StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

releasetools: Support verifying AVB signed images with chained partitions.

Browse Source 
For example, verify a target_files.zip that has system AVB-signed as a
chained partition.

  $ build/make/tools/releasetools/validate_target_files.py \
      signed-target_files-4904652.zip \
      --verity_key verifiedboot_pub.pem \
      --avb_system_key_path system_pub.pem

Note that verifiedboot_pub.pem should be the key (either public or
private) to verify vbmeta.img, and 'system_pub.pem' should be the key
(either public or private) for the chained partition of system.

testdata/testkey.key is the private key converted from
testdata/testkey.pk8 for testing purpose (`openssl pkcs8 -in
testdata/testkey.pk8 -inform DER -out testdata/testkey.key -nocrypt`).

Bug: 63706333
Test: python -m unittest test_common
Test: python -m unittest test_add_img_to_target_files
Test: `m dist` on aosp_walleye-userdebug; Run validate_target_files.py
      on the generated target_files.zip.
Test: Set up walleye with chained system partition; `m dist`; Run
      validate_target_files.py on the generated target_files.zip.
Change-Id: I38517ab39baf8a5bc1a6062fab2fe229b68e897d
This commit is contained in:
Tao Bao
2018-07-22 12:40:45 -07:00
parent 540a71d2b3
commit 02a0859b3c
5 changed files with 134 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
tools/releasetools/add_img_to_target_files.py
View File

@@ -373,22 +373,9 @@ def AppendVBMetaArgsForPartition(cmd, partition, image):
# Check if chain partition is used.
key_path = OPTIONS.info_dict.get("avb_" + partition + "_key_path")
if key_path:
# extract public key in AVB format to be included in vbmeta.img
avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"]
pubkey_path = common.MakeTempFile(prefix="avb-", suffix=".pubkey")
proc = common.Run(
[avbtool, "extract_public_key", "--key", key_path, "--output",
pubkey_path],
stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
stdoutdata, _ = proc.communicate()
assert proc.returncode == 0, \
"Failed to extract pubkey for {}:\n{}".format(
partition, stdoutdata)
rollback_index_location = OPTIONS.info_dict[
"avb_" + partition + "_rollback_index_location"]
cmd.extend(["--chain_partition", "%s:%s:%s" % (
partition, rollback_index_location, pubkey_path)])
chained_partition_arg = common.GetAvbChainedPartitionArg(
partition, OPTIONS.info_dict)
cmd.extend(["--chain_partition", chained_partition_arg])
else:
cmd.extend(["--include_descriptors_from_image", image])