Support AVB signing for BOARD_PREBUILT_BOOTIMAGE

Devices using GKI architecture will use a prebuilt boot.img. However, we should still sign this prebuilt boot.img with device-specific AVB keys. Steps to test the CL. 1. In a device BoardConfig.mk: # Uses a prebuilt boot.img TARGET_NO_KERNEL := true BOARD_PREBUILT_BOOTIMAGE := device/google/redbull/boot.img # Enable chained vbmeta for the boot image. # The following can be absent, where the hash descriptor of the # 'boot' partition will be stored then signed in vbmeta.img instead. BOARD_AVB_BOOT_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem BOARD_AVB_BOOT_ALGORITHM := SHA256_RSA4096 BOARD_AVB_BOOT_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP) BOARD_AVB_BOOT_ROLLBACK_INDEX_LOCATION := 2 2. `make bootimage`, then `avbtool info_image --image $OUT/boot.img`, checks the image is re-signed with a device-specific key 3. `make dist` to generate out/dist/TF.zip 4. `unzip out/dist/TF.zip IMAGES/boot.img` 5. `avbtool info_image --image out/dist/IMAGES/boot.img`, checks the image is re-signed with a device-specific key 6. `sign_target_files_apks \ --avb_boot_key=external/avb/test/data/testkey_rsa8192.pem \ --avb_boot_algorithm=SHA256_RSA8192 \ --avb_boot_extra_args="--prop test:sign" \ ./out/dist/*-target_files-eng.*.zip signed.zip`, resign the TF.zip 7. `unzip signed.zip IMAGES/boot.img`, then use `avbtool info_image` to check the boot.img is re-signed with the --avb_boot_key in step 6. Bug: 188485657 Test: above steps Change-Id: I7ee8b3ffe6a86aaca34bbb7a8898a97b3f8bd801
2021-05-20 00:14:42 +08:00
parent 3ff3f1088d
commit cf9ead8972
3 changed files with 65 additions and 4 deletions
--- a/core/Makefile
+++ b/core/Makefile
@@ -1036,7 +1036,20 @@ else # TARGET_NO_KERNEL == "true"
 ifdef BOARD_PREBUILT_BOOTIMAGE
 INTERNAL_PREBUILT_BOOTIMAGE := $(BOARD_PREBUILT_BOOTIMAGE)
 INSTALLED_BOOTIMAGE_TARGET := $(PRODUCT_OUT)/boot.img
-$(eval $(call copy-one-file,$(INTERNAL_PREBUILT_BOOTIMAGE),$(INSTALLED_BOOTIMAGE_TARGET)))
+
+ifeq ($(BOARD_AVB_ENABLE),true)
+$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH)
+	cp $(INTERNAL_PREBUILT_BOOTIMAGE) $@
+	$(AVBTOOL) add_hash_footer \
+	    --image $@ \
+	    --partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \
+	    --partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \
+	    $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)
+else
+$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE)
+	cp $(INTERNAL_PREBUILT_BOOTIMAGE) $@
+endif # BOARD_AVB_ENABLE
+
 else # BOARD_PREBUILT_BOOTIMAGE not defined
 INSTALLED_BOOTIMAGE_TARGET :=
 endif # BOARD_PREBUILT_BOOTIMAGE
@@ -5107,12 +5120,17 @@ ifdef BOARD_PREBUILT_SYSTEM_EXTIMAGE
 	$(hide) mkdir -p $(zip_root)/IMAGES
 	$(hide) cp $(INSTALLED_SYSTEM_EXTIMAGE_TARGET) $(zip_root)/IMAGES/
 endif
+ifndef BOARD_PREBUILT_BOOTIMAGE
 ifneq (,$(INTERNAL_PREBUILT_BOOTIMAGE) $(filter true,$(BOARD_COPY_BOOT_IMAGE_TO_TARGET_FILES)))
 ifdef INSTALLED_BOOTIMAGE_TARGET
 	$(hide) mkdir -p $(zip_root)/IMAGES
 	$(hide) cp $(INSTALLED_BOOTIMAGE_TARGET) $(zip_root)/IMAGES/
 endif # INSTALLED_BOOTIMAGE_TARGET
 endif # INTERNAL_PREBUILT_BOOTIMAGE != "" || BOARD_COPY_BOOT_IMAGE_TO_TARGET_FILES == true
+else # BOARD_PREBUILT_BOOTIMAGE is defined
+	$(hide) mkdir -p $(zip_root)/PREBUILT_IMAGES
+	$(hide) cp $(INSTALLED_BOOTIMAGE_TARGET) $(zip_root)/PREBUILT_IMAGES/
+endif # BOARD_PREBUILT_BOOTIMAGE
 ifdef BOARD_PREBUILT_ODMIMAGE
 	$(hide) mkdir -p $(zip_root)/IMAGES
 	$(hide) cp $(INSTALLED_ODMIMAGE_TARGET) $(zip_root)/IMAGES/
--- a/core/board_config.mk
+++ b/core/board_config.mk
@@ -379,6 +379,8 @@ BUILDING_BOOT_IMAGE :=
 ifeq ($(PRODUCT_BUILD_BOOT_IMAGE),)
  ifeq ($(BOARD_USES_RECOVERY_AS_BOOT),true)
    BUILDING_BOOT_IMAGE :=
+  else ifdef BOARD_PREBUILT_BOOTIMAGE
+    BUILDING_BOOT_IMAGE :=
  else ifdef BOARD_BOOTIMAGE_PARTITION_SIZE
    BUILDING_BOOT_IMAGE := true
  else ifneq (,$(foreach kernel,$(BOARD_KERNEL_BINARIES),$(BOARD_$(call to-upper,$(kernel))_BOOTIMAGE_PARTITION_SIZE)))