

// Copyright (C) 2019 The Android Open Source Project
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.
// Build rules to build shim apexes.
// Package-level default: modules in this file are covered by the
// "Android-Apache-2.0" license module unless they declare their own.
package {
default_applicable_licenses: ["Android-Apache-2.0"],
// Test signing key, step 1: create a 4096-bit RSA private key at build time.
// openssl genrsa is given no cipher option, so the PEM written to $(out) is
// unencrypted. It is a build intermediate for test fixtures only and should not
// be trusted by, or reused for, anything outside these tests.
genrule {
name: "",
out: [""],
cmd: "openssl genrsa -out $(out) 4096",
// Step 2: avbtool derives the AVB-format public key from the private key in srcs.
genrule {
name: "",
srcs: [""],
out: [""],
tools: ["avbtool"],
cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
// Step 3: pair private and public key as an apex_key, which apex modules
// reference through their `key` property.
// NOTE(review): module names are blank on this page, so which genrule output
// feeds which field cannot be confirmed from here.
apex_key {
name: "",
private_key: "",
public_key: "",
// The key pair itself is not installed onto a device partition.
installable: false,
// A second build-time test key, produced the same way: an unencrypted 4096-bit
// RSA private key from openssl genrsa. Test fixture only.
// NOTE(review): presumably a distinct key so some shim variants can be signed
// with a key other than the pre-installed one; names are blank here, so confirm.
genrule {
name: "",
out: [""],
cmd: "openssl genrsa -out $(out) 4096",
// AVB-format public key extracted from the private key passed in srcs.
genrule {
name: "",
srcs: [""],
out: [""],
tools: ["avbtool"],
cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
// Key pair declaration consumed by apex modules via `key`; not installed.
apex_key {
name: "",
private_key: "",
public_key: "",
installable: false,
// Writes the SHA-512 digest of empty input (/dev/null) to hash.txt: cut keeps only
// the hex digest column, and tee copies it to $(out) while echoing it to stdout.
// NOTE(review): this looks like a placeholder so every shim variant ships a
// hash.txt; per the comments later in this file, the hash.txt that actually gates
// which shim updates may be staged is the one in the v1 shim APEX.
genrule {
name: "generate_hash_of_dev_null",
out: ["hash.txt"],
cmd: "sha512sum -b /dev/null | cut -d' ' -f1 | tee $(out)",
// Exposes the generated digest file as a prebuilt named hash.txt so apex modules
// can list it under `prebuilts`. Not installed on its own.
prebuilt_etc {
name: "hash_of_dev_null",
src: ":generate_hash_of_dev_null",
filename: "hash.txt",
installable: false,
// Four shim APEX test variants. Each is signed with the apex_key named in `key`,
// carries the placeholder hash.txt (hash_of_dev_null), is not installed into an
// image (installable: false), and is checked against
// default_shim_allowed_list.txt, which lists the files permitted inside the APEX.

// Variant built from manifest_v3.json, bundling the CtsShim and CtsShimPriv apps.
apex {
name: "",
manifest: "manifest_v3.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShim", "CtsShimPriv"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
updatable: false,
// Variant built from manifest_v2.json, bundling the CtsShim and CtsShimPriv apps.
apex {
name: "",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShim", "CtsShimPriv"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
updatable: false,
// Variant without bundled apps, built from the rebootless v2 manifest.
apex {
name: "",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
updatable: false,
// Variant without bundled apps, built from manifest_v2.json.
// NOTE(review): `key` is blank on this page; this may be the variant signed with
// a different apex_key than its siblings — confirm against the original file.
apex {
name: "",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
updatable: false,
// Shim APEX v2 variant whose payload image is built without a dm-verity hashtree.
// NOTE(review): presumably exercises how apexd handles a payload that arrives
// with no hashtree — confirm the expected outcome in the tests that consume it.
apex {
name: "",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShim", "CtsShimPriv"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
// Omit the dm-verity hashtree from the payload image.
generate_hashtree: false,
updatable: false,
// Shim APEX variant whose payload is deliberately left without a dm-verity
// signature. This is a test fixture; the property is test-only by name and must
// never be set on an APEX that ships.
// NOTE(review): presumably a negative test showing that an unsigned payload is
// refused at staging/activation — confirm against the consuming test.
apex {
name: "",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShim", "CtsShimPriv"],
installable: false,
allowed_files: "default_shim_allowed_list.txt",
// Skip signing of the payload image.
test_only_unsigned_payload: true,
updatable: false,
// Re-packages the APEX named in `base` under a different package name.
