Updating Security String to 2017-01-05 on nyc-dev
am: 190129bc61
Change-Id: I806b3dfebb6dc08059313b979a435684341a759c
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 3c8d6ce..a97c71a 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -374,6 +374,10 @@
# $(PRODUCT_OUT)/recovery/root/sdcard goes from symlink to folder.
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/sdcard)
+# Add BOARD_USES_SYSTEM_OTHER_ODEX
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/app/*)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/priv-app/*)
+
# ************************************************
# NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST
# ************************************************
diff --git a/core/Makefile b/core/Makefile
index d804c37..2031132 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -499,11 +499,6 @@
INTERNAL_BOOTIMAGE_FILES := $(filter-out --%,$(INTERNAL_BOOTIMAGE_ARGS))
-BOARD_KERNEL_CMDLINE := $(strip $(BOARD_KERNEL_CMDLINE))
-ifdef BOARD_KERNEL_CMDLINE
- INTERNAL_BOOTIMAGE_ARGS += --cmdline "$(BOARD_KERNEL_CMDLINE)"
-endif
-
BOARD_KERNEL_BASE := $(strip $(BOARD_KERNEL_BASE))
ifdef BOARD_KERNEL_BASE
INTERNAL_BOOTIMAGE_ARGS += --base $(BOARD_KERNEL_BASE)
@@ -514,6 +509,18 @@
INTERNAL_BOOTIMAGE_ARGS += --pagesize $(BOARD_KERNEL_PAGESIZE)
endif
+ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true)
+ifeq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true)
+VERITY_KEYID := veritykeyid=id:`openssl x509 -in $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem -text \
+ | grep keyid | sed 's/://g' | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]' | sed 's/keyid//g'`
+endif
+endif
+
+BOARD_KERNEL_CMDLINE := $(strip $(BOARD_KERNEL_CMDLINE) buildvariant=$(TARGET_BUILD_VARIANT) $(VERITY_KEYID))
+ifdef BOARD_KERNEL_CMDLINE
+INTERNAL_BOOTIMAGE_ARGS += --cmdline "$(BOARD_KERNEL_CMDLINE)"
+endif
+
INTERNAL_MKBOOTIMG_VERSION_ARGS := \
--os_version $(PLATFORM_VERSION) \
--os_patch_level $(PLATFORM_SECURITY_PATCH)
@@ -708,6 +715,10 @@
$(hide) rm -f $@
$(hide) mkdir -p $(dir $@)
$(hide) openssl x509 -pubkey -noout -in $< > $@
+
+ALL_DEFAULT_INSTALLED_MODULES += $(TARGET_RECOVERY_ROOT_OUT)/etc/update_engine/update-payload-key.pub.pem
+$(TARGET_RECOVERY_ROOT_OUT)/etc/update_engine/update-payload-key.pub.pem: $(TARGET_OUT_ETC)/update_engine/update-payload-key.pub.pem
+ $(hide) cp -f $< $@
endif
endif
@@ -785,6 +796,7 @@
$(if $(BOARD_HAS_EXT4_RESERVED_BLOCKS),$(hide) echo "has_ext4_reserved_blocks=$(BOARD_HAS_EXT4_RESERVED_BLOCKS)" >> $(1))
$(if $(BOARD_SYSTEMIMAGE_SQUASHFS_COMPRESSOR),$(hide) echo "system_squashfs_compressor=$(BOARD_SYSTEMIMAGE_SQUASHFS_COMPRESSOR)" >> $(1))
$(if $(BOARD_SYSTEMIMAGE_SQUASHFS_COMPRESSOR_OPT),$(hide) echo "system_squashfs_compressor_opt=$(BOARD_SYSTEMIMAGE_SQUASHFS_COMPRESSOR_OPT)" >> $(1))
+$(if $(BOARD_SYSTEMIMAGE_SQUASHFS_BLOCK_SIZE),$(hide) echo "system_squashfs_block_size=$(BOARD_SYSTEMIMAGE_SQUASHFS_BLOCK_SIZE)" >> $(1))
$(if $(BOARD_SYSTEMIMAGE_SQUASHFS_DISABLE_4K_ALIGN),$(hide) echo "system_squashfs_disable_4k_align=$(BOARD_SYSTEMIMAGE_SQUASHFS_DISABLE_4K_ALIGN)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_BASE_FS_PATH),$(hide) echo "system_base_fs_file=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_BASE_FS_PATH)" >> $(1))
$(if $(BOARD_USERDATAIMAGE_FILE_SYSTEM_TYPE),$(hide) echo "userdata_fs_type=$(BOARD_USERDATAIMAGE_FILE_SYSTEM_TYPE)" >> $(1))
@@ -796,6 +808,7 @@
$(if $(BOARD_VENDORIMAGE_JOURNAL_SIZE),$(hide) echo "vendor_journal_size=$(BOARD_VENDORIMAGE_JOURNAL_SIZE)" >> $(1))
$(if $(BOARD_VENDORIMAGE_SQUASHFS_COMPRESSOR),$(hide) echo "vendor_squashfs_compressor=$(BOARD_VENDORIMAGE_SQUASHFS_COMPRESSOR)" >> $(1))
$(if $(BOARD_VENDORIMAGE_SQUASHFS_COMPRESSOR_OPT),$(hide) echo "vendor_squashfs_compressor_opt=$(BOARD_VENDORIMAGE_SQUASHFS_COMPRESSOR_OPT)" >> $(1))
+$(if $(BOARD_VENDORIMAGE_SQUASHFS_BLOCK_SIZE),$(hide) echo "vendor_squashfs_block_size=$(BOARD_VENDORIMAGE_SQUASHFS_BLOCK_SIZE)" >> $(1))
$(if $(BOARD_VENDORIMAGE_SQUASHFS_DISABLE_4K_ALIGN),$(hide) echo "vendor_squashfs_disable_4k_align=$(BOARD_VENDORIMAGE_SQUASHFS_DISABLE_4K_ALIGN)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_BASE_FS_PATH),$(hide) echo "vendor_base_fs_file=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_BASE_FS_PATH)" >> $(1))
$(if $(BOARD_OEMIMAGE_PARTITION_SIZE),$(hide) echo "oem_size=$(BOARD_OEMIMAGE_PARTITION_SIZE)" >> $(1))
@@ -876,6 +889,11 @@
else
recovery_fstab := $(strip $(wildcard $(TARGET_DEVICE_DIR)/recovery.fstab))
endif
+ifdef TARGET_RECOVERY_WIPE
+recovery_wipe := $(TARGET_RECOVERY_WIPE)
+else
+recovery_wipe :=
+endif
# Prior to A/B update, we used to have:
# boot.img + recovery-from-boot.p + recovery-resource.dat = recovery.img.
@@ -946,7 +964,7 @@
$(hide) mkdir -p $(TARGET_RECOVERY_OUT)
$(hide) mkdir -p $(TARGET_RECOVERY_ROOT_OUT)/etc $(TARGET_RECOVERY_ROOT_OUT)/sdcard $(TARGET_RECOVERY_ROOT_OUT)/tmp
@echo Copying baseline ramdisk...
- $(hide) rsync -a --exclude=etc --exclude=sdcard $(TARGET_ROOT_OUT) $(TARGET_RECOVERY_OUT) # "cp -Rf" fails to overwrite broken symlinks on Mac.
+ $(hide) rsync -a --exclude=etc --exclude=sdcard $(IGNORE_CACHE_LINK) $(TARGET_ROOT_OUT) $(TARGET_RECOVERY_OUT) # "cp -Rf" fails to overwrite broken symlinks on Mac.
@echo Modifying ramdisk contents...
$(hide) rm -f $(TARGET_RECOVERY_ROOT_OUT)/init*.rc
$(hide) cp -f $(recovery_initrc) $(TARGET_RECOVERY_ROOT_OUT)/
@@ -961,9 +979,12 @@
cp -rf $(item) $(TARGET_RECOVERY_ROOT_OUT)/$(newline))
$(hide) $(foreach item,$(recovery_fstab), \
cp -f $(item) $(TARGET_RECOVERY_ROOT_OUT)/etc/recovery.fstab)
+ $(if $(strip $(recovery_wipe)), \
+ $(hide) cp -f $(recovery_wipe) $(TARGET_RECOVERY_ROOT_OUT)/etc/recovery.wipe)
$(hide) cp $(RECOVERY_INSTALL_OTA_KEYS) $(TARGET_RECOVERY_ROOT_OUT)/res/keys
$(hide) cat $(INSTALLED_DEFAULT_PROP_TARGET) $(recovery_build_prop) \
> $(TARGET_RECOVERY_ROOT_OUT)/default.prop
+ $(BOARD_RECOVERY_IMAGE_PREPARE)
$(if $(filter true,$(BOARD_BUILD_SYSTEM_ROOT_IMAGE)), \
$(hide) mkdir -p $(TARGET_RECOVERY_ROOT_OUT)/system_root; \
rm -rf $(TARGET_RECOVERY_ROOT_OUT)/system; \
@@ -973,10 +994,14 @@
$(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1).unsigned, \
$(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1) --id > $(RECOVERYIMAGE_ID_FILE))
$(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_BOOT_SIGNER)),\
- $(BOOT_SIGNER) /recovery $(1) $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem $(1))
+ $(if $(filter true,$(BOARD_USES_RECOVERY_AS_BOOT)),\
+ $(BOOT_SIGNER) /boot $(1) $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem $(1),\
+ $(BOOT_SIGNER) /recovery $(1) $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem $(1)\
+ )\
+ )
$(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)), \
$(VBOOT_SIGNER) $(FUTILITY) $(1).unsigned $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_KEY).vbpubk $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_KEY).vbprivk $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_SUBKEY).vbprivk $(1).keyblock $(1))
- $(if $(filter true,BOARD_USES_RECOVERY_AS_BOOT), \
+ $(if $(filter true,$(BOARD_USES_RECOVERY_AS_BOOT)), \
$(hide) $(call assert-max-image-size,$(1),$(BOARD_BOOTIMAGE_PARTITION_SIZE)), \
$(hide) $(call assert-max-image-size,$(1),$(BOARD_RECOVERYIMAGE_PARTITION_SIZE)))
@echo ----- Made recovery image: $(1) --------
@@ -1079,7 +1104,7 @@
BUILT_SYSTEMIMAGE := $(systemimage_intermediates)/system.img
# Create symlink /system/vendor to /vendor if necessary.
-ifdef BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE
+ifdef BOARD_USES_VENDORIMAGE
define create-system-vendor-symlink
$(hide) if [ -d $(TARGET_OUT)/vendor ] && [ ! -h $(TARGET_OUT)/vendor ]; then \
echo 'Non-symlink $(TARGET_OUT)/vendor detected!' 1>&2; \
@@ -1393,10 +1418,66 @@
cacheimage-nodeps: | $(INTERNAL_USERIMAGES_DEPS)
$(build-cacheimage-target)
+else # BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE
+# we need to ignore the broken cache link when doing the rsync
+IGNORE_CACHE_LINK := --exclude=cache
endif # BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE
# -----------------------------------------------------------------
+# system_other partition image
+ifeq ($(BOARD_USES_SYSTEM_OTHER_ODEX),true)
+BOARD_USES_SYSTEM_OTHER := true
+
+# Marker file to identify that odex files are installed
+INSTALLED_SYSTEM_OTHER_ODEX_MARKER := $(TARGET_OUT_SYSTEM_OTHER)/system-other-odex-marker
+ALL_DEFAULT_INSTALLED_MODULES += $(INSTALLED_SYSTEM_OTHER_ODEX_MARKER)
+$(INSTALLED_SYSTEM_OTHER_ODEX_MARKER):
+ $(hide) touch $@
+endif
+
+ifdef BOARD_USES_SYSTEM_OTHER
+INTERNAL_SYSTEMOTHERIMAGE_FILES := \
+ $(filter $(TARGET_OUT_SYSTEM_OTHER)/%,\
+ $(ALL_DEFAULT_INSTALLED_MODULES)\
+ $(ALL_PDK_FUSION_FILES))
+
+INSTALLED_FILES_FILE_SYSTEMOTHER := $(PRODUCT_OUT)/installed-files-system-other.txt
+$(INSTALLED_FILES_FILE_SYSTEMOTHER) : $(INTERNAL_SYSTEMOTHERIMAGE_FILES)
+ @echo Installed file list: $@
+ @mkdir -p $(dir $@)
+ @rm -f $@
+ $(hide) build/tools/fileslist.py $(TARGET_OUT_SYSTEM_OTHER) > $@
+
+systemotherimage_intermediates := \
+ $(call intermediates-dir-for,PACKAGING,system_other)
+BUILT_SYSTEMOTHERIMAGE_TARGET := $(PRODUCT_OUT)/system_other.img
+
+# Note that we assert the size is SYSTEMIMAGE_PARTITION_SIZE since this is the 'b' system image.
