StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use deterministic salt for boot image avb footer

Browse Source 
avbtool by default generates a random salt everytime, this makes builds
less reproducible. Use sha256 checksum of kernel image as the hex to
make the build reproducible.

Test: th
Bug: 293313353

Change-Id: I959b3dee77654098ab9fde475f11eaee8d40c790
This commit is contained in:
Kelvin Zhang
2023-10-03 12:21:28 -07:00
parent d61f2efdbb
commit de53f7df43
2 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
core/Makefile
View File

@@ -1233,6 +1233,7 @@ define build_boot_from_kernel_avb_enabled
$(AVBTOOL) add_hash_footer \ $(AVBTOOL) add_hash_footer \
--image $(1) \ --image $(1) \
$(call get-partition-size-argument,$(call get-bootimage-partition-size,$(1),boot)) \ $(call get-partition-size-argument,$(call get-bootimage-partition-size,$(1),boot)) \
--salt `sha256sum "$(kernel)" | cut -d " " -f 1` \
--partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \ --partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \
$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS) $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)
endef endef

11
tools/releasetools/common.py
View File

@@ -1410,7 +1410,7 @@ def RunHostInitVerifier(product_out, partition_map):
return RunAndCheckOutput(cmd) return RunAndCheckOutput(cmd)
def AppendAVBSigningArgs(cmd, partition): def AppendAVBSigningArgs(cmd, partition, avb_salt=None):
"""Append signing arguments for avbtool.""" """Append signing arguments for avbtool."""
# e.g., "--key path/to/signing_key --algorithm SHA256_RSA4096" # e.g., "--key path/to/signing_key --algorithm SHA256_RSA4096"
key_path = ResolveAVBSigningPathArgs( key_path = ResolveAVBSigningPathArgs(
@@ -1418,7 +1418,8 @@ def AppendAVBSigningArgs(cmd, partition):
algorithm = OPTIONS.info_dict.get("avb_" + partition + "_algorithm") algorithm = OPTIONS.info_dict.get("avb_" + partition + "_algorithm")
if key_path and algorithm: if key_path and algorithm:
cmd.extend(["--key", key_path, "--algorithm", algorithm]) cmd.extend(["--key", key_path, "--algorithm", algorithm])
avb_salt = OPTIONS.info_dict.get("avb_salt") if avb_salt is None:
avb_salt = OPTIONS.info_dict.get("avb_salt")
# make_vbmeta_image doesn't like "--salt" (and it's not needed). # make_vbmeta_image doesn't like "--salt" (and it's not needed).
if avb_salt and not partition.startswith("vbmeta"): if avb_salt and not partition.startswith("vbmeta"):
cmd.extend(["--salt", avb_salt]) cmd.extend(["--salt", avb_salt])
@@ -1825,7 +1826,11 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file,
cmd = [avbtool, "add_hash_footer", "--image", img.name, cmd = [avbtool, "add_hash_footer", "--image", img.name,
"--partition_size", str(part_size), "--partition_name", "--partition_size", str(part_size), "--partition_name",
partition_name] partition_name]
AppendAVBSigningArgs(cmd, partition_name) salt = None
if kernel_path is not None:
with open(kernel_path, "rb") as fp:
salt = sha256(fp.read()).hexdigest()
AppendAVBSigningArgs(cmd, partition_name, salt)
args = info_dict.get("avb_" + partition_name + "_add_hash_footer_args") args = info_dict.get("avb_" + partition_name + "_add_hash_footer_args")
if args and args.strip(): if args and args.strip():
split_args = ResolveAVBSigningPathArgs(shlex.split(args)) split_args = ResolveAVBSigningPathArgs(shlex.split(args))