Bug: 68224784
Test: Enable AVB on aosp_bullhead-userdebug. `m dist`. Note that the
prebuilt vendor.img needs to be AVB-signed first.
Test: `m dist` with aosp_walleye-userdebug.
Change-Id: I18235e4d0dde6af71a96e46ec434480cc9a22bef
AddImagesToTargetFiles() takes either a zip file, or a zip root as
input. We used to create IMAGES/ directory only when working with zip
root input. Commit 262bf3f0b5 has changed
to also stage boot / recovery images there when working with a zip file.
This CL makes sure the directory is always available under both modes.
Bug: 63456822
Test: zip -d target_files.zip IMAGES/\*;
add_img_to_target_files.py target_files.zip
Test: sign_target_files_apks.py target_files.zip signed-target_files.zip
Change-Id: Iea91d0403cdec1b16bb93bb71d3ed06856b8f7c3
If only vbmeta.img is missing from the target_files.zip,
'add_img_to_target_files.py -a' will fail to re-create vbmeta.img.
++++ vbmeta ++++
Traceback (most recent call last):
File "./build/make/tools/releasetools/add_img_to_target_files.py", line 693, in <module>
main(sys.argv[1:])
File "./build/make/tools/releasetools/add_img_to_target_files.py", line 687, in main
AddImagesToTargetFiles(args[0])
File "./build/make/tools/releasetools/add_img_to_target_files.py", line 584, in AddImagesToTargetFiles
boot_contents = boot_image.WriteToTemp()
AttributeError: 'NoneType' object has no attribute 'WriteToTemp'
Because it has skipped loading the boot.img, which leads to the above error.
Bug: 63456822
Test: As follows:
$ zip -d target_files.zip vbmeta.img
$ add_img_to_target_files.py -a target_files.zip
Test: `m dist` on aosp_arm64-userdebug
Change-Id: Ieba5f0b6848c3ec5d8bcfd24d48cc5af8b39f06c
Test: `m dist` on Linux and macOS.
Test: Use an existing target_files.zip for bullhead. Remove IMAGES/*
and rebuild the images with 'add_img_to_target_files.py -a'. It
generates idential images as in the original TF.zip.
Change-Id: I803656bf2c924dce53f2271dcb967a94fff48440
We have added support in mkuserimg_mke2fs.sh that allows specifying
filesystem UUID and hash seed UUID. This CL generates and passes the
UUIDs based on the image name and build fingerprint. This way we can
rebuild and get identical images.
Note that this only applies to images generated with `m dist` and with
signing tools (sign_target_files_apks.py and
add_img_to_target_files.py). Images under $OUT (built with `make`) are
not affected.
Bug: 64994964
Test: lunch marlin-userdebug; run `m dist` twice (after deleting the
intermediate files under $OUT/obj/PACKAGING), and compare the
generated images.
Change-Id: I41cf4e5869582bb930af2f35a8e9c79bff43b2a2
(cherry picked from commit 3aa21e6bb9)
We want the generated images being identical for the same source files.
Currently the generated ext4 image (either from make_ext4fs or mke2fs)
is reproducible, but the AVB footer added by avbtool contain changes
because of the random salt being used.
This CL changes the avbtool invocation to specify "--salt <hexstring>"
(already supported by avbtool) to use reproducible salt that's computed
based on fingerprints (or thumbprints if applicable).
Bug: 67023482
Test: Regenerate images from the same source as follows:
Use a target_files.zip from an AVB-enabled target.
$ zip -d target_files.zip IMAGES/\*
$ ./build/make/tools/releasetools/add_img_to_target_files.py \
-v target_files.zip
Repeat the above commands and compare the generated images.
Change-Id: Id9db17ae0132ca3a820b4be5a5ef06ca3fef71ed
(cherry picked from commit 8f05cca1d9)
vendor.img could be built from the source - in which case we have
unpacked files under VENDOR/ - or dropped in as a prebuilt binary blob.
We should consider either of them as target having a vendor partition.
Because we need to add its AVB hashtree info into vbmeta.img if target
is using AVB. Otherwise libfs_mgr would refuse to mount this
"AVB-enabled" vendor.img.
For targets not using AVB, this change is no-op.
