Add verity support to `make dist`.
Without this, system images will be built that do not contain the
necessary bits for verification.
Change-Id: I87c15282b26377d7a2a1540e3d0e30b0299622e3
diff --git a/core/Makefile b/core/Makefile
index 9260128..5068595 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -663,6 +663,11 @@
$(if $(INTERNAL_USERIMAGES_SPARSE_EXT_FLAG),$(hide) echo "extfs_sparse_flag=$(INTERNAL_USERIMAGES_SPARSE_EXT_FLAG)" >> $(1))
$(if $(mkyaffs2_extra_flags),$(hide) echo "mkyaffs2_extra_flags=$(mkyaffs2_extra_flags)" >> $(1))
$(hide) echo "selinux_fc=$(SELINUX_FC)" >> $(1)
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY), $(hide) echo "verity=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_PARTITION)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(VERITY_SIGNER)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_mountpoint=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_MOUNTPOINT)" >> $(1))
$(if $(2),$(hide) $(foreach kv,$(2),echo "$(kv)" >> $(1);))
endef
@@ -875,11 +880,7 @@
@echo "Target system fs image: $(1)"
@mkdir -p $(dir $(1)) $(systemimage_intermediates) && rm -rf $(systemimage_intermediates)/system_image_info.txt
$(call generate-userimage-prop-dictionary, $(systemimage_intermediates)/system_image_info.txt, \
- skip_fsck=true \
- verity=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY) \
- verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_PARTITION) \
- verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY) \
- verity_signer_cmd=$(VERITY_SIGNER))
+ skip_fsck=true)
$(hide) PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATH \
./build/tools/releasetools/build_image.py \
$(TARGET_OUT) $(systemimage_intermediates)/system_image_info.txt $(1)
diff --git a/core/product.mk b/core/product.mk
index 1a7685c..5693fe9 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -104,7 +104,8 @@
PRODUCT_OEM_PROPERTIES \
PRODUCT_SYSTEM_PROPERTY_BLACKLIST \
PRODUCT_VERITY_PARTITION \
- PRODUCT_VERITY_SIGNING_KEY
+ PRODUCT_VERITY_SIGNING_KEY \
+ PRODUCT_VERITY_MOUNTPOINT
define dump-product
$(info ==== $(1) ====)\
diff --git a/target/product/verity.mk b/target/product/verity.mk
index 4a1ca5e..b14eaa4 100644
--- a/target/product/verity.mk
+++ b/target/product/verity.mk
@@ -18,6 +18,7 @@
PRODUCT_SUPPORTS_VERITY := true
PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity_private_dev_key
+PRODUCT_VERITY_MOUNTPOINT := system
PRODUCT_PACKAGES += \
verity_key
diff --git a/tools/releasetools/build_image.py b/tools/releasetools/build_image.py
index d3f7144..4ad5bca 100755
--- a/tools/releasetools/build_image.py
+++ b/tools/releasetools/build_image.py
@@ -26,6 +26,7 @@
import sys
import commands
import shutil
+import tempfile
import simg_map
@@ -170,10 +171,7 @@
signer_path = prop_dict["verity_signer_cmd"]
# make a tempdir
- tempdir_name = os.path.join(os.path.dirname(out_file), "verity_images")
- if os.path.exists(tempdir_name):
- shutil.rmtree(tempdir_name)
- os.mkdir(tempdir_name)
+ tempdir_name = tempfile.mkdtemp(suffix="_verity_images")
# get partial image paths
verity_image_path = os.path.join(tempdir_name, "verity.img")
@@ -181,7 +179,7 @@
# build the verity tree and get the root hash and salt
if not BuildVerityTree(out_file, verity_image_path, prop_dict):
- shutil.rmtree(tempdir_name)
+ shutil.rmtree(tempdir_name, ignore_errors=True)
return False
# build the metadata blocks
@@ -194,17 +192,17 @@
block_dev,
signer_path,
signer_key):
- shutil.rmtree(tempdir_name)
+ shutil.rmtree(tempdir_name, ignore_errors=True)
return False
# build the full verified image
if not BuildVerifiedImage(out_file,
verity_image_path,
verity_metadata_path):
- shutil.rmtree(tempdir_name)
+ shutil.rmtree(tempdir_name, ignore_errors=True)
return False
- shutil.rmtree(tempdir_name)
+ shutil.rmtree(tempdir_name, ignore_errors=True)
return True
def BuildImage(in_dir, prop_dict, out_file):
@@ -222,8 +220,10 @@
fs_type = prop_dict.get("fs_type", "")
run_fsck = False
+ is_verity_partition = prop_dict.get("mount_point") == prop_dict.get("verity_mountpoint")
+ verity_supported = prop_dict.get("verity") == "true"
# adjust the partition size to make room for the hashes if this is to be verified
- if prop_dict.get("verity") == "true":
+ if verity_supported and is_verity_partition:
partition_size = int(prop_dict.get("partition_size"))
adjusted_size = AdjustPartitionSizeForVerity(partition_size)
if not adjusted_size:
@@ -258,7 +258,7 @@
return False
# create the verified image if this is to be verified
- if prop_dict.get("verity") == "true":
+ if verity_supported and is_verity_partition:
if not MakeVerityEnabledImage(out_file, prop_dict):
return False
@@ -301,7 +301,8 @@
"verity",
"verity_block_device",
"verity_key",
- "verity_signer_cmd"
+ "verity_signer_cmd",
+ "verity_mountpoint"
)
for p in common_props:
copy_prop(p, p)