Merge "Adding sepolicy sign params to sign_target_files_apks."

2022-03-22 18:00:43 +00:00 · 2022-03-22 18:00:43 +00:00 · fb042449e0
commit fb042449e0
parent dd7dbbfe7b e6d4fb5ae6
4 changed files with 158 additions and 16 deletions
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@ -97,6 +97,7 @@ class Options(object):
    self.stash_threshold = 0.8
    self.logfile = None
    self.host_tools = {}
+    self.sepolicy_name = 'sepolicy.apex'


 OPTIONS = Options()
--- a/tools/releasetools/sign_apex.py
+++ b/tools/releasetools/sign_apex.py
@ -61,6 +61,7 @@ import apex_utils
 import common

 logger = logging.getLogger(__name__)
+OPTIONS = common.OPTIONS


 def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
@ -81,7 +82,7 @@ def SignApexFile(avbtool, apex_file, payload_key, container_key, no_hashtree,
      apk_keys=apk_keys,
      signing_args=signing_args,
      sign_tool=sign_tool,
-      is_sepolicy=apex_file.endswith("sepolicy.apex"),
+      is_sepolicy=apex_file.endswith(OPTIONS.sepolicy_name),
      sepolicy_key=sepolicy_key,
      sepolicy_cert=sepolicy_cert,
      fsverity_tool=fsverity_tool)
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@ -137,6 +137,15 @@ Usage:  sign_target_files_apks [flags] input_target_files output_target_files
  --android_jar_path <path>
      Path to the android.jar to repack the apex file.

+  --sepolicy_key <key>
+      Optional flag that specifies the sepolicy signing key, defaults to payload_key for the sepolicy.apex.
+
+  --sepolicy_cert <cert>
+      Optional flag that specifies the sepolicy signing cert.
+
+  --fsverity_tool <path>
+      Optional flag that specifies the path to fsverity tool to sign SEPolicy, defaults to fsverity.
+
  --allow_gsi_debug_sepolicy
      Allow the existence of the file 'userdebug_plat_sepolicy.cil' under
      (/system/system_ext|/system_ext)/etc/selinux.
@ -196,6 +205,9 @@ OPTIONS.gki_signing_extra_args = None
 OPTIONS.android_jar_path = None
 OPTIONS.vendor_partitions = set()
 OPTIONS.vendor_otatools = None
+OPTIONS.sepolicy_key = None
+OPTIONS.sepolicy_cert = None
+OPTIONS.fsverity_tool = None
 OPTIONS.allow_gsi_debug_sepolicy = False


@ -234,6 +246,8 @@ ALLOWED_VENDOR_PARTITIONS = set(["vendor", "odm"])
 def IsApexFile(filename):
  return filename.endswith(".apex") or filename.endswith(".capex")

+def IsSepolicyApex(filename):
+  return filename.endswith(OPTIONS.sepolicy_name)

 def GetApexFilename(filename):
  name = os.path.basename(filename)
@ -256,6 +270,24 @@ def GetApkCerts(certmap):

  return certmap

+def GetSepolicyKeys(keys_info):
+  """Gets SEPolicy signing keys applying overrides from command line options.
+
+  Args:
+    keys_info: A dict that maps from the SEPolicy APEX filename to a tuple of
+    (sepolicy_key, sepolicy_cert, fsverity_tool).
+
+  Returns:
+    A dict that contains the updated APEX key mapping, which should be used for
+    the current signing.
+  """
+  for name in keys_info:
+      (sepolicy_key, sepolicy_cert, fsverity_tool) = keys_info[name]
+      sepolicy_key = OPTIONS.sepolicy_key if OPTIONS.sepolicy_key else sepolicy_key
+      sepolicy_cert = OPTIONS.sepolicy_cert if OPTIONS.sepolicy_cert else sepolicy_cert
+      fsverity_tool = OPTIONS.fsverity_tool if OPTIONS.fsverity_tool else fsverity_tool
+      keys_info[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
+  return keys_info

 def GetApexKeys(keys_info, key_map):
  """Gets APEX payload and container signing keys by applying the mapping rules.
@ -518,7 +550,7 @@ def IsBuildPropFile(filename):
 def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
                       apk_keys, apex_keys, key_passwords,
                       platform_api_level, codename_to_api_level_map,
-                       compressed_extension):
+                       compressed_extension, sepolicy_keys):
  # maxsize measures the maximum filename length, including the ones to be
  # skipped.
  try:
@ -586,6 +618,17 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
        print("           : %-*s payload   (%s)" % (
            maxsize, name, payload_key))