Bug: 65462819
Test: Having vendor.img as prebuilt, `make dist`. Check that the
generated vbmeta.img contains the info from vendor.img.
Test: Build, flash and boot the above image.zip.
Change-Id: Iaeb30e2059cb33fb39f23e5ffd28f338d00ccbfc
In BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS, if we have defined
"--include_descriptors_from_image" with an image file whose path points
to source tree, add_img_to_target_files.py or sign_target_files_apks.py
may fail to find the file. Because these scripts may run without a
source tree, by taking target_files.zip as the only input.
This CL scans additional locations in the input target_files.zip to find
those missing files in avb_vbmeta_args. As long as the files are included
in the target_files.zip, they get a second chance to be found.
Bug: 63910867
Test: As follows:
1. Setup BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS with a local file path;
2. Remove the local file;
3. sign_target_files_apks.py fails without this CL;
4. sign_target_files_apks.py works.
Change-Id: I3c58f80a5535db02b74cfe40d0c0beff72587cf8
(cherry picked from commit 1dc5d47653)
system_avb_hashtree_enable has been renamed to
avb_system_hashtree_enable in commit
3e599ead66. 'care_map.txt' is missing due
to the change.
Bug: 63142730
Test: `m dist` and check IMAGES/care_map.txt exists in target_files zip.
Change-Id: I60c269b41df844b50353d357bf67c20f15548642
Radio images are added to INSTALLED_RADIOIMAGE_TARGET, which by default
will be packed under RADIO/ in a target_files zip. This CL introduces
BOARD_PACK_RADIOIMAGES that allows additionally copying them into
IMAGES/, which will then be included into <product>-img.zip.
Bug: 62195105
Test: Define BOARD_PACK_RADIOIMAGES and `m dist`. Check the generated
target_files zip and <product>-img.zip.
Change-Id: I3deafd2dfecd1d4dbfdfc2d002fc40ef22fb60ea
In case the system/vendor image is updated for an A/B target file, we'll
delay the write of META/care_map.txt. Specifically, we'll run "zip -d"
to remove the old entry and then zip in the new one from tmp dir.
Bug: 62345693
Test: Run add_img_to_target_files.py on sailfish target files, and
care_map.txt is updated.
Change-Id: Id2f9997aac50c0740e6944d0d0d43d98f5fc6c29
Current build system will include AVB metadata from each partition and
store them into /vbmeta partiton when BOARD_AVB_ENABLE is set, which makes
each partition tightly-coupled.
Add the support for 'chain partition':
- The vbmeta of each partition is stored on the same partition itself.
- The public key used to verify each partition is stored in /vbmeta.
For example, the following build variables are required to enable chain
partition for system partition:
- BOARD_AVB_SYSTEM_KEY_PATH := path/to/system_private_key
- BOARD_AVB_SYSTEM_ALGORITHM := SHA512_RSA8192
- BOARD_AVB_SYSTEM_ROLLBACK_INDEX := 1
- BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 2
The corresponding settings will be added into META/misc_info.txt for
build_image.py and/or add_img_to_target_files.py:
- avb_system_key_path=path/to/system_private_key
- avb_system_algorithm=SHA512_RSA8192
- avb_system_add_hashtree_footer_args=--rollback_index 1
- avb_system_rollback_index_location=2
To enable chain partition for other partitions, just replace SYSTEM with
BOOT, VENDOR and/or DTBO in the build variables.
Also switch from `avbtool make_vbmeta_image --setup_rootfs_from_kernel system.img ...`
to `avbtool add_hashtree_footer --image system.img --setup_as_rootfs_from_kernel...`
when BOARD_BUILD_SYSTEM_ROOT_IMAGE is true. This works for both chained
and no-chained:
- chained: `avbtool add_hashtree_footer --setup_as_rootfs_from_kernel` will
add dm-verity kernel cmdline descriptor to system.img
- no-chained: `avbtool make_vbmeta_image --include_descriptors_from_image
system.img` will include the kernel cmdline descriptor from system.img into
vbmeta.img
Bug: 38399657
Test: `make` pass, flash images from $OUT and boot device without chain partitions
Test: `make` pass, flash images from $OUT and boot device with chain partitions
Test: `make dist` pass, flash images from TF.zip and boot device without chain partitions
Test: `make dist` pass, flash images from TF.zip and boot device with chain partitions
Test: follow the same steps in
https://android-review.googlesource.com/#/c/407572/
Change-Id: I344f79290743d7d47b5e7441b3a21df812a69099
board_avb_algorithm and board_avb_key_path are overlapping with
avb_signing_args. In core/Makefile, only avb_signing_args (i.e.
INTERNAL_AVB_SIGNING_ARGS) will be used in the AVB-signing command. It
covers the contents in board_avb_{algorithm,key_path}. We should do the
same thing in tools/releasetools to avoid potential inconsistency.
This CL cleans up the logic in tools/releasetools, by always using
avb_signing_args. This also allows easier signing key replacement (so we
can replace the key/algorithm/signer in 'avb_signing_args').
board_avb_system_add_hashtree_footer_args is unused in releasetools
script, and the same information has been covered by
system_avb_add_hashtree_footer_args. This CL removes this arg as well.
Test: `m dist`. Then a) check the removed three args no longer exist in
META/misc_info.txt; b) check that rebuilding images with
add_img_to_target_files.py uses the same parameters.
Change-Id: I7db890b5c942de5b6868d8d1ebf937586d4729c0
When AVB is enabled, generate care_map.txt and add it to the target
files. Also copy it into the OTA package where it will later be used
by the update_verifier.
Bug: 62208947
Test: \
1. Run add_img_to_target_files on the TF of a new pixel device,
and care_map.txt generates successfully.
2. Make dist in oc-dr1-release and find care_map.txt in the OTA package.
3. update_verifier succeeds in reading all the blocks on the care_map,
and fails to read out-of-bound blocks.
Change-Id: I2881711e6f87789cb7de150dbeca18b756fed68a
This is a step to enable signing a given target_files zip with release
keys.
When calling sign_target_files_apks.py, we will delete all the entries
under IMAGES/ in order to re-generate them (with the proper release
keys). In order to support that, we need to pack everything in need into
TF.zip.
Steps to test the CL.
a) Choose a target that has both AVB and DTBO enabled.
$ m dist
b) Check IMAGES/dtbo.img and PREBUILT_IMAGES/dtbo.img both exist in the
generated out/dist/TF.zip.
c) Remove the entries under IMAGES/ from the generated TF.zip.
$ zip -d TF.zip IMAGES/\*
d) Re-generate the images with TF.zip.
$ build/make/tools/releasetools/add_img_to_target_files.py TF.zip
e) Check that IMAGES/dtbo.img is re-generated, and it's identical to the
image in b). Note that by default the re-generated image will carry a
different footer, because of the random salt. This CL is verified by
specifying the same salt.
Bug: 38315721
Test: see above.
Change-Id: I0bdc4e1cd4800962dc3902ca550dad6a8ca56c78
If we pass "rebuild_recovery" to add_img_to_target_files, the recovery
patch is rebuilt. But related files under SYSTEM/ (e.g.
SYSTEM/recovery-from-boot.p && SYSTEM/bin/install-recovery.sh) are not
updated.
This may cause a mismatch between system.img and SYSTEM/, and
may lead to a failure in validate_target_files.py.
Bug: 62096364
Test: Rebuild the system image in the TF and observe the recovery files
under SYSTEM/ get updated.
Change-Id: I7d679a612a86d02cf2eff81d1d120c0067138ed9
Uses avbtool to sign vendor.img if BOARD_AVB_ENABLE is set.
It also allows appending additional arguments to avbtool via
BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS.
e.g.,
BOARD_AVB_ENABLE := true
BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS := --generate_fec
Bug: 35415839
Test: "make" with the above variables and use avbtool to check vbmeta is
appended to vendor.img
Test: "make dist" with the above variables
Change-Id: I8ada38dff3def6d34613e77c67944def8a49f464
system_root_image has been dead since commit
2ce63edab7.
Test: pylint --rcfile=pylintrc add_img_to_target_files.py
Change-Id: Id791747b7313923b82279a21d264a998455a92d4
In addition to the current behavior of add_img_to_target_files working
on an existing zip file, allow passing in a directory where the target
files have already been extracted. When in this mode, it writes the
images out to that directory instead of the zip file.