// NOTE(review): name, package_name and base are blank on this page; presumably a
// fixture for an update whose package name does not match the shim — confirm.
override_apex {
name: "",
package_name: "",
// Use rebootless APEX to re-use this APEX in the rebootless update test case.
base: "",
// Produces a zero-byte hash.txt (touch creates the file without writing a digest).
genrule {
name: "generate_empty_hash",
out: ["hash.txt"],
cmd: "touch $(out)",
// Exposes the empty file as a prebuilt named hash.txt for apex modules to bundle.
prebuilt_etc {
name: "empty_hash",
src: ":generate_empty_hash",
filename: "hash.txt",
installable: false,
// Use empty hash.txt to make sure that this apex has wrong SHA512, hence trying
// to stage it should fail.
// Negative-test APEX: it bundles the empty hash.txt instead of hash_of_dev_null,
// so its content differs from the other variants and, by the intent stated for
// this fixture, staging it is expected to fail. No allowed_files list is set.
apex {
name: "",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["empty_hash"],
installable: false,
updatable: false,
// Fixtures that add content beyond hash.txt to a shim APEX. Neither apex module
// below sets allowed_files, so the build does not restrict their contents.
// NOTE(review): presumably negative tests showing that a shim update containing
// an unexpected file or directory is rejected — confirm in the apexd tests.

// Extra file placed at the default prebuilt_etc location.
prebuilt_etc {
name: "apex_shim_additional_file",
src: "additional_file",
filename: "additional_file",
installable: false,
// Shim APEX carrying hash.txt plus the extra file.
apex {
name: "",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null", "apex_shim_additional_file"],
installable: false,
updatable: false,
// The same source file, placed under the sub-directory additional_folder.
prebuilt_etc {
name: "apex_shim_additional_folder",
src: "additional_file",
filename: "additional_file",
sub_dir: "additional_folder",
installable: false,
// Shim APEX carrying hash.txt plus the extra sub-directory.
apex {
name: "",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null", "apex_shim_additional_folder"],
installable: false,
updatable: false,
// Shim APEX variants whose manifests are named for a pre-install and a
// post-install hook respectively.
// NOTE(review): the manifest contents are not visible here; presumably these are
// negative-test fixtures checking that a shim update declaring an install hook
// is refused — confirm the expected verdict in the consuming tests.
apex {
name: "",
manifest: "manifest_v2_with_pre_install_hook.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
apex {
name: "",
manifest: "manifest_v2_with_post_install_hook.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
// Builds the hash.txt shipped in the v1 shim APEX: SHA-512 digests of the files
// listed in srcs, with cut keeping only the hex digest column. The srcs entries
// are elided on this page.
// NOTE(review): going by the other comments in this file, this list decides which
// shim updates are accepted, so every entry widens what can replace the
// pre-installed shim. Keep srcs limited to fixtures that are meant to install.
genrule {
name: "generate_hash_v1",
srcs: [
out: ["hash.txt"],
cmd: "sha512sum -b $(in) | cut -d' ' -f1 | tee $(out)",
// Exposes the generated digest list as a prebuilt named hash.txt.
prebuilt_etc {
name: "hash_v1",
src: ":generate_hash_v1",
filename: "hash.txt",
installable: false,
// The v1 shim APEX: built from manifest.json, bundling the CtsShim and CtsShimPriv
// apps and the hash_v1 digest list as its hash.txt. Unlike the test variants in
// this file it does not set installable: false. Its contents are checked against
// default_shim_allowed_list.txt, which lists the files permitted inside it.
apex {
name: "",
manifest: "manifest.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_v1"],
apps: ["CtsShim", "CtsShimPriv"],
allowed_files: "default_shim_allowed_list.txt",
updatable: false,
// This is to install the flattened version of
// Because is provided as prebuilt and the build system
// doesn't support installing the "flattened" version from a "prebuilt" yet, GSI, which should
// have both "flattened" and "unflattened" APEXes, is missing the flattened version
// of
// TODO(b/159426728): When the build system can install "flattened" from "prebuilts",
// this can be removed.
// Override of the APEX named in `base` that swaps in the prebuilt shim apps and
// checks the result against a separate allow-list, prebuilts_shim_allowed_list.txt.
override_apex {
name: "",
base: "",
apps: ["CtsShimPrebuilt", "CtsShimPrivPrebuilt"],
allowed_files: "prebuilts_shim_allowed_list.txt",
// Another build-time test key: an unencrypted 4096-bit RSA private key written by
// openssl genrsa. Test fixture only; nothing outside these tests should trust it.
genrule {
name: "",
out: [""],
cmd: "openssl genrsa -out $(out) 4096",
// AVB-format public key extracted from the private key passed in srcs.
genrule {
name: "",
srcs: [""],
out: [""],
tools: ["avbtool"],
cmd: "$(location avbtool) extract_public_key --key $(in) --output $(out)",
// Key pair declaration consumed by apex modules via `key`; not installed.
// NOTE(review): names are blank on this page; presumably this key signs the
// not-pre-installed APEX declared next — confirm against the original file.
apex_key {
name: "",
private_key: "",
public_key: "",
installable: false,
// APEX fixture with its own manifest and AndroidManifest, named for the
// "not pre-installed" case.
// NOTE(review): presumably tests that an APEX with no pre-installed counterpart
// cannot be staged — confirm in the consuming tests.
apex {
name: "",
manifest: "manifest_not_pre_installed.json",
androidManifest: "AndroidManifestNotPreInstalled.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
// Shim APEX variant that sets `certificate`, the property selecting the
// certificate used to sign the outer APEX container. This is separate from `key`,
// which signs the payload image.
// NOTE(review): the value is blank here; presumably it points at the
// android_app_certificate below so the container signer differs from the
// pre-installed shim's — confirm.
apex {
name: "",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
certificate: "",
updatable: false,
// Declares a certificate/key pair as a module that `certificate` can reference.
android_app_certificate {
name: "",
certificate: "",
// Build rules to build shim apex with rotated keys
// We name the original key used to sign cts.shim.v1 package as alice.
// We then create a second key called bob. The second key bob is used to rotate the
// original key alice.
// Create private key bob in pem format
// -nodes leaves bob's private key unencrypted, and -days 999999 makes the
// accompanying self-signed certificate effectively non-expiring. Both are
// acceptable only because this is throwaway test key material.
// Only the private key lands in $(out) (-keyout); no -out is given for the
// certificate this invocation also produces.
genrule {
name: "",
out: ["bob.pem"],
cmd: "openssl req -x509 -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/ View/ST=California/C=US' -keyout $(out)",
// Converts bob's private key to pk8 format
// -nocrypt writes the PKCS#8 DER file without password protection, so bob.pk8 is
// a plaintext private key in the build output. Test key only.
genrule {
name: "",
srcs: [""],
out: ["bob.pk8"],
cmd: "openssl pkcs8 -topk8 -inform PEM -outform DER -in $(in) -out $(out) -nocrypt",
// Extract bob's public key from its private key
// Produces a self-signed X.509 certificate (not a bare public key) for the key
// passed via -key.
// NOTE(review): -newkey is given alongside -key. The certificate must be bound to
// the existing key in $(in) for the lineage and signing rules below to match, so
// -newkey looks redundant — confirm that the OpenSSL used by the build ignores it
// when -key is present.
genrule {
name: "",
srcs: [""],
out: ["bob.x509.pem"],
cmd: "openssl req -x509 -key $(in) -newkey rsa:4096 -nodes -days 999999 -subj '/DN=/ View/ST=California/C=US' -out $(out)",
// Create lineage file for rotating alice to bob
// apksigner rotate writes a signing-certificate lineage (proof of rotation) from
// the old signer alice to the new signer; the new signer's key and certificate
// arguments are elided on this page. No rollback capability is granted here.
genrule {
name: "",
srcs: [
out: ["bob.rot"],
tools: [":apksigner"],
cmd: "$(location :apksigner) rotate --out $(out) --old-signer --key $(location alice.pk8) --cert $(location alice.x509.pem) --new-signer --key $(location --cert $(location",
// Create lineage file for rotating alice to bob with rollback capability
// Same lineage as the rule above, but --set-rollback true is applied to the old
// signer (alice). With that capability the old key stays acceptable as a signer
// after rotation, so a rotation done because the old key is no longer trusted
// should not set it.
genrule {
name: "",
srcs: [
out: ["bob.rot"],
tools: [":apksigner"],
cmd: "$(location :apksigner) rotate --out $(out) --old-signer --key $(location alice.pk8) --cert $(location alice.x509.pem) --set-rollback true --new-signer --key $(location --cert $(location",
// v2 cts shim package signed by bob, without lineage
// Re-signing rules for the rotated-key test packages. Every command disables the
// v1 (JAR) and v2 signature schemes, leaving only the newer scheme(s) apksigner
// enables by default. NOTE(review): confirm v3 is what the tests expect.
// Where --lineage is passed, the proof-of-rotation file is embedded and
// --rotation-min-sdk-version 28 makes the rotated signer apply from API level 28.
// Key, cert, lineage and input paths are elided on this page.
