $< $@
-
-else # ! LOCAL_DEX_PREOPT
$(built_module) : $(my_prebuilt_src_file)
$(call copy-file-to-target)
-endif # LOCAL_DEX_PREOPT
else # ! prebuilt_module_is_dex_javalib
$(built_module) : $(my_prebuilt_src_file)
diff --git a/core/main.mk b/core/main.mk
index fa203ca..a5e2456 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -220,6 +220,9 @@
ADDITIONAL_BUILD_PROPERTIES += persist.debug.dalvik.vm.core_platform_api_policy=just-warn
endif
+# Define ro.sanitize.<name> properties for all global sanitizers.
+ADDITIONAL_BUILD_PROPERTIES += $(foreach s,$(SANITIZE_TARGET),ro.sanitize.$(s)=true)
+
# Sets the default value of ro.postinstall.fstab.prefix to /system.
# Device board config should override the value to /product when needed by:
#
@@ -1138,6 +1141,7 @@
libdt_socket.so \
libicui18n.so \
libicuuc.so \
+ libicu_jni.so \
libjavacore.so \
libjdwp.so \
libm.so \
@@ -1249,6 +1253,8 @@
endef
endif
+# TODO(b/142944799): Implement Java library absence check for Core Libraries.
+
ifdef FULL_BUILD
ifneq (true,$(ALLOW_MISSING_DEPENDENCIES))
# Check to ensure that all modules in PRODUCT_PACKAGES exist (opt in per product)
@@ -1490,6 +1496,9 @@
.PHONY: ramdisk_debug
ramdisk_debug: $(INSTALLED_DEBUG_RAMDISK_TARGET)
+.PHONY: ramdisk_test_harness
+ramdisk_test_harness: $(INSTALLED_TEST_HARNESS_RAMDISK_TARGET)
+
.PHONY: userdataimage
userdataimage: $(INSTALLED_USERDATAIMAGE_TARGET)
@@ -1530,6 +1539,9 @@
.PHONY: bootimage_debug
bootimage_debug: $(INSTALLED_DEBUG_BOOTIMAGE_TARGET)
+.PHONY: bootimage_test_harness
+bootimage_test_harness: $(INSTALLED_TEST_HARNESS_BOOTIMAGE_TARGET)
+
.PHONY: vbmetaimage
vbmetaimage: $(INSTALLED_VBMETAIMAGE_TARGET)
@@ -1697,6 +1709,10 @@
$(INSTALLED_DEBUG_RAMDISK_TARGET) \
$(INSTALLED_DEBUG_BOOTIMAGE_TARGET) \
)
+ $(call dist-for-goals, bootimage_test_harness, \
+ $(INSTALLED_TEST_HARNESS_RAMDISK_TARGET) \
+ $(INSTALLED_TEST_HARNESS_BOOTIMAGE_TARGET) \
+ )
endif
ifeq ($(EMMA_INSTRUMENT),true)
diff --git a/core/package_internal.mk b/core/package_internal.mk
index eb3c67d..7bbaeb6 100644
--- a/core/package_internal.mk
+++ b/core/package_internal.mk
@@ -538,15 +538,6 @@
ifeq (true, $(LOCAL_UNCOMPRESS_DEX))
$(LOCAL_BUILT_MODULE) : $(ZIP2ZIP)
endif
-ifneq ($(BUILD_PLATFORM_ZIP),)
-$(LOCAL_BUILT_MODULE) : .KATI_IMPLICIT_OUTPUTS := $(dir $(LOCAL_BUILT_MODULE))package.dex.apk
-endif
-ifdef LOCAL_DEX_PREOPT
-$(LOCAL_BUILT_MODULE) : PRIVATE_STRIP_SCRIPT := $(intermediates)/strip.sh
-$(LOCAL_BUILT_MODULE) : $(intermediates)/strip.sh
-$(LOCAL_BUILT_MODULE) : | $(DEXPREOPT_STRIP_DEPS)
-$(LOCAL_BUILT_MODULE): .KATI_DEPFILE := $(LOCAL_BUILT_MODULE).d
-endif
$(LOCAL_BUILT_MODULE): PRIVATE_USE_EMBEDDED_NATIVE_LIBS := $(LOCAL_USE_EMBEDDED_NATIVE_LIBS)
$(LOCAL_BUILT_MODULE):
@echo "target Package: $(PRIVATE_MODULE) ($@)"
@@ -569,19 +560,11 @@
@# No need to align, sign-package below will do it.
$(uncompress-dexs)
endif
-# Run appcompat before stripping the classes.dex file.
