Make Security_patch an `android_filesystem` property
Make-built partitions use partition specific security_patches for
build_image, but Soong-built partitions currently use the platform
security patch for all partitions (including vendor,odm,...). This CL
introduces a `Security_patch` property to set this value explicity. The
name and description have been copied from `bootimg`.
This CL also updates `fsgen` to set this property on the autogenerated
partitions. The logic has been copied from `build/make/core/Makefile`.
It is currently missing `boot` and `init_boot` (I have not tested
bit-identical for those partitions yet).
Bug: 383357338
Test: lunch aosp_cf_x86_64_phone-trunk_staging-userdebug
Setup
- export COPY_IMAGES_FOR_TARGET_FILES_ZIP=true
- export BUILD_DATETIME=10
- commented out installed_*_notice_xml_gz in build/make/core/Makefile
Test: verified that the following .img files are bit identical in top of
CL stack
odm,system_dlkm,vendor_dlkm,odm_dlkm
Change-Id: I9ae9bf957ffd479c57f12a49864589d285d93a71
diff --git a/android/variable.go b/android/variable.go
index 69e0337..3cf66ea 100644
--- a/android/variable.go
+++ b/android/variable.go
@@ -617,7 +617,11 @@
ProductUseDynamicPartitionSize bool `json:",omitempty"`
CopyImagesForTargetFilesZip bool `json:",omitempty"`
- VendorSecurityPatch string `json:",omitempty"`
+ VendorSecurityPatch string `json:",omitempty"`
+ OdmSecurityPatch string `json:",omitempty"`
+ SystemDlkmSecurityPatch string `json:",omitempty"`
+ VendorDlkmSecurityPatch string `json:",omitempty"`
+ OdmDlkmSecurityPatch string `json:",omitempty"`
// Boot image stuff
BuildingRamdiskImage bool `json:",omitempty"`
diff --git a/filesystem/filesystem.go b/filesystem/filesystem.go
index eea54a9..4b4dc40 100644
--- a/filesystem/filesystem.go
+++ b/filesystem/filesystem.go
@@ -121,6 +121,9 @@
// avbtool. Default used by avbtool is sha1.
Avb_hash_algorithm *string
+ // The security patch passed to as the com.android.build.<type>.security_patch avb property.
+ Security_patch *string
+
// Whether or not to use forward-error-correction codes when signing with AVB. Defaults to true.
Use_fec *bool
@@ -685,7 +688,9 @@
}
avb_add_hashtree_footer_args += fmt.Sprintf(" --prop com.android.build.%s.os_version:%s", f.partitionName(), ctx.Config().PlatformVersionLastStable())
avb_add_hashtree_footer_args += fmt.Sprintf(" --prop com.android.build.%s.fingerprint:{CONTENTS_OF:%s}", f.partitionName(), ctx.Config().BuildFingerprintFile(ctx))
- avb_add_hashtree_footer_args += fmt.Sprintf(" --prop com.android.build.%s.security_patch:%s", f.partitionName(), ctx.Config().PlatformSecurityPatch())
+ if f.properties.Security_patch != nil && proptools.String(f.properties.Security_patch) != "" {
+ avb_add_hashtree_footer_args += fmt.Sprintf(" --prop com.android.build.%s.security_patch:%s", f.partitionName(), proptools.String(f.properties.Security_patch))
+ }
addStr("avb_add_hashtree_footer_args", avb_add_hashtree_footer_args)
}
diff --git a/fsgen/filesystem_creator.go b/fsgen/filesystem_creator.go
index 2dc5077..918e7d0 100644
--- a/fsgen/filesystem_creator.go
+++ b/fsgen/filesystem_creator.go
@@ -266,6 +266,7 @@
)
fsProps.Base_dir = proptools.StringPtr("system")
fsProps.Dirs = proptools.NewSimpleConfigurable(commonPartitionDirs)
+ fsProps.Security_patch = proptools.StringPtr(ctx.Config().PlatformSecurityPatch())
case "system_ext":
if partitionVars.ProductFsverityGenerateMetadata {
fsProps.Fsverity.Inputs = []string{
@@ -275,12 +276,14 @@
}
fsProps.Fsverity.Libs = []string{":framework-res{.export-package.apk}"}
}
+ fsProps.Security_patch = proptools.StringPtr(ctx.Config().PlatformSecurityPatch())
case "product":
fsProps.Gen_aconfig_flags_pb = proptools.BoolPtr(true)
fsProps.Android_filesystem_deps.System = proptools.StringPtr(generatedModuleNameForPartition(ctx.Config(), "system"))
if ctx.DeviceConfig().SystemExtPath() == "system_ext" {
fsProps.Android_filesystem_deps.System_ext = proptools.StringPtr(generatedModuleNameForPartition(ctx.Config(), "system_ext"))
}
+ fsProps.Security_patch = proptools.StringPtr(ctx.Config().PlatformSecurityPatch())
case "vendor":
fsProps.Gen_aconfig_flags_pb = proptools.BoolPtr(true)
fsProps.Symlinks = []filesystem.SymlinkDefinition{
@@ -297,6 +300,7 @@
if ctx.DeviceConfig().SystemExtPath() == "system_ext" {
fsProps.Android_filesystem_deps.System_ext = proptools.StringPtr(generatedModuleNameForPartition(ctx.Config(), "system_ext"))
}
+ fsProps.Security_patch = proptools.StringPtr(partitionVars.VendorSecurityPatch)
case "odm":
fsProps.Symlinks = []filesystem.SymlinkDefinition{
filesystem.SymlinkDefinition{
@@ -304,6 +308,7 @@
Name: proptools.StringPtr("lib/modules"),
},
}
+ fsProps.Security_patch = proptools.StringPtr(partitionVars.OdmSecurityPatch)
case "userdata":
fsProps.Base_dir = proptools.StringPtr("data")
case "ramdisk":
@@ -358,6 +363,12 @@
Target: proptools.StringPtr("prop.default"),
Name: proptools.StringPtr("default.prop"),
}), "root")
+ case "system_dlkm":
+ fsProps.Security_patch = proptools.StringPtr(partitionVars.SystemDlkmSecurityPatch)
+ case "vendor_dlkm":
+ fsProps.Security_patch = proptools.StringPtr(partitionVars.VendorDlkmSecurityPatch)
+ case "odm_dlkm":
+ fsProps.Security_patch = proptools.StringPtr(partitionVars.OdmDlkmSecurityPatch)
}
}