diff --git a/tools/releasetools/add_img_to_target_files.py b/tools/releasetools/add_img_to_target_files.py index b396188672..23f4412ed0 100644 --- a/tools/releasetools/add_img_to_target_files.py +++ b/tools/releasetools/add_img_to_target_files.py @@ -76,8 +76,6 @@ OPTIONS = common.OPTIONS OPTIONS.add_missing = False OPTIONS.rebuild_recovery = False OPTIONS.replace_updated_files_list = [] -OPTIONS.replace_verity_public_key = False -OPTIONS.replace_verity_private_key = False OPTIONS.is_signing = False # Use a fixed timestamp (01/01/2009 00:00:00 UTC) for files when packaging @@ -1063,9 +1061,11 @@ def main(argv): elif o in ("-r", "--rebuild_recovery",): OPTIONS.rebuild_recovery = True elif o == "--replace_verity_private_key": - OPTIONS.replace_verity_private_key = (True, a) + raise ValueError("--replace_verity_private_key is no longer supported," + " please switch to AVB") elif o == "--replace_verity_public_key": - OPTIONS.replace_verity_public_key = (True, a) + raise ValueError("--replace_verity_public_key is no longer supported," + " please switch to AVB") elif o == "--is_signing": OPTIONS.is_signing = True else: diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index 979f42bdb9..9b5bcab226 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py @@ -188,9 +188,6 @@ OPTIONS.skip_apks_with_path_prefix = set() OPTIONS.key_map = {} OPTIONS.rebuild_recovery = False OPTIONS.replace_ota_keys = False -OPTIONS.replace_verity_public_key = False -OPTIONS.replace_verity_private_key = False -OPTIONS.replace_verity_keyid = False OPTIONS.remove_avb_public_keys = None OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.avb_keys = {} 
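Review bot: The two rejecting branches in `main`'s option handler repeat the same message literal, and the three matching branches added to `main` in sign_target_files_apks.py repeat it again, so the wording can drift between the two tools. One branch per file would be enough: `elif o in ("--replace_verity_private_key", "--replace_verity_public_key"):` followed by `raise ValueError(o + " is no longer supported, please switch to AVB")`. A one-line comment above it, such as `# Legacy verity key options are rejected rather than silently ignored.`, would record why the options are still recognised. The handler starts and ends outside the hunk, so it is not visible here whether the ValueError reaches the user as a clean error or as a traceback.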
@@ -663,11 +660,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, elif filename == "META/misc_info.txt": pass - # Skip verity public key if we will replace it. - elif (OPTIONS.replace_verity_public_key and - filename in ("BOOT/RAMDISK/verity_key", - "ROOT/verity_key")): - pass elif (OPTIONS.remove_avb_public_keys and (filename.startswith("BOOT/RAMDISK/avb/") or filename.startswith("BOOT/RAMDISK/first_stage_ramdisk/avb/"))): @@ -681,10 +673,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, # Copy it verbatim if we don't want to remove it. common.ZipWriteStr(output_tf_zip, out_info, data) - # Skip verity keyid (for system_root_image use) if we will replace it. - elif OPTIONS.replace_verity_keyid and filename == "BOOT/cmdline": - pass - # Skip the vbmeta digest as we will recalculate it. elif filename == "META/vbmeta_digest.txt": pass @@ -766,27 +754,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, if OPTIONS.replace_ota_keys: ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info) - # Replace the keyid string in misc_info dict. - if OPTIONS.replace_verity_private_key: - ReplaceVerityPrivateKey(misc_info, OPTIONS.replace_verity_private_key[1]) - - if OPTIONS.replace_verity_public_key: - # Replace the one in root dir in system.img. - ReplaceVerityPublicKey( - output_tf_zip, 'ROOT/verity_key', OPTIONS.replace_verity_public_key[1]) - - if not system_root_image: - # Additionally replace the copy in ramdisk if not using system-as-root. - ReplaceVerityPublicKey( - output_tf_zip, - 'BOOT/RAMDISK/verity_key', - OPTIONS.replace_verity_public_key[1]) - - # Replace the keyid string in BOOT/cmdline. - if OPTIONS.replace_verity_keyid: - ReplaceVerityKeyId(input_tf_zip, output_tf_zip, - OPTIONS.replace_verity_keyid[1]) - # Replace the AVB signing keys, if any. ReplaceAvbSigningKeys(misc_info) 
@@ -1003,64 +970,6 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info): WriteOtacerts(output_tf_zip, info.filename, mapped_keys + extra_keys) -def ReplaceVerityPublicKey(output_zip, filename, key_path): - """Replaces the verity public key at the given path in the given zip. - - Args: - output_zip: The output target_files zip. - filename: The archive name in the output zip. - key_path: The path to the public key. - """ - print("Replacing verity public key with %s" % (key_path,)) - common.ZipWrite(output_zip, key_path, arcname=filename) - - -def ReplaceVerityPrivateKey(misc_info, key_path): - """Replaces the verity private key in misc_info dict. - - Args: - misc_info: The info dict. - key_path: The path to the private key in PKCS#8 format. - """ - print("Replacing verity private key with %s" % (key_path,)) - misc_info["verity_key"] = key_path - - -def ReplaceVerityKeyId(input_zip, output_zip, key_path): - """Replaces the veritykeyid parameter in BOOT/cmdline. - - Args: - input_zip: The input target_files zip, which should be already open. - output_zip: The output target_files zip, which should be already open and - writable. - key_path: The path to the PEM encoded X.509 certificate. - """ - in_cmdline = input_zip.read("BOOT/cmdline").decode() - # Copy in_cmdline to output_zip if veritykeyid is not present. - if "veritykeyid" not in in_cmdline: - common.ZipWriteStr(output_zip, "BOOT/cmdline", in_cmdline) - return - - out_buffer = [] - for param in in_cmdline.split(): - if "veritykeyid" not in param: - out_buffer.append(param) - continue - - # Extract keyid using openssl command. 
- p = common.Run(["openssl", "x509", "-in", key_path, "-text"], - stdout=subprocess.PIPE, stderr=subprocess.PIPE) - keyid, stderr = p.communicate() - assert p.returncode == 0, "Failed to dump certificate: {}".format(stderr) - keyid = re.search( - r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower() - print("Replacing verity keyid with {}".format(keyid)) - out_buffer.append("veritykeyid=id:%s" % (keyid,)) - - out_cmdline = ' '.join(out_buffer).strip() + '\n' - common.ZipWriteStr(output_zip, "BOOT/cmdline", out_cmdline) - - def ReplaceMiscInfoTxt(input_zip, output_zip, misc_info): """Replaces META/misc_info.txt. @@ -1425,11 +1334,14 @@ def main(argv): new.append(i[0] + i[1:].strip()) OPTIONS.tag_changes = tuple(new) elif o == "--replace_verity_public_key": - OPTIONS.replace_verity_public_key = (True, a) + raise ValueError("--replace_verity_public_key is no longer supported," + " please switch to AVB") elif o == "--replace_verity_private_key": - OPTIONS.replace_verity_private_key = (True, a) + raise ValueError("--replace_verity_private_key is no longer supported," + " please switch to AVB") elif o == "--replace_verity_keyid": - OPTIONS.replace_verity_keyid = (True, a) + raise ValueError("--replace_verity_keyid is no longer supported, please" + " switch to AVB") elif o == "--remove_avb_public_keys": OPTIONS.remove_avb_public_keys = a.split(",") elif o == "--avb_vbmeta_key": diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py index 0f13add290..0cd7dac184 100644 --- a/tools/releasetools/test_sign_target_files_apks.py +++ b/tools/releasetools/test_sign_target_files_apks.py 
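Review bot: Rejecting the three flags in these branches stops a caller who still passes them, but nothing visible in this diff stops an input target_files that still carries legacy verity material when no flag is passed. With the skip branches and the Replace* calls removed from `ProcessTargetFiles`, entries such as `ROOT/verity_key`, `BOOT/RAMDISK/verity_key` and a `veritykeyid=` parameter in `BOOT/cmdline` presumably fall through to that loop's default branch, which is outside these hunks. If that branch copies entries verbatim, the signed output would keep whatever verity key the input was built with. A guard in that loop would make this case fail as loudly as the flags do, for example `elif filename in ("BOOT/RAMDISK/verity_key", "ROOT/verity_key"):` with `raise ValueError(filename + " found in input; legacy verity is no longer supported, please switch to AVB")`. `main`'s option handler starts and ends outside the hunk.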
@@ -23,8 +23,8 @@ import common import test_utils from sign_target_files_apks import ( CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo, - ReplaceCerts, ReplaceGkiSigningKey, ReplaceVerityKeyId, RewriteAvbProps, - RewriteProps, WriteOtacerts) + ReplaceCerts, ReplaceGkiSigningKey, RewriteAvbProps, RewriteProps, + WriteOtacerts) class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase): 
@@ -154,64 +154,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te '\n'.join([prop[1] for prop in props]) + '\n', RewriteProps('\n'.join([prop[0] for prop in props]))) - def test_ReplaceVerityKeyId(self): - BOOT_CMDLINE1 = ( - "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 " - "androidboot.hardware=marlin user_debug=31 ehci-hcd.park=3 " - "lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff loop.max_part=7 " - "buildvariant=userdebug " - "veritykeyid=id:7e4333f9bba00adfe0ede979e28ed1920492b40f\n") - - BOOT_CMDLINE2 = ( - "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 " - "androidboot.hardware=marlin user_debug=31 ehci-hcd.park=3 " - "lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff loop.max_part=7 " - "buildvariant=userdebug " - "veritykeyid=id:d24f2590e9abab5cff5f59da4c4f0366e3f43e94\n") - - input_file = common.MakeTempFile(suffix='.zip') - with zipfile.ZipFile(input_file, 'w', allowZip64=True) as input_zip: - input_zip.writestr('BOOT/cmdline', BOOT_CMDLINE1) - - # Test with the first certificate. - cert_file = os.path.join(self.testdata_dir, 'verity.x509.pem') - - output_file = common.MakeTempFile(suffix='.zip') - with zipfile.ZipFile(input_file, 'r', allowZip64=True) as input_zip, \ - zipfile.ZipFile(output_file, 'w', allowZip64=True) as output_zip: - ReplaceVerityKeyId(input_zip, output_zip, cert_file) - - with zipfile.ZipFile(output_file) as output_zip: - self.assertEqual(BOOT_CMDLINE1, output_zip.read('BOOT/cmdline').decode()) - - # Test with the second certificate. 
- cert_file = os.path.join(self.testdata_dir, 'testkey.x509.pem') - - with zipfile.ZipFile(input_file, 'r', allowZip64=True) as input_zip, \ - zipfile.ZipFile(output_file, 'w', allowZip64=True) as output_zip: - ReplaceVerityKeyId(input_zip, output_zip, cert_file) - - with zipfile.ZipFile(output_file) as output_zip: - self.assertEqual(BOOT_CMDLINE2, output_zip.read('BOOT/cmdline').decode()) - - def test_ReplaceVerityKeyId_no_veritykeyid(self): - BOOT_CMDLINE = ( - "console=ttyHSL0,115200,n8 androidboot.hardware=bullhead boot_cpus=0-5 " - "lpm_levels.sleep_disabled=1 msm_poweroff.download_mode=0 " - "loop.max_part=7\n") - - input_file = common.MakeTempFile(suffix='.zip') - with zipfile.ZipFile(input_file, 'w', allowZip64=True) as input_zip: - input_zip.writestr('BOOT/cmdline', BOOT_CMDLINE) - - output_file = common.MakeTempFile(suffix='.zip') - with zipfile.ZipFile(input_file, 'r', allowZip64=True) as input_zip, \ - zipfile.ZipFile(output_file, 'w', allowZip64=True) as output_zip: - ReplaceVerityKeyId(input_zip, output_zip, None) - - with zipfile.ZipFile(output_file) as output_zip: - self.assertEqual(BOOT_CMDLINE, output_zip.read('BOOT/cmdline').decode()) - def test_ReplaceCerts(self): cert1_path = os.path.join(self.testdata_dir, 'platform.x509.pem') with open(cert1_path) as cert1_fp: