Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9d164b63 authored by Yi-yo Chiang's avatar Yi-yo Chiang Committed by Gerrit Code Review
Browse files

Merge changes from topic "gki-avb-vts" 

* changes:
  releasetools: Update T GKI certification scheme
  Update T GKI certification scheme
parents 171c1e16 24da1a43

core/Makefile

+8 −29
Original line number Diff line number Diff line
@@ -906,11 +906,9 @@ INTERNAL_BOOTIMAGE_ARGS := \ 


INTERNAL_INIT_BOOT_IMAGE_ARGS :=



INTERNAL_BOOT_HAS_RAMDISK :=

ifneq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true)

  ifneq ($(BUILDING_INIT_BOOT_IMAGE),true)

    INTERNAL_BOOTIMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET)

    INTERNAL_BOOT_HAS_RAMDISK := true

  else

    INTERNAL_INIT_BOOT_IMAGE_ARGS += --ramdisk $(INSTALLED_RAMDISK_TARGET)

  endif
@@ -973,7 +971,6 @@ endef 


INTERNAL_GKI_CERTIFICATE_ARGS :=

INTERNAL_GKI_CERTIFICATE_DEPS :=

INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE :=

ifdef BOARD_GKI_SIGNING_KEY_PATH

  ifndef BOARD_GKI_SIGNING_ALGORITHM

    $(error BOARD_GKI_SIGNING_ALGORITHM should be defined with BOARD_GKI_SIGNING_KEY_PATH)
@@ -994,13 +991,6 @@ ifdef BOARD_GKI_SIGNING_KEY_PATH 
    $(BOARD_GKI_SIGNING_KEY_PATH) \

    $(AVBTOOL)



  ifdef INSTALLED_RAMDISK_TARGET

    INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE := \

      $(call intermediates-dir-for,PACKAGING,generic_ramdisk)/boot_signature



    $(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE): $(INSTALLED_RAMDISK_TARGET) $(INTERNAL_GKI_CERTIFICATE_DEPS)

	$(call generate_generic_boot_image_certificate,$(INSTALLED_RAMDISK_TARGET),$@,generic_ramdisk,$(BOARD_AVB_INIT_BOOT_ADD_HASH_FOOTER_ARGS))

  endif

endif



# Define these only if we are building boot
@@ -1018,14 +1008,16 @@ ifeq (true,$(BOARD_AVB_ENABLE)) 
# $1: boot image target

define build_boot_board_avb_enabled

  $(eval kernel := $(call bootimage-to-kernel,$(1)))

  $(MKBOOTIMG) --kernel $(kernel) $(INTERNAL_BOOTIMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1)

  $(if $(BOARD_GKI_SIGNING_KEY_PATH), \

    $(eval boot_signature := $(call intermediates-dir-for,PACKAGING,generic_boot)/$(notdir $(1)).boot_signature) \

    $(eval kernel_signature := $(call intermediates-dir-for,PACKAGING,generic_kernel)/$(notdir $(kernel)).boot_signature) \

    $(call generate_generic_boot_image_certificate,$(1),$(boot_signature),boot,$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)) $(newline) \

    $(call generate_generic_boot_image_certificate,$(kernel),$(kernel_signature),generic_kernel,$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)) $(newline) \

    $(if $(INTERNAL_BOOT_HAS_RAMDISK), \

      cat $(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE) >> $(kernel_signature) $(newline)))

  $(MKBOOTIMG) --kernel $(kernel) $(INTERNAL_BOOTIMAGE_ARGS) \

    $(if $(BOARD_GKI_SIGNING_KEY_PATH),--boot_signature "$(kernel_signature)",$(INTERNAL_MKBOOTIMG_VERSION_ARGS)) \

    $(BOARD_MKBOOTIMG_ARGS) --output $(1)

    cat $(kernel_signature) >> $(boot_signature) $(newline) \

    $(call assert-max-image-size,$(boot_signature),16 << 10) $(newline) \

    truncate -s $$(( 16 << 10 )) $(boot_signature) $(newline) \

    cat "$(boot_signature)" >> $(1))

  $(call assert-max-image-size,$(1),$(call get-hash-image-max-size,$(call get-bootimage-partition-size,$(1),boot)))

  $(AVBTOOL) add_hash_footer \

          --image $(1) \
@@ -1034,9 +1026,6 @@ define build_boot_board_avb_enabled 
          $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)

endef



ifdef INTERNAL_BOOT_HAS_RAMDISK

$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE)

endif

$(INSTALLED_BOOTIMAGE_TARGET): $(MKBOOTIMG) $(AVBTOOL) $(INTERNAL_BOOTIMAGE_FILES) $(BOARD_AVB_BOOT_KEY_PATH) $(INTERNAL_GKI_CERTIFICATE_DEPS)

	$(call pretty,"Target boot image: $@")

	$(call build_boot_board_avb_enabled,$@)
@@ -1141,12 +1130,9 @@ ifdef BOARD_KERNEL_PAGESIZE 
endif



ifeq ($(BOARD_AVB_ENABLE),true)

$(INSTALLED_INIT_BOOT_IMAGE_TARGET): $(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE)

$(INSTALLED_INIT_BOOT_IMAGE_TARGET): $(AVBTOOL) $(BOARD_AVB_INIT_BOOT_KEY_PATH)

	$(call pretty,"Target init_boot image: $@")

