Merge "releasetools: Return the actual image size when building logical partitions."
diff --git a/core/Makefile b/core/Makefile
index d7b3ab7..a248f5e 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -3255,6 +3255,27 @@
updatepackage: $(INTERNAL_UPDATE_PACKAGE_TARGET)
# -----------------------------------------------------------------
+# A zip of the appcompat directory containing logs
+APPCOMPAT_ZIP := $(PRODUCT_OUT)/appcompat.zip
+# For apps_only build we'll establish the dependency later in build/make/core/main.mk.
+ifndef TARGET_BUILD_APPS
+$(APPCOMPAT_ZIP): $(INSTALLED_SYSTEMIMAGE) \
+ $(INSTALLED_BOOTIMAGE_TARGET) \
+ $(INSTALLED_USERDATAIMAGE_TARGET) \
+ $(INSTALLED_VENDORIMAGE_TARGET) \
+ $(INSTALLED_PRODUCTIMAGE_TARGET) \
+ $(INSTALLED_PRODUCT_SERVICESIMAGE_TARGET)
+endif
+$(APPCOMPAT_ZIP): PRIVATE_LIST_FILE := $(call intermediates-dir-for,PACKAGING,appcompat)/filelist
+$(APPCOMPAT_ZIP): $(SOONG_ZIP)
+ @echo "appcompat logs: $@"
+ $(hide) rm -rf $@ $(PRIVATE_LIST_FILE)
+ $(hide) mkdir -p $(dir $@) $(PRODUCT_OUT)/appcompat $(dir $(PRIVATE_LIST_FILE))
+ $(hide) find $(PRODUCT_OUT)/appcompat | sort >$(PRIVATE_LIST_FILE)
+ $(hide) $(SOONG_ZIP) -d -o $@ -C $(PRODUCT_OUT)/appcompat -l $(PRIVATE_LIST_FILE)
+
+
+# -----------------------------------------------------------------
# A zip of the symbols directory. Keep the full paths to make it
# more obvious where these files came from.
#
@@ -3478,6 +3499,7 @@
$(ALL_DEFAULT_INSTALLED_MODULES) \
$(INSTALLED_RAMDISK_TARGET) \
$(ALL_DOCS) \
+ $(TARGET_OUT_COMMON_INTERMEDIATES)/PACKAGING/metalava-api-stubs-docs_annotations.zip \
$(ALL_SDK_FILES)
endif
@@ -3510,6 +3532,7 @@
$(OUT_DOCS)/offline-sdk-timestamp \
$(SYMBOLS_ZIP) \
$(COVERAGE_ZIP) \
+ $(APPCOMPAT_ZIP) \
$(INSTALLED_SYSTEMIMAGE) \
$(INSTALLED_QEMU_SYSTEMIMAGE) \
$(INSTALLED_QEMU_VENDORIMAGE) \
diff --git a/core/base_rules.mk b/core/base_rules.mk
index b4cb55b..744740f 100644
--- a/core/base_rules.mk
+++ b/core/base_rules.mk
@@ -356,6 +356,7 @@
## make clean- targets
###########################################################
cleantarget := clean-$(my_register_name)
+.PHONY: $(cleantarget)
$(cleantarget) : PRIVATE_MODULE := $(my_register_name)
$(cleantarget) : PRIVATE_CLEAN_FILES := \
$(LOCAL_BUILT_MODULE) \
diff --git a/core/clear_vars.mk b/core/clear_vars.mk
index 75587bb..e7116a5 100644
--- a/core/clear_vars.mk
+++ b/core/clear_vars.mk
@@ -253,6 +253,7 @@
LOCAL_SOONG_STATIC_LIBRARY_EXTRA_PACKAGES :=
LOCAL_DROIDDOC_STUBS_SRCJAR :=
LOCAL_DROIDDOC_DOC_ZIP :=
+LOCAL_DROIDDOC_ANNOTATIONS_ZIP :=
# '',true
LOCAL_SOURCE_FILES_ALL_GENERATED:=
LOCAL_SRC_FILES:=
diff --git a/core/config.mk b/core/config.mk
index 5ebbd9c..33f1b7b 100644
--- a/core/config.mk
+++ b/core/config.mk
@@ -719,6 +719,7 @@
DEXDUMP := $(HOST_OUT_EXECUTABLES)/dexdump2$(BUILD_EXECUTABLE_SUFFIX)
PROFMAN := $(HOST_OUT_EXECUTABLES)/profman
HIDDENAPI := $(HOST_OUT_EXECUTABLES)/hiddenapi
+CLASS2GREYLIST := $(HOST_OUT_EXECUTABLES)/class2greylist
FINDBUGS_DIR := external/owasp/sanitizer/tools/findbugs/bin
FINDBUGS := $(FINDBUGS_DIR)/findbugs
diff --git a/core/definitions.mk b/core/definitions.mk
index 7108e09..4341c62 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -2866,6 +2866,16 @@
PRIVATE_DEX_INPUTS := $$(PRIVATE_DEX_INPUTS) $(1)
endef
+# Generate a greylist.txt from a classes.jar
+define hiddenapi-generate-greylist-txt
+$(2): $(1) $(CLASS2GREYLIST)
+ $(CLASS2GREYLIST) $(1) > $(2)
+
+$(INTERNAL_PLATFORM_HIDDENAPI_LIGHT_GREYLIST): $(2)
+$(INTERNAL_PLATFORM_HIDDENAPI_LIGHT_GREYLIST): \
+ PRIVATE_GREYLIST_INPUTS := $$(PRIVATE_GREYLIST_INPUTS) $(2)
+endef
+
# File names for intermediate dex files of `hiddenapi-copy-soong-jar`.
hiddenapi-soong-input-dex = $(dir $(1))/hiddenapi/dex-input/classes.dex
hiddenapi-soong-output-dex = $(dir $(1))/hiddenapi/dex-output/classes.dex
diff --git a/core/dex_preopt_libart_boot.mk b/core/dex_preopt_libart_boot.mk
index 977f852..5a68738 100644
--- a/core/dex_preopt_libart_boot.mk
+++ b/core/dex_preopt_libart_boot.mk
@@ -100,7 +100,9 @@
$(PRIVATE_BOOT_IMAGE_FLAGS) \
$(addprefix --dex-file=,$(LIBART_TARGET_BOOT_DEX_FILES)) \
$(addprefix --dex-location=,$(LIBART_TARGET_BOOT_DEX_LOCATIONS)) \
+ --generate-debug-info --generate-build-id \
--oat-symbols=$($(PRIVATE_2ND_ARCH_VAR_PREFIX)LIBART_TARGET_BOOT_OAT_UNSTRIPPED) \
+ --strip \
--oat-file=$(patsubst %.art,%.oat,$@) \
--oat-location=$(patsubst %.art,%.oat,$($(PRIVATE_2ND_ARCH_VAR_PREFIX)LIBART_BOOT_IMAGE_FILENAME)) \
--image=$@ --base=$(LIBART_IMG_TARGET_BASE_ADDRESS) \
@@ -109,7 +111,6 @@
--instruction-set-features=$($(PRIVATE_2ND_ARCH_VAR_PREFIX)DEX2OAT_TARGET_INSTRUCTION_SET_FEATURES) \
--android-root=$(PRODUCT_OUT)/system \
--runtime-arg -Xnorelocate --compile-pic \
- --no-generate-debug-info --generate-build-id \
--multi-image --no-inline-from=core-oj.jar \
--abort-on-hard-verifier-error \
--abort-on-soft-verifier-error \
diff --git a/core/droiddoc.mk b/core/droiddoc.mk
index deaee56..5425e31 100644
--- a/core/droiddoc.mk
+++ b/core/droiddoc.mk
@@ -287,6 +287,7 @@
$(hide) ( F=$$(pwd)/$@ ; cd $(PRIVATE_DOCS_DIR) && zip -rqX $$F * )
$(LOCAL_MODULE)-docs.zip : $(out_zip)
+.PHONY: $(LOCAL_MODULE)-docs.zip
$(call dist-for-goals,docs,$(out_zip))
diff --git a/core/host_java_library.mk b/core/host_java_library.mk
index db24542..2aed61e 100644
--- a/core/host_java_library.mk
+++ b/core/host_java_library.mk
@@ -93,6 +93,7 @@
javac-check : $(full_classes_compiled_jar)
javac-check-$(LOCAL_MODULE) : $(full_classes_compiled_jar)
+.PHONY: javac-check-$(LOCAL_MODULE)
$(full_classes_combined_jar): $(full_classes_compiled_jar) \
$(jar_manifest_file) \
diff --git a/core/java.mk b/core/java.mk
index 78b492d..a094ecd 100644
--- a/core/java.mk
+++ b/core/java.mk
@@ -79,6 +79,7 @@
built_dex_hiddenapi := $(intermediates.COMMON)/dex-hiddenapi/classes.dex
full_classes_stubs_jar := $(intermediates.COMMON)/stubs.jar
java_source_list_file := $(intermediates.COMMON)/java-source-list
+greylist_txt := $(intermediates.COMMON)/greylist.txt
ifeq ($(LOCAL_MODULE_CLASS)$(LOCAL_SRC_FILES)$(LOCAL_STATIC_JAVA_LIBRARIES)$(LOCAL_SOURCE_FILES_ALL_GENERATED),APPS)
@@ -308,6 +309,7 @@
javac-check : $(full_classes_compiled_jar)
javac-check-$(LOCAL_MODULE) : $(full_classes_compiled_jar)
+.PHONY: javac-check-$(LOCAL_MODULE)
$(full_classes_combined_jar): PRIVATE_DONT_DELETE_JAR_META_INF := $(LOCAL_DONT_DELETE_JAR_META_INF)
$(full_classes_combined_jar): $(full_classes_compiled_jar) \
@@ -544,6 +546,13 @@
endif
ifneq ($(filter $(LOCAL_MODULE),$(PRODUCT_BOOT_JARS)),) # is_boot_jar
+ # Derive API greylist from the classes jar.
