Merge "Provide android_app_certificate module that always points to AOSP certificate."
diff --git a/CleanSpec.mk b/CleanSpec.mk
index a82a0bd..a93e79e 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -627,6 +627,11 @@
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/adb_debug.prop)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/lib*/libjavacrypto.so)
+
+# Clean up old verity tools.
+$(call add-clean-step, rm -rf $(HOST_OUT_JAVA_LIBRARIES)/BootSignature.jar)
+$(call add-clean-step, rm -rf $(HOST_OUT_JAVA_LIBRARIES)/VeritySigner.jar)
+$(call add-clean-step, rm -rf $(HOST_OUT_EXECUTABLES)/build_verity_metadata.py)
# ************************************************
# NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST
# ************************************************
diff --git a/Deprecation.md b/Deprecation.md
index 6468f46..01825b2 100644
--- a/Deprecation.md
+++ b/Deprecation.md
@@ -14,8 +14,8 @@
| Module type | State |
| -------------------------- | --------- |
-| `BUILD_HOST_TEST_CONFIG` | Warning |
-| `BUILD_TARGET_TEST_CONFIG` | Warning |
+| `BUILD_HOST_TEST_CONFIG` | Error |
+| `BUILD_TARGET_TEST_CONFIG` | Error |
| `BUILD_*` | Available |
## Module Type Deprecation Process
diff --git a/core/Makefile b/core/Makefile
index 89df131..c4cd57a 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -2158,109 +2158,13 @@
endef
endif
-# Check that libraries that should only be in APEXes don't end up in the system
-# image. For the Runtime APEX this complements the checks in
-# art/build/apex/art_apex_test.py.
-# TODO(b/128708192): Implement this restriction in Soong instead.
-
-# Runtime APEX libraries
-APEX_MODULE_LIBS := \
- libadbconnection.so \
- libandroidicu.so \
- libandroidio.so \
- libart-compiler.so \
- libart-dexlayout.so \
- libart.so \
- libartbase.so \
- libartpalette.so \
- libdexfile.so \
- libdexfile_external.so \
- libdexfiled_external.so \
- libdt_fd_forward.so \
- libdt_socket.so \
- libicui18n.so \
- libicuuc.so \
- libjavacore.so \
- libjdwp.so \
- libnativebridge.so \
- libnativehelper.so \
- libnativeloader.so \
- libnpt.so \
- libopenjdk.so \
- libopenjdkjvm.so \
- libopenjdkjvmti.so \
- libpac.so \
- libprofile.so \
- libsigchain.so \
-
-# Conscrypt APEX libraries
-APEX_MODULE_LIBS += \
- libjavacrypto.so \
-
-# An option to disable the check below, for local use since some build targets
-# still may create these libraries in /system (b/129006418).
-DISABLE_APEX_LIBS_ABSENCE_CHECK ?=
-
-# Exclude lib/arm and lib/arm64 which contain the native bridge proxy libs.
-# They are compiled for the guest architecture and used with an entirely
-# different linker config. The native libs are then linked to as usual via
-# exported interfaces, so the proxy libs do not violate the interface boundaries
-# on the native architecture.
-# TODO(b/130630776): Introduce a make variable for the appropriate directory
-# when native bridge is active.
-APEX_LIBS_ABSENCE_CHECK_EXCLUDE := lib/arm lib/arm64
-
-# Exclude vndk-sp-* subdirectories which contain prebuilts from older releases.
-APEX_LIBS_ABSENCE_CHECK_EXCLUDE += lib/vndk-% lib64/vndk-%
-
-# If the check below fails, some library has ended up in system/lib or
-# system/lib64 that is intended to only go into some APEX package. The likely
-# cause is that a library or binary in /system has grown a dependency that
-# directly or indirectly pulls in the prohibited library.
-#
-# To resolve this, look for the APEX package that the library belong to - search
-# for it in 'native_shared_lib' properties in 'apex' build modules (see
-# art/build/apex/Android.bp for an example). Then check if there is an exported
-# library in that APEX package that should be used instead, i.e. one listed in
-# its 'native_shared_lib' property for which the corresponding 'cc_library'
-# module has a 'stubs' clause (like libdexfile_external in
-# art/libdexfile/Android.bp).
-#
-# If you cannot find an APEX exported library that fits your needs, or you think
-# that the library you want to depend on should be allowed in /system, then
-# please contact the owners of the APEX package containing the library.
-#
-# If you get this error for a library that is exported in an APEX, then the APEX
-# might be misconfigured or something is wrong in the build system. Please reach
-# out to the APEX package owners and/or soong-team@, or
-# android-building@googlegroups.com externally.
-ifndef DISABLE_APEX_LIBS_ABSENCE_CHECK
-define check-apex-libs-absence
-$(hide) ( \
- cd $(TARGET_OUT) && \
- findres=$$(find lib* \
- $(foreach dir,$(APEX_LIBS_ABSENCE_CHECK_EXCLUDE),-path "$(subst %,*,$(dir))" -prune -o) \
- -type f \( -false $(foreach lib,$(APEX_MODULE_LIBS),-o -name $(lib)) \) \
- -print) && \
- if [ -n "$$findres" ]; then \
- echo "APEX libraries found in system image (see comment in build/make/core/Makefile for details):" 1>&2; \
- echo "$$findres" | sort 1>&2; \
- false; \
- fi; \
-)
-endef
-else
-define check-apex-libs-absence
-endef
-endif
-
# $(1): output file
define build-systemimage-target
@echo "Target system fs image: $(1)"
$(call create-system-vendor-symlink)
$(call create-system-product-symlink)
$(call create-system-product_services-symlink)
- $(call check-apex-libs-absence)
+ $(call check-apex-libs-absence-on-disk)
@mkdir -p $(dir $(1)) $(systemimage_intermediates) && rm -rf $(systemimage_intermediates)/system_image_info.txt
$(call generate-image-prop-dictionary, $(systemimage_intermediates)/system_image_info.txt,system, \
skip_fsck=true)
@@ -3565,8 +3469,8 @@
$(HOST_OUT_EXECUTABLES)/bsdiff \
$(HOST_OUT_EXECUTABLES)/imgdiff \
$(HOST_OUT_JAVA_LIBRARIES)/signapk.jar \
- $(HOST_OUT_JAVA_LIBRARIES)/BootSignature.jar \
- $(HOST_OUT_JAVA_LIBRARIES)/VeritySigner.jar \
+ $(HOST_OUT_JAVA_LIBRARIES)/boot_signer.jar \
+ $(HOST_OUT_JAVA_LIBRARIES)/verity_signer.jar \
$(HOST_OUT_EXECUTABLES)/mke2fs \
$(HOST_OUT_EXECUTABLES)/mkuserimg_mke2fs \
$(HOST_OUT_EXECUTABLES)/e2fsdroid \
diff --git a/core/config.mk b/core/config.mk
index 94928a2..bf59fb1 100644
--- a/core/config.mk
+++ b/core/config.mk
@@ -604,7 +604,7 @@
BUILD_IMAGE_SRCS := $(wildcard build/make/tools/releasetools/*.py)
APPEND2SIMG := $(HOST_OUT_EXECUTABLES)/append2simg
VERITY_SIGNER := $(HOST_OUT_EXECUTABLES)/verity_signer
-BUILD_VERITY_METADATA := $(HOST_OUT_EXECUTABLES)/build_verity_metadata.py
+BUILD_VERITY_METADATA := $(HOST_OUT_EXECUTABLES)/build_verity_metadata
BUILD_VERITY_TREE := $(HOST_OUT_EXECUTABLES)/build_verity_tree
BOOT_SIGNER := $(HOST_OUT_EXECUTABLES)/boot_signer
FUTILITY := $(HOST_OUT_EXECUTABLES)/futility-host
diff --git a/core/deprecation.mk b/core/deprecation.mk
index cbc938a..9d57527 100644
--- a/core/deprecation.mk
+++ b/core/deprecation.mk
@@ -37,13 +37,13 @@
# relevant BUILD_BROKEN_USES_BUILD_* variables, then these would move to
# DEFAULT_ERROR_BUILD_MODULE_TYPES.
DEFAULT_WARNING_BUILD_MODULE_TYPES :=$= \
- BUILD_HOST_TEST_CONFIG \
- BUILD_TARGET_TEST_CONFIG \
# These are BUILD_* variables that are errors to reference, but you can set
# BUILD_BROKEN_USES_BUILD_* in your BoardConfig.mk in order to turn them back
# to warnings.
DEFAULT_ERROR_BUILD_MODULE_TYPES :=$= \
+ BUILD_HOST_TEST_CONFIG \
+ BUILD_TARGET_TEST_CONFIG \
# These are BUILD_* variables that are always errors to reference.
# Setting the BUILD_BROKEN_USES_BUILD_* variables is also an error.
diff --git a/core/main.mk b/core/main.mk
index 7e1bdd5..6f92ff1 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -1200,6 +1200,117 @@
)
endef
+# Check that libraries that should only be in APEXes don't end up in the system
+# image. For the Runtime APEX this complements the checks in
+# art/build/apex/art_apex_test.py.
+# TODO(b/128708192): Implement this restriction in Soong instead.
+
+# Runtime APEX libraries
+APEX_MODULE_LIBS := \
+ libadbconnection.so \
+ libandroidicu.so \
+ libandroidio.so \
+ libart-compiler.so \
+ libart-dexlayout.so \
+ libart.so \
+ libartbase.so \
+ libartpalette.so \
+ libdexfile.so \
+ libdexfile_external.so \
+ libdexfiled_external.so \
+ libdt_fd_forward.so \
+ libdt_socket.so \
+ libicui18n.so \
+ libicuuc.so \
+ libjavacore.so \
+ libjdwp.so \
+ libnativebridge.so \
+ libnativehelper.so \
+ libnativeloader.so \
+ libnpt.so \
+ libopenjdk.so \
+ libopenjdkjvm.so \
+ libopenjdkjvmti.so \
+ libpac.so \
+ libprofile.so \
+ libsigchain.so \
+
+# Conscrypt APEX libraries
+APEX_MODULE_LIBS += \
+ libjavacrypto.so \
+
+# An option to disable the check below, for local use since some build targets
+# still may create these libraries in /system (b/129006418).
+DISABLE_APEX_LIBS_ABSENCE_CHECK ?=
+
+# Exclude lib/arm and lib/arm64 which contain the native bridge proxy libs. They
+# are compiled for the guest architecture and used with an entirely different
+# linker config. The native libs are then linked to as usual via exported
+# interfaces, so the proxy libs do not violate the interface boundaries on the
+# native architecture.
+# TODO(b/130630776): Introduce a make variable for the appropriate directory
+# when native bridge is active.
+APEX_LIBS_ABSENCE_CHECK_EXCLUDE := lib/arm lib/arm64
+
+# Exclude vndk-* subdirectories which contain prebuilts from older releases.
+APEX_LIBS_ABSENCE_CHECK_EXCLUDE += lib/vndk-% lib64/vndk-%
+
+ifdef DISABLE_APEX_LIBS_ABSENCE_CHECK
+ check-apex-libs-absence :=
+ check-apex-libs-absence-on-disk :=
+else
+ # If the check below fails, some library has ended up in system/lib or
+ # system/lib64 that is intended to only go into some APEX package. The likely
+ # cause is that a library or binary in /system has grown a dependency that
+ # directly or indirectly pulls in the prohibited library.
+ #
+ # To resolve this, look for the APEX package that the library belong to -
+ # search for it in 'native_shared_lib' properties in 'apex' build modules (see
+ # art/build/apex/Android.bp for an example). Then check if there is an
+ # exported library in that APEX package that should be used instead, i.e. one
+ # listed in its 'native_shared_lib' property for which the corresponding
+ # 'cc_library' module has a 'stubs' clause (like libdexfile_external in
+ # art/libdexfile/Android.bp).
+ #
+ # If you cannot find an APEX exported library that fits your needs, or you
+ # think that the library you want to depend on should be allowed in /system,
+ # then please contact the owners of the APEX package containing the library.
+ #
+ # If you get this error for a library that is exported in an APEX, then the
+ # APEX might be misconfigured or something is wrong in the build system.
+ # Please reach out to the APEX package owners and/or soong-team@, or
+ # android-building@googlegroups.com externally.
+ define check-apex-libs-absence
+ $(call maybe-print-list-and-error, \
+ $(filter $(foreach lib,$(APEX_MODULE_LIBS),%/$(lib)), \
+ $(filter-out $(foreach dir,$(APEX_LIBS_ABSENCE_CHECK_EXCLUDE), \
+ $(TARGET_OUT)/$(if $(findstring %,$(dir)),$(dir),$(dir)/%)), \
+ $(filter $(TARGET_OUT)/lib/% $(TARGET_OUT)/lib64/%,$(1)))), \
+ APEX libraries found in system image (see comment for check-apex-libs-absence in \
+ build/make/core/main.mk for details))
+ endef
+
+ # TODO(b/129006418): The check above catches libraries through product
+ # dependencies visible to make, but as long as they have install rules in
+ # /system they may still be created there through other make targets. To catch
+ # that we also do a check on disk just before the system image is built.
+ define check-apex-libs-absence-on-disk
+ $(hide) ( \
+ cd $(TARGET_OUT) && \
+ findres=$$(find lib* \
+ $(foreach dir,$(APEX_LIBS_ABSENCE_CHECK_EXCLUDE),-path "$(subst %,*,$(dir))" -prune -o) \
+ -type f \( -false $(foreach lib,$(APEX_MODULE_LIBS),-o -name $(lib)) \) \
+ -print) && \
+ if [ -n "$$findres" ]; then \
+ echo "APEX libraries found in system image (see comment for check-apex-libs-absence" 1>&2; \
+ echo "in build/make/core/main.mk for details):" 1>&2; \
+ echo "$$findres" | sort 1>&2; \
+ false; \
+ fi; \
+ )
+ endef
+endif
+
ifdef FULL_BUILD
ifneq (true,$(ALLOW_MISSING_DEPENDENCIES))
# Check to ensure that all modules in PRODUCT_PACKAGES exist (opt in per product)
@@ -1312,6 +1423,8 @@
rm -f $@
$(foreach f,$(sort $(all_offending_files)),echo $(f) >> $@;)
endif
+
+ $(call check-apex-libs-absence,$(product_target_FILES))
else
# We're not doing a full build, and are probably only including
# a subset of the module makefiles. Don't try to build any modules
diff --git a/tools/releasetools/verity_utils.py b/tools/releasetools/verity_utils.py
index 3a58755..3063800 100644
--- a/tools/releasetools/verity_utils.py
+++ b/tools/releasetools/verity_utils.py
@@ -52,7 +52,7 @@
def GetVerityMetadataSize(image_size):
- cmd = ["build_verity_metadata.py", "size", str(image_size)]
+ cmd = ["build_verity_metadata", "size", str(image_size)]
output = common.RunAndCheckOutput(cmd, verbose=False)
return int(output)
@@ -97,7 +97,7 @@
def BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt,
block_device, signer_path, key, signer_args,
verity_disable):
- cmd = ["build_verity_metadata.py", "build", str(image_size),
+ cmd = ["build_verity_metadata", "build", str(image_size),
verity_metadata_path, root_hash, salt, block_device, signer_path, key]
if signer_args:
cmd.append("--signer_args=\"%s\"" % (' '.join(signer_args),))