+# Run appcompat before signing.
ifeq ($(module_run_appcompat),true)
$(appcompat-header)
$(run-appcompat)
endif # module_run_appcompat
-ifdef LOCAL_DEX_PREOPT
-ifneq ($(BUILD_PLATFORM_ZIP),)
- @# Keep a copy of apk with classes.dex unstripped
- $(hide) cp -f $@ $(dir $@)package.dex.apk
-endif # BUILD_PLATFORM_ZIP
- mv -f $@ $@.tmp
- $(PRIVATE_STRIP_SCRIPT) $@.tmp $@
-endif # LOCAL_DEX_PREOPT
$(sign-package)
ifdef LOCAL_COMPRESSED_MODULE
$(compress-package)
diff --git a/core/soong_app_prebuilt.mk b/core/soong_app_prebuilt.mk
index 8fc2e4c..c402717 100644
--- a/core/soong_app_prebuilt.mk
+++ b/core/soong_app_prebuilt.mk
@@ -97,10 +97,6 @@
java-dex: $(LOCAL_SOONG_DEX_JAR)
-ifneq ($(BUILD_PLATFORM_ZIP),)
- $(eval $(call copy-one-file,$(LOCAL_SOONG_DEX_JAR),$(dir $(LOCAL_BUILT_MODULE))package.dex.apk))
-endif
-
my_built_installed := $(foreach f,$(LOCAL_SOONG_BUILT_INSTALLED),\
$(call word-colon,1,$(f)):$(PRODUCT_OUT)$(call word-colon,2,$(f)))
my_installed := $(call copy-many-files, $(my_built_installed))
diff --git a/core/soong_droiddoc_prebuilt.mk b/core/soong_droiddoc_prebuilt.mk
index bf1f10b..c0467df 100644
--- a/core/soong_droiddoc_prebuilt.mk
+++ b/core/soong_droiddoc_prebuilt.mk
@@ -38,3 +38,7 @@
.PHONY: $(LOCAL_MODULE) $(LOCAL_MODULE)-jdiff
$(LOCAL_MODULE) $(LOCAL_MODULE)-jdiff : $(OUT_DOCS)/$(LOCAL_MODULE)-jdiff-docs.zip
endif
+
+ifdef LOCAL_DROIDDOC_METADATA_ZIP
+$(eval $(call copy-one-file,$(LOCAL_DROIDDOC_METADATA_ZIP),$(TARGET_OUT_COMMON_INTERMEDIATES)/PACKAGING/$(LOCAL_MODULE)-metadata.zip))
+endif
diff --git a/core/android_vts_host_config.mk b/core/suite_host_config.mk
similarity index 89%
rename from core/android_vts_host_config.mk
rename to core/suite_host_config.mk
index 38ba19d..d575c5b 100644
--- a/core/android_vts_host_config.mk
+++ b/core/suite_host_config.mk
@@ -16,11 +16,9 @@
LOCAL_MODULE_CLASS := FAKE
LOCAL_IS_HOST_MODULE := true
-LOCAL_COMPATIBILITY_SUITE := vts
include $(BUILD_SYSTEM)/base_rules.mk
$(LOCAL_BUILT_MODULE):
- @echo "VTS host-driven test target: $(PRIVATE_MODULE)"
+ @echo "$(LOCAL_COMPATIBILITY_SUITE) host-driven test target: $(PRIVATE_MODULE)"
$(hide) touch $@
-
diff --git a/core/version_defaults.mk b/core/version_defaults.mk
index 30890c0..ff5fb42 100644
--- a/core/version_defaults.mk
+++ b/core/version_defaults.mk
@@ -250,7 +250,7 @@
# It must be of the form "YYYY-MM-DD" on production devices.
# It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
# If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
- PLATFORM_SECURITY_PATCH := 2019-09-05
+ PLATFORM_SECURITY_PATCH := 2019-10-05
endif
.KATI_READONLY := PLATFORM_SECURITY_PATCH
diff --git a/target/product/base_system.mk b/target/product/base_system.mk
index f49218a..7cc3270 100644
--- a/target/product/base_system.mk
+++ b/target/product/base_system.mk
@@ -364,6 +364,7 @@
logpersist.start \
logtagd.rc \
procrank \
+ remount \
showmap \
sqlite3 \
ss \
diff --git a/target/product/gsi/current.txt b/target/product/gsi/current.txt
index 6649f28..8fed53c 100644
--- a/target/product/gsi/current.txt
+++ b/target/product/gsi/current.txt
@@ -137,6 +137,7 @@
VNDK-core: android.hardware.neuralnetworks@1.0.so
VNDK-core: android.hardware.neuralnetworks@1.1.so
VNDK-core: android.hardware.neuralnetworks@1.2.so
+VNDK-core: android.hardware.neuralnetworks@1.3.so
VNDK-core: android.hardware.nfc@1.0.so
VNDK-core: android.hardware.nfc@1.1.so
VNDK-core: android.hardware.nfc@1.2.so
@@ -180,6 +181,7 @@
VNDK-core: android.hardware.vibrator@1.1.so
VNDK-core: android.hardware.vibrator@1.2.so
VNDK-core: android.hardware.vibrator@1.3.so
+VNDK-core: android.hardware.vibrator@1.4.so
VNDK-core: android.hardware.vr@1.0.so
VNDK-core: android.hardware.weaver@1.0.so
VNDK-core: android.hardware.wifi.hostapd@1.0.so
diff --git a/target/product/mainline_system.mk b/target/product/mainline_system.mk
index b8f2838..cd6a0f7 100644
--- a/target/product/mainline_system.mk
+++ b/target/product/mainline_system.mk
@@ -64,8 +64,8 @@
# For ringtones that rely on forward lock encryption
PRODUCT_PACKAGES += libfwdlockengine
-# System libraries commonly depended on by things on the product partition.
-# This list will be pruned periodically.
+# System libraries commonly depended on by things on the system_ext or product partitions.
+# These lists will be pruned periodically.
