board_avb_algorithm and board_avb_key_path are overlapping with
avb_signing_args. In core/Makefile, only avb_signing_args (i.e.
INTERNAL_AVB_SIGNING_ARGS) will be used in the AVB-signing command. It
covers the contents in board_avb_{algorithm,key_path}. We should do the
same thing in tools/releasetools to avoid potential inconsistency.
This CL cleans up the logic in tools/releasetools, by always using
avb_signing_args. This also allows easier signing key replacement (so we
can replace the key/algorithm/signer in 'avb_signing_args').
board_avb_system_add_hashtree_footer_args is unused in releasetools
script, and the same information has been covered by
system_avb_add_hashtree_footer_args. This CL removes this arg as well.
Test: `m dist`. Then a) check the removed three args no longer exist in
META/misc_info.txt; b) check that rebuilding images with
add_img_to_target_files.py uses the same parameters.
Change-Id: I7db890b5c942de5b6868d8d1ebf937586d4729c0
This is a step to enable signing a given target_files zip with release
keys.
When calling sign_target_files_apks.py, we will delete all the entries
under IMAGES/ in order to re-generate them (with the proper release
keys). In order to support that, we need to pack everything in need into
TF.zip.
Steps to test the CL.
a) Choose a target that has both AVB and DTBO enabled.
$ m dist
b) Check IMAGES/dtbo.img and PREBUILT_IMAGES/dtbo.img both exist in the
generated out/dist/TF.zip.
c) Remove the entries under IMAGES/ from the generated TF.zip.
$ zip -d TF.zip IMAGES/\*
d) Re-generate the images with TF.zip.
$ build/make/tools/releasetools/add_img_to_target_files.py TF.zip
e) Check that IMAGES/dtbo.img is re-generated, and it's identical to the
image in b). Note that by default the re-generated image will carry a
different footer, because of the random salt. This CL is verified by
specifying the same salt.
Bug: 38315721
Test: see above.
Change-Id: I0bdc4e1cd4800962dc3902ca550dad6a8ca56c78
Also pack the test keys for easier testing.
Bug: 38315721
Test: m otatools-package and avbtool is present in otatools.zip.
Change-Id: Ieb63bf3f4bc211ef1f48ab278cb01b70845d06da
`make custom_images` supports to build different kinds of *non-droid* images,
e.g., odm.img. Adding the support of signing them with either AVB HASH footer
or AVB HASHTREE footer. The user can use HASH for small images and
HASHTREE for large images.
Sample signing configurations:
* AVB HASH footer:
- CUSTOM_IMAGE_AVB_HASH_ENABLE := true
- CUSTOM_IMAGE_AVB_ADD_HASH_FOOTER_ARGS := --append_to_release_string my_odm_image
* AVB HASHTREE footer:
- CUSTOM_IMAGE_AVB_HASHTREE_ENABLE := true
- CUSTOM_IMAGE_AVB_ADD_HASHTREE_FOOTER_ARGS := --fec_num_roots 8
* Using custom signing key:
- CUSTOM_IMAGE_AVB_ALGORITHM := SHA256_RSA2048
- CUSTOM_IMAGE_AVB_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
Bug: 36701014
Test: `make custom_images` with AVB HASH footer
Test: `make custom_images` with AVB HASHTREE footer
Test: `make droid` to check system.img is still properly signed with AVB HASHTREE
Test: `make droid` to check vendor.img is still properly signed with AVB HASHTREE
Change-Id: I8dc420e12e37e9a631345c0cd883339db05d489f
This CL ensures that the _asan suffix is added to the build flavor
only when it doesn't already contain _asan (or _asan_coverage). This
correctly prevents it from appending an extra _asan to ASAN lunch
configs that already include it in the flavor, while allowing
sanitized targets for generic configs to behave as they used to.
Bug: 38145756
Test: _asan is correctly appended only for lunch configs that don't
already specify it in the build flavor.
Change-Id: Ia7d9356f717b97d1c64e3237ca31cc507f27734f
This is useful for devices with low disk space with different
build variants.
Bug: 37469715
Test: Regular image builds successfully, errors occur when
the headroom size is greater than available partition space.
Change-Id: I526cdd0f84981bbd16e3afcfe1cd7fc43dce98ef
Xml files will be generated instead of html files, and then Settings
will generate html file on runtime from xml files of partitions.
Test: build succeeded and tested on sailfish
Bug: 37099941
Merged-In: Id7899381a537b1947cbb6164ed2b4a98492334af
Change-Id: Id7899381a537b1947cbb6164ed2b4a98492334af
(cherry picked from commit 3b7560bf88)
Test: make with corresponding configurations in BoardConfig.mk
- dtbo.img is copied to the OUT directory
- avbtool info_image --image dtbo.img shows avb hashes
- avbtool info_image --image vbmeta.img shows dtbo partition info
Bug: 37730955
Change-Id: If3edaab860926c743f18fd031c911b076eb09fab
For A/B OTAs, ota_from_target_files.py calls brillo_update_payload
script to generate the payload entry in an A/B OTA package.
