target/product/security/Android.mk - platform/build - Git at Google

 LOCAL_PATH:= $(call my-dir)

 #######################################
 # verity_key (installed to /, i.e. part of system.img)
 include $(CLEAR_VARS)

 LOCAL_MODULE := verity_key
 LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
 LOCAL_LICENSE_CONDITIONS := notice
 LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
 LOCAL_SRC_FILES := $(LOCAL_MODULE)
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

 # For devices using a separate ramdisk, we need a copy there to establish the chain of trust.
 ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true)
 LOCAL_REQUIRED_MODULES := verity_key_ramdisk
 endif

 include $(BUILD_PREBUILT)

 #######################################
 # verity_key (installed to ramdisk)
 #
 # Enabling the target when using system-as-root would cause build failure, as TARGET_RAMDISK_OUT
 # points to the same location as TARGET_ROOT_OUT.
 ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true)
   include $(CLEAR_VARS)
   LOCAL_MODULE := verity_key_ramdisk
   LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
   LOCAL_LICENSE_CONDITIONS := notice
   LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
   LOCAL_MODULE_CLASS := ETC
   LOCAL_SRC_FILES := verity_key
   LOCAL_MODULE_STEM := verity_key
   LOCAL_MODULE_PATH := $(TARGET_RAMDISK_OUT)
   include $(BUILD_PREBUILT)
 endif

 #######################################
 # adb key, if configured via PRODUCT_ADB_KEYS
 ifdef PRODUCT_ADB_KEYS
   ifneq ($(filter eng userdebug,$(TARGET_BUILD_VARIANT)),)
     include $(CLEAR_VARS)
     LOCAL_MODULE := adb_keys
     LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
     LOCAL_LICENSE_CONDITIONS := notice
     LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
     LOCAL_MODULE_CLASS := ETC
     LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
     LOCAL_PREBUILT_MODULE_FILE := $(PRODUCT_ADB_KEYS)
     include $(BUILD_PREBUILT)
   endif
 endif


 #######################################
 # otacerts: A keystore with the authorized keys in it, which is used to verify the authenticity of
 # downloaded OTA packages.
 include $(CLEAR_VARS)

 LOCAL_MODULE := otacerts
 LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
 LOCAL_LICENSE_CONDITIONS := notice
 LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_STEM := otacerts.zip
 LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
 include $(BUILD_SYSTEM)/base_rules.mk

 extra_ota_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_OTA_KEYS))

 $(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
 $(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_OTA_KEYS := $(extra_ota_keys)
 $(LOCAL_BUILT_MODULE): \
 	    $(SOONG_ZIP) \
 	    $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
 	    $(extra_ota_keys)
 	$(SOONG_ZIP) -o $@ -j -symlinks=false \
 	    $(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_OTA_KEYS))


 #######################################
 # otacerts for recovery image.
 include $(CLEAR_VARS)

 LOCAL_MODULE := otacerts.recovery
 LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
 LOCAL_LICENSE_CONDITIONS := notice
 LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_STEM := otacerts.zip
 LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security
 include $(BUILD_SYSTEM)/base_rules.mk

 extra_recovery_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))

 $(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
 $(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_RECOVERY_KEYS := $(extra_recovery_keys)
 $(LOCAL_BUILT_MODULE): \
 	    $(SOONG_ZIP) \
 	    $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
 	    $(extra_recovery_keys)
 	$(SOONG_ZIP) -o $@ -j -symlinks=false \
 	    $(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS))
	LOCAL_PATH:= $(call my-dir)

	#######################################
	# verity_key (installed to /, i.e. part of system.img)
	include $(CLEAR_VARS)

	LOCAL_MODULE := verity_key
	LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
	LOCAL_LICENSE_CONDITIONS := notice
	LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
	LOCAL_SRC_FILES := $(LOCAL_MODULE)
	LOCAL_MODULE_CLASS := ETC
	LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

	# For devices using a separate ramdisk, we need a copy there to establish the chain of trust.
	ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true)
	LOCAL_REQUIRED_MODULES := verity_key_ramdisk
	endif

	include $(BUILD_PREBUILT)

	#######################################
	# verity_key (installed to ramdisk)
	#
	# Enabling the target when using system-as-root would cause build failure, as TARGET_RAMDISK_OUT
	# points to the same location as TARGET_ROOT_OUT.
	ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true)
	include $(CLEAR_VARS)
	LOCAL_MODULE := verity_key_ramdisk
	LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
	LOCAL_LICENSE_CONDITIONS := notice
	LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
	LOCAL_MODULE_CLASS := ETC
	LOCAL_SRC_FILES := verity_key
	LOCAL_MODULE_STEM := verity_key
	LOCAL_MODULE_PATH := $(TARGET_RAMDISK_OUT)
	include $(BUILD_PREBUILT)
	endif

	#######################################
	# adb key, if configured via PRODUCT_ADB_KEYS
	ifdef PRODUCT_ADB_KEYS
	ifneq ($(filter eng userdebug,$(TARGET_BUILD_VARIANT)),)
	include $(CLEAR_VARS)
	LOCAL_MODULE := adb_keys
	LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
	LOCAL_LICENSE_CONDITIONS := notice
	LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
	LOCAL_MODULE_CLASS := ETC
	LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
	LOCAL_PREBUILT_MODULE_FILE := $(PRODUCT_ADB_KEYS)
	include $(BUILD_PREBUILT)
	endif
	endif


	#######################################
	# otacerts: A keystore with the authorized keys in it, which is used to verify the authenticity of
	# downloaded OTA packages.
	include $(CLEAR_VARS)

	LOCAL_MODULE := otacerts
	LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
	LOCAL_LICENSE_CONDITIONS := notice
	LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
	LOCAL_MODULE_CLASS := ETC
	LOCAL_MODULE_STEM := otacerts.zip
	LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/security
	include $(BUILD_SYSTEM)/base_rules.mk

	extra_ota_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_OTA_KEYS))

	$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
	$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_OTA_KEYS := $(extra_ota_keys)
	$(LOCAL_BUILT_MODULE): \
	$(SOONG_ZIP) \
	$(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
	$(extra_ota_keys)
	$(SOONG_ZIP) -o $@ -j -symlinks=false \
	$(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_OTA_KEYS))


	#######################################
	# otacerts for recovery image.
	include $(CLEAR_VARS)

	LOCAL_MODULE := otacerts.recovery
	LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0
	LOCAL_LICENSE_CONDITIONS := notice
	LOCAL_NOTICE_FILE := build/soong/licenses/LICENSE
	LOCAL_MODULE_CLASS := ETC
	LOCAL_MODULE_STEM := otacerts.zip
	LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/system/etc/security
	include $(BUILD_SYSTEM)/base_rules.mk

	extra_recovery_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))

	$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
	$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_RECOVERY_KEYS := $(extra_recovery_keys)
	$(LOCAL_BUILT_MODULE): \
	$(SOONG_ZIP) \
	$(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
	$(extra_recovery_keys)
	$(SOONG_ZIP) -o $@ -j -symlinks=false \
	$(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS))