Enables signing for generic boot images

Enables signing for them so we can verify that the boot partition contains a valid generic boot image during the compliance test. This change also adds the chained partition descriptor of boot partition into vbmeta.img, which contains the corresponding public key used to verify the boot partition. Bug: 151094943 Test: lunch aosp_arm64-user, `make` and use `avbtool info_image` to check that GKI images are properly signed. Test: `make dist` and checks that GKI images in the image zip file are properly signed. Change-Id: I2fd69964f9dc62526a813875fa9193913aa4935b
2020-05-08 14:09:57 +08:00
parent 9150e7a65c
commit 0f95ac7e8c
2 changed files with 6 additions and 4 deletions
--- a/core/Makefile
+++ b/core/Makefile
@@ -3524,12 +3524,8 @@ $(if $(BOARD_AVB_$(call to-upper,$(1))_KEY_PATH),\
 endef

 ifdef INSTALLED_BOOTIMAGE_TARGET
-# multiple hashes for an image are not yet supported, fortunately this
-# only arises for GKI where the boot descriptor can be left out
-ifeq ($(strip $(BOARD_KERNEL_BINARIES)),)
 $(eval $(call check-and-set-avb-args,boot))
 endif
-endif

 ifdef INSTALLED_VENDOR_BOOTIMAGE_TARGET
 $(eval $(call check-and-set-avb-args,vendor_boot))
--- a/target/board/BoardConfigGsiCommon.mk
+++ b/target/board/BoardConfigGsiCommon.mk
@@ -40,6 +40,12 @@ BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048
 BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
 BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1

+# Enable chain partition for boot, mainly for GKI images.
+BOARD_AVB_BOOT_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
+BOARD_AVB_BOOT_ALGORITHM := SHA256_RSA2048
+BOARD_AVB_BOOT_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
+BOARD_AVB_BOOT_ROLLBACK_INDEX_LOCATION := 2
+
 # GSI specific System Properties
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
 TARGET_SYSTEM_EXT_PROP := build/make/target/board/gsi_system_ext.prop