Use deterministic salt for AVB footer of prebuilt boot img

When target specified a prebuilt boot.img, current build system will add
avb hash footer to it with a random salt. Use a deterministic salt
instead for more reproducible builds. To stay consistent with
non-prebuilt boot.img code path, we extract the kernel image from
prebuilt boot.img and uses sha256sum of kernel image as the salt.

Test: th
Bug: 293313353
Change-Id: I988999ddc4f18e0b8677b05a3165c847b6a11b52

tools/releasetools/common.py

@@ -1947,7 +1947,15 @@ def _SignBootableImage(image_path, prebuilt_name, partition_name,
     cmd = [avbtool, "add_hash_footer", "--image", image_path,
            "--partition_size", str(part_size), "--partition_name",
            partition_name]
-    AppendAVBSigningArgs(cmd, partition_name)
+    # Use sha256 of the kernel as salt for reproducible builds
+    with tempfile.TemporaryDirectory() as tmpdir:
+      RunAndCheckOutput(["unpack_bootimg", "--boot_img", image_path, "--out", tmpdir])
+      for filename in ["kernel", "ramdisk", "vendor_ramdisk00"]:
+        path = os.path.join(tmpdir, filename)
+        if os.path.exists(path) and os.path.getsize(path):
+          with open(path, "rb") as fp:
+            salt = sha256(fp.read()).hexdigest()
+    AppendAVBSigningArgs(cmd, partition_name, salt)
     args = info_dict.get("avb_" + partition_name + "_add_hash_footer_args")
     if args and args.strip():
       split_args = ResolveAVBSigningPathArgs(shlex.split(args))