PRODUCT_PACKAGES += \
android.hardware.biometrics.fingerprint@2.1 \
android.hardware.radio@1.0 \
@@ -78,6 +78,7 @@
android.hardware.secure_element@1.0 \
android.hardware.wifi@1.0 \
libaudio-resampler \
+ libaudiohal \
libdrm \
liblogwrap \
liblz4 \
@@ -85,6 +86,13 @@
libnl \
libprotobuf-cpp-full \
+# These libraries are empty and have been combined into libhidlbase, but are still depended
+# on by things off /system.
+# TODO(b/135686713): remove these
+PRODUCT_PACKAGES += \
+ libhidltransport \
+ libhwbinder \
+
# Camera service uses 'libdepthphoto' for adding dynamic depth
# metadata inside depth jpegs.
PRODUCT_PACKAGES += \
diff --git a/target/product/runtime_libart.mk b/target/product/runtime_libart.mk
index 581a72b..b8cb2ff 100644
--- a/target/product/runtime_libart.mk
+++ b/target/product/runtime_libart.mk
@@ -20,11 +20,6 @@
$(error TARGET_CORE_JARS is empty; cannot update PRODUCT_PACKAGES variable)
endif
-# Minimal boot classpath. This should be a subset of PRODUCT_BOOT_JARS, and equivalent to
-# TARGET_CORE_JARS.
-PRODUCT_PACKAGES += \
- $(TARGET_CORE_JARS)
-
# Additional mixins to the boot classpath.
PRODUCT_PACKAGES += \
android.test.base \
@@ -37,6 +32,9 @@
PRODUCT_PACKAGES += com.android.runtime
# ART APEX module.
+# Note that this package includes the minimal boot classpath JARs (listed in
+# TARGET_CORE_JARS), which should no longer be added directly to
+# PRODUCT_PACKAGES.
PRODUCT_PACKAGES += com.android.art
PRODUCT_HOST_PACKAGES += com.android.art
diff --git a/target/product/security/Android.mk b/target/product/security/Android.mk
index 3631cfd..d6a8b53 100644
--- a/target/product/security/Android.mk
+++ b/target/product/security/Android.mk
@@ -80,30 +80,3 @@
$(extra_recovery_keys)
$(SOONG_ZIP) -o $@ -j \
$(foreach key_file, $(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS), -f $(key_file))
-
-
-#######################################
-# update_engine_payload_key, used by update_engine. We use the same key as otacerts but in RSA
-# public key format.
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := update_engine_payload_key
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_STEM := update-payload-key.pub.pem
-LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/update_engine
-include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
- openssl x509 -pubkey -noout -in $< > $@
-
-
-#######################################
-# update_engine_payload_key for recovery image, used by update_engine.
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := update_engine_payload_key.recovery
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_STEM := update-payload-key.pub.pem
-LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/update_engine
-include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
- openssl x509 -pubkey -noout -in $< > $@
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index d73628f..031db1d 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -47,22 +47,23 @@
class Options(object):
+
def __init__(self):
- base_out_path = os.getenv('OUT_DIR_COMMON_BASE')
- if base_out_path is None:
- base_search_path = "out"
- else:
- base_search_path = os.path.join(base_out_path,
- os.path.basename(os.getcwd()))
+ # Set up search path, in order to find framework/ and lib64/. At the time of
+ # running this function, user-supplied search path (`--path`) hasn't been
+ # available. So the value set here is the default, which might be overridden
+ # by commandline flag later.
+ exec_path = sys.argv[0]
+ if exec_path.endswith('.py'):
+ script_name = os.path.basename(exec_path)
+ # logger hasn't been initialized yet at this point. Use print to output
+ # warnings.
+ print(
+ 'Warning: releasetools script should be invoked as hermetic Python '
+ 'executable -- build and run `{}` directly.'.format(script_name[:-3]),
+ file=sys.stderr)
+ self.search_path = os.path.realpath(os.path.join(exec_path, '..'))
- # Python >= 3.3 returns 'linux', whereas Python 2.7 gives 'linux2'.
- platform_search_path = {
- "linux": os.path.join(base_search_path, "host/linux-x86"),
- "linux2": os.path.join(base_search_path, "host/linux-x86"),
- "darwin": os.path.join(base_search_path, "host/darwin-x86"),
- }
-
- self.search_path = platform_search_path.get(sys.platform)
self.signapk_path = "framework/signapk.jar" # Relative to search_path
self.signapk_shared_library_path = "lib64" # Relative to search_path
self.extra_signapk_args = []
@@ -873,10 +874,20 @@
# Check if chain partition is used.
key_path = info_dict.get("avb_" + partition + "_key_path")
- if key_path:
- chained_partition_arg = GetAvbChainedPartitionArg(partition, info_dict)
- return ["--chain_partition", chained_partition_arg]
- return ["--include_descriptors_from_image", image]
+ if not key_path:
+ return ["--include_descriptors_from_image", image]
+
+ # For a non-A/B device, we don't chain /recovery nor include its descriptor
+ # into vbmeta.img. The recovery image will be configured on an independent
+ # boot chain, to be verified with AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION.
+ # See details at
+ # https://android.googlesource.com/platform/external/avb/+/master/README.md#booting-into-recovery.
