releasetools: Android T GKI certification scheme
Companion change of Iaf48a6e3d4b97fa6bfb5e1635a288b045baa248f To support new GKI certification scheme for boot.img and init_boot.img on upgrading and launching device combinations. Bug: 210367929 Bug: 211741246 Bug: 203698939 Test: atest --host releasetools_test:test_common Test: unpack_bootimg --boot_img boot.img Test: unpack_bootimg --boot_img init_boot.img Test: avbtool info_image --image out/boot_signature Change-Id: I3749297c09c3899046550e4be776acbeea37ef2e
This commit is contained in:
Yi-Yo Chiang
@@ -162,6 +162,7 @@ python_defaults {
|
||||
required: [
|
||||
"brillo_update_payload",
|
||||
"checkvintf",
|
||||
"generate_gki_certificate",
|
||||
"minigzip",
|
||||
"lz4",
|
||||
"toybox",
|
||||
@@ -236,6 +237,7 @@ python_library_host {
|
||||
"boot_signer",
|
||||
"brotli",
|
||||
"bsdiff",
|
||||
"generate_gki_certificate",
|
||||
"imgdiff",
|
||||
"minigzip",
|
||||
"lz4",
|
||||
@@ -301,6 +303,7 @@ python_defaults {
|
||||
"brotli",
|
||||
"bsdiff",
|
||||
"deapexer",
|
||||
"generate_gki_certificate",
|
||||
"imgdiff",
|
||||
"minigzip",
|
||||
"lz4",
|
||||
|
||||
@@ -1396,34 +1396,52 @@ def GetAvbChainedPartitionArg(partition, info_dict, key=None):
|
||||
return "{}:{}:{}".format(partition, rollback_index_location, pubkey_path)
|
||||
|
||||
|
||||
def AppendGkiSigningArgs(cmd):
|
||||
"""Append GKI signing arguments for mkbootimg."""
|
||||
# e.g., --gki_signing_key path/to/signing_key
|
||||
# --gki_signing_algorithm SHA256_RSA4096"
|
||||
def _HasGkiCertificationArgs():
|
||||
return ("gki_signing_key_path" in OPTIONS.info_dict and
|
||||
"gki_signing_algorithm" in OPTIONS.info_dict)
|
||||
|
||||
|
||||
def _GenerateGkiCertificate(image, image_name, partition_name):
|
||||
key_path = OPTIONS.info_dict.get("gki_signing_key_path")
|
||||
# It's fine that a non-GKI boot.img has no gki_signing_key_path.
|
||||
if not key_path:
|
||||
return
|
||||
algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
|
||||
|
||||
if not os.path.exists(key_path) and OPTIONS.search_path:
|
||||
new_key_path = os.path.join(OPTIONS.search_path, key_path)
|
||||
if os.path.exists(new_key_path):
|
||||
key_path = new_key_path
|
||||
|
||||
# Checks key_path exists, before appending --gki_signing_* args.
|
||||
# Checks key_path exists, before processing --gki_signing_* args.
|
||||
if not os.path.exists(key_path):
|
||||
raise ExternalError(
|
||||
'gki_signing_key_path: "{}" not found'.format(key_path))
|
||||
|
||||
algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
|
||||
if key_path and algorithm:
|
||||
cmd.extend(["--gki_signing_key", key_path,
|
||||
"--gki_signing_algorithm", algorithm])
|
||||
output_certificate = tempfile.NamedTemporaryFile()
|
||||
cmd = [
|
||||
"generate_gki_certificate",
|
||||
"--name", image_name,
|
||||
"--algorithm", algorithm,
|
||||
"--key", key_path,
|
||||
"--output", output_certificate.name,
|
||||
image,
|
||||
]
|
||||
|
||||
signature_args = OPTIONS.info_dict.get("gki_signing_signature_args")
|
||||
if signature_args:
|
||||
cmd.extend(["--gki_signing_signature_args", signature_args])
|
||||
signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "")
|
||||
signature_args = signature_args.strip()
|
||||
if signature_args:
|
||||
cmd.extend(["--additional_avb_args", signature_args])
|
||||
|
||||
args = OPTIONS.info_dict.get(
|
||||
"avb_" + partition_name + "_add_hash_footer_args", "")
|
||||
args = args.strip()
|
||||
if args:
|
||||
cmd.extend(["--additional_avb_args", args])
|
||||
|
||||
RunAndCheckOutput(cmd)
|
||||
|
||||
output_certificate.seek(os.SEEK_SET, 0)
|
||||
data = output_certificate.read()
|
||||
output_certificate.close()
|
||||
return data
|
||||
|
||||
|
||||
def BuildVBMeta(image_path, partitions, name, needed_partitions):
|
||||
@@ -1549,6 +1567,8 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
|
||||
if kernel and not os.access(os.path.join(sourcedir, kernel), os.F_OK):
|
||||
return None
|
||||
|
||||
kernel_path = os.path.join(sourcedir, kernel) if kernel else None
|
||||
|
||||
if has_ramdisk and not os.access(os.path.join(sourcedir, "RAMDISK"), os.F_OK):
|
||||
return None
|
||||
|
||||
@@ -1563,8 +1583,8 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
|
||||
mkbootimg = os.getenv('MKBOOTIMG') or "mkbootimg"
|
||||
|
||||
cmd = [mkbootimg]
|
||||
if kernel:
|
||||
cmd += ["--kernel", os.path.join(sourcedir, kernel)]
|
||||
if kernel_path is not None:
|
||||
cmd.extend(["--kernel", kernel_path])
|
||||
|
||||
fn = os.path.join(sourcedir, "second")
|
||||
if os.access(fn, os.F_OK):
|
||||
@@ -1604,15 +1624,31 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
|
||||
if args and args.strip():
|
||||
cmd.extend(shlex.split(args))
|
||||
|
||||
args = info_dict.get("mkbootimg_version_args")
|
||||
if args and args.strip():
|
||||
cmd.extend(shlex.split(args))
|
||||
boot_signature = None
|
||||
if _HasGkiCertificationArgs():
