Adding sepolicy sign params to sign_target_files_apks.
Bug: b/217570541
Test: sign_target_files_apks --sepolicy_key=build/make/tools/releasetools/testdata/testkey_RSA4096.key
--sepolicy_cert=build/make/tools/releasetools/testdata/testkey.x509.pem target_files.zip target_out.zip
Change-Id: I4ae9f2a3297d10de68c6444dea1cd9996ad9dd11
Change-Id: I4a1ac7009ae0d6bb53c74bd34f8c74f12ea0a3b8
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index c2c6df1..bd3af68 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -97,6 +97,7 @@
self.stash_threshold = 0.8
self.logfile = None
self.host_tools = {}
+ self.sepolicy_name = 'sepolicy.apex'
OPTIONS = Options()
diff --git a/tools/releasetools/sign_apex.py b/tools/releasetools/sign_apex.py
index 722359b..a68f1ec 100755
--- a/tools/releasetools/sign_apex.py
+++ b/tools/releasetools/sign_apex.py
@@ -61,6 +61,7 @@
import common
logger = logging.getLogger(__name__)
+OPTIONS = common.OPTIONS
def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
@@ -81,7 +82,7 @@
apk_keys=apk_keys,
signing_args=signing_args,
sign_tool=sign_tool,
- is_sepolicy=apex_file.endswith("sepolicy.apex"),
+ is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name),
sepolicy_key=sepolicy_key,
sepolicy_cert=sepolicy_cert,
fsverity_tool=fsverity_tool)
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index aaf4a34..6dc75dc 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -137,6 +137,15 @@
--android_jar_path <path>
Path to the android.jar to repack the apex file.
+ --sepolicy_key <key>
+ Optional flag that specifies the sepolicy signing key, defaults to payload_key for the sepolicy.apex.
+
+ --sepolicy_cert <cert>
+ Optional flag that specifies the sepolicy signing cert.
+
+ --fsverity_tool <path>
+ Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity.
+
--allow_gsi_debug_sepolicy
Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
(/system/system_ext|/system_ext)/etc/selinux.
@@ -196,6 +205,9 @@
OPTIONS.android_jar_path = None
OPTIONS.vendor_partitions = set()
OPTIONS.vendor_otatools = None
+OPTIONS.sepolicy_key = None
+OPTIONS.sepolicy_cert = None
+OPTIONS.fsverity_tool = None
OPTIONS.allow_gsi_debug_sepolicy = False
@@ -234,6 +246,8 @@
def IsApexFile(filename):
return filename.endswith(".apex") or filename.endswith(".capex")
+def IsSepolicyApex(filename):
+ return filename.endswith(OPTIONS.sepolicy_name)
def GetApexFilename(filename):
name = os.path.basename(filename)
@@ -256,6 +270,24 @@
return certmap
+def GetSepolicyKeys(keys_info):
+ """Gets SEPolicy signing keys applying overrides from command line options.
+
+ Args:
+ keys_info: A dict that maps from the SEPolicy APEX filename to a tuple of
+ (sepolicy_key, sepolicy_cert, fsverity_tool).
+
+ Returns:
+ A dict that contains the updated APEX key mapping, which should be used for
+ the current signing.
+ """
+ for name in keys_info:
+ (sepolicy_key, sepolicy_cert, fsverity_tool) = keys_info[name]
+ sepolicy_key = OPTIONS.sepolicy_key if OPTIONS.sepolicy_key else sepolicy_key
+ sepolicy_cert = OPTIONS.sepolicy_cert if OPTIONS.sepolicy_cert else sepolicy_cert
+ fsverity_tool = OPTIONS.fsverity_tool if OPTIONS.fsverity_tool else fsverity_tool
+ keys_info[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
+ return keys_info
def GetApexKeys(keys_info, key_map):
"""Gets APEX payload and container signing keys by applying the mapping rules.
@@ -518,7 +550,7 @@
def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
- compressed_extension):
+ compressed_extension, sepolicy_keys):
