Merge "Put DEVICE/PRODUCT overlays in different partitions"
diff --git a/core/Makefile b/core/Makefile
index 6d8e629..1c53459 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -2148,12 +2148,80 @@
endef
endif
+# Check that libraries that should only be in APEXes don't end up in the system
+# image. For the Runtime APEX this complements the checks in
+# art/build/apex/art_apex_test.py.
+# TODO(b/128708192): Implement this restriction in Soong instead.
+
+# TODO(b/124293228): Fix remaining bugs and add these libraries to the list:
+# libart-compiler.so
+# libart-dexlayout.so
+# libart.so
+# libartbase.so
+# libartpalette.so
+# libdexfile.so
+# libdexfile_external.so - aosp_marlin-userdebug gets this in a vndk-sp-Q subdirectory.
+# libicui18n.so
+# libicuuc.so
+# libnativehelper.so - cf_x86_phone-userdebug builds get this in system/lib/arm
+# libprofile.so
+# libsigchain.so
+# libtombstoned_client.so
+APEX_MODULE_LIBS= \
+ libadbconnection.so \
+ libandroidicu.so \
+ libdt_fd_forward.so \
+ libdt_socket.so \
+ libjavacore.so \
+ libjdwp.so \
+ libnativebridge.so \
+ libnativeloader.so \
+ libnpt.so \
+ libopenjdk.so \
+ libopenjdkjvm.so \
+ libopenjdkjvmti.so \
+ libpac.so \
+
+# If the check below fails, some library has ended up in system/lib or
+# system/lib64 that is intended to only go into some APEX package. The likely
+# cause is that a library or binary in /system has grown a dependency that
+# directly or indirectly pulls in the prohibited library.
+#
+# To resolve this, look for the APEX package that the library belong to - search
+# for it in 'native_shared_lib' properties in 'apex' build modules (see
+# art/build/apex/Android.bp for an example). Then check if there is an exported
+# library in that APEX package that should be used instead, i.e. one listed in
+# its 'native_shared_lib' property for which the corresponding 'cc_library'
+# module has a 'stubs' clause (like libdexfile_external in
+# art/libdexfile/Android.bp).
+#
+# If you cannot find an APEX exported library that fits your needs, or you think
+# that the library you want to depend on should be allowed in /system, then
+# please contact the owners of the APEX package containing the library.
+#
+# If you get this error for a library that is exported in an APEX, then the APEX
+# might be misconfigured or something is wrong in the build system. Please reach
+# out to the APEX package owners and/or soong-team@, or
+# android-building@googlegroups.com externally.
+define check-apex-libs-absence
+$(hide) ( \
+ cd $(TARGET_OUT); \
+ findres=$$(find lib* -type f \( -false $(foreach lib,$(APEX_MODULE_LIBS),-o -name $(lib)) \) -print) || exit 1; \
+ if [ -n "$$findres" ]; then \
+ echo "APEX libraries found in system image (see comment in this makefile for details):" 1>&2; \
+ echo "$$findres" | sort 1>&2; \
+ false; \
+ fi; \
+)
+endef
+
# $(1): output file
define build-systemimage-target
@echo "Target system fs image: $(1)"
$(call create-system-vendor-symlink)
$(call create-system-product-symlink)
$(call create-system-product_services-symlink)
+ $(call check-apex-libs-absence)
@mkdir -p $(dir $(1)) $(systemimage_intermediates) && rm -rf $(systemimage_intermediates)/system_image_info.txt
$(call generate-image-prop-dictionary, $(systemimage_intermediates)/system_image_info.txt,system, \
skip_fsck=true)
diff --git a/target/board/BoardConfigGsiCommon.mk b/target/board/BoardConfigGsiCommon.mk
index 68d29c8..a0f43af 100644
--- a/target/board/BoardConfigGsiCommon.mk
+++ b/target/board/BoardConfigGsiCommon.mk
@@ -27,6 +27,7 @@
# GSI forces product packages to /system for now.
TARGET_COPY_OUT_PRODUCT := system/product
+BOARD_PRODUCTIMAGE_FILE_SYSTEM_TYPE :=
# Creates metadata partition mount point under root for
# the devices with metadata parition
diff --git a/target/board/BoardConfigMainlineCommon.mk b/target/board/BoardConfigMainlineCommon.mk
index e13317f..ed69357 100644
--- a/target/board/BoardConfigMainlineCommon.mk
+++ b/target/board/BoardConfigMainlineCommon.mk
@@ -10,7 +10,10 @@
# Mainline devices must have /vendor and /product partitions.
TARGET_COPY_OUT_VENDOR := vendor
+BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE := ext4
+
TARGET_COPY_OUT_PRODUCT := product
+BOARD_PRODUCTIMAGE_FILE_SYSTEM_TYPE := ext4
# system-as-root is mandatory from Android P
TARGET_NO_RECOVERY := true
@@ -39,3 +42,7 @@
BOARD_AVB_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
BOARD_CHARGER_ENABLE_SUSPEND := true
+
+# Enable A/B update
+AB_OTA_UPDATER := true
+AB_OTA_PARTITIONS := system
diff --git a/target/product/gsi/adb_debug.prop b/target/product/gsi/adb_debug.prop
new file mode 100644
index 0000000..37e2f2d
--- /dev/null
+++ b/target/product/gsi/adb_debug.prop
@@ -0,0 +1,12 @@
+# Note: This file will be loaded with highest priority to override
+# other system properties, if a special ramdisk with "/force_debuggable"
+# is used and the device is unlocked.
+
+# Disable adb authentication to allow test automation on user build GSI
+ro.adb.secure=0
+
+# Allow 'adb root' on user build GSI
+ro.debuggable=1
+
+# Introduce this property to indicate that init has loaded adb_debug.prop
+ro.force.debuggable=1
diff --git a/target/product/gsi_common.mk b/target/product/gsi_common.mk
index fb0478d..5e73e63 100644
--- a/target/product/gsi_common.mk
+++ b/target/product/gsi_common.mk
@@ -51,23 +51,19 @@
PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST += \
system/etc/init/config/skip_mount.cfg \
system/etc/init/init.gsi.rc \
+ system/etc/adb_debug.prop \
# Exclude all files under system/product and system/product_services
PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST += \
system/product/% \
system/product_services/%
-
# Split selinux policy
PRODUCT_FULL_TREBLE_OVERRIDE := true
# Enable dynamic partition size
PRODUCT_USE_DYNAMIC_PARTITION_SIZE := true
-# Enable A/B update
-AB_OTA_UPDATER := true
-AB_OTA_PARTITIONS := system
-
# Needed by Pi newly launched device to pass VtsTrebleSysProp on GSI
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE := true
@@ -97,3 +93,7 @@
# Provide a libnfc-nci.conf to GSI product
PRODUCT_COPY_FILES += \
device/generic/common/nfc/libnfc-nci.conf:$(TARGET_COPY_OUT_PRODUCT)/etc/libnfc-nci.conf
+
+# Allow 'adb root' on user build GSI
+PRODUCT_COPY_FILES += \
+ build/make/target/product/gsi/adb_debug.prop:$(TARGET_COPY_OUT_SYSTEM)/etc/adb_debug.prop
diff --git a/target/product/mainline_system_arm64.mk b/target/product/mainline_system_arm64.mk
index 0b0929e..f01cc54 100644
--- a/target/product/mainline_system_arm64.mk
+++ b/target/product/mainline_system_arm64.mk
@@ -18,6 +18,16 @@
$(call inherit-product, $(SRC_TARGET_DIR)/product/mainline_system.mk)
$(call enforce-product-packages-exist,)
+PRODUCT_BUILD_CACHE_IMAGE := false
+PRODUCT_BUILD_ODM_IMAGE := false
+PRODUCT_BUILD_PRODUCT_IMAGE := false
+PRODUCT_BUILD_PRODUCT_SERVICES_IMAGE := false
+PRODUCT_BUILD_RAMDISK_IMAGE := false
+PRODUCT_BUILD_SYSTEM_IMAGE := true
+PRODUCT_BUILD_SYSTEM_OTHER_IMAGE := false
+PRODUCT_BUILD_USERDATA_IMAGE := false
+PRODUCT_BUILD_VENDOR_IMAGE := false
+
PRODUCT_NAME := mainline_system_arm64
PRODUCT_DEVICE := mainline_arm64
PRODUCT_BRAND := generic
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 34c1359..632c1e2 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -1008,7 +1008,8 @@
def SignFile(input_name, output_name, key, password, min_api_level=None,
- codename_to_api_level_map=None, whole_file=False):
+ codename_to_api_level_map=None, whole_file=False,
+ extra_signapk_args=None):
"""Sign the input_name zip/jar/apk, producing output_name. Use the
given key and password (the latter may be None if the key does not
have a password.
