releasetools: Support verifying AVB signed images with chained partitions.
For example, verify a target_files.zip that has system AVB-signed as a chained partition. $ build/make/tools/releasetools/validate_target_files.py \ signed-target_files-4904652.zip \ --verity_key verifiedboot_pub.pem \ --avb_system_key_path system_pub.pem Note that verifiedboot_pub.pem should be the key (either public or private) to verify vbmeta.img, and 'system_pub.pem' should be the key (either public or private) for the chained partition of system. testdata/testkey.key is the private key converted from testdata/testkey.pk8 for testing purposes (`openssl pkcs8 -in testdata/testkey.pk8 -inform DER -out testdata/testkey.key -nocrypt`). Bug: 63706333 Test: python -m unittest test_common Test: python -m unittest test_add_img_to_target_files Test: `m dist` on aosp_walleye-userdebug; Run validate_target_files.py on the generated target_files.zip. Test: Set up walleye with chained system partition; `m dist`; Run validate_target_files.py on the generated target_files.zip. Change-Id: I38517ab39baf8a5bc1a6062fab2fe229b68e897d
@@ -315,9 +315,19 @@ def ValidateVerifiedBootImages(input_tmp, info_dict, options):
|
||||
key = options['verity_key']
|
||||
if key is None:
|
||||
key = info_dict['avb_vbmeta_key_path']
|
||||
|
||||
# avbtool verifies all the images that have descriptors listed in vbmeta.
|
||||
image = os.path.join(input_tmp, 'IMAGES', 'vbmeta.img')
|
||||
cmd = ['avbtool', 'verify_image', '--image', image, '--key', key]
|
||||
|
||||
# Append the args for chained partitions if any.
|
||||
for partition in common.AVB_PARTITIONS:
|
||||
key_name = 'avb_' + partition + '_key_path'
|
||||
if info_dict.get(key_name) is not None:
|
||||
chained_partition_arg = common.GetAvbChainedPartitionArg(
|
||||
partition, info_dict, options[key_name])
|
||||
cmd.extend(["--expected_chain_partition", chained_partition_arg])
|
||||
|
||||
proc = common.Run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
|
||||
stdoutdata, _ = proc.communicate()
|
||||
assert proc.returncode == 0, \
|
||||
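Review bot: `options[key_name]` passed to `common.GetAvbChainedPartitionArg(` is None whenever the matching `--avb_<partition>_key_path` flag was not given on the command line, so the fallback to the build's own key path presumably happens inside GetAvbChainedPartitionArg; that contract is not visible in this hunk and deserves a comment on the loop, e.g. `# A None key makes GetAvbChainedPartitionArg fall back to info_dict's avb_<partition>_key_path — confirm against common.py.` The `assert proc.returncode == 0` that carries the avbtool verdict is also stripped under `python -O`, which would turn a failed signature check into a silent pass for a tool whose only job is validation; `if proc.returncode != 0: raise AssertionError(...)` keeps the exception type callers see while surviving -O. ValidateVerifiedBootImages continues past the end of the hunk.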
@@ -339,8 +349,13 @@ def main():
|
||||
parser.add_argument(
|
||||
'--verity_key',
|
||||
help='the verity public key to verify the bootable images (Verified '
|
||||
'Boot 1.0), or the vbmeta image (Verified Boot 2.0), where '
|
||||
'Boot 1.0), or the vbmeta image (Verified Boot 2.0, aka AVB), where '
|
||||
'applicable')
|
||||
for partition in common.AVB_PARTITIONS:
|
||||
parser.add_argument(
|
||||
'--avb_' + partition + '_key_path',
|
||||
help='the public or private key in PEM format to verify AVB chained '
|
||||
'partition of {}'.format(partition))
|
||||
parser.add_argument(
|
||||
'--verity_key_mincrypt',
|
||||
help='the verity public key in mincrypt format to verify the system '
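Review bot: The help text on the new `--avb_<partition>_key_path` flags does not say when the key is actually consulted; from the verification loop earlier in this commit it appears to be used only when the build's info dict marks that partition as chained, and otherwise the flag is silently ignored, so the help should say so, e.g. `'partition of {}; ignored unless the build chains that partition'.format(partition)`. The flag name is built with `'--avb_' + partition + '_key_path'` while the help string two lines below uses `.format`; `'--avb_{}_key_path'.format(partition)` keeps both in one style. main() continues past the end of the hunk.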
|
||||
|