Merge "Add verity support to `make dist`."

core/Makefile

@@ -661,6 +661,11 @@ $(if $(BOARD_OEMIMAGE_PARTITION_SIZE),$(hide) echo "oem_size=$(BOARD_OEMIMAGE_PA
 $(if $(INTERNAL_USERIMAGES_SPARSE_EXT_FLAG),$(hide) echo "extfs_sparse_flag=$(INTERNAL_USERIMAGES_SPARSE_EXT_FLAG)" >> $(1))
 $(if $(mkyaffs2_extra_flags),$(hide) echo "mkyaffs2_extra_flags=$(mkyaffs2_extra_flags)" >> $(1))
 $(hide) echo "selinux_fc=$(SELINUX_FC)" >> $(1)
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY), $(hide) echo "verity=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_PARTITION)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(VERITY_SIGNER)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_mountpoint=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_MOUNTPOINT)" >> $(1))
 $(if $(2),$(hide) $(foreach kv,$(2),echo "$(kv)" >> $(1);))
 endef
 
@@ -865,11 +870,7 @@ define build-systemimage-target
   @echo "Target system fs image: $(1)"
   @mkdir -p $(dir $(1)) $(systemimage_intermediates) && rm -rf $(systemimage_intermediates)/system_image_info.txt
   $(call generate-userimage-prop-dictionary, $(systemimage_intermediates)/system_image_info.txt, \
-      skip_fsck=true \
+      skip_fsck=true)
-      verity=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY) \
-      verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_PARTITION) \
-      verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY) \
-      verity_signer_cmd=$(VERITY_SIGNER))
   $(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH \
       ./build/tools/releasetools/build_image.py \
       $(TARGET_OUT) $(systemimage_intermediates)/system_image_info.txt $(1)

core/product.mk

@@ -104,7 +104,8 @@ _product_var_list := \
     PRODUCT_OEM_PROPERTIES \
     PRODUCT_SYSTEM_PROPERTY_BLACKLIST \
     PRODUCT_VERITY_PARTITION \
-    PRODUCT_VERITY_SIGNING_KEY
+    PRODUCT_VERITY_SIGNING_KEY \
+    PRODUCT_VERITY_MOUNTPOINT
 
 define dump-product
 $(info ==== $(1) ====)\

target/product/verity.mk

@@ -18,6 +18,7 @@
 
 PRODUCT_SUPPORTS_VERITY := true
 PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity_private_dev_key
+PRODUCT_VERITY_MOUNTPOINT := system
 
 PRODUCT_PACKAGES += \
         verity_key

tools/releasetools/build_image.py

@@ -26,6 +26,7 @@ import subprocess
 import sys
 import commands
 import shutil
+import tempfile
 
 import simg_map
 
@@ -170,10 +171,7 @@ def MakeVerityEnabledImage(out_file, prop_dict):
   signer_path = prop_dict["verity_signer_cmd"]
 
   # make a tempdir
-  tempdir_name = os.path.join(os.path.dirname(out_file), "verity_images")
+  tempdir_name = tempfile.mkdtemp(suffix="_verity_images")
-  if os.path.exists(tempdir_name):
-    shutil.rmtree(tempdir_name)
-  os.mkdir(tempdir_name)
 
   # get partial image paths
   verity_image_path = os.path.join(tempdir_name, "verity.img")
@@ -181,7 +179,7 @@ def MakeVerityEnabledImage(out_file, prop_dict):
 
   # build the verity tree and get the root hash and salt
   if not BuildVerityTree(out_file, verity_image_path, prop_dict):
-    shutil.rmtree(tempdir_name)
+    shutil.rmtree(tempdir_name, ignore_errors=True)
     return False
 
   # build the metadata blocks
@@ -194,17 +192,17 @@ def MakeVerityEnabledImage(out_file, prop_dict):
                               block_dev,
                               signer_path,
                               signer_key):
-    shutil.rmtree(tempdir_name)
+    shutil.rmtree(tempdir_name, ignore_errors=True)
     return False
 
   # build the full verified image
   if not BuildVerifiedImage(out_file,
                             verity_image_path,
                             verity_metadata_path):
-    shutil.rmtree(tempdir_name)
+    shutil.rmtree(tempdir_name, ignore_errors=True)
     return False
 
-  shutil.rmtree(tempdir_name)
+  shutil.rmtree(tempdir_name, ignore_errors=True)
   return True
 
 def BuildImage(in_dir, prop_dict, out_file):
@@ -222,8 +220,10 @@ def BuildImage(in_dir, prop_dict, out_file):
   fs_type = prop_dict.get("fs_type", "")
   run_fsck = False
 
+  is_verity_partition = prop_dict.get("mount_point") == prop_dict.get("verity_mountpoint")
+  verity_supported = prop_dict.get("verity") == "true"
   # adjust the partition size to make room for the hashes if this is to be verified
-  if prop_dict.get("verity") == "true":
+  if verity_supported and is_verity_partition:
     partition_size = int(prop_dict.get("partition_size"))
     adjusted_size = AdjustPartitionSizeForVerity(partition_size)
     if not adjusted_size:
@@ -258,7 +258,7 @@ def BuildImage(in_dir, prop_dict, out_file):
     return False
 
   # create the verified image if this is to be verified
-  if prop_dict.get("verity") == "true":
+  if verity_supported and is_verity_partition:
     if not MakeVerityEnabledImage(out_file, prop_dict):
       return False
 
@@ -301,7 +301,8 @@ def ImagePropFromGlobalDict(glob_dict, mount_point):
       "verity",
       "verity_block_device",
       "verity_key",
-      "verity_signer_cmd"
+      "verity_signer_cmd",
+      "verity_mountpoint"
       )
   for p in common_props:
     copy_prop(p, p)