+ if info_dict.get("ab_update") != "true" and partition == "recovery":
+ return []
+
+ # Otherwise chain the partition into vbmeta.
+ chained_partition_arg = GetAvbChainedPartitionArg(partition, info_dict)
+ return ["--chain_partition", chained_partition_arg]
def GetAvbChainedPartitionArg(partition, info_dict, key=None):
diff --git a/tools/releasetools/ota_from_target_files.py b/tools/releasetools/ota_from_target_files.py
index 1e7bb3a..dfcfb49 100755
--- a/tools/releasetools/ota_from_target_files.py
+++ b/tools/releasetools/ota_from_target_files.py
@@ -171,8 +171,16 @@
--payload_signer_args <args>
Specify the arguments needed for payload signer.
+ --payload_signer_maximum_signature_size <signature_size>
+ The maximum signature size (in bytes) that would be generated by the given
+ payload signer. Only meaningful when custom payload signer is specified
+ via '--payload_signer'.
+ If the signer uses a RSA key, this should be the number of bytes to
+ represent the modulus. If it uses an EC key, this is the size of a
+ DER-encoded ECDSA signature.
+
--payload_signer_key_size <key_size>
- Specify the key size in bytes of the payload signer.
+ Deprecated. Use the '--payload_signer_maximum_signature_size' instead.
--skip_postinstall
Skip the postinstall hooks when generating an A/B OTA package (default:
@@ -231,7 +239,7 @@
OPTIONS.log_diff = None
OPTIONS.payload_signer = None
OPTIONS.payload_signer_args = []
-OPTIONS.payload_signer_key_size = None
+OPTIONS.payload_signer_maximum_signature_size = None
OPTIONS.extracted_input = None
OPTIONS.key_passwords = []
OPTIONS.skip_postinstall = False
@@ -288,35 +296,31 @@
self.signer = "openssl"
self.signer_args = ["pkeyutl", "-sign", "-inkey", signing_key,
"-pkeyopt", "digest:sha256"]
- self.key_size = self._GetKeySizeInBytes(signing_key)
+ self.maximum_signature_size = self._GetMaximumSignatureSizeInBytes(
+ signing_key)
else:
self.signer = OPTIONS.payload_signer
self.signer_args = OPTIONS.payload_signer_args
- if OPTIONS.payload_signer_key_size:
- self.key_size = int(OPTIONS.payload_signer_key_size)
- assert self.key_size == 256 or self.key_size == 512, \
- "Unsupported key size {}".format(OPTIONS.payload_signer_key_size)
+ if OPTIONS.payload_signer_maximum_signature_size:
+ self.maximum_signature_size = int(
+ OPTIONS.payload_signer_maximum_signature_size)
else:
- self.key_size = 256
+ # The legacy config uses RSA2048 keys.
+ logger.warning("The maximum signature size for payload signer is not"
+ " set, default to 256 bytes.")
+ self.maximum_signature_size = 256
@staticmethod
- def _GetKeySizeInBytes(signing_key):
- modulus_file = common.MakeTempFile(prefix="modulus-")
- cmd = ["openssl", "rsa", "-inform", "PEM", "-in", signing_key, "-modulus",
- "-noout", "-out", modulus_file]
- common.RunAndCheckOutput(cmd, verbose=False)
-
- with open(modulus_file) as f:
- modulus_string = f.read()
- # The modulus string has the format "Modulus=$data", where $data is the
- # concatenation of hex dump of the modulus.
- MODULUS_PREFIX = "Modulus="
- assert modulus_string.startswith(MODULUS_PREFIX)
- modulus_string = modulus_string[len(MODULUS_PREFIX):]
- key_size = len(modulus_string) // 2
- assert key_size == 256 or key_size == 512, \
- "Unsupported key size {}".format(key_size)
- return key_size
+ def _GetMaximumSignatureSizeInBytes(signing_key):
+ out_signature_size_file = common.MakeTempFile("signature_size")
+ cmd = ["delta_generator", "--out_maximum_signature_size_file={}".format(
+ out_signature_size_file), "--private_key={}".format(signing_key)]
+ common.RunAndCheckOutput(cmd)
+ with open(out_signature_size_file) as f:
+ signature_size = f.read().rstrip()
+ logger.info("% outputs the maximum signature size: %", cmd[0],
+ signature_size)
+ return int(signature_size)
def Sign(self, in_file):
"""Signs the given input file. Returns the output filename."""
@@ -396,7 +400,7 @@
metadata_sig_file = common.MakeTempFile(prefix="sig-", suffix=".bin")
cmd = ["brillo_update_payload", "hash",
"--unsigned_payload", self.payload_file,
- "--signature_size", str(payload_signer.key_size),
+ "--signature_size", str(payload_signer.maximum_signature_size),
"--metadata_hash_file", metadata_sig_file,
"--payload_hash_file", payload_sig_file]
self._Run(cmd)
@@ -411,7 +415,7 @@
cmd = ["brillo_update_payload", "sign",
"--unsigned_payload", self.payload_file,
"--payload", signed_payload_file,
- "--signature_size", str(payload_signer.key_size),
+ "--signature_size", str(payload_signer.maximum_signature_size),
"--metadata_signature_file", signed_metadata_sig_file,
"--payload_signature_file", signed_payload_sig_file]
self._Run(cmd)
@@ -2005,8 +2009,13 @@
OPTIONS.payload_signer = a
elif o == "--payload_signer_args":
OPTIONS.payload_signer_args = shlex.split(a)
+ elif o == "--payload_signer_maximum_signature_size":
+ OPTIONS.payload_signer_maximum_signature_size = a
elif o == "--payload_signer_key_size":
- OPTIONS.payload_signer_key_size = a
+ # TODO(Xunchang) remove this option after cleaning up the callers.
