Merge "AVB: support chain partition signing" into oc-dr1-dev (680b29e7) · Commits · e / os / android_build

core/Makefile

+135 −37

Original line number	Diff line number	Diff line
		@@ -623,25 +623,25 @@ $(error TARGET_BOOTIMAGE_USE_EXT2 is not supported anymore)

		else ifeq (true,$(BOARD_AVB_ENABLE)) # TARGET_BOOTIMAGE_USE_EXT2 != true

		$(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(AVBTOOL) $(INTERNAL_BOOTIMAGE_FILES)
		$(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(AVBTOOL) $(INTERNAL_BOOTIMAGE_FILES) $(BOARD_AVB_BOOT_KEY_PATH)
		$(call pretty,"Target boot image: $@")
		$(hide) $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $@
		$(hide) $(call assert-max-image-size,$@,$(BOARD_BOOTIMAGE_PARTITION_SIZE))
		$(hide) $(AVBTOOL) add_hash_footer \
		--image $@ \
		--partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \
		--partition_name boot $(INTERNAL_AVB_SIGNING_ARGS) \
		--partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \
		$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)

		.PHONY: bootimage-nodeps
		bootimage-nodeps: $(MKBOOTIMG) $(AVBTOOL)
		bootimage-nodeps: $(MKBOOTIMG) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH)
		@echo "make $@: ignoring dependencies"
		$(hide) $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(INSTALLED_BOOTIMAGE_TARGET)
		$(hide) $(call assert-max-image-size,$(INSTALLED_BOOTIMAGE_TARGET),$(BOARD_BOOTIMAGE_PARTITION_SIZE))
		$(hide) $(AVBTOOL) add_hash_footer \
		--image $@ \
		--partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \
		--partition_name boot $(INTERNAL_AVB_SIGNING_ARGS) \
		--partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \
		$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)

		else ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_BOOT_SIGNER)) # BOARD_AVB_ENABLE != true
		@@ -996,12 +996,21 @@ $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot_
		$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot_subkey=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_SUBKEY)" >> $(1))
		$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "futility=$(notdir $(FUTILITY))" >> $(1))
		$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot_signer_cmd=$(VBOOT_SIGNER)" >> $(1))
		$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_signing_args=$(INTERNAL_AVB_SIGNING_ARGS)" >> $(1))
		$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_avbtool=$(notdir $(AVBTOOL))" >> $(1))
		$(if $(BOARD_AVB_ENABLE),$(hide) echo "system_avb_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))
		$(if $(BOARD_AVB_ENABLE),$(hide) echo "system_avb_add_hashtree_footer_args=$(BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))
		$(if $(BOARD_AVB_ENABLE),$(hide) echo "vendor_avb_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))
		$(if $(BOARD_AVB_ENABLE),$(hide) echo "vendor_avb_add_hashtree_footer_args=$(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))
		$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_system_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))
		$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_system_add_hashtree_footer_args=$(BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))
		$(if $(BOARD_AVB_ENABLE),\
		$(if $(BOARD_AVB_SYSTEM_KEY_PATH),\
		$(hide) echo "avb_system_key_path=$(BOARD_AVB_SYSTEM_KEY_PATH)" >> $(1)
		$(hide) echo "avb_system_algorithm=$(BOARD_AVB_SYSTEM_ALGORITHM)" >> $(1)
		$(hide) echo "avb_system_rollback_index_location=$(BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION)" >> $(1)))
		$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))
		$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_add_hashtree_footer_args=$(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))
		$(if $(BOARD_AVB_ENABLE),\
		$(if $(BOARD_AVB_VENDOR_KEY_PATH),\
		$(hide) echo "avb_vendor_key_path=$(BOARD_AVB_VENDOR_KEY_PATH)" >> $(1)
		$(hide) echo "avb_vendor_algorithm=$(BOARD_AVB_VENDOR_ALGORITHM)" >> $(1)
		$(hide) echo "avb_vendor_rollback_index_location=$(BOARD_AVB_VENDOR_ROLLBACK_INDEX_LOCATION)" >> $(1)))
		$(if $(filter true,$(BOARD_USES_RECOVERY_AS_BOOT)),\
		$(hide) echo "recovery_as_boot=true" >> $(1))
		$(if $(filter true,$(BOARD_BUILD_SYSTEM_ROOT_IMAGE)),\
		@@ -1214,7 +1223,7 @@ define build-recoveryimage-target
		$(hide) $(AVBTOOL) add_hash_footer \
		--image $(1) \
		--partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \
		--partition_name boot $(INTERNAL_AVB_SIGNING_ARGS) \
		--partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \
		$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS))
		$(if $(filter true,$(BOARD_USES_RECOVERY_AS_BOOT)), \
		$(hide) $(call assert-max-image-size,$(1),$(BOARD_BOOTIMAGE_PARTITION_SIZE)), \
		@@ -1230,7 +1239,7 @@ ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT))
		$(INSTALLED_BOOTIMAGE_TARGET) : $(VBOOT_SIGNER)
		endif
		ifeq (true,$(BOARD_AVB_ENABLE))
		$(INSTALLED_BOOTIMAGE_TARGET) : $(AVBTOOL)
		$(INSTALLED_BOOTIMAGE_TARGET) : $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH)
		endif
		$(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTFS) $(MKBOOTIMG) $(MINIGZIP) \
		$(INSTALLED_RAMDISK_TARGET) \
		@@ -1817,12 +1826,12 @@ ifdef BOARD_PREBUILT_DTBOIMAGE
		INSTALLED_DTBOIMAGE_TARGET := $(PRODUCT_OUT)/dtbo.img