	$(MKBOOTIMG) $(INTERNAL_INIT_BOOT_IMAGE_ARGS) \

	  $(if $(BOARD_GKI_SIGNING_KEY_PATH),--boot_signature "$(INTERNAL_GENERIC_RAMDISK_BOOT_SIGNATURE)",$(INTERNAL_MKBOOTIMG_VERSION_ARGS)) \

	  $(BOARD_MKBOOTIMG_INIT_ARGS) --output "$@"

	$(MKBOOTIMG) $(INTERNAL_INIT_BOOT_IMAGE_ARGS) $(INTERNAL_MKBOOTIMG_VERSION_ARGS) $(BOARD_MKBOOTIMG_INIT_ARGS) --output "$@"

	$(call assert-max-image-size,$@,$(BOARD_INIT_BOOT_IMAGE_PARTITION_SIZE))

	$(AVBTOOL) add_hash_footer \

           --image $@ \
@@ -3930,13 +3916,6 @@ BOARD_AVB_PVMFW_ADD_HASH_FOOTER_ARGS += \ 
    --prop com.android.build.pvmfw.security_patch:$(PVMFW_SECURITY_PATCH)

endif



# For upgrading devices without a init_boot partition, the init_boot footer args

# should fallback to boot partition footer.

ifndef INSTALLED_INIT_BOOT_IMAGE_TARGET

BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS += \

    $(BOARD_AVB_INIT_BOOT_ADD_HASH_FOOTER_ARGS)

endif



BOOT_FOOTER_ARGS := BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS

INIT_BOOT_FOOTER_ARGS := BOARD_AVB_INIT_BOOT_ADD_HASH_FOOTER_ARGS

VENDOR_BOOT_FOOTER_ARGS := BOARD_AVB_VENDOR_BOOT_ADD_HASH_FOOTER_ARGS

tools/releasetools/common.py

+28 −27
Original line number Diff line number Diff line
@@ -1405,7 +1405,7 @@ def _HasGkiCertificationArgs(): 
          "gki_signing_algorithm" in OPTIONS.info_dict)





def _GenerateGkiCertificate(image, image_name, partition_name):

def _GenerateGkiCertificate(image, image_name):

  key_path = OPTIONS.info_dict.get("gki_signing_key_path")

  algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
@@ -1434,8 +1434,7 @@ def _GenerateGkiCertificate(image, image_name, partition_name): 
  if signature_args:

    cmd.extend(["--additional_avb_args", signature_args])



  args = OPTIONS.info_dict.get(

      "avb_" + partition_name + "_add_hash_footer_args", "")

  args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "")

  args = args.strip()

  if args:

    cmd.extend(["--additional_avb_args", args])
@@ -1628,24 +1627,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None, 
  if args and args.strip():

    cmd.extend(shlex.split(args))



  boot_signature = None

  if _HasGkiCertificationArgs():

    # Certify GKI images.

    boot_signature_bytes = b''

    if kernel_path is not None:

      boot_signature_bytes += _GenerateGkiCertificate(

          kernel_path, "generic_kernel", "boot")

    if has_ramdisk:

      boot_signature_bytes += _GenerateGkiCertificate(

          ramdisk_img.name, "generic_ramdisk", "init_boot")



    if len(boot_signature_bytes) > 0:

      boot_signature = tempfile.NamedTemporaryFile()

      boot_signature.write(boot_signature_bytes)

      boot_signature.flush()

      cmd.extend(["--boot_signature", boot_signature.name])

  else:

    # Certified GKI boot/init_boot image mustn't set 'mkbootimg_version_args'.

  args = info_dict.get("mkbootimg_version_args")

  if args and args.strip():

    cmd.extend(shlex.split(args))
@@ -1670,6 +1651,29 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None, 


  RunAndCheckOutput(cmd)



  if _HasGkiCertificationArgs():

    if not os.path.exists(img.name):

      raise ValueError("Cannot find GKI boot.img")

    if kernel_path is None or not os.path.exists(kernel_path):

      raise ValueError("Cannot find GKI kernel.img")



    # Certify GKI images.

    boot_signature_bytes = b''

    boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot")

    boot_signature_bytes += _GenerateGkiCertificate(

        kernel_path, "generic_kernel")



    BOOT_SIGNATURE_SIZE = 16 * 1024

    if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE:

      raise ValueError(

          f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}")

    boot_signature_bytes += (

        b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes)))

    assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE



    with open(img.name, 'ab') as f:

      f.write(boot_signature_bytes)



  if (info_dict.get("boot_signer") == "true" and

          info_dict.get("verity_key")):

    # Hard-code the path as "/boot" for two-step special recovery image (which
@@ -1730,9 +1734,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None, 
    ramdisk_img.close()

  img.close()



  if boot_signature is not None:

    boot_signature.close()



  return data

tools/releasetools/test_common.py

+2 −2
Original line number Diff line number Diff line
@@ -1642,7 +1642,7 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase): 
    }

    test_file = tempfile.NamedTemporaryFile()

    self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,

                      test_file.name, 'generic_kernel', 'boot')

                      test_file.name, 'generic_kernel')



  def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):

    pubkey = 'no_testkey_gki.pem'
@@ -1662,7 +1662,7 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase): 
    }

    test_file = tempfile.NamedTemporaryFile()

    self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,

                      test_file.name, 'generic_kernel', 'boot')

                      test_file.name, 'generic_kernel')



class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):

  """Checks the format of install-recovery.sh.