+ logger.warning("The option '--payload_signer_key_size' is deprecated."
+ " Use '--payload_signer_maximum_signature_size' instead.")
+ OPTIONS.payload_signer_maximum_signature_size = a
elif o == "--extracted_input_target_files":
OPTIONS.extracted_input = a
elif o == "--skip_postinstall":
@@ -2047,6 +2056,7 @@
"log_diff=",
"payload_signer=",
"payload_signer_args=",
+ "payload_signer_maximum_signature_size=",
"payload_signer_key_size=",
"extracted_input_target_files=",
"skip_postinstall",
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 710147b..0f4f1da 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -153,6 +153,20 @@
OPTIONS.avb_extra_args = {}
+AVB_FOOTER_ARGS_BY_PARTITION = {
+ 'boot' : 'avb_boot_add_hash_footer_args',
+ 'dtbo' : 'avb_dtbo_add_hash_footer_args',
+ 'recovery' : 'avb_recovery_add_hash_footer_args',
+ 'system' : 'avb_system_add_hashtree_footer_args',
+ 'system_other' : 'avb_system_other_add_hashtree_footer_args',
+ 'vendor' : 'avb_vendor_add_hashtree_footer_args',
+ 'vendor_boot' : 'avb_vendor_boot_add_hash_footer_args',
+ 'vbmeta' : 'avb_vbmeta_args',
+ 'vbmeta_system' : 'avb_vbmeta_system_args',
+ 'vbmeta_vendor' : 'avb_vbmeta_vendor_args',
+}
+
+
def GetApkCerts(certmap):
# apply the key remapping to the contents of the file
for apk, cert in certmap.items():
@@ -543,14 +557,13 @@
OPTIONS.rebuild_recovery = True
# Don't copy OTA certs if we're replacing them.
+ # Replacement of update-payload-key.pub.pem was removed in b/116660991.
elif (
OPTIONS.replace_ota_keys and
filename in (
"BOOT/RAMDISK/system/etc/security/otacerts.zip",
- "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
"RECOVERY/RAMDISK/system/etc/security/otacerts.zip",
- "SYSTEM/etc/security/otacerts.zip",
- "SYSTEM/etc/update_engine/update-payload-key.pub.pem")):
+ "SYSTEM/etc/security/otacerts.zip")):
pass
# Skip META/misc_info.txt since we will write back the new values later.
@@ -622,6 +635,10 @@
# Replace the AVB signing keys, if any.
ReplaceAvbSigningKeys(misc_info)
+ # Rewrite the props in AVB signing args.
+ if misc_info.get('avb_enable') == 'true':
+ RewriteAvbProps(misc_info)
+
# Write back misc_info with the latest values.
ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info)
@@ -814,24 +831,6 @@
# We DO NOT include the extra_recovery_keys (if any) here.
WriteOtacerts(output_tf_zip, "SYSTEM/etc/security/otacerts.zip", mapped_keys)
- # For A/B devices, update the payload verification key.
- if misc_info.get("ab_update") == "true":
- # Unlike otacerts.zip that may contain multiple keys, we can only specify
- # ONE payload verification key.
- if len(mapped_keys) > 1:
- print("\n WARNING: Found more than one OTA keys; Using the first one"
- " as payload verification key.\n\n")
-
- print("Using %s for payload verification." % (mapped_keys[0],))
- pubkey = common.ExtractPublicKey(mapped_keys[0])
- common.ZipWriteStr(
- output_tf_zip,
- "SYSTEM/etc/update_engine/update-payload-key.pub.pem",
- pubkey)
- common.ZipWriteStr(
- output_tf_zip,
- "BOOT/RAMDISK/system/etc/update_engine/update-payload-key.pub.pem",
- pubkey)
def ReplaceVerityPublicKey(output_zip, filename, key_path):
@@ -910,18 +909,6 @@
def ReplaceAvbSigningKeys(misc_info):
"""Replaces the AVB signing keys."""
- AVB_FOOTER_ARGS_BY_PARTITION = {
- 'boot' : 'avb_boot_add_hash_footer_args',
- 'dtbo' : 'avb_dtbo_add_hash_footer_args',
- 'recovery' : 'avb_recovery_add_hash_footer_args',
- 'system' : 'avb_system_add_hashtree_footer_args',
- 'system_other' : 'avb_system_other_add_hashtree_footer_args',
- 'vendor' : 'avb_vendor_add_hashtree_footer_args',
- 'vbmeta' : 'avb_vbmeta_args',
- 'vbmeta_system' : 'avb_vbmeta_system_args',
- 'vbmeta_vendor' : 'avb_vbmeta_vendor_args',
- }
-
def ReplaceAvbPartitionSigningKey(partition):
key = OPTIONS.avb_keys.get(partition)
if not key:
@@ -946,6 +933,32 @@
ReplaceAvbPartitionSigningKey(partition)
+def RewriteAvbProps(misc_info):
+ """Rewrites the props in AVB signing args."""