		ifeq ($(BOARD_AVB_ENABLE),true)
		$(INSTALLED_DTBOIMAGE_TARGET): $(BOARD_PREBUILT_DTBOIMAGE) $(AVBTOOL)
		$(INSTALLED_DTBOIMAGE_TARGET): $(BOARD_PREBUILT_DTBOIMAGE) $(AVBTOOL) $(BOARD_AVB_DTBO_KEY_PATH)
		cp $(BOARD_PREBUILT_DTBOIMAGE) $@
		$(AVBTOOL) add_hash_footer \
		--image $@ \
		--partition_size $(BOARD_DTBOIMG_PARTITION_SIZE) \
		--partition_name dtbo $(INTERNAL_AVB_SIGNING_ARGS) \
		--partition_name dtbo $(INTERNAL_AVB_DTBO_SIGNING_ARGS) \
		$(BOARD_AVB_DTBO_ADD_HASH_FOOTER_ARGS)
		else
		$(INSTALLED_DTBOIMAGE_TARGET): $(BOARD_PREBUILT_DTBOIMAGE)
		@@ -1836,39 +1845,98 @@ endif
		ifeq ($(BOARD_AVB_ENABLE),true)

		BUILT_VBMETAIMAGE_TARGET := $(PRODUCT_OUT)/vbmeta.img
		AVB_CHAIN_KEY_DIR := $(TARGET_OUT_INTERMEDIATES)/avb_chain_keys

		INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS := \
		--include_descriptors_from_image $(INSTALLED_BOOTIMAGE_TARGET) \
		--include_descriptors_from_image $(INSTALLED_SYSTEMIMAGE) \
		ifdef BOARD_AVB_KEY_PATH
		$(if $(BOARD_AVB_ALGORITHM),,$(error BOARD_AVB_ALGORITHM is not defined))
		else
		# If key path isn't specified, use the 4096-bit test key.
		BOARD_AVB_ALGORITHM := SHA256_RSA4096
		BOARD_AVB_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
		endif

		INTERNAL_AVB_SIGNING_ARGS := \
		--algorithm $(BOARD_AVB_ALGORITHM) --key $(BOARD_AVB_KEY_PATH)

		BOOT_FOOTER_ARGS := BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS
		DTBO_FOOTER_ARGS := BOARD_AVB_DTBO_ADD_HASH_FOOTER_ARGS
		SYSTEM_FOOTER_ARGS := BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS
		VENDOR_FOOTER_ARGS := BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS

		# Check and set required build variables for a chain partition.
		# $(1): the partition to enable AVB chain, e.g., BOOT or SYSTEM.
		define check-and-set-avb-chain-args
		$(eval PART := $(1))
		$(eval part=$(shell echo $(PART) \| tr A-Z a-z))

		$(eval _key_path := BOARD_AVB_$(PART)_KEY_PATH)
		$(eval _signing_algorithm := BOARD_AVB_$(PART)_ALGORITHM)
		$(eval _rollback_index := BOARD_AVB_$(PART)_ROLLBACK_INDEX)
		$(eval _rollback_index_location := BOARD_AVB_$(PART)_ROLLBACK_INDEX_LOCATION)
		$(if $($(_key_path)),,$(error $(_key_path) is not defined))
		$(if $($(_signing_algorithm)),,$(error $(_signing_algorithm) is not defined))
		$(if $($(_rollback_index)),,$(error $(_rollback_index) is not defined))
		$(if $($(_rollback_index_location)),,$(error $(_rollback_index_location) is not defined))

