Per-device signing keys

- also fix OTA/recovery key regression - Update cherrypicks
2019-09-13 20:26:43 -04:00 · 2019-09-13 20:26:43 -04:00 · e01e457b24
parent 19d5b66097
commit e01e457b24
18 changed files with 127 additions and 68 deletions
--- a/Patches/Common/android_build/0001-OTA_Keys.patch
+++ b/Patches/Common/android_build/0001-OTA_Keys.patch
@ -0,0 +1,29 @@
+From 2dc326c8e10dcee50439b49d329142c3c92273c4 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Sat, 14 Sep 2019 20:14:42 -0400
+Subject: [PATCH] Support OTA recovery key override
+
+Change-Id: I454674073684325a4bc484ef783665fb58b5a503
+---
+ core/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/core/Makefile b/core/Makefile
+index f2a524d58..7c9735cf9 100644
+--- a/core/Makefile
+++ b/core/Makefile
+@@ -1217,6 +1217,11 @@ endif
+ # substitute other keys for this one.
+ OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+ 
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+    OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+    PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
+endif
+
+ # Generate a file containing the keys that will be read by the
+ # recovery binary.
+ RECOVERY_INSTALL_OTA_KEYS := \
+-- 
+2.21.0
+
--- a/Patches/LineageOS-14.1/android_build/0001-OTA_Keys.patch
+++ b/Patches/LineageOS-14.1/android_build/0001-OTA_Keys.patch
@ -0,0 +1,29 @@
+From 3d9a2560ff4ce717b91724d941c3607abe8fa09f Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Sat, 14 Sep 2019 20:12:26 -0400
+Subject: [PATCH] Support OTA recovery key override
+
+Change-Id: Icafdb77a0c39353aaefbdf65a83f76be6e3e5f63
+---
+ core/Makefile | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/core/Makefile b/core/Makefile
+index 3fb424733..a87bce4df 100644
+--- a/core/Makefile
+++ b/core/Makefile
+@@ -1038,6 +1038,11 @@ ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
+     PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+ endif
+ 
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+    OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+    PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
+endif
+
+ # Generate a file containing the keys that will be read by the
+ # recovery binary.
+ RECOVERY_INSTALL_OTA_KEYS := \
+-- 
+2.21.0
+
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit b2d6c598b007ada134dded570b7db5ebc83b20f5
+Subproject commit a5f2067f2eb00ed51d42a6ced93ee6d25e552358
--- a/Scripts/Common/Functions.sh
+++ b/Scripts/Common/Functions.sh
@ -148,7 +148,7 @@ processRelease() {
 	VERITY="$3";

 	DATE=$(date -u '+%Y%m%d')
-	KEY_DIR="$DOS_SIGNING_KEYS";
+	KEY_DIR="$DOS_SIGNING_KEYS/$DEVICE";
 	VERSION=$(echo $DOS_VERSION | cut -f2 -d "-");
 	PREFIX="$DOS_BRANDING_ZIP_PREFIX-$VERSION-$DATE-dos-$DEVICE";
 	ARCHIVE="$DOS_BUILDS/$DOS_VERSION/release_keys/";
@ -157,9 +157,11 @@ processRelease() {
 	echo -e "\e[0;32mProcessing release for $DEVICE\e[0m";

 	#Arguments
+	unset BLOCK_SWITCHES;
 	if [ "$BLOCK" != false ]; then
 		BLOCK_SWITCHES="--block";
 	fi;
+	unset VERITY_SWITCHES;
 	if [[ "$VERITY" == "verity" ]]; then
 		VERITY_SWITCHES=(--replace_verity_public_key "$KEY_DIR/verity_key.pub" \
 			--replace_verity_private_key "$KEY_DIR/verity" \
@ -267,8 +269,10 @@ optimizeImagesRecursive() {
 export -f optimizeImagesRecursive;

 smallerSystem() {
-	echo "SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk;
 	echo "BOARD_SYSTEMIMAGE_JOURNAL_SIZE := 0" >> BoardConfig.mk;
+	echo "EXCLUDE_SERIF_FONTS := true" >> BoardConfig.mk;
+	echo "SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk;
+	#echo "MINIMAL_FONT_FOOTPRINT := true" >> BoardConfig.mk;
 	sed -i 's/common_full_phone.mk/common_mini_phone.mk/' *.mk &>/dev/null || true;
 }
 export -f smallerSystem;
--- a/Scripts/Generate_Signing_Keys.sh
+++ b/Scripts/Generate_Signing_Keys.sh
@ -1,16 +1,22 @@
 #!/bin/bash

