releasetools: Android T GKI certification scheme (36054e2d) · Commits · e / os / android_build

tools/releasetools/Android.bp

+3 −0

Original line number	Diff line number	Diff line
		@@ -162,6 +162,7 @@ python_defaults {
		required: [
		"brillo_update_payload",
		"checkvintf",
		"generate_gki_certificate",
		"minigzip",
		"lz4",
		"toybox",
		@@ -236,6 +237,7 @@ python_library_host {
		"boot_signer",
		"brotli",
		"bsdiff",
		"generate_gki_certificate",
		"imgdiff",
		"minigzip",
		"lz4",
		@@ -301,6 +303,7 @@ python_defaults {
		"brotli",
		"bsdiff",
		"deapexer",
		"generate_gki_certificate",
		"imgdiff",
		"minigzip",
		"lz4",

tools/releasetools/common.py

+61 −22

Original line number	Diff line number	Diff line
		@@ -1396,34 +1396,52 @@ def GetAvbChainedPartitionArg(partition, info_dict, key=None):
		return "{}:{}:{}".format(partition, rollback_index_location, pubkey_path)


		def AppendGkiSigningArgs(cmd):
		"""Append GKI signing arguments for mkbootimg."""
		# e.g., --gki_signing_key path/to/signing_key
		# --gki_signing_algorithm SHA256_RSA4096"
		def _HasGkiCertificationArgs():
		return ("gki_signing_key_path" in OPTIONS.info_dict and
		"gki_signing_algorithm" in OPTIONS.info_dict)


		def _GenerateGkiCertificate(image, image_name, partition_name):
		key_path = OPTIONS.info_dict.get("gki_signing_key_path")
		# It's fine that a non-GKI boot.img has no gki_signing_key_path.
		if not key_path:
		return
		algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")

		if not os.path.exists(key_path) and OPTIONS.search_path:
		new_key_path = os.path.join(OPTIONS.search_path, key_path)
		if os.path.exists(new_key_path):
		key_path = new_key_path

		# Checks key_path exists, before appending --gki_signing_* args.
		# Checks key_path exists, before processing --gki_signing_* args.
		if not os.path.exists(key_path):
		raise ExternalError(
		'gki_signing_key_path: "{}" not found'.format(key_path))

		algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
		if key_path and algorithm:
		cmd.extend(["--gki_signing_key", key_path,
		"--gki_signing_algorithm", algorithm])
		output_certificate = tempfile.NamedTemporaryFile()
		cmd = [
		"generate_gki_certificate",
		"--name", image_name,
		"--algorithm", algorithm,
		"--key", key_path,
		"--output", output_certificate.name,
		image,
		]

		signature_args = OPTIONS.info_dict.get("gki_signing_signature_args")
		signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "")
		signature_args = signature_args.strip()
		if signature_args:
		cmd.extend(["--gki_signing_signature_args", signature_args])
		cmd.extend(["--additional_avb_args", signature_args])

		args = OPTIONS.info_dict.get(
		"avb_" + partition_name + "_add_hash_footer_args", "")
		args = args.strip()
		if args:
		cmd.extend(["--additional_avb_args", args])

		RunAndCheckOutput(cmd)

		output_certificate.seek(os.SEEK_SET, 0)
		data = output_certificate.read()
		output_certificate.close()
		return data


		def BuildVBMeta(image_path, partitions, name, needed_partitions):
		@@ -1549,6 +1567,8 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
		if kernel and not os.access(os.path.join(sourcedir, kernel), os.F_OK):
		return None

		kernel_path = os.path.join(sourcedir, kernel) if kernel else None

		if has_ramdisk and not os.access(os.path.join(sourcedir, "RAMDISK"), os.F_OK):
		return None

		@@ -1563,8 +1583,8 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
		mkbootimg = os.getenv('MKBOOTIMG') or "mkbootimg"

		cmd = [mkbootimg]
		if kernel:
		cmd += ["--kernel", os.path.join(sourcedir, kernel)]
		if kernel_path is not None:
		cmd.extend(["--kernel", kernel_path])

		fn = os.path.join(sourcedir, "second")
		if os.access(fn, os.F_OK):
		@@ -1604,6 +1624,24 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
		if args and args.strip():
		cmd.extend(shlex.split(args))

		boot_signature = None
		if _HasGkiCertificationArgs():
		# Certify GKI images.
		boot_signature_bytes = b''
		if kernel_path is not None:
		boot_signature_bytes += _GenerateGkiCertificate(
		kernel_path, "generic_kernel", "boot")
		if has_ramdisk:
		boot_signature_bytes += _GenerateGkiCertificate(
		ramdisk_img.name, "generic_ramdisk", "init_boot")

		if len(boot_signature_bytes) > 0:
		boot_signature = tempfile.NamedTemporaryFile()
		boot_signature.write(boot_signature_bytes)
		boot_signature.flush()
		cmd.extend(["--boot_signature", boot_signature.name])
		else:
		# Certified GKI boot/init_boot image mustn't set 'mkbootimg_version_args'.
		args = info_dict.get("mkbootimg_version_args")
		if args and args.strip():
		cmd.extend(shlex.split(args))
		@@ -1611,8 +1649,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
		if has_ramdisk:
		cmd.extend(["--ramdisk", ramdisk_img.name])

		AppendGkiSigningArgs(cmd)

		img_unsigned = None
		if info_dict.get("vboot"):
		img_unsigned = tempfile.NamedTemporaryFile()
		@@ -1690,6 +1726,9 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
		ramdisk_img.close()
		img.close()

		if boot_signature is not None:
		boot_signature.close()

		return data

tools/releasetools/test_common.py

+8 −97

Original line number	Diff line number	Diff line
		@@ -1631,66 +1631,7 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
		self.assertEqual('3', chained_partition_args[1])
		self.assertTrue(os.path.exists(chained_partition_args[2]))

		@test_utils.SkipIfExternalToolsUnavailable()
		def test_AppendGkiSigningArgs_NoSigningKeyPath(self):
		# A non-GKI boot.img has no gki_signing_key_path.
		common.OPTIONS.info_dict = {
		# 'gki_signing_key_path': pubkey,
		'gki_signing_algorithm': 'SHA256_RSA4096',
		'gki_signing_signature_args': '--prop foo:bar',
		}

		# Tests no --gki_signing_* args are appended if there is no
		# gki_signing_key_path.
		cmd = ['mkbootimg', '--header_version', '4']
		expected_cmd = ['mkbootimg', '--header_version', '4']
		common.AppendGkiSigningArgs(cmd)
		self.assertEqual(cmd, expected_cmd)

		def test_AppendGkiSigningArgs_NoSigningAlgorithm(self):
		pubkey = os.path.join(self.testdata_dir, 'testkey_gki.pem')
		with open(pubkey, 'wb') as f:
		f.write(b'\x00' * 100)
		self.assertTrue(os.path.exists(pubkey))

		# Tests no --gki_signing_* args are appended if there is no
		# gki_signing_algorithm.
		common.OPTIONS.info_dict = {
		'gki_signing_key_path': pubkey,
		# 'gki_signing_algorithm': 'SHA256_RSA4096',
		'gki_signing_signature_args': '--prop foo:bar',
		}

		cmd = ['mkbootimg', '--header_version', '4']
		expected_cmd = ['mkbootimg', '--header_version', '4']
		common.AppendGkiSigningArgs(cmd)
		self.assertEqual(cmd, expected_cmd)

		@test_utils.SkipIfExternalToolsUnavailable()
		def test_AppendGkiSigningArgs(self):
		pubkey = os.path.join(self.testdata_dir, 'testkey_gki.pem')
		with open(pubkey, 'wb') as f:
		f.write(b'\x00' * 100)
		self.assertTrue(os.path.exists(pubkey))

		common.OPTIONS.info_dict = {
		'gki_signing_key_path': pubkey,
		'gki_signing_algorithm': 'SHA256_RSA4096',
		'gki_signing_signature_args': '--prop foo:bar',
		}
		cmd = ['mkbootimg', '--header_version', '4']
		common.AppendGkiSigningArgs(cmd)

		expected_cmd = [
		'mkbootimg', '--header_version', '4',
		'--gki_signing_key', pubkey,
		'--gki_signing_algorithm', 'SHA256_RSA4096',
		'--gki_signing_signature_args', '--prop foo:bar'
		]
		self.assertEqual(cmd, expected_cmd)

		@test_utils.SkipIfExternalToolsUnavailable()
		def test_AppendGkiSigningArgs_KeyPathNotFound(self):
		def test_GenerateGkiCertificate_KeyPathNotFound(self):
		pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem')
		self.assertFalse(os.path.exists(pubkey))

		@@ -1699,41 +1640,11 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
		'gki_signing_algorithm': 'SHA256_RSA4096',
		'gki_signing_signature_args': '--prop foo:bar',
		}
		cmd = ['mkbootimg', '--header_version', '4']
		self.assertRaises(common.ExternalError, common.AppendGkiSigningArgs, cmd)

		@test_utils.SkipIfExternalToolsUnavailable()
		def test_AppendGkiSigningArgs_SearchKeyPath(self):
		pubkey = 'testkey_gki.pem'
		self.assertFalse(os.path.exists(pubkey))
		test_file = tempfile.NamedTemporaryFile()
		self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
		test_file.name, 'generic_kernel', 'boot')

		# Tests it should replace the pubkey with an existed key under
		# OPTIONS.search_path, i.e., os.path.join(OPTIONS.search_path, pubkey).
		search_path_dir = common.MakeTempDir()
		search_pubkey = os.path.join(search_path_dir, pubkey)
		with open(search_pubkey, 'wb') as f:
		f.write(b'\x00' * 100)
		self.assertTrue(os.path.exists(search_pubkey))

		common.OPTIONS.search_path = search_path_dir
		common.OPTIONS.info_dict = {
		'gki_signing_key_path': pubkey,
		'gki_signing_algorithm': 'SHA256_RSA4096',
		'gki_signing_signature_args': '--prop foo:bar',
		}
		cmd = ['mkbootimg', '--header_version', '4']
		common.AppendGkiSigningArgs(cmd)

		expected_cmd = [
		'mkbootimg', '--header_version', '4',
		'--gki_signing_key', search_pubkey,
		'--gki_signing_algorithm', 'SHA256_RSA4096',
		'--gki_signing_signature_args', '--prop foo:bar'
		]
		self.assertEqual(cmd, expected_cmd)

		@test_utils.SkipIfExternalToolsUnavailable()
		def test_AppendGkiSigningArgs_SearchKeyPathNotFound(self):
		def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):
		pubkey = 'no_testkey_gki.pem'
		self.assertFalse(os.path.exists(pubkey))

		@@ -1749,9 +1660,9 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
		'gki_signing_algorithm': 'SHA256_RSA4096',
		'gki_signing_signature_args': '--prop foo:bar',
		}
		cmd = ['mkbootimg', '--header_version', '4']
		self.assertRaises(common.ExternalError, common.AppendGkiSigningArgs, cmd)

		test_file = tempfile.NamedTemporaryFile()
		self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
		test_file.name, 'generic_kernel', 'boot')

		class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
		"""Checks the format of install-recovery.sh.