authorJeongik Cha2018-12-16 23:45:15 -0600
committerJeongik Cha2019-01-09 20:37:22 -0600
commitb2c4bb7e3ddcaa27242c1e4e78f69d7e39524cf9 (patch)
tree3806c64f1fb8168e38b893ce19bf665f88e1cd33
parent8d95a14476b5b1cb5a2af655ac5da4606c3b5c07 (diff)
Dump and enforce certificate for apks
Dump the list of APKs that are not located on the system partition but are signed with the system certificate. When the enforcement option is enabled, the build fails if any APK satisfies that condition. Bug: 74699609 Test: m -j Test: m out/target/product/$(get_build_var TARGET_DEVICE)/certificate_violation_modules.txt Change-Id: I23c41f2665dd97abac3e77d1c82d81ff91b894eb
-rw-r--r--core/app_certificate_validate.mk12
-rw-r--r--core/definitions.mk3
-rw-r--r--core/main.mk7
-rw-r--r--core/package_internal.mk1
-rw-r--r--core/prebuilt_internal.mk2
-rw-r--r--core/product.mk2
-rw-r--r--core/product_config.mk5
-rw-r--r--core/soong_app_prebuilt.mk2
-rw-r--r--core/soong_config.mk3
9 files changed, 36 insertions, 1 deletions
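--- /dev/null
+++ b/core/app_certificate_validate.mk
@@ -0,0 +1,12 @@
+
+ifeq (true,$(filter true, \
+ $(LOCAL_PRODUCT_MODULE) $(LOCAL_PRODUCT_SERVICES_MODULE) \
+ $(LOCAL_VENDOR_MODULE) $(LOCAL_PROPRIETARY_MODULE)))
+ ifneq (,$(filter $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%,$(LOCAL_CERTIFICATE)))
+ CERTIFICATE_VIOLATION_MODULES += $(LOCAL_MODULE)
+ ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT))
+ $(if $(filter $(LOCAL_MODULE),$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST)),,\
+ $(call pretty-error,The module in product partition cannot be signed with certificate in system.))
+ endif
+ endif
+endif
\ No newline at end of file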
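Review bot: The `pretty-error` text says "product partition", but the outer `ifeq` also matches LOCAL_PRODUCT_SERVICES_MODULE, LOCAL_VENDOR_MODULE and LOCAL_PROPRIETARY_MODULE, so the message misdirects whoever hits it on a vendor or product_services module. A wording that names the real condition and the way out would help, e.g. `$(call pretty-error,Module is installed outside the system partition but LOCAL_CERTIFICATE is in $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE)); change the certificate or add the module to PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST.)`. The new file also has no header comment; it should say that the `ifneq` matches by certificate directory prefix rather than by key identity, so the same key referenced from another path is not reported.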
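--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -77,6 +77,9 @@ ALL_FINDBUGS_FILES:=
 # GPL module license files
 ALL_GPL_MODULE_LICENSE_FILES:=
 
+# Packages with certificate violation
+CERTIFICATE_VIOLATION_MODULES :=
+
 # Target and host installed module's dependencies on shared libraries.
 # They are list of "<module_name>:<installed_file>:lib1,lib2...".
 TARGET_DEPENDENCIES_ON_SHARED_LIBRARIES :=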
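--- a/core/main.mk
+++ b/core/main.mk
@@ -1096,6 +1096,13 @@ ifdef FULL_BUILD
  $(TARGET_OUT_SYSTEM_OTHER)/%.vdex \
  $(TARGET_OUT_SYSTEM_OTHER)/%.art
  endif
+
+CERTIFICATE_VIOLATION_MODULES_FILENAME := $(PRODUCT_OUT)/certificate_violation_modules.txt
+$(CERTIFICATE_VIOLATION_MODULES_FILENAME):
+ rm -f $@
+ $(foreach m,$(sort $(CERTIFICATE_VIOLATION_MODULES)), echo $(m) >> $@;)
+$(call dist-for-goals,droidcore,$(CERTIFICATE_VIOLATION_MODULES_FILENAME))
+
  all_offending_files :=
  $(foreach makefile,$(ARTIFACT_PATH_REQUIREMENT_PRODUCTS),\
  $(eval requirements := $(PRODUCTS.$(makefile).ARTIFACT_PATH_REQUIREMENTS)) \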
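Review bot: When CERTIFICATE_VIOLATION_MODULES is empty, the `$(foreach …)` line of the new recipe expands to nothing, so the recipe only runs `rm -f $@` and never creates the file that the following `dist-for-goals` call hands to droidcore. A build with no violations, which is the state the enforcement option aims for, would then probably have no report to dist. Creating the file unconditionally avoids that: change the first recipe line to `rm -f $@ && touch $@`. The rule also has no prerequisites, so whether the report is refreshed when the module list changes depends on the build backend re-running it on a changed command line, which is worth confirming.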
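--- a/core/package_internal.mk
+++ b/core/package_internal.mk
@@ -535,6 +535,7 @@ endif
 ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./)
  LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE)
 endif
+include $(BUILD_SYSTEM)/app_certificate_validate.mk
 private_key := $(LOCAL_CERTIFICATE).pk8
 certificate := $(LOCAL_CERTIFICATE).x509.pem
 additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8)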
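Review bot: The included check looks only at LOCAL_CERTIFICATE, while the `additional_certificates` line just below also collects key pairs from LOCAL_ADDITIONAL_CERTIFICATES, so a non-system module that lists a system certificate there appears to be neither dumped nor rejected. In app_certificate_validate.mk the filter could take both lists: `ifneq (,$(filter $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%,$(LOCAL_CERTIFICATE) $(LOCAL_ADDITIONAL_CERTIFICATES)))`. Whether additional certificates are always given as full paths at this point is not visible in the hunk, so that should be confirmed before relying on the prefix match.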
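--- a/core/prebuilt_internal.mk
+++ b/core/prebuilt_internal.mk
@@ -306,6 +306,8 @@ else
  $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
 endif
 
+include $(BUILD_SYSTEM)/app_certificate_validate.mk
+
 # Disable dex-preopt of prebuilts to save space, if requested.
 ifndef LOCAL_DEX_PREOPT
 ifeq ($(DONT_DEXPREOPT_PREBUILTS),true)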
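--- a/core/product.mk
+++ b/core/product.mk
@@ -204,6 +204,8 @@ _product_var_list := \
  PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE \
  PRODUCT_ACTIONABLE_COMPATIBLE_PROPERTY_DISABLE \
  PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS \
+ PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT \
+ PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST \
  PRODUCT_ARTIFACT_PATH_REQUIREMENT_HINT \
  PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST \
  PRODUCT_USE_DYNAMIC_PARTITION_SIZE \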
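--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -367,6 +367,11 @@ PRODUCT_PRODUCT_PROPERTIES := \
  $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_PRODUCT_PROPERTIES))
 .KATI_READONLY := PRODUCT_PRODUCT_PROPERTIES
 
+ENFORCE_SYSTEM_CERTIFICATE := \
+ $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT)
+
+ENFORCE_SYSTEM_CERTIFICATE_WHITELIST := \
+ $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST))
 
 # A list of property assignments, like "key = value", with zero or more
 # whitespace characters on either side of the '='.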
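Review bot: ENFORCE_SYSTEM_CERTIFICATE is assigned without `$(strip …)`, unlike the whitelist right below it, and neither new variable is frozen with `.KATI_READONLY` the way PRODUCT_PRODUCT_PROPERTIES is just above. A flag value that is not exactly `true` (stray whitespace, for instance) may leave enforcement off without any message, and a makefile parsed later could still append to the whitelist. Suggested: `ENFORCE_SYSTEM_CERTIFICATE := $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT))`, then `.KATI_READONLY := ENFORCE_SYSTEM_CERTIFICATE ENFORCE_SYSTEM_CERTIFICATE_WHITELIST` after both assignments. app_certificate_validate.mk in this commit reads the PRODUCTS.* values directly instead of these variables; using one source for both the make check and the Soong config would keep them from drifting.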
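--- a/core/soong_app_prebuilt.mk
+++ b/core/soong_app_prebuilt.mk
@@ -108,7 +108,7 @@ ifdef LOCAL_CERTIFICATE
  PACKAGES.$(LOCAL_MODULE).CERTIFICATE := $(LOCAL_CERTIFICATE)
  PACKAGES.$(LOCAL_MODULE).PRIVATE_KEY := $(patsubst %.x509.pem,%.pk8,$(LOCAL_CERTIFICATE))
 endif
-
+include $(BUILD_SYSTEM)/app_certificate_validate.mk
 PACKAGES.$(LOCAL_MODULE).OVERRIDES := $(strip $(LOCAL_OVERRIDES_PACKAGES))
 
 ifdef LOCAL_SOONG_BUNDLE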
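--- a/core/soong_config.mk
+++ b/core/soong_config.mk
@@ -146,6 +146,9 @@ $(call add_json_str, DexpreoptGlobalConfig, $(DEX_PREOPT_CONFIG))
 
 $(call add_json_list, ManifestPackageNameOverrides, $(PRODUCT_MANIFEST_PACKAGE_NAME_OVERRIDES))
 
+$(call add_json_bool, EnforceSystemCertificate, $(ENFORCE_SYSTEM_CERTIFICATE))
+$(call add_json_list, EnforceSystemCertificateWhitelist, $(ENFORCE_SYSTEM_CERTIFICATE_WHITELIST))
+
 $(call add_json_map, VendorVars)
 $(foreach namespace,$(SOONG_CONFIG_NAMESPACES),\
  $(call add_json_map, $(namespace))\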