+define build-systemotherimage-target
+ $(call pretty,"Target system_other fs image: $(INSTALLED_SYSTEMOTHERIMAGE_TARGET)")
+ @mkdir -p $(TARGET_OUT_SYSTEM_OTHER)
+ @mkdir -p $(systemotherimage_intermediates) && rm -rf $(systemotherimage_intermediates)/system_other_image_info.txt
+ $(call generate-userimage-prop-dictionary, $(systemotherimage_intermediates)/system_other_image_info.txt, skip_fsck=true)
+ $(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH \
+ ./build/tools/releasetools/build_image.py \
+ $(TARGET_OUT_SYSTEM_OTHER) $(systemotherimage_intermediates)/system_other_image_info.txt $(INSTALLED_SYSTEMOTHERIMAGE_TARGET) $(TARGET_OUT)
+ $(hide) $(call assert-max-image-size,$(INSTALLED_SYSTEMOTHERIMAGE_TARGET),$(BOARD_SYSTEMIMAGE_PARTITION_SIZE))
+endef
+
+# We just build this directly to the install location.
+INSTALLED_SYSTEMOTHERIMAGE_TARGET := $(BUILT_SYSTEMOTHERIMAGE_TARGET)
+$(INSTALLED_SYSTEMOTHERIMAGE_TARGET): $(INTERNAL_USERIMAGES_DEPS) $(INTERNAL_SYSTEMOTHERIMAGE_FILES) $(INSTALLED_FILES_FILE_SYSTEMOTHER)
+ $(build-systemotherimage-target)
+
+.PHONY: systemotherimage-nodeps
+systemotherimage-nodeps: | $(INTERNAL_USERIMAGES_DEPS)
+ $(build-systemotherimage-target)
+
+endif # BOARD_USES_SYSTEM_OTHER
+
+
+# -----------------------------------------------------------------
# vendor partition image
ifdef BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE
INTERNAL_VENDORIMAGE_FILES := \
@@ -1438,7 +1519,10 @@
vendorimage-nodeps: | $(INTERNAL_USERIMAGES_DEPS)
$(build-vendorimage-target)
-endif # BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE
+else ifdef BOARD_PREBUILT_VENDORIMAGE
+INSTALLED_VENDORIMAGE_TARGET := $(PRODUCT_OUT)/vendor.img
+$(eval $(call copy-one-file,$(BOARD_PREBUILT_VENDORIMAGE),$(INSTALLED_VENDORIMAGE_TARGET)))
+endif
# -----------------------------------------------------------------
# bring in the installer image generation defines if necessary
@@ -1627,6 +1711,7 @@
$(INSTALLED_USERDATAIMAGE_TARGET) \
$(INSTALLED_CACHEIMAGE_TARGET) \
$(INSTALLED_VENDORIMAGE_TARGET) \
+ $(INSTALLED_SYSTEMOTHERIMAGE_TARGET) \
$(INSTALLED_ANDROID_INFO_TXT_TARGET) \
$(SELINUX_FC) \
$(APKCERTS_FILE) \
@@ -1700,6 +1785,11 @@
$(hide) $(call package_files-copy-root, \
$(TARGET_OUT_VENDOR),$(zip_root)/VENDOR)
endif
+ifdef INSTALLED_SYSTEMOTHERIMAGE_TARGET
+ @# Contents of the system_other image
+ $(hide) $(call package_files-copy-root, \
+ $(TARGET_OUT_SYSTEM_OTHER),$(zip_root)/SYSTEM_OTHER)
+endif
@# Extra contents of the OTA package
$(hide) mkdir -p $(zip_root)/OTA
$(hide) $(ACP) $(INSTALLED_ANDROID_INFO_TXT_TARGET) $(zip_root)/OTA/
@@ -1798,6 +1888,10 @@
@# If breakpad symbols have been generated, add them to the zip.
$(hide) $(ACP) -r $(TARGET_OUT_BREAKPAD) $(zip_root)/BREAKPAD
endif
+ifdef BOARD_PREBUILT_VENDORIMAGE
+ $(hide) mkdir -p $(zip_root)/IMAGES
+ $(hide) cp $(INSTALLED_VENDORIMAGE_TARGET) $(zip_root)/IMAGES/
+endif
@# Zip everything up, preserving symlinks and placing META/ files first to
@# help early validation of the .zip file while uploading it.
$(hide) (cd $(zip_root) && \
@@ -1814,9 +1908,12 @@
ifneq ($(INSTALLED_RECOVERYIMAGE_TARGET),)
$(hide) zipinfo -1 $@ | awk 'BEGIN { FS="RECOVERY/RAMDISK/" } /^RECOVERY\/RAMDISK\// {print $$2}' | $(HOST_OUT_EXECUTABLES)/fs_config -C -D $(TARGET_OUT) -S $(SELINUX_FC) > $(zip_root)/META/recovery_filesystem_config.txt
endif
+ifdef INSTALLED_SYSTEMOTHERIMAGE_TARGET
+ $(hide) zipinfo -1 $@ | awk 'BEGIN { FS="SYSTEM_OTHER/" } /^SYSTEM_OTHER\// { print "system/" $$2}' | $(HOST_OUT_EXECUTABLES)/fs_config -C -D $(TARGET_OUT) -S $(SELINUX_FC) > $(zip_root)/META/system_other_filesystem_config.txt
+endif
$(hide) (cd $(zip_root) && zip -qX ../$(notdir $@) META/*filesystem_config.txt)
$(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH MKBOOTIMG=$(MKBOOTIMG) \
- ./build/tools/releasetools/add_img_to_target_files -v -p $(HOST_OUT) $@
+ ./build/tools/releasetools/add_img_to_target_files -a -v -p $(HOST_OUT) $@
.PHONY: target-files-package
target-files-package: $(BUILT_TARGET_FILES_PACKAGE)
diff --git a/core/binary.mk b/core/binary.mk
index 918a28d..7b22903 100644
--- a/core/binary.mk
+++ b/core/binary.mk
@@ -629,57 +629,55 @@
## Compile the .proto files to .cc (or .c) and then to .o
###########################################################
proto_sources := $(filter %.proto,$(my_src_files))
-proto_generated_objects :=
-proto_generated_headers :=
ifneq ($(proto_sources),)
-proto_generated_sources_dir := $(generated_sources_dir)/proto
-proto_generated_obj_dir := $(intermediates)/proto
+proto_gen_dir := $(generated_sources_dir)/proto
+my_rename_cpp_ext :=
ifneq (,$(filter nanopb-c nanopb-c-enable_malloc, $(LOCAL_PROTOC_OPTIMIZE_TYPE)))
my_proto_source_suffix := .c
my_proto_c_includes := external/nanopb-c
-my_protoc_flags := --nanopb_out=$(proto_generated_sources_dir) \
+my_protoc_flags := --nanopb_out=$(proto_gen_dir) \
--plugin=external/nanopb-c/generator/protoc-gen-nanopb
else
-my_proto_source_suffix := .cc
+my_proto_source_suffix := $(LOCAL_CPP_EXTENSION)
+ifneq ($(my_proto_source_suffix),.cc)
+# aprotoc is hardcoded to write out only .cc file.
+# We need to rename the extension to $(LOCAL_CPP_EXTENSION) if it's not .cc.
+my_rename_cpp_ext := true
+endif
my_proto_c_includes := external/protobuf/src
my_cflags += -DGOOGLE_PROTOBUF_NO_RTTI
-my_protoc_flags := --cpp_out=$(proto_generated_sources_dir)
+my_protoc_flags := --cpp_out=$(proto_gen_dir)
endif
-my_proto_c_includes += $(proto_generated_sources_dir)
+my_proto_c_includes += $(proto_gen_dir)
proto_sources_fullpath := $(addprefix $(LOCAL_PATH)/, $(proto_sources))
-proto_generated_sources := $(addprefix $(proto_generated_sources_dir)/, \
+proto_generated_cpps := $(addprefix $(proto_gen_dir)/, \
$(patsubst %.proto,%.pb$(my_proto_source_suffix),$(proto_sources_fullpath)))
-proto_generated_headers := $(patsubst %.pb$(my_proto_source_suffix),%.pb.h, $(proto_generated_sources))
-proto_generated_objects := $(addprefix $(proto_generated_obj_dir)/, \
- $(patsubst %.proto,%.pb.o,$(proto_sources_fullpath)))
-$(call track-src-file-obj,$(proto_sources),$(proto_generated_objects))
# Ensure the transform-proto-to-cc rule is only defined once in multilib build.
-ifndef $(my_prefix)_$(LOCAL_MODULE_CLASS)_$(LOCAL_MODULE)_proto_defined
-$(proto_generated_sources): PRIVATE_PROTO_INCLUDES := $(TOP)
-$(proto_generated_sources): PRIVATE_PROTOC_FLAGS := $(LOCAL_PROTOC_FLAGS) $(my_protoc_flags)
-$(proto_generated_sources): $(proto_generated_sources_dir)/%.pb$(my_proto_source_suffix): %.proto $(PROTOC)
+ifndef $(my_host)$(LOCAL_MODULE_CLASS)_$(LOCAL_MODULE)_proto_defined
+$(proto_generated_cpps): PRIVATE_PROTO_INCLUDES := $(TOP)
+$(proto_generated_cpps): PRIVATE_PROTOC_FLAGS := $(LOCAL_PROTOC_FLAGS) $(my_protoc_flags)
+$(proto_generated_cpps): PRIVATE_RENAME_CPP_EXT := $(my_rename_cpp_ext)
+$(proto_generated_cpps): $(proto_gen_dir)/%.pb$(my_proto_source_suffix): %.proto $(my_protoc_deps) $(PROTOC)
$(transform-proto-to-cc)
-# This is just a dummy rule to make sure gmake doesn't skip updating the dependents.
