Moving system_other key into product.img

Currently the system_other AVB public key is placed in system.img.
However, this makes it harder to have a *generic* system.img
across different product configs. Move the key to the /product
partition to allow more product-specific AVB keys.

Device board config can add /product/etc/fstab.postinstall,
to mount system_other with this key in /product. It can specify
different mount options, file systems, verity settings, etc., in
this product-specific fstab as well.

Bug: 123611926
Test: `make productimage` checks the following is generated.
      $OUT/product/etc/security/avb/system_other.avbpubkey
      Also checks it's included in $OUT/installed-files-product.{json, txt}

Test: run the following command and checks that
      PRODUCT/etc/security/avb/system_other.avbpubkey is updated:
      ./build/tools/releasetools/sign_target_files_apks \
        --avb_system_other_algorithm SHA256_RSA2048 \
        --avb_system_other_key external/avb/test/data/testkey_rsa2048.pem \
        out/dist/*-target_files-*.zip signed-target_files.zip

Change-Id: I6804f29941bec54375d80bd68a5aedb5c23b842e
Bowgo Tsai
2019-02-27 10:15:51 +08:00
parent 995c632cdc
commit e4544b1c02
4 changed files with 41 additions and 31 deletions


@@ -740,28 +740,6 @@ def SaveGlobalDict(filename, glob_dict):
f.writelines(["%s=%s" % (key, value) for (key, value) in glob_dict.items()])
def ExtractSystemOtherAvbKey(in_dir, glob_dict):
if glob_dict.get("avb_system_extract_system_other_key") != "true":
return
extract_to = os.path.join(in_dir, "etc/security/avb/system_other.avbpubkey")
extract_to_dir = os.path.dirname(extract_to)
if os.path.isdir(extract_to_dir):
shutil.rmtree(extract_to_dir)
elif os.path.isfile(extract_to_dir):
os.remove(extract_to_dir)
os.mkdir(extract_to_dir);
# Extracts the public key used to sign system_other.img, into system.img:
# /system/etc/security/avb/system_other.avbpubkey.
avbtool = glob_dict.get("avb_avbtool")
extract_from = glob_dict.get("avb_system_other_key_path")
cmd = [avbtool, "extract_public_key", "--key", extract_from,
"--output", extract_to]
common.RunAndCheckOutput(cmd, verbose=False)
def main(argv):
if len(argv) < 4 or len(argv) > 5:
print(__doc__)
@@ -785,7 +763,6 @@ def main(argv):
mount_point = ""
if image_filename == "system.img":
mount_point = "system"
ExtractSystemOtherAvbKey(in_dir, glob_dict)
elif image_filename == "system_other.img":
mount_point = "system_other"
elif image_filename == "userdata.img":