This allows us to call add_img_to_target_files on the temp directory
used during the build to create the target files package, saving the
time and space of unzipping what we just zipped. This also allows us to
use the parallel soong_zip, which compresses the images much faster.
Test: aosp_marlin target_files zip is the same before/after this change
Test: marlin target_files zip is the same before/after this change
Test: bullhead target_files zip is the same before/after this change
Change-Id: I155654cdc7ad7754ba4ef76ec69c31f504a58198
This remove the fstab dependency when building the OTA package for
marlin/sailfish.
Bug: 35811655
Test: OTA package builds successfully for sailfish.
Change-Id: If223d11dddca396c47262042c576f9e7d0cb5b33
(cherry picked from commit 7d051adc3b)
Commit f1a13180db intended to remove the
verity blocks from care_map.txt, but it added new code without removing
the old one. This leads to a malformed care_map.txt and causes
update_verifier failure.
Bug: 34391662
Test: 'm -j dist' gives a TF.zip with 4-line META/care_map.txt (as
opposed to a 6-line file).
Change-Id: I7ff1aa525795c4b049af54c1755b0f0ea84f7e0e
When reading /dev/block/dm-X, update_verifier isn't able to access the
verity meta blocks at the end of the system/vendor partition. So we need
to remove these block ranges from the care_map.
Bug: 34391662
Test: care_map generated successfully without verity meta blocks
Change-Id: Id57c602b7e5fd1b0c9d1e1fe5fcdd74e85b6b255
In two-step OTAs, we write recovery image to /boot as the first step so
that we can reboot from there and install a new recovery image to
/recovery. However, bootloader will show "Your device is corrupt"
message when booting /boot with the recovery image. Because the recovery
image encodes the path of "/recovery" as part of the signature metadata,
which fails the verified boot.
This CL generates a special "recovery-two-step.img" in addition to the
regular recovery.img. This image encodes "/boot" when being signed,
which will be flashed to /boot at stage 1/3 in a two-step OTA.
Here are the desired changes:
- 'IMAGES/recovery-two-step.img' exists in target_files.zip for non-A/B
targets (e.g. bullhead). The image should not exist for targets that
don't have a recovery partition (e.g. A/B devices like sailfish).
- <device>-img.zip should not contain 'recovery-two-step.img'.
- Nothing should change when building non-two-step OTAs. For two-step
OTAs, 'recovery-two-step.img' should be included in the OTA package;
'updater-script' should flash this image to /boot at stage 1/3.
- When building a two-step OTA with an input TF.zip that doesn't have
IMAGES/recovery-two-step.img, it should use the existing
IMAGES/recovery.img instead.
Bug: 32986477
Test: Tested the steps above on bullhead and sailfish.
Change-Id: I34e6c599bcf2011d4cd5c926999418b3975d6d0f
system/extras/verity/build_verity_metadata.py now accepts
"--signer_args" to specify verity signer args.
Also remove the duplicate "--verity_signer_args" in
add_img_to_target_files.py, as we already have that in common.py.
Bug: 31500665
Test: Building and signing work w/ and w/o --signer_args.
Change-Id: I02f59c50a1ebf15c5505e9fffd5b9bbbbaa785be
While the system.img images currently built with AVB support verify
correctly, mounting the filesystem content fails. This is because
'avbtool add_hashtree_footer' used to claim some of the unused /
DONT_CARE space for stashing the verity tables and this resulting in the
mapped device ending up being smaller causing the mount failure.
Fix this by leaving enough room for AVB hashtree and metadata before
building the image. This is achieved by moving the AVB hashtree support
into build_image.py and using a just added '--calc_max_image_size'
option to 'avbtool add_hashtree_footer' to figure out how much space to
leave out.
This depends on https://android-review.googlesource.com/#/c/281821/
Bug: 31264226
Test: Mounting dm-verity set up from system.img now works.
Merged-In: I4c5de1004c1059f8c582e76b3b8517d427aa1a87
Change-Id: I945a5f1f6782791736cd319f216cfa6b448fb04d
This updates the build system for the new Android Verified Boot
codebase. As this is based on Brillo Verified Boot, this change replaces
the existing BVB support.
Android Verified Boot is enabled by the BOARD_AVB_ENABLE variable
BOARD_AVB_ENABLE := true
This will make the build system create vbmeta.img which will contain a
hash descriptor for boot.img, a hashtree descriptor for system.img, a
kernel-cmdline descriptor for setting up dm-verity for system.img and
append a hash-tree to system.img.
Additionally, the descriptors are left in boot.img and system.img so a
third party can create their own vbmeta.img file linking - using the
option --chain_partition - to these images. If this is not needed
footers can be erased using the 'avbtool erase_footer' command. It's
also harmless to just leave them in the images.
By default, the algorithm SHA256_RSA4096 is used with a test key from
the AVB source directory. This can be overriden by the
BOARD_AVB_ALGORITHM and BOARD_AVB_KEY_PATH variables to use e.g. a
4096-bit RSA key and SHA-512:
BOARD_AVB_ALGORITHM := SHA512_RSA4096
BOARD_AVB_KEY_PATH := /path/to/rsa_key_4096bits.pem
To prevent rollback attacks, the rollback index should be increased on a
regular basis. The rollback index can be set with the
BOARD_AVB_ROLLBACK_INDEX variable:
BOARD_AVB_ROLLBACK_INDEX := 5
If this is not set, the rollback index defaults to 0.
The variable BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS can be used to specify
additional options passed to 'avbtool make_vbmeta_image'. Typical
options to be used here include '--prop', '--prop_from_file', and
'--chain_partition'.
The variable BOARD_AVBTOOL_BOOT_ADD_HASH_FOOTER_ARGS can be used to
specify additional options passed to 'avbtool add_hash_footer' for
boot.img. Typical options to be used here include '--hash_algorithm' and
'--salt'.
The variable BOARD_AVBTOOL_SYSTEM_ADD_HASHTREE_FOOTER_ARGS can be used
to specify additional options passed to 'avbtool add_hashtree_footer'
for systems.img. Typical options to be used here include
'--hash_algorithm', '--salt', and '--block_size'.
BUG=31264226
TEST=Manually tested on edison-eng by inspecting {boot, system,
vbmeta}.img in out/ directory as well as their counterparts in
the IMAGES/ directory of edision-target_files-eng.zeuthen.zip
Merged-In: Ic9a61cfc65c148b12996e57f04da5432eef6b982
Change-Id: I97042655bca15e7eac899f12c5bada2f6184d307
The userdata.img and cache.img entries are not useful in signed builds;
because fastboot doesn't look at these two entries in the *img.zip when
flashing a device. And they aren't used elsewhere. Therefore, skip
building the image files for them when signing the target files with
sign_target_files_apks. Also, add an option "--is_signing" to avoid
adding these two images when we call add_img_to_target_files.
Change-Id: I39ba91a86d9a856d7d01771f6d1403dbf21f2011
Test: Run sign_target_files_apks on a target file and userdata/cache.img doesn't not generate.
Bug: 30642470
add_img_to_target_files.py fails when the target_files.zip is over 4GiB
when adding IMAGES/ folder. Specify the flag to allow creating
target_files.zip with ZIP64 extension.
Other zip artifacts (-img.zip, -ota.zip etc) remain in non-ZIP64 format.
zip2zip is not affected, which still creates non-ZIP64 zips even when
copying from target_files in ZIP64.
Bug: 30961841
Test: "make dist" with large system image and check the artifacts.
Change-Id: I0568745f01ef8f0239081f783eac92288d4fdd84
Generate a new file containing care_data of system (and vendor)
partition, and add it under META/ of target file package. For
A/B update, copy this file to OTA package for later use by
update_verifier.
Bug: 27175949
Change-Id: I90bb972703afaeb94bc3efe718fd81b1cfbcabcc
add_img_to_target_files.py has an option of "-a" to add missing
images only. Under this option, the script should skip copying
the radio images for A/B devices when given image exists already
under "IMAGES/".
Test: Run the command on an A/B device, the existing radio images under "IMAGES/" don't get overwritten; and missing images are added correctly.
Bug: 29608905
Change-Id: Ie034b85a5d777d53e367f99470cea4d19cb1aaaf
For AB devices, support flashing two system partitions for factory use.
