Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1e04bf72 authored by Bowgo Tsai's avatar Bowgo Tsai
Browse files

Sign system_other.img with AVB 

Support signing system_other.img but shouldn't include it into the
top-level vbmeta.img. system_other verifiation will not be included
in /vbmeta chains and will be done separately.

Bug: 112103720
Test: avbtool info_image --image $OUT/system_other.img
Test: avbtool info_image --image $OUT/vbmeta.img, checks 'system_other' is NOT included.
Test: Checks $OUT/obj/PACKAGING/system_other_intermediates/system_other_image_info.txt
      See the following:
        avb_system_other_hashtree_enable=true
        avb_system_other_add_hashtree_footer_args=--rollback_index 1551744000
        avb_system_other_key_path=external/avb/test/data/testkey_rsa4096.pem
        avb_system_other_algorithm=SHA256_RSA4096

Change-Id: Ia152aaab1387dcf556a42222adb39ea76881263a
parent 241d7cdb

core/Makefile

+23 −0
Original line number Diff line number Diff line
@@ -1409,6 +1409,12 @@ $(if $(BOARD_AVB_ENABLE),\ 
        $(hide) echo "avb_system_key_path=$(BOARD_AVB_SYSTEM_KEY_PATH)" >> $(1)

        $(hide) echo "avb_system_algorithm=$(BOARD_AVB_SYSTEM_ALGORITHM)" >> $(1)

        $(hide) echo "avb_system_rollback_index_location=$(BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION)" >> $(1)))

$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_system_other_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))

$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_system_other_add_hashtree_footer_args=$(BOARD_AVB_SYSTEM_OTHER_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))

$(if $(BOARD_AVB_ENABLE),\

    $(if $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH),\

        $(hide) echo "avb_system_other_key_path=$(BOARD_AVB_SYSTEM_OTHER_KEY_PATH)" >> $(1)

        $(hide) echo "avb_system_other_algorithm=$(BOARD_AVB_SYSTEM_OTHER_ALGORITHM)" >> $(1)))

$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))

$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_add_hashtree_footer_args=$(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))

$(if $(BOARD_AVB_ENABLE),\
@@ -2811,6 +2817,23 @@ BOARD_AVB_ALGORITHM := SHA256_RSA4096 
BOARD_AVB_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem

endif



# AVB signing for system_other.img.

ifdef BUILDING_SYSTEM_OTHER_IMAGE

ifdef BOARD_AVB_SYSTEM_OTHER_KEY_PATH

$(if $(BOARD_AVB_SYSTEM_OTHER_ALGORITHM),,$(error BOARD_AVB_SYSTEM_OTHER_ALGORITHM is not defined))

else

# If key path isn't specified, use the same key as BOARD_AVB_KEY_PATH.

BOARD_AVB_SYSTEM_OTHER_KEY_PATH := $(BOARD_AVB_KEY_PATH)

BOARD_AVB_SYSTEM_OTHER_ALGORITHM := $(BOARD_AVB_ALGORITHM)

endif



ifndef BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX

BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)

endif



BOARD_AVB_SYSTEM_OTHER_ADD_HASHTREE_FOOTER_ARGS += --rollback_index $(BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX)

endif # end of AVB for BUILDING_SYSTEM_OTHER_IMAGE



INTERNAL_AVB_PARTITIONS_IN_CHAINED_VBMETA_IMAGES := \

    $(BOARD_AVB_VBMETA_SYSTEM) \

    $(BOARD_AVB_VBMETA_VENDOR)

tools/releasetools/build_image.py

+4 −4
Original line number Diff line number Diff line
@@ -569,11 +569,11 @@ def ImagePropFromGlobalDict(glob_dict, mount_point): 
  elif mount_point == "system_other":

    # We inherit the selinux policies of /system since we contain some of its

    # files.

    copy_prop("avb_system_hashtree_enable", "avb_hashtree_enable")

    copy_prop("avb_system_add_hashtree_footer_args",

    copy_prop("avb_system_other_hashtree_enable", "avb_hashtree_enable")

    copy_prop("avb_system_other_add_hashtree_footer_args",

              "avb_add_hashtree_footer_args")

    copy_prop("avb_system_key_path", "avb_key_path")

    copy_prop("avb_system_algorithm", "avb_algorithm")

    copy_prop("avb_system_other_key_path", "avb_key_path")

    copy_prop("avb_system_other_algorithm", "avb_algorithm")

    copy_prop("fs_type", "fs_type")

    copy_prop("system_fs_type", "fs_type")

    copy_prop("system_size", "partition_size")