+ # We use full_classes_proguard_jar here, as that is what is converted to dex
+ # later on. The difference is academic currently, as we don't proguard any
+ # bootclasspath code at the moment. If we were to do that, we should add keep
+ # rules for all members with the @UnsupportedAppUsage annotation.
+ $(eval $(call hiddenapi-generate-greylist-txt,$(full_classes_proguard_jar),$(greylist_txt)))
+ LOCAL_INTERMEDIATE_TARGETS += $(greylist_txt)
$(eval $(call hiddenapi-copy-dex-files,$(built_dex_intermediate),$(built_dex_hiddenapi)))
built_dex_copy_from := $(built_dex_hiddenapi)
else # !is_boot_jar
@@ -576,6 +585,7 @@
findbugs_html := $(PRODUCT_OUT)/findbugs/$(LOCAL_MODULE).html
$(findbugs_html) : PRIVATE_XML_FILE := $(findbugs_xml)
$(LOCAL_MODULE)-findbugs : $(findbugs_html)
+.PHONY: $(LOCAL_MODULE)-findbugs
$(findbugs_html) : $(findbugs_xml)
@mkdir -p $(dir $@)
@echo ConvertXmlToText: $@
diff --git a/core/main.mk b/core/main.mk
index fb845df..a991d88 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -977,6 +977,39 @@
ifdef FULL_BUILD
product_FILES := $(call product-installed-files, $(INTERNAL_PRODUCT))
+
+ # Verify the artifact path requirements made by included products.
+ all_offending_files :=
+ $(foreach makefile,$(ARTIFACT_PATH_REQUIREMENT_PRODUCTS),\
+ $(eval requirements := $(PRODUCTS.$(makefile).ARTIFACT_PATH_REQUIREMENTS)) \
+ $(eval ### Verify that the product only produces files inside its path requirements.) \
+ $(eval whitelist := $(PRODUCTS.$(makefile).ARTIFACT_PATH_WHITELIST)) \
+ $(eval path_patterns := $(call resolve-product-relative-paths,$(requirements),%)) \
+ $(eval whitelist_patterns := $(call resolve-product-relative-paths,$(whitelist))) \
+ $(eval files := $(call product-installed-files, $(makefile))) \
+ $(eval files := $(filter-out $(TARGET_OUT_FAKE)/% $(HOST_OUT)/%,$(files))) \
+ $(eval # RROs become REQUIRED by the source module, but are always placed on the vendor partition.) \
+ $(eval files := $(filter-out %__auto_generated_rro.apk,$(files))) \
+ $(eval offending_files := $(filter-out $(path_patterns) $(whitelist_patterns),$(files))) \
+ $(call maybe-print-list-and-error,$(offending_files),$(makefile) produces files outside its artifact path requirement.) \
+ $(eval unused_whitelist := $(filter-out $(files),$(whitelist_patterns))) \
+ $(call maybe-print-list-and-error,$(unused_whitelist),$(makefile) includes redundant whitelist entries in its artifact path requirement.) \
+ $(eval ### Optionally verify that nothing else produces files inside this artifact path requirement.) \
+ $(eval extra_files := $(filter-out $(files) $(HOST_OUT)/%,$(product_FILES))) \
+ $(eval files_in_requirement := $(filter $(path_patterns),$(extra_files))) \
+ $(eval all_offending_files += $(files_in_requirement)) \
+ $(eval whitelist := $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST)) \
+ $(eval whitelist_patterns := $(call resolve-product-relative-paths,$(whitelist))) \
+ $(eval offending_files := $(filter-out $(whitelist_patterns),$(files_in_requirement))) \