		# Set INTERNAL_AVB_(PART)_SIGNING_ARGS
		$(eval _signing_args := INTERNAL_AVB_$(PART)_SIGNING_ARGS)
		$(eval $(_signing_args) := \
		--algorithm $($(_signing_algorithm)) --key $($(_key_path)))

		$(eval INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += \
		--chain_partition $(part):$($(_rollback_index_location)):$(AVB_CHAIN_KEY_DIR)/$(part).avbpubkey)

		# Set rollback_index via footer args
		$(eval _footer_args := $(PART)_FOOTER_ARGS)
		$(eval $($(_footer_args)) += --rollback_index $($(_rollback_index)))
		endef

		ifdef BOARD_AVB_BOOT_KEY_PATH
		$(eval $(call check-and-set-avb-chain-args,BOOT))
		else
		INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += \
		--include_descriptors_from_image $(INSTALLED_BOOTIMAGE_TARGET)
		endif

		ifdef BOARD_AVB_SYSTEM_KEY_PATH
		$(eval $(call check-and-set-avb-chain-args,SYSTEM))
		else
		INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += \
		--include_descriptors_from_image $(INSTALLED_SYSTEMIMAGE)
		endif

		ifdef INSTALLED_VENDORIMAGE_TARGET
		ifdef BOARD_AVB_VENDOR_KEY_PATH
		$(eval $(call check-and-set-avb-chain-args,VENDOR))
		else
		INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += \
		--include_descriptors_from_image $(INSTALLED_VENDORIMAGE_TARGET)
		endif
		endif

		ifdef INSTALLED_DTBOIMAGE_TARGET
		ifdef BOARD_AVB_DTBO_KEY_PATH
		$(eval $(call check-and-set-avb-chain-args,DTBO))
		else
		INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += \
		--include_descriptors_from_image $(INSTALLED_DTBOIMAGE_TARGET)
		endif
		endif

		INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += --padding_size 4096

		# Add kernel cmdline descriptor for kernel to mount system.img as root with
		# dm-verity. This works when system.img is either chained or not-chained:
		# - chained: The --setup_as_rootfs_from_kernel option will add dm-verity kernel
		# cmdline descriptor to system.img
		# - not-chained: The --include_descriptors_from_image option for make_vbmeta_image
		# will include the kernel cmdline descriptor from system.img into vbmeta.img
		ifeq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true)
		INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += --setup_rootfs_from_kernel $(BUILT_SYSTEMIMAGE)
		BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS += --setup_as_rootfs_from_kernel
		endif

		ifdef BOARD_AVB_ROLLBACK_INDEX
		INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += --rollback_index $(BOARD_AVB_ROLLBACK_INDEX)
		endif

		ifndef BOARD_AVB_KEY_PATH
		# If key path isn't specified, use the 4096-bit test key.
		INTERNAL_AVB_SIGNING_ARGS := \
		--algorithm SHA256_RSA4096 \
		--key external/avb/test/data/testkey_rsa4096.pem
		else
		INTERNAL_AVB_SIGNING_ARGS := \
		--algorithm $(BOARD_AVB_ALGORITHM) --key $(BOARD_AVB_KEY_PATH)
		BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --rollback_index $(BOARD_AVB_ROLLBACK_INDEX)
		endif

		ifndef BOARD_BOOTIMAGE_PARTITION_SIZE
		@@ -1879,17 +1947,36 @@ ifndef BOARD_SYSTEMIMAGE_PARTITION_SIZE
		$(error BOARD_SYSTEMIMAGE_PARTITION_SIZE must be set for BOARD_AVB_ENABLE)
		endif

		# $(1): the directory to extract public keys to
		define extract-avb-chain-public-keys
		$(if $(BOARD_AVB_BOOT_KEY_PATH),\
		$(hide) $(AVBTOOL) extract_public_key --key $(BOARD_AVB_BOOT_KEY_PATH) \
		--output $(1)/boot.avbpubkey)
		$(if $(BOARD_AVB_SYSTEM_KEY_PATH),\
		$(hide) $(AVBTOOL) extract_public_key --key $(BOARD_AVB_SYSTEM_KEY_PATH) \
		--output $(1)/system.avbpubkey)
		$(if $(BOARD_AVB_VENDOR_KEY_PATH),\
		$(hide) $(AVBTOOL) extract_public_key --key $(BOARD_AVB_VENDOR_KEY_PATH) \
		--output $(1)/vendor.avbpubkey)
		$(if $(BOARD_AVB_DTBO_KEY_PATH),\
		$(hide) $(AVBTOOL) extract_public_key --key $(BOARD_AVB_DTBO_KEY_PATH) \
		--output $(1)/dtbo.avbpubkey)
		endef

