StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge changes from topic "gki-avb-vts" am: 9d164b6300 am: e93bc67cf8

Browse Source 
Original change: https://android-review.googlesource.com/c/platform/build/+/1999071

Change-Id: Ie1685e3db923366676404465fe846d59f3559def
This commit is contained in:
Yi-yo Chiang
2022-03-01 05:36:25 +00:00
committed by Automerger Merge Worker
parent 6dde81f3f5 e93bc67cf8
commit 4e8705b181
3 changed files with 38 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
core/Makefile
View File

@@ -906,11 +906,9 @@ INTERNAL_BOOTIMAGE_ARGS := \
INTERNAL_INIT_BOOT_IMAGE_ARGS := INTERNAL_INIT_BOOT_IMAGE_ARGS :=
INTERNAL_BOOT_HAS_RAMDISK :=
ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true)
ifneq ($(BUILDING_INIT_BOOT_IMAGE),true) ifneq ($(BUILDING_INIT_BOOT_IMAGE),true)
INTERNAL_BOOTIMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET) INTERNAL_BOOTIMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET)
INTERNAL_BOOT_HAS_RAMDISK := true
else else
INTERNAL_INIT_BOOT_IMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET) INTERNAL_INIT_BOOT_IMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET)
endif endif
@@ -973,7 +971,6 @@ endef
INTERNAL_GKI_CERTIFICATE_ARGS := INTERNAL_GKI_CERTIFICATE_ARGS :=
INTERNAL_GKI_CERTIFICATE_DEPS := INTERNAL_GKI_CERTIFICATE_DEPS :=
INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE :=
ifdef BOARD_GKI_SIGNING_KEY_PATH ifdef BOARD_GKI_SIGNING_KEY_PATH
ifndef BOARD_GKI_SIGNING_ALGORITHM ifndef BOARD_GKI_SIGNING_ALGORITHM
$(error BOARD_GKI_SIGNING_ALGORITHM should be defined with BOARD_GKI_SIGNING_KEY_PATH) $(error BOARD_GKI_SIGNING_ALGORITHM should be defined with BOARD_GKI_SIGNING_KEY_PATH)
@@ -994,13 +991,6 @@ ifdef BOARD_GKI_SIGNING_KEY_PATH
$(BOARD_GKI_SIGNING_KEY_PATH) \ $(BOARD_GKI_SIGNING_KEY_PATH) \
$(AVBTOOL) $(AVBTOOL)
ifdef INSTALLED_RAMDISK_TARGET
INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE := \
$(call intermediates-dir-for,PACKAGING,generic_ramdisk)/boot_signature
$(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE): $(INSTALLED_RAMDISK_TARGET) $(INTERNAL_GKI_CERTIFICATE_DEPS)
$(call generate_generic_boot_image_certificate,$(INSTALLED_RAMDISK_TARGET),$@,generic_ramdisk,$(BOARD_AVB_INIT_BOOT_ADD_HASH_FOOTER_ARGS))
endif
endif endif
# Define these only if we are building boot # Define these only if we are building boot
@@ -1018,14 +1008,16 @@ ifeq (true,$(BOARD_AVB_ENABLE))
# $1: boot image target # $1: boot image target
define build_boot_board_avb_enabled define build_boot_board_avb_enabled
$(eval kernel := $(call bootimage-to-kernel,$(1))) $(eval kernel := $(call bootimage-to-kernel,$(1)))
$(MKBOOTIMG) --kernel $(kernel) $(INTERNAL_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1)
$(if $(BOARD_GKI_SIGNING_KEY_PATH), \ $(if $(BOARD_GKI_SIGNING_KEY_PATH), \
$(eval boot_signature := $(call intermediates-dir-for,PACKAGING,generic_boot)/$(notdir $(1)).boot_signature) \
$(eval kernel_signature := $(call intermediates-dir-for,PACKAGING,generic_kernel)/$(notdir $(kernel)).boot_signature) \ $(eval kernel_signature := $(call intermediates-dir-for,PACKAGING,generic_kernel)/$(notdir $(kernel)).boot_signature) \
$(call generate_generic_boot_image_certificate,$(1),$(boot_signature),boot,$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)) $(newline) \
$(call generate_generic_boot_image_certificate,$(kernel),$(kernel_signature),generic_kernel,$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)) $(newline) \ $(call generate_generic_boot_image_certificate,$(kernel),$(kernel_signature),generic_kernel,$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)) $(newline) \
$(if $(INTERNAL_BOOT_HAS_RAMDISK), \ cat $(kernel_signature) >> $(boot_signature) $(newline) \
cat $(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE) >> $(kernel_signature) $(newline))) $(call assert-max-image-size,$(boot_signature),16 << 10) $(newline) \
$(MKBOOTIMG) --kernel $(kernel) $(INTERNAL_BOOTIMAGE_ARGS) \ truncate -s $$(( 16 << 10 )) $(boot_signature) $(newline) \
$(if $(BOARD_GKI_SIGNING_KEY_PATH),--boot_signature "$(kernel_signature)",$(INTERNAL_MKBOOTIMG_VERSION_ARGS)) \ cat "$(boot_signature)" >> $(1))
$(BOARD_MKBOOTIMG_ARGS) --output $(1)
$(call assert-max-image-size,$(1),$(call get-hash-image-max-size,$(call get-bootimage-partition-size,$(1),boot))) $(call assert-max-image-size,$(1),$(call get-hash-image-max-size,$(call get-bootimage-partition-size,$(1),boot)))
$(AVBTOOL) add_hash_footer \ $(AVBTOOL) add_hash_footer \
--image $(1) \ --image $(1) \
@@ -1034,9 +1026,6 @@ define build_boot_board_avb_enabled
$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS) $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)
endef endef
ifdef INTERNAL_BOOT_HAS_RAMDISK
$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE)
endif
$(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(AVBTOOL) $(INTERNAL_BOOTIMAGE_FILES) $(BOARD_AVB_BOOT_KEY_PATH) $(INTERNAL_GKI_CERTIFICATE_DEPS) $(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(AVBTOOL) $(INTERNAL_BOOTIMAGE_FILES) $(BOARD_AVB_BOOT_KEY_PATH) $(INTERNAL_GKI_CERTIFICATE_DEPS)
$(call pretty,"Target boot image: $@") $(call pretty,"Target boot image: $@")
$(call build_boot_board_avb_enabled,$@) $(call build_boot_board_avb_enabled,$@)
@@ -1141,12 +1130,9 @@ ifdef BOARD_KERNEL_PAGESIZE
endif endif
ifeq ($(BOARD_AVB_ENABLE),true) ifeq ($(BOARD_AVB_ENABLE),true)
$(INSTALLED_INIT_BOOT_IMAGE_TARGET): $(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE)
$(INSTALLED_INIT_BOOT_IMAGE_TARGET): $(AVBTOOL) $(BOARD_AVB_INIT_BOOT_KEY_PATH) $(INSTALLED_INIT_BOOT_IMAGE_TARGET): $(AVBTOOL) $(BOARD_AVB_INIT_BOOT_KEY_PATH)
$(call pretty,"Target init_boot image: $@") $(call pretty,"Target init_boot image: $@")
$(MKBOOTIMG) $(INTERNAL_INIT_BOOT_IMAGE_ARGS) \ $(MKBOOTIMG) $(INTERNAL_INIT_BOOT_IMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_INIT_ARGS) --output "$@"
$(if $(BOARD_GKI_SIGNING_KEY_PATH),--boot_signature "$(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE)",$(INTERNAL_MKBOOTIMG_VERSION_ARGS)) \
$(BOARD_MKBOOTIMG_INIT_ARGS) --output "$@"
$(call assert-max-image-size,$@,$(BOARD_INIT_BOOT_IMAGE_PARTITION_SIZE)) $(call assert-max-image-size,$@,$(BOARD_INIT_BOOT_IMAGE_PARTITION_SIZE))
$(AVBTOOL) add_hash_footer \ $(AVBTOOL) add_hash_footer \
--image $@ \ --image $@ \
@@ -3930,13 +3916,6 @@ BOARD_AVB_PVMFW_ADD_HASH_FOOTER_ARGS += \
--prop com.android.build.pvmfw.security_patch:$(PVMFW_SECURITY_PATCH) --prop com.android.build.pvmfw.security_patch:$(PVMFW_SECURITY_PATCH)
endif endif
# For upgrading devices without a init_boot partition, the init_boot footer args
# should fallback to boot partition footer.
ifndef INSTALLED_INIT_BOOT_IMAGE_TARGET
BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS += \
$(BOARD_AVB_INIT_BOOT_ADD_HASH_FOOTER_ARGS)
endif
BOOT_FOOTER_ARGS := BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS BOOT_FOOTER_ARGS := BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS
INIT_BOOT_FOOTER_ARGS := BOARD_AVB_INIT_BOOT_ADD_HASH_FOOTER_ARGS INIT_BOOT_FOOTER_ARGS := BOARD_AVB_INIT_BOOT_ADD_HASH_FOOTER_ARGS
VENDOR_BOOT_FOOTER_ARGS := BOARD_AVB_VENDOR_BOOT_ADD_HASH_FOOTER_ARGS VENDOR_BOOT_FOOTER_ARGS := BOARD_AVB_VENDOR_BOOT_ADD_HASH_FOOTER_ARGS

49
tools/releasetools/common.py
View File

@@ -1405,7 +1405,7 @@ def _HasGkiCertificationArgs():
"gki_signing_algorithm" in OPTIONS.info_dict) "gki_signing_algorithm" in OPTIONS.info_dict)
def _GenerateGkiCertificate(image, image_name, partition_name): def _GenerateGkiCertificate(image, image_name):
key_path = OPTIONS.info_dict.get("gki_signing_key_path") key_path = OPTIONS.info_dict.get("gki_signing_key_path")
algorithm = OPTIONS.info_dict.get("gki_signing_algorithm") algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
@@ -1434,8 +1434,7 @@ def _GenerateGkiCertificate(image, image_name, partition_name):
if signature_args: if signature_args:
cmd.extend(["--additional_avb_args", signature_args]) cmd.extend(["--additional_avb_args", signature_args])
args = OPTIONS.info_dict.get( args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "")
"avb_" + partition_name + "_add_hash_footer_args", "")
args = args.strip() args = args.strip()
if args: if args:
cmd.extend(["--additional_avb_args", args]) cmd.extend(["--additional_avb_args", args])
@@ -1628,24 +1627,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
if args and args.strip(): if args and args.strip():
cmd.extend(shlex.split(args)) cmd.extend(shlex.split(args))
boot_signature = None
if _HasGkiCertificationArgs():
# Certify GKI images.
boot_signature_bytes = b''
if kernel_path is not None:
boot_signature_bytes += _GenerateGkiCertificate(
kernel_path, "generic_kernel", "boot")
if has_ramdisk:
boot_signature_bytes += _GenerateGkiCertificate(
ramdisk_img.name, "generic_ramdisk", "init_boot")
if len(boot_signature_bytes) > 0:
boot_signature = tempfile.NamedTemporaryFile()
boot_signature.write(boot_signature_bytes)
boot_signature.flush()
cmd.extend(["--boot_signature", boot_signature.name])
else:
# Certified GKI boot/init_boot image mustn't set 'mkbootimg_version_args'.
args = info_dict.get("mkbootimg_version_args") args = info_dict.get("mkbootimg_version_args")
if args and args.strip(): if args and args.strip():
cmd.extend(shlex.split(args)) cmd.extend(shlex.split(args))
@@ -1670,6 +1651,29 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
RunAndCheckOutput(cmd) RunAndCheckOutput(cmd)
if _HasGkiCertificationArgs():
if not os.path.exists(img.name):
raise ValueError("Cannot find GKI boot.img")
if kernel_path is None or not os.path.exists(kernel_path):
raise ValueError("Cannot find GKI kernel.img")
# Certify GKI images.
boot_signature_bytes = b''
boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot")
boot_signature_bytes += _GenerateGkiCertificate(
kernel_path, "generic_kernel")
BOOT_SIGNATURE_SIZE = 16 * 1024
if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE:
raise ValueError(
f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}")
boot_signature_bytes += (
b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes)))
assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE
with open(img.name, 'ab') as f:
f.write(boot_signature_bytes)
if (info_dict.get("boot_signer") == "true" and if (info_dict.get("boot_signer") == "true" and
info_dict.get("verity_key")): info_dict.get("verity_key")):
# Hard-code the path as "/boot" for two-step special recovery image (which # Hard-code the path as "/boot" for two-step special recovery image (which
@@ -1730,9 +1734,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
ramdisk_img.close() ramdisk_img.close()
img.close() img.close()
if boot_signature is not None:
boot_signature.close()
return data return data

4
tools/releasetools/test_common.py
View File

@@ -1642,7 +1642,7 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
} }
test_file = tempfile.NamedTemporaryFile() test_file = tempfile.NamedTemporaryFile()
self.assertRaises(common.ExternalError, common._GenerateGkiCertificate, self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
test_file.name, 'generic_kernel', 'boot') test_file.name, 'generic_kernel')
def test_GenerateGkiCertificate_SearchKeyPathNotFound(self): def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):
pubkey = 'no_testkey_gki.pem' pubkey = 'no_testkey_gki.pem'
@@ -1662,7 +1662,7 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
} }
test_file = tempfile.NamedTemporaryFile() test_file = tempfile.NamedTemporaryFile()
self.assertRaises(common.ExternalError, common._GenerateGkiCertificate, self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
test_file.name, 'generic_kernel', 'boot') test_file.name, 'generic_kernel')
class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase): class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
"""Checks the format of install-recovery.sh. """Checks the format of install-recovery.sh.