+ $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS),\
+ $(call maybe-print-list-and-error,$(offending_files),$(INTERNAL_PRODUCT) produces files inside $(makefile)s artifact path requirement.) \
+ $(eval unused_whitelist := $(filter-out $(extra_files),$(whitelist_patterns))) \
+ $(call maybe-print-list-and-error,$(unused_whitelist),$(INTERNAL_PRODUCT) includes redundant artifact path requirement whitelist entries.) \
+ ) \
+ )
+$(PRODUCT_OUT)/offending_artifacts.txt:
+ rm -f $@
+ $(foreach f,$(sort $(all_offending_files)),echo $(f) >> $@;)
else
# We're not doing a full build, and are probably only including
# a subset of the module makefiles. Don't try to build any modules
@@ -985,34 +1018,6 @@
product_FILES :=
endif
-# Verify the artifact path requirements made by included products.
-$(foreach makefile,$(ARTIFACT_PATH_REQUIREMENT_PRODUCTS),\
- $(eval requirements := $(PRODUCTS.$(makefile).ARTIFACT_PATH_REQUIREMENTS)) \
- $(eval ### Verify that the product only produces files inside its path requirements.) \
- $(eval whitelist := $(PRODUCTS.$(makefile).ARTIFACT_PATH_WHITELIST)) \
- $(eval path_patterns := $(call resolve-product-relative-paths,$(requirements),%)) \
- $(eval whitelist_patterns := $(call resolve-product-relative-paths,$(whitelist))) \
- $(eval files := $(call product-installed-files, $(makefile))) \
- $(eval files := $(filter-out $(TARGET_OUT_FAKE)/% $(HOST_OUT)/%,$(files))) \
- $(eval # RROs become REQUIRED by the source module, but are always placed on the vendor partition.) \
- $(eval files := $(filter-out %__auto_generated_rro.apk,$(files))) \
- $(eval offending_files := $(filter-out $(path_patterns) $(whitelist_patterns),$(files))) \
- $(call maybe-print-list-and-error,$(offending_files),$(makefile) produces files outside its artifact path requirement.) \
- $(eval unused_whitelist := $(filter-out $(files),$(whitelist_patterns))) \
- $(call maybe-print-list-and-error,$(unused_whitelist),$(makefile) includes redundant whitelist entries in its artifact path requirement.) \
- $(eval ### Optionally verify that nothing else produces files inside this artifact path requirement.) \
- $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS),\
- $(eval extra_files := $(filter-out $(files) $(HOST_OUT)/%,$(product_FILES))) \
- $(eval whitelist := $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST)) \
- $(eval whitelist_patterns := $(call resolve-product-relative-paths,$(whitelist))) \
- $(eval files_in_requirement := $(filter $(path_patterns),$(extra_files))) \
- $(eval offending_files := $(filter-out $(whitelist_patterns),$(files_in_requirement))) \
- $(call maybe-print-list-and-error,$(offending_files),$(INTERNAL_PRODUCT) produces files inside $(makefile)s artifact path requirement.) \
- $(eval unused_whitelist := $(filter-out $(extra_files),$(whitelist_patterns))) \
- $(call maybe-print-list-and-error,$(unused_whitelist),$(INTERNAL_PRODUCT) includes redundant artifact path requirement whitelist entries.) \