The normal system image on one partition, but without dex preopt. And a
system_other image that just contains the odex files. The dex files will
not be stripped out of the system image, in case the second system
partition is wiped.
Setting BOARD_USES_SYSTEM_OTHER_ODEX := true in the BoardConfig.mk
enables this behavior.
One can control which directories are placed in system_other by the
SYSTEM_OTHER_ODEX_FILTER configuration variable. Currently we default
to only copying only app and priv-app odexs.
Bug: 29278988
Change-Id: I7f4e87da919e7dc6a89fd8c668193cd4e98631bc
This change will enable the target zip to include partition defined in
BRILLO_VENDOR_PARTITIONS. This is necessary for OTA to support
partitions other than boot and system in ab_partitions.txt.
The target zip will include images in BRILLO_VENDOR_PARTITIONS if
defined, under VENDOR_IMAGES/ with path kept. Also any vendor partitions
defined in AB_OTA_PARTITIONS will be copied to IMAGES/ in the target zip.
BUG: 28623063
Change-Id: Ic479048dfb8ac506acf827865e784fcb0432a1d5
This change will enable the target zip to include partition defined in
BRILLO_VENDOR_PARTITIONS. This is necessary for OTA to support
partitions other than boot and system in ab_partitions.txt.
BUG: 28623063
Change-Id: I6e0969c31c9ad2e8285c6f560825c160aa8c4d55
To generate partition tables in the Android build system, simply add
the path to a .bpt file to the BOARD_BPT_INPUT_FILES variable.
BOARD_BPT_INPUT_FILES += "hardware/bsp/vendor/soc/board/board-specific.bpt"
The variable BOARD_BPT_DISK_SIZE can be used to specify or override
the disk size, for example:
BOARD_BPT_DISK_SIZE := "10 GiB"
Additional arguments to 'bpttool make_table' can be specified in the
variable BOARD_BPT_MAKE_TABLE_ARGS.
If BOARD_BPT_INPUT_FILES is set, the build system generates two files
partition-table.img
partition-table.bpt
in ${ANDROID_PRODUCT_OUT} using 'bpttool make_table'. The former is
the binary partition tables generated using bptool's --output_gpt
option and the latter is a JSON file generated using the --output_json
option. These files will also be put in the IMAGES/ directory of
target-files.zip when running 'm dist'.
BUG=27831397
TEST=Manually tested.
Change-Id: Iedd15354afb2dd483dcb9bc001360b2a37fd6dc0
The following variables are introduced
BOARD_BVB_ENABLE: can be set to true to build boot.img and system.img
files compatible with Brillo Verfied Boot.
BOARD_BVB_ROLLBACK_INDEX: can be set to an integer to use for the
rollback index.
BOARD_BVB_KEY_PATH, BOARD_BVB_ALGORITHM: If set, the former must be a
path to the private key used to sign the boot image and the latter must
be the algorithm to use. If unset, a test-key stored in the tree will
be used.
BOARD_BVB_MAKE_BOOT_IMAGE_ARGS: Extra options to pass to 'bvbtool
make_boot_image'.
BOARD_BVB_SIGN_BOOT_IMAGE_ARGS: Extra options to pass to 'bvbtool
sign_boot_image'.
BOARD_BVB_ADD_IMAGE_HASHES_ARGS: Extra options to pass to 'bvbtool
add_image_hashes'.
BOARD_CUSTOM_BVBTOOL: Can be set to specify what bvbtool program to
use.
The existing BOARD_KERNEL_CMDLINE variable is also used, as are existing
kernel and initrd-related variables. Therefore, simply adding
BOARD_BVB_ENABLE := true
to an existing Makefile should do the trick.
Bug: 26185038
TEST=Added 'BOARD_BVB_ENABLE := true' to hardware/bsp/intel/soc/edison/soc.mk
and built an image and then ran bvbtool's info_boot_image and
info_image_hashes commands on the resulting boot.img and system.img
files and verified that the information was correct. Also ran 'm dist'
and verified that the boot.img and system.img files in the resulting
target_files.zip file had similar information.
Change-Id: I08045ed8b0cbddc7c3acdd3a6f2c4bb75cb44bbc
