From d395c6ff3f31126f1bf2c0a08c96a8f185d594b1 Mon Sep 17 00:00:00 2001 From: Yi-Yo Chiang Date: Sat, 11 Sep 2021 19:31:28 +0800 Subject: [PATCH 1/6] Add PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT If this option is set, then an additional copy of the debug policy can be installed to the GSI, and the init-second-stage of GSI could load debug policy from GSI /system_ext when debug-ramdisk is used. Bug: 188067818 Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash gsi_arm64-user from master, device can boot and `adb root` works Change-Id: I9c3dad8bb6c5fa88b16762193446dc7e54f326c8 Merged-In: I9c3dad8bb6c5fa88b16762193446dc7e54f326c8 (cherry picked from commit 0a468fe904768240fe011f1c47fa89b3165c265c) --- core/android_soong_config_vars.mk | 1 + core/product.mk | 5 +++++ core/product_config.mk | 6 ++++++ 3 files changed, 12 insertions(+) diff --git a/core/android_soong_config_vars.mk b/core/android_soong_config_vars.mk index 5e63a25d9..1b4aeb558 100644 --- a/core/android_soong_config_vars.mk +++ b/core/android_soong_config_vars.mk @@ -28,6 +28,7 @@ $(call add_soong_config_namespace,ANDROID) $(call add_soong_config_var,ANDROID,TARGET_ENABLE_MEDIADRM_64) $(call add_soong_config_var,ANDROID,BOARD_USES_ODMIMAGE) +$(call add_soong_config_var,ANDROID,PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT) ifeq (,$(findstring com.google.android.conscrypt,$(PRODUCT_PACKAGES))) # Prebuilt module SDKs require prebuilt modules to work, and currently diff --git a/core/product.mk b/core/product.mk index 015fe44ba..21fc06e65 100644 --- a/core/product.mk +++ b/core/product.mk 
@@ -427,6 +427,11 @@ _product_list_vars += PRODUCT_INTER_PARTITION_JAVA_LIBRARY_ALLOWLIST _product_single_value_vars += PRODUCT_INSTALL_EXTRA_FLATTENED_APEXES +# Install a copy of the debug policy to the system_ext partition, and allow +# init-second-stage to load debug policy from system_ext. +# This option is only meant to be set by GSI products. +_product_single_value_vars += PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT + .KATI_READONLY := _product_single_value_vars _product_list_vars _product_var_list :=$= $(_product_single_value_vars) $(_product_list_vars) diff --git a/core/product_config.mk b/core/product_config.mk index 5c85fb85f..679453e52 100644 --- a/core/product_config.mk +++ b/core/product_config.mk @@ -350,6 +350,12 @@ ifneq ($(filter-out 0 1,$(words $(PRODUCT_ADB_KEYS))),) $(error Only one file may be in PRODUCT_ADB_KEYS: $(PRODUCT_ADB_KEYS)) endif +ifdef PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT + ifeq (,$(filter gsi_arm gsi_arm64 gsi_x86 gsi_x86_64,$(PRODUCT_NAME))) + $(error Only GSI products are allowed to set PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT) + endif +endif + ifndef PRODUCT_USE_DYNAMIC_PARTITIONS PRODUCT_USE_DYNAMIC_PARTITIONS := $(PRODUCT_RETROFIT_DYNAMIC_PARTITIONS) endif From 00fc943377a110e7c31faa49d9deb09a660ffc53 Mon Sep 17 00:00:00 2001 From: Bowgo Tsai Date: Thu, 9 Sep 2021 19:04:55 +0800 Subject: [PATCH 2/6] Skip building boot-(test-harness|debug).img if not needed boot-(test-harness|debug).img is not needed for devices with a /vendor_boot partition. They can use vendor_boot-(test-harness|debug).img instead. (Cherry-picked with Ic032b8594f776f911d7b6345a97d64fed930d890 to solve merge conflict.) Bug: 200945738 Bug: 196001476 Test: make then checks $OUT/*.img Change-Id: If76df0329c96f718ebf0a0ac138cde3ae859a6c6 Merged-In: If76df0329c96f718ebf0a0ac138cde3ae859a6c6 (cherry picked from commit 4bb4d1fb9165b124f67bb6f405503ca4ae1ecef2) --- core/Makefile | 4 ++++ 1 file changed, 4 insertions(+) 
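Review bot: The comment added above `_product_single_value_vars += PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT` says the option is "only meant" for GSI products, which reads as a convention even though the same patch makes it a hard build error in product_config.mk. Since the option places a copy of the userdebug policy on a regular partition, the comment should say it is enforced and what it depends on, for example `# Enforced in product_config.mk: any non-GSI product that sets this fails the build.` and `# The policy is only loaded by init when the debug ramdisk is in use.` The second sentence is taken from the commit description, so please confirm it against the init change before adding it.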
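Review bot: The new guard in product_config.mk uses `ifdef PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT`, so any non-empty value, including `false`, counts as setting the option, and that raw value is what the first file in this patch exports to Soong through `add_soong_config_var`. How Soong treats a value other than `true` is not visible here, so it would be safer to reject anything else inside the `ifdef`, e.g. `ifneq (,$(filter-out true,$(PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT)))` followed by `$(error PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT must be true or unset)`. The allowlist is a hard-coded set of four product names, so a one-line comment such as `# Keep in sync with the GSI product names; this list is the only gate for shipping debug policy in system_ext.` would help whoever adds the next GSI target.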
diff --git a/core/Makefile b/core/Makefile index 2d56edb9e..a10e93d68 100644 --- a/core/Makefile +++ b/core/Makefile @@ -2398,6 +2398,7 @@ endif # BUILDING_RAMDISK_IMAGE # # Note: it's intentional to skip signing for boot-debug.img, because it # can only be used if the device is unlocked with verification error. +ifneq ($(BUILDING_VENDOR_BOOT_IMAGE),true) ifneq ($(INSTALLED_BOOTIMAGE_TARGET),) ifneq ($(strip $(TARGET_NO_KERNEL)),true) ifneq ($(strip $(BOARD_KERNEL_BINARIES)),) @@ -2456,6 +2457,7 @@ bootimage_debug-nodeps: $(MKBOOTIMG) $(BOARD_GKI_SIGNING_KEY_PATH) $(AVBTOOL) endif # TARGET_NO_KERNEL endif # INSTALLED_BOOTIMAGE_TARGET +endif # BUILDING_VENDOR_BOOT_IMAGE is not true ifeq ($(BUILDING_VENDOR_BOOT_IMAGE),true) ifeq ($(BUILDING_RAMDISK_IMAGE),true) @@ -2601,6 +2603,7 @@ endif # BUILDING_RAMDISK_IMAGE # # Note: it's intentional to skip signing for boot-test-harness.img, because it # can only be used if the device is unlocked with verification error. +ifneq ($(BUILDING_VENDOR_BOOT_IMAGE),true) ifneq ($(INSTALLED_BOOTIMAGE_TARGET),) ifneq ($(strip $(TARGET_NO_KERNEL)),true) @@ -2643,6 +2646,7 @@ bootimage_test_harness-nodeps: $(MKBOOTIMG) $(BOARD_GKI_SIGNING_KEY_PATH) $(AVBT endif # TARGET_NO_KERNEL endif # INSTALLED_BOOTIMAGE_TARGET +endif # BUILDING_VENDOR_BOOT_IMAGE is not true endif # BOARD_BUILD_SYSTEM_ROOT_IMAGE is not true ifeq ($(BUILDING_VENDOR_BOOT_IMAGE),true) From 8d2495319bad51afc794717f085625ee0a60e904 Mon Sep 17 00:00:00 2001 
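Review bot: The new `ifneq ($(BUILDING_VENDOR_BOOT_IMAGE),true)` guard in the first hunk sits directly under a comment that only explains why boot-debug.img is left unsigned, so the reason for skipping the image altogether lives only in the commit message. A line above the guard such as `# Devices with a /vendor_boot partition use vendor_boot-debug.img instead.` would keep that in the file, and the same applies to the boot-test-harness.img guard in the third hunk. The value is compared without `$(strip ...)`, unlike the `TARGET_NO_KERNEL` test two lines further down, which is a small inconsistency. The conditional opened here is closed in the second hunk, and the rules it wraps are outside the visible lines.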
From: Yi-Yo Chiang Date: Wed, 29 Sep 2021 19:41:11 +0800 Subject: [PATCH 3/6] Refactor build logic of boot-debug & vendor_boot-debug Add PRODUCT variables PRODUCT_BUILD_DEBUG_BOOT_IMAGE PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE as toggles to enable/disable building boot-debug & vendor_boot-debug. Bug: 200945738 Test: m bootimage_debug Change-Id: Ic032b8594f776f911d7b6345a97d64fed930d890 Merged-In: Ic032b8594f776f911d7b6345a97d64fed930d890 (cherry picked from commit 4d7c613c58cb0578893996887e8270a3bd8cb069) --- core/Makefile | 43 +++++++++--------------- core/board_config.mk | 80 ++++++++++++++++++++++++++++++++++++++++++++ core/product.mk | 2 ++ 3 files changed, 98 insertions(+), 27 deletions(-) diff --git a/core/Makefile b/core/Makefile index a10e93d68..a6959fac9 100644 --- a/core/Makefile +++ b/core/Makefile @@ -2327,14 +2327,14 @@ ifneq ($(BOARD_NAND_SPARE_SIZE),) $(error MTD device is no longer supported and thus BOARD_NAND_SPARE_SIZE is deprecated.) endif -ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) + # ----------------------------------------------------------------- # the debug ramdisk, which is the original ramdisk plus additional # files: force_debuggable, adb_debug.prop and userdebug sepolicy. # When /force_debuggable is present, /init will load userdebug sepolicy # and property files to allow adb root, if the device is unlocked. +ifneq ($(BUILDING_DEBUG_BOOT_IMAGE)$(BUILDING_DEBUG_VENDOR_BOOT_IMAGE),) -ifdef BUILDING_RAMDISK_IMAGE BUILT_DEBUG_RAMDISK_TARGET := $(PRODUCT_OUT)/ramdisk-debug.img INSTALLED_DEBUG_RAMDISK_TARGET := $(BUILT_DEBUG_RAMDISK_TARGET) 
@@ -2391,16 +2391,15 @@ ramdisk_debug-nodeps: $(MKBOOTFS) | $(COMPRESSION_COMMAND_DEPS) touch $(TARGET_DEBUG_RAMDISK_OUT)/force_debuggable $(MKBOOTFS) -d $(TARGET_OUT) $(TARGET_DEBUG_RAMDISK_OUT) $(PRIVATE_ADDITIONAL_DIR) | $(COMPRESSION_COMMAND) > $(INSTALLED_DEBUG_RAMDISK_TARGET) -endif # BUILDING_RAMDISK_IMAGE +endif # BUILDING_DEBUG_BOOT_IMAGE || BUILDING_DEBUG_VENDOR_BOOT_IMAGE # ----------------------------------------------------------------- # the boot-debug.img, which is the kernel plus ramdisk-debug.img # # Note: it's intentional to skip signing for boot-debug.img, because it # can only be used if the device is unlocked with verification error. -ifneq ($(BUILDING_VENDOR_BOOT_IMAGE),true) -ifneq ($(INSTALLED_BOOTIMAGE_TARGET),) -ifneq ($(strip $(TARGET_NO_KERNEL)),true) +ifdef BUILDING_DEBUG_BOOT_IMAGE + ifneq ($(strip $(BOARD_KERNEL_BINARIES)),) INSTALLED_DEBUG_BOOTIMAGE_TARGET := $(foreach k,$(subst kernel,boot-debug,$(BOARD_KERNEL_BINARIES)), \ $(PRODUCT_OUT)/$(k).img) @@ -2455,16 +2454,13 @@ bootimage_debug-nodeps: $(MKBOOTIMG) $(BOARD_GKI_SIGNING_KEY_PATH) $(AVBTOOL) echo "make $@: ignoring dependencies" $(foreach b,$(INSTALLED_DEBUG_BOOTIMAGE_TARGET),$(call build-debug-bootimage-target,$b)) -endif # TARGET_NO_KERNEL -endif # INSTALLED_BOOTIMAGE_TARGET -endif # BUILDING_VENDOR_BOOT_IMAGE is not true +endif # BUILDING_DEBUG_BOOT_IMAGE -ifeq ($(BUILDING_VENDOR_BOOT_IMAGE),true) -ifeq ($(BUILDING_RAMDISK_IMAGE),true) # ----------------------------------------------------------------- # vendor debug ramdisk # Combines vendor ramdisk files and debug ramdisk files to build the vendor debug ramdisk. -# +ifdef BUILDING_DEBUG_VENDOR_BOOT_IMAGE + INTERNAL_VENDOR_DEBUG_RAMDISK_FILES := $(filter $(TARGET_VENDOR_DEBUG_RAMDISK_OUT)/%, \ $(ALL_GENERATED_SOURCES) \ $(ALL_DEFAULT_INSTALLED_MODULES)) 
@@ -2536,14 +2532,13 @@ $(INSTALLED_VENDOR_DEBUG_BOOTIMAGE_TARGET): $(INTERNAL_VENDOR_RAMDISK_FRAGMENT_T $(call assert-max-image-size,$@,$(BOARD_VENDOR_BOOTIMAGE_PARTITION_SIZE)) $(if $(BOARD_AVB_VENDOR_BOOT_KEY_PATH),$(call test-key-sign-vendor-bootimage,$@)) -endif # BUILDING_RAMDISK_IMAGE -endif # BUILDING_VENDOR_BOOT_IMAGE +endif # BUILDING_DEBUG_VENDOR_BOOT_IMAGE # ----------------------------------------------------------------- # The test harness ramdisk, which is based off debug_ramdisk, plus a # few additional test-harness-specific properties in adb_debug.prop. +ifneq ($(BUILDING_DEBUG_BOOT_IMAGE)$(BUILDING_DEBUG_VENDOR_BOOT_IMAGE),) -ifdef BUILDING_RAMDISK_IMAGE BUILT_TEST_HARNESS_RAMDISK_TARGET := $(PRODUCT_OUT)/ramdisk-test-harness.img INSTALLED_TEST_HARNESS_RAMDISK_TARGET := $(BUILT_TEST_HARNESS_RAMDISK_TARGET) @@ -2596,16 +2591,14 @@ ramdisk_test_harness-nodeps: $(MKBOOTFS) | $(COMPRESSION_COMMAND_DEPS) $(call append-test-harness-props,$(ADDITIONAL_TEST_HARNESS_PROPERTIES),$(TEST_HARNESS_PROP_TARGET)) $(MKBOOTFS) -d $(TARGET_OUT) $(TARGET_TEST_HARNESS_RAMDISK_OUT) $(PRIVATE_ADDITIONAL_DIR) | $(COMPRESSION_COMMAND) > $(INSTALLED_TEST_HARNESS_RAMDISK_TARGET) -endif # BUILDING_RAMDISK_IMAGE +endif # BUILDING_DEBUG_BOOT_IMAGE || BUILDING_DEBUG_VENDOR_BOOT_IMAGE # ----------------------------------------------------------------- # the boot-test-harness.img, which is the kernel plus ramdisk-test-harness.img # # Note: it's intentional to skip signing for boot-test-harness.img, because it # can only be used if the device is unlocked with verification error. -ifneq ($(BUILDING_VENDOR_BOOT_IMAGE),true) -ifneq ($(INSTALLED_BOOTIMAGE_TARGET),) -ifneq ($(strip $(TARGET_NO_KERNEL)),true) +ifdef BUILDING_DEBUG_BOOT_IMAGE ifneq ($(strip $(BOARD_KERNEL_BINARIES)),) INSTALLED_TEST_HARNESS_BOOTIMAGE_TARGET := $(foreach k,$(subst kernel,boot-test-harness,$(BOARD_KERNEL_BINARIES)), \ 
@@ -2644,16 +2637,12 @@ bootimage_test_harness-nodeps: $(MKBOOTIMG) $(BOARD_GKI_SIGNING_KEY_PATH) $(AVBT echo "make $@: ignoring dependencies" $(foreach b,$(INSTALLED_TEST_HARNESS_BOOTIMAGE_TARGET),$(call build-boot-test-harness-target,$b)) -endif # TARGET_NO_KERNEL -endif # INSTALLED_BOOTIMAGE_TARGET -endif # BUILDING_VENDOR_BOOT_IMAGE is not true -endif # BOARD_BUILD_SYSTEM_ROOT_IMAGE is not true +endif # BUILDING_DEBUG_BOOT_IMAGE -ifeq ($(BUILDING_VENDOR_BOOT_IMAGE),true) -ifeq ($(BUILDING_RAMDISK_IMAGE),true) # ----------------------------------------------------------------- # vendor test harness ramdisk, which is a vendor ramdisk combined with # a test harness ramdisk. +ifdef BUILDING_DEBUG_VENDOR_BOOT_IMAGE INTERNAL_VENDOR_TEST_HARNESS_RAMDISK_TARGET := $(call intermediates-dir-for,PACKAGING,vendor_boot-test-harness)/vendor_ramdisk-test-harness.cpio$(RAMDISK_EXT) @@ -2688,8 +2677,8 @@ $(INSTALLED_VENDOR_TEST_HARNESS_BOOTIMAGE_TARGET): $(INTERNAL_VENDOR_RAMDISK_FRA $(call assert-max-image-size,$@,$(BOARD_VENDOR_BOOTIMAGE_PARTITION_SIZE)) $(if $(BOARD_AVB_VENDOR_BOOT_KEY_PATH),$(call test-key-sign-vendor-bootimage,$@)) -endif # BUILDING_RAMDISK_IMAGE -endif # BUILDING_VENDOR_BOOT_IMAGE +endif # BUILDING_DEBUG_VENDOR_BOOT_IMAGE + # Creates a compatibility symlink between two partitions, e.g. /system/vendor to /vendor # $1: from location (e.g $(TARGET_OUT)/vendor) diff --git a/core/board_config.mk b/core/board_config.mk index 1b08f9a0b..ea6ec1e4e 100644 --- a/core/board_config.mk +++ b/core/board_config.mk 
@@ -439,6 +439,86 @@ else ifeq ($(PRODUCT_BUILD_RAMDISK_IMAGE),false) endif .KATI_READONLY := BUILDING_RAMDISK_IMAGE +# Are we building a debug vendor_boot image +BUILDING_DEBUG_VENDOR_BOOT_IMAGE := +# Can't build vendor_boot-debug.img if BOARD_BUILD_SYSTEM_ROOT_IMAGE is true, +# because building debug vendor_boot image requires a ramdisk. +ifeq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) + ifeq ($(PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE),true) + $(warning PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE is true, but so is BOARD_BUILD_SYSTEM_ROOT_IMAGE. \ + Skip building the debug vendor_boot image.) + endif +# Can't build vendor_boot-debug.img if we're not building a ramdisk. +else ifndef BUILDING_RAMDISK_IMAGE + ifeq ($(PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE),true) + $(warning PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE is true, but we're not building a ramdisk image. \ + Skip building the debug vendor_boot image.) + endif +# Can't build vendor_boot-debug.img if we're not building a vendor_boot.img. +else ifndef BUILDING_VENDOR_BOOT_IMAGE + ifeq ($(PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE),true) + $(warning PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE is true, but we're not building a vendor_boot image. \ + Skip building the debug vendor_boot image.) + endif +else + ifeq ($(PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE),) + BUILDING_DEBUG_VENDOR_BOOT_IMAGE := true + else ifeq ($(PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE),true) + BUILDING_DEBUG_VENDOR_BOOT_IMAGE := true + endif +endif +.KATI_READONLY := BUILDING_DEBUG_VENDOR_BOOT_IMAGE + +_has_boot_img_artifact := +ifneq ($(strip $(TARGET_NO_KERNEL)),true) + ifdef BUILDING_BOOT_IMAGE + _has_boot_img_artifact := true + endif + # BUILDING_RECOVERY_IMAGE && BOARD_USES_RECOVERY_AS_BOOT implies that + # recovery is being built with the file name *boot.img*, which still counts + # as "building boot.img". 
+ ifdef BUILDING_RECOVERY_IMAGE + ifeq ($(BOARD_USES_RECOVERY_AS_BOOT),true) + _has_boot_img_artifact := true + endif + endif +endif + +# Are we building a debug boot image +BUILDING_DEBUG_BOOT_IMAGE := +# Can't build boot-debug.img if BOARD_BUILD_SYSTEM_ROOT_IMAGE is true, +# because building debug boot image requires a ramdisk. +ifeq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) + ifeq ($(PRODUCT_BUILD_DEBUG_BOOT_IMAGE),true) + $(warning PRODUCT_BUILD_DEBUG_BOOT_IMAGE is true, but so is BOARD_BUILD_SYSTEM_ROOT_IMAGE. \ + Skip building the debug boot image.) + endif +# Can't build boot-debug.img if we're not building a ramdisk. +else ifndef BUILDING_RAMDISK_IMAGE + ifeq ($(PRODUCT_BUILD_DEBUG_BOOT_IMAGE),true) + $(warning PRODUCT_BUILD_DEBUG_BOOT_IMAGE is true, but we're not building a ramdisk image. \ + Skip building the debug boot image.) + endif +# Can't build boot-debug.img if we're not building a boot.img. +else ifndef _has_boot_img_artifact + ifeq ($(PRODUCT_BUILD_DEBUG_BOOT_IMAGE),true) + $(warning PRODUCT_BUILD_DEBUG_BOOT_IMAGE is true, but we're not building a boot image. \ + Skip building the debug boot image.) + endif +else + ifeq ($(PRODUCT_BUILD_DEBUG_BOOT_IMAGE),) + BUILDING_DEBUG_BOOT_IMAGE := true + # Don't build boot-debug.img if we're already building vendor_boot-debug.img. + ifdef BUILDING_DEBUG_VENDOR_BOOT_IMAGE + BUILDING_DEBUG_BOOT_IMAGE := + endif + else ifeq ($(PRODUCT_BUILD_DEBUG_BOOT_IMAGE),true) + BUILDING_DEBUG_BOOT_IMAGE := true + endif +endif +.KATI_READONLY := BUILDING_DEBUG_BOOT_IMAGE +_has_boot_img_artifact := + # Are we building a userdata image BUILDING_USERDATA_IMAGE := ifeq ($(PRODUCT_BUILD_USERDATA_IMAGE),) diff --git a/core/product.mk b/core/product.mk index 015fe44ba..db6c57779 100644 --- a/core/product.mk +++ b/core/product.mk 
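Review bot: Both new blocks act only on an empty value or `true` for `PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE` and `PRODUCT_BUILD_DEBUG_BOOT_IMAGE`, and every other value falls through as "do not build" without any message, so a typo such as `ture` silently changes which debug images a product emits. An explicit last branch would surface that, e.g. `else ifneq ($(PRODUCT_BUILD_DEBUG_BOOT_IMAGE),false)` with `$(error PRODUCT_BUILD_DEBUG_BOOT_IMAGE must be true, false or empty)`, and the same for the vendor_boot variable. The vendor_boot block tests `ifndef BUILDING_VENDOR_BOOT_IMAGE`, while core/Makefile compared that variable against `true`. Whether it can hold another non-empty value is not visible in this hunk, so please confirm the two tests agree. A short comment on the empty-value default would also help: boot-debug.img is built by default unless vendor_boot-debug.img is being built, because these images carry `force_debuggable` and the userdebug policy.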
@@ -385,7 +385,9 @@ _product_single_value_vars += PRODUCT_BUILD_RAMDISK_IMAGE _product_single_value_vars += PRODUCT_BUILD_USERDATA_IMAGE _product_single_value_vars += PRODUCT_BUILD_RECOVERY_IMAGE _product_single_value_vars += PRODUCT_BUILD_BOOT_IMAGE +_product_single_value_vars += PRODUCT_BUILD_DEBUG_BOOT_IMAGE _product_single_value_vars += PRODUCT_BUILD_VENDOR_BOOT_IMAGE +_product_single_value_vars += PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE _product_single_value_vars += PRODUCT_BUILD_VBMETA_IMAGE _product_single_value_vars += PRODUCT_BUILD_SUPER_EMPTY_IMAGE From 6e701a2cac7e8f0c8cc458d375b7ce18ad5ba33b Mon Sep 17 00:00:00 2001 From: Yi-Yo Chiang Date: Thu, 14 Oct 2021 17:07:14 +0800 Subject: [PATCH 4/6] Stop building boot-(debug|with-debug-ramdisk)-*.img for GSI/GKI We don't need these anymore as we now export userdebug_plat_sepolicy.cil to artifacts dist dir directly, so repack_bootimg don't need to use boot-(debug|with-debug-ramdisk)-*.img as repack source anymore. Bug: 202129499 Test: Check presubmit artifacts don't have boot-*debug*.img Change-Id: I3161e42b00a93177a1a4cb3b22da2218d294b7a7 Merged-In: I3161e42b00a93177a1a4cb3b22da2218d294b7a7 (cherry picked from commit 92f08702ddd42959508279eaf88071564bbc5b54) --- target/product/gsi_release.mk | 2 ++ 1 file changed, 2 insertions(+) diff --git a/target/product/gsi_release.mk b/target/product/gsi_release.mk index 09417b5f1..a2a29ed0f 100644 --- a/target/product/gsi_release.mk +++ b/target/product/gsi_release.mk @@ -71,6 +71,8 @@ PRODUCT_EXTRA_VNDK_VERSIONS := \ # Do not build non-GSI partition images. PRODUCT_BUILD_CACHE_IMAGE := false +PRODUCT_BUILD_DEBUG_BOOT_IMAGE := false +PRODUCT_BUILD_DEBUG_VENDOR_BOOT_IMAGE := false PRODUCT_BUILD_USERDATA_IMAGE := false PRODUCT_BUILD_VENDOR_IMAGE := false PRODUCT_BUILD_SUPER_PARTITION := false From 702b8fdfe00cfd34b6effe76fc71eeaef2cf4dd4 Mon Sep 17 00:00:00 2001 
From: Bowgo Tsai Date: Wed, 13 Oct 2021 17:39:33 +0800 Subject: [PATCH 5/6] sign_target_files_apks: adding --allow_gsi_debug_sepolicy https://android-review.googlesource.com/q/topic:gsi_debug_policy adds userdebug_plat_sepolicy.cil into the GSI system.img to reduce the steps of repacking a debug ramdisk. This CL checks that the file userdebug_plat_sepolicy.cil shouldn't exist before signing, unless the caller explicitly specifies --allow_gsi_debug_sepolicy to allow it. Note: also fixes the indentation around the block. Bug: 188067818 Bug: 201482141 Test: sign_target_files_apks *-target_files-*.zip signed.zip Change-Id: I56ed328a9ae70cf49dbd3c6efb5a4a8c54e1b7a7 Merged-In: I56ed328a9ae70cf49dbd3c6efb5a4a8c54e1b7a7 (cherry picked from commit 5a73b0ee976dc61fe6fa12e48f15d5ec53f90878) --- tools/releasetools/sign_target_files_apks.py | 23 ++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index 0842af901..936ef888d 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py @@ -136,6 +136,11 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files --android_jar_path Path to the android.jar to repack the apex file. + + --allow_gsi_debug_sepolicy + Allow the existence of the file 'userdebug_plat_sepolicy.cil' under + (/system/system_ext|/system_ext)/etc/selinux. + If not set, error out when the file exists. """ from __future__ import print_function @@ -189,6 +194,7 @@ OPTIONS.gki_signing_key = None OPTIONS.gki_signing_algorithm = None OPTIONS.gki_signing_extra_args = None OPTIONS.android_jar_path = None +OPTIONS.allow_gsi_debug_sepolicy = False AVB_FOOTER_ARGS_BY_PARTITION = { 
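Review bot: The usage text added for `--allow_gsi_debug_sepolicy` describes what the flag permits but not when a release engineer is expected to pass it. Because the flag lets a userdebug policy file through into a signed target-files package, the text should state the intended scope, for example by appending `Only intended for GSI target files; leave unset when signing device builds.` That scope is taken from the commit description, which ties the file to the GSI system.img, so adjust the wording if other products are expected to use it.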
@@ -658,7 +664,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, # Updates system_other.avbpubkey in /product/etc/. elif filename in ( "PRODUCT/etc/security/avb/system_other.avbpubkey", - "SYSTEM/product/etc/security/avb/system_other.avbpubkey"): + "SYSTEM/product/etc/security/avb/system_other.avbpubkey"): # Only update system_other's public key, if the corresponding signing # key is specified via --avb_system_other_key. signing_key = OPTIONS.avb_keys.get("system_other") @@ -671,9 +677,19 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, # Should NOT sign boot-debug.img. elif filename in ( "BOOT/RAMDISK/force_debuggable", - "BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"): + "BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"): raise common.ExternalError("debuggable boot.img cannot be signed") + # Should NOT sign userdebug sepolicy file. + elif filename in ( + "SYSTEM_EXT/etc/selinux/userdebug_plat_sepolicy.cil", + "SYSTEM/system_ext/etc/selinux/userdebug_plat_sepolicy.cil"): + if not OPTIONS.allow_gsi_debug_sepolicy: + raise common.ExternalError("debug sepolicy shouldn't be included") + else: + # Copy it verbatim if we allow the file to exist. + common.ZipWriteStr(output_tf_zip, out_info, data) + # A non-APK file; copy it verbatim. else: common.ZipWriteStr(output_tf_zip, out_info, data) @@ -1289,6 +1305,8 @@ def main(argv): OPTIONS.gki_signing_algorithm = a elif o == "--gki_signing_extra_args": OPTIONS.gki_signing_extra_args = a + elif o == "--allow_gsi_debug_sepolicy": + OPTIONS.allow_gsi_debug_sepolicy = True else: return False return True @@ -1339,6 +1357,7 @@ def main(argv): "gki_signing_key=", "gki_signing_algorithm=", "gki_signing_extra_args=", + "allow_gsi_debug_sepolicy", ], extra_option_handler=option_handler) From fdbbcabca3d8c0ae12b91933ad52b5c84e044902 Mon Sep 17 00:00:00 2001 
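Review bot: In the new `userdebug_plat_sepolicy.cil` branch (second hunk), the error does not say which archive entry triggered it, and the allowed path copies the file without leaving any trace in the signing output. Naming the entry, `raise common.ExternalError("debug sepolicy shouldn't be included: " + filename)`, and printing a line before the copy, `print("NOTICE: keeping debug sepolicy " + filename)`, would make both outcomes auditable; the `else:` after the `raise` can then be dropped. The match is an exact comparison against two archive paths, so a copy of the file stored under any other path is not covered, which may be intended but is worth a comment. The diffstat shows no test for the new branch or the new option, and ProcessTargetFiles continues outside the hunk.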
From: Bassem Khalife Date: Thu, 9 Dec 2021 19:40:23 +0000 Subject: [PATCH 6/6] [DO NOT MERGE] Update Security String to 2022-02-05 Bug: 210005927 Change-Id: Ifcc54fbdb18bb480e73c2f52ebefd968b52a1e27 --- core/version_defaults.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/version_defaults.mk b/core/version_defaults.mk index 47bb92c14..4f89a2be7 100644 --- a/core/version_defaults.mk +++ b/core/version_defaults.mk @@ -240,7 +240,7 @@ ifndef PLATFORM_SECURITY_PATCH # It must be of the form "YYYY-MM-DD" on production devices. # It must match one of the Android Security Patch Level strings of the Public Security Bulletins. # If there is no $PLATFORM_SECURITY_PATCH set, keep it empty. - PLATFORM_SECURITY_PATCH := 2022-01-05 + PLATFORM_SECURITY_PATCH := 2022-02-05 endif .KATI_READONLY := PLATFORM_SECURITY_PATCH