Merge "Re-land: releasetools: Deprecate GKI build rules" into main am: accdd3f087

Original change: https://android-review.googlesource.com/c/platform/build/+/2926251

Change-Id: Ieca18099a1cdfec26e014ddd2e40e041295c2d36
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Yi-Yo Chiang
2024-01-25 06:17:12 +00:00
committed by Automerger Merge Worker
6 changed files with 6 additions and 197 deletions

View File

@@ -168,7 +168,6 @@ python_defaults {
"apexd_host",
"brillo_update_payload",
"checkvintf",
"generate_gki_certificate",
"lz4",
"toybox",
"unpack_bootimg",
@@ -245,7 +244,6 @@ python_library_host {
"boot_signer",
"brotli",
"bsdiff",
"generate_gki_certificate",
"imgdiff",
"lz4",
"mkbootfs",
@@ -310,7 +308,6 @@ python_defaults {
"brotli",
"bsdiff",
"deapexer",
"generate_gki_certificate",
"imgdiff",
"lz4",
"mkbootfs",

View File

@@ -1565,50 +1565,6 @@ def GetAvbChainedPartitionArg(partition, info_dict, key=None):
pubkey_path=pubkey_path)
def _HasGkiCertificationArgs():
return ("gki_signing_key_path" in OPTIONS.info_dict and
"gki_signing_algorithm" in OPTIONS.info_dict)
def _GenerateGkiCertificate(image, image_name):
key_path = OPTIONS.info_dict.get("gki_signing_key_path")
algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
key_path = ResolveAVBSigningPathArgs(key_path)
# Checks key_path exists, before processing --gki_signing_* args.
if not os.path.exists(key_path):
raise ExternalError(
'gki_signing_key_path: "{}" not found'.format(key_path))
output_certificate = tempfile.NamedTemporaryFile()
cmd = [
"generate_gki_certificate",
"--name", image_name,
"--algorithm", algorithm,
"--key", key_path,
"--output", output_certificate.name,
image,
]
signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "")
signature_args = signature_args.strip()
if signature_args:
cmd.extend(["--additional_avb_args", signature_args])
args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "")
args = args.strip()
if args:
cmd.extend(["--additional_avb_args", args])
RunAndCheckOutput(cmd)
output_certificate.seek(os.SEEK_SET, 0)
data = output_certificate.read()
output_certificate.close()
return data
def BuildVBMeta(image_path, partitions, name, needed_partitions,
resolve_rollback_index_location_conflict=False):
"""Creates a VBMeta image.
@@ -1831,29 +1787,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file,
RunAndCheckOutput(cmd)
if _HasGkiCertificationArgs():
if not os.path.exists(img.name):
raise ValueError("Cannot find GKI boot.img")
if kernel_path is None or not os.path.exists(kernel_path):
raise ValueError("Cannot find GKI kernel.img")
# Certify GKI images.
boot_signature_bytes = b''
boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot")
boot_signature_bytes += _GenerateGkiCertificate(
kernel_path, "generic_kernel")
BOOT_SIGNATURE_SIZE = 16 * 1024
if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE:
raise ValueError(
f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}")
boot_signature_bytes += (
b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes)))
assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE
with open(img.name, 'ab') as f:
f.write(boot_signature_bytes)
# Sign the image if vboot is non-empty.
if info_dict.get("vboot"):
path = "/" + partition_name

View File

@@ -124,14 +124,8 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
--gki_signing_algorithm <algorithm>
--gki_signing_key <key>
Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate
'boot signature' in a v4 boot.img. Otherwise it uses the existing values
in info dict.
--gki_signing_extra_args <args>
Specify any additional args that are needed to generate 'boot signature'
(e.g. --prop foo:bar). The args will be appended to the existing ones
in info dict.
DEPRECATED Does nothing.
--android_jar_path <path>
Path to the android.jar to repack the apex file.
@@ -221,9 +215,6 @@ OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys")
OPTIONS.avb_keys = {}
OPTIONS.avb_algorithms = {}
OPTIONS.avb_extra_args = {}
OPTIONS.gki_signing_key = None
OPTIONS.gki_signing_algorithm = None
OPTIONS.gki_signing_extra_args = None
OPTIONS.android_jar_path = None
OPTIONS.vendor_partitions = set()
OPTIONS.vendor_otatools = None
@@ -595,7 +586,7 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info,
[len(os.path.basename(i.filename)) for i in input_tf_zip.infolist()
if GetApkFileInfo(i.filename, compressed_extension, [])[0]])
except ValueError:
# Sets this to zero for targets without APK files, e.g., gki_arm64.
# Sets this to zero for targets without APK files.
maxsize = 0
for info in input_tf_zip.infolist():
@@ -818,9 +809,6 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info,
if misc_info.get('avb_enable') == 'true':
RewriteAvbProps(misc_info)
# Replace the GKI signing key for boot.img, if any.
ReplaceGkiSigningKey(misc_info)
# Write back misc_info with the latest values.
ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info)
@@ -1102,27 +1090,6 @@ def RewriteAvbProps(misc_info):
misc_info[args_key] = result
def ReplaceGkiSigningKey(misc_info):
"""Replaces the GKI signing key."""
key = OPTIONS.gki_signing_key
if not key:
return
algorithm = OPTIONS.gki_signing_algorithm
if not algorithm:
raise ValueError("Missing --gki_signing_algorithm")
print('Replacing GKI signing key with "%s" (%s)' % (key, algorithm))
misc_info["gki_signing_algorithm"] = algorithm
misc_info["gki_signing_key_path"] = key
extra_args = OPTIONS.gki_signing_extra_args
if extra_args:
print('Setting GKI signing args: "%s"' % (extra_args))
misc_info["gki_signing_signature_args"] = extra_args
def BuildKeyMap(misc_info, key_mapping_options):
for s, d in key_mapping_options:
if s is None: # -d option
@@ -1477,12 +1444,6 @@ def main(argv):
# 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'.
partition, extra_args = a.split("=", 1)
OPTIONS.avb_extra_args[partition] = extra_args
elif o == "--gki_signing_key":
OPTIONS.gki_signing_key = a
elif o == "--gki_signing_algorithm":
OPTIONS.gki_signing_algorithm = a
elif o == "--gki_signing_extra_args":
OPTIONS.gki_signing_extra_args = a
elif o == "--vendor_otatools":
OPTIONS.vendor_otatools = a
elif o == "--vendor_partitions":
@@ -1493,6 +1454,8 @@ def main(argv):
OPTIONS.override_apk_keys = a
elif o == "--override_apex_keys":
OPTIONS.override_apex_keys = a
elif o in ("--gki_signing_key", "--gki_signing_algorithm", "--gki_signing_extra_args"):
print(f"{o} is deprecated and does nothing")
else:
return False
return True

View File

@@ -1605,40 +1605,6 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
self.assertEqual(3, chained_partition_args.rollback_index_location)
self.assertTrue(os.path.exists(chained_partition_args.pubkey_path))
def test_GenerateGkiCertificate_KeyPathNotFound(self):
pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem')
self.assertFalse(os.path.exists(pubkey))
common.OPTIONS.info_dict = {
'gki_signing_key_path': pubkey,
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
common.OPTIONS.search_path = None
test_file = tempfile.NamedTemporaryFile()
self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
test_file.name, 'generic_kernel')
def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):
pubkey = 'no_testkey_gki.pem'
self.assertFalse(os.path.exists(pubkey))
# Tests it should raise ExternalError if no key found under
# OPTIONS.search_path.
search_path_dir = common.MakeTempDir()
search_pubkey = os.path.join(search_path_dir, pubkey)
self.assertFalse(os.path.exists(search_pubkey))
common.OPTIONS.search_path = search_path_dir
common.OPTIONS.info_dict = {
'gki_signing_key_path': pubkey,
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
test_file = tempfile.NamedTemporaryFile()
self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
test_file.name, 'generic_kernel')
class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
"""Checks the format of install-recovery.sh.

View File

@@ -23,8 +23,7 @@ import common
import test_utils
from sign_target_files_apks import (
CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo,
ReplaceCerts, ReplaceGkiSigningKey, RewriteAvbProps, RewriteProps,
WriteOtacerts)
ReplaceCerts, RewriteAvbProps, RewriteProps, WriteOtacerts)
class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase):
@@ -536,52 +535,3 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
def test_ReplaceGkiSigningKey(self):
common.OPTIONS.gki_signing_key = 'release_gki_key'
common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'
common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
misc_info = {
'gki_signing_key_path': 'default_gki_key',
'gki_signing_algorithm': 'default_gki_algorithm',
'gki_signing_signature_args': 'default_gki_signature_args',
}
expected_dict = {
'gki_signing_key_path': 'release_gki_key',
'gki_signing_algorithm': 'release_gki_algorithm',
'gki_signing_signature_args': 'release_gki_signature_extra_args',
}
ReplaceGkiSigningKey(misc_info)
self.assertDictEqual(expected_dict, misc_info)
def test_ReplaceGkiSigningKey_MissingSigningAlgorithm(self):
common.OPTIONS.gki_signing_key = 'release_gki_key'
common.OPTIONS.gki_signing_algorithm = None
common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
misc_info = {
'gki_signing_key_path': 'default_gki_key',
'gki_signing_algorithm': 'default_gki_algorithm',
'gki_signing_signature_args': 'default_gki_signature_args',
}
self.assertRaises(ValueError, ReplaceGkiSigningKey, misc_info)
def test_ReplaceGkiSigningKey_MissingSigningKeyNop(self):
common.OPTIONS.gki_signing_key = None
common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'
common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
# No change to misc_info if common.OPTIONS.gki_signing_key is missing.
misc_info = {
'gki_signing_key_path': 'default_gki_key',
'gki_signing_algorithm': 'default_gki_algorithm',
'gki_signing_signature_args': 'default_gki_signature_args',
}
expected_dict = {
'gki_signing_key_path': 'default_gki_key',
'gki_signing_algorithm': 'default_gki_algorithm',
'gki_signing_signature_args': 'default_gki_signature_args',
}
ReplaceGkiSigningKey(misc_info)
self.assertDictEqual(expected_dict, misc_info)

View File

@@ -132,7 +132,7 @@ def ValidateFileConsistency(input_zip, input_tmp, info_dict):
return
# Verify IMAGES/system.img if applicable.
# Some targets, e.g., gki_arm64, gki_x86_64, etc., are system.img-less.
# Some targets are system.img-less.
if 'IMAGES/system.img' in input_zip.namelist():
CheckAllFiles('system')