		define build-vbmetaimage-target
		$(call pretty,"Target vbmeta image: $(INSTALLED_VBMETAIMAGE_TARGET)")
		$(hide) mkdir -p $(AVB_CHAIN_KEY_DIR)
		$(call extract-avb-chain-public-keys, $(AVB_CHAIN_KEY_DIR))
		$(hide) $(AVBTOOL) make_vbmeta_image \
		$(INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS) \
		$(INTERNAL_AVB_SIGNING_ARGS) \
		$(BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS) \
		--output $@
		$(hide) rm -rf $(AVB_CHAIN_KEY_DIR)
		endef

		INSTALLED_VBMETAIMAGE_TARGET := $(BUILT_VBMETAIMAGE_TARGET)
		$(INSTALLED_VBMETAIMAGE_TARGET): $(AVBTOOL) $(INSTALLED_BOOTIMAGE_TARGET) $(INSTALLED_SYSTEMIMAGE) $(INSTALLED_VENDORIMAGE_TARGET) $(INSTALLED_DTBOIMAGE_TARGET)
		$(INSTALLED_VBMETAIMAGE_TARGET): $(AVBTOOL) $(INSTALLED_BOOTIMAGE_TARGET) $(INSTALLED_SYSTEMIMAGE) $(INSTALLED_VENDORIMAGE_TARGET) $(INSTALLED_DTBOIMAGE_TARGET) $(BOARD_AVB_KEY_PATH)
		$(build-vbmetaimage-target)

		.PHONY: vbmetaimage-nodeps
		@@ -2303,11 +2390,17 @@ ifeq ($(BOARD_USES_FULL_RECOVERY_IMAGE),true)
		$(hide) echo "full_recovery_image=true" >> $(zip_root)/META/misc_info.txt
		endif
		ifeq ($(BOARD_AVB_ENABLE),true)
		$(hide) echo "board_avb_enable=true" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "board_avb_rollback_index=$(BOARD_AVB_ROLLBACK_INDEX)" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "board_avb_boot_add_hash_footer_args=$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "board_avb_make_vbmeta_image_args=$(BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS)" >> $(zip_root)/META/misc_info.txt
		endif
		$(hide) echo "avb_enable=true" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "avb_vbmeta_key_path=$(BOARD_AVB_KEY_PATH)" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "avb_vbmeta_algorithm=$(BOARD_AVB_ALGORITHM)" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "avb_vbmeta_args=$(BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS)" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "avb_boot_add_hash_footer_args=$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)" >> $(zip_root)/META/misc_info.txt
		ifdef BOARD_AVB_BOOT_KEY_PATH
		$(hide) echo "avb_boot_key_path=$(BOARD_AVB_BOOT_KEY_PATH)" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "avb_boot_algorithm=$(BOARD_AVB_BOOT_ALGORITHM)" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "avb_boot_rollback_index_location=$(BOARD_AVB_BOOT_ROLLBACK_INDEX_LOCATION)" >> $(zip_root)/META/misc_info.txt
		endif # BOARD_AVB_BOOT_KEY_PATH
		endif # BOARD_AVB_ENABLE
		ifdef BOARD_BPT_INPUT_FILES
		$(hide) echo "board_bpt_enable=true" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "board_bpt_make_table_args=$(BOARD_BPT_MAKE_TABLE_ARGS)" >> $(zip_root)/META/misc_info.txt
		@@ -2365,10 +2458,15 @@ ifdef BOARD_PREBUILT_DTBOIMAGE
		$(hide) echo "has_dtbo=true" >> $(zip_root)/META/misc_info.txt
		ifeq ($(BOARD_AVB_ENABLE),true)
		$(hide) echo "dtbo_size=$(BOARD_DTBOIMG_PARTITION_SIZE)" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "board_avb_dtbo_add_hash_footer_args=$(BOARD_AVB_DTBO_ADD_HASH_FOOTER_ARGS)" \
		$(hide) echo "avb_dtbo_add_hash_footer_args=$(BOARD_AVB_DTBO_ADD_HASH_FOOTER_ARGS)" >> $(zip_root)/META/misc_info.txt
		ifdef BOARD_AVB_DTBO_KEY_PATH
		$(hide) echo "avb_dtbo_key_path=$(BOARD_AVB_DTBO_KEY_PATH)" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "avb_dtbo_algorithm=$(BOARD_AVB_DTBO_ALGORITHM)" >> $(zip_root)/META/misc_info.txt
		$(hide) echo "avb_dtbo_rollback_index_location=$(BOARD_AVB_DTBO_ROLLBACK_INDEX_LOCATION)" \
		>> $(zip_root)/META/misc_info.txt
		endif
		endif
		endif # BOARD_AVB_DTBO_KEY_PATH
		endif # BOARD_AVB_ENABLE
		endif # BOARD_PREBUILT_DTBOIMAGE
		@# Run fs_config on all the system, vendor, boot ramdisk,
		@# and recovery ramdisk files in the zip, and save the output
		$(hide) $(call fs_config,$(zip_root)/SYSTEM,system/) > $(zip_root)/META/filesystem_config.txt

tools/releasetools/add_img_to_target_files.py

+43 −17

Original line number	Diff line number	Diff line
		@@ -192,14 +192,14 @@ def AddDtbo(output_zip, prefix="IMAGES/"):
		shutil.copy(dtbo_prebuilt_path, img.name)

		# AVB-sign the image as needed.
		if OPTIONS.info_dict.get("board_avb_enable") == "true":
		if OPTIONS.info_dict.get("avb_enable") == "true":
		avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"]
		part_size = OPTIONS.info_dict["dtbo_size"]
		# The AVB hash footer will be replaced if already present.
		cmd = [avbtool, "add_hash_footer", "--image", img.name,
		"--partition_size", str(part_size), "--partition_name", "dtbo"]
		cmd.extend(shlex.split(OPTIONS.info_dict["avb_signing_args"]))
		args = OPTIONS.info_dict.get("board_avb_dtbo_add_hash_footer_args")
		common.AppendAVBSigningArgs(cmd, "dtbo")
		args = OPTIONS.info_dict.get("avb_dtbo_add_hash_footer_args")
		if args and args.strip():
		cmd.extend(shlex.split(args))
		p = common.Run(cmd, stdout=subprocess.PIPE)
		@@ -271,7 +271,7 @@ def CreateImage(input_dir, info_dict, what, output_file, block_list=None):
		# by the avb tool.
		is_verity_partition = "verity_block_device" in image_props
		verity_supported = (image_props.get("verity") == "true" or
		image_props.get("board_avb_enable") == "true")
		image_props.get("avb_enable") == "true")
		is_avb_enable = image_props.get("avb_hashtree_enable") == "true"
		if verity_supported and (is_verity_partition or is_avb_enable):
		adjusted_blocks_value = image_props.get("partition_size")
		@@ -334,25 +334,51 @@ def AddUserdata(output_zip, prefix="IMAGES/"):
		img.Write()


		def AppendVBMetaArgsForPartition(cmd, partition, img_path, public_key_dir):
		if not img_path:
		return

		# Check if chain partition is used.
		key_path = OPTIONS.info_dict.get("avb_" + partition + "_key_path")
		if key_path:
		# extract public key in AVB format to be included in vbmeta.img
		avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"]
		public_key_path = os.path.join(public_key_dir, "%s.avbpubkey" % partition)
		p = common.Run([avbtool, "extract_public_key", "--key", key_path,
		"--output", public_key_path],
		stdout=subprocess.PIPE, stderr=subprocess.PIPE)
		p.communicate()
		assert p.returncode == 0, \
		"avbtool extract_public_key fail for partition: %r" % partition

		rollback_index_location = OPTIONS.info_dict[
		"avb_" + partition + "_rollback_index_location"]
		cmd.extend(["--chain_partition", "%s:%s:%s" % (
		partition, rollback_index_location, public_key_path)])
		else:
		cmd.extend(["--include_descriptors_from_image", img_path])


		def AddVBMeta(output_zip, boot_img_path, system_img_path, vendor_img_path,
		dtbo_img_path, prefix="IMAGES/"):
		"""Create a VBMeta image and store it in output_zip."""
		img = OutputFile(output_zip, OPTIONS.input_tmp, prefix, "vbmeta.img")
		avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"]
		cmd = [avbtool, "make_vbmeta_image",
		"--output", img.name,
		"--include_descriptors_from_image", boot_img_path,
		"--include_descriptors_from_image", system_img_path]
		if vendor_img_path is not None:
		cmd.extend(["--include_descriptors_from_image", vendor_img_path])
		if dtbo_img_path is not None:
		cmd.extend(["--include_descriptors_from_image", dtbo_img_path])
		if OPTIONS.info_dict.get("system_root_image") == "true":
		cmd.extend(["--setup_rootfs_from_kernel", system_img_path])
		cmd.extend(shlex.split(OPTIONS.info_dict["avb_signing_args"]))
		args = OPTIONS.info_dict.get("board_avb_make_vbmeta_image_args")
		cmd = [avbtool, "make_vbmeta_image", "--output", img.name]
		common.AppendAVBSigningArgs(cmd, "vbmeta")

