Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 21bc61eb authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Use deterministic salt for AVB footer of prebuilt boot img" into main... 

Merge "Use deterministic salt for AVB footer of prebuilt boot img" into main am: 07f84b7b am: fa0091a9 am: fa58c8aa

Original change: https://android-review.googlesource.com/c/platform/build/+/2794713



Change-Id: I2385f7fe7f558458b8af2b388a929b6e4448f6d3
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 97ddd82e fa58c8aa

core/Makefile

+5 −1
Original line number Diff line number Diff line
@@ -1444,15 +1444,19 @@ INTERNAL_PREBUILT_BOOTIMAGE := $(BOARD_PREBUILT_BOOTIMAGE) 
INSTALLED_BOOTIMAGE_TARGET := $(PRODUCT_OUT)/boot.img



ifeq ($(BOARD_AVB_ENABLE),true)

$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH)

$(INSTALLED_BOOTIMAGE_TARGET): PRIVATE_WORKING_DIR := $(call intermediates-dir-for,PACKAGING,prebuilt_bootimg)

$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH) $(UNPACK_BOOTIMG)

	cp $(INTERNAL_PREBUILT_BOOTIMAGE) $@

	$(UNPACK_BOOTIMG) --boot_img $(INTERNAL_PREBUILT_BOOTIMAGE) --out $(PRIVATE_WORKING_DIR)

	chmod +w $@

	$(AVBTOOL) add_hash_footer \

	    --image $@ \

	    --salt `sha256sum $(PRIVATE_WORKING_DIR)/kernel | cut -d " " -f 1` \

	    $(call get-partition-size-argument,$(BOARD_BOOTIMAGE_PARTITION_SIZE)) \

	    --partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \

	    $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)





$(call declare-container-license-metadata,$(INSTALLED_BOOTIMAGE_TARGET),SPDX-license-identifier-GPL-2.0-only SPDX-license-identifier-Apache-2.0,restricted notice,$(BUILD_SYSTEM)/LINUX_KERNEL_COPYING build/soong/licenses/LICENSE,"Boot Image",bool)

$(call declare-container-license-deps,$(INSTALLED_BOOTIMAGE_TARGET),$(INTERNAL_PREBUILT_BOOTIMAGE),$(PRODUCT_OUT)/:/)

core/config.mk

+1 −0
Original line number Diff line number Diff line
@@ -722,6 +722,7 @@ else 
BUILD_SUPER_IMAGE := $(BOARD_CUSTOM_BUILD_SUPER_IMAGE)

endif

IMG_FROM_TARGET_FILES := $(HOST_OUT_EXECUTABLES)/img_from_target_files$(HOST_EXECUTABLE_SUFFIX)

UNPACK_BOOTIMG := $(HOST_OUT_EXECUTABLES)/unpack_bootimg

MAKE_RECOVERY_PATCH := $(HOST_OUT_EXECUTABLES)/make_recovery_patch$(HOST_EXECUTABLE_SUFFIX)

OTA_FROM_TARGET_FILES := $(HOST_OUT_EXECUTABLES)/ota_from_target_files$(HOST_EXECUTABLE_SUFFIX)

OTA_FROM_RAW_IMG := $(HOST_OUT_EXECUTABLES)/ota_from_raw_img$(HOST_EXECUTABLE_SUFFIX)

tools/releasetools/common.py

+9 −1
Original line number Diff line number Diff line
@@ -1947,7 +1947,15 @@ def _SignBootableImage(image_path, prebuilt_name, partition_name, 
    cmd = [avbtool, "add_hash_footer", "--image", image_path,

           "--partition_size", str(part_size), "--partition_name",

           partition_name]

    AppendAVBSigningArgs(cmd, partition_name)

    # Use sha256 of the kernel as salt for reproducible builds

    with tempfile.TemporaryDirectory() as tmpdir:

      RunAndCheckOutput(["unpack_bootimg", "--boot_img", image_path, "--out", tmpdir])

      for filename in ["kernel", "ramdisk", "vendor_ramdisk00"]:

        path = os.path.join(tmpdir, filename)

        if os.path.exists(path) and os.path.getsize(path):

          with open(path, "rb") as fp:

            salt = sha256(fp.read()).hexdigest()

    AppendAVBSigningArgs(cmd, partition_name, salt)

    args = info_dict.get("avb_" + partition_name + "_add_hash_footer_args")

    if args and args.strip():

      split_args = ResolveAVBSigningPathArgs(shlex.split(args))