13 files changed, 41 insertions, 18 deletions

diff --git a/core/Makefile b/core/Makefile
index 62ddef6319..06cc876c73 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -912,6 +912,16 @@ $(hide) echo '' >> $6
 
 endef
 
+# -----------------------------------------------------------------
+# Merge an individual apkcerts output into the final apkcerts.txt output.
+# Use a macro to make it compatible with _apkcerts_write_line
+# $1 apkcerts file to be merged
+# $2 output file
+define _apkcerts_merge
+$(hide) cat $1 >> $2
+
+endef
+
 name := $(TARGET_PRODUCT)
 ifeq ($(TARGET_BUILD_TYPE),debug)
   name := $(name)_debug
@@ -920,6 +930,8 @@ name := $(name)-apkcerts-$(FILE_NAME_TAG)
 intermediates := \
 	$(call intermediates-dir-for,PACKAGING,apkcerts)
 APKCERTS_FILE := $(intermediates)/$(name).txt
+all_apkcerts_files := $(sort $(foreach p,$(PACKAGES),$(PACKAGES.$(p).APKCERTS_FILE)))
+$(APKCERTS_FILE): $(all_apkcerts_files)
 # We don't need to really build all the modules.
 # TODO: rebuild APKCERTS_FILE if any app change its cert.
 $(APKCERTS_FILE):
@@ -927,9 +939,11 @@ $(APKCERTS_FILE):
 	@mkdir -p $(dir $@)
 	@rm -f $@
 	$(foreach p,$(sort $(PACKAGES)),\
-	  $(if $(PACKAGES.$(p).EXTERNAL_KEY),\
-	    $(call _apkcerts_write_line,$(PACKAGES.$(p).STEM),"EXTERNAL","",$(PACKAGES.$(p).COMPRESSED),$(PACKAGES.$(p).PARTITION),$@),\
-	    $(call _apkcerts_write_line,$(PACKAGES.$(p).STEM),$(PACKAGES.$(p).CERTIFICATE),$(PACKAGES.$(p).PRIVATE_KEY),$(PACKAGES.$(p).COMPRESSED),$(PACKAGES.$(p).PARTITION),$@)))
+	  $(if $(PACKAGES.$(p).APKCERTS_FILE),\
+	    $(call _apkcerts_merge,$(PACKAGES.$(p).APKCERTS_FILE), $@),\
+	    $(if $(PACKAGES.$(p).EXTERNAL_KEY),\
+	      $(call _apkcerts_write_line,$(PACKAGES.$(p).STEM),"EXTERNAL","",$(PACKAGES.$(p).COMPRESSED),$(PACKAGES.$(p).PARTITION),$@),\
+	      $(call _apkcerts_write_line,$(PACKAGES.$(p).STEM),$(PACKAGES.$(p).CERTIFICATE),$(PACKAGES.$(p).PRIVATE_KEY),$(PACKAGES.$(p).COMPRESSED),$(PACKAGES.$(p).PARTITION),$@))))
 	# In case value of PACKAGES is empty.
 	$(hide) touch $@
 
@@ -4107,6 +4121,7 @@ INTERNAL_OTATOOLS_MODULES := \
   libconscrypt_openjdk_jni \
   lpmake \
   lpunpack \
+  lz4 \
   make_f2fs \
   merge_target_files \
   minigzip \
diff --git a/core/clear_vars.mk b/core/clear_vars.mk
index c01912cd81..b9f439fb59 100644
--- a/core/clear_vars.mk
+++ b/core/clear_vars.mk
@@ -22,6 +22,7 @@ LOCAL_APIDIFF_NEWAPI:=
 LOCAL_APIDIFF_OLDAPI:=
 LOCAL_APK_LIBRARIES:=
 LOCAL_APK_SET_MASTER_FILE:=
+LOCAL_APKCERTS_FILE:=
 LOCAL_ARM_MODE:=
 LOCAL_ASFLAGS:=
 LOCAL_ASSET_DIR:=
diff --git a/core/config.mk b/core/config.mk
index 0b9ff52bcf..90eea5ba99 100644
--- a/core/config.mk
+++ b/core/config.mk
@@ -123,6 +123,7 @@ $(KATI_obsolete_var MD5SUM)
 $(KATI_obsolete_var BOARD_HAL_STATIC_LIBRARIES, See $(CHANGES_URL)#BOARD_HAL_STATIC_LIBRARIES)
 $(KATI_obsolete_var LOCAL_HAL_STATIC_LIBRARIES, See $(CHANGES_URL)#BOARD_HAL_STATIC_LIBRARIES)
 $(KATI_obsolete_var PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_WHITELIST,Use PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_ALLOW_LIST.)
+$(KATI_obsolete_var PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST,Use PRODUCT_ARTIFACT_PATH_REQUIREMENT_ALLOWED_LIST.)
 
 # Used to force goals to build.  Only use for conditionally defined goals.
 .PHONY: FORCE
diff --git a/core/main.mk b/core/main.mk
index a7a69f086e..9e1d6b7024 100644
--- a/core/main.mk
+++ b/core/main.mk
@@ -1218,8 +1218,7 @@ $(call dist-for-goals,droidcore,$(CERTIFICATE_VIOLATION_MODULES_FILENAME))
     $(eval extra_files := $(filter-out $(files) $(HOST_OUT)/%,$(product_target_FILES))) \
     $(eval files_in_requirement := $(filter $(path_patterns),$(extra_files))) \
     $(eval all_offending_files += $(files_in_requirement)) \
-    $(eval allowed := $(strip $(PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST) \
-      $(PRODUCT_ARTIFACT_PATH_REQUIREMENT_ALLOWED_LIST))) \
+    $(eval allowed := $(PRODUCT_ARTIFACT_PATH_REQUIREMENT_ALLOWED_LIST)) \
     $(eval allowed_patterns := $(call resolve-product-relative-paths,$(allowed))) \
     $(eval offending_files := $(filter-out $(allowed_patterns),$(files_in_requirement))) \
     $(eval enforcement := $(PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS)) \
diff --git a/core/product.mk b/core/product.mk
index 3d96d23590..f8ba5936f8 100644
--- a/core/product.mk
+++ b/core/product.mk
@@ -333,7 +333,6 @@ _product_single_value_vars += PRODUCT_ENFORCE_ARTIFACT_PATH_REQUIREMENTS
 _product_single_value_vars += PRODUCT_ENFORCE_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT
 _product_list_vars += PRODUCT_ARTIFACT_SYSTEM_CERTIFICATE_REQUIREMENT_ALLOW_LIST
 _product_list_vars += PRODUCT_ARTIFACT_PATH_REQUIREMENT_HINT
-_product_list_vars += PRODUCT_ARTIFACT_PATH_REQUIREMENT_WHITELIST
 _product_list_vars += PRODUCT_ARTIFACT_PATH_REQUIREMENT_ALLOWED_LIST
 
 # List of modules that should be forcefully unmarked from being LOCAL_PRODUCT_MODULE, and hence
diff --git a/core/soong_android_app_set.mk b/core/soong_android_app_set.mk
index 5ed9b2c29b..c88489427a 100644
--- a/core/soong_android_app_set.mk
+++ b/core/soong_android_app_set.mk
@@ -31,4 +31,9 @@ LOCAL_POST_INSTALL_CMD := unzip -qo -j -d $(dir $(LOCAL_INSTALLED_MODULE)) \
 $(LOCAL_INSTALLED_MODULE): PRIVATE_POST_INSTALL_CMD := $(LOCAL_POST_INSTALL_CMD)
 PACKAGES.$(LOCAL_MODULE).OVERRIDES := $(strip $(LOCAL_OVERRIDES_PACKAGES))
 
+PACKAGES := $(PACKAGES) $(LOCAL_MODULE)
+# We can't know exactly what apk files would be outputted yet.
+# Let extract_apks generate apkcerts.txt and merge it later.
+PACKAGES.$(LOCAL_MODULE).APKCERTS_FILE := $(LOCAL_APKCERTS_FILE)
+
 SOONG_ALREADY_CONV += $(LOCAL_MODULE)
diff --git a/core/version_defaults.mk b/core/version_defaults.mk
index a33f4e7098..c28c2fa0c5 100644
--- a/core/version_defaults.mk
+++ b/core/version_defaults.mk
@@ -240,7 +240,7 @@ ifndef PLATFORM_SECURITY_PATCH
     #  It must be of the form "YYYY-MM-DD" on production devices.
     #  It must match one of the Android Security Patch Level strings of the Public Security Bulletins.
     #  If there is no $PLATFORM_SECURITY_PATCH set, keep it empty.
-      PLATFORM_SECURITY_PATCH := 2020-08-05
+      PLATFORM_SECURITY_PATCH := 2020-09-01
 endif
 .KATI_READONLY := PLATFORM_SECURITY_PATCH
 
diff --git a/target/product/mainline_system_arm64.mk b/target/product/mainline_system_arm64.mk
index 772c687c1b..679af0a06d 100644
--- a/target/product/mainline_system_arm64.mk
+++ b/target/product/mainline_system_arm64.mk
@@ -36,8 +36,6 @@ PRODUCT_BUILD_VENDOR_IMAGE := false
 
 PRODUCT_SHIPPING_API_LEVEL := 29
 
-PRODUCT_RESTRICT_VENDOR_FILES := all
-
 PRODUCT_NAME := mainline_system_arm64
 PRODUCT_DEVICE := mainline_arm64
 PRODUCT_BRAND := generic
diff --git a/target/product/mainline_system_x86.mk b/target/product/mainline_system_x86.mk
index 05e51a9c01..e1f862c88d 100644
--- a/target/product/mainline_system_x86.mk
+++ b/target/product/mainline_system_x86.mk
@@ -35,8 +35,6 @@ PRODUCT_BUILD_VENDOR_IMAGE := false
 
 PRODUCT_SHIPPING_API_LEVEL := 29
 
-PRODUCT_RESTRICT_VENDOR_FILES := all
-
 PRODUCT_NAME := mainline_system_x86
 PRODUCT_DEVICE := mainline_x86
 PRODUCT_BRAND := generic
diff --git a/target/product/mainline_system_x86_64.mk b/target/product/mainline_system_x86_64.mk
index 473ff7236f..8806d3edbb 100644
--- a/target/product/mainline_system_x86_64.mk
+++ b/target/product/mainline_system_x86_64.mk
@@ -36,8 +36,6 @@ PRODUCT_BUILD_VENDOR_IMAGE := false
 
 PRODUCT_SHIPPING_API_LEVEL := 29
 
-PRODUCT_RESTRICT_VENDOR_FILES := all
-
 PRODUCT_NAME := mainline_system_x86_64
 PRODUCT_DEVICE := mainline_x86_64
 PRODUCT_BRAND := generic
diff --git a/target/product/mainline_system_x86_arm.mk b/target/product/mainline_system_x86_arm.mk
index cc11c55f2f..04fb6523a5 100644
--- a/target/product/mainline_system_x86_arm.mk
+++ b/target/product/mainline_system_x86_arm.mk
@@ -35,8 +35,6 @@ PRODUCT_BUILD_VENDOR_IMAGE := false
 
 PRODUCT_SHIPPING_API_LEVEL := 29
 
-PRODUCT_RESTRICT_VENDOR_FILES := all
-
 PRODUCT_NAME := mainline_system_x86_arm
 PRODUCT_DEVICE := mainline_x86_arm
 PRODUCT_BRAND := generic
diff --git a/tools/releasetools/edify_generator.py b/tools/releasetools/edify_generator.py
index 99e21f1c04..b9c9b197b3 100644
--- a/tools/releasetools/edify_generator.py
+++ b/tools/releasetools/edify_generator.py
@@ -374,12 +374,12 @@ class EdifyGenerator(object):
 
   def _CheckSecondTokenNotSlotSuffixed(self, s, fn):
     lst = s.split(':')
-    assert(len(s) == 4), "{} does not contain 4 tokens".format(s)
+    assert(len(lst) == 4), "{} does not contain 4 tokens".format(s)
     if self.fstab:
-      entry = common.GetEntryForDevice(s[1])
+      entry = common.GetEntryForDevice(self.fstab, lst[1])
       if entry is not None:
         assert not entry.slotselect, \
-          "Use %s because %s is slot suffixed" % (fn, s[1])
+          "Use %s because %s is slot suffixed" % (fn, lst[1])
 
   def WriteRawImage(self, mount_point, fn, mapfn=None):
     """Write the given package file into the partition for the given
diff --git a/tools/releasetools/validate_target_files.py b/tools/releasetools/validate_target_files.py
index 69be5119ab..ac469eb685 100755
--- a/tools/releasetools/validate_target_files.py
+++ b/tools/releasetools/validate_target_files.py
@@ -371,6 +371,17 @@ def ValidateVerifiedBootImages(input_tmp, info_dict, options):
             partition, info_dict, key_file)
         cmd.extend(['--expected_chain_partition', chained_partition_arg])
 
+    # Handle the boot image with a non-default name, e.g. boot-5.4.img
+    boot_images = info_dict.get("boot_images")
+    if boot_images:
+      # we used the 1st boot image to generate the vbmeta. Rename the filename
+      # to boot.img so that avbtool can find it correctly.
+      first_image_name = boot_images.split()[0]
+      first_image_path = os.path.join(input_tmp, 'IMAGES', first_image_name)
+      assert os.path.isfile(first_image_path)
+      renamed_boot_image_path = os.path.join(input_tmp, 'IMAGES', 'boot.img')
+      os.rename(first_image_path, renamed_boot_image_path)
+
     proc = common.Run(cmd)
     stdoutdata, _ = proc.communicate()
     assert proc.returncode == 0, \