
Commit 6ceeb1a8 authored by Bowgo Tsai's avatar Bowgo Tsai

Adding Android verified boot 1.0 metadata into ENG builds

Adding verified boot metadata with a "disable magic". The resulting
metadata at the end of each image (e.g., system.img, vendor.img) will
be the same as triggering an "adb disable-verity" on a USERDEBUG image.

This can help simplify the code on fs_mgr, which won't have to check if
current image is an ENG build or not.

Bug: 63056044
Test: boot sailfish eng/userdebug builds
Change-Id: I95d23ac7b76c04d6d4483c9c4dc1de16bf0d9c3a
parent 492f67c0
+1 −0
@@ -997,6 +997,7 @@ $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verit
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(notdir $(VERITY_SIGNER))" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY_FEC),$(hide) echo "verity_fec=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY_FEC)" >> $(1))
$(if $(filter eng, $(TARGET_BUILD_VARIANT)),$(hide) echo "verity_disable=true" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION),$(hide) echo "system_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION),$(hide) echo "vendor_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)" >> $(1))
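Review bot: The added `verity_disable=true` line is written for every eng build, while each neighbouring verity_* key is gated on PRODUCT_SUPPORTS_VERITY, so a product without verity still gets a verity key in its property dictionary. Nesting the existing condition keeps the file consistent: `$(if $(filter eng,$(TARGET_BUILD_VARIANT)),$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_disable=true" >> $(1)))`. The same ungated line is added in the custom-image hunk (`@@ -135,6 +135,7 @@`), where the neighbouring keys are gated on PRIVATE_* verity settings. Because the commit message says this key makes the image behave as after "adb disable-verity", a short comment stating that belongs at the enclosing definition, which starts and ends outside the hunk.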
+1 −0
@@ -135,6 +135,7 @@ $(my_built_custom_image): $(INTERNAL_USERIMAGES_DEPS) $(my_built_modules) $(my_i
	    echo "verity_block_device=$(PRIVATE_VERITY_BLOCK_DEVICE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
	$(if $(PRIVATE_SUPPORT_VERITY_FEC),\
	  $(hide) echo "verity_fec=$(PRIVATE_SUPPORT_VERITY_FEC)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
	$(if $(filter eng, $(TARGET_BUILD_VARIANT)),$(hide) echo "verity_disable=true" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
	$(hide) echo "avb_avbtool=$(PRIVATE_AVB_AVBTOOL)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
	$(if $(PRIVATE_AVB_KEY_PATH),\
	  $(hide) echo "avb_key_path=$(PRIVATE_AVB_KEY_PATH)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
+10 −14
@@ -14,11 +14,8 @@
# limitations under the License.
#

# Provides dependencies necessary for verified boot (only for user and
# userdebug builds)
# Provides dependencies necessary for verified boot.

user_variant := $(filter user userdebug,$(TARGET_BUILD_VARIANT))
ifneq (,$(user_variant))
PRODUCT_SUPPORTS_BOOT_SIGNER := true
PRODUCT_SUPPORTS_VERITY := true
PRODUCT_SUPPORTS_VERITY_FEC := true
@@ -30,4 +27,3 @@ ifneq (,$(user_variant))

PRODUCT_PACKAGES += \
        verity_key
endif
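Review bot: With the `user_variant` guard removed, `PRODUCT_SUPPORTS_BOOT_SIGNER := true` now applies to eng builds as well, which the commit message does not mention, since it only discusses verity metadata. It is worth confirming that signing eng boot images is intended and which key they end up signed with. The new header comment also drops the variant information without saying what eng builds now get. Suggested wording: `# Provides dependencies necessary for verified boot. Eng builds get the same metadata, written with verity disabled (verity_disable=true).`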
+8 −2
@@ -225,12 +225,15 @@ def BuildVerityTree(sparse_image_path, verity_image_path, prop_dict):
  return True

def BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt,
                        block_device, signer_path, key, signer_args):
                        block_device, signer_path, key, signer_args,
                        verity_disable):
  cmd = ["system/extras/verity/build_verity_metadata.py", "build",
         str(image_size), verity_metadata_path, root_hash, salt, block_device,
         signer_path, key]
  if signer_args:
    cmd.append("--signer_args=\"%s\"" % (' '.join(signer_args),))
  if verity_disable:
    cmd.append("--verity_disable")
  output, exit_code = RunCommand(cmd)
  if exit_code != 0:
    print "Could not build verity metadata! Error: %s" % output
@@ -334,8 +337,10 @@ def MakeVerityEnabledImage(out_file, fec_supported, prop_dict):
  # build the metadata blocks
  root_hash = prop_dict["verity_root_hash"]
  salt = prop_dict["verity_salt"]
  verity_disable = "verity_disable" in prop_dict
  if not BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt,
                             block_dev, signer_path, signer_key, signer_args):
                             block_dev, signer_path, signer_key, signer_args,
                             verity_disable):
    shutil.rmtree(tempdir_name, ignore_errors=True)
    return False

@@ -644,6 +649,7 @@ def ImagePropFromGlobalDict(glob_dict, mount_point):
      "verity_key",
      "verity_signer_cmd",
      "verity_fec",
      "verity_disable",
      "avb_enable",
      "avb_avbtool",
      "avb_salt",