- ) \
-)
-
ifeq (0,1)
$(info product_FILES for $(TARGET_DEVICE) ($(INTERNAL_PRODUCT)):)
$(foreach p,$(product_FILES),$(info : $(p)))
@@ -1258,6 +1263,9 @@
$(COVERAGE_ZIP) : $(apps_only_installed_files)
$(call dist-for-goals,apps_only, $(COVERAGE_ZIP))
+ $(APPCOMPAT_ZIP) : $(apps_only_installed_files)
+ $(call dist-for-goals,apps_only, $(APPCOMPAT_ZIP))
+
.PHONY: apps_only
apps_only: $(unbundled_build_modules)
@@ -1279,6 +1287,7 @@
$(BUILT_OTATOOLS_PACKAGE) \
$(SYMBOLS_ZIP) \
$(COVERAGE_ZIP) \
+ $(APPCOMPAT_ZIP) \
$(INSTALLED_FILES_FILE) \
$(INSTALLED_FILES_JSON) \
$(INSTALLED_FILES_FILE_VENDOR) \
@@ -1346,13 +1355,15 @@
$(ALL_SDK_TARGETS) \
$(SYMBOLS_ZIP) \
$(COVERAGE_ZIP) \
+ $(APPCOMPAT_ZIP) \
$(INSTALLED_BUILD_PROP_TARGET) \
)
# umbrella targets to assit engineers in verifying builds
.PHONY: java native target host java-host java-target native-host native-target \
java-host-tests java-target-tests native-host-tests native-target-tests \
- java-tests native-tests host-tests target-tests tests java-dex
+ java-tests native-tests host-tests target-tests tests java-dex \
+ native-host-cross
# some synonyms
.PHONY: host-java target-java host-native target-native \
target-java-tests target-native-tests
diff --git a/core/product-graph.mk b/core/product-graph.mk
index 51985df..696aabf 100644
--- a/core/product-graph.mk
+++ b/core/product-graph.mk
@@ -145,3 +145,4 @@
dot -Tsvg -Nshape=box -o $@ $<
product-graph: $(products_pdf) $(products_svg)
+.PHONY: product-graph
diff --git a/core/soong_java_prebuilt.mk b/core/soong_java_prebuilt.mk
index ef71107..44b4f5c 100644
--- a/core/soong_java_prebuilt.mk
+++ b/core/soong_java_prebuilt.mk
@@ -19,6 +19,7 @@
full_classes_pre_proguard_jar := $(intermediates.COMMON)/classes-pre-proguard.jar
full_classes_header_jar := $(intermediates.COMMON)/classes-header.jar
common_javalib.jar := $(intermediates.COMMON)/javalib.jar
+greylist_txt := $(intermediates.COMMON)/greylist.txt
$(eval $(call copy-one-file,$(LOCAL_PREBUILT_MODULE_FILE),$(full_classes_jar)))
$(eval $(call copy-one-file,$(LOCAL_PREBUILT_MODULE_FILE),$(full_classes_pre_proguard_jar)))
@@ -33,6 +34,10 @@
$(call dist-for-goals,docs,$(OUT_DOCS)/$(LOCAL_MODULE)-docs.zip)
endif
+ifdef LOCAL_DROIDDOC_ANNOTATIONS_ZIP
+$(eval $(call copy-one-file,$(LOCAL_DROIDDOC_ANNOTATIONS_ZIP),$(TARGET_OUT_COMMON_INTERMEDIATES)/PACKAGING/$(LOCAL_MODULE)_annotations.zip))
+endif
+
ifdef LOCAL_SOONG_JACOCO_REPORT_CLASSES_JAR
$(eval $(call copy-one-file,$(LOCAL_SOONG_JACOCO_REPORT_CLASSES_JAR),\
$(intermediates.COMMON)/jacoco-report-classes.jar))
@@ -82,6 +87,11 @@
ifneq ($(LOCAL_UNINSTALLABLE_MODULE),true)
ifndef LOCAL_IS_HOST_MODULE
ifneq ($(filter $(LOCAL_MODULE),$(PRODUCT_BOOT_JARS)),) # is_boot_jar
+ # Derive greylist from classes.jar.
+ # We use full_classes_jar here, which is the post-proguard jar (on the basis that we also
+ # have a full_classes_pre_proguard_jar). This is consistent with the equivalent code in
+ # java.mk.