# maxsize measures the maximum filename length, including the ones to be
# skipped.
try:
@@ -586,6 +618,17 @@
print(" : %-*s payload (%s)" % (
maxsize, name, payload_key))
+ sepolicy_key = None
+ sepolicy_cert = None
+ fsverity_tool = None
+
+ if IsSepolicyApex(name):
+ (sepolicy_key, sepolicy_cert, fsverity_tool) = sepolicy_keys[name]
+ print(" : %-*s sepolicy key (%s)" % (
+ maxsize, name, sepolicy_key))
+ print(" : %-*s sepolicy cert (%s)" % (
+ maxsize, name, sepolicy_cert))
+
signed_apex = apex_utils.SignApex(
misc_info['avb_avbtool'],
data,
@@ -596,7 +639,11 @@
codename_to_api_level_map,
no_hashtree=None, # Let apex_util determine if hash tree is needed
signing_args=OPTIONS.avb_extra_args.get('apex'),
- sign_tool=sign_tool)
+ sign_tool=sign_tool,
+ is_sepolicy=IsSepolicyApex(name),
+ sepolicy_key=sepolicy_key,
+ sepolicy_cert=sepolicy_cert,
+ fsverity_tool=fsverity_tool)
common.ZipWrite(output_tf_zip, signed_apex, filename)
else:
@@ -1206,20 +1253,24 @@
def ReadApexKeysInfo(tf_zip):
"""Parses the APEX keys info from a given target-files zip.
- Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a
- dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a
- tuple of (payload_key, container_key, sign_tool).
+ Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns
+ two dicts, the first one contains the mapping from APEX names
+ (e.g. com.android.tzdata) to a tuple of (payload_key, container_key,
+ sign_tool). The second one maps the sepolicy APEX name to a tuple containing
+ (sepolicy_key, sepolicy_cert, fsverity_tool).
Args:
tf_zip: The input target_files ZipFile (already open).
Returns:
- (payload_key, container_key, sign_tool):
+ name : (payload_key, container_key, sign_tool)
- payload_key contains the path to the payload signing key
- container_key contains the path to the container signing key
- sign_tool is an apex-specific signing tool for its payload contents
+ name : (sepolicy_key, sepolicy_cert, fsverity_tool)
"""
keys = {}
+ sepolicy_keys = {}
for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'):
line = line.strip()
if not line:
@@ -1230,6 +1281,9 @@
r'private_key="(?P<PAYLOAD_PRIVATE_KEY>.*)"\s+'
r'container_certificate="(?P<CONTAINER_CERT>.*)"\s+'
r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>.*?)"'
+ r'(\s+sepolicy_key="(?P<SEPOLICY_KEY>.*?)")?'
+ r'(\s+sepolicy_certificate="(?P<SEPOLICY_CERT>.*?)")?'
+ r'(\s+fsverity_tool="(?P<FSVERITY_TOOL>.*?)")?'
r'(\s+partition="(?P<PARTITION>.*?)")?'
r'(\s+sign_tool="(?P<SIGN_TOOL>.*?)")?$',
line)
@@ -1258,12 +1312,18 @@
container_private_key, OPTIONS.private_key_suffix):
container_key = container_cert[:-len(OPTIONS.public_key_suffix)]
else:
- raise ValueError("Failed to parse container keys: \n{}".format(line))
+ raise ValueError("Failed to parse container keys: \n{} **** {}".format(container_cert, container_private_key))
sign_tool = matches.group("SIGN_TOOL")
keys[name] = (payload_private_key, container_key, sign_tool)
- return keys
+ if IsSepolicyApex(name):
+ sepolicy_key = matches.group('SEPOLICY_KEY')
+ sepolicy_cert = matches.group('SEPOLICY_CERT')
+ fsverity_tool = matches.group('FSVERITY_TOOL')
+ sepolicy_keys[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
+
+ return keys, sepolicy_keys
def BuildVendorPartitions(output_zip_path):
@@ -1460,6 +1520,12 @@
OPTIONS.vendor_otatools = a
elif o == "--vendor_partitions":
OPTIONS.vendor_partitions = set(a.split(","))
+ elif o == '--sepolicy_key':
+ OPTIONS.sepolicy_key = a
+ elif o == '--sepolicy_cert':
+ OPTIONS.sepolicy_cert = a
+ elif o == '--fsverity_tool':
+ OPTIONS.fsverity_tool = a
elif o == "--allow_gsi_debug_sepolicy":
OPTIONS.allow_gsi_debug_sepolicy = True
else:
@@ -1514,6 +1580,9 @@
"gki_signing_extra_args=",
"vendor_partitions=",
"vendor_otatools=",
+ "sepolicy_key=",
+ "sepolicy_cert=",
+ "fsverity_tool=",
"allow_gsi_debug_sepolicy",
],
extra_option_handler=option_handler)
@@ -1536,8 +1605,9 @@
apk_keys_info, compressed_extension = common.ReadApkCerts(input_zip)
apk_keys = GetApkCerts(apk_keys_info)
- apex_keys_info = ReadApexKeysInfo(input_zip)
+ apex_keys_info, sepolicy_keys_info = ReadApexKeysInfo(input_zip)
apex_keys = GetApexKeys(apex_keys_info, apk_keys)
+ sepolicy_keys = GetSepolicyKeys(sepolicy_keys_info)
