Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Unverified Commit 55c5936b authored by Brint E. Kriebel's avatar Brint E. Kriebel Committed by Michael Bestas
Browse files

releasetools: Add bootable image signing 

Set PRODUCT_PRIVATE_KEY to the path of the boot image signing
certificate to sign an image for secure boot.

Change-Id: I2c767c6f9c3740bed3d7094d2d0b50a075e08abc
parent 975df640

tools/releasetools/common.py

+39 −1
Original line number Diff line number Diff line
@@ -432,6 +432,7 @@ def _BuildBootableImage(sourcedir, fs_config_file, info_dict=None, 
    info_dict = OPTIONS.info_dict



  img = tempfile.NamedTemporaryFile()

  bootimg_key = os.getenv("PRODUCT_PRIVATE_KEY", None)



  if has_ramdisk:

    ramdisk_img = make_ramdisk()
@@ -488,8 +489,9 @@ def _BuildBootableImage(sourcedir, fs_config_file, info_dict=None, 


    fn = os.path.join(sourcedir, "pagesize")

    if os.access(fn, os.F_OK):

      kernel_pagesize = open(fn).read().rstrip("\n")

      cmd.append("--pagesize")

      cmd.append(open(fn).read().rstrip("\n"))

      cmd.append(kernel_pagesize)



    args = info_dict.get("mkbootimg_args", None)

    if args and args.strip():
@@ -514,6 +516,42 @@ def _BuildBootableImage(sourcedir, fs_config_file, info_dict=None, 
  assert p.returncode == 0, "mkbootimg of %s image failed" % (

      os.path.basename(sourcedir),)



  if bootimg_key and os.path.exists(bootimg_key) and kernel_pagesize > 0:

    print "Signing bootable image..."

    bootimg_key_passwords = {}

    bootimg_key_passwords.update(PasswordManager().GetPasswords(bootimg_key.split()))

    bootimg_key_password = bootimg_key_passwords[bootimg_key]

    if bootimg_key_password is not None:

        bootimg_key_password += "\n"

    img_sha256 = tempfile.NamedTemporaryFile()

    img_sig = tempfile.NamedTemporaryFile()

    img_sig_padded = tempfile.NamedTemporaryFile()

    img_secure = tempfile.NamedTemporaryFile()

    p = Run(["openssl", "dgst", "-sha256", "-binary", "-out", img_sha256.name, img.name],

        stdout=subprocess.PIPE)

    p.communicate()

    assert p.returncode == 0, "signing of bootable image failed"

    p = Run(["openssl", "rsautl", "-sign", "-in", img_sha256.name, "-inkey", bootimg_key, "-out",

        img_sig.name, "-passin", "stdin"], stdin=subprocess.PIPE, stdout=subprocess.PIPE)

    p.communicate(bootimg_key_password)

    assert p.returncode == 0, "signing of bootable image failed"

    p = Run(["dd", "if=/dev/zero", "of=%s" % img_sig_padded.name, "bs=%s" % kernel_pagesize,

        "count=1"], stdout=subprocess.PIPE)

    p.communicate()

    assert p.returncode == 0, "signing of bootable image failed"

    p = Run(["dd", "if=%s" % img_sig.name, "of=%s" % img_sig_padded.name, "conv=notrunc"],

        stdout=subprocess.PIPE)

    p.communicate()

    assert p.returncode == 0, "signing of bootable image failed"

    p = Run(["cat", img.name, img_sig_padded.name], stdout=img_secure.file.fileno())

    p.communicate()

    assert p.returncode == 0, "signing of bootable image failed"

    shutil.copyfile(img_secure.name, img.name)

    img_sha256.close()

    img_sig.close()

    img_sig_padded.close()

    img_secure.close()



  if (info_dict.get("boot_signer", None) == "true" and

      info_dict.get("verity_key", None)):

    path = "/" + os.path.basename(sourcedir).lower()