Loading core/Makefile +90 −48 Original line number Diff line number Diff line Loading @@ -516,28 +516,8 @@ INTERNAL_BOOTIMAGE_ARGS := \ $(addprefix --second ,$(INSTALLED_2NDBOOTLOADER_TARGET)) \ --kernel $(INSTALLED_KERNEL_TARGET) INTERNAL_BVBTOOL_MAKE_BOOT_IMAGE_ARGS := \ --kernel $(INSTALLED_KERNEL_TARGET) \ --rootfs_with_hashes $(PRODUCT_OUT)/system.img ifdef BOARD_BVB_ROLLBACK_INDEX INTERNAL_BVBTOOL_MAKE_BOOT_IMAGE_ARGS += \ --rollback_index $(BOARD_BVB_ROLLBACK_INDEX) endif ifndef BOARD_BVB_KEY_PATH # If key path isn't specified, use the 4096-bit test key. INTERNAL_BVBTOOL_SIGN_BOOT_IMAGE_ARGS := --algorithm SHA256_RSA4096 \ --key external/bvb/test/testkey_rsa4096.pem else INTERNAL_BVBTOOL_SIGN_BOOT_IMAGE_ARGS := \ --algorithm $(BOARD_BVB_ALGORITHM) --key $(BOARD_BVB_KEY_PATH) endif ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) INTERNAL_BOOTIMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET) INTERNAL_BVBTOOL_MAKE_BOOT_IMAGE_ARGS += --initrd $(INSTALLED_RAMDISK_TARGET) endif INTERNAL_BOOTIMAGE_FILES := $(filter-out --%,$(INTERNAL_BOOTIMAGE_ARGS)) Loading Loading @@ -577,28 +557,35 @@ ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) endif endif ifeq ($(BOARD_BVB_ENABLE),true) # We build recovery as boot image if BOARD_USES_RECOVERY_AS_BOOT is true. ifneq ($(BOARD_USES_RECOVERY_AS_BOOT),true) ifeq ($(TARGET_BOOTIMAGE_USE_EXT2),true) $(error TARGET_BOOTIMAGE_USE_EXT2 is not supported anymore) else ifeq (true,$(BOARD_AVB_ENABLE)) # TARGET_BOOTIMAGE_USE_EXT2 != true $(INSTALLED_BOOTIMAGE_TARGET): $(BVBTOOL) $(INTERNAL_BOOTIMAGE_FILES) $(PRODUCT_OUT)/system.img $(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(AVBTOOL) $(INTERNAL_BOOTIMAGE_FILES) $(call pretty,"Target boot image: $@") $(hide) $(BVBTOOL) make_boot_image $(INTERNAL_BVBTOOL_MAKE_BOOT_IMAGE_ARGS) $(BOARD_BVB_MAKE_BOOT_IMAGE_ARGS) --output $@ $(hide) $(BVBTOOL) sign_boot_image $(INTERNAL_BVBTOOL_SIGN_BOOT_IMAGE_ARGS) $(BOARD_BVB_SIGN_BOOT_IMAGE_ARGS) --image $@ $(hide) $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $@ $(hide) $(call assert-max-image-size,$@,$(BOARD_BOOTIMAGE_PARTITION_SIZE)) $(hide) $(AVBTOOL) add_hash_footer \ --image $@ \ --partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \ --partition_name boot $(INTERNAL_AVB_SIGNING_ARGS) \ $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS) .PHONY: bootimage-nodeps bootimage-nodeps: $(BVBTOOL) bootimage-nodeps: $(MKBOOTIMG) $(AVBTOOL) @echo "make $@: ignoring dependencies" $(hide) $(BVBTOOL) make_boot_image $(INTERNAL_BVBTOOL_MAKE_BOOT_IMAGE_ARGS) $(BOARD_BVB_MAKE_BOOT_IMAGE_ARGS) --output $(INSTALLED_BOOTIMAGE_TARGET) $(hide) $(BVBTOOL) sign_boot_image $(INTERNAL_BVBTOOL_SIGN_BOOT_IMAGE_ARGS) $(BOARD_BVB_SIGN_BOOT_IMAGE_ARGS) --image $(INSTALLED_BOOTIMAGE_TARGET) $(hide) $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(INSTALLED_BOOTIMAGE_TARGET) $(hide) $(call assert-max-image-size,$(INSTALLED_BOOTIMAGE_TARGET),$(BOARD_BOOTIMAGE_PARTITION_SIZE)) $(hide) $(AVBTOOL) add_hash_footer \ --image $@ \ --partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \ --partition_name boot $(INTERNAL_AVB_SIGNING_ARGS) \ $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS) else # BOARD_BVB_ENABLE # We build recovery as boot image if BOARD_USES_RECOVERY_AS_BOOT is true. ifneq ($(BOARD_USES_RECOVERY_AS_BOOT),true) ifeq ($(TARGET_BOOTIMAGE_USE_EXT2),true) $(error TARGET_BOOTIMAGE_USE_EXT2 is not supported anymore) else ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_BOOT_SIGNER)) # TARGET_BOOTIMAGE_USE_EXT2 != true else ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_BOOT_SIGNER)) # BOARD_AVB_ENABLE != true $(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_FILES) $(BOOT_SIGNER) $(call pretty,"Target boot image: $@") Loading Loading @@ -643,7 +630,6 @@ bootimage-nodeps: $(MKBOOTIMG) endif # TARGET_BOOTIMAGE_USE_EXT2 endif # BOARD_USES_RECOVERY_AS_BOOT endif # BOARD_BVB_ENABLE else # TARGET_NO_KERNEL # HACK: The top-level targets depend on the bootimage. Not all targets Loading Loading @@ -1194,13 +1180,15 @@ define build-systemimage-target fi; \ mkdir -p $(DIST_DIR); cp $(INSTALLED_FILES_FILE) $(DIST_DIR)/installed-files-rescued.txt; \ exit 1 ) $(if $(BOARD_BVB_ENABLE), $(hide) $(BVBTOOL) add_image_hashes $(BOARD_BVB_ADD_IMAGE_HASHES_ARGS) --image $(1)) $(if $(BOARD_AVB_ENABLE), \ $(hide) $(AVBTOOL) add_hashtree_footer \ --image $(1) \ --partition_size $(BOARD_SYSTEMIMAGE_PARTITION_SIZE) \ --partition_name system \ $(INTERNAL_AVB_SIGNING_ARGS) \ $(BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS)) endef ifeq ($(BOARD_BVB_ENABLE),true) FULL_SYSTEMIMAGE_DEPS += $(BVBTOOL) endif $(BUILT_SYSTEMIMAGE): $(FULL_SYSTEMIMAGE_DEPS) $(INSTALLED_FILES_FILE) $(BUILD_IMAGE_SRCS) $(call build-systemimage-target,$@) Loading Loading @@ -1515,6 +1503,60 @@ cacheimage-nodeps: | $(INTERNAL_USERIMAGES_DEPS) endif # BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE # ----------------------------------------------------------------- # vbmeta image ifeq ($(BOARD_AVB_ENABLE),true) BUILT_VBMETAIMAGE_TARGET := $(PRODUCT_OUT)/vbmeta.img INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS := \ --include_descriptors_from_image $(INSTALLED_BOOTIMAGE_TARGET) \ --include_descriptors_from_image $(INSTALLED_SYSTEMIMAGE) \ --generate_dm_verity_cmdline_from_hashtree $(INSTALLED_SYSTEMIMAGE) ifdef BOARD_AVB_ROLLBACK_INDEX INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += --rollback_index $(BOARD_AVB_ROLLBACK_INDEX) endif ifndef BOARD_AVB_KEY_PATH # If key path isn't specified, use the 4096-bit test key. INTERNAL_AVB_SIGNING_ARGS := \ --algorithm SHA256_RSA4096 \ --key external/avb/test/data/testkey_rsa4096.pem else INTERNAL_AVB_SIGNING_ARGS := \ --algorithm $(BOARD_AVB_ALGORITHM) --key $(BOARD_AVB_KEY_PATH) endif ifndef BOARD_BOOTIMAGE_PARTITION_SIZE $(error BOARD_BOOTIMAGE_PARTITION_SIZE must be set for BOARD_AVB_ENABLE) endif ifndef BOARD_SYSTEMIMAGE_PARTITION_SIZE $(error BOARD_SYSTEMIMAGE_PARTITION_SIZE must be set for BOARD_AVB_ENABLE) endif define build-vbmetaimage-target $(call pretty,"Target vbmeta image: $(INSTALLED_VBMETAIMAGE_TARGET)") $(hide) $(AVBTOOL) make_vbmeta_image \ $(INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS) \ $(INTERNAL_AVB_SIGNING_ARGS) \ $(BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS) \ --output $@ endef INSTALLED_VBMETAIMAGE_TARGET := $(BUILT_VBMETAIMAGE_TARGET) $(INSTALLED_VBMETAIMAGE_TARGET): $(AVBTOOL) $(INSTALLED_BOOTIMAGE_TARGET) $(INSTALLED_SYSTEMIMAGE) $(build-vbmetaimage-target) .PHONY: vbmetaimage-nodeps vbmetaimage-nodeps: $(build-vbmetaimage-target) # We need $(AVBTOOL) for system.img generation. FULL_SYSTEMIMAGE_DEPS += $(AVBTOOL) endif # BOARD_AVB_ENABLE # ----------------------------------------------------------------- # vendor partition image Loading Loading @@ -1898,14 +1940,14 @@ endif ifeq ($(BOARD_USES_FULL_RECOVERY_IMAGE),true) $(hide) echo "full_recovery_image=true" >> $(zip_root)/META/misc_info.txt endif ifeq ($(BOARD_BVB_ENABLE),true) $(hide) echo "board_bvb_enable=true" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_make_boot_image_args=$(BOARD_BVB_MAKE_BOOT_IMAGE_ARGS)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_sign_boot_image_args=$(BOARD_BVB_SIGN_BOOT_IMAGE_ARGS)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_algorithm=$(BOARD_BVB_ALGORITHM)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_key_path=$(BOARD_BVB_KEY_PATH)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_rollback_index=$(BOARD_BVB_ROLLBACK_INDEX)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_add_image_hashes_args=$(BOARD_BVB_ADD_IMAGE_HASHES_ARGS)" >> $(zip_root)/META/misc_info.txt ifeq ($(BOARD_AVB_ENABLE),true) $(hide) echo "board_avb_enable=true" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_rollback_index=$(BOARD_AVB_ROLLBACK_INDEX)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_key_path=$(BOARD_AVB_KEY_PATH)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_algorithm=$(BOARD_AVB_ALGORITHM)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_boot_add_hash_footer_args=$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_system_add_hashtree_footer_args=$(BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_make_vbmeta_image_args=$(BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS)" >> $(zip_root)/META/misc_info.txt endif ifdef BOARD_BPT_INPUT_FILES $(hide) echo "board_bpt_enable=true" >> $(zip_root)/META/misc_info.txt Loading core/config.mk +3 −3 Original line number Diff line number Diff line Loading @@ -538,10 +538,10 @@ BPTTOOL := $(HOST_OUT_EXECUTABLES)/bpttool$(HOST_EXECUTABLE_SUFFIX) else BPTTOOL := $(BOARD_CUSTOM_BPTTOOL) endif ifeq (,$(strip $(BOARD_CUSTOM_BVBTOOL))) BVBTOOL := $(HOST_OUT_EXECUTABLES)/bvbtool$(HOST_EXECUTABLE_SUFFIX) ifeq (,$(strip $(BOARD_CUSTOM_AVBTOOL))) AVBTOOL := $(HOST_OUT_EXECUTABLES)/avbtool$(HOST_EXECUTABLE_SUFFIX) else BVBTOOL := $(BOARD_CUSTOM_BVBTOOL) AVBTOOL := $(BOARD_CUSTOM_AVBTOOL) endif APICHECK := $(HOST_OUT_EXECUTABLES)/apicheck$(HOST_EXECUTABLE_SUFFIX) FS_GET_STATS := $(HOST_OUT_EXECUTABLES)/fs_get_stats$(HOST_EXECUTABLE_SUFFIX) Loading core/main.mk +5 −0 Original line number Diff line number Diff line Loading @@ -82,6 +82,7 @@ dont_bother_goals := clean clobber dataclean installclean \ ramdisk-nodeps \ bootimage-nodeps \ recoveryimage-nodeps \ vbmetaimage-nodeps \ product-graph dump-products ifneq ($(filter $(dont_bother_goals), $(MAKECMDGOALS)),) Loading Loading @@ -936,6 +937,9 @@ vendorimage: $(INSTALLED_VENDORIMAGE_TARGET) .PHONY: bootimage bootimage: $(INSTALLED_BOOTIMAGE_TARGET) .PHONY: vbmetaimage vbmetaimage: $(INSTALLED_VBMETAIMAGE_TARGET) .PHONY: auxiliary auxiliary: $(INSTALLED_AUX_TARGETS) Loading @@ -945,6 +949,7 @@ droidcore: files \ systemimage \ $(INSTALLED_BOOTIMAGE_TARGET) \ $(INSTALLED_RECOVERYIMAGE_TARGET) \ $(INSTALLED_VBMETAIMAGE_TARGET) \ $(INSTALLED_USERDATAIMAGE_TARGET) \ $(INSTALLED_CACHEIMAGE_TARGET) \ $(INSTALLED_BPTIMAGE_TARGET) \ Loading tools/releasetools/add_img_to_target_files.py +38 −35 Original line number Diff line number Diff line Loading @@ -96,18 +96,22 @@ def AddSystem(output_zip, prefix="IMAGES/", recovery_img=None, boot_img=None): imgname = BuildSystem(OPTIONS.input_tmp, OPTIONS.info_dict, block_list=block_list) # If requested, calculate and add dm-verity integrity hashes and # AVB: if enabled, calculate and add dm-verity integrity hashes and # metadata to system.img. if OPTIONS.info_dict.get("board_bvb_enable", None) == "true": bvbtool = os.getenv('BVBTOOL') or "bvbtool" cmd = [bvbtool, "add_image_hashes", "--image", imgname] args = OPTIONS.info_dict.get("board_bvb_add_image_hashes_args", None) if OPTIONS.info_dict.get("board_avb_enable", None) == "true": avbtool = os.getenv('AVBTOOL') or "avbtool" part_size = OPTIONS.info_dict.get("system_size", None) cmd = [avbtool, "add_hashtree_footer", "--image", imgname, "--partition_size", str(part_size), "--partition_name", "system"] common.AppendAVBSigningArgs(cmd) args = OPTIONS.info_dict.get("board_avb_system_add_hashtree_footer_args", None) if args and args.strip(): cmd.extend(shlex.split(args)) p = common.Run(cmd, stdout=subprocess.PIPE) p.communicate() assert p.returncode == 0, "bvbtool add_image_hashes of %s image failed" % ( os.path.basename(OPTIONS.input_tmp),) assert p.returncode == 0, "avbtool add_hashtree_footer of %s failed" % ( os.path.basename(OPTIONS.input_tmp)) common.ZipWrite(output_zip, imgname, prefix + "system.img") common.ZipWrite(output_zip, block_list, prefix + "system.map") Loading Loading @@ -251,6 +255,25 @@ def AddUserdata(output_zip, prefix="IMAGES/"): shutil.rmtree(temp_dir) def AddVBMeta(output_zip, boot_img_path, system_img_path, prefix="IMAGES/"): """Create a VBMeta image and store it in output_zip.""" _, img_file_name = tempfile.mkstemp() avbtool = os.getenv('AVBTOOL') or "avbtool" cmd = [avbtool, "make_vbmeta_image", "--output", img_file_name, "--include_descriptors_from_image", boot_img_path, "--include_descriptors_from_image", system_img_path, "--generate_dm_verity_cmdline_from_hashtree", system_img_path] common.AppendAVBSigningArgs(cmd) args = OPTIONS.info_dict.get("board_avb_make_vbmeta_image_args", None) if args and args.strip(): cmd.extend(shlex.split(args)) p = common.Run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) p.communicate() assert p.returncode == 0, "avbtool make_vbmeta_image failed" common.ZipWrite(output_zip, img_file_name, prefix + "vbmeta.img") def AddPartitionTable(output_zip, prefix="IMAGES/"): """Create a partition table image and store it in output_zip.""" Loading Loading @@ -346,15 +369,6 @@ def AddImagesToTargetFiles(filename): has_recovery = (OPTIONS.info_dict.get("no_recovery") != "true") system_root_image = (OPTIONS.info_dict.get("system_root_image", None) == "true") board_bvb_enable = (OPTIONS.info_dict.get("board_bvb_enable", None) == "true") # Brillo Verified Boot is incompatible with certain # configurations. Explicitly check for these. if board_bvb_enable: assert not has_recovery, "has_recovery incompatible with bvb" assert not system_root_image, "system_root_image incompatible with bvb" assert not OPTIONS.rebuild_recovery, "rebuild_recovery incompatible with bvb" assert not has_vendor, "VENDOR images currently incompatible with bvb" def banner(s): print "\n\n++++ " + s + " ++++\n\n" Loading @@ -367,12 +381,6 @@ def AddImagesToTargetFiles(filename): if OPTIONS.rebuild_recovery: boot_image = common.GetBootableImage( "IMAGES/boot.img", "boot.img", OPTIONS.input_tmp, "BOOT") else: if board_bvb_enable: # With Brillo Verified Boot, we need to build system.img before # boot.img since the latter includes the dm-verity root hash and # salt for the former. pass else: banner("boot") boot_image = common.GetBootableImage( Loading @@ -399,15 +407,6 @@ def AddImagesToTargetFiles(filename): banner("system") system_img_path = AddSystem( output_zip, recovery_img=recovery_image, boot_img=boot_image) if OPTIONS.info_dict.get("board_bvb_enable", None) == "true": # If we're using Brillo Verified Boot, we can now build boot.img # given that we have system.img. banner("boot") boot_image = common.GetBootableImage( "IMAGES/boot.img", "boot.img", OPTIONS.input_tmp, "BOOT", system_img_path=system_img_path) if boot_image: boot_image.AddToZip(output_zip) if has_vendor: banner("vendor") AddVendor(output_zip) Loading @@ -419,6 +418,10 @@ def AddImagesToTargetFiles(filename): if OPTIONS.info_dict.get("board_bpt_enable", None) == "true": banner("partition-table") AddPartitionTable(output_zip) if OPTIONS.info_dict.get("board_avb_enable", None) == "true": banner("vbmeta") boot_contents = boot_image.WriteToTemp() AddVBMeta(output_zip, boot_contents.name, system_img_path) # For devices using A/B update, copy over images from RADIO/ and/or # VENDOR_IMAGES/ to IMAGES/ and make sure we have all the needed Loading tools/releasetools/common.py +27 −113 Original line number Diff line number Diff line Loading @@ -384,6 +384,16 @@ def DumpInfoDict(d): print "%-25s = (%s) %s" % (k, type(v).