StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge changes from topic "gki-avb-vts"

Browse Source 
* changes:
  releasetools: Android T GKI certification scheme
  Android T GKI certification scheme
This commit is contained in:
Yi-yo Chiang
2022-01-17 04:52:28 +00:00
committed by Gerrit Code Review
parent 3cf8f4b061 36054e2daf
commit 8b4e2fd6c0
5 changed files with 142 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
core/Makefile
View File

@@ -901,9 +901,11 @@ INTERNAL_BOOTIMAGE_ARGS := \
INTERNAL_INIT_BOOT_IMAGE_ARGS := INTERNAL_INIT_BOOT_IMAGE_ARGS :=
INTERNAL_BOOT_HAS_RAMDISK :=
ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true)
ifneq ($(BUILDING_INIT_BOOT_IMAGE),true) ifneq ($(BUILDING_INIT_BOOT_IMAGE),true)
INTERNAL_BOOTIMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET) INTERNAL_BOOTIMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET)
INTERNAL_BOOT_HAS_RAMDISK := true
else else
INTERNAL_INIT_BOOT_IMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET) INTERNAL_INIT_BOOT_IMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET)
endif endif
@@ -952,21 +954,48 @@ INTERNAL_MKBOOTIMG_VERSION_ARGS := \
--os_version $(PLATFORM_VERSION_LAST_STABLE) \ --os_version $(PLATFORM_VERSION_LAST_STABLE) \
--os_patch_level $(PLATFORM_SECURITY_PATCH) --os_patch_level $(PLATFORM_SECURITY_PATCH)
ifdef BOARD_GKI_SIGNING_KEY_PATH # $(1): image target to certify
ifndef BOARD_GKI_SIGNING_ALGORITHM # $(2): out certificate target
$(error BOARD_GKI_SIGNING_ALGORITHM should be defined with BOARD_GKI_SIGNING_KEY_PATH) # $(3): image name
endif # $(4): additional AVB arguments
INTERNAL_MKBOOTIMG_GKI_SINGING_ARGS := \ define generate_generic_boot_image_certificate
--gki_signing_key $(BOARD_GKI_SIGNING_KEY_PATH) \ rm -rf "$(2)"
--gki_signing_algorithm $(BOARD_GKI_SIGNING_ALGORITHM) \ mkdir -p "$(dir $(2))"
--gki_signing_avbtool_path $(AVBTOOL) $(GENERATE_GKI_CERTIFICATE) $(INTERNAL_GKI_CERTIFICATE_ARGS) \
endif --additional_avb_args "$(4)" \
--name "$(3)" --output "$(2)" "$(1)"
endef
# Using double quote to pass BOARD_GKI_SIGNING_SIGNATURE_ARGS as a single string INTERNAL_GKI_CERTIFICATE_ARGS :=
# to MKBOOTIMG, although it may contain multiple args. INTERNAL_GKI_CERTIFICATE_DEPS :=
ifdef BOARD_GKI_SIGNING_SIGNATURE_ARGS INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE :=
INTERNAL_MKBOOTIMG_GKI_SINGING_ARGS += \ ifdef BOARD_GKI_SIGNING_KEY_PATH
--gki_signing_signature_args "$(BOARD_GKI_SIGNING_SIGNATURE_ARGS)" ifndef BOARD_GKI_SIGNING_ALGORITHM
$(error BOARD_GKI_SIGNING_ALGORITHM should be defined with BOARD_GKI_SIGNING_KEY_PATH)
endif
INTERNAL_GKI_CERTIFICATE_ARGS := \
--key "$(BOARD_GKI_SIGNING_KEY_PATH)" \
--algorithm "$(BOARD_GKI_SIGNING_ALGORITHM)" \
--avbtool "$(AVBTOOL)"
# Quote and pass BOARD_GKI_SIGNING_SIGNATURE_ARGS as a single string argument.
ifdef BOARD_GKI_SIGNING_SIGNATURE_ARGS
INTERNAL_GKI_CERTIFICATE_ARGS += --additional_avb_args "$(BOARD_GKI_SIGNING_SIGNATURE_ARGS)"
endif
INTERNAL_GKI_CERTIFICATE_DEPS := \
$(GENERATE_GKI_CERTIFICATE) \
$(BOARD_GKI_SIGNING_KEY_PATH) \
$(AVBTOOL)
ifdef INSTALLED_RAMDISK_TARGET
INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE := \
$(call intermediates-dir-for,PACKAGING,generic_ramdisk)/boot_signature
$(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE): $(INSTALLED_RAMDISK_TARGET) $(INTERNAL_GKI_CERTIFICATE_DEPS)
$(call generate_generic_boot_image_certificate,$(INSTALLED_RAMDISK_TARGET),$@,generic_ramdisk,$(BOARD_AVB_INIT_BOOT_ADD_HASH_FOOTER_ARGS))
endif
endif endif
# Define these only if we are building boot # Define these only if we are building boot
@@ -983,8 +1012,15 @@ ifeq (true,$(BOARD_AVB_ENABLE))
# $1: boot image target # $1: boot image target
define build_boot_board_avb_enabled define build_boot_board_avb_enabled
$(MKBOOTIMG) --kernel $(call bootimage-to-kernel,$(1)) $(INTERNAL_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) \ $(eval kernel := $(call bootimage-to-kernel,$(1)))
$(INTERNAL_MKBOOTIMG_GKI_SINGING_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1) $(if $(BOARD_GKI_SIGNING_KEY_PATH), \
$(eval kernel_signature := $(call intermediates-dir-for,PACKAGING,generic_kernel)/$(notdir $(kernel)).boot_signature) \
$(call generate_generic_boot_image_certificate,$(kernel),$(kernel_signature),generic_kernel,$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)) $(newline) \
$(if $(INTERNAL_BOOT_HAS_RAMDISK), \
cat $(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE) >> $(kernel_signature) $(newline)))
$(MKBOOTIMG) --kernel $(kernel) $(INTERNAL_BOOTIMAGE_ARGS) \
$(if $(BOARD_GKI_SIGNING_KEY_PATH),--boot_signature "$(kernel_signature)",$(INTERNAL_MKBOOTIMG_VERSION_ARGS)) \
$(BOARD_MKBOOTIMG_ARGS) --output $(1)
$(call assert-max-image-size,$(1),$(call get-hash-image-max-size,$(call get-bootimage-partition-size,$(1),boot))) $(call assert-max-image-size,$(1),$(call get-hash-image-max-size,$(call get-bootimage-partition-size,$(1),boot)))
$(AVBTOOL) add_hash_footer \ $(AVBTOOL) add_hash_footer \
--image $(1) \ --image $(1) \
@@ -993,12 +1029,15 @@ define build_boot_board_avb_enabled
$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS) $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)
endef endef
$(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(AVBTOOL) $(INTERNAL_BOOTIMAGE_FILES) $(BOARD_AVB_BOOT_KEY_PATH) $(BOARD_GKI_SIGNING_KEY_PATH) ifdef INTERNAL_BOOT_HAS_RAMDISK
$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE)
endif
$(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(AVBTOOL) $(INTERNAL_BOOTIMAGE_FILES) $(BOARD_AVB_BOOT_KEY_PATH) $(INTERNAL_GKI_CERTIFICATE_DEPS)
$(call pretty,"Target boot image: $@") $(call pretty,"Target boot image: $@")
$(call build_boot_board_avb_enabled,$@) $(call build_boot_board_avb_enabled,$@)
.PHONY: bootimage-nodeps .PHONY: bootimage-nodeps
bootimage-nodeps: $(MKBOOTIMG) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH) $(BOARD_GKI_SIGNING_KEY_PATH) bootimage-nodeps: $(MKBOOTIMG) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH) $(INTERNAL_GKI_CERTIFICATE_DEPS)
@echo "make $@: ignoring dependencies" @echo "make $@: ignoring dependencies"
$(foreach b,$(INSTALLED_BOOTIMAGE_TARGET),$(call build_boot_board_avb_enabled,$(b))) $(foreach b,$(INSTALLED_BOOTIMAGE_TARGET),$(call build_boot_board_avb_enabled,$(b)))
@@ -1097,9 +1136,12 @@ ifdef BOARD_KERNEL_PAGESIZE
endif endif
ifeq ($(BOARD_AVB_ENABLE),true) ifeq ($(BOARD_AVB_ENABLE),true)
$(INSTALLED_INIT_BOOT_IMAGE_TARGET): $(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE)
$(INSTALLED_INIT_BOOT_IMAGE_TARGET): $(AVBTOOL) $(BOARD_AVB_INIT_BOOT_KEY_PATH) $(INSTALLED_INIT_BOOT_IMAGE_TARGET): $(AVBTOOL) $(BOARD_AVB_INIT_BOOT_KEY_PATH)
$(call pretty,"Target init_boot image: $@") $(call pretty,"Target init_boot image: $@")
$(MKBOOTIMG) $(INTERNAL_INIT_BOOT_IMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_INIT_ARGS) --output $@ $(MKBOOTIMG) $(INTERNAL_INIT_BOOT_IMAGE_ARGS) \
$(if $(BOARD_GKI_SIGNING_KEY_PATH),--boot_signature "$(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE)",$(INTERNAL_MKBOOTIMG_VERSION_ARGS)) \
$(BOARD_MKBOOTIMG_INIT_ARGS) --output "$@"
$(call assert-max-image-size,$@,$(BOARD_INIT_BOOT_IMAGE_PARTITION_SIZE)) $(call assert-max-image-size,$@,$(BOARD_INIT_BOOT_IMAGE_PARTITION_SIZE))
$(AVBTOOL) add_hash_footer \ $(AVBTOOL) add_hash_footer \
--image $@ \ --image $@ \
@@ -3774,6 +3816,13 @@ BOARD_AVB_PVMFW_ADD_HASH_FOOTER_ARGS += \
--prop com.android.build.pvmfw.security_patch:$(PVMFW_SECURITY_PATCH) --prop com.android.build.pvmfw.security_patch:$(PVMFW_SECURITY_PATCH)
endif endif
# For upgrading devices without a init_boot partition, the init_boot footer args
# should fallback to boot partition footer.
ifndef INSTALLED_INIT_BOOT_IMAGE_TARGET
BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS += \
$(BOARD_AVB_INIT_BOOT_ADD_HASH_FOOTER_ARGS)
endif
BOOT_FOOTER_ARGS := BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS BOOT_FOOTER_ARGS := BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS
INIT_BOOT_FOOTER_ARGS := BOARD_AVB_INIT_BOOT_ADD_HASH_FOOTER_ARGS INIT_BOOT_FOOTER_ARGS := BOARD_AVB_INIT_BOOT_ADD_HASH_FOOTER_ARGS
VENDOR_BOOT_FOOTER_ARGS := BOARD_AVB_VENDOR_BOOT_ADD_HASH_FOOTER_ARGS VENDOR_BOOT_FOOTER_ARGS := BOARD_AVB_VENDOR_BOOT_ADD_HASH_FOOTER_ARGS
@@ -4485,6 +4534,7 @@ INTERNAL_OTATOOLS_MODULES := \
fec \ fec \
fsck.f2fs \ fsck.f2fs \
fs_config \ fs_config \
generate_gki_certificate \
generate_verity_key \ generate_verity_key \
host_init_verifier \ host_init_verifier \
img2simg \ img2simg \

1
