Merge "Adding Android verified boot 1.0 metadata into ENG builds"
diff --git a/core/Makefile b/core/Makefile
index 4959e0e..c913553 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -997,6 +997,7 @@
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(notdir $(VERITY_SIGNER))" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY_FEC),$(hide) echo "verity_fec=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY_FEC)" >> $(1))
+$(if $(filter eng, $(TARGET_BUILD_VARIANT)),$(hide) echo "verity_disable=true" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION),$(hide) echo "system_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION),$(hide) echo "vendor_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)" >> $(1))
diff --git a/core/tasks/tools/build_custom_image.mk b/core/tasks/tools/build_custom_image.mk
index 370934b..7c38546 100644
--- a/core/tasks/tools/build_custom_image.mk
+++ b/core/tasks/tools/build_custom_image.mk
@@ -135,6 +135,7 @@
echo "verity_block_device=$(PRIVATE_VERITY_BLOCK_DEVICE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
$(if $(PRIVATE_SUPPORT_VERITY_FEC),\
$(hide) echo "verity_fec=$(PRIVATE_SUPPORT_VERITY_FEC)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
+ $(if $(filter eng, $(TARGET_BUILD_VARIANT)),$(hide) echo "verity_disable=true" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
$(hide) echo "avb_avbtool=$(PRIVATE_AVB_AVBTOOL)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
$(if $(PRIVATE_AVB_KEY_PATH),\
$(hide) echo "avb_key_path=$(PRIVATE_AVB_KEY_PATH)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
diff --git a/target/product/verity.mk b/target/product/verity.mk
index 0badb9f..d954159 100644
--- a/target/product/verity.mk
+++ b/target/product/verity.mk
@@ -14,20 +14,16 @@
# limitations under the License.
#
-# Provides dependencies necessary for verified boot (only for user and
-# userdebug builds)
+# Provides dependencies necessary for verified boot.
-user_variant := $(filter user userdebug,$(TARGET_BUILD_VARIANT))
-ifneq (,$(user_variant))
- PRODUCT_SUPPORTS_BOOT_SIGNER := true
- PRODUCT_SUPPORTS_VERITY := true
- PRODUCT_SUPPORTS_VERITY_FEC := true
+PRODUCT_SUPPORTS_BOOT_SIGNER := true
+PRODUCT_SUPPORTS_VERITY := true
+PRODUCT_SUPPORTS_VERITY_FEC := true
- # The dev key is used to sign boot and recovery images, and the verity
- # metadata table. Actual product deliverables will be re-signed by hand.
- # We expect this file to exist with the suffixes ".x509.pem" and ".pk8".
- PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity
+# The dev key is used to sign boot and recovery images, and the verity
+# metadata table. Actual product deliverables will be re-signed by hand.
+# We expect this file to exist with the suffixes ".x509.pem" and ".pk8".
+PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity
- PRODUCT_PACKAGES += \
- verity_key
-endif
+PRODUCT_PACKAGES += \
+ verity_key
diff --git a/tools/releasetools/build_image.py b/tools/releasetools/build_image.py
index 94626d7..816cf4e 100755
--- a/tools/releasetools/build_image.py
+++ b/tools/releasetools/build_image.py
@@ -225,12 +225,15 @@
return True
def BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt,
- block_device, signer_path, key, signer_args):
+ block_device, signer_path, key, signer_args,
+ verity_disable):
cmd = ["system/extras/verity/build_verity_metadata.py", "build",
str(image_size), verity_metadata_path, root_hash, salt, block_device,
signer_path, key]
if signer_args:
cmd.append("--signer_args=\"%s\"" % (' '.join(signer_args),))
+ if verity_disable:
+ cmd.append("--verity_disable")
output, exit_code = RunCommand(cmd)
if exit_code != 0:
print "Could not build verity metadata! Error: %s" % output
@@ -334,8 +337,10 @@
# build the metadata blocks
root_hash = prop_dict["verity_root_hash"]
salt = prop_dict["verity_salt"]
+ verity_disable = "verity_disable" in prop_dict
if not BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt,
- block_dev, signer_path, signer_key, signer_args):
+ block_dev, signer_path, signer_key, signer_args,
+ verity_disable):
shutil.rmtree(tempdir_name, ignore_errors=True)
return False
@@ -644,6 +649,7 @@
"verity_key",
"verity_signer_cmd",
"verity_fec",
+ "verity_disable",
"avb_enable",
"avb_avbtool",
"avb_salt",