+ $(eval $(call hiddenapi-generate-greylist-txt,$(full_classes_jar),$(greylist_txt)))
$(eval $(call hiddenapi-copy-soong-jar,$(LOCAL_SOONG_DEX_JAR),$(common_javalib.jar)))
else # !is_boot_jar
$(eval $(call copy-one-file,$(LOCAL_SOONG_DEX_JAR),$(common_javalib.jar)))
@@ -131,6 +141,7 @@
javac-check : $(full_classes_jar)
javac-check-$(LOCAL_MODULE) : $(full_classes_jar)
+.PHONY: javac-check-$(LOCAL_MODULE)
ifndef LOCAL_IS_HOST_MODULE
ifeq ($(LOCAL_SDK_VERSION),system_current)
diff --git a/core/tasks/vndk.mk b/core/tasks/vndk.mk
index ba48df7..1bde7a6 100644
--- a/core/tasks/vndk.mk
+++ b/core/tasks/vndk.mk
@@ -145,8 +145,10 @@
# vndk_snapshot_zip
vndk_snapshot_variant := $(vndk_snapshot_out)/$(TARGET_ARCH)
binder :=
-ifneq ($(TARGET_USES_64_BIT_BINDER), true)
- binder := binder32
+ifneq ($(TARGET_IS_64_BIT), true)
+ ifneq ($(TARGET_USES_64_BIT_BINDER), true)
+ binder := binder32
+ endif
endif
vndk_lib_dir := $(subst $(space),/,$(strip $(vndk_snapshot_variant) $(binder) arch-$(TARGET_ARCH)-$(TARGET_ARCH_VARIANT)))
vndk_lib_dir_2nd := $(subst $(space),/,$(strip $(vndk_snapshot_variant) $(binder) arch-$(TARGET_2ND_ARCH)-$(TARGET_2ND_ARCH_VARIANT)))
diff --git a/tools/releasetools/add_img_to_target_files.py b/tools/releasetools/add_img_to_target_files.py
index 235883a..6a97182 100755
--- a/tools/releasetools/add_img_to_target_files.py
+++ b/tools/releasetools/add_img_to_target_files.py
@@ -373,22 +373,9 @@
# Check if chain partition is used.
key_path = OPTIONS.info_dict.get("avb_" + partition + "_key_path")
if key_path:
- # extract public key in AVB format to be included in vbmeta.img
- avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"]
- pubkey_path = common.MakeTempFile(prefix="avb-", suffix=".pubkey")
- proc = common.Run(
- [avbtool, "extract_public_key", "--key", key_path, "--output",
- pubkey_path],
- stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
- stdoutdata, _ = proc.communicate()
- assert proc.returncode == 0, \
- "Failed to extract pubkey for {}:\n{}".format(
- partition, stdoutdata)
-
- rollback_index_location = OPTIONS.info_dict[
- "avb_" + partition + "_rollback_index_location"]
- cmd.extend(["--chain_partition", "%s:%s:%s" % (
- partition, rollback_index_location, pubkey_path)])
+ chained_partition_arg = common.GetAvbChainedPartitionArg(
+ partition, OPTIONS.info_dict)
+ cmd.extend(["--chain_partition", chained_partition_arg])
else:
cmd.extend(["--include_descriptors_from_image", image])
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 5b5e6ed..c10e57c 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -371,6 +371,40 @@
cmd.extend(["--salt", avb_salt])
+def GetAvbChainedPartitionArg(partition, info_dict, key=None):
+ """Constructs and returns the arg to build or verify a chained partition.
+
+ Args:
+ partition: The partition name.
+ info_dict: The info dict to look up the key info and rollback index
+ location.
+ key: The key to be used for building or verifying the partition. Defaults to
+ the key listed in info_dict.
+
+ Returns:
+ A string of form "partition:rollback_index_location:key" that can be used to
+ build or verify vbmeta image.
+
+ Raises:
+ AssertionError: When it fails to extract the public key with avbtool.
+ """
+ if key is None:
+ key = info_dict["avb_" + partition + "_key_path"]
+ avbtool = os.getenv('AVBTOOL') or info_dict["avb_avbtool"]
+ pubkey_path = MakeTempFile(prefix="avb-", suffix=".pubkey")
+ proc = Run(
+ [avbtool, "extract_public_key", "--key", key, "--output", pubkey_path],
+ stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+ stdoutdata, _ = proc.communicate()
+ assert proc.returncode == 0, \
+ "Failed to extract pubkey for {}:\n{}".format(
+ partition, stdoutdata)
+
+ rollback_index_location = info_dict[
+ "avb_" + partition + "_rollback_index_location"]
+ return "{}:{}:{}".format(partition, rollback_index_location, pubkey_path)
+
+
def _BuildBootableImage(sourcedir, fs_config_file, info_dict=None,
has_ramdisk=False, two_step_image=False):
"""Build a bootable image from the specified sourcedir.