core/config.mk
View File

@@ -593,6 +593,7 @@ VTSC := $(HOST_OUT_EXECUTABLES)/vtsc$(HOST_EXECUTABLE_SUFFIX)
MKBOOTFS := $(HOST_OUT_EXECUTABLES)/mkbootfs$(HOST_EXECUTABLE_SUFFIX) MKBOOTFS := $(HOST_OUT_EXECUTABLES)/mkbootfs$(HOST_EXECUTABLE_SUFFIX)
MINIGZIP := $(HOST_OUT_EXECUTABLES)/minigzip$(HOST_EXECUTABLE_SUFFIX) MINIGZIP := $(HOST_OUT_EXECUTABLES)/minigzip$(HOST_EXECUTABLE_SUFFIX)
LZ4 := $(HOST_OUT_EXECUTABLES)/lz4$(HOST_EXECUTABLE_SUFFIX) LZ4 := $(HOST_OUT_EXECUTABLES)/lz4$(HOST_EXECUTABLE_SUFFIX)
GENERATE_GKI_CERTIFICATE := $(HOST_OUT_EXECUTABLES)/generate_gki_certificate$(HOST_EXECUTABLE_SUFFIX)
ifeq (,$(strip $(BOARD_CUSTOM_MKBOOTIMG))) ifeq (,$(strip $(BOARD_CUSTOM_MKBOOTIMG)))
MKBOOTIMG := $(HOST_OUT_EXECUTABLES)/mkbootimg$(HOST_EXECUTABLE_SUFFIX) MKBOOTIMG := $(HOST_OUT_EXECUTABLES)/mkbootimg$(HOST_EXECUTABLE_SUFFIX)
else else

3
tools/releasetools/Android.bp
View File

@@ -162,6 +162,7 @@ python_defaults {
required: [ required: [
"brillo_update_payload", "brillo_update_payload",
"checkvintf", "checkvintf",
"generate_gki_certificate",
"minigzip", "minigzip",
"lz4", "lz4",
"toybox", "toybox",
@@ -236,6 +237,7 @@ python_library_host {
"boot_signer", "boot_signer",
"brotli", "brotli",
"bsdiff", "bsdiff",
"generate_gki_certificate",
"imgdiff", "imgdiff",
"minigzip", "minigzip",
"lz4", "lz4",
@@ -301,6 +303,7 @@ python_defaults {
"brotli", "brotli",
"bsdiff", "bsdiff",
"deapexer", "deapexer",
"generate_gki_certificate",
"imgdiff", "imgdiff",
"minigzip", "minigzip",
"lz4", "lz4",

83
tools/releasetools/common.py
View File

@@ -1396,34 +1396,52 @@ def GetAvbChainedPartitionArg(partition, info_dict, key=None):
return "{}:{}:{}".format(partition, rollback_index_location, pubkey_path) return "{}:{}:{}".format(partition, rollback_index_location, pubkey_path)
def AppendGkiSigningArgs(cmd): def _HasGkiCertificationArgs():
"""Append GKI signing arguments for mkbootimg.""" return ("gki_signing_key_path" in OPTIONS.info_dict and
# e.g., --gki_signing_key path/to/signing_key "gki_signing_algorithm" in OPTIONS.info_dict)
# --gki_signing_algorithm SHA256_RSA4096"
def _GenerateGkiCertificate(image, image_name, partition_name):
key_path = OPTIONS.info_dict.get("gki_signing_key_path") key_path = OPTIONS.info_dict.get("gki_signing_key_path")
# It's fine that a non-GKI boot.img has no gki_signing_key_path. algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
if not key_path:
return
if not os.path.exists(key_path) and OPTIONS.search_path: if not os.path.exists(key_path) and OPTIONS.search_path:
new_key_path = os.path.join(OPTIONS.search_path, key_path) new_key_path = os.path.join(OPTIONS.search_path, key_path)
if os.path.exists(new_key_path): if os.path.exists(new_key_path):
key_path = new_key_path key_path = new_key_path
# Checks key_path exists, before appending --gki_signing_* args. # Checks key_path exists, before processing --gki_signing_* args.
