StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge changes from topic "gki-avb-vts"

Browse Source 
* changes:
  releasetools: Android T GKI certification scheme
  Android T GKI certification scheme
This commit is contained in:
Yi-yo Chiang
2022-01-17 04:52:28 +00:00
committed by Gerrit Code Review
parent 3cf8f4b061 36054e2daf
commit 8b4e2fd6c0
5 changed files with 142 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
tools/releasetools/Android.bp
View File

@@ -162,6 +162,7 @@ python_defaults {
required: [
"brillo_update_payload",
"checkvintf",
"generate_gki_certificate",
"minigzip",
"lz4",
"toybox",
@@ -236,6 +237,7 @@ python_library_host {
"boot_signer",
"brotli",
"bsdiff",
"generate_gki_certificate",
"imgdiff",
"minigzip",
"lz4",
@@ -301,6 +303,7 @@ python_defaults {
"brotli",
"bsdiff",
"deapexer",
"generate_gki_certificate",
"imgdiff",
"minigzip",
"lz4",

83
tools/releasetools/common.py
View File

@@ -1396,34 +1396,52 @@ def GetAvbChainedPartitionArg(partition, info_dict, key=None):
return "{}:{}:{}".format(partition, rollback_index_location, pubkey_path)
def AppendGkiSigningArgs(cmd):
"""Append GKI signing arguments for mkbootimg."""
# e.g., --gki_signing_key path/to/signing_key
# --gki_signing_algorithm SHA256_RSA4096"
def _HasGkiCertificationArgs():
return ("gki_signing_key_path" in OPTIONS.info_dict and
"gki_signing_algorithm" in OPTIONS.info_dict)
def _GenerateGkiCertificate(image, image_name, partition_name):
key_path = OPTIONS.info_dict.get("gki_signing_key_path")
# It's fine that a non-GKI boot.img has no gki_signing_key_path.
if not key_path:
return
algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
if not os.path.exists(key_path) and OPTIONS.search_path:
new_key_path = os.path.join(OPTIONS.search_path, key_path)
if os.path.exists(new_key_path):
key_path = new_key_path
# Checks key_path exists, before appending --gki_signing_* args.
# Checks key_path exists, before processing --gki_signing_* args.
if not os.path.exists(key_path):
raise ExternalError(
'gki_signing_key_path: "{}" not found'.format(key_path))
algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
if key_path and algorithm:
cmd.extend(["--gki_signing_key", key_path,
"--gki_signing_algorithm", algorithm])
output_certificate = tempfile.NamedTemporaryFile()
cmd = [
"generate_gki_certificate",
"--name", image_name,
"--algorithm", algorithm,
"--key", key_path,
"--output", output_certificate.name,
image,
]
signature_args = OPTIONS.info_dict.get("gki_signing_signature_args")
if signature_args:
cmd.extend(["--gki_signing_signature_args", signature_args])
signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "")
signature_args = signature_args.strip()
if signature_args:
cmd.extend(["--additional_avb_args", signature_args])
args = OPTIONS.info_dict.get(
"avb_" + partition_name + "_add_hash_footer_args", "")
args = args.strip()
if args:
cmd.extend(["--additional_avb_args", args])
RunAndCheckOutput(cmd)
output_certificate.seek(os.SEEK_SET, 0)
data = output_certificate.read()
output_certificate.close()
return data
def BuildVBMeta(image_path, partitions, name, needed_partitions):
@@ -1549,6 +1567,8 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
if kernel and not os.access(os.path.join(sourcedir, kernel), os.F_OK):
return None
kernel_path = os.path.join(sourcedir, kernel) if kernel else None
if has_ramdisk and not os.access(os.path.join(sourcedir, "RAMDISK"), os.F_OK):
return None
@@ -1563,8 +1583,8 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
mkbootimg = os.getenv('MKBOOTIMG') or "mkbootimg"
cmd = [mkbootimg]
if kernel:
cmd += ["--kernel", os.path.join(sourcedir, kernel)]
if kernel_path is not None:
cmd.extend(["--kernel", kernel_path])
fn = os.path.join(sourcedir, "second")
if os.access(fn, os.F_OK):
@@ -1604,15 +1624,31 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
if args and args.strip():
cmd.extend(shlex.split(args))
args = info_dict.get("mkbootimg_version_args")
if args and args.strip():
cmd.extend(shlex.split(args))
boot_signature = None
if _HasGkiCertificationArgs():
# Certify GKI images.
boot_signature_bytes = b''
if kernel_path is not None:
boot_signature_bytes += _GenerateGkiCertificate(
kernel_path, "generic_kernel", "boot")
if has_ramdisk:
boot_signature_bytes += _GenerateGkiCertificate(
ramdisk_img.name, "generic_ramdisk", "init_boot")
if len(boot_signature_bytes) > 0:
boot_signature = tempfile.NamedTemporaryFile()
boot_signature.write(boot_signature_bytes)
boot_signature.flush()
cmd.extend(["--boot_signature", boot_signature.name])
else:
# Certified GKI boot/init_boot image mustn't set 'mkbootimg_version_args'.
args = info_dict.get("mkbootimg_version_args")
if args and args.strip():
cmd.extend(shlex.split(args))
if has_ramdisk:
cmd.extend(["--ramdisk", ramdisk_img.name])
AppendGkiSigningArgs(cmd)
img_unsigned = None
if info_dict.get("vboot"):
img_unsigned = tempfile.NamedTemporaryFile()
@@ -1690,6 +1726,9 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
ramdisk_img.close()
img.close()
if boot_signature is not None:
boot_signature.close()
return data

105
tools/releasetools/test_common.py
View File

@@ -1631,66 +1631,7 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
self.assertEqual('3', chained_partition_args[1])
self.assertTrue(os.path.exists(chained_partition_args[2]))
@test_utils.SkipIfExternalToolsUnavailable()
def test_AppendGkiSigningArgs_NoSigningKeyPath(self):
# A non-GKI boot.img has no gki_signing_key_path.
common.OPTIONS.info_dict = {
# 'gki_signing_key_path': pubkey,
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
# Tests no --gki_signing_* args are appended if there is no
# gki_signing_key_path.
cmd = ['mkbootimg', '--header_version', '4']
expected_cmd = ['mkbootimg', '--header_version', '4']
common.AppendGkiSigningArgs(cmd)
self.assertEqual(cmd, expected_cmd)
def test_AppendGkiSigningArgs_NoSigningAlgorithm(self):
pubkey = os.path.join(self.testdata_dir, 'testkey_gki.pem')
with open(pubkey, 'wb') as f:
f.write(b'\x00' * 100)
self.assertTrue(os.path.exists(pubkey))
# Tests no --gki_signing_* args are appended if there is no
# gki_signing_algorithm.
common.OPTIONS.info_dict = {
'gki_signing_key_path': pubkey,
# 'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
cmd = ['mkbootimg', '--header_version', '4']
expected_cmd = ['mkbootimg', '--header_version', '4']
common.AppendGkiSigningArgs(cmd)
self.assertEqual(cmd, expected_cmd)
@test_utils.SkipIfExternalToolsUnavailable()
def test_AppendGkiSigningArgs(self):
pubkey = os.path.join(self.testdata_dir, 'testkey_gki.pem')
with open(pubkey, 'wb') as f:
f.write(b'\x00' * 100)
self.assertTrue(os.path.exists(pubkey))
common.OPTIONS.info_dict = {
'gki_signing_key_path': pubkey,
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
cmd = ['mkbootimg', '--header_version', '4']
common.AppendGkiSigningArgs(cmd)
expected_cmd = [
'mkbootimg', '--header_version', '4',
'--gki_signing_key', pubkey,
'--gki_signing_algorithm', 'SHA256_RSA4096',
'--gki_signing_signature_args', '--prop foo:bar'
]
self.assertEqual(cmd, expected_cmd)
@test_utils.SkipIfExternalToolsUnavailable()
def test_AppendGkiSigningArgs_KeyPathNotFound(self):
def test_GenerateGkiCertificate_KeyPathNotFound(self):
pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem')
self.assertFalse(os.path.exists(pubkey))
@@ -1699,41 +1640,11 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
cmd = ['mkbootimg', '--header_version', '4']
self.assertRaises(common.ExternalError, common.AppendGkiSigningArgs, cmd)
test_file = tempfile.NamedTemporaryFile()
self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
test_file.name, 'generic_kernel', 'boot')
@test_utils.SkipIfExternalToolsUnavailable()
def test_AppendGkiSigningArgs_SearchKeyPath(self):
pubkey = 'testkey_gki.pem'
self.assertFalse(os.path.exists(pubkey))
# Tests it should replace the pubkey with an existed key under
# OPTIONS.search_path, i.e., os.path.join(OPTIONS.search_path, pubkey).
search_path_dir = common.MakeTempDir()
search_pubkey = os.path.join(search_path_dir, pubkey)
with open(search_pubkey, 'wb') as f:
f.write(b'\x00' * 100)
self.assertTrue(os.path.exists(search_pubkey))
common.OPTIONS.search_path = search_path_dir
common.OPTIONS.info_dict = {
'gki_signing_key_path': pubkey,
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
cmd = ['mkbootimg', '--header_version', '4']
common.AppendGkiSigningArgs(cmd)
expected_cmd = [
'mkbootimg', '--header_version', '4',
'--gki_signing_key', search_pubkey,
'--gki_signing_algorithm', 'SHA256_RSA4096',
'--gki_signing_signature_args', '--prop foo:bar'
]
self.assertEqual(cmd, expected_cmd)
@test_utils.SkipIfExternalToolsUnavailable()
def test_AppendGkiSigningArgs_SearchKeyPathNotFound(self):
def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):
pubkey = 'no_testkey_gki.pem'
self.assertFalse(os.path.exists(pubkey))
@@ -1749,9 +1660,9 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
cmd = ['mkbootimg', '--header_version', '4']
self.assertRaises(common.ExternalError, common.AppendGkiSigningArgs, cmd)
test_file = tempfile.NamedTemporaryFile()
self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
test_file.name, 'generic_kernel', 'boot')
class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
"""Checks the format of install-recovery.sh.