From b026a7811ce9ee5c258c15bb1adec1abf17691b2 Mon Sep 17 00:00:00 2001
From: Tad
Date: Wed, 6 Apr 2022 10:32:44 -0400
Subject: [PATCH] Actually enforce AVB + signing fixes

- Turns out AVB was set permissive this entire time :( --flags 2 == VERIFICATION_DISABLED
- APEX support from GrapheneOS
- Disable vbmeta chaining like GrapheneOS and optionally handle it like CalyxOS

taimen 19.1 boots with locked bootloader successfully after this

Signed-off-by: Tad
---
 Scripts/Common/Enable_Verity.sh | 17 ++++-
 Scripts/Common/Functions.sh | 97 +++++++++++++++++++++++++++--
 Scripts/LineageOS-19.1/Functions.sh | 4 +-
 Scripts/init.sh | 1 +
 4 files changed, 107 insertions(+), 12 deletions(-)
diff --git a/Scripts/Common/Enable_Verity.sh b/Scripts/Common/Enable_Verity.sh
index 6efc7809..cb7b0cf4 100644
--- a/Scripts/Common/Enable_Verity.sh
+++ b/Scripts/Common/Enable_Verity.sh
@@ -35,9 +35,20 @@ export -f enableVerity;
 enableAVB() {
 if [ -d "$DOS_BUILD_BASE/$1" ]; then
 cd "$DOS_BUILD_BASE/$1";
- sed -i 's/--set_hashtree_disabled_flag//' *.mk &>/dev/null || true;
- sed -i 's/AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 3/AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2/' *.mk &>/dev/null || true;
- #TODO: investigate BOARD_AVB_RECOVERY_KEY_PATH
+ awk -i inplace '!/AVB_MAKE_VBMETA_IMAGE_ARGS += --set_hashtree_disabled_flag/' *.mk &>/dev/null || true;
+ awk -i inplace '!/AVB_MAKE_VBMETA_IMAGE_ARGS += --flag/' *.mk &>/dev/null || true;
+ #Disable chaining
+ if [ "$DOS_SIGNING_NOCHAIN" = true ]; then
+ awk -i inplace '!/BOARD_AVB_VBMETA_SYSTEM/' *.mk &>/dev/null || true;
+ awk -i inplace '!/BOARD_AVB_BOOT/' *.mk &>/dev/null || true;
+ awk -i inplace '!/BOARD_AVB_RECOVERY/' *.mk &>/dev/null || true;
+ sed -i 's/vbmeta_system//' *.mk &>/dev/null || true;
+ sed -i '/\/system /{s|avb=vbmeta_system|avb=vbmeta|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
+ sed -i '/\/system_ext/{s|avb=vbmeta_system|avb|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
+ sed -i '/\/system_ext/{s|avb=vbmeta|avb|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
+ sed -i '/\/vendor/{s|avb=vbmeta_system|avb|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
+ sed -i '/\/vendor/{s|avb=vbmeta|avb|}' fstab.* root/fstab.* rootdir/fstab.* rootdir/*/fstab.* &>/dev/null || true;
+ fi;
 echo "Enabled AVB for $1";
 cd "$DOS_BUILD_BASE";
 fi;
diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh
index aa90fd6a..6ad5eb20 100644
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
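Review bot: The `-i inplace` form on the two new `awk` lines at the top of the hunk (and the three under `#Disable chaining`) is a gawk extension, and because every call ends in `&>/dev/null || true`, a non-gawk `awk` or a tree with no `*.mk` match fails silently and leaves `AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2` in place — the permissive state the commit message describes. Since this function exists to make verification enforced, it should check the result rather than trust the edit, e.g. after the second awk: `if grep -q -- 'AVB_MAKE_VBMETA_IMAGE_ARGS += --flag' *.mk 2>/dev/null; then echo "ERROR: AVB flags still set for $1" >&2; return 1; fi;`. A `command -v gawk` guard at the top of the function would catch the tooling case earlier. enableAVB's closing brace is outside the hunk.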
@@ -208,6 +208,10 @@ processRelease() {
 echo -e "\e[0;32mProcessing release for $DEVICE\e[0m";
 
 #Arguments
+ DOS_DEVICES_VBMETA=('akari' 'aura' 'aurora' 'beryllium' 'blueline' 'bonito' 'crosshatch' 'davinci' 'enchilada' 'fajita' 'FP3' 'guacamole' 'guacamoleb' 'lavender' 'pro1' 'raphael' 'sargo' 'taimen' 'walleye' 'xz2c');
+ DOS_DEVICES_VBMETA_SYSTEM=('alioth' 'avicii' 'hotdog' 'hotdogb' 'lmi' 'vayu');
+ DOS_DEVICES_VBMETA_SYSTEM_FULL=('bramble' 'coral' 'flame' 'redfin' 'sunfish');
+ DOS_DEVICES_VBMETA_EVERYTHING=('oriole' 'raven');
 if [ "$BLOCK" != false ]; then
 local BLOCK_SWITCHES="--block";
 fi;
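Review bot: The four `DOS_DEVICES_VBMETA*` arrays are assigned inside processRelease without `local`, so they leak into the shell that sources Functions.sh, while the neighbouring `BLOCK_SWITCHES` and `VERITY_SWITCHES` are declared `local`; `local -a DOS_DEVICES_VBMETA=(…);` (and likewise for the other three) keeps the function consistent. They are configuration rather than logic, and this same commit puts `DOS_SIGNING_NOCHAIN` in init.sh beside `DOS_GENERATE_DELTAS_DEVICES`, which is where a maintainer would look for a per-device list. A one-line comment above them stating that a device is expected in exactly one list, and what the signing step does when it is in none, would also help, because the matching code later in this function checks each list in turn.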
@@ -217,13 +221,92 @@ processRelease() {
 --replace_verity_keyid "$KEY_DIR/verity.x509.pem");
 echo -e "\e[0;32m\t+ Verified Boot 1.0\e[0m";
 elif [[ "$VERITY" == "avb" ]]; then
- #TODO: Verify if both SHA512 and RSA4096 is always supported
- local VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" \
- --avb_vbmeta_algorithm SHA256_RSA4096 \
- --avb_system_key "$KEY_DIR/avb.pem" \
- --avb_system_algorithm SHA256_RSA4096);
 local AVB_PKMD="$KEY_DIR/avb_pkmd.bin";
- echo -e "\e[0;32m\t+ Verified Boot 2.0\e[0m";
+
+ if [ "$DOS_SIGNING_NOCHAIN" = true ]; then
+ local VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" --avb_vbmeta_algorithm SHA256_RSA4096);
+ echo -e "\e[0;32m\t+ Verified Boot 2.0 with VBMETA and NOCHAIN\e[0m";
+ else
+ if [[ " ${DOS_DEVICES_VBMETA[@]} " =~ " ${DEVICE} " ]]; then
+ local VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" --avb_vbmeta_algorithm SHA256_RSA4096);
+ echo -e "\e[0;32m\t+ Verified Boot 2.0 with VBMETA\e[0m";
+ fi;
+ if [[ " ${DOS_DEVICES_VBMETA_SYSTEM[@]} " =~ " ${DEVICE} " ]]; then
+ local VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" --avb_vbmeta_algorithm SHA256_RSA4096 \
+ --avb_system_key "$KEY_DIR/avb.pem" --avb_system_algorithm SHA256_RSA4096);
+ echo -e "\e[0;32m\t+ Verified Boot 2.0 with VBMETA and VBMETA_SYSTEM\e[0m";
+ fi;
+ if [[ " ${DOS_DEVICES_VBMETA_SYSTEM_FULL[@]} " =~ " ${DEVICE} " ]]; then
+ local VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" --avb_vbmeta_algorithm SHA256_RSA4096 \
+ --avb_system_key "$KEY_DIR/avb.pem" --avb_system_algorithm SHA256_RSA4096 \
+ --avb_vbmeta_system_key "$KEY_DIR/avb.pem" --avb_vbmeta_system_algorithm SHA256_RSA4096);
+ echo -e "\e[0;32m\t+ Verified Boot 2.0 with VBMETA and VBMETA_SYSTEM_FULL\e[0m";
+ fi;
+ if [[ " ${DOS_DEVICES_VBMETA_EVERYTHING[@]} " =~ " ${DEVICE} " ]]; then
+ local VERITY_SWITCHES=(--avb_vbmeta_key "$KEY_DIR/avb.pem" --avb_vbmeta_algorithm SHA256_RSA4096 \
+ --avb_system_key "$KEY_DIR/avb.pem" --avb_system_algorithm SHA256_RSA4096 \
+ --avb_vbmeta_system_key "$KEY_DIR/avb.pem" --avb_vbmeta_system_algorithm SHA256_RSA4096 \
+ --avb_vbmeta_vendor_key "$KEY_DIR/avb.pem" --avb_vbmeta_vendor_algorithm SHA256_RSA4096 \
+ --avb_boot_key "$KEY_DIR/avb.pem" --avb_boot_algorithm SHA256_RSA4096);
+ echo -e "\e[0;32m\t+ Verified Boot 2.0 with VBMETA_EVERYTHING\e[0m";
+ fi;
+ fi;
+ fi;
+ if [[ "$DOS_VERSION" == "LineageOS-17.1" ]] || [[ "$DOS_VERSION" == "LineageOS-18.1" ]] || [[ "$DOS_VERSION" == "LineageOS-19.1" ]]; then
+ local APEX_SWITCHES=(--extra_apks com.android.adbd.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.adbd.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.apex.cts.shim.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.apex.cts.shim.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.appsearch.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.appsearch.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.art.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.art.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.art.debug.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.art.debug.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.cellbroadcast.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.cellbroadcast.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.conscrypt.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.conscrypt.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.extservices.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.extservices.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.i18n.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.i18n.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.ipsec.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.ipsec.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.media.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.media.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.media.swcodec.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.media.swcodec.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.mediaprovider.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.mediaprovider.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.neuralnetworks.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.neuralnetworks.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.os.statsd.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.os.statsd.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.permission.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.permission.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.resolv.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.resolv.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.runtime.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.runtime.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.scheduling.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.scheduling.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.sdkext.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.sdkext.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.tethering.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.tethering.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.tzdata.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.tzdata.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.vndk.current.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.vndk.current.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.wifi.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.wifi.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.google.pixel.camera.hal.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.google.pixel.camera.hal.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.vibrator.sunfish.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.vibrator.sunfish.apex="$KEY_DIR/avb.pem" \
+ --extra_apks com.android.vibrator.drv2624.apex="$KEY_DIR/releasekey" \
+ --extra_apex_payload_key com.android.vibrator.drv2624.apex="$KEY_DIR/avb.pem");
 fi;
 
 #Malware Scan
@@ -235,6 +318,8 @@ processRelease() {
 #Target Files
 echo -e "\e[0;32mSigning target files\e[0m";
 "$RELEASETOOLS_PREFIX"sign_target_files_apks -o -d "$KEY_DIR" \
+ --extra_apks OsuLogin.apk,ServiceConnectivityResources.apk,ServiceWifiResources.apk="$KEY_DIR/releasekey" \
+ "${APEX_SWITCHES[@]}" \
 "${VERITY_SWITCHES[@]}" \
 $OUT_DIR/obj/PACKAGING/target_files_intermediates/*$DEVICE-target_files-*.zip \
 "$OUT_DIR/$PREFIX-target_files.zip";
diff --git a/Scripts/LineageOS-19.1/Functions.sh b/Scripts/LineageOS-19.1/Functions.sh
index 86a09fbc..c9502702 100644
--- a/Scripts/LineageOS-19.1/Functions.sh
+++ b/Scripts/LineageOS-19.1/Functions.sh
@@ -67,9 +67,7 @@ patchWorkspace() {
 touch DOS_PATCHED_FLAG;
 if [ "$DOS_MALWARE_SCAN_ENABLED" = true ]; then scanForMalware false "$DOS_PREBUILT_APPS $DOS_BUILD_BASE/build $DOS_BUILD_BASE/device $DOS_BUILD_BASE/vendor/lineage"; fi;
 
- source build/envsetup.sh;
- repopick -i 328251; #Scape apostrophes
- #repopick -it S_asb_2022-04;
+ #source build/envsetup.sh;
 
 sh "$DOS_SCRIPTS/Patch.sh";
 sh "$DOS_SCRIPTS_COMMON/Enable_Verity.sh";
diff --git a/Scripts/init.sh b/Scripts/init.sh
index 8c1663bc..8e0931cf 100644
--- a/Scripts/init.sh
+++ b/Scripts/init.sh
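Review bot: When `DOS_SIGNING_NOCHAIN` is not true and `$DEVICE` is in none of the four `DOS_DEVICES_VBMETA*` lists, none of the four `if` blocks in the `else` arm assigns `VERITY_SWITCHES`, so the build goes on to `sign_target_files_apks` with no `--avb_*` key arguments and the AVB images keep whatever key the build used — a silent repeat of the condition this commit is fixing. The `else` arm should fail closed; inside it, after the fourth inner `fi;`: `if [ -z "${VERITY_SWITCHES+x}" ]; then echo -e "\e[0;31mNo AVB key configuration for $DEVICE\e[0m"; return 1; fi;`. The `[[ " ${DOS_DEVICES_VBMETA[@]} " =~ " ${DEVICE} " ]]` membership tests are substring matches that are only whole-word because of the surrounding spaces, which deserves a comment since the form reads as a regex. processRelease begins and continues outside this hunk.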
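Review bot: `"${APEX_SWITCHES[@]}"` is now passed on every invocation of sign_target_files_apks, but `APEX_SWITCHES` is only assigned in the previous hunk when `DOS_VERSION` is LineageOS-17.1, 18.1 or 19.1; for any other version the array is unset, which expands to nothing under default options but is an unbound-variable error under `set -u` in bash before 4.4. Declaring `local APEX_SWITCHES=();` before the `DOS_VERSION` check removes that dependence on shell options. The new `--extra_apks OsuLogin.apk,ServiceConnectivityResources.apk,ServiceWifiResources.apk=…` line is likewise applied to all versions while the APEX list is gated; if those APKs are absent on some releases, confirm that sign_target_files_apks tolerates an `--extra_apks` entry that never matches, and say so in a comment.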
@@ -86,6 +86,7 @@ export DOS_GPS_SUPL_HOST="supl.google.com"; #Options: supl.{google,vodafone,sony
 
 #Release Processing
 export DOS_MALWARE_SCAN_BEFORE_SIGN=false; #Scan device files for malware before signing
+export DOS_SIGNING_NOCHAIN=true; #Disable AVB partition chaining
 export DOS_GENERATE_DELTAS=true; #Creates deltas from existing target_files in $DOS_BUILDS
 export DOS_GENERATE_DELTAS_DEVICES=('akari' 'alioth' 'Amber' 'aura' 'aurora' 'avicii' 'blueline' 'bonito' 'bramble' 'cheryl' 'coral' 'crosshatch' 'davinci' 'discovery' 'enchilada' 'fajita' 'flame' 'FP3' 'guacamole' 'guacamoleb' 'hotdog' 'hotdogb' 'marlin' 'mata' 'pioneer' 'pro1' 'redfin' 'sailfish' 'sargo' 'sunfish' 'taimen' 'vayu' 'voyager' 'walleye' 'xz2c'); #List of devices deltas will be generated for
 export DOS_AUTO_ARCHIVE_BUILDS=true; #Copies files to $DOS_BUILDS after signing
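Review bot: The comment on the new `DOS_SIGNING_NOCHAIN` line says what the option disables but not what the `false` setting requires, and with the default `true` the per-device `DOS_DEVICES_VBMETA*` lists added to Functions.sh in this commit are never consulted. Suggest `#Disable AVB partition chaining; if false the device must be in a DOS_DEVICES_VBMETA* list in Functions.sh or no AVB keys are passed at signing` so the coupling is visible where the option is set.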