Dump and enforce certificate for apks
Dump the list of APKs that aren't located at system partition and signed
with system certificate.
And when enforcement option is enabled, it makes build error if there is
the apk that satisfies the condition above.
Bug: 74699609
Test: m -j
Test: m out/target/product/$(get_build_var TARGET_DEVICE)/certificate_violation_modules.txt
Change-Id: I23c41f2665dd97abac3e77d1c82d81ff91b894eb
diff --git a/core/app_certificate_validate.mk b/core/app_certificate_validate.mk
new file mode 100644
index 0000000..15ddd94
--- /dev/null
+++ b/core/app_certificate_validate.mk
@@ -0,0 +1,12 @@
+
+ifeq (true,$(filter true, \
+ $(LOCAL_PRODUCT_MODULE) $(LOCAL_PRODUCT_SERVICES_MODULE) \
+ $(LOCAL_VENDOR_MODULE) $(LOCAL_PROPRIETARY_MODULE)))
+ ifneq (,$(filter $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))%,$(LOCAL_CERTIFICATE)))
+ CERTIFICATE_VIOLATION_MODULES += $(LOCAL_MODULE)
+ ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT))
+ $(if $(filter $(LOCAL_MODULE),$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST)),,\
+ $(call pretty-error,The module in product partition cannot be signed with certificate in system.))
+ endif
+ endif
+endif
\ No newline at end of file
diff --git a/core/definitions.mk b/core/definitions.mk
index a675080..2ffc017 100644
--- a/core/definitions.mk
+++ b/core/definitions.mk
@@ -77,6 +77,9 @@
# GPL module license files
ALL_GPL_MODULE_LICENSE_FILES:=
+# Packages with certificate violation
+CERTIFICATE_VIOLATION_MODULES :=
+
# Target and host installed module's dependencies on shared libraries.
# They are list of "<module_name>:<installed_file>:lib1,lib2...".
TARGET_DEPENDENCIES_ON_SHARED_LIBRARIES :=
diff --git a/core/main.mk b/core/main.mk
index 9fd1c35..660290a 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -1096,6 +1096,13 @@
$(TARGET_OUT_SYSTEM_OTHER)/%.vdex \
$(TARGET_OUT_SYSTEM_OTHER)/%.art
endif
+
+CERTIFICATE_VIOLATION_MODULES_FILENAME := $(PRODUCT_OUT)/certificate_violation_modules.txt
+$(CERTIFICATE_VIOLATION_MODULES_FILENAME):
+ rm -f $@
+ $(foreach m,$(sort $(CERTIFICATE_VIOLATION_MODULES)), echo $(m) >> $@;)
+$(call dist-for-goals,droidcore,$(CERTIFICATE_VIOLATION_MODULES_FILENAME))
+
all_offending_files :=
$(foreach makefile,$(ARTIFACT_PATH_REQUIREMENT_PRODUCTS),\
$(eval requirements := $(PRODUCTS.$(makefile).ARTIFACT_PATH_REQUIREMENTS)) \
diff --git a/core/package_internal.mk b/core/package_internal.mk
index 75cc547..c657f2e 100644
--- a/core/package_internal.mk
+++ b/core/package_internal.mk
@@ -535,6 +535,7 @@
ifeq ($(dir $(strip $(LOCAL_CERTIFICATE))),./)
LOCAL_CERTIFICATE := $(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))$(LOCAL_CERTIFICATE)
endif
+include $(BUILD_SYSTEM)/app_certificate_validate.mk
private_key := $(LOCAL_CERTIFICATE).pk8
certificate := $(LOCAL_CERTIFICATE).x509.pem
additional_certificates := $(foreach c,$(LOCAL_ADDITIONAL_CERTIFICATES), $(c).x509.pem $(c).pk8)
diff --git a/core/prebuilt_internal.mk b/core/prebuilt_internal.mk
index 66913c1..960d8d1 100644
--- a/core/prebuilt_internal.mk
+++ b/core/prebuilt_internal.mk
@@ -306,6 +306,8 @@
$(built_module) : PRIVATE_CERTIFICATE := $(LOCAL_CERTIFICATE).x509.pem
endif
+include $(BUILD_SYSTEM)/app_certificate_validate.mk
+
# Disable dex-preopt of prebuilts to save space, if requested.
ifndef LOCAL_DEX_PREOPT
ifeq ($(DONT_DEXPREOPT_PREBUILTS),true)
diff --git a/core/product.mk b/core/product.mk
index 1420b46..2d7ace2 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -204,6 +204,8 @@
PRODUCT_COMPATIBLE_PROPERTY_OVERRIDE \
PRODUCT_ACTIONABLE_COMPATIBLE_PROPERTY_DISABLE \
PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS \
+ PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT \
+ PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST \
PRODUCT_ARTIFACT_PATH_REQUIREMENT_HINT \
PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST \
PRODUCT_USE_DYNAMIC_PARTITION_SIZE \
diff --git a/core/product_config.mk b/core/product_config.mk
index 47b4c7a..c58405c 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -367,6 +367,11 @@
$(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_PRODUCT_PROPERTIES))
.KATI_READONLY := PRODUCT_PRODUCT_PROPERTIES
+ENFORCE_SYSTEM_CERTIFICATE := \
+ $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT)
+
+ENFORCE_SYSTEM_CERTIFICATE_WHITELIST := \
+ $(strip $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST))
# A list of property assignments, like "key = value", with zero or more
# whitespace characters on either side of the '='.
diff --git a/core/soong_app_prebuilt.mk b/core/soong_app_prebuilt.mk
index 73d934b..f723633 100644
--- a/core/soong_app_prebuilt.mk
+++ b/core/soong_app_prebuilt.mk
@@ -108,7 +108,7 @@
PACKAGES.$(LOCAL_MODULE).CERTIFICATE := $(LOCAL_CERTIFICATE)
PACKAGES.$(LOCAL_MODULE).PRIVATE_KEY := $(patsubst %.x509.pem,%.pk8,$(LOCAL_CERTIFICATE))
endif
-
+include $(BUILD_SYSTEM)/app_certificate_validate.mk
PACKAGES.$(LOCAL_MODULE).OVERRIDES := $(strip $(LOCAL_OVERRIDES_PACKAGES))
ifdef LOCAL_SOONG_BUNDLE
diff --git a/core/soong_config.mk b/core/soong_config.mk
index 31c77d4..58e1a03 100644
--- a/core/soong_config.mk
+++ b/core/soong_config.mk
@@ -146,6 +146,9 @@
$(call add_json_list, ManifestPackageNameOverrides, $(PRODUCT_MANIFEST_PACKAGE_NAME_OVERRIDES))
+$(call add_json_bool, EnforceSystemCertificate, $(ENFORCE_SYSTEM_CERTIFICATE))
+$(call add_json_list, EnforceSystemCertificateWhitelist, $(ENFORCE_SYSTEM_CERTIFICATE_WHITELIST))
+
$(call add_json_map, VendorVars)
$(foreach namespace,$(SOONG_CONFIG_NAMESPACES),\
$(call add_json_map, $(namespace))\