diff --git a/core/Makefile b/core/Makefile index 0d47e633b6..8914869a93 100644 --- a/core/Makefile +++ b/core/Makefile @@ -3699,7 +3699,9 @@ endif # BOARD_PREBUILT_DTBOIMAGE # Protected VM firmware image ifeq ($(BOARD_USES_PVMFWIMAGE),true) INSTALLED_PVMFWIMAGE_TARGET := $(PRODUCT_OUT)/pvmfw.img +INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET := $(PRODUCT_OUT)/pvmfw_embedded.avbpubkey INTERNAL_PREBUILT_PVMFWIMAGE := packages/modules/Virtualization/pvmfw/pvmfw.img +INTERNAL_PVMFW_EMBEDDED_AVBKEY := external/avb/test/data/testkey_rsa4096_pub.bin ifdef BOARD_PREBUILT_PVMFWIMAGE PREBUILT_PVMFWIMAGE_TARGET := $(BOARD_PREBUILT_PVMFWIMAGE) @@ -3719,6 +3721,10 @@ else $(eval $(call copy-one-file,$(PREBUILT_PVMFWIMAGE_TARGET),$(INSTALLED_PVMFWIMAGE_TARGET))) endif +$(INSTALLED_PVMFWIMAGE_TARGET): $(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET) + +$(eval $(call copy-one-file,$(INTERNAL_PVMFW_EMBEDDED_AVBKEY),$(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET))) + endif # BOARD_USES_PVMFWIMAGE # Returns a list of image targets corresponding to the given list of partitions. For example, it @@ -5305,6 +5311,7 @@ $(BUILT_TARGET_FILES_PACKAGE): \ $(INSTALLED_CACHEIMAGE_TARGET) \ $(INSTALLED_DTBOIMAGE_TARGET) \ $(INSTALLED_PVMFWIMAGE_TARGET) \ + $(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET) \ $(INSTALLED_CUSTOMIMAGES_TARGET) \ $(INSTALLED_ANDROID_INFO_TXT_TARGET) \ $(INSTALLED_KERNEL_TARGET) \ @@ -5642,6 +5649,7 @@ endif # BOARD_PREBUILT_DTBOIMAGE ifeq ($(BOARD_USES_PVMFWIMAGE),true) $(hide) mkdir -p $(zip_root)/PREBUILT_IMAGES $(hide) cp $(INSTALLED_PVMFWIMAGE_TARGET) $(zip_root)/PREBUILT_IMAGES/ + $(hide) cp $(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET) $(zip_root)/PREBUILT_IMAGES/ endif ifdef BOARD_PREBUILT_BOOTLOADER $(hide) mkdir -p $(zip_root)/IMAGES diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index e06f4e6e2a..054315f4e4 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py @@ -688,6 +688,39 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, print(" Rewriting AVB public key of system_other in /product") common.ZipWrite(output_tf_zip, public_key, filename) + # Updates pvmfw embedded public key with the virt APEX payload key. + elif filename == "PREBUILT_IMAGES/pvmfw.img": + # Find the name of the virt APEX in the target files. + namelist = input_tf_zip.namelist() + apex_gen = (GetApexFilename(f) for f in namelist if IsApexFile(f)) + virt_apex_re = re.compile("^com\.([^\.]+\.)?android\.virt\.apex$") + virt_apex = next((a for a in apex_gen if virt_apex_re.match(a)), None) + if not virt_apex: + print("Removing %s from ramdisk: virt APEX not found" % filename) + else: + print("Replacing %s embedded key with %s key" % (filename, virt_apex)) + # Get the current and new embedded keys. + payload_key, container_key, sign_tool = apex_keys[virt_apex] + new_pubkey_path = common.ExtractAvbPublicKey( + misc_info['avb_avbtool'], payload_key) + with open(new_pubkey_path, 'rb') as f: + new_pubkey = f.read() + pubkey_info = copy.copy( + input_tf_zip.getinfo("PREBUILT_IMAGES/pvmfw_embedded.avbpubkey")) + old_pubkey = input_tf_zip.read(pubkey_info.filename) + # Validate the keys and image. + if len(old_pubkey) != len(new_pubkey): + raise common.ExternalError("pvmfw embedded public key size mismatch") + pos = data.find(old_pubkey) + if pos == -1: + raise common.ExternalError("pvmfw embedded public key not found") + # Replace the key and copy new files. + new_data = data[:pos] + new_pubkey + data[pos+len(old_pubkey):] + common.ZipWriteStr(output_tf_zip, out_info, new_data) + common.ZipWriteStr(output_tf_zip, pubkey_info, new_pubkey) + elif filename == "PREBUILT_IMAGES/pvmfw_embedded.avbpubkey": + pass + # Should NOT sign boot-debug.img. elif filename in ( "BOOT/RAMDISK/force_debuggable",