|
||||
# Certify GKI images.
|
||||
boot_signature_bytes = b''
|
||||
if kernel_path is not None:
|
||||
boot_signature_bytes += _GenerateGkiCertificate(
|
||||
kernel_path, "generic_kernel", "boot")
|
||||
if has_ramdisk:
|
||||
boot_signature_bytes += _GenerateGkiCertificate(
|
||||
ramdisk_img.name, "generic_ramdisk", "init_boot")
|
||||
|
||||
if len(boot_signature_bytes) > 0:
|
||||
boot_signature = tempfile.NamedTemporaryFile()
|
||||
boot_signature.write(boot_signature_bytes)
|
||||
boot_signature.flush()
|
||||
cmd.extend(["--boot_signature", boot_signature.name])
|
||||
else:
|
||||
# Certified GKI boot/init_boot image mustn't set 'mkbootimg_version_args'.
|
||||
args = info_dict.get("mkbootimg_version_args")
|
||||
if args and args.strip():
|
||||
cmd.extend(shlex.split(args))
|
||||
|
||||
if has_ramdisk:
|
||||
cmd.extend(["--ramdisk", ramdisk_img.name])
|
||||
|
||||
AppendGkiSigningArgs(cmd)
|
||||
|
||||
img_unsigned = None
|
||||
if info_dict.get("vboot"):
|
||||
img_unsigned = tempfile.NamedTemporaryFile()
|
||||
@@ -1690,6 +1726,9 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
|
||||
ramdisk_img.close()
|
||||
img.close()
|
||||
|
||||
if boot_signature is not None:
|
||||
boot_signature.close()
|
||||
|
||||
return data
|
||||
|
||||
|
||||
|
||||
@@ -1631,66 +1631,7 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
|
||||
self.assertEqual('3', chained_partition_args[1])
|
||||
self.assertTrue(os.path.exists(chained_partition_args[2]))
|
||||
|
||||
@test_utils.SkipIfExternalToolsUnavailable()
|
||||
def test_AppendGkiSigningArgs_NoSigningKeyPath(self):
|
||||
# A non-GKI boot.img has no gki_signing_key_path.
|
||||
common.OPTIONS.info_dict = {
|
||||
# 'gki_signing_key_path': pubkey,
|
||||
'gki_signing_algorithm': 'SHA256_RSA4096',
|
||||
'gki_signing_signature_args': '--prop foo:bar',
|
||||
}
|
||||
|
||||
# Tests no --gki_signing_* args are appended if there is no
|
||||
# gki_signing_key_path.
|
||||
cmd = ['mkbootimg', '--header_version', '4']
|
||||
expected_cmd = ['mkbootimg', '--header_version', '4']
|
||||
common.AppendGkiSigningArgs(cmd)
|
||||
self.assertEqual(cmd, expected_cmd)
|
||||
|
||||
def test_AppendGkiSigningArgs_NoSigningAlgorithm(self):
|
||||
pubkey = os.path.join(self.testdata_dir, 'testkey_gki.pem')
|
||||
with open(pubkey, 'wb') as f:
|
||||
f.write(b'\x00' * 100)
|
||||
self.assertTrue(os.path.exists(pubkey))
|
||||
|
||||
# Tests no --gki_signing_* args are appended if there is no
|
||||
# gki_signing_algorithm.
|
||||
common.OPTIONS.info_dict = {
|
||||
'gki_signing_key_path': pubkey,
|
||||
# 'gki_signing_algorithm': 'SHA256_RSA4096',
|
||||
'gki_signing_signature_args': '--prop foo:bar',
|
||||
}
|
||||
|
||||
cmd = ['mkbootimg', '--header_version', '4']
|
||||
expected_cmd = ['mkbootimg', '--header_version', '4']
|
||||
common.AppendGkiSigningArgs(cmd)
|
||||
self.assertEqual(cmd, expected_cmd)
|
||||
|
||||
@test_utils.SkipIfExternalToolsUnavailable()
|
||||
def test_AppendGkiSigningArgs(self):
|
||||
pubkey = os.path.join(self.testdata_dir, 'testkey_gki.pem')
|
||||
with open(pubkey, 'wb') as f:
|
||||
f.write(b'\x00' * 100)
|
||||
self.assertTrue(os.path.exists(pubkey))
|
||||
|
||||
common.OPTIONS.info_dict = {
|
||||
'gki_signing_key_path': pubkey,
|
||||
'gki_signing_algorithm': 'SHA256_RSA4096',
|
||||
'gki_signing_signature_args': '--prop foo:bar',
|
||||
}
|
||||
cmd = ['mkbootimg', '--header_version', '4']
|
||||
common.AppendGkiSigningArgs(cmd)
|
||||
|
||||
expected_cmd = [
|
||||
'mkbootimg', '--header_version', '4',
|
||||
'--gki_signing_key', pubkey,
|
||||
'--gki_signing_algorithm', 'SHA256_RSA4096',
|
||||
'--gki_signing_signature_args', '--prop foo:bar'
|
||||
]
|
||||
self.assertEqual(cmd, expected_cmd)
|
||||
|
||||
@test_utils.SkipIfExternalToolsUnavailable()
|
||||
def test_AppendGkiSigningArgs_KeyPathNotFound(self):
|
||||
def test_GenerateGkiCertificate_KeyPathNotFound(self):
|
||||
pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem')
|
||||
self.assertFalse(os.path.exists(pubkey))
|
||||
|
||||
@@ -1699,41 +1640,11 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
|
||||
'gki_signing_algorithm': 'SHA256_RSA4096',
|
||||
'gki_signing_signature_args': '--prop foo:bar',
|
||||
}
|
||||
cmd = ['mkbootimg', '--header_version', '4']
|
||||
self.assertRaises(common.ExternalError, common.AppendGkiSigningArgs, cmd)
|
||||
test_file = tempfile.NamedTemporaryFile()
|
||||
self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
|
||||
test_file.name, 'generic_kernel', 'boot')
|
||||
|
||||
@test_utils.SkipIfExternalToolsUnavailable()
|
||||
def test_AppendGkiSigningArgs_SearchKeyPath(self):
|
||||
pubkey = 'testkey_gki.pem'
|
||||
self.assertFalse(os.path.exists(pubkey))
|
||||
|
||||
# Tests it should replace the pubkey with an existed key under
|
||||
# OPTIONS.search_path, i.e., os.path.join(OPTIONS.search_path, pubkey).
|
||||
search_path_dir = common.MakeTempDir()
|
||||
search_pubkey = os.path.join(search_path_dir, pubkey)
|
||||
with open(search_pubkey, 'wb') as f:
|
||||
f.write(b'\x00' * 100)
|
||||
self.assertTrue(os.path.exists(search_pubkey))
|
||||
|
||||
common.OPTIONS.search_path = search_path_dir
|
||||
common.OPTIONS.info_dict = {
|
||||
'gki_signing_key_path': pubkey,
|
||||
'gki_signing_algorithm': 'SHA256_RSA4096',
|
||||
'gki_signing_signature_args': '--prop foo:bar',
|
||||
}
|
||||
cmd = ['mkbootimg', '--header_version', '4']
|
||||
common.AppendGkiSigningArgs(cmd)
|
||||
|
||||
expected_cmd = [
|
||||
'mkbootimg', '--header_version', '4',
|
||||
'--gki_signing_key', search_pubkey,
|
||||
'--gki_signing_algorithm', 'SHA256_RSA4096',
|
||||
'--gki_signing_signature_args', '--prop foo:bar'
|
||||
]
|
||||
self.assertEqual(cmd, expected_cmd)
|
||||
|
||||
@test_utils.SkipIfExternalToolsUnavailable()
|
||||
def test_AppendGkiSigningArgs_SearchKeyPathNotFound(self):
|
||||
def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):
|
||||
pubkey = 'no_testkey_gki.pem'
|
||||
self.assertFalse(os.path.exists(pubkey))
|
||||
|
||||
@@ -1749,9 +1660,9 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
|
||||
'gki_signing_algorithm': 'SHA256_RSA4096',
|
||||
'gki_signing_signature_args': '--prop foo:bar',
|
||||
}
|
||||
cmd = ['mkbootimg', '--header_version', '4']
|
||||
self.assertRaises(common.ExternalError, common.AppendGkiSigningArgs, cmd)
|
||||
|
||||
test_file = tempfile.NamedTemporaryFile()
|
||||
self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
|
||||
test_file.name, 'generic_kernel', 'boot')
|
||||
|
||||
class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
|
||||
"""Checks the format of install-recovery.sh.
|
||||
|
||||
Reference in New Issue
Block a user