@@ -1023,9 +1024,14 @@
codename_to_api_level_map is needed to translate the codename which may be
encountered as the APK's minSdkVersion.
+
+ Caller may optionally specify extra args to be passed to SignApk, which
+ defaults to OPTIONS.extra_signapk_args if omitted.
"""
if codename_to_api_level_map is None:
codename_to_api_level_map = {}
+ if extra_signapk_args is None:
+ extra_signapk_args = OPTIONS.extra_signapk_args
java_library_path = os.path.join(
OPTIONS.search_path, OPTIONS.signapk_shared_library_path)
@@ -1033,7 +1039,7 @@
cmd = ([OPTIONS.java_path] + OPTIONS.java_args +
["-Djava.library.path=" + java_library_path,
"-jar", os.path.join(OPTIONS.search_path, OPTIONS.signapk_path)] +
- OPTIONS.extra_signapk_args)
+ extra_signapk_args)
if whole_file:
cmd.append("-w")
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 75a98fd..16c1840 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -400,7 +400,6 @@
APEX_PAYLOAD_IMAGE = 'apex_payload.img'
- # Signing an APEX is a two step process.
# 1. Extract and sign the APEX_PAYLOAD_IMAGE entry with the given payload_key.
payload_dir = common.MakeTempDir(prefix='apex-payload-')
with zipfile.ZipFile(apex_file) as apex_fd:
@@ -420,21 +419,28 @@
common.ZipWrite(apex_zip, payload_file, arcname=APEX_PAYLOAD_IMAGE)
common.ZipClose(apex_zip)
- # 2. Sign the overall APEX container with container_key.
+ # 2. Align the files at page boundary (same as in apexer).
+ aligned_apex = common.MakeTempFile(
+ prefix='apex-container-', suffix='.apex')
+ common.RunAndCheckOutput(
+ ['zipalign', '-f', '4096', apex_file, aligned_apex])
+
+ # 3. Sign the APEX container with container_key.
signed_apex = common.MakeTempFile(prefix='apex-container-', suffix='.apex')
+
+ # Specify the 4K alignment when calling SignApk.
+ extra_signapk_args = OPTIONS.extra_signapk_args[:]
+ extra_signapk_args.extend(['-a', '4096'])
+
common.SignFile(
- apex_file,
+ aligned_apex,
signed_apex,
container_key,
container_pw,
- codename_to_api_level_map=codename_to_api_level_map)
+ codename_to_api_level_map=codename_to_api_level_map,
+ extra_signapk_args=extra_signapk_args)
- signed_and_aligned_apex = common.MakeTempFile(
- prefix='apex-container-', suffix='.apex')
- common.RunAndCheckOutput(
- ['zipalign', '-f', '4096', signed_apex, signed_and_aligned_apex])
-
- return (signed_and_aligned_apex, payload_info['apex.key'])
+ return (signed_apex, payload_info['apex.key'])
def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
@@ -600,7 +606,7 @@
else:
common.ZipWriteStr(output_tf_zip, out_info, data)
- # Update APEX payload public keys.
+ # Copy or update APEX payload public keys.
for info in input_tf_zip.infolist():
filename = info.filename
if (os.path.dirname(filename) != 'SYSTEM/etc/security/apex' or
@@ -609,8 +615,10 @@
name = os.path.basename(filename)
- # Skip PRESIGNED APEXes.
+ # Copy the keys for PRESIGNED APEXes.
if name not in updated_apex_payload_keys:
+ data = input_tf_zip.read(filename)
+ common.ZipWriteStr(output_tf_zip, info, data)
continue
key_path = updated_apex_payload_keys[name]