Bug: 37443093
Test: lunch aosp_marlin-userdebug && rm
out/host/linux-x86/bin/brillo_update_payload && m otapackage
Change-Id: I3845786b6c934c709f32e12a63cd6ea1f303d380
Uses avbtool to sign vendor.img if BOARD_AVB_ENABLE is set.
It also allows appending additional arguments to avbtool via
BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS.
e.g.,
BOARD_AVB_ENABLE := true
BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS := --generate_fec
Bug: 35415839
Test: "make" with the above variables and use avbtool to check vbmeta is
appended to vendor.img
Test: "make dist" with the above variables
Change-Id: I8ada38dff3def6d34613e77c67944def8a49f464
This patch updates the logic to use the PRODUCT_IOT variable instead of
BRILLO.
Bug: 36702887
Test: `make`; Image doesn't have the dev key.
Change-Id: I1751e97d8cdfeba83c7e4720a017a5f4dcfd49da
For tar-ed ASAN artifacts, enforce ownership by the system uid.
Bug: 36458146
Test: m && m SANITIZE_TARGET=true SANITIZE_TARGET_SYSTEM=true
Change-Id: I190cba3d160f15a89ef74f26e7aaa853a449929f
Add build system support for asan.tar.bz in the system image. This
is triggered by SANITIZE_TARGET_SYSTEM=true.
Bug: 36458146
Test: m && m SANITIZE_TARGET=true SANITIZE_TARGET_SYSTEM=true
Change-Id: I725f99f16a8c9182b1c7ad26580c73d3708f8554
If a module has multiple dependencies, the current regexp for making
the dependencies absolute paths only modifies the first dependency.
Test: build sailfish with module configuration including multiple
dependencies
Change-Id: I8f2b40c8c5ec228aa8f831086bcdd561c8714910
fileslist.go is still disabled by default. To enable, use:
USE_FILESLIST_GO=true m -j
Bug: 36274890
Test: Manual, with m -j
Change-Id: I722e17fa7fb6ba91e2b2c44cd7524d974cbe4a56
This got lost from the previous backport, since systemotherimage wasn't
in AOSP yet.
(The Merged-In is a random Change-Id only on master so that this only
merges up to master)
Test: lunch aosp_marlin-eng; m -j systemotherimage
Change-Id: I92c05f27c92d877f3b83e5c5ae2e76728eb162bd
Merged-In: Iafed66e19bc114552b0261dd299379dbb37873c6
add_img_to_target_files may use these to create the recovery patch, so
add a dependency. They were previously a transitive dependency through
the system image to the standalone recovery patch creation.
Bug: 36575896
Test: rm out/host/linux-x86/bin/imgdiff; m -j target-files-package
Change-Id: I2a43220e94c09393e88e1d9950032f5665a0d2ce
This used to happen in the system image creation, but the target-files
didn't really depend on the system image, so I removed that dependency.
But then we weren't creating the symlink all the time.
This should be safe to run in parallel with the same link step in the
system creation.
Bug: 36540023
Test: m -j target-files-package, ensure vendor symlink is created
without system.img.
Change-Id: I37059fa1ce759a0870dc4c65c5515050992245e2
We don't actually need to build the system image before
target-files-package, we just need to make sure everything is present in
$(PRODUCT_OUT)/system. So switch the dependencies around.
This can't be done as easily for the vendor image, since it may be a
prebuilt, or we may need to install some kernel modules into
$(PRODUCT_OUT)/vendor when building vendor.img. It tends to be smaller
anyway, so the time savings isn't as big.
Test: Make sure the build server outputs the same files
Test: Ensure target-files-package is identical before/after.
Change-Id: I84e4f878491ab2b71582f4f49418dbfbba75590f
And move simple cases of $(ACP) to cp. That does change OTA/bin/updater
from 0640 to 0700, but that's more consistent anyways.
Test: m -j target-files-package; ensure it's the same before/after.
Change-Id: I37b65eb9ddccd2f360aa007f929ece35c9e44f9b
We've just created the target files package and still have the extracted
directory, so pass that to ota_from_target_files so that it doesn't have
to re-extract what we just compressed.
This saves a little bit of time -- for bullhead-userdebug on internal
master, this brings the time to build an OTA from ~340s -> ~310s. Much
of the time is still spent generating and signing the OTA.
Test: lunch bullhead-userdebug; m -j otapackage
Test: bullhead-ota-*.zip is identical before/after
Change-Id: Ib51cf6b02123e9c49280e9957c6590645470a52c
When building target-files-package, dir: META has to be copied first
to help early validation of the .zip file.
In order to prevent $(zip_root)/META from getting copied twice to $@.list,
use the method (find -path -prune -o -print) instead of (grep pattern -v).
Test: m target-files-package
Bug: b/31676493
Change-Id: Id6b4d77fb62aa136253de88573cc51a575b90be2
The vendor image will have more than just proprietary modules in it
under Treble, so let's stop marking open source code as proprietary just
to move it to vendor.
