Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2fe786a5 authored by Bowgo Tsai's avatar Bowgo Tsai
Browse files

Support removing AVB public keys 

AVB public keys might be installed into the first-stage ramdisk.
This CL supports removing some AVB keys during the signing process,
which can be useful when a key needs to be revoked.

Also correcting the path of force_debuggable detection.

Bug: 150109393
Test: make dist
Test: ./build/tools/releasetools/sign_target_files_apks \
      --remove_avb_public_keys key1.avbpubkey,key2.avbpubkey \
      out/dist/*-target_files-*.zip signed-target_files.zip
Change-Id: I1af95adbbec655f40121f3392965dd1950aca4e5
parent 5832bf1f

tools/releasetools/sign_target_files_apks.py

+25 −2
Original line number Diff line number Diff line
@@ -91,6 +91,14 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files 
      Replace the veritykeyid in BOOT/cmdline of input_target_file_zip

      with keyid of the cert pointed by <path_to_X509_PEM_cert_file>.



  --remove_avb_public_keys <key1>,<key2>,...

      Remove AVB public keys from the first-stage ramdisk. The key file to

      remove is located at either of the following dirs:

        - BOOT/RAMDISK/avb/ or

        - BOOT/RAMDISK/first_stage_ramdisk/avb/

      The second dir will be used for lookup if BOARD_USES_RECOVERY_AS_BOOT is

      set to true.



  --avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system,

         vbmeta_vendor}_algorithm <algorithm>

  --avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system,
@@ -150,6 +158,7 @@ OPTIONS.replace_ota_keys = False 
OPTIONS.replace_verity_public_key = False

OPTIONS.replace_verity_private_key = False

OPTIONS.replace_verity_keyid = False

OPTIONS.remove_avb_public_keys = None

OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys")

OPTIONS.avb_keys = {}

OPTIONS.avb_algorithms = {}
@@ -585,6 +594,18 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, 
          filename in ("BOOT/RAMDISK/verity_key",

                       "ROOT/verity_key")):

      pass

    elif (OPTIONS.remove_avb_public_keys and

          (filename.startswith("BOOT/RAMDISK/avb/") or

           filename.startswith("BOOT/RAMDISK/first_stage_ramdisk/avb/"))):

        matched_removal = False

        for key_to_remove in OPTIONS.remove_avb_public_keys:

          if filename.endswith(key_to_remove):

            matched_removal = True

            print("Removing AVB public key from ramdisk: %s" % filename)

            break

        if not matched_removal:

          # Copy it verbatim if we don't want to remove it.

          common.ZipWriteStr(output_tf_zip, out_info, data)



    # Skip verity keyid (for system_root_image use) if we will replace it.

    elif OPTIONS.replace_verity_keyid and filename == "BOOT/cmdline":
@@ -610,8 +631,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, 
    # Should NOT sign boot-debug.img.

    elif filename in (

        "BOOT/RAMDISK/force_debuggable",

        "RECOVERY/RAMDISK/force_debuggable"

        "RECOVERY/RAMDISK/first_stage_ramdisk/force_debuggable"):

        "BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"):

      raise common.ExternalError("debuggable boot.img cannot be signed")



    # A non-APK file; copy it verbatim.
@@ -1135,6 +1155,8 @@ def main(argv): 
      OPTIONS.replace_verity_private_key = (True, a)

    elif o == "--replace_verity_keyid":

      OPTIONS.replace_verity_keyid = (True, a)

    elif o == "--remove_avb_public_keys":

      OPTIONS.remove_avb_public_keys = a.split(",")

    elif o == "--avb_vbmeta_key":

      OPTIONS.avb_keys['vbmeta'] = a

    elif o == "--avb_vbmeta_algorithm":
@@ -1203,6 +1225,7 @@ def main(argv): 
          "replace_verity_public_key=",

          "replace_verity_private_key=",

          "replace_verity_keyid=",

          "remove_avb_public_keys=",

          "avb_apex_extra_args=",

          "avb_vbmeta_algorithm=",

          "avb_vbmeta_key=",