commit | c99819311c0124dc6f6a0f0f6db74cae7cf570fb | |
---|---|---|
author | Tao Bao <tbao@google.com> | Mon Sep 16 12:10:43 2019 -0700 |
committer | Tao Bao <tbao@google.com> | Tue Sep 17 08:53:16 2019 -0700 |
tree | 725bcca1820726b442adde70b570542702f61c38 | |
parent | 0b67e41f3fdb2a6257f5e25050c7bd4fa43a778d | |
Also install verity_key to ramdisk for non-system-as-root target.

The commit in d14b895665f9fb122f93edb16655fd3a49510032 (https://android-review.googlesource.com/c/platform/build/+/728287) changed partition layout, to always build the root dir into system.img, even for devices not using system-as-root (i.e. the ones with separate boot ramdisk). With the new layout, there will be two root dirs for non-system-as-root targets during the boot. If such a device uses Verified Boot 1.0, /verity_key needs to be available in both roots, to establish the chain of trust.

- bootloader uses the baked-in key to verify boot.img; it then loads the ramdisk from the verified boot.img
- First stage init uses /verity_key (in ramdisk) to verify and mount system.img at /system, then chroot's to it
- Second stage init uses /verity_key (in system.img) to verify and mount other partitions

This CL adds rules to additionally install verity_key into ramdisk for such targets.

Bug: 139770257

Test: Set up a target to use non-system-as-root (BOARD_BUILD_SYSTEM_ROOT_IMAGE != true). `m dist`.

Test: Check that both ROOT/verity_key and BOOT/RAMDISK/verity_key exist in the built target_files.zip.

Test: Run validate_target_files to validate the above target_files.zip.

    $ validate_target_files \
        --verity_key_mincrypt /path/to/verity_key \
        target_files.zip

Test: Run sign_target_files_apks to sign the above target. Re-run validate_target_files on the signed target_files.zip.

Test: python -m unittest test_validate_target_files

Change-Id: Ibe7e771c8c376429add85851ac86055564765d3c
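The presence check described in the commit's Test lines, written out as an added example (it is not code from this commit or from validate_target_files). It assumes that `META/misc_info.txt` in target_files.zip carries `verity=true` for Verified Boot 1.0 targets and `system_root_image=true` for system-as-root targets, and that both key copies should be byte-identical; the function names and sample archive are constructed for illustration.

```python
import io
import zipfile

ROOT_KEY = "ROOT/verity_key"             # copy that ends up in system.img
RAMDISK_KEY = "BOOT/RAMDISK/verity_key"  # copy that ends up in the boot ramdisk


def read_misc_info(zf):
    """Parse META/misc_info.txt (key=value lines) into a dict; empty if absent."""
    try:
        text = zf.read("META/misc_info.txt").decode("utf-8")
    except KeyError:
        return {}
    pairs = (line.split("=", 1) for line in text.splitlines()
             if "=" in line and not line.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}


def check_verity_keys(target_files):
    """Return a list of problems with verity_key placement; empty means OK."""
    with zipfile.ZipFile(target_files) as zf:
        info = read_misc_info(zf)
        if info.get("verity") != "true":  # assumed misc_info key
            return []  # Verified Boot 1.0 not enabled: nothing to check
        names = set(zf.namelist())
        problems = []
        if ROOT_KEY not in names:
            problems.append("missing " + ROOT_KEY)
        # Only targets with a separate boot ramdisk need the second copy.
        if info.get("system_root_image") != "true":  # assumed misc_info key
            if RAMDISK_KEY not in names:
                problems.append("missing " + RAMDISK_KEY)
            elif ROOT_KEY in names and zf.read(ROOT_KEY) != zf.read(RAMDISK_KEY):
                problems.append("verity_key differs between ROOT and BOOT/RAMDISK")
        return problems


def make_sample_zip(entries):
    """Build a constructed in-memory target_files.zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = make_sample_zip({"META/misc_info.txt": b"verity=true\n",
                              "ROOT/verity_key": b"constructed-key-bytes"})
    print(check_verity_keys(sample))  # layout without the ramdisk copy
```

A mismatch between the two copies would break the chain of trust at the first-stage or second-stage init step, so the check reports it separately from a missing file.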
This is the Makefile-based portion of the Android Build System.
For documentation on how to run a build, see Usage.txt.
For a list of behavioral changes useful for Android.mk writers, see Changes.md.
For an outdated reference on Android.mk files, see build-system.html. Our Android.mk files look similar, but are entirely different from the Android.mk files used by the NDK build system. When searching for documentation elsewhere, ensure that it is for the platform build system -- most are not.
This Makefile-based system is in the process of being replaced with Soong, a new build system written in Go. During the transition, all of these makefiles are read by Kati, and generate a ninja file instead of being executed directly. That's combined with a ninja file read by Soong so that the build graph of the two systems can be combined and run as one.