-$(proto_generated_headers): $(proto_generated_sources_dir)/%.pb.h: $(proto_generated_sources_dir)/%.pb$(my_proto_source_suffix)
- @echo "Updated header file $@."
- $(hide) touch $@
-
-$(my_prefix)_$(LOCAL_MODULE_CLASS)_$(LOCAL_MODULE)_proto_defined := true
-endif # transform-proto-to-cc rule included only once
-
-$(proto_generated_objects): PRIVATE_ARM_MODE := $(normal_objects_mode)
-$(proto_generated_objects): PRIVATE_ARM_CFLAGS := $(normal_objects_cflags)
-$(proto_generated_objects): $(proto_generated_obj_dir)/%.o: $(proto_generated_sources_dir)/%$(my_proto_source_suffix) $(proto_generated_headers)
-ifeq ($(my_proto_source_suffix),.c)
- $(transform-$(PRIVATE_HOST)c-to-o)
-else
- $(transform-$(PRIVATE_HOST)cpp-to-o)
+$(my_host)$(LOCAL_MODULE_CLASS)_$(LOCAL_MODULE)_proto_defined := true
endif
-$(call include-depfiles-for-objs, $(proto_generated_objects))
+# Ideally we can generate the source directly into $(intermediates).
+# But many Android.mks assume the .pb.hs are in $(generated_sources_dir).
+# As a workaround, we make a copy in the $(intermediates).
+proto_intermediate_dir := $(intermediates)/proto
+proto_intermediate_cpps := $(patsubst $(proto_gen_dir)/%,$(proto_intermediate_dir)/%,\
+ $(proto_generated_cpps))
+$(proto_intermediate_cpps) : $(proto_intermediate_dir)/% : $(proto_gen_dir)/% | $(ACP)
+ @echo "Copy: $@"
+ $(copy-file-to-target)
+ $(hide) cp $(basename $<).h $(basename $@).h
+$(call track-src-file-gen,$(proto_sources),$(proto_intermediate_cpps))
+
+my_generated_sources += $(proto_intermediate_cpps)
my_c_includes += $(my_proto_c_includes)
# Auto-export the generated proto source dir.
@@ -897,7 +895,7 @@
dotdot_arm_objects :=
$(foreach s,$(dotdot_arm_sources),\
$(eval $(call compile-dotdot-cpp-file,$(s),\
- $(yacc_cpps) $(proto_generated_headers) $(my_additional_dependencies),\
+ $(my_additional_dependencies),\
dotdot_arm_objects)))
$(call track-src-file-obj,$(patsubst %,%.arm,$(dotdot_arm_sources)),$(dotdot_arm_objects))
@@ -905,7 +903,7 @@
dotdot_objects :=
$(foreach s,$(dotdot_sources),\
$(eval $(call compile-dotdot-cpp-file,$(s),\
- $(yacc_cpps) $(proto_generated_headers) $(my_additional_dependencies),\
+ $(my_additional_dependencies),\
dotdot_objects)))
$(call track-src-file-obj,$(dotdot_sources),$(dotdot_objects))
@@ -923,7 +921,6 @@
ifneq ($(strip $(cpp_objects)),)
$(cpp_objects): $(intermediates)/%.o: \
$(TOPDIR)$(LOCAL_PATH)/%$(LOCAL_CPP_EXTENSION) \
- $(yacc_cpps) $(proto_generated_headers) \
$(my_additional_dependencies)
$(transform-$(PRIVATE_HOST)cpp-to-o)
$(call include-depfiles-for-objs, $(cpp_objects))
@@ -945,8 +942,7 @@
$(gen_cpp_objects): PRIVATE_ARM_MODE := $(normal_objects_mode)
$(gen_cpp_objects): PRIVATE_ARM_CFLAGS := $(normal_objects_cflags)
$(gen_cpp_objects): $(intermediates)/%.o: \
- $(intermediates)/%$(LOCAL_CPP_EXTENSION) $(yacc_cpps) \
- $(proto_generated_headers) \
+ $(intermediates)/%$(LOCAL_CPP_EXTENSION) \
$(my_additional_dependencies)
$(transform-$(PRIVATE_HOST)cpp-to-o)
$(call include-depfiles-for-objs, $(gen_cpp_objects))
@@ -1001,7 +997,7 @@
dotdot_arm_objects :=
$(foreach s,$(dotdot_arm_sources),\
$(eval $(call compile-dotdot-c-file,$(s),\
- $(yacc_cpps) $(proto_generated_headers) $(my_additional_dependencies),\
+ $(my_additional_dependencies),\
dotdot_arm_objects)))
$(call track-src-file-obj,$(patsubst %,%.arm,$(dotdot_arm_sources)),$(dotdot_arm_objects))
@@ -1009,7 +1005,7 @@
dotdot_objects :=
$(foreach s, $(dotdot_sources),\
$(eval $(call compile-dotdot-c-file,$(s),\
- $(yacc_cpps) $(proto_generated_headers) $(my_additional_dependencies),\
+ $(my_additional_dependencies),\
dotdot_objects)))
$(call track-src-file-obj,$(dotdot_sources),$(dotdot_objects))
@@ -1025,7 +1021,7 @@
c_objects := $(c_arm_objects) $(c_normal_objects)
ifneq ($(strip $(c_objects)),)
-$(c_objects): $(intermediates)/%.o: $(TOPDIR)$(LOCAL_PATH)/%.c $(yacc_cpps) $(proto_generated_headers) \
+$(c_objects): $(intermediates)/%.o: $(TOPDIR)$(LOCAL_PATH)/%.c \
$(my_additional_dependencies)
$(transform-$(PRIVATE_HOST)c-to-o)
$(call include-depfiles-for-objs, $(c_objects))
@@ -1046,7 +1042,7 @@
# TODO: support compiling certain generated files as arm.
$(gen_c_objects): PRIVATE_ARM_MODE := $(normal_objects_mode)
$(gen_c_objects): PRIVATE_ARM_CFLAGS := $(normal_objects_cflags)
-$(gen_c_objects): $(intermediates)/%.o: $(intermediates)/%.c $(yacc_cpps) $(proto_generated_headers) \
+$(gen_c_objects): $(intermediates)/%.o: $(intermediates)/%.c \
$(my_additional_dependencies)
$(transform-$(PRIVATE_HOST)c-to-o)
$(call include-depfiles-for-objs, $(gen_c_objects))
@@ -1061,7 +1057,7 @@
$(call track-src-file-obj,$(objc_sources),$(objc_objects))
ifneq ($(strip $(objc_objects)),)
-$(objc_objects): $(intermediates)/%.o: $(TOPDIR)$(LOCAL_PATH)/%.m $(yacc_cpps) $(proto_generated_headers) \
+$(objc_objects): $(intermediates)/%.o: $(TOPDIR)$(LOCAL_PATH)/%.m \
$(my_additional_dependencies)
$(transform-$(PRIVATE_HOST)m-to-o)
$(call include-depfiles-for-objs, $(objc_objects))
@@ -1076,7 +1072,7 @@
$(call track-src-file-obj,$(objcpp_sources),$(objcpp_objects))
ifneq ($(strip $(objcpp_objects)),)
-$(objcpp_objects): $(intermediates)/%.o: $(TOPDIR)$(LOCAL_PATH)/%.mm $(yacc_cpps) $(proto_generated_headers) \
+$(objcpp_objects): $(intermediates)/%.o: $(TOPDIR)$(LOCAL_PATH)/%.mm \
$(my_additional_dependencies)
$(transform-$(PRIVATE_HOST)mm-to-o)
$(call include-depfiles-for-objs, $(objcpp_objects))
@@ -1206,8 +1202,7 @@
$(c_objects) \
$(gen_c_objects) \
$(objc_objects) \
- $(objcpp_objects) \
- $(proto_generated_objects)
+ $(objcpp_objects)
new_order_normal_objects := $(foreach f,$(my_src_files),$(my_src_file_obj_$(f)))
new_order_normal_objects += $(foreach f,$(my_gen_src_files),$(my_src_file_obj_$(f)))
@@ -1420,11 +1415,9 @@
###########################################################
export_includes := $(intermediates)/export_includes
$(export_includes): PRIVATE_EXPORT_C_INCLUDE_DIRS := $(my_export_c_include_dirs)
-# Make sure .pb.h are already generated before any dependent source files get compiled.
-# Similarly, the generated DBus headers need to exist before we export their location.
-# People are not going to consume the aidl generated cpp file, but the cpp file is
-# generated after the headers, so this is a convenient way to ensure the headers exist.
-$(export_includes) : $(LOCAL_MODULE_MAKEFILE_DEP) $(proto_generated_headers) $(dbus_generated_headers) $(aidl_gen_cpp) $(vts_gen_cpp)
+# By adding $(my_generated_sources) it makes sure the headers get generated
+# before any dependent source files get compiled.
+$(export_includes) : $(my_generated_sources) $(export_include_deps)
@echo Export includes file: $< -- $@
$(hide) mkdir -p $(dir $@) && rm -f $@.tmp
ifdef my_export_c_include_dirs
diff --git a/core/cleanbuild.mk b/core/cleanbuild.mk
index 0d6a406..e46d934 100644
--- a/core/cleanbuild.mk
+++ b/core/cleanbuild.mk
@@ -242,6 +242,7 @@
$(PRODUCT_OUT)/recovery \
$(PRODUCT_OUT)/root \
$(PRODUCT_OUT)/system \
+ $(PRODUCT_OUT)/system_other \
$(PRODUCT_OUT)/vendor \
$(PRODUCT_OUT)/oem \
$(PRODUCT_OUT)/dex_bootjars \
diff --git a/core/clear_vars.mk b/core/clear_vars.mk
index 59e907b..5886610 100644
--- a/core/clear_vars.mk
+++ b/core/clear_vars.mk
@@ -204,6 +204,8 @@
# Used to replace the installed file of a presigned prebuilt apk in PDK fusion build,
# to avoid installing the presigned apks with classes.dex unstripped.
LOCAL_REPLACE_PREBUILT_APK_INSTALLED:=
+LOCAL_EXTRACT_APK:=
+LOCAL_EXTRACT_DPI_APK:=
# arch specific variables
LOCAL_SRC_FILES_$(TARGET_ARCH):=
diff --git a/core/config_sanitizers.mk b/core/config_sanitizers.mk
index 6e96880..dbcf276 100644
--- a/core/config_sanitizers.mk
+++ b/core/config_sanitizers.mk
@@ -24,6 +24,31 @@
my_sanitize := $(my_global_sanitize)
endif
+# The sanitizer specified in the product configuration wins over the previous.
+ifneq ($(SANITIZER.$(TARGET_PRODUCT).$(LOCAL_MODULE).CONFIG),)
+ my_sanitize := $(SANITIZER.$(TARGET_PRODUCT).$(LOCAL_MODULE).CONFIG)
+ ifeq ($(my_sanitize),never)
+ my_sanitize :=
+ endif
+endif
+
+# Add a filter point for 32-bit vs 64-bit sanitization (to lighten the burden).
+SANITIZE_ARCH ?= 32 64
+ifeq ($(filter $(SANITIZE_ARCH),$(my_32_64_bit_suffix)),)
+ my_sanitize :=
+endif
+
+# Add a filter point based on module owner (to lighten the burden). The format is a space- or
+# colon-separated list of owner names.