+ for partition, args_key in AVB_FOOTER_ARGS_BY_PARTITION.items():
+ args = misc_info.get(args_key)
+ if not args:
+ continue
+
+ tokens = []
+ changed = False
+ for token in args.split(' '):
+ fingerprint_key = 'com.android.build.{}.fingerprint'.format(partition)
+ if not token.startswith(fingerprint_key):
+ tokens.append(token)
+ continue
+ prefix, tag = token.rsplit('/', 1)
+ tokens.append('{}/{}'.format(prefix, EditTags(tag)))
+ changed = True
+
+ if changed:
+ result = ' '.join(tokens)
+ print('Rewriting AVB prop for {}:\n'.format(partition))
+ print(' replace: {}'.format(args))
+ print(' with: {}'.format(result))
+ misc_info[args_key] = result
+
+
def BuildKeyMap(misc_info, key_mapping_options):
for s, d in key_mapping_options:
if s is None: # -d option
diff --git a/tools/releasetools/test_common.py b/tools/releasetools/test_common.py
index 59b05e9..8a52419 100644
--- a/tools/releasetools/test_common.py
+++ b/tools/releasetools/test_common.py
@@ -1373,6 +1373,39 @@
self.assertEqual('5', chained_partition_args[1])
self.assertTrue(os.path.exists(chained_partition_args[2]))
+ @test_utils.SkipIfExternalToolsUnavailable()
+ def test_AppendVBMetaArgsForPartition_recoveryAsChainedPartition_nonAb(self):
+ testdata_dir = test_utils.get_testdata_dir()
+ pubkey = os.path.join(testdata_dir, 'testkey.pubkey.pem')
+ info_dict = {
+ 'avb_avbtool': 'avbtool',
+ 'avb_recovery_key_path': pubkey,
+ 'avb_recovery_rollback_index_location': 3,
+ }
+ cmd = common.GetAvbPartitionArg(
+ 'recovery', '/path/to/recovery.img', info_dict)
+ self.assertFalse(cmd)
+
+ @test_utils.SkipIfExternalToolsUnavailable()
+ def test_AppendVBMetaArgsForPartition_recoveryAsChainedPartition_ab(self):
+ testdata_dir = test_utils.get_testdata_dir()
+ pubkey = os.path.join(testdata_dir, 'testkey.pubkey.pem')
+ info_dict = {
+ 'ab_update': 'true',
+ 'avb_avbtool': 'avbtool',
+ 'avb_recovery_key_path': pubkey,
+ 'avb_recovery_rollback_index_location': 3,
+ }
+ cmd = common.GetAvbPartitionArg(
+ 'recovery', '/path/to/recovery.img', info_dict)
+ self.assertEqual(2, len(cmd))
+ self.assertEqual('--chain_partition', cmd[0])
+ chained_partition_args = cmd[1].split(':')
+ self.assertEqual(3, len(chained_partition_args))
+ self.assertEqual('recovery', chained_partition_args[0])
+ self.assertEqual('3', chained_partition_args[1])
+ self.assertTrue(os.path.exists(chained_partition_args[2]))
+
class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
"""Checks the format of install-recovery.sh.
diff --git a/tools/releasetools/test_ota_from_target_files.py b/tools/releasetools/test_ota_from_target_files.py
index c3021a1..38faf64 100644
--- a/tools/releasetools/test_ota_from_target_files.py
+++ b/tools/releasetools/test_ota_from_target_files.py
@@ -885,10 +885,28 @@
payload_offset, metadata_total = (
property_files._GetPayloadMetadataOffsetAndSize(input_zip))
- # Read in the metadata signature directly.
+ # The signature proto has the following format (details in
+ # /platform/system/update_engine/update_metadata.proto):
+ # message Signature {
+ # optional uint32 version = 1;
+ # optional bytes data = 2;
+ # optional fixed32 unpadded_signature_size = 3;
+ # }
+ #
+ # According to the protobuf encoding, the tail of the signature message will
+ # be [signature string(256 bytes) + encoding of the fixed32 number 256]. And
+ # 256 is encoded as 'x1d\x00\x01\x00\x00':
+ # [3 (field number) << 3 | 5 (type) + byte reverse of 0x100 (256)].
+ # Details in (https://developers.google.com/protocol-buffers/docs/encoding)
+ signature_tail_length = self.SIGNATURE_SIZE + 5
+ self.assertGreater(metadata_total, signature_tail_length)
with open(output_file, 'rb') as verify_fp:
- verify_fp.seek(payload_offset + metadata_total - self.SIGNATURE_SIZE)
- metadata_signature = verify_fp.read(self.SIGNATURE_SIZE)
+ verify_fp.seek(payload_offset + metadata_total - signature_tail_length)
+ metadata_signature_proto_tail = verify_fp.read(signature_tail_length)
+
+ self.assertEqual(b'\x1d\x00\x01\x00\x00',
+ metadata_signature_proto_tail[-5:])
+ metadata_signature = metadata_signature_proto_tail[:-5]