diff --git a/tools/releasetools/test_common.py b/tools/releasetools/test_common.py
index 1c75d19..2a28db4 100644
--- a/tools/releasetools/test_common.py
+++ b/tools/releasetools/test_common.py
@@ -524,6 +524,9 @@
class CommonUtilsTest(unittest.TestCase):
+ def setUp(self):
+ self.testdata_dir = test_utils.get_testdata_dir()
+
def tearDown(self):
common.Cleanup()
@@ -730,6 +733,56 @@
AssertionError, common.GetSparseImage, 'system', tempdir, input_zip,
False)
+ def test_GetAvbChainedPartitionArg(self):
+ pubkey = os.path.join(self.testdata_dir, 'testkey.pubkey.pem')
+ info_dict = {
+ 'avb_avbtool': 'avbtool',
+ 'avb_system_key_path': pubkey,
+ 'avb_system_rollback_index_location': 2,
+ }
+ args = common.GetAvbChainedPartitionArg('system', info_dict).split(':')
+ self.assertEqual(3, len(args))
+ self.assertEqual('system', args[0])
+ self.assertEqual('2', args[1])
+ self.assertTrue(os.path.exists(args[2]))
+
+ def test_GetAvbChainedPartitionArg_withPrivateKey(self):
+ key = os.path.join(self.testdata_dir, 'testkey.key')
+ info_dict = {
+ 'avb_avbtool': 'avbtool',
+ 'avb_product_key_path': key,
+ 'avb_product_rollback_index_location': 2,
+ }
+ args = common.GetAvbChainedPartitionArg('product', info_dict).split(':')
+ self.assertEqual(3, len(args))
+ self.assertEqual('product', args[0])
+ self.assertEqual('2', args[1])
+ self.assertTrue(os.path.exists(args[2]))
+
+ def test_GetAvbChainedPartitionArg_withSpecifiedKey(self):
+ info_dict = {
+ 'avb_avbtool': 'avbtool',
+ 'avb_system_key_path': 'does-not-exist',
+ 'avb_system_rollback_index_location': 2,
+ }
+ pubkey = os.path.join(self.testdata_dir, 'testkey.pubkey.pem')
+ args = common.GetAvbChainedPartitionArg(
+ 'system', info_dict, pubkey).split(':')
+ self.assertEqual(3, len(args))
+ self.assertEqual('system', args[0])
+ self.assertEqual('2', args[1])
+ self.assertTrue(os.path.exists(args[2]))
+
+ def test_GetAvbChainedPartitionArg_invalidKey(self):
+ pubkey = os.path.join(self.testdata_dir, 'testkey_with_passwd.x509.pem')
+ info_dict = {
+ 'avb_avbtool': 'avbtool',
+ 'avb_system_key_path': pubkey,
+ 'avb_system_rollback_index_location': 2,
+ }
+ self.assertRaises(
+ AssertionError, common.GetAvbChainedPartitionArg, 'system', info_dict)
+
class InstallRecoveryScriptFormatTest(unittest.TestCase):
"""Checks the format of install-recovery.sh.
diff --git a/tools/releasetools/testdata/testkey.key b/tools/releasetools/testdata/testkey.key
new file mode 100644
index 0000000..3a84607
--- /dev/null
+++ b/tools/releasetools/testdata/testkey.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC+O/I7YvBaCZA3
+KrvP7ErTh6DS3cAvjLY2GkAA7NWcXIICsVwWMtMZAMO+Rtk/o3XY7r53Amg8ue2e
+b0D5Wc8gUVEeDQdRZJscz5CTwmC/b/YBWQBSPknWv23hf7ZYjR5HMk/XlmOfrylA
+oaZzJyKvLSBu+Zi9cvZlSZObnoOYR8JQJEhjYgYn8JwycV4i1VTQvEqxXkyW3kE7
+RW/8JXgRqI4vDIKehm5SFi2jt0eU7/ju/8f3OGQkLng4DV2QPfwQ+A7kad+EYVI1
+dBGYkNNesWB3o75A7jJQ1fyVg/XQzOKZSki1lrTm3rw0AOrBiXdPudbO+4L2vgip
