authorJeongik Cha2019-01-10 22:31:02 -0600
committerGerrit Code Review2019-01-10 22:31:02 -0600
commitbdf0ec03b67f044fa9f9d1a5ab488b0fe96445b5 (patch)
treef289ca6f030aa8030914af257859e16b2c3adcc0
parent73e13b5030377403b4e9233a30e518dd93c57ca6 (diff)
parentb2c4bb7e3ddcaa27242c1e4e78f69d7e39524cf9 (diff)
Merge "Dump and enforce certificate for apks"
-rw-r--r--core/app_certificate_validate.mk12
-rw-r--r--core/definitions.mk3
-rw-r--r--core/main.mk7
-rw-r--r--core/package_internal.mk1
-rw-r--r--core/prebuilt_internal.mk2
-rw-r--r--core/product.mk2
-rw-r--r--core/product_config.mk5
-rw-r--r--core/soong_app_prebuilt.mk2
-rw-r--r--core/soong_config.mk3
9 files changed, 36 insertions, 1 deletions
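diff --git a/core/app_certificate_validate.mk b/core/app_certificate_validate.mk
new file mode 100644
index 000000000..15ddd9450
--- /dev/null
+++ b/core/app_certificate_validate.mk
@@ -0,0 +1,12 @@
+
+ifeq (true,$(filter true, \
+ $(LOCAL_PRODUCT_MODULE) $(LOCAL_PRODUCT_SERVICES_MODULE) \
+ $(LOCAL_VENDOR_MODULE) $(LOCAL_PROPRIETARY_MODULE)))
+ ifneq (,$(filter $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%,$(LOCAL_CERTIFICATE)))
+ CERTIFICATE_VIOLATION_MODULES += $(LOCAL_MODULE)
+ ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT))
+ $(if $(filter $(LOCAL_MODULE),$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST)),,\
+ $(call pretty-error,The module in product partition cannot be signed with certificate in system.))
+ endif
+ endif
+endif
\ No newline at end of file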
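Review bot: The filter on new line 5 inspects only `$(LOCAL_CERTIFICATE)`; the `LOCAL_ADDITIONAL_CERTIFICATES` list that package_internal.mk also turns into signing inputs is never compared against the system certificate directory, so a product or vendor module carrying a system key as an additional certificate would presumably go unreported. Consider checking both lists, `$(filter $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%,$(LOCAL_CERTIFICATE) $(LOCAL_ADDITIONAL_CERTIFICATES))`. The pretty-error text on line 9 says "product partition" although the outer condition also covers vendor and proprietary modules, and it does not name the certificate that triggered it. The new file has no header comment stating what it expects from its includer (a fully resolved `LOCAL_CERTIFICATE`) and it lacks a trailing newline.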
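diff --git a/core/definitions.mk b/core/definitions.mk
index a9807f110..d5c7b9113 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -77,6 +77,9 @@ ALL_FINDBUGS_FILES:=
 # GPL module license files
 ALL_GPL_MODULE_LICENSE_FILES:=
 
+# Packages with certificate violation
+CERTIFICATE_VIOLATION_MODULES :=
+
 # Target and host installed module's dependencies on shared libraries.
 # They are list of "<module_name>:<installed_file>:lib1,lib2...".
 TARGET_DEPENDENCIES_ON_SHARED_LIBRARIES :=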
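diff --git a/core/main.mk b/core/main.mk
index 4f81c2163..282821cdb 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -1096,6 +1096,13 @@ ifdef FULL_BUILD
  $(TARGET_OUT_SYSTEM_OTHER)/%.vdex \
  $(TARGET_OUT_SYSTEM_OTHER)/%.art
  endif
+
+CERTIFICATE_VIOLATION_MODULES_FILENAME := $(PRODUCT_OUT)/certificate_violation_modules.txt
+$(CERTIFICATE_VIOLATION_MODULES_FILENAME):
+ rm -f $@
+ $(foreach m,$(sort $(CERTIFICATE_VIOLATION_MODULES)), echo $(m) >> $@;)
+$(call dist-for-goals,droidcore,$(CERTIFICATE_VIOLATION_MODULES_FILENAME))
+
  all_offending_files :=
  $(foreach makefile,$(ARTIFACT_PATH_REQUIREMENT_PRODUCTS),\
  $(eval requirements := $(PRODUCTS.$(makefile).ARTIFACT_PATH_REQUIREMENTS)) \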
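Review bot: The recipe on new lines 1102-1103 leaves no file behind when `CERTIFICATE_VIOLATION_MODULES` is empty: `rm -f $@` removes it and the `$(foreach ...)` then expands to nothing, so the `dist-for-goals` copy declared on line 1104 would presumably fail on a build that has no violations. Creating the file unconditionally, for example `: > $@` in place of `rm -f $@`, keeps an empty report in that case. The rule also has no prerequisites, so whether the report is refreshed when the module list changes depends on the build tool noticing the changed command line; a one-line comment stating that would help. The surrounding conditional block starts outside the hunk.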
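diff --git a/core/package_internal.mk b/core/package_internal.mk
index 75cc547be..c657f2edb 100644
--- a/core/package_internal.mk
+++ b/core/package_internal.mk
@@ -535,6 +535,7 @@ endif
 ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./)
  LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE)
 endif
+include $(BUILD_SYSTEM)/app_certificate_validate.mk
 private_key := $(LOCAL_CERTIFICATE).pk8
 certificate := $(LOCAL_CERTIFICATE).x509.pem
 additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8)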
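diff --git a/core/prebuilt_internal.mk b/core/prebuilt_internal.mk
index 66913c1ac..960d8d1c5 100644
--- a/core/prebuilt_internal.mk
+++ b/core/prebuilt_internal.mk
@@ -306,6 +306,8 @@ else
  $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
 endif
 
+include $(BUILD_SYSTEM)/app_certificate_validate.mk
+
 # Disable dex-preopt of prebuilts to save space, if requested.
 ifndef LOCAL_DEX_PREOPT
 ifeq ($(DONT_DEXPREOPT_PREBUILTS),true)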
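Review bot: The include on new line 309 follows a certificate block whose start is outside the hunk, so it is not visible here whether `LOCAL_CERTIFICATE` has already been expanded to a full path at this point. package_internal.mk prefixes a bare certificate name with `$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))` before it includes the validator; if a prebuilt can reach this line with a bare name, the `$(dir ...)%` filter in app_certificate_validate.mk would not match and the module would be neither listed nor rejected. Please confirm the same normalisation runs earlier in this file, and document the precondition above the include, for example `# LOCAL_CERTIFICATE must already be a full path here.`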
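diff --git a/core/product.mk b/core/product.mk
index 1420b46e1..2d7ace2fa 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -204,6 +204,8 @@ _product_var_list := \
  PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE \
  PRODUCT_ACTIONABLE_COMPATIBLE_PROPERTY_DISABLE \
  PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS \
+ PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT \
+ PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST \
  PRODUCT_ARTIFACT_PATH_REQUIREMENT_HINT \
  PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST \
  PRODUCT_USE_DYNAMIC_PARTITION_SIZE \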
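diff --git a/core/product_config.mk b/core/product_config.mk
index 47b4c7aa0..c58405cb2 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -367,6 +367,11 @@ PRODUCT_PRODUCT_PROPERTIES := \
  $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_PRODUCT_PROPERTIES))
 .KATI_READONLY := PRODUCT_PRODUCT_PROPERTIES
 
+ENFORCE_SYSTEM_CERTIFICATE := \
+ $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT)
+
+ENFORCE_SYSTEM_CERTIFICATE_WHITELIST := \
+ $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST))
 
 # A list of property assignments, like "key = value", with zero or more
 # whitespace characters on either side of the '='.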
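Review bot: `ENFORCE_SYSTEM_CERTIFICATE` and `ENFORCE_SYSTEM_CERTIFICATE_WHITELIST` on new lines 370-374 are not marked read-only, unlike `PRODUCT_PRODUCT_PROPERTIES` just above, which is followed by `.KATI_READONLY := PRODUCT_PRODUCT_PROPERTIES`. These two values gate a signing-policy check, so a later makefile reassigning them would silently change enforcement; consider adding `.KATI_READONLY := ENFORCE_SYSTEM_CERTIFICATE ENFORCE_SYSTEM_CERTIFICATE_WHITELIST`. The first assignment is also not wrapped in `$(strip ...)` while the second is. app_certificate_validate.mk reads the per-product `PRODUCTS.$(INTERNAL_PRODUCT)` values directly rather than these variables, which leaves two sources for the same setting.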
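diff --git a/core/soong_app_prebuilt.mk b/core/soong_app_prebuilt.mk
index 73d934bf9..f7236335b 100644
--- a/core/soong_app_prebuilt.mk
+++ b/core/soong_app_prebuilt.mk
@@ -108,7 +108,7 @@ ifdef LOCAL_CERTIFICATE
  PACKAGES.$(LOCAL_MODULE).CERTIFICATE := $(LOCAL_CERTIFICATE)
  PACKAGES.$(LOCAL_MODULE).PRIVATE_KEY := $(patsubst %.x509.pem,%.pk8,$(LOCAL_CERTIFICATE))
 endif
-
+include $(BUILD_SYSTEM)/app_certificate_validate.mk
 PACKAGES.$(LOCAL_MODULE).OVERRIDES := $(strip $(LOCAL_OVERRIDES_PACKAGES))
 
 ifdef LOCAL_SOONG_BUNDLE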
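diff --git a/core/soong_config.mk b/core/soong_config.mk
index 31c77d4b8..58e1a03ae 100644
--- a/core/soong_config.mk
+++ b/core/soong_config.mk
@@ -146,6 +146,9 @@ $(call add_json_str, DexpreoptGlobalConfig, $(DEX_PREOPT_CONFIG))
 
 $(call add_json_list, ManifestPackageNameOverrides, $(PRODUCT_MANIFEST_PACKAGE_NAME_OVERRIDES))
 
+$(call add_json_bool, EnforceSystemCertificate, $(ENFORCE_SYSTEM_CERTIFICATE))
+$(call add_json_list, EnforceSystemCertificateWhitelist, $(ENFORCE_SYSTEM_CERTIFICATE_WHITELIST))
+
 $(call add_json_map, VendorVars)
 $(foreach namespace,$(SOONG_CONFIG_NAMESPACES),\
  $(call add_json_map, $(namespace))\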