+        sepolicy_key = None
+        sepolicy_cert = None
+        fsverity_tool = None
+
+        if IsSepolicyApex(name):
+          (sepolicy_key, sepolicy_cert, fsverity_tool) = sepolicy_keys[name]
+          print("           : %-*s sepolicy key   (%s)" % (
+            maxsize, name, sepolicy_key))
+          print("           : %-*s sepolicy cert  (%s)" % (
+            maxsize, name, sepolicy_cert))
+
        signed_apex = apex_utils.SignApex(
            misc_info['avb_avbtool'],
            data,
@ -596,7 +639,11 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
            codename_to_api_level_map,
            no_hashtree=None,  # Let apex_util determine if hash tree is needed
            signing_args=OPTIONS.avb_extra_args.get('apex'),
-            sign_tool=sign_tool)
+            sign_tool=sign_tool,
+            is_sepolicy=IsSepolicyApex(name),
+            sepolicy_key=sepolicy_key,
+            sepolicy_cert=sepolicy_cert,
+            fsverity_tool=fsverity_tool)
        common.ZipWrite(output_tf_zip, signed_apex, filename)

      else:
@ -1206,20 +1253,24 @@ def GetCodenameToApiLevelMap(input_tf_zip):
 def ReadApexKeysInfo(tf_zip):
  """Parses the APEX keys info from a given target-files zip.

-  Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns a
-  dict that contains the mapping from APEX names (e.g. com.android.tzdata) to a
-  tuple of (payload_key, container_key, sign_tool).
+  Given a target-files ZipFile, parses the META/apexkeys.txt entry and returns
+  two dicts, the first one contains the mapping from APEX names
+  (e.g. com.android.tzdata) to a tuple of (payload_key, container_key,
+  sign_tool). The second one maps the sepolicy APEX name to a tuple containing
+  (sepolicy_key, sepolicy_cert, fsverity_tool).

  Args:
    tf_zip: The input target_files ZipFile (already open).

  Returns:
-    (payload_key, container_key, sign_tool):
+    name : (payload_key, container_key, sign_tool)
      - payload_key contains the path to the payload signing key
      - container_key contains the path to the container signing key
      - sign_tool is an apex-specific signing tool for its payload contents
+    name : (sepolicy_key, sepolicy_cert, fsverity_tool)
  """
  keys = {}
+  sepolicy_keys = {}
  for line in tf_zip.read('META/apexkeys.txt').decode().split('\n'):
    line = line.strip()
    if not line:
@ -1230,6 +1281,9 @@ def ReadApexKeysInfo(tf_zip):
        r'private_key="(?P<PAYLOAD_PRIVATE_KEY>.*)"\s+'
        r'container_certificate="(?P<CONTAINER_CERT>.*)"\s+'
        r'container_private_key="(?P<CONTAINER_PRIVATE_KEY>.*?)"'
+        r'(\s+sepolicy_key="(?P<SEPOLICY_KEY>.*?)")?'
+        r'(\s+sepolicy_certificate="(?P<SEPOLICY_CERT>.*?)")?'
+        r'(\s+fsverity_tool="(?P<FSVERITY_TOOL>.*?)")?'
        r'(\s+partition="(?P<PARTITION>.*?)")?'
        r'(\s+sign_tool="(?P<SIGN_TOOL>.*?)")?$',
        line)
@ -1258,12 +1312,18 @@ def ReadApexKeysInfo(tf_zip):
            container_private_key, OPTIONS.private_key_suffix):
      container_key = container_cert[:-len(OPTIONS.public_key_suffix)]
    else:
-      raise ValueError("Failed to parse container keys: \n{}".format(line))
+      raise ValueError("Failed to parse container keys: \n{} **** {}".format(container_cert, container_private_key))

    sign_tool = matches.group("SIGN_TOOL")
    keys[name] = (payload_private_key, container_key, sign_tool)

-  return keys
+    if IsSepolicyApex(name):
+      sepolicy_key = matches.group('SEPOLICY_KEY')
+      sepolicy_cert = matches.group('SEPOLICY_CERT')
+      fsverity_tool = matches.group('FSVERITY_TOOL')
+      sepolicy_keys[name] = (sepolicy_key, sepolicy_cert, fsverity_tool)
+
+  return keys, sepolicy_keys


 def BuildVendorPartitions(output_zip_path):
@ -1475,6 +1535,12 @@ def main(argv):
      OPTIONS.vendor_otatools = a
    elif o == "--vendor_partitions":
      OPTIONS.vendor_partitions = set(a.split(","))
+    elif o == '--sepolicy_key':
+      OPTIONS.sepolicy_key = a
+    elif o == '--sepolicy_cert':
+      OPTIONS.sepolicy_cert = a
+    elif o == '--fsverity_tool':
+      OPTIONS.fsverity_tool = a
    elif o == "--allow_gsi_debug_sepolicy":
      OPTIONS.allow_gsi_debug_sepolicy = True
    else:
@ -1529,6 +1595,9 @@ def main(argv):
          "gki_signing_extra_args=",
          "vendor_partitions=",
          "vendor_otatools=",
+          "sepolicy_key=",
+          "sepolicy_cert=",
+          "fsverity_tool=",
          "allow_gsi_debug_sepolicy",
      ],
      extra_option_handler=option_handler)
@ -1551,8 +1620,9 @@ def main(argv):
  apk_keys_info, compressed_extension = common.ReadApkCerts(input_zip)
  apk_keys = GetApkCerts(apk_keys_info)

-  apex_keys_info = ReadApexKeysInfo(input_zip)
+  apex_keys_info, sepolicy_keys_info = ReadApexKeysInfo(input_zip)
  apex_keys = GetApexKeys(apex_keys_info, apk_keys)
+  sepolicy_keys = GetSepolicyKeys(sepolicy_keys_info)

  # TODO(xunchang) check for the apks inside the apex files, and abort early if
  # the keys are not available.
@ -1570,7 +1640,7 @@ def main(argv):
  ProcessTargetFiles(input_zip, output_zip, misc_info,
                     apk_keys, apex_keys, key_passwords,
                     platform_api_level, codename_to_api_level_map,
-                     compressed_extension)
+                     compressed_extension, sepolicy_keys)

  common.ZipClose(input_zip)
  common.ZipClose(output_zip)
--- a/tools/releasetools/test_sign_target_files_apks.py
+++ b/tools/releasetools/test_sign_target_files_apks.py
@ -476,7 +476,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
      target_files_zip.writestr('META/apexkeys.txt', self.APEX_KEYS_TXT)

    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
-      keys_info = ReadApexKeysInfo(target_files_zip)
+      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

    self.assertEqual({
        'apex.apexd_test.apex': (
@ -486,6 +486,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
+    self.assertEqual({}, sepolicy_keys_info)

  def test_ReadApexKeysInfo_mismatchingContainerKeys(self):
    # Mismatching payload public / private keys.
@ -515,7 +516,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
      target_files_zip.writestr('META/apexkeys.txt', apex_keys)

    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
-      keys_info = ReadApexKeysInfo(target_files_zip)
+      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

    self.assertEqual({
        'apex.apexd_test.apex': (
@ -525,6 +526,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
+    self.assertEqual({}, sepolicy_keys_info)

  def test_ReadApexKeysInfo_missingPayloadPublicKey(self):
    # Invalid lines will be skipped.
@ -538,7 +540,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
      target_files_zip.writestr('META/apexkeys.txt', apex_keys)

    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
-      keys_info = ReadApexKeysInfo(target_files_zip)
+      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

    self.assertEqual({
        'apex.apexd_test.apex': (
@ -548,6 +550,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
+    self.assertEqual({}, sepolicy_keys_info)

  def test_ReadApexKeysInfo_presignedKeys(self):
    apex_keys = self.APEX_KEYS_TXT + (
@ -561,7 +564,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
      target_files_zip.writestr('META/apexkeys.txt', apex_keys)

    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
-      keys_info = ReadApexKeysInfo(target_files_zip)
+      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

    self.assertEqual({
        'apex.apexd_test.apex': (
@ -571,6 +574,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
+    self.assertEqual({}, sepolicy_keys_info)

  def test_ReadApexKeysInfo_presignedKeys(self):
    apex_keys = self.APEX_KEYS_TXT + (
@ -584,7 +588,7 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
      target_files_zip.writestr('META/apexkeys.txt', apex_keys)

    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
-      keys_info = ReadApexKeysInfo(target_files_zip)
+      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)

    self.assertEqual({
        'apex.apexd_test.apex': (
@ -594,6 +598,72 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
            'build/make/target/product/security/testkey', None),
        }, keys_info)
+    self.assertEqual({}, sepolicy_keys_info)
+
+  def test_ReadApexKeysInfo_withSepolicyKeys(self):
+    apex_keys = self.APEX_KEYS_TXT + (
+        'name="sepolicy.apex" '
+        'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
+        'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
+        'container_certificate="build/make/target/product/security/testkey.x509.pem" '
+        'container_private_key="build/make/target/product/security/testkey.pk8" '
+        'sepolicy_key="build/make/target/product/security/testkey.key" '
+        'sepolicy_certificate="build/make/target/product/security/testkey.x509.pem" '
+        'fsverity_tool="fsverity"')
+    target_files = common.MakeTempFile(suffix='.zip')
+    with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
+      target_files_zip.writestr('META/apexkeys.txt', apex_keys)
+
+    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
+      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+
+    self.assertEqual({
+        'apex.apexd_test.apex': (
+            'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
+            'build/make/target/product/security/testkey', None),
+        'apex.apexd_test_different_app.apex': (
+            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
+            'build/make/target/product/security/testkey', None),
+        'sepolicy.apex': (
+            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
+            'build/make/target/product/security/testkey', None),
+        }, keys_info)
+    self.assertEqual({'sepolicy.apex': (
+            'build/make/target/product/security/testkey.key',
+            'build/make/target/product/security/testkey.x509.pem',
+            'fsverity'),
+        }, sepolicy_keys_info)
+
+  def test_ReadApexKeysInfo_withSepolicyApex(self):
+    apex_keys = self.APEX_KEYS_TXT + (
+        'name="sepolicy.apex" '
+        'public_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.avbpubkey" '
+        'private_key="system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem" '
+        'container_certificate="build/make/target/product/security/testkey.x509.pem" '
+        'container_private_key="build/make/target/product/security/testkey.pk8" ')
+    target_files = common.MakeTempFile(suffix='.zip')
+    with zipfile.ZipFile(target_files, 'w', allowZip64=True) as target_files_zip:
+      target_files_zip.writestr('META/apexkeys.txt', apex_keys)
+
+    with zipfile.ZipFile(target_files, allowZip64=True) as target_files_zip:
+      keys_info, sepolicy_keys_info = ReadApexKeysInfo(target_files_zip)
+
+    self.assertEqual({
+        'apex.apexd_test.apex': (
+            'system/apex/apexd/apexd_testdata/com.android.apex.test_package.pem',
+            'build/make/target/product/security/testkey', None),
+        'apex.apexd_test_different_app.apex': (
+            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
+            'build/make/target/product/security/testkey', None),
+        'sepolicy.apex': (
+            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
+            'build/make/target/product/security/testkey', None),
+        }, keys_info)
+    self.assertEqual({'sepolicy.apex': (
+            None,
+            None,
+            None),
+        }, sepolicy_keys_info)

  def test_ReplaceGkiSigningKey(self):
    common.OPTIONS.gki_signing_key = 'release_gki_key'