diff --git a/Patches/Common/android_build/0001-OTA_Keys.patch b/Patches/Common/android_build/0001-OTA_Keys.patch new file mode 100644 index 00000000..1d7b3597 --- /dev/null +++ b/Patches/Common/android_build/0001-OTA_Keys.patch @@ -0,0 +1,29 @@ +From 2dc326c8e10dcee50439b49d329142c3c92273c4 Mon Sep 17 00:00:00 2001 +From: Tad +Date: Sat, 14 Sep 2019 20:14:42 -0400 +Subject: [PATCH] Support OTA recovery key override + +Change-Id: I454674073684325a4bc484ef783665fb58b5a503 +--- + core/Makefile | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/core/Makefile b/core/Makefile +index f2a524d58..7c9735cf9 100644 +--- a/core/Makefile ++++ b/core/Makefile +@@ -1217,6 +1217,11 @@ endif + # substitute other keys for this one. + OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem + ++ifneq ($(OTA_KEY_OVERRIDE_DIR),) ++ OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem ++ PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra ++endif ++ + # Generate a file containing the keys that will be read by the + # recovery binary. + RECOVERY_INSTALL_OTA_KEYS := \ +-- +2.21.0 + diff --git a/Patches/LineageOS-14.1/android_build/0001-OTA_Keys.patch b/Patches/LineageOS-14.1/android_build/0001-OTA_Keys.patch new file mode 100644 index 00000000..3cf1cc15 --- /dev/null +++ b/Patches/LineageOS-14.1/android_build/0001-OTA_Keys.patch 
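Review bot: The new `ifneq ($(OTA_KEY_OVERRIDE_DIR),)` block replaces both `OTA_PUBLIC_KEYS` and `PRODUCT_EXTRA_RECOVERY_KEYS`, so recovery ends up trusting two certificates, `releasekey` and `extra`, and nothing in the patch records why the second key belongs in the recovery trust set. Any key listed there can authorize an OTA install, so the widening deserves a comment next to the assignment, e.g. `# extra is a second OTA signing key; every key listed here can sign an installable OTA`. The block also unconditionally discards whatever `PRODUCT_EXTRA_RECOVERY_KEYS` a device or vendor config set; that looks intentional given the `product.mk` edits elsewhere in this commit, but it should be stated. Presumably a missing `$(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem` already fails the build when the recovery key file rule runs; if it does not, an explicit `$(error OTA_KEY_OVERRIDE_DIR has no releasekey.x509.pem)` guard would make a mistyped directory fail early rather than late.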
@@ -0,0 +1,29 @@ +From 3d9a2560ff4ce717b91724d941c3607abe8fa09f Mon Sep 17 00:00:00 2001 +From: Tad +Date: Sat, 14 Sep 2019 20:12:26 -0400 +Subject: [PATCH] Support OTA recovery key override + +Change-Id: Icafdb77a0c39353aaefbdf65a83f76be6e3e5f63 +--- + core/Makefile | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/core/Makefile b/core/Makefile +index 3fb424733..a87bce4df 100644 +--- a/core/Makefile ++++ b/core/Makefile +@@ -1038,6 +1038,11 @@ ifneq ($(OTA_PACKAGE_SIGNING_KEY),) + PRODUCT_EXTRA_RECOVERY_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE) + endif + ++ifneq ($(OTA_KEY_OVERRIDE_DIR),) ++ OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem ++ PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra ++endif ++ + # Generate a file containing the keys that will be read by the + # recovery binary. + RECOVERY_INSTALL_OTA_KEYS := \ +-- +2.21.0 + diff --git a/PrebuiltApps b/PrebuiltApps index b2d6c598..a5f2067f 160000 --- a/PrebuiltApps +++ b/PrebuiltApps @@ -1 +1 @@ -Subproject commit b2d6c598b007ada134dded570b7db5ebc83b20f5 +Subproject commit a5f2067f2eb00ed51d42a6ced93ee6d25e552358 diff --git a/Scripts/Common/Functions.sh b/Scripts/Common/Functions.sh index 3e53b983..f54aff92 100644 --- a/Scripts/Common/Functions.sh +++ b/Scripts/Common/Functions.sh @@ -148,7 +148,7 @@ processRelease() { VERITY="$3"; DATE=$(date -u '+%Y%m%d') - KEY_DIR="$DOS_SIGNING_KEYS"; + KEY_DIR="$DOS_SIGNING_KEYS/$DEVICE"; VERSION=$(echo $DOS_VERSION | cut -f2 -d "-"); PREFIX="$DOS_BRANDING_ZIP_PREFIX-$VERSION-$DATE-dos-$DEVICE"; ARCHIVE="$DOS_BUILDS/$DOS_VERSION/release_keys/"; @@ -157,9 +157,11 @@ processRelease() { echo -e "\e[0;32mProcessing release for $DEVICE\e[0m"; #Arguments + unset BLOCK_SWITCHES; if [ "$BLOCK" != false ]; then BLOCK_SWITCHES="--block"; fi; + unset VERITY_SWITCHES; if [[ "$VERITY" == "verity" ]]; then VERITY_SWITCHES=(--replace_verity_public_key "$KEY_DIR/verity_key.pub" \ --replace_verity_private_key "$KEY_DIR/verity" \ 
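Review bot: `KEY_DIR="$DOS_SIGNING_KEYS/$DEVICE"` in processRelease is used without any check that the per-device key set exists, and since processRelease starts before this hunk and continues past it, whatever consumes KEY_DIR (the signing step, the verity key paths in the following hunk) is outside the view. If `$DEVICE` is empty or the directory was never generated, the path silently points at the parent directory or at nothing; an up-front guard such as `if [ ! -d "$KEY_DIR" ]; then echo "No signing keys for $DEVICE at $KEY_DIR" >&2; return 1; fi;` fails the release before any signing or archiving is attempted. The second hunk (`unset BLOCK_SWITCHES`, `unset VERITY_SWITCHES`) is cut off at the end of this line, so its remaining lines were not reviewed.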
@@ -267,8 +269,10 @@ optimizeImagesRecursive() { export -f optimizeImagesRecursive; smallerSystem() { - echo "SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk; echo "BOARD_SYSTEMIMAGE_JOURNAL_SIZE := 0" >> BoardConfig.mk; + echo "EXCLUDE_SERIF_FONTS := true" >> BoardConfig.mk; + echo "SMALLER_FONT_FOOTPRINT := true" >> BoardConfig.mk; + #echo "MINIMAL_FONT_FOOTPRINT := true" >> BoardConfig.mk; sed -i 's/common_full_phone.mk/common_mini_phone.mk/' *.mk &>/dev/null || true; } export -f smallerSystem; diff --git a/Scripts/Generate_Signing_Keys.sh b/Scripts/Generate_Signing_Keys.sh index 54ea1b96..ec7c8420 100644 --- a/Scripts/Generate_Signing_Keys.sh +++ b/Scripts/Generate_Signing_Keys.sh 
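Review bot: The new commented-out `#echo "MINIMAL_FONT_FOOTPRINT := true" >> BoardConfig.mk;` line in smallerSystem has no note saying why it is disabled, so the next reader cannot tell whether it breaks the build, drops needed glyphs, or is simply untested. A trailing comment with the real reason, e.g. `#TODO: MINIMAL_FONT_FOOTPRINT removes too much, needs testing`, would settle it. The same applies to the newly added `EXCLUDE_SERIF_FONTS := true`, which arrives with no explanation of what it removes from the image.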
@@ -1,16 +1,22 @@
 #!/bin/bash
-#desc='/O=Divested Computing Group/CN=DivestOS/emailAddress=support@divestos.org';
-desc='/O=Example/CN=ExampleOS/emailAddress=support@example.com';
+#Reference: https://grapheneos.org/build#generating-release-signing-keys
+
 type='rsa'; #Options: rsa, ec
+#make -j20 generate_verity_key;
+
+cd "$DOS_SIGNING_KEYS";
+mkdir $1; cd $1;
+desc="/O=Divested Computing Group/CN=DivestOS for $1/emailAddress=support@divestos.org";
 "$DOS_BUILD_BASE"/development/tools/make_key extra "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key media "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key platform "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key releasekey "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key shared "$desc" "$type";
 "$DOS_BUILD_BASE"/development/tools/make_key verity "$desc" "$type";
-
-#https://grapheneos.org/build#generating-release-signing-keys
-
-echo "Please copy created keys to your signing keys directory. Keep them safe!";
+"$DOS_BUILD_BASE"/out/host/linux-x86/bin/generate_verity_key -convert verity.x509.pem verity_key;
+openssl x509 -outform der -in verity.x509.pem -out verifiedboot_relkeys.der.x509;
+openssl genrsa -out avb.pem 2048;
+"$DOS_BUILD_BASE"/external/avb/avbtool extract_public_key --key avb.pem --output avb_pkmd.bin;
+cd "$DOS_BUILD_BASE";
diff --git a/Scripts/LineageOS-11.0/Functions.sh b/Scripts/LineageOS-11.0/Functions.sh
index 680c710e..aa1830fe 100644
--- a/Scripts/LineageOS-11.0/Functions.sh
+++ b/Scripts/LineageOS-11.0/Functions.sh
@@ -35,12 +35,13 @@ scanWorkspaceForMalware() {
 export -f scanWorkspaceForMalware;
 buildDevice() {
+ export OTA_PACKAGE_SIGNING_KEY="$DOS_SIGNING_KEYS/$1/releasekey";
 brunch "cm_$1-user" && processRelease $1 false;
 }
 export -f buildDevice;
 buildDeviceDebug() {
- unset SIGNING_KEY_DIR;
+ unset OTA_PACKAGE_SIGNING_KEY;
 brunch "cm_$1-eng";
 }
 export -f buildDeviceDebug;
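Review bot: `cd "$DOS_SIGNING_KEYS"; mkdir $1; cd $1;` has no error handling and the script never enables `set -e`, so an unset DOS_SIGNING_KEYS, an empty `$1` (which turns `cd $1` into a bare `cd` to $HOME) or an already existing device directory leaves the script generating keys in the wrong place. Worse, `openssl genrsa -out avb.pem 2048` and the `generate_verity_key -convert` step overwrite any existing output without asking, so re-running the script for a device that already has keys silently replaces the AVB and verity material that deployed devices already trust. The AVB private key is also written unencrypted with the process's default umask, unlike the password-protected make_key output; a `umask 077` at the top and a guard that refuses to proceed when the directory already exists close both gaps, and `"$1"` should be quoted since it becomes a path and part of the certificate subject. avbtool also accepts 4096-bit RSA keys, which is worth considering for a long-lived boot-verification root if the board's AVB algorithm setting (not visible here) is adjusted to match.
```shell
#!/bin/bash
set -euo pipefail;
umask 077; #private key material: no group/world access
[ -n "${1:-}" ] || { echo "Usage: $0 <device>" >&2; exit 1; };
# … unchanged: reference comment, type='rsa', generate_verity_key build note …
cd "$DOS_SIGNING_KEYS";
mkdir "$1"; cd "$1"; #mkdir fails if this device already has keys: never overwrite a deployed key set
desc="/O=Divested Computing Group/CN=DivestOS for $1/emailAddress=support@divestos.org";
# … unchanged: make_key calls, generate_verity_key, openssl x509, openssl genrsa, avbtool, cd back …
```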
diff --git a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_msm8974.sh b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_msm8974.sh index 224881d7..b95df374 100644 --- a/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_msm8974.sh +++ b/Scripts/LineageOS-14.1/CVE_Patchers/android_kernel_samsung_msm8974.sh @@ -63,11 +63,9 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10675/^4.12.9/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10879/3.4/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10880/3.4/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10940/^4.16.6/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11939/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-15594/^4.18.1/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-16658/^4.18.6/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-18710/^4.19/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-20511/^4.18.11/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5332/^4.14.13/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5333/^4.14.13/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5750/^4.14.15/0001.patch @@ -79,9 +77,8 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10491/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-9f34c6ebc016cd061ae5ec901221d15fa3d67e49.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-2475/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch -editKernelLocalversion "-dos.p84" +editKernelLocalversion "-dos.p80" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-14.1/Functions.sh b/Scripts/LineageOS-14.1/Functions.sh index 8eb6b123..1413e597 100644 
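Review bot: Three kernel CVE patches (CVE-2018-11939, CVE-2018-20511 and CVE-2019-8912) are dropped from the msm8974 patch set with nothing in the script recording why. A reader of this file can no longer tell whether the fixes were already present in the tree, failed to apply, or were judged not applicable to this (apparently 3.4-based) kernel, and each of those has a different security meaning. A one-line comment in the script, or in whatever index generates it, such as `#Dropped: CVE-2018-11939, CVE-2018-20511, CVE-2019-8912 - <reason>`, would keep the audit trail; the same applies to the parallel LineageOS-16.0 script in this commit.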
--- a/Scripts/LineageOS-14.1/Functions.sh +++ b/Scripts/LineageOS-14.1/Functions.sh @@ -35,17 +35,19 @@ scanWorkspaceForMalware() { export -f scanWorkspaceForMalware; buildDevice() { + export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1"; brunch "lineage_$1-user" && processRelease $1 true $2; } export -f buildDevice; buildDeviceUserDebug() { + export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1"; brunch "lineage_$1-userdebug" && processRelease $1 true $2; } export -f buildDeviceUserDebug; buildDeviceDebug() { - unset SIGNING_KEY_DIR; + unset OTA_KEY_OVERRIDE_DIR; brunch "lineage_$1-eng"; } export -f buildDeviceDebug; @@ -73,8 +75,6 @@ buildAll() { buildDevice himaul; buildDevice Z00T; buildDevice flounder verity; - buildDevice axon7; - buildDevice h850; if [ "$DOS_BUILDALL_SUPERSEDED" = true ]; then buildDevice flo; buildDevice mako; @@ -95,7 +95,9 @@ buildAll() { buildDevice ether; buildDevice angler verity; buildDevice kipper; + buildDevice axon7; buildDevice griffin; + buildDevice h850; buildDevice us996; buildDevice marlin verity; buildDevice sailfish verity; @@ -124,7 +126,6 @@ patchWorkspace() { repopick 248600 248649; #/proc hardening repopick -it nougat-mr2-security-release-residue; repopick 255328; #update webview - repopick -it N_asb_2019-09; export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index e85e94eb..cea898fa 100644 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -66,6 +66,7 @@ enterAndClear "bootable/recovery"; patch -p1 < "$DOS_PATCHES/android_bootable_recovery/0001-Squash_Menus.patch"; #What's a back button? enterAndClear "build"; +patch -p1 < "$DOS_PATCHES/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification sed -i '50i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; sed -i '296iLOCAL_AAPT_FLAGS += --auto-add-overlay' core/package_internal.mk; 
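Review bot: `repopick -it N_asb_2019-09;` is removed from patchWorkspace with no replacement and no comment, and the companion `git pull` of the gatekeeper change for the same topic is removed elsewhere in this commit. If the September 2019 security bulletin changes have since merged into the lineage-14.1 branch this is correct, but nothing here says so; if they have not, the build silently loses that month's fixes. A trailing comment on the remaining repopick lines, e.g. `#N_asb_2019-09 merged upstream, no longer picked`, would make the state auditable. patchWorkspace starts before this hunk and appears to continue past it.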
@@ -161,9 +162,6 @@ git revert 0217dddeb5c16903c13ff6c75213619b79ea622b d7aa1231b6a0631f506c0c23816f patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS) if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS) -enterAndClear "system/gatekeeper"; -git pull "https://github.com/LineageOS/android_system_gatekeeper" refs/changes/85/252985/1; #N_asb_2019-09 - enterAndClear "system/sepolicy"; patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices @@ -171,6 +169,7 @@ enterAndClear "system/vold"; patch -p1 < "$DOS_PATCHES/android_system_vold/0001-AES256.patch"; #Add a variable for enabling AES-256 bit encryption enterAndClear "vendor/cm"; +rm build/target/product/security/lineage.x509.pem; rm -rf overlay/common/vendor/cmsdk/packages; #Remove analytics rm -rf overlay/common/frameworks/base/core/res/res/drawable-*/default_wallpaper.png; awk -i inplace '!/50-cm.sh/' config/common.mk; #Make sure our hosts is always used 
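Review bot: `rm build/target/product/security/lineage.x509.pem;` in the vendor/cm section carries no comment explaining its purpose and no error check; the surrounding script shows no `set -e`, so if that path ever moves the rm prints an error and the script carries on with the LineageOS certificate still in the tree. Presumably the intent is to keep LineageOS's OTA key out of the recovery trust set, which is security-relevant enough that the line should both say so and fail loudly, e.g. `rm build/target/product/security/lineage.x509.pem || return 1; #Never let LineageOS's OTA key into recovery` (Patch.sh is sourced from patchWorkspace, so `return` rather than `exit`). The same unguarded rm is added to the 15.1 and 16.0 scripts in this commit.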
@@ -235,15 +234,15 @@ rm board-info.txt; #Never restrict installation enterAndClear "device/oneplus/bacon"; sed -i "s/TZ.BF.2.0-2.0.0134/TZ.BF.2.0-2.0.0134|TZ.BF.2.0-2.0.0137/" board-info.txt; #Suport new TZ firmware https://review.lineageos.org/#/c/178999/ -enterAndClear "device/samsung/manta"; -git revert e55bbff1c8aa50e25ffe39c8936ea3dc92a4a575; #restore releasetools +#enterAndClear "device/samsung/manta"; +#git revert e55bbff1c8aa50e25ffe39c8936ea3dc92a4a575; #restore releasetools #TODO enterAndClear "device/samsung/toroplus"; awk -i inplace '!/additional_system_update/' overlay/packages/apps/Settings/res/values*/*.xml; enableLowRam "device/samsung/tuna"; enterAndClear "device/samsung/tuna"; -git revert e53eea6426da49dfb542929d5aa686667f4d416f; #restore releasetools +#git revert e53eea6426da49dfb542929d5aa686667f4d416f; #restore releasetools #TODO rm setup-makefiles.sh; #broken, deblobber will still function sed -i 's|vendor/maguro/|vendor/|' libgps-shim/gps.c; #fix dlopen not found #See: https://review.lineageos.org/q/topic:%22tuna-sepolicies 
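Review bot: The two `git revert …; #restore releasetools` lines for manta and tuna are commented out with only `#TODO`, leaving no record of why the reverts are disabled or what the release packages for those devices lose as a result. Device releasetools presumably shape what ends up in the flashable package, so a reader needs to know whether this is a temporary breakage or a deliberate drop, e.g. `#TODO: revert no longer applies cleanly, releasetools currently missing from manta/tuna packages`.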
@@ -267,9 +266,13 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"'; if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi; find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"'; -find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"'; cd "$DOS_BUILD_BASE"; +#Verity +cp "$DOS_SIGNING_KEYS/griffin/verifiedboot_relkeys.der.x509" "kernel/motorola/msm8996/verifiedboot_griffin_relkeys.der.x509"; +cp "$DOS_SIGNING_KEYS/marlin/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_marlin_relkeys.der.x509"; +cp "$DOS_SIGNING_KEYS/sailfish/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_sailfish_relkeys.der.x509"; + #Fixes #Fix broken options enabled by hardenDefconfig() sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile diff --git a/Scripts/LineageOS-15.1/Functions.sh b/Scripts/LineageOS-15.1/Functions.sh index d8d5d208..a7cf76c2 100644 --- a/Scripts/LineageOS-15.1/Functions.sh +++ b/Scripts/LineageOS-15.1/Functions.sh 
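Review bot: The three `cp "$DOS_SIGNING_KEYS/<device>/verifiedboot_relkeys.der.x509" …` lines are unchecked: with no `set -e` in sight, a missing per-device key lets the build continue with whatever verity key the kernel tree already ships, if any, so the kernel would be built trusting a key that does not match the key the release is signed with, and the mismatch is only discovered when a device refuses to boot. Each copy should abort on failure, e.g. `cp … || { echo "Missing verity key for griffin" >&2; return 1; }` (Patch.sh is sourced, so `return` rather than `exit`). The device list is also worth confirming: buildAll in this commit passes `verity` for marlin, sailfish, angler and flounder but not griffin, while keys are copied here for griffin and not for angler or flounder; if those two take the boot-image key path that is fine, but a comment saying so would help.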
@@ -35,17 +35,19 @@ scanWorkspaceForMalware() { export -f scanWorkspaceForMalware; buildDevice() { + export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1"; brunch "lineage_$1-user" && processRelease $1 true $2; } export -f buildDevice; buildDeviceUserDebug() { + export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1"; brunch "lineage_$1-userdebug" && processRelease $1 true $2; } export -f buildDeviceUserDebug; buildDeviceDebug() { - unset SIGNING_KEY_DIR; + unset OTA_KEY_OVERRIDE_DIR; brunch "lineage_$1-eng"; } export -f buildDeviceDebug; @@ -100,7 +102,6 @@ patchWorkspace() { source build/envsetup.sh; repopick 255328; #update webview - repopick -it O_asb_2019-09; export DOS_GRAPHENE_MALLOC=false; #patches apply, compile fails diff --git a/Scripts/LineageOS-15.1/Patch.sh b/Scripts/LineageOS-15.1/Patch.sh index 433438e2..b45b0159 100644 --- a/Scripts/LineageOS-15.1/Patch.sh +++ b/Scripts/LineageOS-15.1/Patch.sh @@ -64,9 +64,11 @@ enterAndClear "bionic"; if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bionic/0001-HM-Use_HM.patch"; fi; #(GrapheneOS) enterAndClear "bootable/recovery"; -#git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity +git revert ac258a4f4c4b4b91640cc477ad1ac125f206db02; #Resurrect dm-verity enterAndClear "build/make"; +patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification +awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk; sed -i '57i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; enterAndClear "device/lineage/sepolicy"; 
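Review bot: `awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk;` deletes every line mentioning that variable from product.mk with no comment, and because awk matches nothing without complaint, it silently becomes a no-op if the file changes, at which point the override in the OTA_Keys patch may stop taking effect and recovery would trust a different key set than intended. Presumably the deletion is needed so core/Makefile can assign the variable after product configuration is finalized; that rationale belongs on the line, e.g. `#allow core/Makefile to override the recovery key list (see 0001-OTA_Keys.patch)`, and a `grep -q PRODUCT_EXTRA_RECOVERY_KEYS core/product.mk || return 1;` before the awk would catch drift. The same line is added to the 16.0 script.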
@@ -77,9 +79,6 @@ git revert c9b0d95630b82cd0ad1a0fc633c6d59c2cb8aad7 37422f7df389f3ae5a34ee3d6dd9 enterAndClear "device/qcom/sepolicy"; patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy/0001-Camera_Fix.patch"; #Fix camera on -user builds XXX: REMOVE THIS TRASH -enterAndClear "external/libcups"; -git pull "https://github.com/LineageOS/android_external_libcups" refs/changes/66/255866/1; #O_asb_2019-09 - enterAndClear "external/svox"; git revert 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles @@ -175,6 +174,7 @@ enterAndClear "system/vold"; patch -p1 < "$DOS_PATCHES/android_system_vold/0001-AES256.patch"; #Add a variable for enabling AES-256 bit encryption enterAndClear "vendor/lineage"; +rm build/target/product/security/lineage.x509.pem; rm -rf overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove analytics rm -rf verity_tool; #Resurrect dm-verity rm -rf overlay/common/frameworks/base/core/res/res/drawable-*/default_wallpaper.png; 
@@ -240,9 +240,13 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"'; if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi; find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"'; -find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"'; cd "$DOS_BUILD_BASE"; +#Verity +cp "$DOS_SIGNING_KEYS/griffin/verifiedboot_relkeys.der.x509" "kernel/motorola/msm8996/verifiedboot_griffin_relkeys.der.x509"; +cp "$DOS_SIGNING_KEYS/marlin/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_marlin_relkeys.der.x509"; +cp "$DOS_SIGNING_KEYS/sailfish/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_sailfish_relkeys.der.x509"; + #Fix broken options enabled by hardenDefconfig() sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile sed -i "s/CONFIG_STRICT_MEMORY_RWX=y/# CONFIG_STRICT_MEMORY_RWX is not set/" kernel/lge/msm8996/arch/arm64/configs/lineageos_*_defconfig; #Breaks on compile diff --git a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_essential_msm8998.sh b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_essential_msm8998.sh index 006f9c5f..fdcda9d3 100644 --- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_essential_msm8998.sh +++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_essential_msm8998.sh 
@@ -1,8 +1,7 @@ #!/bin/bash cd "$DOS_BUILD_BASE""kernel/essential/msm8998" git apply $DOS_PATCHES_LINUX_CVES/0001-LinuxIncrementals/4.4/4.4.0187-0188.patch --exclude=Makefile -git apply $DOS_PATCHES_LINUX_CVES/0003-syzkaller-Misc2/ANY/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/0003-syzkaller-Misc2/ANY/0004.patch +git apply $DOS_PATCHES_LINUX_CVES/0001-LinuxIncrementals/4.4/4.4.0188-0189.patch --exclude=Makefile git apply $DOS_PATCHES_LINUX_CVES/0007-Accelerated_AES/3.10+/0016.patch git apply $DOS_PATCHES_LINUX_CVES/0007-Accelerated_AES/3.10+/0020.patch git apply $DOS_PATCHES_LINUX_CVES/0008-Graphene-Kernel_Hardening/ANY/0001.patch @@ -43,7 +42,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-16USB/ANY/0009.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18174/^4.7/0002.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18204/^4.14.2/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18306/4.4/0003.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-18509/^4.11/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-9711/4.4/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11273/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11818/ANY/0002.patch @@ -82,9 +80,7 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10524/ANY/0003.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12378/^5.1.5/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12456/^5.1.5/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-12614/^5.1.6/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-13631/^5.2.1/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15098/^5.2.8/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15213/^5.2.3/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0011.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0012.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2181/4.4/0002.patch 
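Review bot: Replacing the two `0003-syzkaller-Misc2` patches with the 4.4.188-189 incremental and dropping CVE-2017-18509, CVE-2019-13631 and CVE-2019-15213 in the same change is only safe if the incremental (or the tree) already carries those fixes, and the script records neither the reason nor the stable version the kernel is now at. A comment next to the incremental line, e.g. `#4.4.189 supersedes the Misc2 patches and CVE-2019-13631/CVE-2019-15213; CVE-2017-18509 dropped because …` with the real reason, would let a later audit verify coverage without replaying git history.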
@@ -99,5 +95,5 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-6696/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-14875/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11274/ANY/0001.patch -editKernelLocalversion "-dos.p99" +editKernelLocalversion "-dos.p95" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_lge_mako.sh b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_lge_mako.sh index bf10cd4b..57a7dda9 100644 --- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_lge_mako.sh +++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_lge_mako.sh @@ -120,9 +120,6 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-3459/^5.1/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/797912_0001-usb-gadget-Fix-synchronization-issue-between-f_audio.patch git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/870057_0001-wcnss-add-null-check-in-pm_ops-unregister.patch -git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-5d89eb01c93d8a62998e3bdccae28a7732e3bd51.patch -git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-7be3e08d7a523207486701b2d34607137558066f.patch -git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-9f34c6ebc016cd061ae5ec901221d15fa3d67e49.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch -editKernelLocalversion "-dos.p124" +editKernelLocalversion "-dos.p121" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_samsung_msm8974.sh b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_samsung_msm8974.sh index aeadd749..82cfab06 100644 --- a/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_samsung_msm8974.sh +++ b/Scripts/LineageOS-16.0/CVE_Patchers/android_kernel_samsung_msm8974.sh 
@@ -62,11 +62,9 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10675/^4.12.9/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10879/3.4/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10880/3.4/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-10940/^4.16.6/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-11939/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-15594/^4.18.1/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-16658/^4.18.6/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-18710/^4.19/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-20511/^4.18.11/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5332/^4.14.13/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5333/^4.14.13/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-5750/^4.14.15/0001.patch @@ -74,13 +72,11 @@ git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-7492/^4.14.7/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-7757/^4.15.7/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2018-8781/^4.15/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10142/ANY/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-10491/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15216/^5.0.14/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-15807/^5.1.13/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-2054/ANY/0001.patch -git apply $DOS_PATCHES_LINUX_CVES/CVE-2019-8912/^4.20.11/0001.patch git apply $DOS_PATCHES_LINUX_CVES/Untracked-02/ANY/kernel.msm.git-9f34c6ebc016cd061ae5ec901221d15fa3d67e49.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2016-2475/ANY/0001.patch git apply $DOS_PATCHES_LINUX_CVES/CVE-2017-0750/ANY/0001.patch -editKernelLocalversion "-dos.p83" +editKernelLocalversion "-dos.p78" cd "$DOS_BUILD_BASE" diff --git a/Scripts/LineageOS-16.0/Functions.sh b/Scripts/LineageOS-16.0/Functions.sh index 365e679d..095d9556 100644 --- a/Scripts/LineageOS-16.0/Functions.sh +++ b/Scripts/LineageOS-16.0/Functions.sh 
@@ -35,17 +35,19 @@ scanWorkspaceForMalware() { export -f scanWorkspaceForMalware; buildDevice() { + export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1"; brunch "lineage_$1-user" && processRelease $1 true $2; } export -f buildDevice; buildDeviceUserDebug() { + export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1"; brunch "lineage_$1-userdebug" && processRelease $1 true $2; } export -f buildDeviceUserDebug; buildDeviceDebug() { - unset SIGNING_KEY_DIR; + unset OTA_KEY_OVERRIDE_DIR; brunch "lineage_$1-eng"; } export -f buildDeviceDebug; @@ -107,9 +109,7 @@ patchWorkspace() { source build/envsetup.sh; repopick -f 254249; #g3 nfc - #repopick -it hh-cleanup; repopick 255328; #update webview - repopick -it P_asb_2019-09; source "$DOS_SCRIPTS/Patch.sh"; source "$DOS_SCRIPTS/Defaults.sh"; diff --git a/Scripts/LineageOS-16.0/Patch.sh b/Scripts/LineageOS-16.0/Patch.sh index 2608e4ce..839542df 100644 --- a/Scripts/LineageOS-16.0/Patch.sh +++ b/Scripts/LineageOS-16.0/Patch.sh @@ -65,10 +65,12 @@ if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES/android_bio enterAndClear "bootable/recovery"; git revert 4d361ff13b5bd61d5a6a5e95063b24b8a37a24ab 37d729bf; #fix sideload -#git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity +git revert fe2901b144c515c5a90b547198aed37c209b5a82; #Resurrect dm-verity enterAndClear "build/make"; git revert 271f6ffa045064abcac066e97f2cb53ccb3e5126 61f7ee9386be426fd4eadc2c8759362edb5bef8; #Add back PicoTTS and language files +patch -p1 < "$DOS_PATCHES_COMMON/android_build/0001-OTA_Keys.patch"; #add correct keys to recovery for OTA verification +awk -i inplace '!/PRODUCT_EXTRA_RECOVERY_KEYS/' core/product.mk; sed -i '74i$(my_res_package): PRIVATE_AAPT_FLAGS += --auto-add-overlay' core/aapt2.mk; #enterAndClear "device/lineage/sepolicy"; 
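Review bot: buildDeviceUserDebug now exports `OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1"` and then runs `processRelease $1 true $2`, the same flow as buildDevice, so a userdebug image (which by Android's variant definition ships with debugging facilities a user build does not) is built to trust, and presumably signed with, the production release keys. If such a build ever leaves the build machine it is installable as an OTA on production devices, which largely defeats the point of a separate user variant. Consider a distinct key directory for userdebug, e.g. `export OTA_KEY_OVERRIDE_DIR="$DOS_SIGNING_KEYS/$1-userdebug";`, or at minimum a comment on the function stating these builds must never be published; processRelease's implementation is outside this hunk, and the same pattern appears in the 14.1 and 15.1 scripts.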
@@ -78,12 +80,6 @@ enterAndClear "device/qcom/sepolicy-legacy"; patch -p1 < "$DOS_PATCHES/android_device_qcom_sepolicy-legacy/0001-Camera_Fix.patch"; #Fix camera on -user builds XXX: REMOVE THIS TRASH echo "SELINUX_IGNORE_NEVERALLOWS := true" >> sepolicy.mk; #necessary for -user builds of legacy devices -enterAndClear "external/libcups"; -git pull "https://github.com/LineageOS/android_external_libcups" refs/changes/96/255696/1; #P_asb_2019-09 - -enterAndClear "external/libhevc"; -git pull "https://github.com/LineageOS/android_external_libhevc" refs/changes/97/255697/1; #P_asb_2019-09 - enterAndClear "external/svox"; git revert 1419d63b4889a26d22443fd8df1f9073bf229d3d; #Add back Makefiles sed -i '12iLOCAL_SDK_VERSION := current' pico/Android.mk; #Fix build under Pie @@ -171,15 +167,12 @@ git revert b3609d82999d23634c5e6db706a3ecbc5348309a; #Always update recovery patch -p1 < "$DOS_PATCHES/android_system_core/0001-Harden.patch"; #Harden mounts with nodev/noexec/nosuid + misc sysfs changes (GrapheneOS) if [ "$DOS_GRAPHENE_MALLOC" = true ]; then patch -p1 < "$DOS_PATCHES_COMMON/android_system_core/0001-HM-Increase_vm_mmc.patch"; fi; #(GrapheneOS) -enterAndClear "system/nfc"; -git pull "https://github.com/LineageOS/android_system_nfc" refs/changes/93/255693/1; #P_asb_2019-09 -git pull "https://github.com/LineageOS/android_system_nfc" refs/changes/94/255694/1; - enterAndClear "system/sepolicy"; patch -p1 < "$DOS_PATCHES/android_system_sepolicy/0001-LGE_Fixes.patch"; #Fix -user builds for LGE devices awk -i inplace '!/true cannot be used in user builds/' Android.mk; #Allow ignoring neverallows under -user enterAndClear "vendor/lineage"; +rm build/target/product/security/lineage.x509.pem; rm -rf overlay/common/lineage-sdk/packages/LineageSettingsProvider/res/values/defaults.xml; #Remove analytics rm -rf verity_tool; #Resurrect dm-verity rm -rf overlay/common/frameworks/base/core/res/res/drawable-*/default_wallpaper.png; 
@@ -223,8 +216,8 @@ enterAndClear "device/lge/d855"; git revert 9a5739e66d0a44347881807c0cc44d7c318c02b8; #fix nfc path enterAndClear "device/lge/mako"; -git revert 218f7442874f7b7d494f265286a2151e2f81bb6e; #disable dexpreopt full and switch back to -mini #git revert ; #restore releasetools #TODO +smallerSystem; echo "allow kickstart usbfs:dir search;" >> sepolicy/kickstart.te; #Fix forceencrypt on first boot echo "allow system_server sensors_data_file:dir search;" >> sepolicy/system_server.te; #Fix qcom_sensors log spam echo "allow system_server sensors_data_file:dir r_file_perms;" >> sepolicy/system_server.te; 
@@ -250,9 +243,15 @@ find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'hardenUserdata "{}"'; if [ "$DOS_STRONG_ENCRYPTION_ENABLED" = true ]; then find "device" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'enableStrongEncryption "{}"'; fi; find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 4 -I {} bash -c 'hardenDefconfig "{}"'; -find "kernel" -maxdepth 2 -mindepth 2 -type d -print0 | xargs -0 -n 1 -P 8 -I {} bash -c 'cp "$DOS_SIGNING_KEYS/verifiedboot_relkeys.der.x509" "{}/verifiedboot_divested_relkeys.der.x509"'; cd "$DOS_BUILD_BASE"; +#Verity +cp "$DOS_SIGNING_KEYS/cheryl/verifiedboot_relkeys.der.x509" "kernel/razer/msm8998/verifiedboot_cheryl_relkeys.der.x509"; +cp "$DOS_SIGNING_KEYS/griffin/verifiedboot_relkeys.der.x509" "kernel/motorola/msm8996/verifiedboot_griffin_relkeys.der.x509"; +cp "$DOS_SIGNING_KEYS/marlin/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_marlin_relkeys.der.x509"; +cp "$DOS_SIGNING_KEYS/sailfish/verifiedboot_relkeys.der.x509" "kernel/google/marlin/verifiedboot_sailfish_relkeys.der.x509"; +cp "$DOS_SIGNING_KEYS/z2_plus/verifiedboot_relkeys.der.x509" "kernel/zuk/msm8996/verifiedboot_z2_plus_relkeys.der.x509"; + #Fix broken options enabled by hardenDefconfig() sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/lge/mako/arch/arm/configs/lineageos_*_defconfig; #Breaks on compile diff --git a/Scripts/init.sh b/Scripts/init.sh index 2494daaf..6145fb27 100644 --- a/Scripts/init.sh +++ b/Scripts/init.sh 
@@ -130,8 +130,6 @@ if [ ! -d "$DOS_SCRIPTS" ]; then fi; export DOS_SCRIPTS_CVES=$DOS_SCRIPTS"CVE_Patchers/"; -export SIGNING_KEY_DIR=$DOS_SIGNING_KEYS; - export KBUILD_BUILD_USER="emy"; export KBUILD_BUILD_HOST="dosbm"; diff --git a/TODO b/TODO index 26d00a13..9b1b60ac 100644 --- a/TODO +++ b/TODO @@ -1,8 +1,6 @@ -Last updated: 2019-08-29 +Last updated: 2019-09-14 High Priority (Release blockers) - Build - - New signing keys Project - GPG all the things! - Create cryptocurrency addresses