# Now we extract the metadata hash via brillo_update_payload script, which
# will serve as the oracle result.
@@ -1050,11 +1068,13 @@
with open(file1, 'rb') as fp1, open(file2, 'rb') as fp2:
self.assertEqual(fp1.read(), fp2.read())
+ @test_utils.SkipIfExternalToolsUnavailable()
def test_init(self):
payload_signer = PayloadSigner()
self.assertEqual('openssl', payload_signer.signer)
- self.assertEqual(256, payload_signer.key_size)
+ self.assertEqual(256, payload_signer.maximum_signature_size)
+ @test_utils.SkipIfExternalToolsUnavailable()
def test_init_withPassword(self):
common.OPTIONS.package_key = os.path.join(
self.testdata_dir, 'testkey_with_passwd')
@@ -1067,18 +1087,27 @@
def test_init_withExternalSigner(self):
common.OPTIONS.payload_signer = 'abc'
common.OPTIONS.payload_signer_args = ['arg1', 'arg2']
- common.OPTIONS.payload_signer_key_size = '512'
+ common.OPTIONS.payload_signer_maximum_signature_size = '512'
payload_signer = PayloadSigner()
self.assertEqual('abc', payload_signer.signer)
self.assertEqual(['arg1', 'arg2'], payload_signer.signer_args)
- self.assertEqual(512, payload_signer.key_size)
+ self.assertEqual(512, payload_signer.maximum_signature_size)
- def test_GetKeySizeInBytes_512Bytes(self):
+ @test_utils.SkipIfExternalToolsUnavailable()
+ def test_GetMaximumSignatureSizeInBytes_512Bytes(self):
signing_key = os.path.join(self.testdata_dir, 'testkey_RSA4096.key')
# pylint: disable=protected-access
- key_size = PayloadSigner._GetKeySizeInBytes(signing_key)
- self.assertEqual(512, key_size)
+ signature_size = PayloadSigner._GetMaximumSignatureSizeInBytes(signing_key)
+ self.assertEqual(512, signature_size)
+ @test_utils.SkipIfExternalToolsUnavailable()
+ def test_GetMaximumSignatureSizeInBytes_ECKey(self):
+ signing_key = os.path.join(self.testdata_dir, 'testkey_EC.key')
+ # pylint: disable=protected-access
+ signature_size = PayloadSigner._GetMaximumSignatureSizeInBytes(signing_key)
+ self.assertEqual(72, signature_size)
+
+ @test_utils.SkipIfExternalToolsUnavailable()
def test_Sign(self):
payload_signer = PayloadSigner()
input_file = os.path.join(self.testdata_dir, self.SIGFILE)
diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py
index e0a635a..2b84413 100644
--- a/tools/releasetools/test_sign_target_files_apks.py
+++ b/tools/releasetools/test_sign_target_files_apks.py
@@ -23,7 +23,8 @@
import test_utils
from sign_target_files_apks import (
CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo,
- ReplaceCerts, ReplaceVerityKeyId, RewriteProps, WriteOtacerts)
+ ReplaceCerts, ReplaceVerityKeyId, RewriteAvbProps, RewriteProps,
+ WriteOtacerts)
class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase):
@@ -52,6 +53,40 @@
# Tags are sorted.
self.assertEqual(EditTags('xyz,abc,dev-keys,xyz'), ('abc,release-keys,xyz'))
+ def test_RewriteAvbProps(self):
+ misc_info = {
+ 'avb_boot_add_hash_footer_args':
+ ('--prop com.android.build.boot.os_version:R '
+ '--prop com.android.build.boot.security_patch:2019-09-05'),
+ 'avb_system_add_hashtree_footer_args':
+ ('--prop com.android.build.system.os_version:R '
+ '--prop com.android.build.system.security_patch:2019-09-05 '
+ '--prop com.android.build.system.fingerprint:'
+ 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/test-keys'),
+ 'avb_vendor_add_hashtree_footer_args':
+ ('--prop com.android.build.vendor.os_version:R '
+ '--prop com.android.build.vendor.security_patch:2019-09-05 '
+ '--prop com.android.build.vendor.fingerprint:'
+ 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/dev-keys'),
+ }
+ expected_dict = {
+ 'avb_boot_add_hash_footer_args':
+ ('--prop com.android.build.boot.os_version:R '
+ '--prop com.android.build.boot.security_patch:2019-09-05'),
+ 'avb_system_add_hashtree_footer_args':
+ ('--prop com.android.build.system.os_version:R '
+ '--prop com.android.build.system.security_patch:2019-09-05 '
+ '--prop com.android.build.system.fingerprint:'
+ 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/release-keys'),
+ 'avb_vendor_add_hashtree_footer_args':
+ ('--prop com.android.build.vendor.os_version:R '
+ '--prop com.android.build.vendor.security_patch:2019-09-05 '
+ '--prop com.android.build.vendor.fingerprint:'
+ 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/release-keys'),
+ }
+ RewriteAvbProps(misc_info)
+ self.assertDictEqual(expected_dict, misc_info)
+
def test_RewriteProps(self):
props = (
('', ''),
diff --git a/tools/releasetools/testdata/testkey_EC.key b/tools/releasetools/testdata/testkey_EC.key
new file mode 100644
index 0000000..9e65a68
--- /dev/null
+++ b/tools/releasetools/testdata/testkey_EC.key
@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgGaguGj8Yb1KkqKHd
+ISblUsjtOCbzAuVpX81i02sm8FWhRANCAARBnuotwKOsuvjH6iwTDhOAi7Q5pLWz
+xDkZjg2pcfbfi9FFTvLYETas7B2W6fx9PUezUmHTFTDV2JZuMYYFdZOw
+-----END PRIVATE KEY-----
diff --git a/tools/releasetools/validate_target_files.py b/tools/releasetools/validate_target_files.py
index 383ef7b..9c2bc51 100755
--- a/tools/releasetools/validate_target_files.py
+++ b/tools/releasetools/validate_target_files.py
@@ -346,20 +346,25 @@
key = info_dict['avb_vbmeta_key_path']
# avbtool verifies all the images that have descriptors listed in vbmeta.
+ # Using `--follow_chain_partitions` so it would additionally verify chained
+ # vbmeta partitions (e.g. vbmeta_system).
image = os.path.join(input_tmp, 'IMAGES', 'vbmeta.img')
cmd = [info_dict['avb_avbtool'], 'verify_image', '--image', image,
- '--key', key]
+ '--key', key, '--follow_chain_partitions']
# Append the args for chained partitions if any.
for partition in common.AVB_PARTITIONS + common.AVB_VBMETA_PARTITIONS:
key_name = 'avb_' + partition + '_key_path'
if info_dict.get(key_name) is not None:
+ if info_dict.get('ab_update') != 'true' and partition == 'recovery':
+ continue
+
# Use the key file from command line if specified; otherwise fall back
# to the one in info dict.
key_file = options.get(key_name, info_dict[key_name])
chained_partition_arg = common.GetAvbChainedPartitionArg(
partition, info_dict, key_file)
- cmd.extend(["--expected_chain_partition", chained_partition_arg])
+ cmd.extend(['--expected_chain_partition', chained_partition_arg])
proc = common.Run(cmd)
stdoutdata, _ = proc.communicate()
@@ -371,6 +376,22 @@
'Verified %s with avbtool (key: %s):\n%s', image, key,
stdoutdata.rstrip())
+ # avbtool verifies recovery image for non-A/B devices.
+ if (info_dict.get('ab_update') != 'true' and
+ info_dict.get('no_recovery') != 'true'):
+ image = os.path.join(input_tmp, 'IMAGES', 'recovery.img')
+ key = info_dict['avb_recovery_key_path']
+ cmd = [info_dict['avb_avbtool'], 'verify_image', '--image', image,
+ '--key', key]
+ proc = common.Run(cmd)
+ stdoutdata, _ = proc.communicate()
+ assert proc.returncode == 0, \
+ 'Failed to verify {} with avbtool (key: {}):\n{}'.format(
+ image, key, stdoutdata)
+ logging.info(
+ 'Verified %s with avbtool (key: %s):\n%s', image, key,
+ stdoutdata.rstrip())
+
def main():
parser = argparse.ArgumentParser(
diff --git a/tools/warn.py b/tools/warn.py
index 5994124..6218f93 100755
--- a/tools/warn.py
+++ b/tools/warn.py
@@ -2264,7 +2264,7 @@
i['compiled_patterns'].append(re.compile(pat))
-def find_android_root(path):
+def find_warn_py_and_android_root(path):
"""Set and return android_root path if it is found."""
global android_root
parts = path.split('/')
@@ -2273,8 +2273,36 @@
# Android root directory should contain this script.
if os.path.exists(root_path + '/build/make/tools/warn.py'):
android_root = root_path
- return root_path
- return ''
+ return True
+ return False
+
+
+def find_android_root():
+ """Guess android_root from common prefix of file paths."""
+ # Use the longest common prefix of the absolute file paths
+ # of the first 10000 warning messages as the android_root.
+ global android_root
+ warning_lines = set()
+ warning_pattern = re.compile('^/[^ ]*/[^ ]*: warning: .*')
+ count = 0
+ infile = io.open(args.buildlog, mode='r', encoding='utf-8')
+ for line in infile:
+ if warning_pattern.match(line):
+ warning_lines.add(line)
+ count += 1
+ if count > 9999:
+ break
+ # Try to find warn.py and use its location to find
+ # the source tree root.
+ if count < 100:
+ path = os.path.normpath(re.sub(':.*$', '', line))
+ if find_warn_py_and_android_root(path):
+ return
+ # Do not use common prefix of a small number of paths.
+ if count > 10:
+ root_path = os.path.commonprefix(warning_lines)
+ if len(root_path) > 2 and root_path[len(root_path) - 1] == '/':
+ android_root = root_path[:-1]
def remove_android_root_prefix(path):
@@ -2289,13 +2317,10 @@
"""Normalize file path relative to android_root."""
# If path is not an absolute path, just normalize it.
path = os.path.normpath(path)
- if path[0] != '/':
- return path
# Remove known prefix of root path and normalize the suffix.
- if android_root or find_android_root(path):
+ if path[0] == '/' and android_root:
return remove_android_root_prefix(path)
- else:
- return path
+ return path
def normalize_warning_line(line):
@@ -2670,6 +2695,7 @@
def main():
+ find_android_root()
# We must use 'utf-8' codec to parse some non-ASCII code in warnings.
warning_lines = parse_input_file(
io.open(args.buildlog, mode='r', encoding='utf-8'))