# TODO(xunchang) check for the apks inside the apex files, and abort early if
# the keys are not available.
@@ -1555,7 +1625,7 @@
ProcessTargetFiles(input_zip, output_zip, misc_info,
apk_keys, apex_keys, key_passwords,
platform_api_level, codename_to_api_level_map,
- compressed_extension)
+ compressed_extension, sepolicy_keys)
common.ZipClose(input_zip)
common.ZipClose(output_zip)
diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py
index 0f13add..144a3cd 100644
--- a/tools/releasetools/test_sign_target_files_apks.py
+++ b/tools/releasetools/test_sign_target_files_apks.py
@@ -476,7 +476,7 @@
target_files_zip.writestr('META/apexkeys.txt', self.APEX_KEYS_TXT)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info = ReadApexKeysInfo(target_files_zip)
+ keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -486,6 +486,7 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
+ self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_mismatchingContainerKeys(self):
# Mismatching payload public / private keys.
@@ -515,7 +516,7 @@
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info = ReadApexKeysInfo(target_files_zip)
+ keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -525,6 +526,7 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
+ self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_missingPayloadPublicKey(self):
# Invalid lines will be skipped.
@@ -538,7 +540,7 @@
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info = ReadApexKeysInfo(target_files_zip)
+ keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -548,6 +550,7 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
+ self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_presignedKeys(self):
apex_keys = self.APEX_KEYS_TXT + (
@@ -561,7 +564,7 @@
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info = ReadApexKeysInfo(target_files_zip)
+ keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -571,6 +574,7 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
+ self.assertEqual({}, sepolicy_keys_info)
def test_ReadApexKeysInfo_presignedKeys(self):
apex_keys = self.APEX_KEYS_TXT + (
@@ -584,7 +588,7 @@
target_files_zip.writestr('META/apexkeys.txt', apex_keys)
with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
- keys_info = ReadApexKeysInfo(target_files_zip)
+ keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
self.assertEqual({
'apex.apexd_test.apex': (
@@ -594,6 +598,72 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
+ self.assertEqual({}, sepolicy_keys_info)
+
+ def test_ReadApexKeysInfo_withSepolicyKeys(self):
+ apex_keys = self.APEX_KEYS_TXT + (
+ 'name="sepolicy.apex" '
+ 'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
+ 'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
+ 'container_certificate="build/make/target/product/security/testkey.x509.pem" '
+ 'container_private_key="build/make/target/product/security/testkey.pk8" '
+ 'sepolicy_key="build/make/target/product/security/testkey.key" '
+ 'sepolicy_certificate="build/make/target/product/security/testkey.x509.pem" '
+ 'fsverity_tool="fsverity"')
+ target_files = common.MakeTempFile(suffix='.zip')
+ with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
+ target_files_zip.writestr('META/apexkeys.txt', apex_keys)
+
+ with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
+ keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+
+ self.assertEqual({
+ 'apex.apexd_test.apex': (
+ 'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
+ 'build/make/target/product/security/testkey', None),
+ 'apex.apexd_test_different_app.apex': (
+ 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
+ 'build/make/target/product/security/testkey', None),
+ 'sepolicy.apex': (
+ 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
+ 'build/make/target/product/security/testkey', None),
+ }, keys_info)
+ self.assertEqual({'sepolicy.apex': (
+ 'build/make/target/product/security/testkey.key',
+ 'build/make/target/product/security/testkey.x509.pem',
+ 'fsverity'),
+ }, sepolicy_keys_info)
+
+ def test_ReadApexKeysInfo_withSepolicyApex(self):
+ apex_keys = self.APEX_KEYS_TXT + (
+ 'name="sepolicy.apex" '
+ 'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
+ 'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
+ 'container_certificate="build/make/target/product/security/testkey.x509.pem" '
+ 'container_private_key="build/make/target/product/security/testkey.pk8" ')
+ target_files = common.MakeTempFile(suffix='.zip')
+ with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
+ target_files_zip.writestr('META/apexkeys.txt', apex_keys)
+
+ with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
+ keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+
+ self.assertEqual({
+ 'apex.apexd_test.apex': (
+ 'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
+ 'build/make/target/product/security/testkey', None),
+ 'apex.apexd_test_different_app.apex': (
+ 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
+ 'build/make/target/product/security/testkey', None),
+ 'sepolicy.apex': (
+ 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
+ 'build/make/target/product/security/testkey', None),
+ }, keys_info)
+ self.assertEqual({'sepolicy.apex': (
+ None,
+ None,
+ None),
+ }, sepolicy_keys_info)
def test_ReplaceGkiSigningKey(self):
common.OPTIONS.gki_signing_key = 'release_gki_key'