+kPI9/bVNAgMBAAECggEABGjBSY0Wgw+7rvunlL8mUNbQ7HJFVRTO2FwtZZgXr2MZ
+hFR2DPGqoOa6ortjp6zzO071TS7aGaY5krWDbQQe3+Hinm6w37sUOUu6TyJvOaCv
+tAJLFpzo+zg+pL5gDJdgv0e0QAv1TSszKpNUl1Ct5h+Go+vXFXUHrvtQl4fKBwqA
+efxcd3R4z3p/3Cl2ZYIRz9I7UXUZZYwJE7bDNDz3aFZ1jUoELGmhe1O5w0hJY1q6
+PxuOM9bL60yDn0vu0eiCjaPlHeHyGe9pQ1aQLEuwQz9zpWC01dWPVkLmny7HDygC
+VBsdg8MNlzJQ1WV2en11BH72IqZ59U8pD0xEB7a4BQKBgQDxenfXyYZw4AKcaJlP
+ncJmsx/wcgEvWNxiI4etArXES4VIyP2OlSw+q9JbOOpaSk8TJP5PNfUkgTbC4B2y
+gh/AobJP5b7Wn5LrsHc3GY6CzF1i8T4xXQRxnaKWE86SOmZQlEmyCnpyCmfFVuaR
+E8p8CPW/gQLhpxSlQdGZ0bYLiwKBgQDJrJRDdyaI/Isusog/OwKHVGBU6CmRa5tM
+gx+GIlxheqhuDqnBkr0h1kL20Zi80JeG7vKWr+dwfqkEarfdTe+juwlIuQ3MEuXL
+AbsKNuaU1naOqOLm9rjZgRtR7oNLVH5AbkKMaJz1zM6YiMl54FEDX7ZVY8b6q1Kz
+YXT3sGi9hwKBgBsNa0ujagpPLjuzhCllNRgoTRW0z+kr/VSJQnPhb9eT1lS3H6DP
+mWtT+Hb7w1VmKcGtTUg2dUYnq6jdTrZm2YPNGZrV1DFbIyyAUnq7xDlnB7dD64HA
+N/U6gbJqeaPsIvY4BqGJhvorrEBxYdcy7mZC4rUXkOkSvL9exkqDMe/NAoGARaHU
+v0aQg5PO6pyx9kMFqHw1lptiXtdsk4pihAmxI+cZ6IYfjrp/mwNDs7zCo87RwsEV
++Xlay7iv2tqOCVczerDFj9p1LRUJSoKadfhmvNUfsjoVvfFJ+a9eI3fa1VOjE9P+
+HkSwjR3d50Sza+VLk4Kkje8ZcMtejpkDrdG3GFkCgYBXHqciwlFn5nMPFRe8v426
+6YBiUtzCQCZxDtMeeZYCJslFfjrqPXNUcU/flxWwaikjFsLJEtl7aT3Hpdi5I7T8
+yCYkUWqAAh7twEYTOeG6v/tEa/PmsBjZXPD2zkCp76EQmv3gbvsH4F/nA55gT/GR
+2in6XS/4rHBvjn5gF6MFyg==
+-----END PRIVATE KEY-----
diff --git a/tools/releasetools/validate_target_files.py b/tools/releasetools/validate_target_files.py
index 4e40b86..09f800f 100755
--- a/tools/releasetools/validate_target_files.py
+++ b/tools/releasetools/validate_target_files.py
@@ -315,9 +315,19 @@
key = options['verity_key']
if key is None:
key = info_dict['avb_vbmeta_key_path']
+
# avbtool verifies all the images that have descriptors listed in vbmeta.
image = os.path.join(input_tmp, 'IMAGES', 'vbmeta.img')
cmd = ['avbtool', 'verify_image', '--image', image, '--key', key]
+
+ # Append the args for chained partitions if any.
+ for partition in common.AVB_PARTITIONS:
+ key_name = 'avb_' + partition + '_key_path'
+ if info_dict.get(key_name) is not None:
+ chained_partition_arg = common.GetAvbChainedPartitionArg(
+ partition, info_dict, options[key_name])
+ cmd.extend(["--expected_chain_partition", chained_partition_arg])
+
proc = common.Run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
stdoutdata, _ = proc.communicate()
assert proc.returncode == 0, \
@@ -339,8 +349,13 @@
parser.add_argument(
'--verity_key',
help='the verity public key to verify the bootable images (Verified '
- 'Boot 1.0), or the vbmeta image (Verified Boot 2.0), where '
+ 'Boot 1.0), or the vbmeta image (Verified Boot 2.0, aka AVB), where '
'applicable')
+ for partition in common.AVB_PARTITIONS:
+ parser.add_argument(
+ '--avb_' + partition + '_key_path',
+ help='the public or private key in PEM format to verify AVB chained '
+ 'partition of {}'.format(partition))
parser.add_argument(
'--verity_key_mincrypt',
help='the verity public key in mincrypt format to verify the system '