if not os.path.exists(key_path): if not os.path.exists(key_path):
raise ExternalError( raise ExternalError(
'gki_signing_key_path: "{}" not found'.format(key_path)) 'gki_signing_key_path: "{}" not found'.format(key_path))
algorithm = OPTIONS.info_dict.get("gki_signing_algorithm") output_certificate = tempfile.NamedTemporaryFile()
if key_path and algorithm: cmd = [
cmd.extend(["--gki_signing_key", key_path, "generate_gki_certificate",
"--gki_signing_algorithm", algorithm]) "--name", image_name,
"--algorithm", algorithm,
"--key", key_path,
"--output", output_certificate.name,
image,
]
signature_args = OPTIONS.info_dict.get("gki_signing_signature_args") signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "")
if signature_args: signature_args = signature_args.strip()
cmd.extend(["--gki_signing_signature_args", signature_args]) if signature_args:
cmd.extend(["--additional_avb_args", signature_args])
args = OPTIONS.info_dict.get(
"avb_" + partition_name + "_add_hash_footer_args", "")
args = args.strip()
if args:
cmd.extend(["--additional_avb_args", args])
RunAndCheckOutput(cmd)
output_certificate.seek(os.SEEK_SET, 0)
data = output_certificate.read()
output_certificate.close()
return data
def BuildVBMeta(image_path, partitions, name, needed_partitions): def BuildVBMeta(image_path, partitions, name, needed_partitions):
@@ -1549,6 +1567,8 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
if kernel and not os.access(os.path.join(sourcedir, kernel), os.F_OK): if kernel and not os.access(os.path.join(sourcedir, kernel), os.F_OK):
return None return None
kernel_path = os.path.join(sourcedir, kernel) if kernel else None
if has_ramdisk and not os.access(os.path.join(sourcedir, "RAMDISK"), os.F_OK): if has_ramdisk and not os.access(os.path.join(sourcedir, "RAMDISK"), os.F_OK):
return None return None
@@ -1563,8 +1583,8 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
mkbootimg = os.getenv('MKBOOTIMG') or "mkbootimg" mkbootimg = os.getenv('MKBOOTIMG') or "mkbootimg"
cmd = [mkbootimg] cmd = [mkbootimg]
if kernel: if kernel_path is not None:
cmd += ["--kernel", os.path.join(sourcedir, kernel)] cmd.extend(["--kernel", kernel_path])
fn = os.path.join(sourcedir, "second") fn = os.path.join(sourcedir, "second")
if os.access(fn, os.F_OK): if os.access(fn, os.F_OK):
@@ -1604,15 +1624,31 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
if args and args.strip(): if args and args.strip():
cmd.extend(shlex.split(args)) cmd.extend(shlex.split(args))
args = info_dict.get("mkbootimg_version_args") boot_signature = None
if args and args.strip(): if _HasGkiCertificationArgs():
cmd.extend(shlex.split(args)) # Certify GKI images.
boot_signature_bytes = b''
if kernel_path is not None:
boot_signature_bytes += _GenerateGkiCertificate(
kernel_path, "generic_kernel", "boot")
if has_ramdisk:
boot_signature_bytes += _GenerateGkiCertificate(
ramdisk_img.name, "generic_ramdisk", "init_boot")
if len(boot_signature_bytes) > 0:
boot_signature = tempfile.NamedTemporaryFile()
boot_signature.write(boot_signature_bytes)
boot_signature.flush()
cmd.extend(["--boot_signature", boot_signature.name])
else:
# Certified GKI boot/init_boot image mustn't set 'mkbootimg_version_args'.
args = info_dict.get("mkbootimg_version_args")
if args and args.strip():
cmd.extend(shlex.split(args))
if has_ramdisk: if has_ramdisk:
cmd.extend(["--ramdisk", ramdisk_img.name]) cmd.extend(["--ramdisk", ramdisk_img.name])
AppendGkiSigningArgs(cmd)
img_unsigned = None img_unsigned = None
if info_dict.get("vboot"): if info_dict.get("vboot"):
img_unsigned = tempfile.NamedTemporaryFile() img_unsigned = tempfile.NamedTemporaryFile()
@@ -1690,6 +1726,9 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
ramdisk_img.close() ramdisk_img.close()
img.close() img.close()
if boot_signature is not None:
boot_signature.close()
return data return data

105
tools/releasetools/test_common.py
View File

@@ -1631,66 +1631,7 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
self.assertEqual('3', chained_partition_args[1]) self.assertEqual('3', chained_partition_args[1])
self.assertTrue(os.path.exists(chained_partition_args[2])) self.assertTrue(os.path.exists(chained_partition_args[2]))
@test_utils.SkipIfExternalToolsUnavailable() def test_GenerateGkiCertificate_KeyPathNotFound(self):
def test_AppendGkiSigningArgs_NoSigningKeyPath(self):
# A non-GKI boot.img has no gki_signing_key_path.
common.OPTIONS.info_dict = {
# 'gki_signing_key_path': pubkey,
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
# Tests no --gki_signing_* args are appended if there is no
# gki_signing_key_path.
cmd = ['mkbootimg', '--header_version', '4']
expected_cmd = ['mkbootimg', '--header_version', '4']
common.AppendGkiSigningArgs(cmd)
self.assertEqual(cmd, expected_cmd)
def test_AppendGkiSigningArgs_NoSigningAlgorithm(self):
pubkey = os.path.join(self.testdata_dir, 'testkey_gki.pem')
with open(pubkey, 'wb') as f:
f.write(b'\x00' * 100)
self.assertTrue(os.path.exists(pubkey))
# Tests no --gki_signing_* args are appended if there is no
# gki_signing_algorithm.
common.OPTIONS.info_dict = {
'gki_signing_key_path': pubkey,
# 'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
cmd = ['mkbootimg', '--header_version', '4']
expected_cmd = ['mkbootimg', '--header_version', '4']
common.AppendGkiSigningArgs(cmd)
self.assertEqual(cmd, expected_cmd)
@test_utils.SkipIfExternalToolsUnavailable()
def test_AppendGkiSigningArgs(self):
pubkey = os.path.join(self.testdata_dir, 'testkey_gki.pem')
with open(pubkey, 'wb') as f:
f.write(b'\x00' * 100)
self.assertTrue(os.path.exists(pubkey))
common.OPTIONS.info_dict = {
'gki_signing_key_path': pubkey,
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
cmd = ['mkbootimg', '--header_version', '4']
common.AppendGkiSigningArgs(cmd)
expected_cmd = [
'mkbootimg', '--header_version', '4',
'--gki_signing_key', pubkey,
'--gki_signing_algorithm', 'SHA256_RSA4096',
'--gki_signing_signature_args', '--prop foo:bar'
]
self.assertEqual(cmd, expected_cmd)
@test_utils.SkipIfExternalToolsUnavailable()
def test_AppendGkiSigningArgs_KeyPathNotFound(self):
pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem') pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem')
self.assertFalse(os.path.exists(pubkey)) self.assertFalse(os.path.exists(pubkey))
@@ -1699,41 +1640,11 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
'gki_signing_algorithm': 'SHA256_RSA4096', 'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar', 'gki_signing_signature_args': '--prop foo:bar',
} }
cmd = ['mkbootimg', '--header_version', '4'] test_file = tempfile.NamedTemporaryFile()
self.assertRaises(common.ExternalError, common.AppendGkiSigningArgs, cmd) self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
test_file.name, 'generic_kernel', 'boot')
@test_utils.SkipIfExternalToolsUnavailable() def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):
def test_AppendGkiSigningArgs_SearchKeyPath(self):
pubkey = 'testkey_gki.pem'
self.assertFalse(os.path.exists(pubkey))
# Tests it should replace the pubkey with an existed key under
# OPTIONS.search_path, i.e., os.path.join(OPTIONS.search_path, pubkey).
search_path_dir = common.MakeTempDir()
search_pubkey = os.path.join(search_path_dir, pubkey)
with open(search_pubkey, 'wb') as f:
f.write(b'\x00' * 100)
self.assertTrue(os.path.exists(search_pubkey))
common.OPTIONS.search_path = search_path_dir
common.OPTIONS.info_dict = {
'gki_signing_key_path': pubkey,
'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar',
}
cmd = ['mkbootimg', '--header_version', '4']
common.AppendGkiSigningArgs(cmd)
expected_cmd = [
'mkbootimg', '--header_version', '4',
'--gki_signing_key', search_pubkey,
'--gki_signing_algorithm', 'SHA256_RSA4096',
'--gki_signing_signature_args', '--prop foo:bar'
]
self.assertEqual(cmd, expected_cmd)
@test_utils.SkipIfExternalToolsUnavailable()
def test_AppendGkiSigningArgs_SearchKeyPathNotFound(self):
pubkey = 'no_testkey_gki.pem' pubkey = 'no_testkey_gki.pem'
self.assertFalse(os.path.exists(pubkey)) self.assertFalse(os.path.exists(pubkey))
@@ -1749,9 +1660,9 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
'gki_signing_algorithm': 'SHA256_RSA4096', 'gki_signing_algorithm': 'SHA256_RSA4096',
'gki_signing_signature_args': '--prop foo:bar', 'gki_signing_signature_args': '--prop foo:bar',
} }
cmd = ['mkbootimg', '--header_version', '4'] test_file = tempfile.NamedTemporaryFile()
self.assertRaises(common.ExternalError, common.AppendGkiSigningArgs, cmd) self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
test_file.name, 'generic_kernel', 'boot')
class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase): class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
"""Checks the format of install-recovery.sh. """Checks the format of install-recovery.sh.