+ifneq (,$(SANITIZE_NEVER_BY_OWNER))
+ ifneq (,$(LOCAL_MODULE_OWNER))
+ ifneq (,$(filter $(LOCAL_MODULE_OWNER),$(subst :, ,$(SANITIZE_NEVER_BY_OWNER))))
+ $(warning Not sanitizing $(LOCAL_MODULE) based on module owner.)
+ my_sanitize :=
+ endif
+ endif
+endif
+
# Don't apply sanitizers to NDK code.
ifdef LOCAL_SDK_VERSION
my_sanitize :=
diff --git a/core/definitions.mk b/core/definitions.mk
index b9ef4d5..84ea801 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -1169,6 +1169,9 @@
$(addprefix --proto_path=, $(PRIVATE_PROTO_INCLUDES)) \
$(PRIVATE_PROTOC_FLAGS) \
$<
+@# aprotoc outputs only .cc. Rename it to .cpp if necessary.
+$(if $(PRIVATE_RENAME_CPP_EXT),\
+ $(hide) mv $(basename $@).cc $@)
endef
diff --git a/core/dex_preopt.mk b/core/dex_preopt.mk
index d182dc0..5df9dc3 100644
--- a/core/dex_preopt.mk
+++ b/core/dex_preopt.mk
@@ -19,6 +19,10 @@
# The default value for LOCAL_DEX_PREOPT
DEX_PREOPT_DEFAULT ?= true
+# The default filter for which files go into the system_other image (if it is
+# being used). To bundle everything one should set this to '%'
+SYSTEM_OTHER_ODEX_FILTER ?= app/% priv-app/%
+
# The default values for pre-opting: always preopt PIC.
# Conditional to building on linux, as dex2oat currently does not work on darwin.
ifeq ($(HOST_OS),linux)
diff --git a/core/dex_preopt_libart.mk b/core/dex_preopt_libart.mk
index 9410c3c..acd4a02 100644
--- a/core/dex_preopt_libart.mk
+++ b/core/dex_preopt_libart.mk
@@ -59,6 +59,21 @@
$(dir $(2))oat/$(1)/$(basename $(notdir $(2))).odex
endef
+# Returns the full path to the installed .odex file.
+# This handles BOARD_USES_SYSTEM_OTHER_ODEX to install odex files into another
+# partition.
+# $(1): the arch name.
+# $(2): the full install path (including file name) of the corresponding .apk.
+ifeq ($(BOARD_USES_SYSTEM_OTHER_ODEX),true)
+define get-odex-installed-file-path
+$(if $(filter $(foreach f,$(SYSTEM_OTHER_ODEX_FILTER),$(TARGET_OUT)/$(f)),$(2)),
+ $(call get-odex-file-path,$(1),$(patsubst $(TARGET_OUT)/%,$(TARGET_OUT_SYSTEM_OTHER)/%,$(2))),
+ $(call get-odex-file-path,$(1),$(2)))
+endef
+else
+get-odex-installed-file-path = $(get-odex-file-path)
+endif
+
# Returns the path to the image file (such as "/system/framework/<arch>/boot.art"
# $(1): the arch name (such as "arm")
# $(2): the image location (such as "/system/framework/boot.art")
diff --git a/core/dex_preopt_odex_install.mk b/core/dex_preopt_odex_install.mk
index 4e486d5..b05d4da 100644
--- a/core/dex_preopt_odex_install.mk
+++ b/core/dex_preopt_odex_install.mk
@@ -39,6 +39,14 @@
LOCAL_DEX_PREOPT :=
endif
endif
+# if installing into system, and odex are being installed into system_other, don't strip
+ifeq ($(BOARD_USES_SYSTEM_OTHER_ODEX),true)
+ifeq ($(LOCAL_DEX_PREOPT),true)
+ifneq ($(filter $(foreach f,$(SYSTEM_OTHER_ODEX_FILTER),$(TARGET_OUT)/$(f)),$(my_module_path)),)
+LOCAL_DEX_PREOPT := nostripping
+endif
+endif
+endif
built_odex :=
installed_odex :=
@@ -100,14 +108,6 @@
endif
$(built_odex): PRIVATE_DEX_PREOPT_FLAGS := $(LOCAL_DEX_PREOPT_FLAGS)
-
-# Use pattern rule - we may have multiple installed odex files.
-# Ugly syntax - See the definition get-odex-file-path.
-$(installed_odex) : $(dir $(LOCAL_INSTALLED_MODULE))%$(notdir $(word 1,$(installed_odex))) \
- : $(dir $(LOCAL_BUILT_MODULE))%$(notdir $(word 1,$(built_odex))) \
- | $(ACP)
- @echo "Install: $@"
- $(copy-file-to-target)
endif
# Add the installed_odex to the list of installed files for this module.
diff --git a/core/envsetup.mk b/core/envsetup.mk
index 0a72603..6cfb6a1 100644
--- a/core/envsetup.mk
+++ b/core/envsetup.mk
@@ -109,6 +109,7 @@
# TARGET_COPY_OUT_* are all relative to the staging directory, ie PRODUCT_OUT.
# Define them here so they can be used in product config files.
TARGET_COPY_OUT_SYSTEM := system
+TARGET_COPY_OUT_SYSTEM_OTHER := system_other
TARGET_COPY_OUT_DATA := data
TARGET_COPY_OUT_OEM := oem
TARGET_COPY_OUT_ODM := odm
@@ -172,6 +173,19 @@
$(error TARGET_COPY_OUT_VENDOR must be either 'vendor' or 'system/vendor', seeing '$(TARGET_COPY_OUT_VENDOR)'.)
endif
PRODUCT_COPY_FILES := $(subst $(_vendor_path_placeholder),$(TARGET_COPY_OUT_VENDOR),$(PRODUCT_COPY_FILES))
+
+BOARD_USES_VENDORIMAGE :=
+ifdef BOARD_PREBUILT_VENDORIMAGE
+BOARD_USES_VENDORIMAGE := true
+endif
+ifdef BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE
+BOARD_USES_VENDORIMAGE := true
+endif
+ifeq ($(TARGET_COPY_OUT_VENDOR),vendor)
+BOARD_USES_VENDORIMAGE := true
+else ifdef BOARD_USES_VENDORIMAGE
+$(error TARGET_COPY_OUT_VENDOR must be set to 'vendor' to use a vendor image)
+endif
###########################################
@@ -322,6 +336,8 @@
TARGET_OUT_NOTICE_FILES := $(TARGET_OUT_INTERMEDIATES)/NOTICE_FILES
TARGET_OUT_FAKE := $(PRODUCT_OUT)/fake_packages
+TARGET_OUT_SYSTEM_OTHER := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_SYSTEM_OTHER)
+
# Out for TARGET_2ND_ARCH
TARGET_2ND_ARCH_VAR_PREFIX := $(HOST_2ND_ARCH_VAR_PREFIX)
TARGET_2ND_ARCH_MODULE_SUFFIX := $(HOST_2ND_ARCH_MODULE_SUFFIX)
@@ -377,7 +393,7 @@
TARGET_OUT_VENDOR_ETC := $(TARGET_OUT_VENDOR)/etc
$(TARGET_2ND_ARCH_VAR_PREFIX)TARGET_OUT_VENDOR_EXECUTABLES := $(TARGET_OUT_VENDOR_EXECUTABLES)
-$(TARGET_2ND_ARCH_VAR_PREFIX)TARGET_OUT_VENDOR_SHARED_LIBRARIES := $(TARGET_OUT_VENDOR)/lib
+$(TARGET_2ND_ARCH_VAR_PREFIX)TARGET_OUT_VENDOR_SHARED_LIBRARIES := $(target_out_vendor_shared_libraries_base)/lib
$(TARGET_2ND_ARCH_VAR_PREFIX)TARGET_OUT_VENDOR_APPS := $(TARGET_OUT_VENDOR_APPS)
TARGET_OUT_OEM := $(PRODUCT_OUT)/$(TARGET_COPY_OUT_OEM)
diff --git a/core/main.mk b/core/main.mk
index 651ba98..a612f83 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -81,6 +81,7 @@
userdataimage-nodeps userdatatarball-nodeps \
cacheimage-nodeps \
vendorimage-nodeps \
+ systemotherimage-nodeps \
ramdisk-nodeps \
bootimage-nodeps \
recoveryimage-nodeps \
@@ -928,6 +929,9 @@
.PHONY: vendorimage
vendorimage: $(INSTALLED_VENDORIMAGE_TARGET)
+.PHONY: systemotherimage
+systemotherimage: $(INSTALLED_SYSTEMOTHERIMAGE_TARGET)
+
.PHONY: bootimage
bootimage: $(INSTALLED_BOOTIMAGE_TARGET)
@@ -955,8 +959,10 @@
$(INSTALLED_USERDATAIMAGE_TARGET) \
$(INSTALLED_CACHEIMAGE_TARGET) \
$(INSTALLED_VENDORIMAGE_TARGET) \
+ $(INSTALLED_SYSTEMOTHERIMAGE_TARGET) \
$(INSTALLED_FILES_FILE) \
- $(INSTALLED_FILES_FILE_VENDOR)
+ $(INSTALLED_FILES_FILE_VENDOR) \
+ $(INSTALLED_FILES_FILE_SYSTEMOTHER)
# dist_files only for putting your library into the dist directory with a full build.
.PHONY: dist_files
@@ -1017,6 +1023,7 @@
$(SYMBOLS_ZIP) \
$(INSTALLED_FILES_FILE) \
$(INSTALLED_FILES_FILE_VENDOR) \
+ $(INSTALLED_FILES_FILE_SYSTEMOTHER) \
$(INSTALLED_BUILD_PROP_TARGET) \
$(BUILT_TARGET_FILES_PACKAGE) \
$(INSTALLED_ANDROID_INFO_TXT_TARGET) \
diff --git a/core/pathmap.mk b/core/pathmap.mk
index 9b5a7db..edc584b 100644
--- a/core/pathmap.mk
+++ b/core/pathmap.mk
@@ -106,7 +106,11 @@
#
FRAMEWORKS_SUPPORT_SUBDIRS := \
annotations \
- v4 \
+ compat \
+ media-compat \
+ fragment \
+ core-ui \
+ core-utils \
v7/gridlayout \
v7/cardview \
v7/mediarouter \
@@ -147,6 +151,7 @@
#
FRAMEWORKS_SUPPORT_JAVA_LIBRARIES := \
$(foreach dir,$(FRAMEWORKS_SUPPORT_SUBDIRS),android-support-$(subst /,-,$(dir))) \
+ android-support-v4 \
android-support-vectordrawable \
android-support-animatedvectordrawable \
android-support-v7-appcompat \
diff --git a/core/prebuilt_internal.mk b/core/prebuilt_internal.mk
index ee68427..b6727fa 100644
--- a/core/prebuilt_internal.mk
+++ b/core/prebuilt_internal.mk
@@ -85,8 +85,10 @@
ifeq ($(LOCAL_MODULE_CLASS),APPS)
LOCAL_BUILT_MODULE_STEM := package.apk
+ifndef LOCAL_INSTALLED_MODULE_STEM
LOCAL_INSTALLED_MODULE_STEM := $(LOCAL_MODULE).apk
endif
+endif
ifneq ($(filter true no_debuglink,$(my_strip_module) $(my_pack_module_relocations)),)
ifdef LOCAL_IS_HOST_MODULE
@@ -152,6 +154,8 @@
ifeq ($(LOCAL_MODULE_CLASS),APPS)
PACKAGES.$(LOCAL_MODULE).OVERRIDES := $(strip $(LOCAL_OVERRIDES_PACKAGES))
+my_extract_apk := $(strip $(LOCAL_EXTRACT_APK))
+
# Select dpi-specific source
ifdef LOCAL_DPI_VARIANTS
my_dpi := $(firstword $(filter $(LOCAL_DPI_VARIANTS),$(PRODUCT_AAPT_PREF_CONFIG) $(PRODUCT_AAPT_PREBUILT_DPI)))
@@ -162,9 +166,27 @@
my_prebuilt_dpi_file_stem := $(LOCAL_MODULE)_%.apk
endif
my_prebuilt_src_file := $(dir $(my_prebuilt_src_file))$(subst %,$(my_dpi),$(my_prebuilt_dpi_file_stem))
+
+ifneq ($(strip $(LOCAL_EXTRACT_DPI_APK)),)
+my_extract_apk := $(subst %,$(my_dpi),$(LOCAL_EXTRACT_DPI_APK))
+endif # LOCAL_EXTRACT_DPI_APK
endif # my_dpi
endif # LOCAL_DPI_VARIANTS
+ifdef my_extract_apk
+my_extracted_apk := $(intermediates)/extracted.apk
+
+$(my_extracted_apk): PRIVATE_EXTRACT := $(my_extract_apk)
+$(my_extracted_apk): $(my_prebuilt_src_file)
+ @echo Extract APK: $@
+ $(hide) mkdir -p $(dir $@) && rm -f $@
+ $(hide) unzip -p $< $(PRIVATE_EXTRACT) >$@
+
+my_prebuilt_src_file := $(my_extracted_apk)
+my_extracted_apk :=
+my_extract_apk :=
+endif
+
rs_compatibility_jni_libs :=
include $(BUILD_SYSTEM)/install_jni_libs.mk
diff --git a/core/product.mk b/core/product.mk
index 94cc2e3..332b015 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -120,6 +120,7 @@
PRODUCT_DEX_PREOPT_MODULE_CONFIGS \
PRODUCT_DEX_PREOPT_DEFAULT_FLAGS \
PRODUCT_DEX_PREOPT_BOOT_FLAGS \
+ PRODUCT_SANITIZER_MODULE_CONFIGS \
PRODUCT_SYSTEM_BASE_FS_PATH \
PRODUCT_VENDOR_BASE_FS_PATH \
PRODUCT_SHIPPING_API_LEVEL \
@@ -333,3 +334,14 @@
$(eval PRODUCT_DEX_PREOPT_MODULE_CONFIGS += \
$(foreach m,$(1),$(m)=$(_c)))
endef
+
+# whitespace placeholder when we record module's sanitizer config.
+_PSMC_SP_PLACE_HOLDER := |@SP@|
+# Set up sanitizer config for a module.
+# $(1) list of module names
+# $(2) the modules' sanitizer config
+define add-product-sanitizer-module-config
+$(eval _c := $(subst $(space),$(_PSMC_SP_PLACE_HOLDER),$(strip $(2))))\
+$(eval PRODUCT_SANITIZER_MODULE_CONFIGS += \
+ $(foreach m,$(1),$(m)=$(_c)))
+endef
diff --git a/core/product_config.mk b/core/product_config.mk
index ed38bc8..6438d51 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -74,7 +74,7 @@
###########################################################
define find-copy-subdir-files
-$(shell find $(2) -name "$(1)" | $(SED_EXTENDED) "s:($(2)/?(.*)):\\1\\:$(3)/\\2:" | sed "s://:/:g")
+$(sort $(shell find $(2) -name "$(1)" -type f | $(SED_EXTENDED) "s:($(2)/?(.*)):\\1\\:$(3)/\\2:" | sed "s://:/:g"))
endef
# ---------------------------------------------------------------
@@ -392,7 +392,7 @@
$(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_DEX_PREOPT_DEFAULT_FLAGS))
PRODUCT_DEX_PREOPT_BOOT_FLAGS := \
$(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_DEX_PREOPT_BOOT_FLAGS))
-# Resolve and setup per-module dex-preopot configs.
+# Resolve and setup per-module dex-preopt configs.
PRODUCT_DEX_PREOPT_MODULE_CONFIGS := \
$(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_DEX_PREOPT_MODULE_CONFIGS))
# If a module has multiple setups, the first takes precedence.
@@ -405,3 +405,17 @@
$(eval cf := $(subst $(_PDPMC_SP_PLACE_HOLDER),$(space),$(cf)))\
$(eval DEXPREOPT.$(TARGET_PRODUCT).$(m).CONFIG := $(cf))))
_pdpmc_modules :=
+
+# Resolve and setup per-module sanitizer configs.
+PRODUCT_SANITIZER_MODULE_CONFIGS := \
+ $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SANITIZER_MODULE_CONFIGS))
+# If a module has multiple setups, the first takes precedence.
+_psmc_modules :=
+$(foreach c,$(PRODUCT_SANITIZER_MODULE_CONFIGS),\
+ $(eval m := $(firstword $(subst =,$(space),$(c))))\
+ $(if $(filter $(_psmc_modules),$(m)),,\
+ $(eval _psmc_modules += $(m))\
+ $(eval cf := $(patsubst $(m)=%,%,$(c)))\
+ $(eval cf := $(subst $(_PSMC_SP_PLACE_HOLDER),$(space),$(cf)))\
+ $(eval SANITIZER.$(TARGET_PRODUCT).$(m).CONFIG := $(cf))))
+_psmc_modules :=
diff --git a/core/setup_one_odex.mk b/core/setup_one_odex.mk
index ec8a28a..36b6817 100644
--- a/core/setup_one_odex.mk
+++ b/core/setup_one_odex.mk
@@ -32,7 +32,9 @@
$(DEXPREOPT_ONE_FILE_DEPENDENCY_TOOLS) \
$(my_dex_preopt_image_filename)
-my_installed_odex := $(call get-odex-file-path,$($(my_2nd_arch_prefix)DEX2OAT_TARGET_ARCH),$(LOCAL_INSTALLED_MODULE))
+my_installed_odex := $(call get-odex-installed-file-path,$($(my_2nd_arch_prefix)DEX2OAT_TARGET_ARCH),$(LOCAL_INSTALLED_MODULE))
+
+$(eval $(call copy-one-file,$(my_built_odex),$(my_installed_odex)))
built_odex += $(my_built_odex)
installed_odex += $(my_installed_odex)
diff --git a/core/tasks/vendor_module_check.mk b/core/tasks/vendor_module_check.mk
index 910c8b7..e3761ae 100644
--- a/core/tasks/vendor_module_check.mk
+++ b/core/tasks/vendor_module_check.mk
@@ -43,6 +43,7 @@
synaptics \
ti \
trusted_logic \
+ verizon \
widevine
diff --git a/core/version_defaults.mk b/core/version_defaults.mk
index 651292d..e0db15d 100644
--- a/core/version_defaults.mk
+++ b/core/version_defaults.mk
@@ -25,7 +25,7 @@
# BUILD_ID
# BUILD_NUMBER
# BUILD_DATETIME
-# SECURITY_PATCH
+# PLATFORM_SECURITY_PATCH
#
# Look for an optional file containing overrides of the defaults,
@@ -43,7 +43,7 @@
# which is the version that we reveal to the end user.
# Update this value when the platform version changes (rather
# than overriding it somewhere else). Can be an arbitrary string.
- PLATFORM_VERSION := 7.0
+ PLATFORM_VERSION := 7.1
endif
ifeq "" "$(PLATFORM_SDK_VERSION)"
@@ -55,7 +55,7 @@
# intermediate builds). During development, this number remains at the
# SDK version the branch is based on and PLATFORM_VERSION_CODENAME holds
# the code-name of the new development work.
- PLATFORM_SDK_VERSION := 24
+ PLATFORM_SDK_VERSION := 25
endif
ifeq "" "$(PLATFORM_JACK_MIN_SDK_VERSION)"
@@ -64,7 +64,7 @@
# PLATFORM_SDK_VERSION. During development, this number may be incremented
# before PLATFORM_SDK_VERSION if the plateform starts to add new java
# language supports.
- PLATFORM_JACK_MIN_SDK_VERSION := 24
+ PLATFORM_JACK_MIN_SDK_VERSION := 25
endif
ifeq "" "$(PLATFORM_VERSION_CODENAME)"
diff --git a/target/product/core.mk b/target/product/core.mk
index 75cf649..0a4e0fd 100644
--- a/target/product/core.mk
+++ b/target/product/core.mk
@@ -53,6 +53,7 @@
QuickSearchBox \
Settings \
SharedStorageBackup \
+ StorageManager \
Telecom \
TeleService \
VpnDialogs \
diff --git a/tools/releasetools/add_img_to_target_files.py b/tools/releasetools/add_img_to_target_files.py
index 7cb9072..6acc69d 100755
--- a/tools/releasetools/add_img_to_target_files.py
+++ b/tools/releasetools/add_img_to_target_files.py
@@ -37,6 +37,7 @@
import build_image
import common
+import sparse_img
OPTIONS = common.OPTIONS
@@ -46,6 +47,19 @@
OPTIONS.replace_verity_private_key = False
OPTIONS.verity_signer_path = None
+def GetCareMap(which, imgname):
+ """Generate care_map of system (or vendor) partition"""
+
+ assert which in ("system", "vendor")
+ _, blk_device = common.GetTypeAndDevice("/" + which, OPTIONS.info_dict)
+
+ simg = sparse_img.SparseImage(imgname)
+ care_map_list = []
+ care_map_list.append(blk_device)
+ care_map_list.append(simg.care_map.to_string_raw())
+ return care_map_list
+
+
def AddSystem(output_zip, prefix="IMAGES/", recovery_img=None, boot_img=None):
"""Turn the contents of SYSTEM into a system image and store it in
output_zip."""
@@ -53,7 +67,7 @@
prebuilt_path = os.path.join(OPTIONS.input_tmp, prefix, "system.img")
if os.path.exists(prebuilt_path):
print "system.img already exists in %s, no need to rebuild..." % (prefix,)
- return
+ return prebuilt_path
def output_sink(fn, data):
ofile = open(os.path.join(OPTIONS.input_tmp, "SYSTEM", fn), "w")
@@ -70,6 +84,7 @@
block_list=block_list)
common.ZipWrite(output_zip, imgname, prefix + "system.img")
common.ZipWrite(output_zip, block_list, prefix + "system.map")
+ return imgname
def BuildSystem(input_dir, info_dict, block_list=None):
@@ -78,6 +93,24 @@
return CreateImage(input_dir, info_dict, "system", block_list=block_list)
+def AddSystemOther(output_zip, prefix="IMAGES/"):
+ """Turn the contents of SYSTEM_OTHER into a system_other image
+ and store it in output_zip."""
+
+ prebuilt_path = os.path.join(OPTIONS.input_tmp, prefix, "system_other.img")
+ if os.path.exists(prebuilt_path):
+ print "system_other.img already exists in %s, no need to rebuild..." % (prefix,)
+ return
+
+ imgname = BuildSystemOther(OPTIONS.input_tmp, OPTIONS.info_dict)
+ common.ZipWrite(output_zip, imgname, prefix + "system_other.img")
+
+def BuildSystemOther(input_dir, info_dict):
+ """Build the (sparse) system_other image and return the name of a temp
+ file containing it."""
+ return CreateImage(input_dir, info_dict, "system_other", block_list=None)
+
+
def AddVendor(output_zip, prefix="IMAGES/"):
"""Turn the contents of VENDOR into a vendor image and store in it
output_zip."""
@@ -85,13 +118,14 @@
prebuilt_path = os.path.join(OPTIONS.input_tmp, prefix, "vendor.img")
if os.path.exists(prebuilt_path):
print "vendor.img already exists in %s, no need to rebuild..." % (prefix,)
- return
+ return prebuilt_path
block_list = common.MakeTempFile(prefix="vendor-blocklist-", suffix=".map")
imgname = BuildVendor(OPTIONS.input_tmp, OPTIONS.info_dict,
block_list=block_list)
common.ZipWrite(output_zip, imgname, prefix + "vendor.img")
common.ZipWrite(output_zip, block_list, prefix + "vendor.map")
+ return imgname
def BuildVendor(input_dir, info_dict, block_list=None):
@@ -121,8 +155,9 @@
image_props = build_image.ImagePropFromGlobalDict(info_dict, what)
fstab = info_dict["fstab"]
- if fstab:
- image_props["fs_type"] = fstab["/" + what].fs_type
+ mount_point = "/" + what
+ if fstab and mount_point in fstab:
+ image_props["fs_type"] = fstab[mount_point].fs_type
# Use a fixed timestamp (01/01/2009) when packaging the image.
# Bug: 24377993
@@ -268,6 +303,8 @@
except KeyError:
has_vendor = False
+ has_system_other = "SYSTEM_OTHER/" in input_zip.namelist()
+
OPTIONS.info_dict = common.LoadInfoDict(input_zip, OPTIONS.input_tmp)
common.ZipClose(input_zip)
@@ -310,10 +347,15 @@
recovery_image.AddToZip(output_zip)
banner("system")
- AddSystem(output_zip, recovery_img=recovery_image, boot_img=boot_image)
+ system_imgname = AddSystem(output_zip, recovery_img=recovery_image,
+ boot_img=boot_image)
+ vendor_imgname = None
if has_vendor:
banner("vendor")
- AddVendor(output_zip)
+ vendor_imgname = AddVendor(output_zip)
+ if has_system_other:
+ banner("system_other")
+ AddSystemOther(output_zip)
banner("userdata")
AddUserdata(output_zip)
banner("cache")
@@ -325,7 +367,19 @@
if os.path.exists(ab_partitions):
with open(ab_partitions, 'r') as f:
lines = f.readlines()
+ # For devices using A/B update, generate care_map for system and vendor
+ # partitions (if present), then write this file to target_files package.
+ care_map_list = []
for line in lines:
+ if line.strip() == "system" and OPTIONS.info_dict.get(
+ "system_verity_block_device", None) is not None:
+ assert os.path.exists(system_imgname)
+ care_map_list += GetCareMap("system", system_imgname)
+ if line.strip() == "vendor" and OPTIONS.info_dict.get(
+ "vendor_verity_block_device", None) is not None:
+ assert os.path.exists(vendor_imgname)
+ care_map_list += GetCareMap("vendor", vendor_imgname)
+
img_name = line.strip() + ".img"
img_radio_path = os.path.join(OPTIONS.input_tmp, "RADIO", img_name)
if os.path.exists(img_radio_path):
@@ -336,6 +390,10 @@
img_path = 'IMAGES/' + img_name
assert img_path in output_zip.namelist(), "cannot find " + img_name
+ if care_map_list:
+ file_path = "META/care_map.txt"
+ common.ZipWriteStr(output_zip, file_path, '\n'.join(care_map_list))
+
common.ZipClose(output_zip)
def main(argv):
diff --git a/tools/releasetools/blockimgdiff.py b/tools/releasetools/blockimgdiff.py
index 66d5907..0d9aabd 100644
--- a/tools/releasetools/blockimgdiff.py
+++ b/tools/releasetools/blockimgdiff.py
@@ -342,19 +342,20 @@
return ctx.hexdigest()
def WriteTransfers(self, prefix):
- def WriteTransfersZero(out, to_zero):
- """Limit the number of blocks in command zero to 1024 blocks.
+ def WriteSplitTransfers(out, style, target_blocks):
+ """Limit the size of operand in command 'new' and 'zero' to 1024 blocks.
This prevents the target size of one command from being too large; and
might help to avoid fsync errors on some devices."""
- zero_blocks_limit = 1024
+ assert (style == "new" or style == "zero")
+ blocks_limit = 1024
total = 0
- while to_zero:
- zero_blocks = to_zero.first(zero_blocks_limit)
- out.append("zero %s\n" % (zero_blocks.to_string_raw(),))
- total += zero_blocks.size()
- to_zero = to_zero.subtract(zero_blocks)
+ while target_blocks:
+ blocks_to_write = target_blocks.first(blocks_limit)
+ out.append("%s %s\n" % (style, blocks_to_write.to_string_raw()))
+ total += blocks_to_write.size()
+ target_blocks = target_blocks.subtract(blocks_to_write)
return total
out = []
@@ -478,7 +479,7 @@
if xf.style == "new":
assert xf.tgt_ranges
- out.append("%s %s\n" % (xf.style, xf.tgt_ranges.to_string_raw()))
+ assert tgt_size == WriteSplitTransfers(out, xf.style, xf.tgt_ranges)
total += tgt_size
elif xf.style == "move":
assert xf.tgt_ranges
@@ -538,7 +539,7 @@
elif xf.style == "zero":
assert xf.tgt_ranges
to_zero = xf.tgt_ranges.subtract(xf.src_ranges)
- assert WriteTransfersZero(out, to_zero) == to_zero.size()
+ assert WriteSplitTransfers(out, xf.style, to_zero) == to_zero.size()
total += to_zero.size()
else:
raise ValueError("unknown transfer style '%s'\n" % xf.style)
@@ -568,7 +569,7 @@
# Zero out extended blocks as a workaround for bug 20881595.
if self.tgt.extended:
- assert (WriteTransfersZero(out, self.tgt.extended) ==
+ assert (WriteSplitTransfers(out, "zero", self.tgt.extended) ==
self.tgt.extended.size())
total += self.tgt.extended.size()
diff --git a/tools/releasetools/build_image.py b/tools/releasetools/build_image.py
index c1c9057..24ecd15 100755
--- a/tools/releasetools/build_image.py
+++ b/tools/releasetools/build_image.py
@@ -409,6 +409,8 @@
build_command.extend(["-z", prop_dict["squashfs_compressor"]])
if "squashfs_compressor_opt" in prop_dict:
build_command.extend(["-zo", prop_dict["squashfs_compressor_opt"]])
+ if "squashfs_block_size" in prop_dict:
+ build_command.extend(["-b", prop_dict["squashfs_block_size"]])
if "squashfs_disable_4k_align" in prop_dict and prop_dict.get("squashfs_disable_4k_align") == "true":
build_command.extend(["-a"])
elif fs_type.startswith("f2fs"):
@@ -554,8 +556,22 @@
copy_prop("has_ext4_reserved_blocks", "has_ext4_reserved_blocks")
copy_prop("system_squashfs_compressor", "squashfs_compressor")
copy_prop("system_squashfs_compressor_opt", "squashfs_compressor_opt")
+ copy_prop("system_squashfs_block_size", "squashfs_block_size")
copy_prop("system_squashfs_disable_4k_align", "squashfs_disable_4k_align")
copy_prop("system_base_fs_file", "base_fs_file")
+ elif mount_point == "system_other":
+ # We inherit the selinux policies of /system since we contain some of its files.
+ d["mount_point"] = "system"
+ copy_prop("fs_type", "fs_type")
+ copy_prop("system_fs_type", "fs_type")
+ copy_prop("system_size", "partition_size")
+ copy_prop("system_journal_size", "journal_size")
+ copy_prop("system_verity_block_device", "verity_block_device")
+ copy_prop("has_ext4_reserved_blocks", "has_ext4_reserved_blocks")
+ copy_prop("system_squashfs_compressor", "squashfs_compressor")
+ copy_prop("system_squashfs_compressor_opt", "squashfs_compressor_opt")
+ copy_prop("system_squashfs_block_size", "squashfs_block_size")
+ copy_prop("system_base_fs_file", "base_fs_file")
elif mount_point == "data":
# Copy the generic fs type first, override with specific one if available.
copy_prop("fs_type", "fs_type")
@@ -572,6 +588,7 @@
copy_prop("has_ext4_reserved_blocks", "has_ext4_reserved_blocks")
copy_prop("vendor_squashfs_compressor", "squashfs_compressor")
copy_prop("vendor_squashfs_compressor_opt", "squashfs_compressor_opt")
+ copy_prop("vendor_squashfs_block_size", "squashfs_block_size")
copy_prop("vendor_squashfs_disable_4k_align", "squashfs_disable_4k_align")
copy_prop("vendor_base_fs_file", "base_fs_file")
elif mount_point == "oem":
@@ -617,6 +634,8 @@
mount_point = ""
if image_filename == "system.img":
mount_point = "system"
+ elif image_filename == "system_other.img":
+ mount_point = "system_other"
elif image_filename == "userdata.img":
mount_point = "data"
elif image_filename == "cache.img":
diff --git a/tools/releasetools/check_target_files_signatures.py b/tools/releasetools/check_target_files_signatures.py
index 5c541ab..3048488 100755
--- a/tools/releasetools/check_target_files_signatures.py
+++ b/tools/releasetools/check_target_files_signatures.py
@@ -245,7 +245,7 @@
fullname = os.path.join(dirpath, fn)
displayname = fullname[len(d)+1:]
apk = APK(fullname, displayname)
- self.apks[apk.package] = apk
+ self.apks[apk.filename] = apk
self.apks_by_basename[os.path.basename(apk.filename)] = apk
self.max_pkg_len = max(self.max_pkg_len, len(apk.package))
@@ -316,8 +316,7 @@
self.max_pkg_len, apk.package,
apk.shared_uid)
else:
- print " %-*s %-*s" % (self.max_fn_len, apk.filename,
- self.max_pkg_len, apk.package)
+ print " %-*s %s" % (self.max_fn_len, apk.filename, apk.package)
print
def CompareWith(self, other):
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index a4862a6..3874c1f 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -259,11 +259,18 @@
makeint("boot_size")
makeint("fstab_version")
- if d.get("no_recovery", False) == "true":
- d["fstab"] = None
- else:
+ system_root_image = d.get("system_root_image", None) == "true"
+ if d.get("no_recovery", None) != "true":
+ recovery_fstab_path = "RECOVERY/RAMDISK/etc/recovery.fstab"
d["fstab"] = LoadRecoveryFSTab(read_helper, d["fstab_version"],
- d.get("system_root_image", False))
+ recovery_fstab_path, system_root_image)
+ elif d.get("recovery_as_boot", None) == "true":
+ recovery_fstab_path = "BOOT/RAMDISK/etc/recovery.fstab"
+ d["fstab"] = LoadRecoveryFSTab(read_helper, d["fstab_version"],
+ recovery_fstab_path, system_root_image)
+ else:
+ d["fstab"] = None
+
d["build.prop"] = LoadBuildProp(read_helper)
return d
@@ -286,7 +293,8 @@
d[name] = value
return d
-def LoadRecoveryFSTab(read_helper, fstab_version, system_root_image=False):
+def LoadRecoveryFSTab(read_helper, fstab_version, recovery_fstab_path,
+ system_root_image=False):
class Partition(object):
def __init__(self, mount_point, fs_type, device, length, device2, context):
self.mount_point = mount_point
@@ -297,9 +305,9 @@
self.context = context
try:
- data = read_helper("RECOVERY/RAMDISK/etc/recovery.fstab")
+ data = read_helper(recovery_fstab_path)
except KeyError:
- print "Warning: could not find RECOVERY/RAMDISK/etc/recovery.fstab"
+ print "Warning: could not find {}".format(recovery_fstab_path)
data = ""
if fstab_version == 1:
diff --git a/tools/releasetools/ota_from_target_files.py b/tools/releasetools/ota_from_target_files.py
index b69ddac..d3d4974 100755
--- a/tools/releasetools/ota_from_target_files.py
+++ b/tools/releasetools/ota_from_target_files.py
@@ -113,6 +113,17 @@
Generate a log file that shows the differences in the source and target
builds for an incremental package. This option is only meaningful when
-i is specified.
+
+ --payload_signer <signer>
+ Specify the signer when signing the payload and metadata for A/B OTAs.
+ By default (i.e. without this flag), it calls 'openssl pkeyutl' to sign
+ with the package private key. If the private key cannot be accessed
+ directly, a payload signer that knows how to do that should be specified.
+ The signer will be supplied with "-inkey <path_to_key>",
+ "-in <input_file>" and "-out <output_file>" parameters.
+
+ --payload_signer_args <args>
+ Specify the arguments needed for payload signer.
"""
import sys
@@ -124,6 +135,7 @@
import multiprocessing
import os
import subprocess
+import shlex
import tempfile
import zipfile
@@ -160,6 +172,8 @@
OPTIONS.stash_threshold = 0.8
OPTIONS.gen_verify = False
OPTIONS.log_diff = None
+OPTIONS.payload_signer = None
+OPTIONS.payload_signer_args = []
def MostPopularKey(d, default):
"""Given a dict, return the key corresponding to the largest
@@ -859,15 +873,17 @@
int(i) for i in
OPTIONS.info_dict.get("blockimgdiff_versions", "1").split(","))
- # Check first block of system partition for remount R/W only if
- # disk type is ext4
- system_partition = OPTIONS.source_info_dict["fstab"]["/system"]
- check_first_block = system_partition.fs_type == "ext4"
+ # Check the first block of the source system partition for remount R/W only
+ # if the filesystem is ext4.
+ system_src_partition = OPTIONS.source_info_dict["fstab"]["/system"]
+ check_first_block = system_src_partition.fs_type == "ext4"
# Disable using imgdiff for squashfs. 'imgdiff -z' expects input files to be
# in zip formats. However with squashfs, a) all files are compressed in LZ4;
# b) the blocks listed in block map may not contain all the bytes for a given
# file (because they're rounded to be 4K-aligned).
- disable_imgdiff = system_partition.fs_type == "squashfs"
+ system_tgt_partition = OPTIONS.target_info_dict["fstab"]["/system"]
+ disable_imgdiff = (system_src_partition.fs_type == "squashfs" or
+ system_tgt_partition.fs_type == "squashfs")
system_diff = common.BlockDifference("system", system_tgt, system_src,
check_first_block,
version=blockimgdiff_version,
@@ -1163,17 +1179,19 @@
"default_system_dev_certificate",
"build/target/product/security/testkey")
- # A/B updater expects key in RSA format.
- cmd = ["openssl", "pkcs8",
- "-in", OPTIONS.package_key + OPTIONS.private_key_suffix,
- "-inform", "DER", "-nocrypt"]
- rsa_key = common.MakeTempFile(prefix="key-", suffix=".key")
- cmd.extend(["-out", rsa_key])
- p1 = common.Run(cmd, stdout=subprocess.PIPE)
- p1.wait()
- assert p1.returncode == 0, "openssl pkcs8 failed"
+ # A/B updater expects a signing key in RSA format. Gets the key ready for
+ # later use in step 3, unless a payload_signer has been specified.
+ if OPTIONS.payload_signer is None:
+ cmd = ["openssl", "pkcs8",
+ "-in", OPTIONS.package_key + OPTIONS.private_key_suffix,
+ "-inform", "DER", "-nocrypt"]
+ rsa_key = common.MakeTempFile(prefix="key-", suffix=".key")
+ cmd.extend(["-out", rsa_key])
+ p1 = common.Run(cmd, stdout=subprocess.PIPE)
+ p1.wait()
+ assert p1.returncode == 0, "openssl pkcs8 failed"
- # Stage the output zip package for signing.
+ # Stage the output zip package for package signing.
temp_zip_file = tempfile.NamedTemporaryFile()
output_zip = zipfile.ZipFile(temp_zip_file, "w",
compression=zipfile.ZIP_DEFLATED)
@@ -1234,21 +1252,30 @@
signed_metadata_sig_file = common.MakeTempFile(prefix="signed-sig-",
suffix=".bin")
# 3a. Sign the payload hash.
- cmd = ["openssl", "pkeyutl", "-sign",
- "-inkey", rsa_key,
- "-pkeyopt", "digest:sha256",
- "-in", payload_sig_file,
- "-out", signed_payload_sig_file]
+ if OPTIONS.payload_signer is not None:
+ cmd = [OPTIONS.payload_signer]
+ cmd.extend(OPTIONS.payload_signer_args)
+ else:
+ cmd = ["openssl", "pkeyutl", "-sign",
+ "-inkey", rsa_key,
+ "-pkeyopt", "digest:sha256"]
+ cmd.extend(["-in", payload_sig_file,
+ "-out", signed_payload_sig_file])
+
p1 = common.Run(cmd, stdout=subprocess.PIPE)
p1.wait()
assert p1.returncode == 0, "openssl sign payload failed"
# 3b. Sign the metadata hash.
- cmd = ["openssl", "pkeyutl", "-sign",
- "-inkey", rsa_key,
- "-pkeyopt", "digest:sha256",
- "-in", metadata_sig_file,
- "-out", signed_metadata_sig_file]
+ if OPTIONS.payload_signer is not None:
+ cmd = [OPTIONS.payload_signer]
+ cmd.extend(OPTIONS.payload_signer_args)
+ else:
+ cmd = ["openssl", "pkeyutl", "-sign",
+ "-inkey", rsa_key,
+ "-pkeyopt", "digest:sha256"]
+ cmd.extend(["-in", metadata_sig_file,
+ "-out", signed_metadata_sig_file])
p1 = common.Run(cmd, stdout=subprocess.PIPE)
p1.wait()
assert p1.returncode == 0, "openssl sign metadata failed"
@@ -1276,12 +1303,30 @@
p1.wait()
assert p1.returncode == 0, "brillo_update_payload properties failed"
+ if OPTIONS.wipe_user_data:
+ with open(properties_file, "a") as f:
+ f.write("POWERWASH=1\n")
+ metadata["ota-wipe"] = "yes"
+
# Add the signed payload file and properties into the zip.
common.ZipWrite(output_zip, properties_file, arcname="payload_properties.txt")
common.ZipWrite(output_zip, signed_payload_file, arcname="payload.bin",
compress_type=zipfile.ZIP_STORED)
WriteMetadata(metadata, output_zip)
+ # If dm-verity is supported for the device, copy contents of care_map
+ # into A/B OTA package.
+ if OPTIONS.info_dict.get("verity") == "true":
+ target_zip = zipfile.ZipFile(target_file, "r")
+ care_map_path = "META/care_map.txt"
+ namelist = target_zip.namelist()
+ if care_map_path in namelist:
+ care_map_data = target_zip.read(care_map_path)
+ common.ZipWriteStr(output_zip, "care_map.txt", care_map_data)
+ else:
+ print "Warning: cannot find care map file in target_file package"
+ common.ZipClose(target_zip)
+
# Sign the whole package to comply with the Android OTA package format.
common.ZipClose(output_zip)
SignOutput(temp_zip_file.name, output_file)
@@ -1900,6 +1945,10 @@
OPTIONS.gen_verify = True
elif o == "--log_diff":
OPTIONS.log_diff = a
+ elif o == "--payload_signer":
+ OPTIONS.payload_signer = a
+ elif o == "--payload_signer_args":
+ OPTIONS.payload_signer_args = shlex.split(a)
else:
return False
return True
@@ -1929,6 +1978,8 @@
"stash_threshold=",
"gen_verify",
"log_diff=",
+ "payload_signer=",
+ "payload_signer_args=",
], extra_option_handler=option_handler)
if len(args) != 2:
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 457ff5c..1677a44 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -51,10 +51,12 @@
in which they appear on the command line.
-o (--replace_ota_keys)
- Replace the certificate (public key) used by OTA package
- verification with the one specified in the input target_files
- zip (in the META/otakeys.txt file). Key remapping (-k and -d)
- is performed on this key.
+ Replace the certificate (public key) used by OTA package verification
+ with the ones specified in the input target_files zip (in the
+ META/otakeys.txt file). Key remapping (-k and -d) is performed on the
+ keys. For A/B devices, the payload verification key will be replaced
+ as well. If there're multiple OTA keys, only the first one will be used
+ for payload verification.
-t (--tag_changes) <+tag>,<-tag>,...
Comma-separated list of changes to make to the set of tags (in
@@ -63,6 +65,19 @@
removed. Changes are processed in the order they appear.
Default value is "-test-keys,-dev-keys,+release-keys".
+ --replace_verity_private_key <key>
+ Replace the private key used for verity signing. It expects a filename
+ WITHOUT the extension (e.g. verity_key).
+
+ --replace_verity_public_key <key>
+ Replace the certificate (public key) used for verity verification. The
+ key file replaces the one at BOOT/RAMDISK/verity_key (or ROOT/verity_key
+ for devices using system_root_image). It expects the key filename WITH
+ the extension (e.g. verity_key.pub).
+
+ --replace_verity_keyid <path_to_X509_PEM_cert_file>
+ Replace the veritykeyid in BOOT/cmdline of input_target_file_zip
+ with keyid of the cert pointed by <path_to_X509_PEM_cert_file>.
"""
import sys
@@ -92,6 +107,7 @@
OPTIONS.replace_ota_keys = False
OPTIONS.replace_verity_public_key = False
OPTIONS.replace_verity_private_key = False
+OPTIONS.replace_verity_keyid = False
OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys")
def GetApkCerts(tf_zip):
@@ -171,7 +187,9 @@
for i in input_tf_zip.infolist()
if i.filename.endswith('.apk')])
rebuild_recovery = False
+ system_root_image = misc_info.get("system_root_image") == "true"
+ # tmpdir will only be used to regenerate the recovery-from-boot patch.
tmpdir = tempfile.mkdtemp()
def write_to_temp(fn, attr, data):
fn = os.path.join(tmpdir, fn)
@@ -196,25 +214,6 @@
data = input_tf_zip.read(info.filename)
out_info = copy.copy(info)
- # Replace keys if requested.
