Support GKI boot.img v4 signing
Commit I9967d06bde0e18a12b84b5b0b568db09765fe305 supports adding a generic boot_signature into boot.img v4. This change allows replacing the boot_signature signing key with a release key during the release process. The default GKI signing key can be specified in a BoardConfig.mk via: BOARD_GKI_SIGNING_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem BOARD_GKI_SIGNING_ALGORITHM := SHA256_RSA2048 BOARD_GKI_SIGNING_SIGNATURE_ARGS := --prop foo:bar The release signing key/algorithm can be specified by the following options when invoking sign_target_files_apks: --gki_signing_key=external/avb/test/data/testkey_rsa4096.pem --gki_signing_algorithm=SHA256_RSA4096 Additional arguments for generating the GKI signature can be specified as below: --gki_signing_extra_args="--prop gki:prop1 --prop gki:prop2" Bug: 177862434 Test: make dist Test: sign_target_files_apks \ --gki_signing_key=external/avb/test/data/testkey_rsa4096.pem \ --gki_signing_algorithm=SHA256_RSA4096 \ --gki_signing_extra_args="--prop gki:prop1 --prop gki:prop2" \ ./out/dist/*-target_files-eng.*.zip signed.zip Test: Checks GKI boot_signature is expected after signing: `unzip signed.zip IMAGES/boot.img` `unpack_bootimg --boot_img IMAGES/boot.img --out unpack` `avbtool info_image --image unpack/boot_signature` Test: unit test: releasetools_test and releasetools_py3_test Change-Id: I61dadbc242360e4cab3dc70295931b4a5b9422a9
@@ -123,6 +123,17 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
|
||||
mounted on the partition (e.g. "--signing_helper /path/to/helper"). The
|
||||
args will be appended to the existing ones in info dict.
|
||||
|
||||
--gki_signing_algorithm <algorithm>
|
||||
--gki_signing_key <key>
|
||||
Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate
|
||||
'boot signature' in a v4 boot.img. Otherwise it uses the existing values
|
||||
in info dict.
|
||||
|
||||
--gki_signing_extra_args <args>
|
||||
Specify any additional args that are needed to generate 'boot signature'
|
||||
(e.g. --prop foo:bar). The args will be appended to the existing ones
|
||||
in info dict.
|
||||
|
||||
--android_jar_path <path>
|
||||
Path to the android.jar to repack the apex file.
|
||||
"""
|
||||
@@ -174,6 +185,9 @@ OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys")
|
||||
OPTIONS.avb_keys = {}
|
||||
OPTIONS.avb_algorithms = {}
|
||||
OPTIONS.avb_extra_args = {}
|
||||
OPTIONS.gki_signing_key = None
|
||||
OPTIONS.gki_signing_algorithm = None
|
||||
OPTIONS.gki_signing_extra_args = None
|
||||
OPTIONS.android_jar_path = None
|
||||
|
||||
|
||||
@@ -677,6 +691,9 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
||||
if misc_info.get('avb_enable') == 'true':
|
||||
RewriteAvbProps(misc_info)
|
||||
|
||||
# Replace the GKI signing key for boot.img, if any.
|
||||
ReplaceGkiSigningKey(misc_info)
|
||||
|
||||
# Write back misc_info with the latest values.
|
||||
ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info)
|
||||
|
||||
@@ -995,6 +1012,28 @@ def RewriteAvbProps(misc_info):
|
||||
misc_info[args_key] = result
|
||||
|
||||
|
||||
def ReplaceGkiSigningKey(misc_info):
|
||||
"""Replaces the GKI signing key."""
|
||||
|
||||
key = OPTIONS.gki_signing_key
|
||||
if not key:
|
||||
return
|
||||
|
||||
algorithm = OPTIONS.gki_signing_algorithm
|
||||
if not algorithm:
|
||||
raise ValueError("Missing --gki_signing_algorithm")
|
||||
|
||||
print('Replacing GKI signing key with "%s" (%s)' % (key, algorithm))
|
||||
misc_info["gki_signing_algorithm"] = algorithm
|
||||
misc_info["gki_signing_key_path"] = key
|
||||
|
||||
extra_args = OPTIONS.gki_signing_extra_args
|
||||
if extra_args:
|
||||
print('Setting extra GKI signing args: "%s"' % (extra_args))
|
||||
misc_info["gki_signing_signature_args"] = (
|
||||
misc_info.get("gki_signing_signature_args", '') + ' ' + extra_args)
|
||||
|
||||
|
||||
def BuildKeyMap(misc_info, key_mapping_options):
|
||||
for s, d in key_mapping_options:
|
||||
if s is None: # -d option
|
||||
@@ -1226,6 +1265,12 @@ def main(argv):
|
||||
# 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'.
|
||||
partition, extra_args = a.split("=", 1)
|
||||
OPTIONS.avb_extra_args[partition] = extra_args
|
||||
elif o == "--gki_signing_key":
|
||||
OPTIONS.gki_signing_key = a
|
||||
elif o == "--gki_signing_algorithm":
|
||||
OPTIONS.gki_signing_algorithm = a
|
||||
elif o == "--gki_signing_extra_args":
|
||||
OPTIONS.gki_signing_extra_args = a
|
||||
else:
|
||||
return False
|
||||
return True
|
||||
@@ -1273,6 +1318,9 @@ def main(argv):
|
||||
"avb_extra_custom_image_key=",
|
||||
"avb_extra_custom_image_algorithm=",
|
||||
"avb_extra_custom_image_extra_args=",
|
||||
"gki_signing_key=",
|
||||
"gki_signing_algorithm=",
|
||||
"gki_signing_extra_args=",
|
||||
],
|
||||
extra_option_handler=option_handler)
|
||||
|
||||
|
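Review bot: In `ReplaceGkiSigningKey` the early `return` taken when `OPTIONS.gki_signing_key` is unset also discards `--gki_signing_algorithm` and `--gki_signing_extra_args` without any message, so a release invocation that omits the key option leaves `gki_signing_key_path` in the info dict as it was; in the commit message's BoardConfig example that default is a test key. The help text for `--gki_signing_extra_args` says the args "will be appended to the existing ones in info dict", which reads as if the option worked on its own, but the code applies it only after a key was given. I would reject the inconsistent combination before returning, `if OPTIONS.gki_signing_algorithm or OPTIONS.gki_signing_extra_args:` followed by `raise ValueError("Missing --gki_signing_key")`, mirroring the existing check for a missing algorithm. A comment on the plain fallback such as `# No release key given: the GKI key from misc_info stays in effect.` would make the silent path explicit for whoever audits the release signing step.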