
Commit 267fe02f authored by Ricardo Cerqueira's avatar Ricardo Cerqueira

build: Use the password manager for the verity key if possible

If we're operating with a password dict, try to use it for verity

Change-Id: Ie0e8e33c873fc9f1ae9bd6da559f9cbbced183e9
Ref: CYNGNOS-3156
parent cf1d1dbb
+14 −1
@@ -106,13 +106,26 @@ def BuildVerityTree(sparse_image_path, verity_image_path, prop_dict):

def BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt,
                        block_device, signer_path, key):
  verity_key = os.getenv("PRODUCT_VERITY_KEY", None)
  verity_key_password = None

  if verity_key and os.path.exists(verity_key+".pk8"):
    verity_key_passwords = {}
    verity_key_passwords.update(common.PasswordManager().GetPasswords(verity_key.split()))
    verity_key_password = verity_key_passwords[verity_key]

  cmd_template = (
      "system/extras/verity/build_verity_metadata.py %s %s %s %s %s %s %s")
  cmd = cmd_template % (image_size, verity_metadata_path, root_hash, salt,
                        block_device, signer_path, key)
  print(cmd)
  runcmd = ["system/extras/verity/build_verity_metadata.py", image_size, verity_metadata_path, root_hash, salt, block_device, signer_path, key];
  if verity_key_password is not None:
    sp = subprocess.Popen(runcmd, stdin=subprocess.PIPE)
    sp.communicate(verity_key_password)
  else:
    sp = subprocess.Popen(runcmd)

  sp.wait()

  if sp.returncode != 0:
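Review bot: The password is looked up under the `PRODUCT_VERITY_KEY` environment value, but the key handed to build_verity_metadata.py is the `key` argument, and nothing in this hunk ties the two together. If they ever name different keys, the signer is fed a password for a key it is not using, or may block on a prompt when the lookup is skipped. I would derive the lookup name from the key actually being used, or at least fail loudly on a mismatch, e.g. `if verity_key and not key.startswith(verity_key): raise ValueError("PRODUCT_VERITY_KEY does not match the verity signing key")`; the exact comparison depends on how callers format `key`, which is not visible here. The same pattern appears in BuildBootableImage in the second file, where the lookup uses the environment value while the command uses `info_dict["verity_key"]`. The body of BuildVerityMetadata continues past the end of this hunk.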
+16 −2
@@ -339,6 +339,7 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
  ramdisk_img = tempfile.NamedTemporaryFile()
  img = tempfile.NamedTemporaryFile()
  bootimg_key = os.getenv("PRODUCT_PRIVATE_KEY", None)
  verity_key = os.getenv("PRODUCT_VERITY_KEY", None)
  custom_boot_signer = os.getenv("PRODUCT_BOOT_SIGNER", None)

  if os.access(fs_config_file, os.F_OK):
@@ -480,8 +481,21 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
    cmd.extend([path, img.name,
                info_dict["verity_key"] + ".pk8",
                info_dict["verity_key"] + ".x509.pem", img.name])
    verity_key_password = None

    if verity_key and os.path.exists(verity_key+".pk8") and kernel_pagesize > 0:
      verity_key_passwords = {}
      verity_key_passwords.update(PasswordManager().GetPasswords(verity_key.split()))
      verity_key_password = verity_key_passwords[verity_key]

    if verity_key_password is not None:
      verity_key_password += "\n"
      p = Run(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
      p.communicate(verity_key_password)
    else:
      p = Run(cmd)
      p.communicate()

    assert p.returncode == 0, "boot_signer of %s image failed" % path

  # Sign the image if vboot is non-empty.
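Review bot: In the password branch the signer's stdout is captured with `stdout=subprocess.PIPE` and the return value of `p.communicate(verity_key_password)` is discarded, so when boot_signer fails the assertion reports only the path and anything the tool printed to stdout is lost. The no-password branch leaves stdout attached. Either drop `stdout=subprocess.PIPE`, or keep the output for the failure message with `out, _ = p.communicate(verity_key_password)` and `assert p.returncode == 0, "boot_signer of %s image failed:\n%s" % (path, out)`. Separately, a trailing newline is appended to the password here but not in BuildVerityMetadata, so a short comment on which form each tool expects on stdin would help. BuildBootableImage starts and ends outside these hunks.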