// `dist` additionally copies each output to the dist directory.
genrule {
name: "",
out: [""],
tools: [":apksigner"],
srcs: [
dist: {
targets: [""],
dest: "",
cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location --cert $(location --out $(out) $(location",
// v2 cts shim package signed by bob + lineage
genrule {
name: "",
out: [""],
tools: [":apksigner"],
srcs: [
dist: {
targets: [""],
dest: "",
cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location --cert $(location --lineage $(location --rotation-min-sdk-version 28 --out $(out) $(location",
// v2 cts shim package signed by bob + lineage + rollback capability
genrule {
name: "",
out: [""],
tools: [":apksigner"],
srcs: [
dist: {
targets: [""],
dest: "",
cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location --cert $(location --lineage $(location --rotation-min-sdk-version 28 --out $(out) $(location",
// v3 cts shim package signed by bob
genrule {
name: "",
out: [""],
tools: [":apksigner"],
srcs: [
dist: {
targets: [""],
dest: "",
cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location --cert $(location --out $(out) $(location",
// v3 cts shim package signed by bob + lineage
genrule {
name: "",
out: [""],
tools: [":apksigner"],
srcs: [
dist: {
targets: [""],
dest: "",
cmd: "$(location :apksigner) sign --v1-signing-enabled false --v2-signing-enabled false --key $(location --cert $(location --lineage $(location --rotation-min-sdk-version 28 --out $(out) $(location",
// This one is only used in ApexdHostTest and not meant to be installed
// and hence shouldn't be allowed in hash.txt of v1 shim APEX.
// Host-test-only shim APEX built from manifest_v2.json with min_sdk_version 29.
// It sets no allowed_files list, and its digest is intentionally kept out of the
// v1 shim's hash.txt so it cannot be staged as a shim update on a device.
apex {
name: "",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShim", "CtsShimPriv"],
installable: false,
min_sdk_version: "29",
updatable: false,
// Copies the input archive with zip2zip while excluding apex_manifest.pb, which
// yields an APEX file with its manifest entry removed.
// NOTE(review): presumably a malformed-package fixture for the host test;
// rewriting the archive may also invalidate the container signature — confirm
// what the consuming test expects.
genrule {
name: "",
srcs: [""],
out: [""],
tools: ["zip2zip"],
cmd: "$(location zip2zip) -i $(in) -x apex_manifest.pb -o $(out)",
// Apex shim that targets an old sdk (P)
// The APEX-level AndroidManifest (AndroidManifestSdkTargetP.xml) is what targets
// the old SDK here; the bundled apps are the regular CtsShim and CtsShimPriv.
apex {
name: "",
// Use manifest_v2_rebootless to also re-use this APEX in the rebootless update test case.
manifest: "manifest_v2_rebootless.json",
androidManifest: "AndroidManifestSdkTargetP.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
apps: ["CtsShim", "CtsShimPriv"],
updatable: false,
// Apex shim with apk-in-apex that targets sdk P
// Here the APEX manifest is the regular one; the old-SDK target comes from the
// bundled app, CtsShimTargetPSdk.
apex {
name: "",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShimTargetPSdk"],
installable: false,
updatable: false,
// Apex shim with unsigned apk
// Copies the input and then deletes every META-INF* entry from the copy, which
// removes the JAR-style (v1) signature files from the container.
// NOTE(review): zip rewrites the archive in place, which presumably also discards
// any APK Signing Block — confirm that the output is unsigned under all schemes,
// since the fixture is meant to be rejected as unsigned.
genrule {
name: "",
// Use shim.v2_rebootless to re-use same APEX in the rebootless update test case.
srcs: [""],
out: [""],
cmd: "cp -v $(in) $(out) && zip -d $(out) META-INF*",
// Apex shim for testing rebootless updates
// Two minimal shim APEXes (no androidManifest, no apps, no allowed_files) built
// from the v2 and v3 rebootless manifests; each carries only the placeholder
// hash.txt and is not installed into an image.
apex {
name: "",
manifest: "manifest_v2_rebootless.json",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
apex {
name: "",
manifest: "manifest_v3_rebootless.json",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
// Apex shim with upgraded apk-in-apexes
// Bundles CtsShim together with CtsShimPrivUpgrade in place of CtsShimPriv.
// No allowed_files list is set for this variant.
apex {
name: "",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifest.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
apps: ["CtsShim", "CtsShimPrivUpgrade"],
installable: false,
updatable: false,
// Three shim APEX variants that differ only in their AndroidManifest, each named
// for an install-constraints case: empty, invalid fingerprint, and no value.
// NOTE(review): the manifest files are not visible here; presumably these check
// how malformed or non-matching install constraints are handled — confirm the
// expected accept/reject outcome in the consuming tests.
apex {
name: "",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifestInstallConstraints_empty.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
apex {
name: "",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifestInstallConstraints_invalid_fingerprint.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,
apex {
name: "",
manifest: "manifest_v2.json",
androidManifest: "AndroidManifestInstallConstraints_no_value.xml",
file_contexts: ":apex.test-file_contexts",
key: "",
prebuilts: ["hash_of_dev_null"],
installable: false,
updatable: false,