Bug: 36452052
Test: compare build-aosp_arm.ninja before/after, no changes.
Test: Try defining LOCAL_VENDOR_MODULE / LOCAL_PROPRIETARY_MODULE in the
same and different ways, ensure it works.
Change-Id: I0ab046bcb7563a20d44ed00667e18497ef0873a8
/file_contexts.bin is needed only by devices which do not have
PRODUCT_FULL_TREBLE set to true. Adding this file to devices which
have PRODUCT_FULL_TREBLE set to true causes confusion and wastes
about 800 kB of space.
/file_contexts.bin was being added unconditionally to all devices due
to the build system needing the combined file_contexts file for
host-side labelling of filesystems in images and for inclusion into
target files ZIP (again, to be used for host-side labelling later).
This change switches these targets to depend on the same file, but
from intermediates directory. As a result, everything continues to
work just fine, but without pulling in /file_contexts.bin. On devices
which need /file_contexts.bin, it is pulled in by
system/core/init/Android.mk.
Test: /file_contexts.bin still there on bullhead, but not there on
sailfish with PRODUCT_FULL_TREBLE set to true.
Test: Clean build, device boots up with, no new denials.
Reboot to recovery, recovery boots up fine too, no denials.
This was tested on sailfish-eng and marlin-eng.
Bug: 36002414
Change-Id: I9bbbb08bbf7d874bba0bafcc19bcbf9eec564326
This makes recoveryimage/bootimage targets explicitly depend on SELinux
policy artifacts needed by recovery. Prior to this change, the
dependency was contrived: these targets would rely on copying these
files from "root" directory, and then overwriting sepolicy file with
sepolicy.recovery.
Test: Clean build, flash, device boots up just fine. No new denials.
Reboot into recovery, recovery boot up just fine, no denials.
This was tested on bullhead (non A/B device) and sailfish (A/B
device).
Bug: 33642277
Change-Id: Id2369253d0c7e02e079ae01ac7140b41880fd5ad
BBOTA v1 and v2 (introduced in L and L MR1 respectively) don't support
resumable OTA. We shouldn't generate packages using v1/v2 at the risk of
bricking devices.
BBOTA v3 (since M) and v4 (since N) both support resumable OTAs. BBOTA
v4 additionally supports using FEC to possibly recover a corrupted
image.
Bug: 33694730
Test: Generate full and incremental OTAs w/ and w/o the CL. They should
give identical packages (in v4).
Change-Id: Ib89d9cd63ba08e8e9aa4131bed18876b89d244c0
Remove the following functions that are needed for file-based OTAs only:
- SetPermissions()
- SetPermissionsRecursive()
- MakeSymlinks()
- DeleteFiles()
- DeleteFilesIfNotMatching()
- RenameFiles()
- SkipNextActionIfTargetExists()
Bug: 35853185
Test: Verified there's no reference to these functions.
Change-Id: Iff24a9d705476211effaef28eed2a147fa5fcbce
For aosp_marlin (on AOSP), this speeds up target files creation from
~57 seconds to ~15 seconds.
For marlin-userdebug (on internal master), this speeds up target files
creation from ~300 seconds to ~95 seconds.
This does make some minor changes to the resulting target_files zip:
* All of the META files are actually at the beginning of the zip now,
previously the ones created by add_img_to_target_files would be at
the end.
* The images are slightly larger. Go's zip implementation in soong_zip
isn't quite as good as the `zip` tool.
* vendor_filesystem_config.txt isn't present if we're not building a
vendor image.
Test: aosp_marlin target_files zip changes look reasonable
Test: marlin target_files zip changes look reasonable
Test: bullhead target_files zip changes look reasonable
Change-Id: Ia5ce6870b85559d65107c3b94332391b4b43a0ea
Support BOARD_VENDOR_KERNEL_MODULES which accepts a list of the
kernel module binaries. Binaries listed there are copied to
$(TARGET_OUT_VENDOR)/lib/modules and 'depmod' is executed to generate
the dependencies. BOARD_RECOVERY_KERNEL_MODULES is similarly
implemented to provide a way to specify kernel modules to be copied
to the recovery image.
Bug: 33305644
Test: android master build on marlin and load dummy modules
Merged-In: I0a58a270dbb0d2d38fd089f4abff66e62e14fac1
Change-Id: Ia5f429508ca3d7c77448358e42af6efa98fa8624
These files are used by the update console to determine the product
associated with a given target_files.zip.
Bug: 35804180
Bug: 33211225
Test: `make dist` generates a target_files.zip with these files.
Change-Id: I6066da07d76749ae64c26d5f661c7a6d06f3fb3d
Statically link libwinpthread.a, so that we don't have to ship a
libwinpthread dll with all of our windows exectuables.
Bug: http://b/31665213
Test: wine adb.exe
Test: wine fastboot.exe
Change-Id: I96414e980d8894f8f6a58c1c7bbd9dc5e0f5169c
Tao Bao