StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge "Use deterministic salt for boot image avb footer" into main am: 2b181f9aa1 am: 006c13c27b

Browse Source 
Original change: https://android-review.googlesource.com/c/platform/build/+/2768202

Change-Id: I821633c3ce6b918c9b5129a9a419c1e71e3e415f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Treehugger Robot
2023-10-04 18:18:06 +00:00
committed by Automerger Merge Worker
parent f1942a76cc 006c13c27b
commit efc6bdd970
2 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
core/Makefile
View File

@@ -1233,6 +1233,7 @@ define build_boot_from_kernel_avb_enabled
$(AVBTOOL) add_hash_footer \ $(AVBTOOL) add_hash_footer \
--image $(1) \ --image $(1) \
$(call get-partition-size-argument,$(call get-bootimage-partition-size,$(1),boot)) \ $(call get-partition-size-argument,$(call get-bootimage-partition-size,$(1),boot)) \
--salt `sha256sum "$(kernel)" | cut -d " " -f 1` \
--partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \ --partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \
$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS) $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)
endef endef

11
tools/releasetools/common.py
View File

@@ -1410,7 +1410,7 @@ def RunHostInitVerifier(product_out, partition_map):
return RunAndCheckOutput(cmd) return RunAndCheckOutput(cmd)
def AppendAVBSigningArgs(cmd, partition): def AppendAVBSigningArgs(cmd, partition, avb_salt=None):
"""Append signing arguments for avbtool.""" """Append signing arguments for avbtool."""
# e.g., "--key path/to/signing_key --algorithm SHA256_RSA4096" # e.g., "--key path/to/signing_key --algorithm SHA256_RSA4096"
key_path = ResolveAVBSigningPathArgs( key_path = ResolveAVBSigningPathArgs(
@@ -1418,7 +1418,8 @@ def AppendAVBSigningArgs(cmd, partition):
algorithm = OPTIONS.info_dict.get("avb_" + partition + "_algorithm") algorithm = OPTIONS.info_dict.get("avb_" + partition + "_algorithm")
if key_path and algorithm: if key_path and algorithm:
cmd.extend(["--key", key_path, "--algorithm", algorithm]) cmd.extend(["--key", key_path, "--algorithm", algorithm])
avb_salt = OPTIONS.info_dict.get("avb_salt") if avb_salt is None:
avb_salt = OPTIONS.info_dict.get("avb_salt")
# make_vbmeta_image doesn't like "--salt" (and it's not needed). # make_vbmeta_image doesn't like "--salt" (and it's not needed).
if avb_salt and not partition.startswith("vbmeta"): if avb_salt and not partition.startswith("vbmeta"):
cmd.extend(["--salt", avb_salt]) cmd.extend(["--salt", avb_salt])
@@ -1825,7 +1826,11 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file,
cmd = [avbtool, "add_hash_footer", "--image", img.name, cmd = [avbtool, "add_hash_footer", "--image", img.name,
"--partition_size", str(part_size), "--partition_name", "--partition_size", str(part_size), "--partition_name",
partition_name] partition_name]
AppendAVBSigningArgs(cmd, partition_name) salt = None
if kernel_path is not None:
with open(kernel_path, "rb") as fp:
salt = sha256(fp.read()).hexdigest()
AppendAVBSigningArgs(cmd, partition_name, salt)
args = info_dict.get("avb_" + partition_name + "_add_hash_footer_args") args = info_dict.get("avb_" + partition_name + "_add_hash_footer_args")
if args and args.strip(): if args and args.strip():
split_args = ResolveAVBSigningPathArgs(shlex.split(args)) split_args = ResolveAVBSigningPathArgs(shlex.split(args))