From 7bcb55b41493660db2ebc63b802f947d177bc874 Mon Sep 17 00:00:00 2001
From: Bowgo Tsai
Date: Mon, 10 May 2021 12:58:02 +0800
Subject: [PATCH] Fix GKI 2.0 signing in the release process

In the release signing process, it uses --signing_helper_with_files for avbtool. This can be done by passing --gki_signing_signature_args="--signing_helper_with_files=/path/to/helper.sh" for mkbootimg. However, this only works when there is a default value of "gki_signing_signature_args" in the misc_info.txt, to be appended with more extra args. Adding a default value "--prop foo:bar" to make it work. Note: also move the BOARD_GKI_* signing config to BoardConfigGsiCommon.mk, so we don't have to duplicate the settings for each architecture.

Bug: 178559811
Bug: 177862434
Test: `make bootimage` `unpack_bootimg --boot_img $OUT/boot.img --out unpack` `avbtool info_image --image ./unpack/boot_signature`
Change-Id: I8bd8ad3acf324931b47d45fd30bc590206b1927e
---
 target/board/BoardConfigGsiCommon.mk | 8 ++++++++
 target/board/generic_arm64/BoardConfig.mk | 4 ----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/target/board/BoardConfigGsiCommon.mk b/target/board/BoardConfigGsiCommon.mk
index c577870de5..95ba1d0425 100644
--- a/target/board/BoardConfigGsiCommon.mk
+++ b/target/board/BoardConfigGsiCommon.mk
@@ -30,6 +30,14 @@ BOARD_PRODUCTIMAGE_FILE_SYSTEM_TYPE :=
 # the devices with metadata parition
 BOARD_USES_METADATA_PARTITION := true
+# Enable GKI 2.0 signing.
+BOARD_GKI_SIGNING_KEY_PATH := build/make/target/product/gsi/testkey_rsa2048.pem
+BOARD_GKI_SIGNING_ALGORITHM := SHA256_RSA2048
+# The following is needed to allow release signing process appends more extra
+# args, e.g., passing --signing_helper_with_files from mkbootimg to avbtool.
+# See b/178559811 for more details.
+BOARD_GKI_SIGNING_SIGNATURE_ARGS := --prop foo:bar
+
 # Android Verified Boot (AVB):
 # Set the rollback index to zero, to prevent the device bootloader from
 # updating the last seen rollback index in the tamper-evident storage.
diff --git a/target/board/generic_arm64/BoardConfig.mk b/target/board/generic_arm64/BoardConfig.mk
index 12293276af..423faf9c2b 100644
--- a/target/board/generic_arm64/BoardConfig.mk
+++ b/target/board/generic_arm64/BoardConfig.mk
@@ -77,10 +77,6 @@ BOARD_RAMDISK_USE_LZ4 := true
 BOARD_BOOT_HEADER_VERSION := 4
 BOARD_MKBOOTIMG_ARGS += --header_version $(BOARD_BOOT_HEADER_VERSION)
-# Enable GKI 2.0 signing.
-BOARD_GKI_SIGNING_KEY_PATH := build/make/target/product/gsi/testkey_rsa2048.pem
-BOARD_GKI_SIGNING_ALGORITHM := SHA256_RSA2048
-
 BOARD_KERNEL_BINARIES := \
 kernel-4.19-gz \
 kernel-5.4 kernel-5.4-gz kernel-5.4-lz4 \
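Review bot: In the BoardConfigGsiCommon.mk hunk, `BOARD_GKI_SIGNING_KEY_PATH` now points every board that includes this file at the in-tree `testkey_rsa2048.pem`, and nothing on the added lines says this is a test-only default that the release signing step has to replace. Since that key lives in the source tree, a boot signature made with it says nothing about where the image came from; I would put `# Test key for local builds only; release signing must substitute the release key.` above the assignment. The `--prop foo:bar` default is also undocumented as a value: the comment explains why some default must exist, not that `foo:bar` is a meaningless placeholder, and it presumably ends up as a property inside the signed boot_signature. A second comment line such as `# "foo:bar" is a dummy value; only the presence of a default matters.` would keep a later reader from attaching meaning to it or deleting it as leftover debugging.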