From 8d212ea8735233211b38f55819841fa97a744eaa Mon Sep 17 00:00:00 2001 From: Sami Tolvanen Date: Thu, 6 Nov 2014 20:38:00 -0800 Subject: [PATCH] DO NOT MERGE: Change verity key formats Change boot, recovery, and verity metadata signing keys to use the same PKCS8 / X.509 PEM format as the other signing keys, and update build scripts to use correct arguments for the updated signing tools. Bug: 15984840 Bug: 18120110 Change-Id: I23ed5a004ecdad6cf7696487935ad5031eb8adf8 (cherry picked from commit 72d90eb1895932343586717daa1865019473b2f5) --- core/Makefile | 8 ++--- target/product/security/verity.pk8 | Bin 0 -> 1219 bytes target/product/security/verity.x509.pem | 24 +++++++++++++++ target/product/security/verity_key | Bin 524 -> 524 bytes .../product/security/verity_private_dev_key | 28 ------------------ target/product/verity.mk | 6 +++- tools/releasetools/common.py | 2 +- 7 files changed, 34 insertions(+), 34 deletions(-) create mode 100644 target/product/security/verity.pk8 create mode 100644 target/product/security/verity.x509.pem delete mode 100644 target/product/security/verity_private_dev_key diff --git a/core/Makefile b/core/Makefile index 7116254fed..8c4af9a892 100644 --- a/core/Makefile +++ b/core/Makefile 
@@ -510,14 +510,14 @@ else ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY)) # TARGE $(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_FILES) $(BOOT_SIGNER) $(call pretty,"Target boot image: $@") $(hide) $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $@ - $(BOOT_SIGNER) /boot $@ $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY) $@ + $(BOOT_SIGNER) /boot $@ $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem $@ $(hide) $(call assert-max-image-size,$@,$(BOARD_BOOTIMAGE_PARTITION_SIZE)) .PHONY: bootimage-nodeps bootimage-nodeps: $(MKBOOTIMG) $(BOOT_SIGNER) @echo "make $@: ignoring dependencies" $(hide) $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(INSTALLED_BOOTIMAGE_TARGET) - $(BOOT_SIGNER) /boot $(INSTALLED_BOOTIMAGE_TARGET) $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY) $(INSTALLED_BOOTIMAGE_TARGET) + $(BOOT_SIGNER) /boot $(INSTALLED_BOOTIMAGE_TARGET) $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem $(INSTALLED_BOOTIMAGE_TARGET) $(hide) $(call assert-max-image-size,$(INSTALLED_BOOTIMAGE_TARGET),$(BOARD_BOOTIMAGE_PARTITION_SIZE)) else # PRODUCT_SUPPORTS_VERITY != true 
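Review bot: The two key files now passed to `$(BOOT_SIGNER)` are not prerequisites of `$(INSTALLED_BOOTIMAGE_TARGET)`, so after a key rotation an incremental build keeps a boot image that was signed with the previous key. Appending `$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem` to the prerequisite list fixes that, and makes a missing key file fail at dependency resolution rather than inside the signer. The recovery rule in the `@@ -869,7 +869,7 @@` hunk probably needs the same, though its prerequisite list continues outside that hunk. The enclosing `ifeq` block begins and ends outside this hunk.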
@@ -725,7 +725,7 @@ $(if $(INTERNAL_USERIMAGES_SPARSE_EXT_FLAG),$(hide) echo "extfs_sparse_flag=$(IN $(if $(mkyaffs2_extra_flags),$(hide) echo "mkyaffs2_extra_flags=$(mkyaffs2_extra_flags)" >> $(1)) $(hide) echo "selinux_fc=$(SELINUX_FC)" >> $(1) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY)" >> $(1)) -$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY)" >> $(1)) +$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8" >> $(1)) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(VERITY_SIGNER)" >> $(1)) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION),$(hide) echo "system_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION)" >> $(1)) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION),$(hide) echo "vendor_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION)" >> $(1)) @@ -869,7 +869,7 @@ $(INSTALLED_RECOVERYIMAGE_TARGET): $(MKBOOTFS) $(MKBOOTIMG) $(MINIGZIP) \ $(hide) $(MKBOOTFS) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk) $(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $@ ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY)) - $(BOOT_SIGNER) /recovery $@ $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY) $@ + $(BOOT_SIGNER) /recovery $@ $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem $@ endif $(hide) $(call assert-max-image-size,$@,$(BOARD_RECOVERYIMAGE_PARTITION_SIZE)) @echo ----- Made recovery image: $@ -------- 
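Review bot: `verity_key=` now records the path with `.pk8` already appended, while the `tools/releasetools/common.py` hunk of this same patch appends `.pk8` and `.x509.pem` to `info_dict["verity_key"]`. If that script reads a dictionary written by this macro (not visible here), the signer would be handed a `.pk8.pk8` path. The entry also gives a consumer no way to find the certificate without stripping the suffix again. Writing the prefix, `echo "verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY)" >> $(1)`, and letting each consumer add the suffix it needs would keep both sides consistent. The macro body starts and ends outside the hunk.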
diff --git a/target/product/security/verity.pk8 b/target/product/security/verity.pk8 new file mode 100644 index 0000000000000000000000000000000000000000..bebf216cb6004b5c6665d044916c8a5a70f4a12b GIT binary patch literal 1219 zcmV;!1U&mNf&{+;0RS)!1_>&LNQUrsW5^Br2+u}0)hbn0O;#@O)pJU zk$QWxJKN`JXXMf3GhwFmf~sQc5HpLXW)JJ2phAh6v*Nf;L&5#EipG7q6%@NiP&1C5 zD~cQ|6A`V+<{KQH7JjIH&CU#y7dlJ!fThd)S6dMGLvI}2yUh2>PnPSuoiq2=?Pl6T zaL&?6?)ogsYESo1ja=sH7nu(=P}@Mw5wjV{O;vLyTI9w$NIFyP2-!D#E6lG@#i0RX z&!nR5RDWv#zEjRN4M*Lg&C;CDa3e;-HwifHrX@fGXP418BSkBj2eQ2ou6i9`juh0o zBU4X}(EAjGp~z`!sh3nbKon($r*4=YPm_BShO<@1mVAVlm$ zD9=yWK|e}|G5TSFSQRFzdH*xY zgIPN*BNBwfol-TXX5#p5)M)dPl7jmJQ2Gv(*Ym!j$FB{5swvIpd-Slm)`GxcHM>N< z=qwC5ks5erFMHPzIEXs4156qVPhcaHx|jz4_eld#x|4N6g;ISU`V^mclfpv-O5-}s zCDaLL1Up}63MrecTJ4u}ku{vxgXcqjtWUEC09s5Q2)zY>lWfc=XuX&M^1V3`QYB$9*s{u3$!abr0$fUJ z-12GL=T3KRPhSrASRWxC4Q0urGV;N^XA z(~i%%tC+CGVzR;ACxiZOzztALDPz}*l?T220d|ALu*L%VKTw`qR9YCy6s^XC;N|^x zul{=N zxMq-2@ZMecjS-do1NIF#cZ?k}jaJ5br_xSWG zb~V#f9(rZtO=Is~*?;GDu(P&EhR3l3vD*_CUl`&1rfw4z)+vb2OAfb9b>HpD2)1|X zHff6lW9d0QbM@FopS{X-j{?^ndXUUrpQG5+qVDrwoszQpxbtr<-zTL5q~cNgVs+&@ z2C)KxfdHOmL!fWm!wfP<2Mlq=g8;nS3Mq#2s_*R^>nR|;8&bwy?9T|Fo6wYa_|xdV zOUsZ*;cW!aem(yO0-@)ToG{KSNO$)g^D87t%DobVP%fxxWmfP hk4vOBJnVsAiAcI)+4Ln>*X%OBo25xJ{%5YX31a)eQE>nO literal 0 HcmV?d00001 diff --git a/target/product/security/verity.x509.pem b/target/product/security/verity.x509.pem new file mode 100644 index 0000000000..86399c3c1d --- /dev/null +++ b/target/product/security/verity.x509.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID/TCCAuWgAwIBAgIJAJcPmDkJqolJMA0GCSqGSIb3DQEBBQUAMIGUMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4g +VmlldzEQMA4GA1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UE +AwwHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe +Fw0xNDExMDYxOTA3NDBaFw00MjAzMjQxOTA3NDBaMIGUMQswCQYDVQQGEwJVUzET +MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEQMA4G +A1UECgwHQW5kcm9pZDEQMA4GA1UECwwHQW5kcm9pZDEQMA4GA1UEAwwHQW5kcm9p +ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAOjreE0vTVSRenuzO9vnaWfk0eQzYab0gqpi +6xAzi6dmD+ugoEKJmbPiuE5Dwf21isZ9uhUUu0dQM46dK4ocKxMRrcnmGxydFn6o +fs3ODJMXOkv2gKXL/FdbEPdDbxzdu8z3yk+W67udM/fW7WbaQ3DO0knu+izKak/3 +T41c5uoXmQ81UNtAzRGzGchNVXMmWuTGOkg6U+0I2Td7K8yvUMWhAWPPpKLtVH9r +AL5TzjYNR92izdKcz3AjRsI3CTjtpiVABGeX0TcjRSuZB7K9EK56HV+OFNS6I1NP +jdD7FIShyGlqqZdUOkAUZYanbpgeT5N7QL6uuqcGpoTOkalu6kkCAwEAAaNQME4w +HQYDVR0OBBYEFH5DM/m7oArf4O3peeKO0ZIEkrQPMB8GA1UdIwQYMBaAFH5DM/m7 +oArf4O3peeKO0ZIEkrQPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB +AHO3NSvDE5jFvMehGGtS8BnFYdFKRIglDMc4niWSzhzOVYRH4WajxdtBWc5fx0ix +NF/+hVKVhP6AIOQa+++sk+HIi7RvioPPbhjcsVlZe7cUEGrLSSveGouQyc+j0+m6 +JF84kszIl5GGNMTnx0XRPO+g8t6h5LWfnVydgZfpGRRg+WHewk1U2HlvTjIceb0N +dcoJ8WKJAFWdcuE7VIm4w+vF/DYX/A2Oyzr2+QRhmYSv1cusgAeC1tvH4ap+J1Lg +UnOu5Kh/FqPLLSwNVQp4Bu7b9QFfqK8Moj84bj88NqRGZgDyqzuTrFxn6FW7dmyA +yttuAJAEAymk1mipd9+zp38= +-----END CERTIFICATE----- 
diff --git a/target/product/security/verity_key b/target/product/security/verity_key index 8db965facbb8cfc22f5418000acb0d118a18499f..31982d95ad57005430b65bb28dbfd39adb231347 100644 GIT binary patch literal 524 zcmV+n0`vVq00007*!mSo>Tao#&V;50r@F4bKzox<9++;YhGi5$I#idbYH7%!gcSSG zjZae}y3`boUmbd`5WTVonJYyjH_?}81VAOG?KlZH!bT%-&z#cDqTNRgHqKMN0Be6# z?V_a5V*#PXP_N7@dpFq#?Nd5PI>zK$CUaFy$QiQ{%|P2wH4m8=>gHUHPxnu1$}IZs zNz%@6L)vET*7q}=yX%%u%J-5hU2_YhlG{L7_)_Deb!lMK$yeyDyHog5qH$*mC+ zD;$a|osKh5N4pdix_!oqwf(_EPPpQ;nTbN6pz9B2r;9TX>td>c^rm4mRQO5Icr(+stoA0|`|}7FmS+A=VX_>8 zY{CI-h?eiWdWapYX_c4Z!3_b~H#5fBwAQHXK>snOd)%677I<*-H^|dT5Y^3neCwAV z5g%<5@KOth19r#9E`RiKU>MT}%f}#VQ~0Nv^RDDd7csx@I@O`AG3{dh1+U@!cT>&$ z`t<&6{lIv z3>7*#JyVz`Cw}yzgzR+mS5>~Zv*(NJVAtv?$+6U)bdQ0Z+=ER#cycyX(HeyfDx_qF z1_SWm8=E_DiG=qVIJ%VmPD=7CY8*yQRlkNJRvB?F4wI&F$Yf2+=|)7?>`+_tVg}&9 z*E#6bL1Z6m)y2?iCk807a+246%|5~;ET_?botL=gcagYDie0T7lZZ1J<P<0Wn zx8uDb>uK1EW6%YK1pV162)M~CFpM67=CzKu(VB&*tPWxNU+JxY%6dzPpPLl>YD_G^ z=?V$THLOdjkSB4@LCPtXxWsPuRWAtwL57lKY`V+%LxPFouOh22H>5xz*jFM$=dUd+ zoykznefa&Gz!~z}>dd#upG{Thv`6xWv@1MR7?S+#`n{Y(uy6G?VzkXFC6RqJ)mJLY zZozX?_APuge*QJ|LC7fEuZM-Pp^2Ndm>nfSF2nLo>Urs{--A+gqFe<}z2F2?ySxW_ O5(Neb`b5V80097p)B`vG diff --git a/target/product/security/verity_private_dev_key b/target/product/security/verity_private_dev_key deleted file mode 100644 index 92528e9eb9..0000000000 --- a/target/product/security/verity_private_dev_key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDQxdVrH2RB1eg5 -17/gBmLzW1Ds10RG6ctNZMhxppMOLnEZViKGv1VNRhxqK/JKTv2UujgZ94SJcDub -G+DwAwaGZKQqDYUa0VU2cng8TYPcnYGPdJ7Usckp6tdg64vns7e+VVf0dOyEovR+ -JyeYUz05OhUMYP9xJIhpA2XnXe5Ekb9iTFSYo9uBpoXDD4IY7aOqUxSbv9wMtyIp -dl+oTm0+kqRRi4KoxGHV0CzDseEUuWG/Kp/7aVF9Sg45NcC6KYvrGysUKA+Bt09O -feDn/HRpT9SfRElJa5DRms33UBUtnom15F4yd4vvFgubB0nkPOUuwfZhTFfgeuY4 -H2bHkjKbAgMBAAECggEAMpFYqkPGQvQO9cO+ZALoAM4Dgfp6PTrv1WUt7+lLAUpa -dqqYXk8F2Fu9EjJm03ziix237QI5Bhk7Nsy/5SK2d+L0qILx1JcTrsZ3PRQBdnRo -J1k2B4qwkQii9oTXNF4hiWaekUWo7E+ULOJLAuhWkf/xjTgJZ1xT9iuuiSYFSnIa -9ABNH0vCaKEkW/4ri6fdtXmO26C/ltJlnozl86x07PIFh4uBas7/40E8ykFP00CS -zdhMh+2DGyCb1Q0eJ1IfGILNatkLNEd2BHgQ7qNBkN9yShZfhvIPblr5gSUlZplX -diV20ZGLAfByKWgZZWKkwl9KzaisL/J/4dr2UlSVEQKBgQDxAYTsgoTkkP0TKzr3 -i3ljT8OuVOj6TwZVBJYe2MIJ3veivS3gWB53FpsKthbib7y8ifIakn15mQkNCK5R -7H7F5lvZCNnB6shY5Dz7nLJxKLALcAg+d12l3gTbFQeFDs0iQQJF7P8hs/GPF7kY -Layb7EF0uzYjyHJCKtFdaZaeZwKBgQDdwvCb7NJVeGTcE97etL+8acu9y4GlqKEF -o0Vkw8TjNKj/KuDkbkAk9hXxU1ZCmDU3y6r8CVHYl0Sqh08plEhkYB/j3sFy81zY -3xu/rLFysBwjeJHHlPjRTYkdKr9pABmm8NIEShvu9u8i+mpOhjbX72HxZL+i4Fou -gz58wEdBrQKBgG8CfyKdn+7UJe3tbLTXRquK8xxauhGJ0uXYPfmpZ/8596C7OOVs -UWQTQoj1hKb6RtolRCIfNbKL3hJl3D2aDG7Fg6r9m6fpqCzhvIE9FShwUF6EVRfI -zZb4JA5xqkwMnEpZ3V0uI/p3Mx3xFG3ho+8SLLhC/1YOHysBI/y+BQWjAoGAYiqQ -PkXYWhOAeleleeqDUdF3al3y1zVNimRbLJ7owjcmdEYz5YrUhEgXMIvWjIY6UKes -2gL6IynbMK3TIjHM1fojQ8jw04TdXfdtnizBJGbHHgCab8IHXwe2oZ2xu7ZapKbI -ITP5J5BSDabSdk49attB/Qy/NEeiRCK+/5RSNsUCgYAg6vX9VqMEkhPHeoFfdLGD -EQPPN6QLrQ4Zif0GKxH96znNSv0rXdNp9t0kyapdgzMuCwIEuOkCSiKgmfjTWnYO -qh5HMUuD2VbfWwI9jVujQMRmqiaFF7VxxA1bP5j1hJlI6cn1Fjlpi+NsNZN4nm3Q -92SEwX2vDgjrU0NAtFFL1Q== ------END PRIVATE KEY----- diff --git a/target/product/verity.mk b/target/product/verity.mk index 4a1ca5e3ce..0361b64144 100644 --- a/target/product/verity.mk +++ b/target/product/verity.mk 
@@ -17,7 +17,11 @@ # Provides dependencies necessary for verified boot PRODUCT_SUPPORTS_VERITY := true -PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity_private_dev_key + +# The dev key is used to sign boot and recovery images, and the verity +# metadata table. Actual product deliverables will be re-signed by hand. +# We expect this file to exist with the suffixes ".x509.pem" and ".pk8". +PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity PRODUCT_PACKAGES += \ verity_key diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py index 96075a9c47..6865a5d62c 100644 --- a/tools/releasetools/common.py +++ b/tools/releasetools/common.py @@ -347,7 +347,7 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None): if info_dict.get("verity_key", None): path = "/" + os.path.basename(sourcedir).lower() - cmd = ["boot_signer", path, img.name, info_dict["verity_key"], img.name] + cmd = ["boot_signer", path, img.name, info_dict["verity_key"] + ".pk8", info_dict["verity_key"] + ".x509.pem", img.name] p = Run(cmd, stdout=subprocess.PIPE) p.communicate() assert p.returncode == 0, "boot_signer of %s image failed" % path
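Review bot: The new comment does not say that the default key pair is public. The private half, `verity.pk8`, is added to the tree by this same patch, so anyone with the source can produce images that verify against the matching `verity_key`. "Re-signed by hand" leaves the protection to a manual step, with no build-time check visible here. I would add a line such as `# The private half of this key is checked in; images signed with it must not ship without being re-signed.`, and state that `PRODUCT_VERITY_SIGNING_KEY` is now a path prefix rather than a file.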
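Review bot: A missing `.pk8` or `.x509.pem` file now surfaces only as `boot_signer of %s image failed`, because the signer's stdout is captured by `stdout=subprocess.PIPE` and then discarded by `p.communicate()`. Since `info_dict["verity_key"]` has become a prefix instead of a file path, a value still in the old form fails here with no hint of the cause. Keeping the output and putting it in the message would help: `out, _ = p.communicate()` followed by `assert p.returncode == 0, "boot_signer of %s image failed: %s" % (path, out)`. BuildBootableImage starts before and may continue after this hunk.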