Support removing AVB public keys
AVB public keys might be installed into the first-stage ramdisk.
This CL supports removing some AVB keys during the signing process,
which can be useful when a key needs to be revoked.
Also correcting the path of force_debuggable detection.
Bug: 150109393
Test: make dist
Test: ./build/tools/releasetools/sign_target_files_apks \
--remove_avb_public_keys key1.avbpubkey,key2.avbpubkey \
out/dist/*-target_files-*.zip signed-target_files.zip
Change-Id: I1af95adbbec655f40121f3392965dd1950aca4e5
Merged-In: I1af95adbbec655f40121f3392965dd1950aca4e5
(cherry picked from commit 2fe786a528)
This commit is contained in:
Bowgo Tsai
@@ -91,6 +91,14 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
|
||||
Replace the veritykeyid in BOOT/cmdline of input_target_file_zip
|
||||
with keyid of the cert pointed by <path_to_X509_PEM_cert_file>.
|
||||
|
||||
--remove_avb_public_keys <key1>,<key2>,...
|
||||
Remove AVB public keys from the first-stage ramdisk. The key file to
|
||||
remove is located at either of the following dirs:
|
||||
- BOOT/RAMDISK/avb/ or
|
||||
- BOOT/RAMDISK/first_stage_ramdisk/avb/
|
||||
The second dir will be used for lookup if BOARD_USES_RECOVERY_AS_BOOT is
|
||||
set to true.
|
||||
|
||||
--avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system,
|
||||
vbmeta_vendor}_algorithm <algorithm>
|
||||
--avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system,
|
||||
@@ -150,6 +158,7 @@ OPTIONS.replace_ota_keys = False
|
||||
OPTIONS.replace_verity_public_key = False
|
||||
OPTIONS.replace_verity_private_key = False
|
||||
OPTIONS.replace_verity_keyid = False
|
||||
OPTIONS.remove_avb_public_keys = None
|
||||
OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys")
|
||||
OPTIONS.avb_keys = {}
|
||||
OPTIONS.avb_algorithms = {}
|
||||
@@ -585,6 +594,18 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
||||
filename in ("BOOT/RAMDISK/verity_key",
|
||||
"ROOT/verity_key")):
|
||||
pass
|
||||
elif (OPTIONS.remove_avb_public_keys and
|
||||
(filename.startswith("BOOT/RAMDISK/avb/") or
|
||||
filename.startswith("BOOT/RAMDISK/first_stage_ramdisk/avb/"))):
|
||||
matched_removal = False
|
||||
for key_to_remove in OPTIONS.remove_avb_public_keys:
|
||||
if filename.endswith(key_to_remove):
|
||||
matched_removal = True
|
||||
print("Removing AVB public key from ramdisk: %s" % filename)
|
||||
break
|
||||
if not matched_removal:
|
||||
# Copy it verbatim if we don't want to remove it.
|
||||
common.ZipWriteStr(output_tf_zip, out_info, data)
|
||||
|
||||
# Skip verity keyid (for system_root_image use) if we will replace it.
|
||||
elif OPTIONS.replace_verity_keyid and filename == "BOOT/cmdline":
|
||||
@@ -610,8 +631,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
||||
# Should NOT sign boot-debug.img.
|
||||
elif filename in (
|
||||
"BOOT/RAMDISK/force_debuggable",
|
||||
"RECOVERY/RAMDISK/force_debuggable"
|
||||
"RECOVERY/RAMDISK/first_stage_ramdisk/force_debuggable"):
|
||||
"BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"):
|
||||
raise common.ExternalError("debuggable boot.img cannot be signed")
|
||||
|
||||
# A non-APK file; copy it verbatim.
|
||||
@@ -1135,6 +1155,8 @@ def main(argv):
|
||||
OPTIONS.replace_verity_private_key = (True, a)
|
||||
elif o == "--replace_verity_keyid":
|
||||
OPTIONS.replace_verity_keyid = (True, a)
|
||||
elif o == "--remove_avb_public_keys":
|
||||
OPTIONS.remove_avb_public_keys = a.split(",")
|
||||
elif o == "--avb_vbmeta_key":
|
||||
OPTIONS.avb_keys['vbmeta'] = a
|
||||
elif o == "--avb_vbmeta_algorithm":
|
||||
@@ -1203,6 +1225,7 @@ def main(argv):
|
||||
"replace_verity_public_key=",
|
||||
"replace_verity_private_key=",
|
||||
"replace_verity_keyid=",
|
||||
"remove_avb_public_keys=",
|
||||
"avb_apex_extra_args=",
|
||||
"avb_vbmeta_algorithm=",
|
||||
"avb_vbmeta_key=",
|
||||
|
||||
Reference in New Issue
Block a user