Commit 04fca7f8 authored by Bowgo Tsai

Fix (pvmfw.img) Embed correct public key for Microdroid verification

The previous commit (I551e14fa6a0c63e3cef334b953f670cf9c465e10)
incorrectly embedded the APEX public key ('apex_pubkey') into
pvmfw.img. This key is used to verify `apex_payload.img`
within `com.android.virt.apex`, not the Microdroid image.

This commit embeds the correct public key, which verifies
`microdroid_vbmeta.img` inside `apex_payload.img`.

Bug: 384813199
Test: m sign_target_files_apks
Test: sign_target_files_apks --allow_gsi_debug_sepolicy \
        --extra_apex_payload_key com.android.virt.apex= \
        -e com.android.virt.apex= \
        gsi_arm64-target_files-${build_id}.zip signed.zip
Test: unzip signed.zip IMAGES/pvmfw.img
Test: avbtool extract_public_key --key external/avb/test/data/testkey_rsa4096.pem --out key.pub
Test: grep -U -F -f key.pub IMAGES/pvmfw.img => grep: IMAGES/pvmfw.img: binary file matches
Change-Id: Ic8ae72898b8ab6067402b26eef9ed1b876a778f7
parent 13b89483
+33 −3
@@ -378,6 +378,37 @@ def GetApexKeys(keys_info, key_map):
  return keys_info


def GetMicrodroidVbmetaKey(virt_apex_path, avbtool_path):
  """Extracts the AVB public key from microdroid_vbmeta.img within a virt apex.

  Args:
    virt_apex_path: The path to the com.android.virt.apex file.
    avbtool_path: The path to the avbtool executable.

  Returns:
    The AVB public key (bytes).
  """
  # Creates an ApexApkSigner to extract microdroid_vbmeta.img.
  # No need to set key_passwords/codename_to_api_level_map since
  # we won't do signing here.
  apex_signer = apex_utils.ApexApkSigner(
      virt_apex_path,
      None,  # key_passwords
      None)  # codename_to_api_level_map
  payload_dir = apex_signer.ExtractApexPayload(virt_apex_path)
  microdroid_vbmeta_image = os.path.join(
      payload_dir, 'etc', 'fs', 'microdroid_vbmeta.img')

  # Extracts the avb public key from microdroid_vbmeta.img.
  with tempfile.NamedTemporaryFile() as microdroid_pubkey:
    common.RunAndCheckOutput([
        avbtool_path, 'info_image',
        '--image', microdroid_vbmeta_image,
        '--output_pubkey', microdroid_pubkey.name])
    with open(microdroid_pubkey.name, 'rb') as f:
      return f.read()


def GetApkFileInfo(filename, compressed_extension, skipped_prefixes):
  """Returns the APK info based on the given filename.

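Review bot: GetMicrodroidVbmetaKey returns whatever avbtool wrote to the temp file without validating it, so a missing etc/fs/microdroid_vbmeta.img surfaces only as a generic avbtool failure, and if avbtool writes nothing the function returns empty bytes that would then be embedded into pvmfw.img. Consider checking os.path.isfile(microdroid_vbmeta_image) before the RunAndCheckOutput call and raising when f.read() comes back empty, so a malformed pre-signed APEX stops the signing step with a clear message. The directory returned by ExtractApexPayload is not removed in this function either; if ApexApkSigner does not clean it up on its own, that should happen here. A unit test for the new function would also be welcome.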
@@ -879,9 +910,8 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip: zipfile.Zip

        # b/384813199: handles the pre-signed com.android.virt.apex in GSI.
        if payload_key == 'PRESIGNED':
          with input_tf_zip.open(virt_apex_path) as apex_fp:
            with zipfile.ZipFile(apex_fp) as apex_zip:
              new_pubkey = apex_zip.read('apex_pubkey')
          new_pubkey = GetMicrodroidVbmetaKey(virt_apex_path,
                                              misc_info['avb_avbtool'])
        else:
          new_pubkey_path = common.ExtractAvbPublicKey(
              misc_info['avb_avbtool'], payload_key)
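Review bot: In the PRESIGNED branch, virt_apex_path was previously opened as a member of input_tf_zip (input_tf_zip.open(virt_apex_path)), but it is now passed to GetMicrodroidVbmetaKey, whose docstring describes it as the path to the com.android.virt.apex file. Please confirm the value resolves to a file on disk at this point, or extract the zip member to a temporary file before the call. The comment above the branch could also state that the key now comes from microdroid_vbmeta.img rather than apex_pubkey, since that distinction is the whole point of the fix.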