diff --git a/core/app_certificate_validate.mk b/core/app_certificate_validate.mk new file mode 100644 index 000000000..15ddd9450 --- /dev/null +++ b/core/app_certificate_validate.mk @@ -0,0 +1,12 @@ + +ifeq (true,$(filter true, \ + $(LOCAL_PRODUCT_MODULE) $(LOCAL_PRODUCT_SERVICES_MODULE) \ + $(LOCAL_VENDOR_MODULE) $(LOCAL_PROPRIETARY_MODULE))) + ifneq (,$(filter $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%,$(LOCAL_CERTIFICATE))) + CERTIFICATE_VIOLATION_MODULES += $(LOCAL_MODULE) + ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT)) + $(if $(filter $(LOCAL_MODULE),$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST)),,\ + $(call pretty-error,The module in product partition cannot be signed with certificate in system.)) + endif + endif +endif \ No newline at end of file diff --git a/core/definitions.mk b/core/definitions.mk index a67508018..2ffc0176d 100644 --- a/core/definitions.mk +++ b/core/definitions.mk @@ -77,6 +77,9 @@ ALL_FINDBUGS_FILES:= # GPL module license files ALL_GPL_MODULE_LICENSE_FILES:= +# Packages with certificate violation +CERTIFICATE_VIOLATION_MODULES := + # Target and host installed module's dependencies on shared libraries. # They are list of "::lib1,lib2...". TARGET_DEPENDENCIES_ON_SHARED_LIBRARIES := diff --git a/core/main.mk b/core/main.mk index 9fd1c35c5..660290a1b 100644 --- a/core/main.mk +++ b/core/main.mk 
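Review bot: In core/app_certificate_validate.mk the enforcement test `ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT))` compares the raw product variable exactly. Any value that is not the single word `true` (extra whitespace, or a repeated word if inherited products can each contribute a value) leaves the module recorded but never rejected. The first line of the file already uses the tolerant form, so `ifeq (true,$(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT)))` would be consistent with it and fail closed. The `pretty-error` text says "product partition" although the outer condition also matches vendor and product_services modules, and it names neither the certificate nor the whitelist variable. A message such as `$(LOCAL_MODULE) is outside the system partition and must not be signed with $(LOCAL_CERTIFICATE)` would let the module owner act on it.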
@@ -1096,6 +1096,13 @@ ifdef FULL_BUILD $(TARGET_OUT_SYSTEM_OTHER)/%.vdex \ $(TARGET_OUT_SYSTEM_OTHER)/%.art endif + +CERTIFICATE_VIOLATION_MODULES_FILENAME := $(PRODUCT_OUT)/certificate_violation_modules.txt +$(CERTIFICATE_VIOLATION_MODULES_FILENAME): + rm -f $@ + $(foreach m,$(sort $(CERTIFICATE_VIOLATION_MODULES)), echo $(m) >> $@;) +$(call dist-for-goals,droidcore,$(CERTIFICATE_VIOLATION_MODULES_FILENAME)) + all_offending_files := $(foreach makefile,$(ARTIFACT_PATH_REQUIREMENT_PRODUCTS),\ $(eval requirements := $(PRODUCTS.$(makefile).ARTIFACT_PATH_REQUIREMENTS)) \ diff --git a/core/package_internal.mk b/core/package_internal.mk index 75cc547be..c657f2edb 100644 --- a/core/package_internal.mk +++ b/core/package_internal.mk @@ -535,6 +535,7 @@ endif ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./) LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE) endif +include $(BUILD_SYSTEM)/app_certificate_validate.mk private_key := $(LOCAL_CERTIFICATE).pk8 certificate := $(LOCAL_CERTIFICATE).x509.pem additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8) diff --git a/core/prebuilt_internal.mk b/core/prebuilt_internal.mk index 66913c1ac..960d8d1c5 100644 --- a/core/prebuilt_internal.mk +++ b/core/prebuilt_internal.mk @@ -306,6 +306,8 @@ else $(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem endif +include $(BUILD_SYSTEM)/app_certificate_validate.mk + # Disable dex-preopt of prebuilts to save space, if requested. ifndef LOCAL_DEX_PREOPT ifeq ($(DONT_DEXPREOPT_PREBUILTS),true) diff --git a/core/product.mk b/core/product.mk index 1420b46e1..2d7ace2fa 100644 --- a/core/product.mk +++ b/core/product.mk 
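Review bot: The recipe for `$(CERTIFICATE_VIOLATION_MODULES_FILENAME)` in core/main.mk creates no file when `CERTIFICATE_VIOLATION_MODULES` is empty: `rm -f $@` runs, the `$(foreach …)` expands to nothing, and the target passed to `dist-for-goals` does not exist afterwards. A product with no violations then yields a missing report rather than an empty one, which an auditor cannot tell apart from a report that was never generated, and it presumably breaks the dist copy as well. Adding `touch $@` right after `rm -f $@` fixes that. The rule also has no prerequisites, so whether an existing file is refreshed when the module list changes depends on the build tool re-running a changed command line; a one-line comment above the rule should say so.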
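Review bot: The validation included after the `LOCAL_CERTIFICATE` normalisation in core/package_internal.mk looks only at `$(LOCAL_CERTIFICATE)`, while two lines further down the same hunk `additional_certificates` is built from `$(LOCAL_ADDITIONAL_CERTIFICATES)`. A product or vendor module that lists a certificate from the system certificate directory there is neither recorded in `CERTIFICATE_VIOLATION_MODULES` nor rejected. If those extra signers are meant to fall under the same policy, the filter in app_certificate_validate.mk should take both lists: `$(filter $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%,$(LOCAL_CERTIFICATE) $(LOCAL_ADDITIONAL_CERTIFICATES))`. Whether relative names in that variable are resolved the way `LOCAL_CERTIFICATE` is cannot be seen from this hunk and needs checking first.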
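Review bot: The `include $(BUILD_SYSTEM)/app_certificate_validate.mk` added in core/prebuilt_internal.mk has no comment saying that it must stay below the code that gives `LOCAL_CERTIFICATE` its final value. The same holds for the includes added in core/package_internal.mk and core/soong_app_prebuilt.mk. In package_internal.mk the directory prefix is prepended to a relative certificate name right above the include, and the check matches on that prefix, so moving the include above that code in a later refactor would disable the check without any build error. A line such as `# Keep after LOCAL_CERTIFICATE is resolved: the check matches on the final certificate path.` above each include would make the ordering explicit. The conditional closed by the `endif` just before the include in prebuilt_internal.mk starts outside this hunk, so the branches that reach the include are not visible here.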
@@ -204,6 +204,8 @@ _product_var_list := \ PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE \ PRODUCT_ACTIONABLE_COMPATIBLE_PROPERTY_DISABLE \ PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS \ + PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT \ + PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST \ PRODUCT_ARTIFACT_PATH_REQUIREMENT_HINT \ PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST \ PRODUCT_USE_DYNAMIC_PARTITION_SIZE \ diff --git a/core/product_config.mk b/core/product_config.mk index 47b4c7aa0..c58405cb2 100644 --- a/core/product_config.mk +++ b/core/product_config.mk @@ -367,6 +367,11 @@ PRODUCT_PRODUCT_PROPERTIES := \ $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_PRODUCT_PROPERTIES)) .KATI_READONLY := PRODUCT_PRODUCT_PROPERTIES +ENFORCE_SYSTEM_CERTIFICATE := \ + $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT) + +ENFORCE_SYSTEM_CERTIFICATE_WHITELIST := \ + $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST)) # A list of property assignments, like "key = value", with zero or more # whitespace characters on either side of the '='. diff --git a/core/soong_app_prebuilt.mk b/core/soong_app_prebuilt.mk index 73d934bf9..f7236335b 100644 --- a/core/soong_app_prebuilt.mk +++ b/core/soong_app_prebuilt.mk @@ -108,7 +108,7 @@ ifdef LOCAL_CERTIFICATE PACKAGES.$(LOCAL_MODULE).CERTIFICATE := $(LOCAL_CERTIFICATE) PACKAGES.$(LOCAL_MODULE).PRIVATE_KEY := $(patsubst %.x509.pem,%.pk8,$(LOCAL_CERTIFICATE)) endif - +include $(BUILD_SYSTEM)/app_certificate_validate.mk PACKAGES.$(LOCAL_MODULE).OVERRIDES := $(strip $(LOCAL_OVERRIDES_PACKAGES)) ifdef LOCAL_SOONG_BUNDLE diff --git a/core/soong_config.mk b/core/soong_config.mk index 31c77d4b8..58e1a03ae 100644 --- a/core/soong_config.mk +++ b/core/soong_config.mk 
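Review bot: `ENFORCE_SYSTEM_CERTIFICATE` and `ENFORCE_SYSTEM_CERTIFICATE_WHITELIST` in core/product_config.mk are left writable, whereas the assignment directly above them in this hunk is followed by `.KATI_READONLY := PRODUCT_PRODUCT_PROPERTIES`. These two values decide whether the certificate policy is enforced and which modules are exempt, so a later makefile that reassigns them would change the policy silently. Adding `.KATI_READONLY := ENFORCE_SYSTEM_CERTIFICATE` and `.KATI_READONLY := ENFORCE_SYSTEM_CERTIFICATE_WHITELIST` after the assignments prevents that. The flag is also assigned without the `$(strip …)` that the whitelist gets, and the two should be made consistent.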
@@ -146,6 +146,9 @@ $(call add_json_str, DexpreoptGlobalConfig, $(DEX_PREOPT_CONFIG)) $(call add_json_list, ManifestPackageNameOverrides, $(PRODUCT_MANIFEST_PACKAGE_NAME_OVERRIDES)) +$(call add_json_bool, EnforceSystemCertificate, $(ENFORCE_SYSTEM_CERTIFICATE)) +$(call add_json_list, EnforceSystemCertificateWhitelist, $(ENFORCE_SYSTEM_CERTIFICATE_WHITELIST)) + $(call add_json_map, VendorVars) $(foreach namespace,$(SOONG_CONFIG_NAMESPACES),\ $(call add_json_map, $(namespace))\