From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Tad
Date: Tue, 6 Apr 2021 05:04:32 -0400
Subject: [PATCH] Allow setting OTA public keys from environment variable

Change-Id: Ib2a00de63b0c7a8790640462d13a84daf2076fa7
---
 core/product_config.mk | 5 +++++
 target/product/security/Android.mk | 21 +++++++++++++++++----
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/core/product_config.mk b/core/product_config.mk
index 37146d3a9..7dc8113f5 100644
--- a/core/product_config.mk
+++ b/core/product_config.mk
@@ -395,6 +395,11 @@ PRODUCT_OTA_PUBLIC_KEYS := $(sort $(PRODUCT_OTA_PUBLIC_KEYS))
 PRODUCT_EXTRA_OTA_KEYS := $(sort $(PRODUCT_EXTRA_OTA_KEYS))
 PRODUCT_EXTRA_RECOVERY_KEYS := $(sort $(PRODUCT_EXTRA_RECOVERY_KEYS))
 
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+ PRODUCT_OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+ PRODUCT_EXTRA_RECOVERY_KEYS := $(OTA_KEY_OVERRIDE_DIR)/extra
+endif
+
 # Resolve and setup per-module dex-preopt configs.
 DEXPREOPT_DISABLED_MODULES :=
 # If a module has multiple setups, the first takes precedence.
diff --git a/target/product/security/Android.mk b/target/product/security/Android.mk
index ad25a9261..c2dca4dc4 100644
--- a/target/product/security/Android.mk
+++ b/target/product/security/Android.mk
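Review bot: In the core/product_config.mk hunk, `ifneq ($(OTA_KEY_OVERRIDE_DIR),)` accepts any non-empty value, and nothing in the added block checks that `releasekey.x509.pem` exists or reports that the override is active. As far as the hunk shows, a variable left over in a build host's environment would change the image's OTA trust anchor without any mention in the build output. Test the stripped value with `ifneq ($(strip $(OTA_KEY_OVERRIDE_DIR)),)`, and inside the block add `$(if $(wildcard $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem),,$(error OTA_KEY_OVERRIDE_DIR has no releasekey.x509.pem))` followed by `$(info OTA public key override: $(OTA_KEY_OVERRIDE_DIR))`. The same unguarded test is repeated in both target/product/security/Android.mk hunks. A missing file would presumably still fail later as a missing prerequisite, but the early check names the cause.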
@@ -70,11 +70,17 @@ include $(BUILD_SYSTEM)/base_rules.mk
 
 extra_ota_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_OTA_KEYS))
 
-$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+ OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+endif
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(OTA_PUBLIC_KEYS)
 $(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_OTA_KEYS := $(extra_ota_keys)
 $(LOCAL_BUILT_MODULE): \
 $(SOONG_ZIP) \
- $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
+ $(OTA_PUBLIC_KEYS) \
 $(extra_ota_keys)
 $(SOONG_ZIP) -o $@ -j -symlinks=false \
 $(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_OTA_KEYS))
@@ -95,11 +101,18 @@ include $(BUILD_SYSTEM)/base_rules.mk
 
 extra_recovery_keys := $(addsuffix .x509.pem,$(PRODUCT_EXTRA_RECOVERY_KEYS))
 
-$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+OTA_PUBLIC_KEYS := $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem
+
+ifneq ($(OTA_KEY_OVERRIDE_DIR),)
+ OTA_PUBLIC_KEYS := $(OTA_KEY_OVERRIDE_DIR)/releasekey.x509.pem
+ extra_recovery_keys := $(OTA_KEY_OVERRIDE_DIR)/extra.x509.pem
+endif
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CERT := $(OTA_PUBLIC_KEYS)
 $(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_RECOVERY_KEYS := $(extra_recovery_keys)
 $(LOCAL_BUILT_MODULE): \
 $(SOONG_ZIP) \
- $(DEFAULT_SYSTEM_DEV_CERTIFICATE).x509.pem \
+ $(OTA_PUBLIC_KEYS) \
 $(extra_recovery_keys)
 $(SOONG_ZIP) -o $@ -j -symlinks=false \
 $(addprefix -f ,$(PRIVATE_CERT) $(PRIVATE_EXTRA_RECOVERY_KEYS))
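Review bot: In the first Android.mk hunk (`@@ -70,11`), only `PRIVATE_CERT` follows the override; `extra_ota_keys` is still built from `PRODUCT_EXTRA_OTA_KEYS`. With `OTA_KEY_OVERRIDE_DIR` set, any extra keys a product configuration lists therefore stay in this module's zip next to the override key, whereas the second hunk replaces `extra_recovery_keys` outright. If the override is meant to pin the trusted set to the keys in that directory, clear the list inside the `ifneq` block with `extra_ota_keys :=`. If keeping the product keys is intended, say so with a comment such as `# PRODUCT_EXTRA_OTA_KEYS stay trusted even when OTA_KEY_OVERRIDE_DIR is set`. The hunk alone does not show which behaviour was intended.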
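Review bot: In the second Android.mk hunk (`@@ -95,11`), `extra_recovery_keys := $(OTA_KEY_OVERRIDE_DIR)/extra.x509.pem` makes `extra.x509.pem` a mandatory prerequisite, so an override directory holding only `releasekey.x509.pem` cannot build this module. The line also appears redundant, since the product_config.mk hunk sets `PRODUCT_EXTRA_RECOVERY_KEYS` to `$(OTA_KEY_OVERRIDE_DIR)/extra` and the `addsuffix` line above already expands that to the same path. To make the extra key optional, use `extra_recovery_keys := $(wildcard $(OTA_KEY_OVERRIDE_DIR)/extra.x509.pem)` here and handle the product_config.mk assignment the same way. Separately, `OTA_PUBLIC_KEYS` is assigned as an upper-case global in both hunks yet holds a single certificate; a lowercase name in the style of the neighbouring `extra_recovery_keys`, for example `ota_public_key`, would read as module-local and be less likely to collide with a variable set elsewhere.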