Per-device signing keys
- also fix OTA/recovery key regression - Update cherrypicks
parent
19d5b66097
commit
e01e457b24
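--- a/Patches/Common/android_build/0001-OTA_Keys.patch
+++ b/Patches/Common/android_build/0001-OTA_Keys.patch
@@ -0,0 +1,29 @@
+From 2dc326c8e10dcee50439b49d329142c3c92273c4 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Sat, 14 Sep 2019 20:14:42 -0400
+Subject: [PATCH] Support OTA recovery key override
+
+Change-Id: I454674073684325a4bc484ef783665fb58b5a503
+---
+core/Makefile | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/core/Makefile b/core/Makefile
+index f2a524d58..7c9735cf9 100644
+--- a/core/Makefile
++++ b/core/Makefile
+@@ -1217,6 +1217,11 @@ endif
+# substitute other keys for this one.
+OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+
++ifneq ($(OTA_KEY_OVERRIDE_DIR),)
++ OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
++ PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
++endif
++
+# Generate a file containing the keys that will be read by the
+# recovery binary.
+RECOVERY_INSTALL_OTA_KEYS := \
+--
+2.21.0
+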
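Review bot: The `ifneq ($(OTA_KEY_OVERRIDE_DIR),)` block carries no comment saying what the directory must contain or why the device's `extra` key is placed in PRODUCT_EXTRA_RECOVERY_KEYS next to `releasekey`, so a reader of core/Makefile cannot tell which signers recovery will trust once the override is set. The surrounding context feeds these variables into the keys file read by the recovery binary, so each entry here is presumably one more certificate that recovery accepts, and the reason for the second one deserves to be written down. Suggest a comment above the block: `# OTA_KEY_OVERRIDE_DIR: directory holding releasekey.x509.pem and extra.x509.pem; when set they replace the default OTA verification keys installed into recovery`. The same uncommented block is in Patches/LineageOS-14.1/android_build/0001-OTA_Keys.patch below.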
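--- a/Patches/LineageOS-14.1/android_build/0001-OTA_Keys.patch
+++ b/Patches/LineageOS-14.1/android_build/0001-OTA_Keys.patch
@@ -0,0 +1,29 @@
+From 3d9a2560ff4ce717b91724d941c3607abe8fa09f Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Sat, 14 Sep 2019 20:12:26 -0400
+Subject: [PATCH] Support OTA recovery key override
+
+Change-Id: Icafdb77a0c39353aaefbdf65a83f76be6e3e5f63
+---
+core/Makefile | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/core/Makefile b/core/Makefile
+index 3fb424733..a87bce4df 100644
+--- a/core/Makefile
++++ b/core/Makefile
+@@ -1038,6 +1038,11 @@ ifneq ($(OTA_PACKAGE_SIGNING_KEY),)
+PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE)
+endif
+
++ifneq ($(OTA_KEY_OVERRIDE_DIR),)
++ OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
++ PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
++endif
++
+# Generate a file containing the keys that will be read by the
+# recovery binary.
+RECOVERY_INSTALL_OTA_KEYS := \
+--
+2.21.0
+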
@ -1 +1 @@
|
||||
Subproject commit b2d6c598b007ada134dded570b7db5ebc83b20f5
|
||||
Subproject commit a5f2067f2eb00ed51d42a6ced93ee6d25e552358
|
@ -148,7 +148,7 @@ processRelease() {
|
||||
VERITY="$3";
|
||||
|
||||
DATE=$(date -u '+%Y%m%d')
|
||||
KEY_DIR="$DOS_SIGNING_KEYS";
|
||||
KEY_DIR="$DOS_SIGNING_KEYS/$DEVICE";
|
||||
VERSION=$(echo $DOS_VERSION | cut -f2 -d "-");
|
||||
PREFIX="$DOS_BRANDING_ZIP_PREFIX-$VERSION-$DATE-dos-$DEVICE";
|
||||
ARCHIVE="$DOS_BUILDS/$DOS_VERSION/release_keys/";
|
||||
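Review bot: `KEY_DIR="$DOS_SIGNING_KEYS/$DEVICE";` is assigned without checking that the per-device directory exists, so an empty `$DEVICE` or a device whose keys were never generated leaves KEY_DIR pointing at the shared top-level directory or at nothing, and the mismatch only surfaces from whichever tool later fails to open `$KEY_DIR/verity` or the signing key. A guard directly after the assignment fails the release early instead: `if [ ! -d "$KEY_DIR" ]; then echo "No signing keys for $DEVICE in $KEY_DIR" >&2; return 1; fi;`. processRelease starts before this hunk, so where DEVICE comes from is not visible here; `VERSION=$(echo $DOS_VERSION | cut -f2 -d "-");` in the same hunk also leaves `$DOS_VERSION` unquoted.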
@ -157,9 +157,11 @@ processRelease() {
|
||||
echo -e "\e[0;32mProcessing release for $DEVICE\e[0m";
|
||||
|
||||
#Arguments
|
||||
unset BLOCK_SWITCHES;
|
||||
if [ "$BLOCK" != false ]; then
|
||||
BLOCK_SWITCHES="--block";
|
||||
fi;
|
||||
unset VERITY_SWITCHES;
|
||||
if [[ "$VERITY" == "verity" ]]; then
|
||||
VERITY_SWITCHES=(--replace_verity_public_key "$KEY_DIR/verity_key.pub" \
|
||||
--replace_verity_private_key "$KEY_DIR/verity" \
|
||||
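Review bot: The two switch blocks use different test syntax, `if [ "$BLOCK" != false ]; then` a few lines above `if [[ "$VERITY" == "verity" ]]; then`, which reads as if the comparisons were meant to differ in kind. Both run under bash here, so `if [[ "$BLOCK" != false ]]; then` would make the pair uniform. The VERITY_SWITCHES array and the rest of processRelease continue past the end of this hunk.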
@ -267,8 +269,10 @@ optimizeImagesRecursive() {
|
||||
export -f optimizeImagesRecursive;
|
||||
|
||||
smallerSystem() {
|
||||
echo "SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk;
|
||||
echo "BOARD_SYSTEMIMAGE_JOURNAL_SIZE := 0" >> BoardConfig.mk;
|
||||
echo "EXCLUDE_SERIF_FONTS := true" >> BoardConfig.mk;
|
||||
echo "SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk;
|
||||
#echo "MINIMAL_FONT_FOOTPRINT := true" >> BoardConfig.mk;
|
||||
sed -i 's/common_full_phone.mk/common_mini_phone.mk/' *.mk &>/dev/null || true;
|
||||
}
|
||||
export -f smallerSystem;
|
||||
|
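Review bot: `echo "SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk;` appears twice in this hunk, and the rendered view does not show whether one of them is the removed line; if both survive, the setting is appended to BoardConfig.mk twice. Every line here appends unconditionally, so calling smallerSystem more than once on the same tree duplicates each setting; a presence check such as `grep -q '^SMALLER_FONT_FOOTPRINT' BoardConfig.mk || echo "SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk;` keeps it idempotent. The trailing `&>/dev/null || true` on the sed line, presumably there for trees with no `*.mk`, also hides a genuine sed failure.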
@ -1,16 +1,22 @@
|
||||
#!/bin/bash
|
||||
|
||||
#desc='/O=Divested Computing Group/CN=DivestOS/emailAddress=support@divestos.org';
|
||||
desc='/O=Example/CN=ExampleOS/emailAddress=support@example.com';
|
||||
#Reference: https://grapheneos.org/build#generating-release-signing-keys
|
||||
|
||||
type='rsa'; #Options: rsa, ec
|
||||
|
||||
#make -j20 generate_verity_key;
|
||||
|
||||
cd "$DOS_SIGNING_KEYS";
|
||||
mkdir $1; cd $1;
|
||||
desc="/O=Divested Computing Group/CN=DivestOS for $1/emailAddress=support@divestos.org";
|
||||
"$DOS_BUILD_BASE"/development/tools/make_key extra "$desc" "$type";
|
||||
"$DOS_BUILD_BASE"/development/tools/make_key media "$desc" "$type";
|
||||
"$DOS_BUILD_BASE"/development/tools/make_key platform "$desc" "$type";
|
||||
"$DOS_BUILD_BASE"/development/tools/make_key releasekey "$desc" "$type";
|
||||
"$DOS_BUILD_BASE"/development/tools/make_key shared "$desc" "$type";
|
||||
"$DOS_BUILD_BASE"/development/tools/make_key verity "$desc" "$type";
|
||||
|
||||
#https://grapheneos.org/build#generating-release-signing-keys
|
||||
|
||||
echo "Please copy created keys to your signing keys directory. Keep them safe!";
|
||||
"$DOS_BUILD_BASE"/out/host/linux-x86/bin/generate_verity_key -convert verity.x509.pem verity_key;
|
||||
openssl x509 -outform der -in verity.x509.pem -out verifiedboot_relkeys.der.x509;
|
||||
openssl genrsa -out avb.pem 2048;
|
||||
"$DOS_BUILD_BASE"/external/avb/avbtool extract_public_key --key avb.pem --output avb_pkmd.bin;
|
||||
cd "$DOS_BUILD_BASE";
|
||||
|
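Review bot: `mkdir $1; cd $1;` runs unquoted and unchecked after `cd "$DOS_SIGNING_KEYS";`, so if `$1` is empty, DOS_SIGNING_KEYS is unset, or the device directory already exists, the script keeps going and generates keys wherever the shell happens to be, and `openssl genrsa -out avb.pem 2048` overwrites an existing avb.pem without asking. The new private keys are also created under whatever umask the caller has. Replacing the three-line setup with a checked version that tightens the umask, refuses an existing directory and aborts on any failure closes all of these; whether the script continues past this hunk is not visible here.
```shell
# … unchanged: desc and type definitions …
umask 077; #key material must not be group- or world-readable
[ -n "$1" ] || { echo "Usage: $0 <device>" >&2; exit 1; };
[ -n "$DOS_SIGNING_KEYS" ] || { echo "DOS_SIGNING_KEYS is not set" >&2; exit 1; };
mkdir -- "$DOS_SIGNING_KEYS/$1" || exit 1; #existing device keys are never regenerated in place
cd -- "$DOS_SIGNING_KEYS/$1" || exit 1;
# … unchanged: make_key calls, verity and avb key generation, final cd …
```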
@ -35,12 +35,13 @@ scanWorkspaceForMalware() {
|
||||
export -f scanWorkspaceForMalware;
|
||||
|
||||
buildDevice() {
|
||||
export OTA_PACKAGE_SIGNING_KEY="$DOS_SIGNING_KEYS/$1/releasekey";
|
||||
brunch "cm_$1-user" && processRelease $1 false;
|
||||
}
|
||||
export -f buildDevice;
|
||||
|
||||
buildDeviceDebug() {
|
||||
unset SIGNING_KEY_DIR;
|
||||
unset OTA_PACKAGE_SIGNING_KEY;
|
||||
brunch "cm_$1-eng";
|
||||
}
|
||||
export -f buildDeviceDebug;
|
||||
|
@ -63,11 +63,9 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10675/^4.12.9/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10879/3.4/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10880/3.4/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10940/^4.16.6/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11939/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-15594/^4.18.1/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-16658/^4.18.6/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-18710/^4.19/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-20511/^4.18.11/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5332/^4.14.13/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5333/^4.14.13/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5750/^4.14.15/0001.patch
|
||||
@ -79,9 +77,8 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10491/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-9f34c6ebc016cd061ae5ec901221d15fa3d67e49.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-2475/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p84"
|
||||
editKernelLocalversion "-dos.p80"
|
||||
cd "$DOS_BUILD_BASE"
|
||||
|
@ -35,17 +35,19 @@ scanWorkspaceForMalware() {
|
||||
export -f scanWorkspaceForMalware;
|
||||
|
||||
buildDevice() {
|
||||
export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
|
||||
brunch "lineage_$1-user" && processRelease $1 true $2;
|
||||
}
|
||||
export -f buildDevice;
|
||||
|
||||
buildDeviceUserDebug() {
|
||||
export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
|
||||
brunch "lineage_$1-userdebug" && processRelease $1 true $2;
|
||||
}
|
||||
export -f buildDeviceUserDebug;
|
||||
|
||||
buildDeviceDebug() {
|
||||
unset SIGNING_KEY_DIR;
|
||||
unset OTA_KEY_OVERRIDE_DIR;
|
||||
brunch "lineage_$1-eng";
|
||||
}
|
||||
export -f buildDeviceDebug;
|
||||
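Review bot: buildDeviceUserDebug exports the same per-device `OTA_KEY_OVERRIDE_DIR` and calls the same `processRelease $1 true $2` as buildDevice, so a `-userdebug` image is presumably signed and made OTA-installable with the device's release keys, meaning a debuggable build will be accepted by devices that trust those keys. If that is intended, a comment on the function stating when it is meant to be used would keep it from being reached for casually; if not, it should drop the override the way buildDeviceDebug does. The two later Functions.sh hunks on this page add the same function and share this point. `$1` and `$2` are also passed to processRelease unquoted, while the brunch target on the line above quotes `$1`.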
@ -73,8 +75,6 @@ buildAll() {
|
||||
buildDevice himaul;
|
||||
buildDevice Z00T;
|
||||
buildDevice flounder verity;
|
||||
buildDevice axon7;
|
||||
buildDevice h850;
|
||||
if [ "$DOS_BUILDALL_SUPERSEDED" = true ]; then
|
||||
buildDevice flo;
|
||||
buildDevice mako;
|
||||
@ -95,7 +95,9 @@ buildAll() {
|
||||
buildDevice ether;
|
||||
buildDevice angler verity;
|
||||
buildDevice kipper;
|
||||
buildDevice axon7;
|
||||
buildDevice griffin;
|
||||
buildDevice h850;
|
||||
buildDevice us996;
|
||||
buildDevice marlin verity;
|
||||
buildDevice sailfish verity;
|
||||
@ -124,7 +126,6 @@ patchWorkspace() {
|
||||
repopick 248600 248649; #/proc hardening
|
||||
repopick -it nougat-mr2-security-release-residue;
|
||||
repopick 255328; #update webview
|
||||
repopick -it N_asb_2019-09;
|
||||
|
||||
export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails
|
||||
|
||||
|
@ -66,6 +66,7 @@ enterAndClear "bootable/recovery";
|
||||
patch -p1 < "$DOS_PATCHES/android_bootable_recovery/0001-Squash_Menus.patch"; #What's a back button?
|
||||
|
||||
enterAndClear "build";
|
||||
patch -p1 < "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
|
||||
sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
|
||||
sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk;
|
||||
|
||||
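Review bot: This branch applies `0001-OTA_Keys.patch` on its own, whereas the two later build/make hunks follow the same patch with `awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;`, and nothing records whether this tree needs that step or deliberately skips it. Given that the commit message calls out an OTA/recovery key regression, a trailing comment on either side, e.g. `#no core/product.mk edit needed on this branch: <reason>` (placeholder), would make the asymmetry deliberate. The exit status of `patch -p1` is not checked here either, so a rejected hunk only shows up in the build log.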
@ -161,9 +162,6 @@ git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f
|
||||
patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
|
||||
|
||||
enterAndClear "system/gatekeeper";
|
||||
git pull "https://github.com/LineageOS/android_system_gatekeeper" refs/changes/85/252985/1; #N_asb_2019-09
|
||||
|
||||
enterAndClear "system/sepolicy";
|
||||
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
|
||||
|
||||
@ -171,6 +169,7 @@ enterAndClear "system/vold";
|
||||
patch -p1 < "$DOS_PATCHES/android_system_vold/0001-AES256.patch"; #Add a variable for enabling AES-256 bit encryption
|
||||
|
||||
enterAndClear "vendor/cm";
|
||||
rm build/target/product/security/lineage.x509.pem;
|
||||
rm -rf overlay/common/vendor/cmsdk/packages; #Remove analytics
|
||||
rm -rf overlay/common/frameworks/base/core/res/res/drawable-*/default_wallpaper.png;
|
||||
awk -i inplace '!/50-cm.sh/' config/common.mk; #Make sure our hosts is always used
|
||||
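Review bot: `rm build/target/product/security/lineage.x509.pem;` is the one line in this block without a trailing comment, and it is the security-relevant one: removing that certificate presumably stops the build from trusting the LineageOS release key for OTA and sideload verification once per-device keys are in use. Suggest `rm build/target/product/security/lineage.x509.pem; #Drop the LineageOS OTA key so only per-device keys are trusted`. The same bare line is added in the two later vendor/lineage hunks.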
@ -235,15 +234,15 @@ rm board-info.txt; #Never restrict installation
|
||||
enterAndClear "device/oneplus/bacon";
|
||||
sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/
|
||||
|
||||
enterAndClear "device/samsung/manta";
|
||||
git revert e55bbff1c8aa50e25ffe39c8936ea3dc92a4a575; #restore releasetools
|
||||
#enterAndClear "device/samsung/manta";
|
||||
#git revert e55bbff1c8aa50e25ffe39c8936ea3dc92a4a575; #restore releasetools #TODO
|
||||
|
||||
enterAndClear "device/samsung/toroplus";
|
||||
awk -i inplace '!/additional_system_update/' overlay/packages/apps/Settings/res/values*/*.xml;
|
||||
|
||||
enableLowRam "device/samsung/tuna";
|
||||
enterAndClear "device/samsung/tuna";
|
||||
git revert e53eea6426da49dfb542929d5aa686667f4d416f; #restore releasetools
|
||||
#git revert e53eea6426da49dfb542929d5aa686667f4d416f; #restore releasetools #TODO
|
||||
rm setup-makefiles.sh; #broken, deblobber will still function
|
||||
sed -i 's|vendor/maguro/|vendor/|' libgps-shim/gps.c; #fix dlopen not found
|
||||
#See: https://review.lineageos.org/q/topic:%22tuna-sepolicies
|
||||
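Review bot: The `#TODO` appended to the commented `git revert … #restore releasetools` lines for manta and tuna says neither what is pending nor why the revert was switched off, and the rendered view does not show which of each active/commented pair is the new line. If the commented form is what lands, a reader has to rediscover whether those devices still need their releasetools restored under per-device signing; `#TODO: releasetools revert disabled because <reason>; re-enable when <condition>` (placeholders) records that. The later mako hunk carries the same marker on a `git revert` line that has no commit id at all.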
@ -267,9 +266,13 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
|
||||
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
|
||||
if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
|
||||
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
|
||||
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
|
||||
cd "$DOS_BUILD_BASE";
|
||||
|
||||
#Verity
|
||||
cp "$DOS_SIGNING_KEYS/griffin/verifiedboot_relkeys.der.x509" "kernel/motorola/msm8996/verifiedboot_griffin_relkeys.der.x509";
|
||||
cp "$DOS_SIGNING_KEYS/marlin/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_marlin_relkeys.der.x509";
|
||||
cp "$DOS_SIGNING_KEYS/sailfish/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_sailfish_relkeys.der.x509";
|
||||
|
||||
#Fixes
|
||||
#Fix broken options enabled by hardenDefconfig()
|
||||
sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
|
||||
|
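Review bot: The per-device verity key copies cover griffin, marlin and sailfish only, while buildAll earlier on this page still runs `buildDevice flounder verity;` and `buildDevice angler verity;`; if the `find "kernel" … cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509"` line is the one this hunk removes, those two kernels no longer receive any relkeys file and build against whatever is already in the tree. Each `cp` also just prints to stderr when the per-device file is missing and the script moves on, and since Patch.sh is sourced (see the `source "$DOS_SCRIPTS/Patch.sh";` line later on this page) an `exit` is not an option here. Make the failure loud per line, e.g. `cp "$DOS_SIGNING_KEYS/griffin/verifiedboot_relkeys.der.x509" "kernel/motorola/msm8996/verifiedboot_griffin_relkeys.der.x509" || echo "ERROR: no per-device verity key for griffin" >&2;`, and add a comment naming which devices are expected to have one. The same block is added in the two later Patch.sh hunks, the last also covering cheryl and z2_plus.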
@ -35,17 +35,19 @@ scanWorkspaceForMalware() {
|
||||
export -f scanWorkspaceForMalware;
|
||||
|
||||
buildDevice() {
|
||||
export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
|
||||
brunch "lineage_$1-user" && processRelease $1 true $2;
|
||||
}
|
||||
export -f buildDevice;
|
||||
|
||||
buildDeviceUserDebug() {
|
||||
export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
|
||||
brunch "lineage_$1-userdebug" && processRelease $1 true $2;
|
||||
}
|
||||
export -f buildDeviceUserDebug;
|
||||
|
||||
buildDeviceDebug() {
|
||||
unset SIGNING_KEY_DIR;
|
||||
unset OTA_KEY_OVERRIDE_DIR;
|
||||
brunch "lineage_$1-eng";
|
||||
}
|
||||
export -f buildDeviceDebug;
|
||||
@ -100,7 +102,6 @@ patchWorkspace() {
|
||||
|
||||
source build/envsetup.sh;
|
||||
repopick 255328; #update webview
|
||||
repopick -it O_asb_2019-09;
|
||||
|
||||
export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails
|
||||
|
||||
|
@ -64,9 +64,11 @@ enterAndClear "bionic";
|
||||
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; #(GrapheneOS)
|
||||
|
||||
enterAndClear "bootable/recovery";
|
||||
#git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity
|
||||
git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity
|
||||
|
||||
enterAndClear "build/make";
|
||||
patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
|
||||
awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
|
||||
sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
|
||||
|
||||
enterAndClear "device/lineage/sepolicy";
|
||||
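Review bot: `awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;` deletes every matching line with no check that anything matched, so if upstream moves or renames that entry the override this commit adds may silently stop taking effect and recovery could again be generated with the default keys, the regression the commit message says it fixes. A presence check before the edit makes that loud: `grep -q PRODUCT_EXTRA_RECOVERY_KEYS core/product.mk || echo "core/product.mk changed: OTA key override may not apply" >&2;`. The line also has no trailing comment explaining why the entry is removed, unlike its neighbours; the same pair of lines is added in the later build/make hunk for the next branch.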
@ -77,9 +79,6 @@ git revert c9b0d95630b82cd0ad1a0fc633c6d59c2cb8aad7 37422f7df389f3ae5a34ee3d6dd9
|
||||
enterAndClear "device/qcom/sepolicy";
|
||||
patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/0001-Camera_Fix.patch"; #Fix camera on -user builds XXX: REMOVE THIS TRASH
|
||||
|
||||
enterAndClear "external/libcups";
|
||||
git pull "https://github.com/LineageOS/android_external_libcups" refs/changes/66/255866/1; #O_asb_2019-09
|
||||
|
||||
enterAndClear "external/svox";
|
||||
git revert 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
|
||||
|
||||
@ -175,6 +174,7 @@ enterAndClear "system/vold";
|
||||
patch -p1 < "$DOS_PATCHES/android_system_vold/0001-AES256.patch"; #Add a variable for enabling AES-256 bit encryption
|
||||
|
||||
enterAndClear "vendor/lineage";
|
||||
rm build/target/product/security/lineage.x509.pem;
|
||||
rm -rf overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove analytics
|
||||
rm -rf verity_tool; #Resurrect dm-verity
|
||||
rm -rf overlay/common/frameworks/base/core/res/res/drawable-*/default_wallpaper.png;
|
||||
@ -240,9 +240,13 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
|
||||
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
|
||||
if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
|
||||
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
|
||||
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
|
||||
cd "$DOS_BUILD_BASE";
|
||||
|
||||
#Verity
|
||||
cp "$DOS_SIGNING_KEYS/griffin/verifiedboot_relkeys.der.x509" "kernel/motorola/msm8996/verifiedboot_griffin_relkeys.der.x509";
|
||||
cp "$DOS_SIGNING_KEYS/marlin/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_marlin_relkeys.der.x509";
|
||||
cp "$DOS_SIGNING_KEYS/sailfish/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_sailfish_relkeys.der.x509";
|
||||
|
||||
#Fix broken options enabled by hardenDefconfig()
|
||||
sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
|
||||
sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile
|
||||
|
@ -1,8 +1,7 @@
|
||||
#!/bin/bash
|
||||
cd "$DOS_BUILD_BASE""kernel/essential/msm8998"
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0001-LinuxIncrementals/4.4/4.4.0187-0188.patch --exclude=Makefile
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0003-syzkaller-Misc2/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0003-syzkaller-Misc2/ANY/0004.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0001-LinuxIncrementals/4.4/4.4.0188-0189.patch --exclude=Makefile
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0007-Accelerated_AES/3.10+/0016.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0007-Accelerated_AES/3.10+/0020.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/ANY/0001.patch
|
||||
@ -43,7 +42,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16USB/ANY/0009.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18174/^4.7/0002.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18204/^4.14.2/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18306/4.4/0003.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18509/^4.11/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-9711/4.4/0003.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11273/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11818/ANY/0002.patch
|
||||
@ -82,9 +80,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10524/ANY/0003.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12378/^5.1.5/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12456/^5.1.5/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12614/^5.1.6/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-13631/^5.2.1/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15098/^5.2.8/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15213/^5.2.3/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0011.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0012.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2181/4.4/0002.patch
|
||||
@ -99,5 +95,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14875/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11274/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p99"
|
||||
editKernelLocalversion "-dos.p95"
|
||||
cd "$DOS_BUILD_BASE"
|
||||
|
@ -120,9 +120,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-3459/^5.1/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/797912_0001-usb-gadget-Fix-synchronization-issue-between-f_audio.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/870057_0001-wcnss-add-null-check-in-pm_ops-unregister.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-5d89eb01c93d8a62998e3bdccae28a7732e3bd51.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-7be3e08d7a523207486701b2d34607137558066f.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-9f34c6ebc016cd061ae5ec901221d15fa3d67e49.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p124"
|
||||
editKernelLocalversion "-dos.p121"
|
||||
cd "$DOS_BUILD_BASE"
|
||||
|
@ -62,11 +62,9 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10675/^4.12.9/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10879/3.4/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10880/3.4/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10940/^4.16.6/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11939/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-15594/^4.18.1/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-16658/^4.18.6/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-18710/^4.19/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-20511/^4.18.11/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5332/^4.14.13/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5333/^4.14.13/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5750/^4.14.15/0001.patch
|
||||
@ -74,13 +72,11 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-7492/^4.14.7/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-7757/^4.15.7/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-8781/^4.15/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10142/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10491/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-9f34c6ebc016cd061ae5ec901221d15fa3d67e49.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-2475/ANY/0001.patch
|
||||
git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch
|
||||
editKernelLocalversion "-dos.p83"
|
||||
editKernelLocalversion "-dos.p78"
|
||||
cd "$DOS_BUILD_BASE"
|
||||
|
@ -35,17 +35,19 @@ scanWorkspaceForMalware() {
|
||||
export -f scanWorkspaceForMalware;
|
||||
|
||||
buildDevice() {
|
||||
export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
|
||||
brunch "lineage_$1-user" && processRelease $1 true $2;
|
||||
}
|
||||
export -f buildDevice;
|
||||
|
||||
buildDeviceUserDebug() {
|
||||
export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1";
|
||||
brunch "lineage_$1-userdebug" && processRelease $1 true $2;
|
||||
}
|
||||
export -f buildDeviceUserDebug;
|
||||
|
||||
buildDeviceDebug() {
|
||||
unset SIGNING_KEY_DIR;
|
||||
unset OTA_KEY_OVERRIDE_DIR;
|
||||
brunch "lineage_$1-eng";
|
||||
}
|
||||
export -f buildDeviceDebug;
|
||||
@ -107,9 +109,7 @@ patchWorkspace() {
|
||||
|
||||
source build/envsetup.sh;
|
||||
repopick -f 254249; #g3 nfc
|
||||
#repopick -it hh-cleanup;
|
||||
repopick 255328; #update webview
|
||||
repopick -it P_asb_2019-09;
|
||||
|
||||
source "$DOS_SCRIPTS/Patch.sh";
|
||||
source "$DOS_SCRIPTS/Defaults.sh";
|
||||
|
@ -65,10 +65,12 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bio
|
||||
|
||||
enterAndClear "bootable/recovery";
|
||||
git revert 4d361ff13b5bd61d5a6a5e95063b24b8a37a24ab 37d729bf; #fix sideload
|
||||
#git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity
|
||||
git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity
|
||||
|
||||
enterAndClear "build/make";
|
||||
git revert 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files
|
||||
patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification
|
||||
awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;
|
||||
sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk;
|
||||
|
||||
#enterAndClear "device/lineage/sepolicy";
|
||||
@ -78,12 +80,6 @@ enterAndClear "device/qcom/sepolicy-legacy";
|
||||
patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy-legacy/0001-Camera_Fix.patch"; #Fix camera on -user builds XXX: REMOVE THIS TRASH
|
||||
echo "SELINUX_IGNORE_NEVERALLOWS := true" >> sepolicy.mk; #necessary for -user builds of legacy devices
|
||||
|
||||
enterAndClear "external/libcups";
|
||||
git pull "https://github.com/LineageOS/android_external_libcups" refs/changes/96/255696/1; #P_asb_2019-09
|
||||
|
||||
enterAndClear "external/libhevc";
|
||||
git pull "https://github.com/LineageOS/android_external_libhevc" refs/changes/97/255697/1; #P_asb_2019-09
|
||||
|
||||
enterAndClear "external/svox";
|
||||
git revert 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles
|
||||
sed -i '12iLOCAL_SDK_VERSION := current' pico/Android.mk; #Fix build under Pie
|
||||
@ -171,15 +167,12 @@ git revert b3609d82999d23634c5e6db706a3ecbc5348309a; #Always update recovery
|
||||
patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS)
|
||||
if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS)
|
||||
|
||||
enterAndClear "system/nfc";
|
||||
git pull "https://github.com/LineageOS/android_system_nfc" refs/changes/93/255693/1; #P_asb_2019-09
|
||||
git pull "https://github.com/LineageOS/android_system_nfc" refs/changes/94/255694/1;
|
||||
|
||||
enterAndClear "system/sepolicy";
|
||||
patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices
|
||||
awk -i inplace '!/true cannot be used in user builds/' Android.mk; #Allow ignoring neverallows under -user
|
||||
|
||||
enterAndClear "vendor/lineage";
|
||||
rm build/target/product/security/lineage.x509.pem;
|
||||
rm -rf overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove analytics
|
||||
rm -rf verity_tool; #Resurrect dm-verity
|
||||
rm -rf overlay/common/frameworks/base/core/res/res/drawable-*/default_wallpaper.png;
|
||||
@ -223,8 +216,8 @@ enterAndClear "device/lge/d855";
|
||||
git revert 9a5739e66d0a44347881807c0cc44d7c318c02b8; #fix nfc path
|
||||
|
||||
enterAndClear "device/lge/mako";
|
||||
git revert 218f7442874f7b7d494f265286a2151e2f81bb6e; #disable dexpreopt full and switch back to -mini
|
||||
#git revert ; #restore releasetools #TODO
|
||||
smallerSystem;
|
||||
echo "allow kickstart usbfs:dir search;" >> sepolicy/kickstart.te; #Fix forceencrypt on first boot
|
||||
echo "allow system_server sensors_data_file:dir search;" >> sepolicy/system_server.te; #Fix qcom_sensors log spam
|
||||
echo "allow system_server sensors_data_file:dir r_file_perms;" >> sepolicy/system_server.te;
|
||||
@ -250,9 +243,15 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {}
|
||||
find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"';
|
||||
if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi;
|
||||
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"';
|
||||
find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"';
|
||||
cd "$DOS_BUILD_BASE";
|
||||
|
||||
#Verity
|
||||
cp "$DOS_SIGNING_KEYS/cheryl/verifiedboot_relkeys.der.x509" "kernel/razer/msm8998/verifiedboot_cheryl_relkeys.der.x509";
|
||||
cp "$DOS_SIGNING_KEYS/griffin/verifiedboot_relkeys.der.x509" "kernel/motorola/msm8996/verifiedboot_griffin_relkeys.der.x509";
|
||||
cp "$DOS_SIGNING_KEYS/marlin/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_marlin_relkeys.der.x509";
|
||||
cp "$DOS_SIGNING_KEYS/sailfish/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_sailfish_relkeys.der.x509";
|
||||
cp "$DOS_SIGNING_KEYS/z2_plus/verifiedboot_relkeys.der.x509" "kernel/zuk/msm8996/verifiedboot_z2_plus_relkeys.der.x509";
|
||||
|
||||
#Fix broken options enabled by hardenDefconfig()
|
||||
sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
|
||||
sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/lge/mako/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile
|
||||
|
@ -130,8 +130,6 @@ if [ ! -d "$DOS_SCRIPTS" ]; then
|
||||
fi;
|
||||
export DOS_SCRIPTS_CVES=$DOS_SCRIPTS"CVE_Patchers/";
|
||||
|
||||
export SIGNING_KEY_DIR=$DOS_SIGNING_KEYS;
|
||||
|
||||
export KBUILD_BUILD_USER="emy";
|
||||
export KBUILD_BUILD_HOST="dosbm";
|
||||
|
||||
|
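Review bot: With `export SIGNING_KEY_DIR=$DOS_SIGNING_KEYS;` apparently dropped here (the hunk counts show two lines removed and none added), the `unset SIGNING_KEY_DIR;` that each buildDeviceDebug on this page still carries becomes a leftover of the single-directory scheme and suggests to a reader that debug builds are clearing something that is set. Either remove those unsets with this change or keep the export with a comment naming what still reads it. If the export is in fact the kept line, `export SIGNING_KEY_DIR="$DOS_SIGNING_KEYS";` should at least be quoted like the other paths in this file.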