Merge "Enable AVB signing on GSI"

This commit is contained in:
Treehugger Robot
2018-09-11 06:21:21 +00:00
committed by Gerrit Code Review
4 changed files with 35 additions and 34 deletions


@@ -2804,14 +2804,6 @@ $(INSTALLED_VBMETAIMAGE_TARGET): \
vbmetaimage-nodeps: vbmetaimage-nodeps:
$(build-vbmetaimage-target) $(build-vbmetaimage-target)
else ifeq (true,$(BOARD_BUILD_DISABLED_VBMETAIMAGE))
BUILT_DISABLED_VBMETAIMAGE := $(PRODUCT_OUT)/vbmeta.img
INSTALLED_VBMETAIMAGE_TARGET := $(BUILT_DISABLED_VBMETAIMAGE)
$(INSTALLED_VBMETAIMAGE_TARGET): $(AVBTOOL)
$(hide) $(AVBTOOL) make_vbmeta_image \
--flag 2 --padding_size 4096 --output $@
endif # BOARD_AVB_ENABLE endif # BOARD_AVB_ENABLE
# ----------------------------------------------------------------- # -----------------------------------------------------------------
@@ -3416,14 +3408,6 @@ ifeq ($(BREAKPAD_GENERATE_SYMBOLS),true)
@# If breakpad symbols have been generated, add them to the zip. @# If breakpad symbols have been generated, add them to the zip.
$(hide) $(ACP) -r $(TARGET_OUT_BREAKPAD) $(zip_root)/BREAKPAD $(hide) $(ACP) -r $(TARGET_OUT_BREAKPAD) $(zip_root)/BREAKPAD
endif endif
# BOARD_BUILD_DISABLED_VBMETAIMAGE is used to build a special vbmeta.img
# that disables AVB verification. The content is fixed and we can just copy
# it to $(zip_root)/IMAGES without passing some info into misc_info.txt for
# regeneration.
ifeq (true,$(BOARD_BUILD_DISABLED_VBMETAIMAGE))
$(hide) mkdir -p $(zip_root)/IMAGES
$(hide) cp $(INSTALLED_VBMETAIMAGE_TARGET) $(zip_root)/IMAGES/
endif
ifdef BOARD_PREBUILT_VENDORIMAGE ifdef BOARD_PREBUILT_VENDORIMAGE
$(hide) mkdir -p $(zip_root)/IMAGES $(hide) mkdir -p $(zip_root)/IMAGES
$(hide) cp $(INSTALLED_VENDORIMAGE_TARGET) $(zip_root)/IMAGES/ $(hide) cp $(INSTALLED_VENDORIMAGE_TARGET) $(zip_root)/IMAGES/


@@ -28,8 +28,9 @@ USE_OPENGL_RENDERER := true
TARGET_COPY_OUT_VENDOR := vendor TARGET_COPY_OUT_VENDOR := vendor
# ~100 MB vendor image. Please adjust system image / vendor image sizes # ~100 MB vendor image. Please adjust system image / vendor image sizes
# when finalizing them. # when finalizing them. The partition size needs to be a multiple of image
BOARD_VENDORIMAGE_PARTITION_SIZE := 100000000 # block size: 4096.
BOARD_VENDORIMAGE_PARTITION_SIZE := 100003840
BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE := ext4 BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE := ext4
BOARD_FLASH_BLOCK_SIZE := 512 BOARD_FLASH_BLOCK_SIZE := 512
DEVICE_MATRIX_FILE := device/generic/goldfish/compatibility_matrix.xml DEVICE_MATRIX_FILE := device/generic/goldfish/compatibility_matrix.xml
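Review bot: The new comment above BOARD_VENDORIMAGE_PARTITION_SIZE says the size "needs to be a multiple of image block size: 4096", but two lines below BOARD_FLASH_BLOCK_SIZE is set to 512, so a reader can easily take the wrong constant as the block size being referred to. Since BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE is ext4 in the same file, the comment should name which block size it means and why 100003840 (= 4096 × 24415) was chosen, e.g. `# when finalizing them. The partition size needs to be a multiple of the ext4` / `# image block size (4096, unrelated to BOARD_FLASH_BLOCK_SIZE below): 4096 * 24415.`. The constraint itself is only documented here; if the build does not already reject a non-aligned value, a parse-time check on the board config would turn a future silent misconfiguration into an error, but I cannot tell from this hunk whether such a check exists elsewhere.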


@@ -14,14 +14,22 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := false
BOARD_SYSTEMIMAGE_PARTITION_RESERVED_SIZE := 67108864 BOARD_SYSTEMIMAGE_PARTITION_RESERVED_SIZE := 67108864
# Android Verified Boot (AVB): # Android Verified Boot (AVB):
# Builds a special vbmeta.img that disables AVB verification. # 1) Sets BOARD_AVB_ENABLE to sign the GSI image.
# Otherwise, AVB will prevent the device from booting the generic system.img. # 2) Sets AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (--flag 2) in
# Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity # vbmeta.img to disable AVB verification.
# metadata into system.img. #
ifeq ($(BOARD_AVB_ENABLE),true) # To disable AVB for GSI, use the vbmeta.img and the GSI together.
$(error BOARD_AVB_ENABLE cannot be set for GSI) # To enable AVB for GSI, include the GSI public key into the device-specific
endif # vbmeta.img.
BOARD_BUILD_DISABLED_VBMETAIMAGE := true BOARD_AVB_ENABLE := true
BOARD_AVB_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2
# Enable chain partition for system.
BOARD_AVB_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048
BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT))) ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
# GSI is always userdebug and needs a couple of properties taking precedence # GSI is always userdebug and needs a couple of properties taking precedence
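Review bot: The new BOARD_AVB_SYSTEM_KEY_PATH line points the system chain partition at external/avb/test/data/testkey_rsa2048.pem, a publicly distributed AVB test key, while the comment a few lines above tells device owners that to "enable AVB for GSI" they should include the GSI public key into their device-specific vbmeta.img; doing that with this key means the device will accept any system image signed with a key everyone has, so the verified-boot chain for system is only nominal. The file should say so next to the key path so nobody copies this into a shipping configuration, e.g. `# NOTE: testkey_rsa2048.pem is a publicly distributed AVB test key; a device that` / `# trusts this key in its vbmeta.img will boot any system image signed with it.` / `# Replace with a product-controlled key before using this setup on shipped devices.`. The same key path and comment are added verbatim in the fourth file section of this commit (the BoardConfig with USE_XML_AUDIO_POLICY_CONF), so the note belongs there too. The `--flag 2` appended to BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS sets VERIFICATION_DISABLED in the GSI's own vbmeta.img as the comment states, which is the intended development behaviour, but a one-line reminder that this vbmeta.img must never be flashed alongside a production key set would make the two modes described in the comment harder to mix up. The file names of these sections are not visible in the rendered page, so I am inferring they are the two GSI BoardConfig files from their content.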


@@ -53,11 +53,19 @@ NUM_FRAMEBUFFER_SURFACE_BUFFERS := 3
USE_XML_AUDIO_POLICY_CONF := 1 USE_XML_AUDIO_POLICY_CONF := 1
# Android Verified Boot (AVB): # Android Verified Boot (AVB):
# Builds a special vbmeta.img that disables AVB verification. # 1) Sets BOARD_AVB_ENABLE to sign the GSI image.
# Otherwise, AVB will prevent the device from booting the generic system.img. # 2) Sets AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (--flag 2) in
# Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity # vbmeta.img to disable AVB verification.
# metadata into system.img. #
ifeq ($(BOARD_AVB_ENABLE),true) # To disable AVB for GSI, use the vbmeta.img and the GSI together.
$(error BOARD_AVB_ENABLE cannot be set for Treble GSI) # To enable AVB for GSI, include the GSI public key into the device-specific
endif # vbmeta.img.
BOARD_BUILD_DISABLED_VBMETAIMAGE := true BOARD_AVB_ENABLE := true
BOARD_AVB_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2
# Enable chain partition for system.
BOARD_AVB_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048
BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1