__name__, v) def AppendAVBSigningArgs(cmd): """Append signing arguments for avbtool.""" keypath = OPTIONS.info_dict.get("board_avb_key_path", None) algorithm = OPTIONS.info_dict.get("board_avb_algorithm", None) if not keypath or not algorithm: algorithm = "SHA256_RSA4096" keypath = "external/avb/test/data/testkey_rsa4096.pem" cmd.extend(["--key", keypath, "--algorithm", algorithm]) def _BuildBootableImage(sourcedir, fs_config_file, info_dict=None, has_ramdisk=False): """Build a bootable image from the specified sourcedir. Loading Loading @@ -503,111 +513,20 @@ def _BuildBootableImage(sourcedir, fs_config_file, info_dict=None, img_unsigned.close() img_keyblock.close() img.seek(os.SEEK_SET, 0) data = img.read() if has_ramdisk: ramdisk_img.close() img.close() return data def _BuildBvbBootableImage(sourcedir, fs_config_file, system_img_path, info_dict=None, has_ramdisk=False): """Build a bootable image compatible with Brillo Verified Boot from the specified sourcedir. Take a kernel, cmdline, system image path, and optionally a ramdisk directory from the input (in 'sourcedir'), and turn them into a boot image. Return the image data, or None if sourcedir does not appear to contains files for building the requested image. """ def make_ramdisk(): ramdisk_img = tempfile.NamedTemporaryFile() if os.access(fs_config_file, os.F_OK): cmd = ["mkbootfs", "-f", fs_config_file, os.path.join(sourcedir, "RAMDISK")] else: cmd = ["mkbootfs", os.path.join(sourcedir, "RAMDISK")] p1 = Run(cmd, stdout=subprocess.PIPE) p2 = Run(["minigzip"], stdin=p1.stdout, stdout=ramdisk_img.file.fileno()) p2.wait() p1.wait() assert p1.returncode == 0, "mkbootfs of %s ramdisk failed" % (sourcedir,) assert p2.returncode == 0, "minigzip of %s ramdisk failed" % (sourcedir,) return ramdisk_img if not os.access(os.path.join(sourcedir, "kernel"), os.F_OK): return None if has_ramdisk and not os.access(os.path.join(sourcedir, "RAMDISK"), os.F_OK): return None if info_dict is None: info_dict = OPTIONS.info_dict img = tempfile.NamedTemporaryFile() if has_ramdisk: ramdisk_img = make_ramdisk() # use BVBTOOL from environ, or "bvbtool" if empty or not set bvbtool = os.getenv('BVBTOOL') or "bvbtool" # First, create boot.img. cmd = [bvbtool, "make_boot_image"] fn = os.path.join(sourcedir, "cmdline") if os.access(fn, os.F_OK): cmd.append("--kernel_cmdline") cmd.append(open(fn).read().rstrip("\n")) cmd.extend(["--kernel", os.path.join(sourcedir, "kernel")]) if has_ramdisk: cmd.extend(["--initrd", ramdisk_img.name]) cmd.extend(["--rootfs_with_hashes", system_img_path]) args = info_dict.get("board_bvb_make_boot_image_args", None) if args and args.strip(): cmd.extend(shlex.split(args)) rollback_index = info_dict.get("board_bvb_rollback_index", None) if rollback_index and rollback_index.strip(): cmd.extend(["--rollback_index", rollback_index.strip()]) cmd.extend(["--output", img.name]) p = Run(cmd, stdout=subprocess.PIPE) p.communicate() assert p.returncode == 0, "bvbtool make_boot_image of %s image failed" % ( os.path.basename(sourcedir),) # Then, sign boot.img. cmd = [bvbtool, "sign_boot_image", "--image", img.name] algorithm = info_dict.get("board_bvb_algorithm", None) key_path = info_dict.get("board_bvb_key_path", None) if algorithm and algorithm.strip() and key_path and key_path.strip(): cmd.extend(["--algorithm", algorithm, "--key", key_path]) else: cmd.extend(["--algorithm", "SHA256_RSA4096"]) cmd.extend(["--key", "external/bvb/test/testkey_rsa4096.pem"]) args = info_dict.get("board_bvb_sign_boot_image_args", None) # AVB: if enabled, calculate and add hash to boot.img. if OPTIONS.info_dict.get("board_avb_enable", None) == "true": avbtool = os.getenv('AVBTOOL') or "avbtool" part_size = OPTIONS.info_dict.get("boot_size", None) cmd = [avbtool, "add_hash_footer", "--image", img.name, "--partition_size", str(part_size), "--partition_name", "boot"] AppendAVBSigningArgs(cmd) args = OPTIONS.info_dict.get("board_avb_boot_add_hash_footer_args", None) if args and args.strip(): cmd.extend(shlex.split(args)) p = Run(cmd, stdout=subprocess.PIPE) p.communicate() assert p.returncode == 0, "bvbtool sign_boot_image of %s image failed" % ( os.path.basename(sourcedir),) assert p.returncode == 0, "avbtool add_hash_footer of %s failed" % ( os.path.basename(OPTIONS.input_tmp)) img.seek(os.SEEK_SET, 0) data = img.read() Loading Loading @@ -650,11 +569,6 @@ def GetBootableImage(name, prebuilt_name, unpack_dir, tree_subdir, info_dict.get("recovery_as_boot") == "true") fs_config = "META/" + tree_subdir.lower() + "_filesystem_config.txt" if info_dict.get("board_bvb_enable", None) == "true": data = _BuildBvbBootableImage(os.path.join(unpack_dir, tree_subdir), os.path.join(unpack_dir, fs_config), system_img_path, info_dict, has_ramdisk) else: data = _BuildBootableImage(os.path.join(unpack_dir, tree_subdir), os.path.join(unpack_dir, fs_config), info_dict, has_ramdisk) Loading Loading
core/Makefile +90 −48 Original line number Diff line number Diff line Loading @@ -516,28 +516,8 @@ INTERNAL_BOOTIMAGE_ARGS := \ $(addprefix --second ,$(INSTALLED_2NDBOOTLOADER_TARGET)) \ --kernel $(INSTALLED_KERNEL_TARGET) INTERNAL_BVBTOOL_MAKE_BOOT_IMAGE_ARGS := \ --kernel $(INSTALLED_KERNEL_TARGET) \ --rootfs_with_hashes $(PRODUCT_OUT)/system.img ifdef BOARD_BVB_ROLLBACK_INDEX INTERNAL_BVBTOOL_MAKE_BOOT_IMAGE_ARGS += \ --rollback_index $(BOARD_BVB_ROLLBACK_INDEX) endif ifndef BOARD_BVB_KEY_PATH # If key path isn't specified, use the 4096-bit test key. INTERNAL_BVBTOOL_SIGN_BOOT_IMAGE_ARGS := --algorithm SHA256_RSA4096 \ --key external/bvb/test/testkey_rsa4096.pem else INTERNAL_BVBTOOL_SIGN_BOOT_IMAGE_ARGS := \ --algorithm $(BOARD_BVB_ALGORITHM) --key $(BOARD_BVB_KEY_PATH) endif ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) INTERNAL_BOOTIMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET) INTERNAL_BVBTOOL_MAKE_BOOT_IMAGE_ARGS += --initrd $(INSTALLED_RAMDISK_TARGET) endif INTERNAL_BOOTIMAGE_FILES := $(filter-out --%,$(INTERNAL_BOOTIMAGE_ARGS)) Loading Loading @@ -577,28 +557,35 @@ ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) endif endif ifeq ($(BOARD_BVB_ENABLE),true) # We build recovery as boot image if BOARD_USES_RECOVERY_AS_BOOT is true. ifneq ($(BOARD_USES_RECOVERY_AS_BOOT),true) ifeq ($(TARGET_BOOTIMAGE_USE_EXT2),true) $(error TARGET_BOOTIMAGE_USE_EXT2 is not supported anymore) else ifeq (true,$(BOARD_AVB_ENABLE)) # TARGET_BOOTIMAGE_USE_EXT2 != true $(INSTALLED_BOOTIMAGE_TARGET): $(BVBTOOL) $(INTERNAL_BOOTIMAGE_FILES) $(PRODUCT_OUT)/system.img $(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(AVBTOOL) $(INTERNAL_BOOTIMAGE_FILES) $(call pretty,"Target boot image: $@") $(hide) $(BVBTOOL) make_boot_image $(INTERNAL_BVBTOOL_MAKE_BOOT_IMAGE_ARGS) $(BOARD_BVB_MAKE_BOOT_IMAGE_ARGS) --output $@ $(hide) $(BVBTOOL) sign_boot_image $(INTERNAL_BVBTOOL_SIGN_BOOT_IMAGE_ARGS) $(BOARD_BVB_SIGN_BOOT_IMAGE_ARGS) --image $@ $(hide) $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $@ $(hide) $(call assert-max-image-size,$@,$(BOARD_BOOTIMAGE_PARTITION_SIZE)) $(hide) $(AVBTOOL) add_hash_footer \ --image $@ \ --partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \ --partition_name boot $(INTERNAL_AVB_SIGNING_ARGS) \ $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS) .PHONY: bootimage-nodeps bootimage-nodeps: $(BVBTOOL) bootimage-nodeps: $(MKBOOTIMG) $(AVBTOOL) @echo "make $@: ignoring dependencies" $(hide) $(BVBTOOL) make_boot_image $(INTERNAL_BVBTOOL_MAKE_BOOT_IMAGE_ARGS) $(BOARD_BVB_MAKE_BOOT_IMAGE_ARGS) --output $(INSTALLED_BOOTIMAGE_TARGET) $(hide) $(BVBTOOL) sign_boot_image $(INTERNAL_BVBTOOL_SIGN_BOOT_IMAGE_ARGS) $(BOARD_BVB_SIGN_BOOT_IMAGE_ARGS) --image $(INSTALLED_BOOTIMAGE_TARGET) $(hide) $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(INSTALLED_BOOTIMAGE_TARGET) $(hide) $(call assert-max-image-size,$(INSTALLED_BOOTIMAGE_TARGET),$(BOARD_BOOTIMAGE_PARTITION_SIZE)) $(hide) $(AVBTOOL) add_hash_footer \ --image $@ \ --partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \ --partition_name boot $(INTERNAL_AVB_SIGNING_ARGS) \ $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS) else # BOARD_BVB_ENABLE # We build recovery as boot image if BOARD_USES_RECOVERY_AS_BOOT is true. ifneq ($(BOARD_USES_RECOVERY_AS_BOOT),true) ifeq ($(TARGET_BOOTIMAGE_USE_EXT2),true) $(error TARGET_BOOTIMAGE_USE_EXT2 is not supported anymore) else ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_BOOT_SIGNER)) # TARGET_BOOTIMAGE_USE_EXT2 != true else ifeq (true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_BOOT_SIGNER)) # BOARD_AVB_ENABLE != true $(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(INTERNAL_BOOTIMAGE_FILES) $(BOOT_SIGNER) $(call pretty,"Target boot image: $@") Loading Loading @@ -643,7 +630,6 @@ bootimage-nodeps: $(MKBOOTIMG) endif # TARGET_BOOTIMAGE_USE_EXT2 endif # BOARD_USES_RECOVERY_AS_BOOT endif # BOARD_BVB_ENABLE else # TARGET_NO_KERNEL # HACK: The top-level targets depend on the bootimage. Not all targets Loading Loading @@ -1194,13 +1180,15 @@ define build-systemimage-target fi; \ mkdir -p $(DIST_DIR); cp $(INSTALLED_FILES_FILE) $(DIST_DIR)/installed-files-rescued.txt; \ exit 1 ) $(if $(BOARD_BVB_ENABLE), $(hide) $(BVBTOOL) add_image_hashes $(BOARD_BVB_ADD_IMAGE_HASHES_ARGS) --image $(1)) $(if $(BOARD_AVB_ENABLE), \ $(hide) $(AVBTOOL) add_hashtree_footer \ --image $(1) \ --partition_size $(BOARD_SYSTEMIMAGE_PARTITION_SIZE) \ --partition_name system \ $(INTERNAL_AVB_SIGNING_ARGS) \ $(BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS)) endef ifeq ($(BOARD_BVB_ENABLE),true) FULL_SYSTEMIMAGE_DEPS += $(BVBTOOL) endif $(BUILT_SYSTEMIMAGE): $(FULL_SYSTEMIMAGE_DEPS) $(INSTALLED_FILES_FILE) $(BUILD_IMAGE_SRCS) $(call build-systemimage-target,$@) Loading Loading @@ -1515,6 +1503,60 @@ cacheimage-nodeps: | $(INTERNAL_USERIMAGES_DEPS) endif # BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE # ----------------------------------------------------------------- # vbmeta image ifeq ($(BOARD_AVB_ENABLE),true) BUILT_VBMETAIMAGE_TARGET := $(PRODUCT_OUT)/vbmeta.img INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS := \ --include_descriptors_from_image $(INSTALLED_BOOTIMAGE_TARGET) \ --include_descriptors_from_image $(INSTALLED_SYSTEMIMAGE) \ --generate_dm_verity_cmdline_from_hashtree $(INSTALLED_SYSTEMIMAGE) ifdef BOARD_AVB_ROLLBACK_INDEX INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += --rollback_index $(BOARD_AVB_ROLLBACK_INDEX) endif ifndef BOARD_AVB_KEY_PATH # If key path isn't specified, use the 4096-bit test key. INTERNAL_AVB_SIGNING_ARGS := \ --algorithm SHA256_RSA4096 \ --key external/avb/test/data/testkey_rsa4096.pem else INTERNAL_AVB_SIGNING_ARGS := \ --algorithm $(BOARD_AVB_ALGORITHM) --key $(BOARD_AVB_KEY_PATH) endif ifndef BOARD_BOOTIMAGE_PARTITION_SIZE $(error BOARD_BOOTIMAGE_PARTITION_SIZE must be set for BOARD_AVB_ENABLE) endif ifndef BOARD_SYSTEMIMAGE_PARTITION_SIZE $(error BOARD_SYSTEMIMAGE_PARTITION_SIZE must be set for BOARD_AVB_ENABLE) endif define build-vbmetaimage-target $(call pretty,"Target vbmeta image: $(INSTALLED_VBMETAIMAGE_TARGET)") $(hide) $(AVBTOOL) make_vbmeta_image \ $(INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS) \ $(INTERNAL_AVB_SIGNING_ARGS) \ $(BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS) \ --output $@ endef INSTALLED_VBMETAIMAGE_TARGET := $(BUILT_VBMETAIMAGE_TARGET) $(INSTALLED_VBMETAIMAGE_TARGET): $(AVBTOOL) $(INSTALLED_BOOTIMAGE_TARGET) $(INSTALLED_SYSTEMIMAGE) $(build-vbmetaimage-target) .PHONY: vbmetaimage-nodeps vbmetaimage-nodeps: $(build-vbmetaimage-target) # We need $(AVBTOOL) for system.img generation. FULL_SYSTEMIMAGE_DEPS += $(AVBTOOL) endif # BOARD_AVB_ENABLE # ----------------------------------------------------------------- # vendor partition image Loading Loading @@ -1898,14 +1940,14 @@ endif ifeq ($(BOARD_USES_FULL_RECOVERY_IMAGE),true) $(hide) echo "full_recovery_image=true" >> $(zip_root)/META/misc_info.txt endif ifeq ($(BOARD_BVB_ENABLE),true) $(hide) echo "board_bvb_enable=true" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_make_boot_image_args=$(BOARD_BVB_MAKE_BOOT_IMAGE_ARGS)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_sign_boot_image_args=$(BOARD_BVB_SIGN_BOOT_IMAGE_ARGS)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_algorithm=$(BOARD_BVB_ALGORITHM)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_key_path=$(BOARD_BVB_KEY_PATH)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_rollback_index=$(BOARD_BVB_ROLLBACK_INDEX)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_bvb_add_image_hashes_args=$(BOARD_BVB_ADD_IMAGE_HASHES_ARGS)" >> $(zip_root)/META/misc_info.txt ifeq ($(BOARD_AVB_ENABLE),true) $(hide) echo "board_avb_enable=true" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_rollback_index=$(BOARD_AVB_ROLLBACK_INDEX)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_key_path=$(BOARD_AVB_KEY_PATH)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_algorithm=$(BOARD_AVB_ALGORITHM)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_boot_add_hash_footer_args=$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_system_add_hashtree_footer_args=$(BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS)" >> $(zip_root)/META/misc_info.txt $(hide) echo "board_avb_make_vbmeta_image_args=$(BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS)" >> $(zip_root)/META/misc_info.txt endif ifdef BOARD_BPT_INPUT_FILES $(hide) echo "board_bpt_enable=true" >> $(zip_root)/META/misc_info.txt Loading
core/config.mk +3 −3 Original line number Diff line number Diff line Loading @@ -538,10 +538,10 @@ BPTTOOL := $(HOST_OUT_EXECUTABLES)/bpttool$(HOST_EXECUTABLE_SUFFIX) else BPTTOOL := $(BOARD_CUSTOM_BPTTOOL) endif ifeq (,$(strip $(BOARD_CUSTOM_BVBTOOL))) BVBTOOL := $(HOST_OUT_EXECUTABLES)/bvbtool$(HOST_EXECUTABLE_SUFFIX) ifeq (,$(strip $(BOARD_CUSTOM_AVBTOOL))) AVBTOOL := $(HOST_OUT_EXECUTABLES)/avbtool$(HOST_EXECUTABLE_SUFFIX) else BVBTOOL := $(BOARD_CUSTOM_BVBTOOL) AVBTOOL := $(BOARD_CUSTOM_AVBTOOL) endif APICHECK := $(HOST_OUT_EXECUTABLES)/apicheck$(HOST_EXECUTABLE_SUFFIX) FS_GET_STATS := $(HOST_OUT_EXECUTABLES)/fs_get_stats$(HOST_EXECUTABLE_SUFFIX) Loading
core/main.mk +5 −0 Original line number Diff line number Diff line Loading @@ -82,6 +82,7 @@ dont_bother_goals := clean clobber dataclean installclean \ ramdisk-nodeps \ bootimage-nodeps \ recoveryimage-nodeps \ vbmetaimage-nodeps \ product-graph dump-products ifneq ($(filter $(dont_bother_goals), $(MAKECMDGOALS)),) Loading Loading @@ -936,6 +937,9 @@ vendorimage: $(INSTALLED_VENDORIMAGE_TARGET) .PHONY: bootimage bootimage: $(INSTALLED_BOOTIMAGE_TARGET) .PHONY: vbmetaimage vbmetaimage: $(INSTALLED_VBMETAIMAGE_TARGET) .PHONY: auxiliary auxiliary: $(INSTALLED_AUX_TARGETS) Loading @@ -945,6 +949,7 @@ droidcore: files \ systemimage \ $(INSTALLED_BOOTIMAGE_TARGET) \ $(INSTALLED_RECOVERYIMAGE_TARGET) \ $(INSTALLED_VBMETAIMAGE_TARGET) \ $(INSTALLED_USERDATAIMAGE_TARGET) \ $(INSTALLED_CACHEIMAGE_TARGET) \ $(INSTALLED_BPTIMAGE_TARGET) \ Loading
tools/releasetools/add_img_to_target_files.py +38 −35 Original line number Diff line number Diff line Loading @@ -96,18 +96,22 @@ def AddSystem(output_zip, prefix="IMAGES/", recovery_img=None, boot_img=None): imgname = BuildSystem(OPTIONS.input_tmp, OPTIONS.info_dict, block_list=block_list) # If requested, calculate and add dm-verity integrity hashes and # AVB: if enabled, calculate and add dm-verity integrity hashes and # metadata to system.img. if OPTIONS.info_dict.get("board_bvb_enable", None) == "true": bvbtool = os.getenv('BVBTOOL') or "bvbtool" cmd = [bvbtool, "add_image_hashes", "--image", imgname] args = OPTIONS.info_dict.get("board_bvb_add_image_hashes_args", None) if OPTIONS.info_dict.get("board_avb_enable", None) == "true": avbtool = os.getenv('AVBTOOL') or "avbtool" part_size = OPTIONS.info_dict.get("system_size", None) cmd = [avbtool, "add_hashtree_footer", "--image", imgname, "--partition_size", str(part_size), "--partition_name", "system"] common.AppendAVBSigningArgs(cmd) args = OPTIONS.info_dict.get("board_avb_system_add_hashtree_footer_args", None) if args and args.strip(): cmd.extend(shlex.split(args)) p = common.Run(cmd, stdout=subprocess.PIPE) p.communicate() assert p.returncode == 0, "bvbtool add_image_hashes of %s image failed" % ( os.path.basename(OPTIONS.input_tmp),) assert p.returncode == 0, "avbtool add_hashtree_footer of %s failed" % ( os.path.basename(OPTIONS.input_tmp)) common.ZipWrite(output_zip, imgname, prefix + "system.img") common.ZipWrite(output_zip, block_list, prefix + "system.map") Loading Loading @@ -251,6 +255,25 @@ def AddUserdata(output_zip, prefix="IMAGES/"): shutil.rmtree(temp_dir) def AddVBMeta(output_zip, boot_img_path, system_img_path, prefix="IMAGES/"): """Create a VBMeta image and store it in output_zip.""" _, img_file_name = tempfile.mkstemp() avbtool = os.getenv('AVBTOOL') or "avbtool" cmd = [avbtool, "make_vbmeta_image", "--output", img_file_name, "--include_descriptors_from_image", boot_img_path, "--include_descriptors_from_image", system_img_path, "--generate_dm_verity_cmdline_from_hashtree", system_img_path] common.AppendAVBSigningArgs(cmd) args = OPTIONS.info_dict.get("board_avb_make_vbmeta_image_args", None) if args and args.strip(): cmd.extend(shlex.split(args)) p = common.Run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) p.communicate() assert p.returncode == 0, "avbtool make_vbmeta_image failed" common.ZipWrite(output_zip, img_file_name, prefix + "vbmeta.img") def AddPartitionTable(output_zip, prefix="IMAGES/"): """Create a partition table image and store it in output_zip.""" Loading Loading @@ -346,15 +369,6 @@ def AddImagesToTargetFiles(filename): has_recovery = (OPTIONS.info_dict.get("no_recovery") != "true") system_root_image = (OPTIONS.info_dict.get("system_root_image", None) == "true") board_bvb_enable = (OPTIONS.info_dict.get("board_bvb_enable", None) == "true") # Brillo Verified Boot is incompatible with certain # configurations. Explicitly check for these. if board_bvb_enable: assert not has_recovery, "has_recovery incompatible with bvb" assert not system_root_image, "system_root_image incompatible with bvb" assert not OPTIONS.rebuild_recovery, "rebuild_recovery incompatible with bvb" assert not has_vendor, "VENDOR images currently incompatible with bvb" def banner(s): print "\n\n++++ " + s + " ++++\n\n" Loading @@ -367,12 +381,6 @@ def AddImagesToTargetFiles(filename): if OPTIONS.rebuild_recovery: boot_image = common.GetBootableImage( "IMAGES/boot.img", "boot.img", OPTIONS.input_tmp, "BOOT") else: if board_bvb_enable: # With Brillo Verified Boot, we need to build system.img before # boot.img since the latter includes the dm-verity root hash and # salt for the former. pass else: banner("boot") boot_image = common.GetBootableImage( Loading @@ -399,15 +407,6 @@ def AddImagesToTargetFiles(filename): banner("system") system_img_path = AddSystem( output_zip, recovery_img=recovery_image, boot_img=boot_image) if OPTIONS.info_dict.get("board_bvb_enable", None) == "true": # If we're using Brillo Verified Boot, we can now build boot.img # given that we have system.img. banner("boot") boot_image = common.GetBootableImage( "IMAGES/boot.img", "boot.img", OPTIONS.input_tmp, "BOOT", system_img_path=system_img_path) if boot_image: boot_image.AddToZip(output_zip) if has_vendor: banner("vendor") AddVendor(output_zip) Loading @@ -419,6 +418,10 @@ def AddImagesToTargetFiles(filename): if OPTIONS.info_dict.get("board_bpt_enable", None) == "true": banner("partition-table") AddPartitionTable(output_zip) if OPTIONS.info_dict.get("board_avb_enable", None) == "true": banner("vbmeta") boot_contents = boot_image.WriteToTemp() AddVBMeta(output_zip, boot_contents.name, system_img_path) # For devices using A/B update, copy over images from RADIO/ and/or # VENDOR_IMAGES/ to IMAGES/ and make sure we have all the needed Loading
