StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Remove replace verity key args

Browse Source 
We are removing VB support from release tools. This change aims to
remove the args related to replace verity key.

Bug: 242672222
Test: atest under build/make
Change-Id: I446a0b16e482c43542a1c0e41b24e80eb9fbc8e6
This commit is contained in:
hungweichen
2022-08-19 06:33:25 +00:00
parent 49447913f6
commit dd3fca09f6
3 changed files with 12 additions and 158 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
tools/releasetools/add_img_to_target_files.py
View File

@@ -76,8 +76,6 @@ OPTIONS = common.OPTIONS
OPTIONS.add_missing = False OPTIONS.add_missing = False
OPTIONS.rebuild_recovery = False OPTIONS.rebuild_recovery = False
OPTIONS.replace_updated_files_list = [] OPTIONS.replace_updated_files_list = []
OPTIONS.replace_verity_public_key = False
OPTIONS.replace_verity_private_key = False
OPTIONS.is_signing = False OPTIONS.is_signing = False
# Use a fixed timestamp (01/01/2009 00:00:00 UTC) for files when packaging # Use a fixed timestamp (01/01/2009 00:00:00 UTC) for files when packaging
@@ -1063,9 +1061,11 @@ def main(argv):
elif o in ("-r", "--rebuild_recovery",): elif o in ("-r", "--rebuild_recovery",):
OPTIONS.rebuild_recovery = True OPTIONS.rebuild_recovery = True
elif o == "--replace_verity_private_key": elif o == "--replace_verity_private_key":
OPTIONS.replace_verity_private_key = (True, a) raise ValueError("--replace_verity_private_key is no longer supported,"
" please switch to AVB")
elif o == "--replace_verity_public_key": elif o == "--replace_verity_public_key":
OPTIONS.replace_verity_public_key = (True, a) raise ValueError("--replace_verity_public_key is no longer supported,"
" please switch to AVB")
elif o == "--is_signing": elif o == "--is_signing":
OPTIONS.is_signing = True OPTIONS.is_signing = True
else: else:

100
tools/releasetools/sign_target_files_apks.py
View File

@@ -188,9 +188,6 @@ OPTIONS.skip_apks_with_path_prefix = set()
OPTIONS.key_map = {} OPTIONS.key_map = {}
OPTIONS.rebuild_recovery = False OPTIONS.rebuild_recovery = False
OPTIONS.replace_ota_keys = False OPTIONS.replace_ota_keys = False
OPTIONS.replace_verity_public_key = False
OPTIONS.replace_verity_private_key = False
OPTIONS.replace_verity_keyid = False
OPTIONS.remove_avb_public_keys = None OPTIONS.remove_avb_public_keys = None
OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys")
OPTIONS.avb_keys = {} OPTIONS.avb_keys = {}
@@ -663,11 +660,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
elif filename == "META/misc_info.txt": elif filename == "META/misc_info.txt":
pass pass
# Skip verity public key if we will replace it.
elif (OPTIONS.replace_verity_public_key and
filename in ("BOOT/RAMDISK/verity_key",
"ROOT/verity_key")):
pass
elif (OPTIONS.remove_avb_public_keys and elif (OPTIONS.remove_avb_public_keys and
(filename.startswith("BOOT/RAMDISK/avb/") or (filename.startswith("BOOT/RAMDISK/avb/") or
filename.startswith("BOOT/RAMDISK/first_stage_ramdisk/avb/"))): filename.startswith("BOOT/RAMDISK/first_stage_ramdisk/avb/"))):
@@ -681,10 +673,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
# Copy it verbatim if we don't want to remove it. # Copy it verbatim if we don't want to remove it.
common.ZipWriteStr(output_tf_zip, out_info, data) common.ZipWriteStr(output_tf_zip, out_info, data)
# Skip verity keyid (for system_root_image use) if we will replace it.
elif OPTIONS.replace_verity_keyid and filename == "BOOT/cmdline":
pass
# Skip the vbmeta digest as we will recalculate it. # Skip the vbmeta digest as we will recalculate it.
elif filename == "META/vbmeta_digest.txt": elif filename == "META/vbmeta_digest.txt":
pass pass
@@ -766,27 +754,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
if OPTIONS.replace_ota_keys: if OPTIONS.replace_ota_keys:
ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info) ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info)
# Replace the keyid string in misc_info dict.
if OPTIONS.replace_verity_private_key:
ReplaceVerityPrivateKey(misc_info, OPTIONS.replace_verity_private_key[1])
if OPTIONS.replace_verity_public_key:
# Replace the one in root dir in system.img.
ReplaceVerityPublicKey(
output_tf_zip, 'ROOT/verity_key', OPTIONS.replace_verity_public_key[1])
if not system_root_image:
# Additionally replace the copy in ramdisk if not using system-as-root.
ReplaceVerityPublicKey(
output_tf_zip,
'BOOT/RAMDISK/verity_key',
OPTIONS.replace_verity_public_key[1])
# Replace the keyid string in BOOT/cmdline.
if OPTIONS.replace_verity_keyid:
ReplaceVerityKeyId(input_tf_zip, output_tf_zip,
OPTIONS.replace_verity_keyid[1])
# Replace the AVB signing keys, if any. # Replace the AVB signing keys, if any.
ReplaceAvbSigningKeys(misc_info) ReplaceAvbSigningKeys(misc_info)
@@ -1003,64 +970,6 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
WriteOtacerts(output_tf_zip, info.filename, mapped_keys + extra_keys) WriteOtacerts(output_tf_zip, info.filename, mapped_keys + extra_keys)
def ReplaceVerityPublicKey(output_zip, filename, key_path):
"""Replaces the verity public key at the given path in the given zip.
Args:
output_zip: The output target_files zip.
filename: The archive name in the output zip.
key_path: The path to the public key.
"""
print("Replacing verity public key with %s" % (key_path,))
common.ZipWrite(output_zip, key_path, arcname=filename)
def ReplaceVerityPrivateKey(misc_info, key_path):
"""Replaces the verity private key in misc_info dict.
Args:
misc_info: The info dict.
key_path: The path to the private key in PKCS#8 format.
"""
print("Replacing verity private key with %s" % (key_path,))
misc_info["verity_key"] = key_path
def ReplaceVerityKeyId(input_zip, output_zip, key_path):
"""Replaces the veritykeyid parameter in BOOT/cmdline.
Args:
input_zip: The input target_files zip, which should be already open.
output_zip: The output target_files zip, which should be already open and
writable.
key_path: The path to the PEM encoded X.509 certificate.
"""
in_cmdline = input_zip.read("BOOT/cmdline").decode()
# Copy in_cmdline to output_zip if veritykeyid is not present.
if "veritykeyid" not in in_cmdline:
common.ZipWriteStr(output_zip, "BOOT/cmdline", in_cmdline)
return
out_buffer = []
for param in in_cmdline.split():
if "veritykeyid" not in param:
out_buffer.append(param)
continue
# Extract keyid using openssl command.
p = common.Run(["openssl", "x509", "-in", key_path, "-text"],
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
keyid, stderr = p.communicate()
assert p.returncode == 0, "Failed to dump certificate: {}".format(stderr)
keyid = re.search(
r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower()
print("Replacing verity keyid with {}".format(keyid))
out_buffer.append("veritykeyid=id:%s" % (keyid,))
out_cmdline = ' '.join(out_buffer).strip() + '\n'
common.ZipWriteStr(output_zip, "BOOT/cmdline", out_cmdline)
def ReplaceMiscInfoTxt(input_zip, output_zip, misc_info): def ReplaceMiscInfoTxt(input_zip, output_zip, misc_info):
"""Replaces META/misc_info.txt. """Replaces META/misc_info.txt.
@@ -1425,11 +1334,14 @@ def main(argv):
new.append(i[0] + i[1:].strip()) new.append(i[0] + i[1:].strip())
OPTIONS.tag_changes = tuple(new) OPTIONS.tag_changes = tuple(new)
elif o == "--replace_verity_public_key": elif o == "--replace_verity_public_key":
OPTIONS.replace_verity_public_key = (True, a) raise ValueError("--replace_verity_public_key is no longer supported,"
" please switch to AVB")
elif o == "--replace_verity_private_key": elif o == "--replace_verity_private_key":
OPTIONS.replace_verity_private_key = (True, a) raise ValueError("--replace_verity_private_key is no longer supported,"
" please switch to AVB")
elif o == "--replace_verity_keyid": elif o == "--replace_verity_keyid":
OPTIONS.replace_verity_keyid = (True, a) raise ValueError("--replace_verity_keyid is no longer supported, please"
" switch to AVB")
elif o == "--remove_avb_public_keys": elif o == "--remove_avb_public_keys":
OPTIONS.remove_avb_public_keys = a.split(",") OPTIONS.remove_avb_public_keys = a.split(",")
elif o == "--avb_vbmeta_key": elif o == "--avb_vbmeta_key":

62
tools/releasetools/test_sign_target_files_apks.py
View File

@@ -23,8 +23,8 @@ import common
import test_utils import test_utils
from sign_target_files_apks import ( from sign_target_files_apks import (
CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo, CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo,
ReplaceCerts, ReplaceGkiSigningKey, ReplaceVerityKeyId, RewriteAvbProps, ReplaceCerts, ReplaceGkiSigningKey, RewriteAvbProps, RewriteProps,
RewriteProps, WriteOtacerts) WriteOtacerts)
class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase): class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase):
@@ -154,64 +154,6 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'\n'.join([prop[1] for prop in props]) + '\n', '\n'.join([prop[1] for prop in props]) + '\n',
RewriteProps('\n'.join([prop[0] for prop in props]))) RewriteProps('\n'.join([prop[0] for prop in props])))
def test_ReplaceVerityKeyId(self):
BOOT_CMDLINE1 = (
"console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 "
"androidboot.hardware=marlin user_debug=31 ehci-hcd.park=3 "
"lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff loop.max_part=7 "
"buildvariant=userdebug "
"veritykeyid=id:7e4333f9bba00adfe0ede979e28ed1920492b40f\n")
BOOT_CMDLINE2 = (
"console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 "
"androidboot.hardware=marlin user_debug=31 ehci-hcd.park=3 "
"lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff loop.max_part=7 "
"buildvariant=userdebug "
"veritykeyid=id:d24f2590e9abab5cff5f59da4c4f0366e3f43e94\n")
input_file = common.MakeTempFile(suffix='.zip')
with zipfile.ZipFile(input_file, 'w', allowZip64=True) as input_zip:
input_zip.writestr('BOOT/cmdline', BOOT_CMDLINE1)
# Test with the first certificate.
cert_file = os.path.join(self.testdata_dir, 'verity.x509.pem')
output_file = common.MakeTempFile(suffix='.zip')
with zipfile.ZipFile(input_file, 'r', allowZip64=True) as input_zip, \
zipfile.ZipFile(output_file, 'w', allowZip64=True) as output_zip:
ReplaceVerityKeyId(input_zip, output_zip, cert_file)
with zipfile.ZipFile(output_file) as output_zip:
self.assertEqual(BOOT_CMDLINE1, output_zip.read('BOOT/cmdline').decode())
# Test with the second certificate.
cert_file = os.path.join(self.testdata_dir, 'testkey.x509.pem')
with zipfile.ZipFile(input_file, 'r', allowZip64=True) as input_zip, \
zipfile.ZipFile(output_file, 'w', allowZip64=True) as output_zip:
ReplaceVerityKeyId(input_zip, output_zip, cert_file)
with zipfile.ZipFile(output_file) as output_zip:
self.assertEqual(BOOT_CMDLINE2, output_zip.read('BOOT/cmdline').decode())
def test_ReplaceVerityKeyId_no_veritykeyid(self):
BOOT_CMDLINE = (
"console=ttyHSL0,115200,n8 androidboot.hardware=bullhead boot_cpus=0-5 "
"lpm_levels.sleep_disabled=1 msm_poweroff.download_mode=0 "
"loop.max_part=7\n")
input_file = common.MakeTempFile(suffix='.zip')
with zipfile.ZipFile(input_file, 'w', allowZip64=True) as input_zip:
input_zip.writestr('BOOT/cmdline', BOOT_CMDLINE)
output_file = common.MakeTempFile(suffix='.zip')
with zipfile.ZipFile(input_file, 'r', allowZip64=True) as input_zip, \
zipfile.ZipFile(output_file, 'w', allowZip64=True) as output_zip:
ReplaceVerityKeyId(input_zip, output_zip, None)
with zipfile.ZipFile(output_file) as output_zip:
self.assertEqual(BOOT_CMDLINE, output_zip.read('BOOT/cmdline').decode())
def test_ReplaceCerts(self): def test_ReplaceCerts(self):
cert1_path = os.path.join(self.testdata_dir, 'platform.x509.pem') cert1_path = os.path.join(self.testdata_dir, 'platform.x509.pem')
with open(cert1_path) as cert1_fp: with open(cert1_path) as cert1_fp: