StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Also install verity_key to ramdisk for non-system-as-root target.

Browse Source 
The commit in d14b895665
(https://android-review.googlesource.com/c/platform/build/+/728287)
changed partition layout, to always build the root dir into system.img,
even for devices not using system-as-root (i.e. the ones with separate
boot ramdisk).

With the new layout, there will be two root dirs for non-system-as-root
targets during the boot. If such a device uses Verified Boot 1.0,
/verity_key needs to be available in both roots, to establish the chain
of trust.
 - bootloader uses the baked-in key to verify boot.img; it then loads
   the ramdisk from the verified boot.img
 - First stage init uses /verity_key (in ramdisk) to verify and mount
   system.img at /system, then chroot's to it
 - Second stage init uses /verity_key (in system.img) to verify and
   mount other partitions

This CL adds rules to additionally install verity_key into ramdisk for
such targets.

Bug: 139770257
Test: Set up a target to use non-system-as-root
      (BOARD_BUILD_SYSTEM_ROOT_IMAGE != true). `m dist`.
Test: Check that both ROOT/verity_key and BOOT/RAMDISK/verity_key exist
      in the built target_files.zip.
Test: Run validate_target_files to validate the above target_files.zip.
      $ validate_target_files \
          --verity_key_mincrypt /path/to/verity_key \
          target_files.zip
Test: Run sign_target_files_apks to sign the above target. Re-run
      validate_target_files on the signed target_files.zip.
Test: python -m unittest test_validate_target_files
Change-Id: Ibe7e771c8c376429add85851ac86055564765d3c
This commit is contained in:
Tao Bao
2019-09-16 12:10:43 -07:00
parent 0b67e41f3f
commit c99819311c
4 changed files with 113 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
tools/releasetools/sign_target_files_apks.py
View File

@@ -602,11 +602,16 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
ReplaceVerityPrivateKey(misc_info, OPTIONS.replace_verity_private_key[1])
if OPTIONS.replace_verity_public_key:
dest = "ROOT/verity_key" if system_root_image else "BOOT/RAMDISK/verity_key"
# We are replacing the one in boot image only, since the one under
# recovery won't ever be needed.
# Replace the one in root dir in system.img.
ReplaceVerityPublicKey(
output_tf_zip, dest, OPTIONS.replace_verity_public_key[1])
output_tf_zip, 'ROOT/verity_key', OPTIONS.replace_verity_public_key[1])
if not system_root_image:
# Additionally replace the copy in ramdisk if not using system-as-root.
ReplaceVerityPublicKey(
output_tf_zip,
'BOOT/RAMDISK/verity_key',
OPTIONS.replace_verity_public_key[1])
# Replace the keyid string in BOOT/cmdline.
if OPTIONS.replace_verity_keyid: