From 160aee5049ee2aad0dc37a314d20125b2ffcce52 Mon Sep 17 00:00:00 2001
From: Tad
Date: Fri, 11 Aug 2023 18:52:41 -0400
Subject: [PATCH] Backport patch to handle verity with openssl 3.0
ref: https://github.com/Divested-Mobile/DivestOS-Website/pull/19
Signed-off-by: Tad
---
 .../android_build/0001-verity-openssl3.patch | 28 +++++++++++++++++++
 .../android_build/0003-verity-openssl3.patch | 28 +++++++++++++++++++
 Scripts/LineageOS-15.1/Patch.sh | 1 +
 Scripts/LineageOS-16.0/Patch.sh | 1 +
 Scripts/LineageOS-17.1/Patch.sh | 1 +
 Scripts/LineageOS-18.1/Patch.sh | 1 +
 Scripts/LineageOS-19.1/Patch.sh | 1 +
 7 files changed, 61 insertions(+)
 create mode 100644 Patches/Common/android_build/0001-verity-openssl3.patch
 create mode 100644 Patches/LineageOS-15.1/android_build/0003-verity-openssl3.patch
diff --git a/Patches/Common/android_build/0001-verity-openssl3.patch b/Patches/Common/android_build/0001-verity-openssl3.patch
new file mode 100644
index 00000000..a56c4fe9
--- /dev/null
+++ b/Patches/Common/android_build/0001-verity-openssl3.patch
@@ -0,0 +1,28 @@
+From b7d70a2cb114ecbe9c931d59d852f5ada771ab52 Mon Sep 17 00:00:00 2001
+From: Kelvin Zhang
+Date: Thu, 22 Dec 2022 10:30:00 -0800
+Subject: [PATCH] Fix VB 1.0 failure due to openssl output format change
+
+Openssl changed output format, the 'keyid:' prefix is removed, hence old
+regex is unable to extract key id.
+
+Bug: 262902909
+Change-Id: Iea5b6fffed7c27855d87e35292f07a56686e4197
+Merged-In: I446a0b16e482c43542a1c0e41b24e80eb9fbc8e6
+---
+ tools/releasetools/sign_target_files_apks.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
+index 837eaf9c1e..09d0b10a42 100755
+--- a/tools/releasetools/sign_target_files_apks.py
++++ b/tools/releasetools/sign_target_files_apks.py
+@@ -1032,7 +1032,7 @@ def ReplaceVerityKeyId(input_zip, output_zip, key_path):
+ keyid, stderr = p.communicate()
+ assert p.returncode == 0, "Failed to dump certificate: {}".format(stderr)
+ keyid = re.search(
+- r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower()
++ r'Authority Key Identifier:\s*(?:keyid:)?([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower()
+ print("Replacing verity keyid with {}".format(keyid))
+ out_buffer.append("veritykeyid=id:%s" % (keyid,))
+
diff --git a/Patches/LineageOS-15.1/android_build/0003-verity-openssl3.patch b/Patches/LineageOS-15.1/android_build/0003-verity-openssl3.patch
new file mode 100644
index 00000000..ea0d833f
--- /dev/null
+++ b/Patches/LineageOS-15.1/android_build/0003-verity-openssl3.patch
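Review bot: The rewritten pattern in `ReplaceVerityKeyId` still ends in `([0-9a-fA-F:]*)`, so once the `Authority Key Identifier:` label is found the capture may be empty or partial, and the script would then write a `veritykeyid=id:` entry with a wrong value instead of stopping. If the label is missing altogether, `re.search` returns None and `.group(1)` fails with an AttributeError that says nothing about the certificate. I would require at least one hex pair and check the match before use, e.g. `m = re.search(r'Authority Key Identifier:\s*(?:keyid:)?((?:[0-9a-fA-F]{2}:?)+)', keyid)`, then `assert m, "No authority key id found in certificate"` and `keyid = m.group(1).replace(':', '').lower()`. The same line is added in the LineageOS-15.1 copy in the next hunk, where the visible context also shows no check of the openssl return code; both function bodies start and end outside the hunks.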
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Kelvin Zhang
+Date: Thu, 22 Dec 2022 10:30:00 -0800
+Subject: [PATCH] Fix VB 1.0 failure due to openssl output format change
+
+Openssl changed output format, the 'keyid:' prefix is removed, hence old
+regex is unable to extract key id.
+
+Bug: 262902909
+Change-Id: Iea5b6fffed7c27855d87e35292f07a56686e4197
+Merged-In: I446a0b16e482c43542a1c0e41b24e80eb9fbc8e6
+---
+ tools/releasetools/sign_target_files_apks.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
+index 94ab84745c..9798985067 100755
+--- a/tools/releasetools/sign_target_files_apks.py
++++ b/tools/releasetools/sign_target_files_apks.py
+@@ -566,7 +566,7 @@ def ReplaceVerityKeyId(targetfile_input_zip, targetfile_output_zip, keypath):
+ stdout=subprocess.PIPE)
+ keyid, stderr = p.communicate()
+ keyid = re.search(
+- r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower()
++ r'Authority Key Identifier:\s*(?:keyid:)?([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower()
+ print "Replacing verity keyid with %s error=%s" % (keyid, stderr)
+ out_cmdline.append("veritykeyid=id:%s" % (keyid,))
+ else:
diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh
index 5b4ae9d8..3a07240d 100644
--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@@ -71,6 +71,7 @@ if enterAndClear "build/make"; then
 git revert --no-edit ceb64cd86b1cf6be3b1214ace80d8260971f8877; #Re-enable the downgrade check
 applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys to recovery for OTA verification (DivestOS)
 applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
+applyPatch "$DOS_PATCHES/android_build/0003-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
 sed -i 's/2021-10-05/2023-08-05/' core/version_defaults.mk; #Bump Security String #XXX
diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh
index 927ce9a7..0072840e 100644
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
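Review bot: The comment on the added `applyPatch` line names no origin for the patch, while the neighbouring lines tag theirs with `(DivestOS)` or `(GrapheneOS)`. The patch header carries a Change-Id and a Bug number, which suggests an upstream AOSP change, so something like `#Fix VB 1.0 failure due to openssl output format change (AOSP)` would keep the provenance visible; the same applies to the lines added in the 16.0, 17.1, 18.1 and 19.1 Patch.sh hunks. For 15.1 it may also be worth saying in the comment that this copy was adapted rather than cherry-picked, since its `From` line carries an all-zero commit id. The enclosing `if enterAndClear "build/make"` block starts and ends outside the hunk.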
@@ -95,6 +95,7 @@ git revert --no-edit 58544f3aa139b4603fa26c39e8d9259402d658b8; #Re-enable the do
 git revert --no-edit 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files
 applyPatch "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #Add correct keys to recovery for OTA verification (DivestOS)
 applyPatch "$DOS_PATCHES/android_build/0002-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
+applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 17/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
 awk -i inplace '!/Email/' target/product/core.mk; #Remove Email
diff --git a/Scripts/LineageOS-17.1/Patch.sh b/Scripts/LineageOS-17.1/Patch.sh
index 8f45f3b4..ce4152a6 100644
--- a/Scripts/LineageOS-17.1/Patch.sh
+++ b/Scripts/LineageOS-17.1/Patch.sh
@@ -93,6 +93,7 @@ git revert --no-edit 0a9df01b268a238a623f5e0ea5221cebdfee2414; #Re-enable the do
 applyPatch "$DOS_PATCHES/android_build/0001-Restore_TTS.patch"; #Add back PicoTTS and language files (DivestOS)
 applyPatch "$DOS_PATCHES/android_build/0002-OTA_Keys.patch"; #Add correct keys to recovery for OTA verification (DivestOS)
 applyPatch "$DOS_PATCHES/android_build/0003-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
+applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
diff --git a/Scripts/LineageOS-18.1/Patch.sh b/Scripts/LineageOS-18.1/Patch.sh
index 8adc095d..e1976653 100644
--- a/Scripts/LineageOS-18.1/Patch.sh
+++ b/Scripts/LineageOS-18.1/Patch.sh
@@ -91,6 +91,7 @@ git revert --no-edit def3f14af17ae92192d2cc7d22349cabfa906fd6; #Re-enable the do
 applyPatch "$DOS_PATCHES/android_build/0001-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_build/0002-OTA_Keys.patch"; #Add correct keys to recovery for OTA verification (DivestOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_build/0003-Exec_Based_Spawning.patch"; fi; #Add exec-based spawning support (GrapheneOS) #XXX: most devices override this
+applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/updatable_apex.mk/' target/product/mainline_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)
diff --git a/Scripts/LineageOS-19.1/Patch.sh b/Scripts/LineageOS-19.1/Patch.sh
index d91a05e8..78905407 100644
--- a/Scripts/LineageOS-19.1/Patch.sh
+++ b/Scripts/LineageOS-19.1/Patch.sh
@@ -93,6 +93,7 @@ git revert --no-edit 7f4b9a43f3c49a5a896dd4951be0a96584751f46; #Re-enable the do
 applyPatch "$DOS_PATCHES/android_build/0001-Enable_fwrapv.patch"; #Use -fwrapv at a minimum (GrapheneOS)
 applyPatch "$DOS_PATCHES/android_build/0002-OTA_Keys.patch"; #Add correct keys to recovery for OTA verification (DivestOS)
 if [ "$DOS_GRAPHENE_EXEC" = true ]; then applyPatch "$DOS_PATCHES/android_build/0003-Exec_Based_Spawning.patch"; fi; #Add exec-based spawning support (GrapheneOS) #XXX: most devices override this
+applyPatch "$DOS_PATCHES_COMMON/android_build/0001-verity-openssl3.patch"; #Fix VB 1.0 failure due to openssl output format change
 sed -i '75i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #Enable auto-add-overlay for packages, this allows the vendor overlay to easily work across all branches.
 awk -i inplace '!/updatable_apex.mk/' target/product/generic_system.mk; #Disable APEX
 sed -i 's/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 23/PLATFORM_MIN_SUPPORTED_TARGET_SDK_VERSION := 28/' core/version_defaults.mk; #Set the minimum supported target SDK to Pie (GrapheneOS)