tools/releasetools/common.py +27 −113 Original line number Diff line number Diff line Loading @@ -384,6 +384,16 @@ def DumpInfoDict(d): print "%-25s = (%s) %s" % (k, type(v).__name__, v) def AppendAVBSigningArgs(cmd): """Append signing arguments for avbtool.""" keypath = OPTIONS.info_dict.get("board_avb_key_path", None) algorithm = OPTIONS.info_dict.get("board_avb_algorithm", None) if not keypath or not algorithm: algorithm = "SHA256_RSA4096" keypath = "external/avb/test/data/testkey_rsa4096.pem" cmd.extend(["--key", keypath, "--algorithm", algorithm]) def _BuildBootableImage(sourcedir, fs_config_file, info_dict=None, has_ramdisk=False): """Build a bootable image from the specified sourcedir. Loading Loading @@ -503,111 +513,20 @@ def _BuildBootableImage(sourcedir, fs_config_file, info_dict=None, img_unsigned.close() img_keyblock.close() img.seek(os.SEEK_SET, 0) data = img.read() if has_ramdisk: ramdisk_img.close() img.close() return data def _BuildBvbBootableImage(sourcedir, fs_config_file, system_img_path, info_dict=None, has_ramdisk=False): """Build a bootable image compatible with Brillo Verified Boot from the specified sourcedir. Take a kernel, cmdline, system image path, and optionally a ramdisk directory from the input (in 'sourcedir'), and turn them into a boot image. Return the image data, or None if sourcedir does not appear to contains files for building the requested image. """ def make_ramdisk(): ramdisk_img = tempfile.NamedTemporaryFile() if os.access(fs_config_file, os.F_OK): cmd = ["mkbootfs", "-f", fs_config_file, os.path.join(sourcedir, "RAMDISK")] else: cmd = ["mkbootfs", os.path.join(sourcedir, "RAMDISK")] p1 = Run(cmd, stdout=subprocess.PIPE) p2 = Run(["minigzip"], stdin=p1.stdout, stdout=ramdisk_img.file.fileno()) p2.wait() p1.wait() assert p1.returncode == 0, "mkbootfs of %s ramdisk failed" % (sourcedir,) assert p2.returncode == 0, "minigzip of %s ramdisk failed" % (sourcedir,) return ramdisk_img if not os.access(os.path.join(sourcedir, "kernel"), os.F_OK): return None if has_ramdisk and not os.access(os.path.join(sourcedir, "RAMDISK"), os.F_OK): return None if info_dict is None: info_dict = OPTIONS.info_dict img = tempfile.NamedTemporaryFile() if has_ramdisk: ramdisk_img = make_ramdisk() # use BVBTOOL from environ, or "bvbtool" if empty or not set bvbtool = os.getenv('BVBTOOL') or "bvbtool" # First, create boot.img. cmd = [bvbtool, "make_boot_image"] fn = os.path.join(sourcedir, "cmdline") if os.access(fn, os.F_OK): cmd.append("--kernel_cmdline") cmd.append(open(fn).read().rstrip("\n")) cmd.extend(["--kernel", os.path.join(sourcedir, "kernel")]) if has_ramdisk: cmd.extend(["--initrd", ramdisk_img.name]) cmd.extend(["--rootfs_with_hashes", system_img_path]) args = info_dict.get("board_bvb_make_boot_image_args", None) if args and args.strip(): cmd.extend(shlex.split(args)) rollback_index = info_dict.get("board_bvb_rollback_index", None) if rollback_index and rollback_index.strip(): cmd.extend(["--rollback_index", rollback_index.strip()]) cmd.extend(["--output", img.name]) p = Run(cmd, stdout=subprocess.PIPE) p.communicate() assert p.returncode == 0, "bvbtool make_boot_image of %s image failed" % ( os.path.basename(sourcedir),) # Then, sign boot.img. cmd = [bvbtool, "sign_boot_image", "--image", img.name] algorithm = info_dict.get("board_bvb_algorithm", None) key_path = info_dict.get("board_bvb_key_path", None) if algorithm and algorithm.strip() and key_path and key_path.strip(): cmd.extend(["--algorithm", algorithm, "--key", key_path]) else: cmd.extend(["--algorithm", "SHA256_RSA4096"]) cmd.extend(["--key", "external/bvb/test/testkey_rsa4096.pem"]) args = info_dict.get("board_bvb_sign_boot_image_args", None) # AVB: if enabled, calculate and add hash to boot.img. if OPTIONS.info_dict.get("board_avb_enable", None) == "true": avbtool = os.getenv('AVBTOOL') or "avbtool" part_size = OPTIONS.info_dict.get("boot_size", None) cmd = [avbtool, "add_hash_footer", "--image", img.name, "--partition_size", str(part_size), "--partition_name", "boot"] AppendAVBSigningArgs(cmd) args = OPTIONS.info_dict.get("board_avb_boot_add_hash_footer_args", None) if args and args.strip(): cmd.extend(shlex.split(args)) p = Run(cmd, stdout=subprocess.PIPE) p.communicate() assert p.returncode == 0, "bvbtool sign_boot_image of %s image failed" % ( os.path.basename(sourcedir),) assert p.returncode == 0, "avbtool add_hash_footer of %s failed" % ( os.path.basename(OPTIONS.input_tmp)) img.seek(os.SEEK_SET, 0) data = img.read() Loading Loading @@ -650,11 +569,6 @@ def GetBootableImage(name, prebuilt_name, unpack_dir, tree_subdir, info_dict.get("recovery_as_boot") == "true") fs_config = "META/" + tree_subdir.lower() + "_filesystem_config.txt" if info_dict.get("board_bvb_enable", None) == "true": data = _BuildBvbBootableImage(os.path.join(unpack_dir, tree_subdir), os.path.join(unpack_dir, fs_config), system_img_path, info_dict, has_ramdisk) else: data = _BuildBootableImage(os.path.join(unpack_dir, tree_subdir), os.path.join(unpack_dir, fs_config), info_dict, has_ramdisk) Loading