-#desc='/O=Divested Computing Group/CN=DivestOS/emailAddress=support@divestos.org';
-desc='/O=Example/CN=ExampleOS/emailAddress=support@example.com';
+#Reference: https://grapheneos.org/build#generating-release-signing-keys
+
 type='rsa'; #Options: rsa, ec

+#make -j20 generate_verity_key;
+
+cd "$DOS_SIGNING_KEYS";
+mkdir $1; cd $1;
+desc="/O=Divested Computing Group/CN=DivestOS for $1/emailAddress=support@divestos.org";
 "$DOS_BUILD_BASE"/development/tools/make_key extra "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key media "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key platform "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key releasekey "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key shared "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key verity "$desc" "$type";
-
-#https://grapheneos.org/build#generating-release-signing-keys
-
-echo "Please copy created keys to your signing keys directory. Keep them safe!";
+"$DOS_BUILD_BASE"/out/host/linux-x86/bin/generate_verity_key -convert verity.x509.pem verity_key;
+openssl x509 -outform der -in verity.x509.pem -out verifiedboot_relkeys.der.x509;
+openssl genrsa -out avb.pem 2048;
+"$DOS_BUILD_BASE"/external/avb/avbtool extract_public_key --key avb.pem --output avb_pkmd.bin;
+cd "$DOS_BUILD_BASE";
--- a/Scripts/LineageOS-11.0/Functions.sh
+++ b/Scripts/LineageOS-11.0/Functions.sh
@ -35,12 +35,13 @@ scanWorkspaceForMalware() {
 export -f scanWorkspaceForMalware;

 buildDevice() {
+	export OTA_PACKAGE_SIGNING_KEY="$DOS_SIGNING_KEYS/$1/releasekey";
 	brunch "cm_$1-user" && processRelease $1 false;
 }
 export -f buildDevice;

 buildDeviceDebug() {
-	unset SIGNING_KEY_DIR;
+	unset OTA_PACKAGE_SIGNING_KEY;
 	brunch "cm_$1-eng";
 }
 export -f buildDeviceDebug;
--- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_msm8974.sh
+++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_msm8974.sh
@ -63,11 +63,9 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10675/^4.12.9/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10879/3.4/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10880/3.4/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10940/^4.16.6/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11939/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-15594/^4.18.1/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-16658/^4.18.6/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-18710/^4.19/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-20511/^4.18.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5332/^4.14.13/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5333/^4.14.13/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5750/^4.14.15/0001.patch
@ -79,9 +77,8 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10491/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-9f34c6ebc016cd061ae5ec901221d15fa3d67e49.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-2475/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p84"
+editKernelLocalversion "-dos.p80"
 cd "$DOS_BUILD_BASE"
--- a/Scripts/LineageOS-14.1/Functions.sh
+++ b/Scripts/LineageOS-14.1/Functions.sh
@ -35,17 +35,19 @@ scanWorkspaceForMalware() {
 export -f scanWorkspaceForMalware;

 buildDevice() {
+	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
 	brunch "lineage_$1-user" && processRelease $1 true $2;
 }
 export -f buildDevice;

 buildDeviceUserDebug() {
+	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
 	brunch "lineage_$1-userdebug" && processRelease $1 true $2;
 }
 export -f buildDeviceUserDebug;

 buildDeviceDebug() {
-	unset SIGNING_KEY_DIR;
+	unset OTA_KEY_OVERRIDE_DIR;
 	brunch "lineage_$1-eng";
 }
 export -f buildDeviceDebug;
@ -73,8 +75,6 @@ buildAll() {
 	buildDevice himaul;
 	buildDevice Z00T;
 	buildDevice flounder verity;
-	buildDevice axon7;
-	buildDevice h850;
 	if [ "$DOS_BUILDALL_SUPERSEDED" = true ]; then
 		buildDevice flo;
 		buildDevice mako;
@ -95,7 +95,9 @@ buildAll() {
 		buildDevice ether;
 		buildDevice angler verity;
 		buildDevice kipper;
+		buildDevice axon7;
 		buildDevice griffin;
+		buildDevice h850;
 		buildDevice us996;
 		buildDevice marlin verity;
 		buildDevice sailfish verity;
@ -124,7 +126,6 @@ patchWorkspace() {
 	repopick 248600 248649; #/proc hardening
 	repopick -it nougat-mr2-security-release-residue;
 	repopick 255328; #update webview
-	repopick -it N_asb_2019-09;

 	export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails

--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@ -66,6 +66,7 @@ enterAndClear "bootable/recovery";
 patch -p1 < "$DOS_PATCHES/android_bootable_recovery/0001-Squash_Menus.patch"; #What's a back button?

 enterAndClear "build";
+patch -p1 < "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
 sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
 sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;

@ -161,9 +162,6 @@ git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f
 patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)

-enterAndClear "system/gatekeeper";
-git pull "https://github.com/LineageOS/android_system_gatekeeper" refs/changes/85/252985/1; #N_asb_2019-09
-
 enterAndClear "system/sepolicy";
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices

@ -171,6 +169,7 @@ enterAndClear "system/vold";
 patch -p1 < "$DOS_PATCHES/android_system_vold/0001-AES256.patch"; #Add a variable for enabling AES-256 bit encryption

 enterAndClear "vendor/cm";
+rm build/target/product/security/lineage.x509.pem;
 rm -rf overlay/common/vendor/cmsdk/packages; #Remove analytics
 rm -rf overlay/common/frameworks/base/core/res/res/drawable-*/default_wallpaper.png;
 awk -i inplace '!/50-cm.sh/' config/common.mk; #Make sure our hosts is always used
@ -235,15 +234,15 @@ rm board-info.txt; #Never restrict installation
 enterAndClear "device/oneplus/bacon";
 sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/

-enterAndClear "device/samsung/manta";
-git revert e55bbff1c8aa50e25ffe39c8936ea3dc92a4a575; #restore releasetools
+#enterAndClear "device/samsung/manta";
+#git revert e55bbff1c8aa50e25ffe39c8936ea3dc92a4a575; #restore releasetools #TODO

 enterAndClear "device/samsung/toroplus";
 awk -i inplace '!/additional_system_update/' overlay/packages/apps/Settings/res/values*/*.xml;

 enableLowRam "device/samsung/tuna";
 enterAndClear "device/samsung/tuna";
-git revert e53eea6426da49dfb542929d5aa686667f4d416f; #restore releasetools
+#git revert e53eea6426da49dfb542929d5aa686667f4d416f; #restore releasetools #TODO
 rm setup-makefiles.sh; #broken, deblobber will still function
 sed -i 's|vendor/maguro/|vendor/|' libgps-shim/gps.c; #fix dlopen not found
 #See: https://review.lineageos.org/q/topic:%22tuna-sepolicies
@ -267,9 +266,13 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
-find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
 cd "$DOS_BUILD_BASE";

+#Verity
+cp "$DOS_SIGNING_KEYS/griffin/verifiedboot_relkeys.der.x509" "kernel/motorola/msm8996/verifiedboot_griffin_relkeys.der.x509";
+cp "$DOS_SIGNING_KEYS/marlin/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_marlin_relkeys.der.x509";
+cp "$DOS_SIGNING_KEYS/sailfish/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_sailfish_relkeys.der.x509";
+
 #Fixes
 #Fix broken options enabled by hardenDefconfig()
 sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
--- a/Scripts/LineageOS-15.1/Functions.sh
+++ b/Scripts/LineageOS-15.1/Functions.sh
@ -35,17 +35,19 @@ scanWorkspaceForMalware() {
 export -f scanWorkspaceForMalware;

 buildDevice() {
+	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
 	brunch "lineage_$1-user" && processRelease $1 true $2;
 }
 export -f buildDevice;

 buildDeviceUserDebug() {
+	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
 	brunch "lineage_$1-userdebug" && processRelease $1 true $2;
 }
 export -f buildDeviceUserDebug;

 buildDeviceDebug() {
-	unset SIGNING_KEY_DIR;
+	unset OTA_KEY_OVERRIDE_DIR;
 	brunch "lineage_$1-eng";
 }
 export -f buildDeviceDebug;
@ -100,7 +102,6 @@ patchWorkspace() {

 	source build/envsetup.sh;
 	repopick 255328; #update webview
-	repopick -it O_asb_2019-09;

 	export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails

--- a/Scripts/LineageOS-15.1/Patch.sh
+++ b/Scripts/LineageOS-15.1/Patch.sh
@ -64,9 +64,11 @@ enterAndClear "bionic";
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; #(GrapheneOS)

 enterAndClear "bootable/recovery";
-#git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity
+git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity

 enterAndClear "build/make";
+patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
+awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
 sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;

 enterAndClear "device/lineage/sepolicy";
@ -77,9 +79,6 @@ git revert c9b0d95630b82cd0ad1a0fc633c6d59c2cb8aad7 37422f7df389f3ae5a34ee3d6dd9
 enterAndClear "device/qcom/sepolicy";
 patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/0001-Camera_Fix.patch"; #Fix camera on -user builds XXX: REMOVE THIS TRASH

-enterAndClear "external/libcups";
-git pull "https://github.com/LineageOS/android_external_libcups" refs/changes/66/255866/1; #O_asb_2019-09
-
 enterAndClear "external/svox";
 git revert 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles

@ -175,6 +174,7 @@ enterAndClear "system/vold";
 patch -p1 < "$DOS_PATCHES/android_system_vold/0001-AES256.patch"; #Add a variable for enabling AES-256 bit encryption

 enterAndClear "vendor/lineage";
+rm build/target/product/security/lineage.x509.pem;
 rm -rf overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove analytics
 rm -rf verity_tool; #Resurrect dm-verity
 rm -rf overlay/common/frameworks/base/core/res/res/drawable-*/default_wallpaper.png;
@ -240,9 +240,13 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
-find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
 cd "$DOS_BUILD_BASE";

+#Verity
+cp "$DOS_SIGNING_KEYS/griffin/verifiedboot_relkeys.der.x509" "kernel/motorola/msm8996/verifiedboot_griffin_relkeys.der.x509";
+cp "$DOS_SIGNING_KEYS/marlin/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_marlin_relkeys.der.x509";
+cp "$DOS_SIGNING_KEYS/sailfish/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_sailfish_relkeys.der.x509";
+
 #Fix broken options enabled by hardenDefconfig()
 sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
 sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile
--- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_essential_msm8998.sh
+++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_essential_msm8998.sh
@ -1,8 +1,7 @@
 #!/bin/bash
 cd "$DOS_BUILD_BASE""kernel/essential/msm8998"
 git apply $DOS_PATCHES_LINUX_CVES/0001-LinuxIncrementals/4.4/4.4.0187-0188.patch --exclude=Makefile
-git apply $DOS_PATCHES_LINUX_CVES/0003-syzkaller-Misc2/ANY/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/0003-syzkaller-Misc2/ANY/0004.patch
+git apply $DOS_PATCHES_LINUX_CVES/0001-LinuxIncrementals/4.4/4.4.0188-0189.patch --exclude=Makefile
 git apply $DOS_PATCHES_LINUX_CVES/0007-Accelerated_AES/3.10+/0016.patch
 git apply $DOS_PATCHES_LINUX_CVES/0007-Accelerated_AES/3.10+/0020.patch
 git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/ANY/0001.patch
@ -43,7 +42,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16USB/ANY/0009.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18174/^4.7/0002.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18204/^4.14.2/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18306/4.4/0003.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18509/^4.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-9711/4.4/0003.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11273/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11818/ANY/0002.patch
@ -82,9 +80,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10524/ANY/0003.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12378/^5.1.5/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12456/^5.1.5/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12614/^5.1.6/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-13631/^5.2.1/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15098/^5.2.8/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15213/^5.2.3/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0011.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0012.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2181/4.4/0002.patch
@ -99,5 +95,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14875/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11274/ANY/0001.patch
-editKernelLocalversion "-dos.p99"
+editKernelLocalversion "-dos.p95"
 cd "$DOS_BUILD_BASE"
--- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_lge_mako.sh
+++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_lge_mako.sh
@ -120,9 +120,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-3459/^5.1/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/797912_0001-usb-gadget-Fix-synchronization-issue-between-f_audio.patch
 git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/870057_0001-wcnss-add-null-check-in-pm_ops-unregister.patch
-git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-5d89eb01c93d8a62998e3bdccae28a7732e3bd51.patch
-git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-7be3e08d7a523207486701b2d34607137558066f.patch
-git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-9f34c6ebc016cd061ae5ec901221d15fa3d67e49.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p124"
+editKernelLocalversion "-dos.p121"
 cd "$DOS_BUILD_BASE"
--- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_samsung_msm8974.sh
+++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_samsung_msm8974.sh
@ -62,11 +62,9 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10675/^4.12.9/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10879/3.4/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10880/3.4/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10940/^4.16.6/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11939/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-15594/^4.18.1/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-16658/^4.18.6/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-18710/^4.19/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-20511/^4.18.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5332/^4.14.13/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5333/^4.14.13/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5750/^4.14.15/0001.patch
@ -74,13 +72,11 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-7492/^4.14.7/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-7757/^4.15.7/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-8781/^4.15/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10142/ANY/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10491/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0001.patch
-git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-9f34c6ebc016cd061ae5ec901221d15fa3d67e49.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-2475/ANY/0001.patch
 git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
-editKernelLocalversion "-dos.p83"
+editKernelLocalversion "-dos.p78"
 cd "$DOS_BUILD_BASE"
--- a/Scripts/LineageOS-16.0/Functions.sh
+++ b/Scripts/LineageOS-16.0/Functions.sh
@ -35,17 +35,19 @@ scanWorkspaceForMalware() {
 export -f scanWorkspaceForMalware;

 buildDevice() {
+	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
 	brunch "lineage_$1-user" && processRelease $1 true $2;
 }
 export -f buildDevice;

 buildDeviceUserDebug() {
+	export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
 	brunch "lineage_$1-userdebug" && processRelease $1 true $2;
 }
 export -f buildDeviceUserDebug;

 buildDeviceDebug() {
-	unset SIGNING_KEY_DIR;
+	unset OTA_KEY_OVERRIDE_DIR;
 	brunch "lineage_$1-eng";
 }
 export -f buildDeviceDebug;
@ -107,9 +109,7 @@ patchWorkspace() {

 	source build/envsetup.sh;
 	repopick -f 254249; #g3 nfc
-	#repopick -it hh-cleanup;
 	repopick 255328; #update webview
-	repopick -it P_asb_2019-09;

 	source "$DOS_SCRIPTS/Patch.sh";
 	source "$DOS_SCRIPTS/Defaults.sh";
--- a/Scripts/LineageOS-16.0/Patch.sh
+++ b/Scripts/LineageOS-16.0/Patch.sh
@ -65,10 +65,12 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bio

 enterAndClear "bootable/recovery";
 git revert 4d361ff13b5bd61d5a6a5e95063b24b8a37a24ab 37d729bf; #fix sideload
-#git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity
+git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity

 enterAndClear "build/make";
 git revert 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files
+patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
+awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
 sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;

 #enterAndClear "device/lineage/sepolicy";
@ -78,12 +80,6 @@ enterAndClear "device/qcom/sepolicy-legacy";
 patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy-legacy/0001-Camera_Fix.patch"; #Fix camera on -user builds XXX: REMOVE THIS TRASH
 echo "SELINUX_IGNORE_NEVERALLOWS := true" >> sepolicy.mk; #necessary for -user builds of legacy devices

-enterAndClear "external/libcups";
-git pull "https://github.com/LineageOS/android_external_libcups" refs/changes/96/255696/1; #P_asb_2019-09
-
-enterAndClear "external/libhevc";
-git pull "https://github.com/LineageOS/android_external_libhevc" refs/changes/97/255697/1; #P_asb_2019-09
-
 enterAndClear "external/svox";
 git revert 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
 sed -i '12iLOCAL_SDK_VERSION := current' pico/Android.mk; #Fix build under Pie
@ -171,15 +167,12 @@ git revert b3609d82999d23634c5e6db706a3ecbc5348309a; #Always update recovery
 patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)
 if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)

-enterAndClear "system/nfc";
-git pull "https://github.com/LineageOS/android_system_nfc" refs/changes/93/255693/1; #P_asb_2019-09
-git pull "https://github.com/LineageOS/android_system_nfc" refs/changes/94/255694/1;
-
 enterAndClear "system/sepolicy";
 patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
 awk -i inplace '!/true cannot be used in user builds/' Android.mk; #Allow ignoring neverallows under -user

 enterAndClear "vendor/lineage";
+rm build/target/product/security/lineage.x509.pem;
 rm -rf overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove analytics
 rm -rf verity_tool; #Resurrect dm-verity
 rm -rf overlay/common/frameworks/base/core/res/res/drawable-*/default_wallpaper.png;
@ -223,8 +216,8 @@ enterAndClear "device/lge/d855";
 git revert 9a5739e66d0a44347881807c0cc44d7c318c02b8; #fix nfc path

 enterAndClear "device/lge/mako";
-git revert 218f7442874f7b7d494f265286a2151e2f81bb6e; #disable dexpreopt full and switch back to -mini
 #git revert ; #restore releasetools #TODO
+smallerSystem;
 echo "allow kickstart usbfs:dir search;" >> sepolicy/kickstart.te; #Fix forceencrypt on first boot
 echo "allow system_server sensors_data_file:dir search;" >> sepolicy/system_server.te; #Fix qcom_sensors log spam
 echo "allow system_server sensors_data_file:dir r_file_perms;" >> sepolicy/system_server.te;
@ -250,9 +243,15 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
 find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
 if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
-find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
 cd "$DOS_BUILD_BASE";

+#Verity
+cp "$DOS_SIGNING_KEYS/cheryl/verifiedboot_relkeys.der.x509" "kernel/razer/msm8998/verifiedboot_cheryl_relkeys.der.x509";
+cp "$DOS_SIGNING_KEYS/griffin/verifiedboot_relkeys.der.x509" "kernel/motorola/msm8996/verifiedboot_griffin_relkeys.der.x509";
+cp "$DOS_SIGNING_KEYS/marlin/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_marlin_relkeys.der.x509";
+cp "$DOS_SIGNING_KEYS/sailfish/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_sailfish_relkeys.der.x509";
+cp "$DOS_SIGNING_KEYS/z2_plus/verifiedboot_relkeys.der.x509" "kernel/zuk/msm8996/verifiedboot_z2_plus_relkeys.der.x509";
+
 #Fix broken options enabled by hardenDefconfig()
 sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
 sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/lge/mako/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
--- a/Scripts/init.sh
+++ b/Scripts/init.sh
@ -130,8 +130,6 @@ if [ ! -d "$DOS_SCRIPTS" ]; then
 fi;
 export DOS_SCRIPTS_CVES=$DOS_SCRIPTS"CVE_Patchers/";

-export SIGNING_KEY_DIR=$DOS_SIGNING_KEYS;
-
 export KBUILD_BUILD_USER="emy";
 export KBUILD_BUILD_HOST="dosbm";

--- a/4
+++ b/4
@ -1,8 +1,6 @@
-Last updated: 2019-08-29
+Last updated: 2019-09-14

 High Priority (Release blockers)
-	Build
-		- New signing keys
 	Project
 		- GPG all the things!
 		- Create cryptocurrency addresses