- if (info.filename == "META/misc_info.txt" and
- OPTIONS.replace_verity_private_key):
- ReplaceVerityPrivateKey(input_tf_zip, output_tf_zip, misc_info,
- OPTIONS.replace_verity_private_key[1])
- elif (info.filename in ("BOOT/RAMDISK/verity_key",
- "BOOT/verity_key") and
- OPTIONS.replace_verity_public_key):
- new_data = ReplaceVerityPublicKey(output_tf_zip, info.filename,
- OPTIONS.replace_verity_public_key[1])
- write_to_temp(info.filename, info.external_attr, new_data)
- # Copy BOOT/, RECOVERY/, META/, ROOT/ to rebuild recovery patch.
- elif (info.filename.startswith("BOOT/") or
- info.filename.startswith("RECOVERY/") or
- info.filename.startswith("META/") or
- info.filename.startswith("ROOT/") or
- info.filename == "SYSTEM/etc/recovery-resource.dat"):
- write_to_temp(info.filename, info.external_attr, data)
-
# Sign APKs.
if info.filename.endswith(".apk"):
name = os.path.basename(info.filename)
@@ -228,44 +227,113 @@
# an APK we're not supposed to sign.
print "NOT signing: %s" % (name,)
common.ZipWriteStr(output_tf_zip, out_info, data)
+
+ # System properties.
elif info.filename in ("SYSTEM/build.prop",
"VENDOR/build.prop",
"BOOT/RAMDISK/default.prop",
+ "ROOT/default.prop",
"RECOVERY/RAMDISK/default.prop"):
print "rewriting %s:" % (info.filename,)
new_data = RewriteProps(data, misc_info)
common.ZipWriteStr(output_tf_zip, out_info, new_data)
if info.filename in ("BOOT/RAMDISK/default.prop",
+ "ROOT/default.prop",
"RECOVERY/RAMDISK/default.prop"):
write_to_temp(info.filename, info.external_attr, new_data)
+
elif info.filename.endswith("mac_permissions.xml"):
print "rewriting %s with new keys." % (info.filename,)
new_data = ReplaceCerts(data)
common.ZipWriteStr(output_tf_zip, out_info, new_data)
+
+ # Trigger a rebuild of the recovery patch if needed.
elif info.filename in ("SYSTEM/recovery-from-boot.p",
"SYSTEM/etc/recovery.img",
"SYSTEM/bin/install-recovery.sh"):
rebuild_recovery = True
+
+ # Don't copy OTA keys if we're replacing them.
elif (OPTIONS.replace_ota_keys and
- info.filename in ("RECOVERY/RAMDISK/res/keys",
- "SYSTEM/etc/security/otacerts.zip")):
- # don't copy these files if we're regenerating them below
+ info.filename in (
+ "BOOT/RAMDISK/res/keys",
+ "BOOT/RAMDISK/etc/update_engine/update-payload-key.pub.pem",
+ "RECOVERY/RAMDISK/res/keys",
+ "SYSTEM/etc/security/otacerts.zip",
+ "SYSTEM/etc/update_engine/update-payload-key.pub.pem")):
pass
+
+ # Skip META/misc_info.txt if we will replace the verity private key later.
elif (OPTIONS.replace_verity_private_key and
info.filename == "META/misc_info.txt"):
pass
+
+ # Skip verity public key if we will replace it.
elif (OPTIONS.replace_verity_public_key and
info.filename in ("BOOT/RAMDISK/verity_key",
- "BOOT/verity_key")):
+ "ROOT/verity_key")):
pass
+
+ # Skip verity keyid (for system_root_image use) if we will replace it.
+ elif (OPTIONS.replace_verity_keyid and
+ info.filename == "BOOT/cmdline"):
+ pass
+
+ # Skip the care_map as we will regenerate the system/vendor images.
+ elif (info.filename == "META/care_map.txt"):
+ pass
+
+ # Copy BOOT/, RECOVERY/, META/, ROOT/ to rebuild recovery patch. This case
+ # must come AFTER other matching rules.
+ elif (info.filename.startswith("BOOT/") or
+ info.filename.startswith("RECOVERY/") or
+ info.filename.startswith("META/") or
+ info.filename.startswith("ROOT/") or
+ info.filename == "SYSTEM/etc/recovery-resource.dat"):
+ write_to_temp(info.filename, info.external_attr, data)
+ common.ZipWriteStr(output_tf_zip, out_info, data)
+
+ # A non-APK file; copy it verbatim.
else:
- # a non-APK file; copy it verbatim
common.ZipWriteStr(output_tf_zip, out_info, data)
if OPTIONS.replace_ota_keys:
new_recovery_keys = ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info)
if new_recovery_keys:
- write_to_temp("RECOVERY/RAMDISK/res/keys", 0o755 << 16, new_recovery_keys)
+ if system_root_image:
+ recovery_keys_location = "BOOT/RAMDISK/res/keys"
+ else:
+ recovery_keys_location = "RECOVERY/RAMDISK/res/keys"
+ # The "new_recovery_keys" has been already written into the output_tf_zip
+ # while calling ReplaceOtaKeys(). We're just putting the same copy to
+ # tmpdir in case we need to regenerate the recovery-from-boot patch.
+ write_to_temp(recovery_keys_location, 0o755 << 16, new_recovery_keys)
+
+ # Replace the keyid string in META/misc_info.txt.
+ if OPTIONS.replace_verity_private_key:
+ ReplaceVerityPrivateKey(input_tf_zip, output_tf_zip, misc_info,
+ OPTIONS.replace_verity_private_key[1])
+
+ if OPTIONS.replace_verity_public_key:
+ if system_root_image:
+ dest = "ROOT/verity_key"
+ else:
+ dest = "BOOT/RAMDISK/verity_key"
+ # We are replacing the one in boot image only, since the one under
+ # recovery won't ever be needed.
+ new_data = ReplaceVerityPublicKey(
+ output_tf_zip, dest, OPTIONS.replace_verity_public_key[1])
+ write_to_temp(dest, 0o755 << 16, new_data)
+
+ # Replace the keyid string in BOOT/cmdline.
+ if OPTIONS.replace_verity_keyid:
+ new_cmdline = ReplaceVerityKeyId(input_tf_zip, output_tf_zip,
+ OPTIONS.replace_verity_keyid[1])
+ # Writing the new cmdline to tmpdir is redundant as the bootimage
+ # gets build in the add_image_to_target_files and rebuild_recovery
+ # is not exercised while building the boot image for the A/B
+ # path
+ write_to_temp("BOOT/cmdline", 0o755 << 16, new_cmdline)
if rebuild_recovery:
recovery_img = common.GetBootableImage(
@@ -398,7 +466,8 @@
"build/target/product/security/testkey")
mapped_keys.append(
OPTIONS.key_map.get(devkey, devkey) + ".x509.pem")
- print "META/otakeys.txt has no keys; using", mapped_keys[0]
+ print("META/otakeys.txt has no keys; using %s for OTA package"
+ " verification." % (mapped_keys[0],))
# recovery uses a version of the key that has been slightly
# predigested (by DumpPublicKey.java) and put in res/keys.
@@ -411,8 +480,13 @@
new_recovery_keys, _ = p.communicate()
if p.returncode != 0:
raise common.ExternalError("failed to run dumpkeys")
- common.ZipWriteStr(output_tf_zip, "RECOVERY/RAMDISK/res/keys",
- new_recovery_keys)
+
+ # system_root_image puts the recovery keys at BOOT/RAMDISK.
+ if misc_info.get("system_root_image") == "true":
+ recovery_keys_location = "BOOT/RAMDISK/res/keys"
+ else:
+ recovery_keys_location = "RECOVERY/RAMDISK/res/keys"
+ common.ZipWriteStr(output_tf_zip, recovery_keys_location, new_recovery_keys)
# SystemUpdateActivity uses the x509.pem version of the keys, but
# put into a zipfile system/etc/security/otacerts.zip.
@@ -426,8 +500,31 @@
common.ZipWriteStr(output_tf_zip, "SYSTEM/etc/security/otacerts.zip",
temp_file.getvalue())
+ # For A/B devices, update the payload verification key.
+ if misc_info.get("ab_update") == "true":
+ # Unlike otacerts.zip that may contain multiple keys, we can only specify
+ # ONE payload verification key.
+ if len(mapped_keys) > 1:
+ print("\n WARNING: Found more than one OTA keys; Using the first one"
+ " as payload verification key.\n\n")
+
+ print "Using %s for payload verification." % (mapped_keys[0],)
+ cmd = common.Run(
+ ["openssl", "x509", "-pubkey", "-noout", "-in", mapped_keys[0]],
+ stdout=subprocess.PIPE)
+ pubkey, _ = cmd.communicate()
+ common.ZipWriteStr(
+ output_tf_zip,
+ "SYSTEM/etc/update_engine/update-payload-key.pub.pem",
+ pubkey)
+ common.ZipWriteStr(
+ output_tf_zip,
+ "BOOT/RAMDISK/etc/update_engine/update-payload-key.pub.pem",
+ pubkey)
+
return new_recovery_keys
+
def ReplaceVerityPublicKey(targetfile_zip, filename, key_path):
print "Replacing verity public key with %s" % key_path
with open(key_path) as f:
@@ -435,6 +532,7 @@
common.ZipWriteStr(targetfile_zip, filename, data)
return data
+
def ReplaceVerityPrivateKey(targetfile_input_zip, targetfile_output_zip,
misc_info, key_path):
print "Replacing verity private key with %s" % key_path
@@ -444,6 +542,32 @@
common.ZipWriteStr(targetfile_output_zip, "META/misc_info.txt", new_misc_info)
misc_info["verity_key"] = key_path
+
+def ReplaceVerityKeyId(targetfile_input_zip, targetfile_output_zip, keypath):
+ in_cmdline = targetfile_input_zip.read("BOOT/cmdline")
+ # copy in_cmdline to output_zip if veritykeyid is not present in in_cmdline
+ if "veritykeyid" not in in_cmdline:
+ common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", in_cmdline)
+ return in_cmdline
+ out_cmdline = []
+ for param in in_cmdline.split():
+ if "veritykeyid" in param:
+ # extract keyid using openssl command
+ p = common.Run(["openssl", "x509", "-in", keypath, "-text"], stdout=subprocess.PIPE)
+ keyid, stderr = p.communicate()
+ keyid = re.search(r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower()
+ print "Replacing verity keyid with %s error=%s" % (keyid, stderr)
+ out_cmdline.append("veritykeyid=id:%s" % (keyid,))
+ else:
+ out_cmdline.append(param)
+
+ out_cmdline = ' '.join(out_cmdline)
+ out_cmdline = out_cmdline.strip()
+ print "out_cmdline %s" % (out_cmdline)
+ common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", out_cmdline)
+ return out_cmdline
+
+
def BuildKeyMap(misc_info, key_mapping_options):
for s, d in key_mapping_options:
if s is None: # -d option
@@ -541,6 +665,8 @@
OPTIONS.replace_verity_public_key = (True, a)
elif o == "--replace_verity_private_key":
OPTIONS.replace_verity_private_key = (True, a)
+ elif o == "--replace_verity_keyid":
+ OPTIONS.replace_verity_keyid = (True, a)
else:
return False
return True
@@ -553,7 +679,8 @@
"replace_ota_keys",
"tag_changes=",
"replace_verity_public_key=",
- "replace_verity_private_key="],
+ "replace_verity_private_key=",
+ "replace_verity_keyid="],
extra_option_handler=option_handler)
if len(args) != 2: