Reland: Generate fs-verity build manifest APK for other partitions
* Expand the allowlist to include {system_ext, vendor, odm,
product}/framework/*. Generate .fsv_meta for them.
* Add BuildManifest.apk for those partitions.
* Rename PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA to remove "SYSTEM".
* (new in reland): add apkcerts
Bug: 245957815
Test: m
Test: ls -l $ANDROID_PRODUCT_OUT/*/etc/security/fsverity/BuildManifest.apk
Test: extract assets/build_manifest.pb from apk, inspect
Test: run asit/ota/signing
Change-Id: I48a5e473aa5eedb24edab54357a9141fc8d78759
diff --git a/core/product.mk b/core/product.mk
index ee2fa5a..277fa74 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -356,15 +356,12 @@
# This option is only meant to be set by compliance GSI targets.
_product_single_value_vars += PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
-# If set, metadata files for the following artifacts will be generated.
-# - system/framework/*.jar
-# - system/framework/oat/<arch>/*.{oat,vdex,art}
-# - system/etc/boot-image.prof
-# - system/etc/dirty-image-objects
-# One fsverity metadata container file per one input file will be generated in
-# system.img, with a suffix ".fsv_meta". e.g. a container file for
-# "/system/framework/foo.jar" will be "system/framework/foo.jar.fsv_meta".
-_product_single_value_vars += PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA
+# If set, fsverity metadata files will be generated for each files in the
+# allowlist, plus an manifest APK per partition. For example,
+# /system/framework/service.jar will come with service.jar.fsv_meta in the same
+# directory; the file information will also be included in
+# /system/etc/security/fsverity/BuildManifest.apk
+_product_single_value_vars += PRODUCT_FSVERITY_GENERATE_METADATA
# If true, sets the default for MODULE_BUILD_FROM_SOURCE. This overrides
# BRANCH_DEFAULT_MODULE_BUILD_FROM_SOURCE but not an explicitly set value.
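Review bot: The replacement comment above PRODUCT_FSVERITY_GENERATE_METADATA refers to "the allowlist" without saying what it contains or where it is defined, whereas the removed comment enumerated the covered paths (system/framework/*.jar, the oat/vdex/art files, boot-image.prof, dirty-image-objects). Since this variable decides which files get fs-verity metadata, either keep a short list of the covered patterns, including the newly added {system_ext, vendor, odm, product}/framework/* entries, or point to the file that defines the allowlist. The wording also needs a pass: "for each files" should be "for each file" and "an manifest APK" should be "a manifest APK". Separately, the rename drops PRODUCT_SYSTEM_FSVERITY_GENERATE_METADATA from _product_single_value_vars with nothing in this hunk to catch product configs that still set the old name; such a product would build without .fsv_meta files and without any diagnostic. If it is not handled elsewhere in the change, consider failing the build when the old variable is set so that the loss of integrity metadata is not silent.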