Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9d28638c authored by Bowgo Tsai's avatar Bowgo Tsai
Browse files

Enable AVB signing on GSI 

In current GSI builds, AVB signing is not allowed.
We should allow signing GSI image, while building a vbmeta.img with
AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (flag 2).

When need to disable AVB, use the vbmeta.img above together with the
GSI. When need enable AVB on GSI, include the GSI public key into the
device-specific vbmeta.img. Note that GSI is a chain partition so the
keys used to sign GSI and vbmeta.img are different.

Bug: 112293933
Test: build aosp_arm64-userdebug, checks flag 2 is set in vbmeta.img
      and there is AVB HASHTREE in system.img
      `avbtool info_image --image $OUT/system.img`
      `avbtool info_image --image $OUT/vbmeta.img`

Change-Id: If1eff317621882994e7dcbf37cd35f5bfa16b69a
parent 99ed1b4f

core/Makefile

+0 −16
Original line number Diff line number Diff line
@@ -2795,14 +2795,6 @@ $(INSTALLED_VBMETAIMAGE_TARGET): \ 
vbmetaimage-nodeps:

	$(build-vbmetaimage-target)



else ifeq (true,$(BOARD_BUILD_DISABLED_VBMETAIMAGE))

BUILT_DISABLED_VBMETAIMAGE := $(PRODUCT_OUT)/vbmeta.img



INSTALLED_VBMETAIMAGE_TARGET := $(BUILT_DISABLED_VBMETAIMAGE)

$(INSTALLED_VBMETAIMAGE_TARGET): $(AVBTOOL)

	$(hide) $(AVBTOOL) make_vbmeta_image \

	  --flag 2 --padding_size 4096 --output $@



endif # BOARD_AVB_ENABLE



# -----------------------------------------------------------------
@@ -3406,14 +3398,6 @@ ifeq ($(BREAKPAD_GENERATE_SYMBOLS),true) 
	@# If breakpad symbols have been generated, add them to the zip.

	$(hide) $(ACP) -r $(TARGET_OUT_BREAKPAD) $(zip_root)/BREAKPAD

endif

# BOARD_BUILD_DISABLED_VBMETAIMAGE is used to build a special vbmeta.img

# that disables AVB verification. The content is fixed and we can just copy

# it to $(zip_root)/IMAGES without passing some info into misc_info.txt for

# regeneration.

ifeq (true,$(BOARD_BUILD_DISABLED_VBMETAIMAGE))

	$(hide) mkdir -p $(zip_root)/IMAGES

	$(hide) cp $(INSTALLED_VBMETAIMAGE_TARGET) $(zip_root)/IMAGES/

endif

ifdef BOARD_PREBUILT_VENDORIMAGE

	$(hide) mkdir -p $(zip_root)/IMAGES

	$(hide) cp $(INSTALLED_VENDORIMAGE_TARGET) $(zip_root)/IMAGES/

target/board/BoardConfigEmuCommon.mk

+3 −2
Original line number Diff line number Diff line
@@ -28,8 +28,9 @@ USE_OPENGL_RENDERER := true 
TARGET_COPY_OUT_VENDOR := vendor



# ~100 MB vendor image. Please adjust system image / vendor image sizes

# when finalizing them.

BOARD_VENDORIMAGE_PARTITION_SIZE := 100000000

# when finalizing them. The partition size needs to be a multiple of image

# block size: 4096.

BOARD_VENDORIMAGE_PARTITION_SIZE := 100003840

BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE := ext4

BOARD_FLASH_BLOCK_SIZE := 512

DEVICE_MATRIX_FILE   := device/generic/goldfish/compatibility_matrix.xml

target/board/BoardConfigGsiCommon.mk

+16 −8
Original line number Diff line number Diff line
@@ -14,14 +14,22 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := false 
BOARD_SYSTEMIMAGE_PARTITION_RESERVED_SIZE := 67108864



# Android Verified Boot (AVB):

#   Builds a special vbmeta.img that disables AVB verification.

#   Otherwise, AVB will prevent the device from booting the generic system.img.

#   Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity

#   metadata into system.img.

ifeq ($(BOARD_AVB_ENABLE),true)

$(error BOARD_AVB_ENABLE cannot be set for GSI)

endif

BOARD_BUILD_DISABLED_VBMETAIMAGE := true

#   1) Sets BOARD_AVB_ENABLE to sign the GSI image.

#   2) Sets AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (--flag 2) in

#      vbmeta.img to disable AVB verification.

#

# To disable AVB for GSI, use the vbmeta.img and the GSI together.

# To enable AVB for GSI, include the GSI public key into the device-specific

# vbmeta.img.

BOARD_AVB_ENABLE := true

BOARD_AVB_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)

BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2



# Enable chain partition for system.

BOARD_AVB_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem

BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048

BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)

BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1



ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))

# GSI is always userdebug and needs a couple of properties taking precedence

target/board/treble_common.mk

+16 −8
Original line number Diff line number Diff line
@@ -53,11 +53,19 @@ NUM_FRAMEBUFFER_SURFACE_BUFFERS := 3 
USE_XML_AUDIO_POLICY_CONF := 1



# Android Verified Boot (AVB):

#   Builds a special vbmeta.img that disables AVB verification.

#   Otherwise, AVB will prevent the device from booting the generic system.img.

#   Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity

#   metadata into system.img.

ifeq ($(BOARD_AVB_ENABLE),true)

$(error BOARD_AVB_ENABLE cannot be set for Treble GSI)

endif

BOARD_BUILD_DISABLED_VBMETAIMAGE := true
 
#   1) Sets BOARD_AVB_ENABLE to sign the GSI image.

#   2) Sets AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (--flag 2) in

#      vbmeta.img to disable AVB verification.

#

# To disable AVB for GSI, use the vbmeta.img and the GSI together.

# To enable AVB for GSI, include the GSI public key into the device-specific

# vbmeta.img.

BOARD_AVB_ENABLE := true

BOARD_AVB_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)

BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2



# Enable chain partition for system.

BOARD_AVB_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem

BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048

BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)

BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1