From a4d5f4380b96b840c69cef72950aad4df2bc6a16 Mon Sep 17 00:00:00 2001 From: Yi-Yo Chiang Date: Wed, 24 Jan 2024 14:10:17 +0800 Subject: [PATCH] Re-land: releasetools: Deprecate GKI build rules (Re-land of Ie882fccd864920289e48366e99a4ebd67e784d0d) We no longer build GKIs from the platform tree. These build commands were neither used nor maintained anymore, so clean them up to reduce maintenance effort. Keep the command line options as no-op, so existing scripts that still specifies the deprecated options don't break. Bug: 229701033 Test: presubmit Change-Id: I0f7d05562dbc3eed29e902d6dc9a0f2e4083aaa6 --- tools/releasetools/Android.bp | 3 - tools/releasetools/common.py | 67 ------------------- tools/releasetools/sign_target_files_apks.py | 45 ++----------- tools/releasetools/test_common.py | 34 ---------- .../test_sign_target_files_apks.py | 52 +------------- tools/releasetools/validate_target_files.py | 2 +- 6 files changed, 6 insertions(+), 197 deletions(-) diff --git a/tools/releasetools/Android.bp b/tools/releasetools/Android.bp index bd8ce14738..4941c710ff 100644 --- a/tools/releasetools/Android.bp +++ b/tools/releasetools/Android.bp @@ -168,7 +168,6 @@ python_defaults { "apexd_host", "brillo_update_payload", "checkvintf", - "generate_gki_certificate", "lz4", "toybox", "unpack_bootimg", @@ -245,7 +244,6 @@ python_library_host { "boot_signer", "brotli", "bsdiff", - "generate_gki_certificate", "imgdiff", "lz4", "mkbootfs", @@ -310,7 +308,6 @@ python_defaults { "brotli", "bsdiff", "deapexer", - "generate_gki_certificate", "imgdiff", "lz4", "mkbootfs", diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py index 7451ccc1b2..199037728d 100644 --- a/tools/releasetools/common.py +++ b/tools/releasetools/common.py @@ -1565,50 +1565,6 @@ def GetAvbChainedPartitionArg(partition, info_dict, key=None): pubkey_path=pubkey_path) -def _HasGkiCertificationArgs(): - return ("gki_signing_key_path" in OPTIONS.info_dict and - "gki_signing_algorithm" in OPTIONS.info_dict) - - -def _GenerateGkiCertificate(image, image_name): - key_path = OPTIONS.info_dict.get("gki_signing_key_path") - algorithm = OPTIONS.info_dict.get("gki_signing_algorithm") - - key_path = ResolveAVBSigningPathArgs(key_path) - - # Checks key_path exists, before processing --gki_signing_* args. - if not os.path.exists(key_path): - raise ExternalError( - 'gki_signing_key_path: "{}" not found'.format(key_path)) - - output_certificate = tempfile.NamedTemporaryFile() - cmd = [ - "generate_gki_certificate", - "--name", image_name, - "--algorithm", algorithm, - "--key", key_path, - "--output", output_certificate.name, - image, - ] - - signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "") - signature_args = signature_args.strip() - if signature_args: - cmd.extend(["--additional_avb_args", signature_args]) - - args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "") - args = args.strip() - if args: - cmd.extend(["--additional_avb_args", args]) - - RunAndCheckOutput(cmd) - - output_certificate.seek(os.SEEK_SET, 0) - data = output_certificate.read() - output_certificate.close() - return data - - def BuildVBMeta(image_path, partitions, name, needed_partitions, resolve_rollback_index_location_conflict=False): """Creates a VBMeta image. @@ -1831,29 +1787,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, RunAndCheckOutput(cmd) - if _HasGkiCertificationArgs(): - if not os.path.exists(img.name): - raise ValueError("Cannot find GKI boot.img") - if kernel_path is None or not os.path.exists(kernel_path): - raise ValueError("Cannot find GKI kernel.img") - - # Certify GKI images. - boot_signature_bytes = b'' - boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot") - boot_signature_bytes += _GenerateGkiCertificate( - kernel_path, "generic_kernel") - - BOOT_SIGNATURE_SIZE = 16 * 1024 - if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE: - raise ValueError( - f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}") - boot_signature_bytes += ( - b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes))) - assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE - - with open(img.name, 'ab') as f: - f.write(boot_signature_bytes) - # Sign the image if vboot is non-empty. if info_dict.get("vboot"): path = "/" + partition_name diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index 7b497c1f93..bf69decec4 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py @@ -124,14 +124,8 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files --gki_signing_algorithm --gki_signing_key - Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate - 'boot signature' in a v4 boot.img. Otherwise it uses the existing values - in info dict. - --gki_signing_extra_args - Specify any additional args that are needed to generate 'boot signature' - (e.g. --prop foo:bar). The args will be appended to the existing ones - in info dict. + DEPRECATED Does nothing. --android_jar_path Path to the android.jar to repack the apex file. @@ -221,9 +215,6 @@ OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.avb_keys = {} OPTIONS.avb_algorithms = {} OPTIONS.avb_extra_args = {} -OPTIONS.gki_signing_key = None -OPTIONS.gki_signing_algorithm = None -OPTIONS.gki_signing_extra_args = None OPTIONS.android_jar_path = None OPTIONS.vendor_partitions = set() OPTIONS.vendor_otatools = None @@ -595,7 +586,7 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info, [len(os.path.basename(i.filename)) for i in input_tf_zip.infolist() if GetApkFileInfo(i.filename, compressed_extension, [])[0]]) except ValueError: - # Sets this to zero for targets without APK files, e.g., gki_arm64. + # Sets this to zero for targets without APK files. maxsize = 0 for info in input_tf_zip.infolist(): @@ -818,9 +809,6 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info, if misc_info.get('avb_enable') == 'true': RewriteAvbProps(misc_info) - # Replace the GKI signing key for boot.img, if any. - ReplaceGkiSigningKey(misc_info) - # Write back misc_info with the latest values. ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info) @@ -1102,27 +1090,6 @@ def RewriteAvbProps(misc_info): misc_info[args_key] = result -def ReplaceGkiSigningKey(misc_info): - """Replaces the GKI signing key.""" - - key = OPTIONS.gki_signing_key - if not key: - return - - algorithm = OPTIONS.gki_signing_algorithm - if not algorithm: - raise ValueError("Missing --gki_signing_algorithm") - - print('Replacing GKI signing key with "%s" (%s)' % (key, algorithm)) - misc_info["gki_signing_algorithm"] = algorithm - misc_info["gki_signing_key_path"] = key - - extra_args = OPTIONS.gki_signing_extra_args - if extra_args: - print('Setting GKI signing args: "%s"' % (extra_args)) - misc_info["gki_signing_signature_args"] = extra_args - - def BuildKeyMap(misc_info, key_mapping_options): for s, d in key_mapping_options: if s is None: # -d option @@ -1477,12 +1444,6 @@ def main(argv): # 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'. partition, extra_args = a.split("=", 1) OPTIONS.avb_extra_args[partition] = extra_args - elif o == "--gki_signing_key": - OPTIONS.gki_signing_key = a - elif o == "--gki_signing_algorithm": - OPTIONS.gki_signing_algorithm = a - elif o == "--gki_signing_extra_args": - OPTIONS.gki_signing_extra_args = a elif o == "--vendor_otatools": OPTIONS.vendor_otatools = a elif o == "--vendor_partitions": @@ -1493,6 +1454,8 @@ def main(argv): OPTIONS.override_apk_keys = a elif o == "--override_apex_keys": OPTIONS.override_apex_keys = a + elif o in ("--gki_signing_key", "--gki_signing_algorithm", "--gki_signing_extra_args"): + print(f"{o} is deprecated and does nothing") else: return False return True diff --git a/tools/releasetools/test_common.py b/tools/releasetools/test_common.py index 9b2e66791d..2989338fe8 100644 --- a/tools/releasetools/test_common.py +++ b/tools/releasetools/test_common.py @@ -1605,40 +1605,6 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase): self.assertEqual(3, chained_partition_args.rollback_index_location) self.assertTrue(os.path.exists(chained_partition_args.pubkey_path)) - def test_GenerateGkiCertificate_KeyPathNotFound(self): - pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem') - self.assertFalse(os.path.exists(pubkey)) - - common.OPTIONS.info_dict = { - 'gki_signing_key_path': pubkey, - 'gki_signing_algorithm': 'SHA256_RSA4096', - 'gki_signing_signature_args': '--prop foo:bar', - } - common.OPTIONS.search_path = None - test_file = tempfile.NamedTemporaryFile() - self.assertRaises(common.ExternalError, common._GenerateGkiCertificate, - test_file.name, 'generic_kernel') - - def test_GenerateGkiCertificate_SearchKeyPathNotFound(self): - pubkey = 'no_testkey_gki.pem' - self.assertFalse(os.path.exists(pubkey)) - - # Tests it should raise ExternalError if no key found under - # OPTIONS.search_path. - search_path_dir = common.MakeTempDir() - search_pubkey = os.path.join(search_path_dir, pubkey) - self.assertFalse(os.path.exists(search_pubkey)) - - common.OPTIONS.search_path = search_path_dir - common.OPTIONS.info_dict = { - 'gki_signing_key_path': pubkey, - 'gki_signing_algorithm': 'SHA256_RSA4096', - 'gki_signing_signature_args': '--prop foo:bar', - } - test_file = tempfile.NamedTemporaryFile() - self.assertRaises(common.ExternalError, common._GenerateGkiCertificate, - test_file.name, 'generic_kernel') - class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase): """Checks the format of install-recovery.sh. diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py index 0cd7dac184..9cc6df428c 100644 --- a/tools/releasetools/test_sign_target_files_apks.py +++ b/tools/releasetools/test_sign_target_files_apks.py @@ -23,8 +23,7 @@ import common import test_utils from sign_target_files_apks import ( CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo, - ReplaceCerts, ReplaceGkiSigningKey, RewriteAvbProps, RewriteProps, - WriteOtacerts) + ReplaceCerts, RewriteAvbProps, RewriteProps, WriteOtacerts) class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase): @@ -536,52 +535,3 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem', 'build/make/target/product/security/testkey', None), }, keys_info) - - def test_ReplaceGkiSigningKey(self): - common.OPTIONS.gki_signing_key = 'release_gki_key' - common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm' - common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args' - - misc_info = { - 'gki_signing_key_path': 'default_gki_key', - 'gki_signing_algorithm': 'default_gki_algorithm', - 'gki_signing_signature_args': 'default_gki_signature_args', - } - expected_dict = { - 'gki_signing_key_path': 'release_gki_key', - 'gki_signing_algorithm': 'release_gki_algorithm', - 'gki_signing_signature_args': 'release_gki_signature_extra_args', - } - ReplaceGkiSigningKey(misc_info) - self.assertDictEqual(expected_dict, misc_info) - - def test_ReplaceGkiSigningKey_MissingSigningAlgorithm(self): - common.OPTIONS.gki_signing_key = 'release_gki_key' - common.OPTIONS.gki_signing_algorithm = None - common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args' - - misc_info = { - 'gki_signing_key_path': 'default_gki_key', - 'gki_signing_algorithm': 'default_gki_algorithm', - 'gki_signing_signature_args': 'default_gki_signature_args', - } - self.assertRaises(ValueError, ReplaceGkiSigningKey, misc_info) - - def test_ReplaceGkiSigningKey_MissingSigningKeyNop(self): - common.OPTIONS.gki_signing_key = None - common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm' - common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args' - - # No change to misc_info if common.OPTIONS.gki_signing_key is missing. - misc_info = { - 'gki_signing_key_path': 'default_gki_key', - 'gki_signing_algorithm': 'default_gki_algorithm', - 'gki_signing_signature_args': 'default_gki_signature_args', - } - expected_dict = { - 'gki_signing_key_path': 'default_gki_key', - 'gki_signing_algorithm': 'default_gki_algorithm', - 'gki_signing_signature_args': 'default_gki_signature_args', - } - ReplaceGkiSigningKey(misc_info) - self.assertDictEqual(expected_dict, misc_info) diff --git a/tools/releasetools/validate_target_files.py b/tools/releasetools/validate_target_files.py index 8da4fa2e8a..88fd8929e5 100755 --- a/tools/releasetools/validate_target_files.py +++ b/tools/releasetools/validate_target_files.py @@ -132,7 +132,7 @@ def ValidateFileConsistency(input_zip, input_tmp, info_dict): return # Verify IMAGES/system.img if applicable. - # Some targets, e.g., gki_arm64, gki_x86_64, etc., are system.img-less. + # Some targets are system.img-less. if 'IMAGES/system.img' in input_zip.namelist(): CheckAllFiles('system')