Dan Hein wrote:
Do you know of any existing documentation that explains the steps needed to
secure an Android device (i.e. at the OEM level)?
I'm not sure where the documentation for these things is; however:
1. sign userimage with vendor private keys
There is a variable you can set in your buildspec.mk to set the *public*
keys used by your build. I found it by tracing the build process, if I
remember correctly it is:
OTA_PUBLIC_KEYS := path/to/key1.pem path/to/key2.pem
This will include the listed public keys in the otacerts.zip store on
the system as well as bake them into the recovery binary in recovery.img.
If you do an engineering build, I'm not certain whether or not it also
includes the test keys, but you could include the following in your
buildspec.mk (I believe this works, but haven't tested):
INCLUDE_TEST_OTA_KEYS := false
The *private* keys, on the other hand, are a different story. I seem to
remember reading a comment somewhere in the makefiles indicating that
initially everything is signed by the test keys and that all package
signing should be done with a post-processing script. I couldn't find
those scripts. Of course, it was quite a while ago when I looked into
this, and they might be available now. Similarly, I'd love to have the
scripts that create the update.zip (it shouldn't be hard to create, but
I just haven't gotten around to it). To sign the update.zip, I believe
there is a SignApk.jar application somewhere in the build (could be a
slightly different name). Given the name, I imagine this works for both
the update.zip and .apk files included in the distribution.
2. ensure ro.secure system property set
This is set based on the build options. A user-release build will ensure
ro.secure=1. I.e., you want the following in your buildspec.mk:
TARGET_BUILD_VARIANT := user
TARGET_BUILD_TYPE := release
3. ensure no root consoles left running (e.g. G1 RC29)
This was fixed by modifying the kernel command line baked into boot.img.
A user-release configuration should have this configuration. I don't
know if it is also fixed with the engineering build. My best guess is yes.
4. ensure build phase for generating dexopt files into system image
Not sure.
Hope that helps,
-Will
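As an added example (not from this thread or the Android build system), a small Python audit that checks a buildspec.mk and the resulting build.prop for the settings Will lists: OTA_PUBLIC_KEYS pointing at vendor keys, INCLUDE_TEST_OTA_KEYS explicitly false, a user/release build, and ro.secure=1. The sample inputs are constructed; the test-key path is AOSP's standard location for its test keys, and the assumption that vendor keys live outside that directory is mine.

```python
"""Audit buildspec.mk and build.prop for the OEM hardening settings discussed above.
Added example, not from the original thread. Assumes GNU-make style `VAR := value`
lines in buildspec.mk and `key=value` lines in build.prop."""
import re

# Constructed sample inputs (not taken from any real device or build tree).
SAMPLE_BUILDSPEC = """\
# buildspec.mk (constructed example of an insecure configuration)
TARGET_PRODUCT := generic
TARGET_BUILD_VARIANT := eng
TARGET_BUILD_TYPE := release
OTA_PUBLIC_KEYS := build/target/product/security/testkey.x509.pem
"""
SAMPLE_BUILD_PROP = "ro.build.type=eng\nro.secure=0\n"

_MK_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:?=\s*(.*?)\s*$')
_PROP_LINE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$')
# AOSP keeps its publicly known test keys here; anything under it is not a vendor key.
_AOSP_TEST_KEY_DIR = 'build/target/product/security'


def parse_kv(text, pattern):
    """Parse key/value lines, skipping blanks and '#' comments; the last assignment wins."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = pattern.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def audit_build(buildspec_text, build_prop_text):
    """Return a list of findings; an empty list means every check from the thread passed."""
    mk = parse_kv(buildspec_text, _MK_LINE)
    props = parse_kv(build_prop_text, _PROP_LINE)
    findings = []
    if mk.get('TARGET_BUILD_VARIANT') != 'user':
        findings.append('TARGET_BUILD_VARIANT is not "user" (ro.secure depends on it)')
    if mk.get('TARGET_BUILD_TYPE') != 'release':
        findings.append('TARGET_BUILD_TYPE is not "release"')
    keys = mk.get('OTA_PUBLIC_KEYS', '').split()
    if not keys:
        findings.append('OTA_PUBLIC_KEYS is unset: otacerts.zip will hold the AOSP test keys')
    for k in keys:  # flag anything that is (or is named like) an AOSP test key
        if _AOSP_TEST_KEY_DIR in k or 'testkey' in k.lower():
            findings.append('OTA_PUBLIC_KEYS references an AOSP test key: ' + k)
    # The thread is unsure of the default, so require the variable to be set explicitly.
    if mk.get('INCLUDE_TEST_OTA_KEYS', '').lower() != 'false':
        findings.append('INCLUDE_TEST_OTA_KEYS is not explicitly false')
    if props.get('ro.secure') != '1':
        findings.append('ro.secure is not 1 (adbd and the shell run unrestricted)')
    return findings
```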