		public_key_dir = tempfile.mkdtemp(prefix="avbpubkey-")
		OPTIONS.tempfiles.append(public_key_dir)

		AppendVBMetaArgsForPartition(cmd, "boot", boot_img_path, public_key_dir)
		AppendVBMetaArgsForPartition(cmd, "system", system_img_path, public_key_dir)
		AppendVBMetaArgsForPartition(cmd, "vendor", vendor_img_path, public_key_dir)
		AppendVBMetaArgsForPartition(cmd, "dtbo", dtbo_img_path, public_key_dir)

		args = OPTIONS.info_dict.get("avb_vbmeta_args")
		if args and args.strip():
		cmd.extend(shlex.split(args))

		p = common.Run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
		p.communicate()
		assert p.returncode == 0, "avbtool make_vbmeta_image failed"
		@@ -553,7 +579,7 @@ def AddImagesToTargetFiles(filename):
		banner("dtbo")
		dtbo_img_path = AddDtbo(output_zip)

		if OPTIONS.info_dict.get("board_avb_enable") == "true":
		if OPTIONS.info_dict.get("avb_enable") == "true":
		banner("vbmeta")
		boot_contents = boot_image.WriteToTemp()
		AddVBMeta(output_zip, boot_contents.name, system_img_path,

tools/releasetools/build_image.py

+45 −32

File changed.

Preview size limit exceeded, changes collapsed.

tools/releasetools/common.py

+12 −3

Original line number	Diff line number	Diff line
		@@ -345,6 +345,15 @@ def DumpInfoDict(d):
		print("%-25s = (%s) %s" % (k, type(v).__name__, v))


		def AppendAVBSigningArgs(cmd, partition):
		"""Append signing arguments for avbtool."""
		# e.g., "--key path/to/signing_key --algorithm SHA256_RSA4096"
		key_path = OPTIONS.info_dict.get("avb_" + partition + "_key_path")
		algorithm = OPTIONS.info_dict.get("avb_" + partition + "_algorithm")
		if key_path and algorithm:
		cmd.extend(["--key", key_path, "--algorithm", algorithm])


		def _BuildBootableImage(sourcedir, fs_config_file, info_dict=None,
		has_ramdisk=False, two_step_image=False):
		"""Build a bootable image from the specified sourcedir.
		@@ -480,13 +489,13 @@ def _BuildBootableImage(sourcedir, fs_config_file, info_dict=None,
		img_keyblock.close()

		# AVB: if enabled, calculate and add hash to boot.img.
		if info_dict.get("board_avb_enable", None) == "true":
		if info_dict.get("avb_enable") == "true":
		avbtool = os.getenv('AVBTOOL') or info_dict["avb_avbtool"]
		part_size = info_dict["boot_size"]
		cmd = [avbtool, "add_hash_footer", "--image", img.name,
		"--partition_size", str(part_size), "--partition_name", "boot"]
		cmd.extend(shlex.split(info_dict["avb_signing_args"]))
		args = info_dict.get("board_avb_boot_add_hash_footer_args")
		AppendAVBSigningArgs(cmd, "boot")
		args = info_dict.get("avb_boot_add_hash_footer_args")
		if args and args.strip():
		cmd.extend(shlex.split(args))
		p = Run(cmd, stdout=subprocess.PIPE)

tools/releasetools/ota_from_target_files.py

+1 −1

Original line number	Diff line number	Diff line
		@@ -1168,7 +1168,7 @@ def WriteABOTAPackageWithBrilloScript(target_file, output_file,
		# into A/B OTA package.
		target_zip = zipfile.ZipFile(target_file, "r")
		if (OPTIONS.info_dict.get("verity") == "true" or
		OPTIONS.info_dict.get("board_avb_enable") == "true"):
		OPTIONS.info_dict.get("avb_enable") == "true"):
		care_map_path = "META/care_map.txt"
		namelist = target_zip.namelist()
		if care_map_path in namelist: