releasetools: Update T GKI certification scheme

          "gki_signing_algorithm" in OPTIONS.info_dict)

def _GenerateGkiCertificate(image, image_name, partition_name):

def _GenerateGkiCertificate(image, image_name):

  key_path = OPTIONS.info_dict.get("gki_signing_key_path")

  algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")

  if signature_args:

    cmd.extend(["--additional_avb_args", signature_args])

  args = OPTIONS.info_dict.get(

      "avb_" + partition_name + "_add_hash_footer_args", "")

  args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "")

  args = args.strip()

  if args:

    cmd.extend(["--additional_avb_args", args])

  if args and args.strip():

    cmd.extend(shlex.split(args))

  boot_signature = None

  if _HasGkiCertificationArgs():

    # Certify GKI images.

    boot_signature_bytes = b''

    if kernel_path is not None:

      boot_signature_bytes += _GenerateGkiCertificate(

          kernel_path, "generic_kernel", "boot")

    if has_ramdisk:

      boot_signature_bytes += _GenerateGkiCertificate(

          ramdisk_img.name, "generic_ramdisk", "init_boot")

    if len(boot_signature_bytes) > 0:

      boot_signature = tempfile.NamedTemporaryFile()

      boot_signature.write(boot_signature_bytes)

      boot_signature.flush()

      cmd.extend(["--boot_signature", boot_signature.name])

  else:

    # Certified GKI boot/init_boot image mustn't set 'mkbootimg_version_args'.

  args = info_dict.get("mkbootimg_version_args")

  if args and args.strip():

    cmd.extend(shlex.split(args))

  RunAndCheckOutput(cmd)

  if _HasGkiCertificationArgs():

    if not os.path.exists(img.name):

      raise ValueError("Cannot find GKI boot.img")

    if kernel_path is None or not os.path.exists(kernel_path):

      raise ValueError("Cannot find GKI kernel.img")

    # Certify GKI images.

    boot_signature_bytes = b''

    boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot")

    boot_signature_bytes += _GenerateGkiCertificate(

        kernel_path, "generic_kernel")

    BOOT_SIGNATURE_SIZE = 16 * 1024

    if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE:

      raise ValueError(

          f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}")

    boot_signature_bytes += (

        b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes)))

    assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE

    with open(img.name, 'ab') as f:

      f.write(boot_signature_bytes)

  if (info_dict.get("boot_signer") == "true" and

          info_dict.get("verity_key")):

    # Hard-code the path as "/boot" for two-step special recovery image (which

    ramdisk_img.close()

  img.close()

  if boot_signature is not None:

    boot_signature.close()

  return data

    }

    test_file = tempfile.NamedTemporaryFile()

    self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,

                      test_file.name, 'generic_kernel', 'boot')

                      test_file.name, 'generic_kernel')

  def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):

    pubkey = 'no_testkey_gki.pem'

    }

    test_file = tempfile.NamedTemporaryFile()

    self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,

                      test_file.name, 'generic_kernel', 'boot')

                      test_file.name, 'generic_kernel')

class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):

  """Checks the format of install-recovery.sh.