Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a4d5f438 authored by Yi-Yo Chiang's avatar Yi-Yo Chiang
Browse files

Re-land: releasetools: Deprecate GKI build rules 

(Re-land of Ie882fccd864920289e48366e99a4ebd67e784d0d)

We no longer build GKIs from the platform tree.
These build commands were neither used nor maintained anymore, so clean
them up to reduce maintenance effort.
Keep the command line options as no-op, so existing scripts that still
specifies the deprecated options don't break.

Bug: 229701033
Test: presubmit
Change-Id: I0f7d05562dbc3eed29e902d6dc9a0f2e4083aaa6
parent b14bf5f6

tools/releasetools/Android.bp

+0 −3
Original line number Original line Diff line number Diff line
@@ -168,7 +168,6 @@ python_defaults { 
        "apexd_host",

        "apexd_host",

        "brillo_update_payload",

        "brillo_update_payload",

        "checkvintf",

        "checkvintf",

        "generate_gki_certificate",

        "lz4",

        "lz4",

        "toybox",

        "toybox",

        "unpack_bootimg",

        "unpack_bootimg",
@@ -245,7 +244,6 @@ python_library_host { 
        "boot_signer",

        "boot_signer",

        "brotli",

        "brotli",

        "bsdiff",

        "bsdiff",

        "generate_gki_certificate",

        "imgdiff",

        "imgdiff",

        "lz4",

        "lz4",

        "mkbootfs",

        "mkbootfs",
@@ -310,7 +308,6 @@ python_defaults { 
        "brotli",

        "brotli",

        "bsdiff",

        "bsdiff",

        "deapexer",

        "deapexer",

        "generate_gki_certificate",

        "imgdiff",

        "imgdiff",

        "lz4",

        "lz4",

        "mkbootfs",

        "mkbootfs",

tools/releasetools/common.py

+0 −67
Original line number Original line Diff line number Diff line
@@ -1565,50 +1565,6 @@ def GetAvbChainedPartitionArg(partition, info_dict, key=None): 
      pubkey_path=pubkey_path)

      pubkey_path=pubkey_path)









def _HasGkiCertificationArgs():

  return ("gki_signing_key_path" in OPTIONS.info_dict and

          "gki_signing_algorithm" in OPTIONS.info_dict)





def _GenerateGkiCertificate(image, image_name):

  key_path = OPTIONS.info_dict.get("gki_signing_key_path")

  algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")



  key_path = ResolveAVBSigningPathArgs(key_path)



  # Checks key_path exists, before processing --gki_signing_* args.

  if not os.path.exists(key_path):

    raise ExternalError(

        'gki_signing_key_path: "{}" not found'.format(key_path))



  output_certificate = tempfile.NamedTemporaryFile()

  cmd = [

      "generate_gki_certificate",

      "--name", image_name,

      "--algorithm", algorithm,

      "--key", key_path,

      "--output", output_certificate.name,

      image,

  ]



  signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "")

  signature_args = signature_args.strip()

  if signature_args:

    cmd.extend(["--additional_avb_args", signature_args])



  args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "")

  args = args.strip()

  if args:

    cmd.extend(["--additional_avb_args", args])



  RunAndCheckOutput(cmd)



  output_certificate.seek(os.SEEK_SET, 0)

  data = output_certificate.read()

  output_certificate.close()

  return data





def BuildVBMeta(image_path, partitions, name, needed_partitions,

def BuildVBMeta(image_path, partitions, name, needed_partitions,

                resolve_rollback_index_location_conflict=False):

                resolve_rollback_index_location_conflict=False):

  """Creates a VBMeta image.

  """Creates a VBMeta image.
@@ -1831,29 +1787,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, 




  RunAndCheckOutput(cmd)

  RunAndCheckOutput(cmd)





  if _HasGkiCertificationArgs():

    if not os.path.exists(img.name):

      raise ValueError("Cannot find GKI boot.img")

    if kernel_path is None or not os.path.exists(kernel_path):

      raise ValueError("Cannot find GKI kernel.img")



    # Certify GKI images.

    boot_signature_bytes = b''

    boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot")

    boot_signature_bytes += _GenerateGkiCertificate(

        kernel_path, "generic_kernel")



    BOOT_SIGNATURE_SIZE = 16 * 1024

    if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE:

      raise ValueError(

          f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}")

    boot_signature_bytes += (

        b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes)))

    assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE



    with open(img.name, 'ab') as f:

      f.write(boot_signature_bytes)



  # Sign the image if vboot is non-empty.

  # Sign the image if vboot is non-empty.

  if info_dict.get("vboot"):

  if info_dict.get("vboot"):

    path = "/" + partition_name

    path = "/" + partition_name

tools/releasetools/sign_target_files_apks.py

+4 −41
Original line number Original line Diff line number Diff line
@@ -124,14 +124,8 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files 




  --gki_signing_algorithm <algorithm>

  --gki_signing_algorithm <algorithm>

  --gki_signing_key <key>

  --gki_signing_key <key>

      Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate

      'boot signature' in a v4 boot.img. Otherwise it uses the existing values

      in info dict.



  --gki_signing_extra_args <args>

  --gki_signing_extra_args <args>

      Specify any additional args that are needed to generate 'boot signature'

      DEPRECATED Does nothing.

      (e.g. --prop foo:bar). The args will be appended to the existing ones

      in info dict.





  --android_jar_path <path>

  --android_jar_path <path>

      Path to the android.jar to repack the apex file.

      Path to the android.jar to repack the apex file.
@@ -221,9 +215,6 @@ OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") 
OPTIONS.avb_keys = {}

OPTIONS.avb_keys = {}

OPTIONS.avb_algorithms = {}

OPTIONS.avb_algorithms = {}

OPTIONS.avb_extra_args = {}

OPTIONS.avb_extra_args = {}

OPTIONS.gki_signing_key = None

OPTIONS.gki_signing_algorithm = None

OPTIONS.gki_signing_extra_args = None

OPTIONS.android_jar_path = None

OPTIONS.android_jar_path = None

OPTIONS.vendor_partitions = set()

OPTIONS.vendor_partitions = set()

OPTIONS.vendor_otatools = None

OPTIONS.vendor_otatools = None
@@ -595,7 +586,7 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info, 
        [len(os.path.basename(i.filename)) for i in input_tf_zip.infolist()

        [len(os.path.basename(i.filename)) for i in input_tf_zip.infolist()

         if GetApkFileInfo(i.filename, compressed_extension, [])[0]])

         if GetApkFileInfo(i.filename, compressed_extension, [])[0]])

  except ValueError:

  except ValueError:

    # Sets this to zero for targets without APK files, e.g., gki_arm64.

    # Sets this to zero for targets without APK files.

    maxsize = 0

    maxsize = 0





  for info in input_tf_zip.infolist():

  for info in input_tf_zip.infolist():
@@ -818,9 +809,6 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info, 
  if misc_info.get('avb_enable') == 'true':

  if misc_info.get('avb_enable') == 'true':

    RewriteAvbProps(misc_info)

    RewriteAvbProps(misc_info)





  # Replace the GKI signing key for boot.img, if any.

  ReplaceGkiSigningKey(misc_info)



  # Write back misc_info with the latest values.

  # Write back misc_info with the latest values.

  ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info)

  ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info)
@@ -1102,27 +1090,6 @@ def RewriteAvbProps(misc_info): 
      misc_info[args_key] = result

      misc_info[args_key] = result









def ReplaceGkiSigningKey(misc_info):

  """Replaces the GKI signing key."""



  key = OPTIONS.gki_signing_key

  if not key:

    return



  algorithm = OPTIONS.gki_signing_algorithm

  if not algorithm:

    raise ValueError("Missing --gki_signing_algorithm")



  print('Replacing GKI signing key with "%s" (%s)' % (key, algorithm))

  misc_info["gki_signing_algorithm"] = algorithm

  misc_info["gki_signing_key_path"] = key



  extra_args = OPTIONS.gki_signing_extra_args

  if extra_args:

    print('Setting GKI signing args: "%s"' % (extra_args))

    misc_info["gki_signing_signature_args"] = extra_args





def BuildKeyMap(misc_info, key_mapping_options):

def BuildKeyMap(misc_info, key_mapping_options):

  for s, d in key_mapping_options:

  for s, d in key_mapping_options:

    if s is None:   # -d option

    if s is None:   # -d option
@@ -1477,12 +1444,6 @@ def main(argv): 
      # 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'.

      # 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'.

      partition, extra_args = a.split("=", 1)

      partition, extra_args = a.split("=", 1)

      OPTIONS.avb_extra_args[partition] = extra_args

      OPTIONS.avb_extra_args[partition] = extra_args

    elif o == "--gki_signing_key":

      OPTIONS.gki_signing_key = a

    elif o == "--gki_signing_algorithm":

      OPTIONS.gki_signing_algorithm = a

    elif o == "--gki_signing_extra_args":

      OPTIONS.gki_signing_extra_args = a

    elif o == "--vendor_otatools":

    elif o == "--vendor_otatools":

      OPTIONS.vendor_otatools = a

      OPTIONS.vendor_otatools = a

    elif o == "--vendor_partitions":

    elif o == "--vendor_partitions":
@@ -1493,6 +1454,8 @@ def main(argv): 
      OPTIONS.override_apk_keys = a

      OPTIONS.override_apk_keys = a

    elif o == "--override_apex_keys":

    elif o == "--override_apex_keys":

      OPTIONS.override_apex_keys = a

      OPTIONS.override_apex_keys = a

    elif o in ("--gki_signing_key",  "--gki_signing_algorithm",  "--gki_signing_extra_args"):

      print(f"{o} is deprecated and does nothing")

    else:

    else:

      return False

      return False

    return True

    return True

tools/releasetools/test_common.py

+0 −34
Original line number Original line Diff line number Diff line
@@ -1605,40 +1605,6 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase): 
    self.assertEqual(3, chained_partition_args.rollback_index_location)

    self.assertEqual(3, chained_partition_args.rollback_index_location)

    self.assertTrue(os.path.exists(chained_partition_args.pubkey_path))

    self.assertTrue(os.path.exists(chained_partition_args.pubkey_path))





  def test_GenerateGkiCertificate_KeyPathNotFound(self):

    pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem')

    self.assertFalse(os.path.exists(pubkey))



    common.OPTIONS.info_dict = {

        'gki_signing_key_path': pubkey,

        'gki_signing_algorithm': 'SHA256_RSA4096',

        'gki_signing_signature_args': '--prop foo:bar',

    }

    common.OPTIONS.search_path = None

    test_file = tempfile.NamedTemporaryFile()

    self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,

                      test_file.name, 'generic_kernel')



  def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):

    pubkey = 'no_testkey_gki.pem'

    self.assertFalse(os.path.exists(pubkey))



    # Tests it should raise ExternalError if no key found under

    # OPTIONS.search_path.

    search_path_dir = common.MakeTempDir()

    search_pubkey = os.path.join(search_path_dir, pubkey)

    self.assertFalse(os.path.exists(search_pubkey))



    common.OPTIONS.search_path = search_path_dir

    common.OPTIONS.info_dict = {

        'gki_signing_key_path': pubkey,

        'gki_signing_algorithm': 'SHA256_RSA4096',

        'gki_signing_signature_args': '--prop foo:bar',

    }

    test_file = tempfile.NamedTemporaryFile()

    self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,

                      test_file.name, 'generic_kernel')







class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):

class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):

  """Checks the format of install-recovery.sh.

  """Checks the format of install-recovery.sh.

tools/releasetools/test_sign_target_files_apks.py

+1 −51
Original line number Original line Diff line number Diff line
@@ -23,8 +23,7 @@ import common 
import test_utils

import test_utils

from sign_target_files_apks import (

from sign_target_files_apks import (

    CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo,

    CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo,

    ReplaceCerts, ReplaceGkiSigningKey, RewriteAvbProps, RewriteProps,

    ReplaceCerts, RewriteAvbProps, RewriteProps, WriteOtacerts)

    WriteOtacerts)









class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase):

class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase):
@@ -536,52 +535,3 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te 
            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',

            'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',

            'build/make/target/product/security/testkey', None),

            'build/make/target/product/security/testkey', None),

        }, keys_info)
 
        }, keys_info)
 


  def test_ReplaceGkiSigningKey(self):

    common.OPTIONS.gki_signing_key = 'release_gki_key'

    common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'

    common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'



    misc_info = {

        'gki_signing_key_path': 'default_gki_key',

        'gki_signing_algorithm': 'default_gki_algorithm',

        'gki_signing_signature_args': 'default_gki_signature_args',

    }

    expected_dict = {

        'gki_signing_key_path': 'release_gki_key',

        'gki_signing_algorithm': 'release_gki_algorithm',

        'gki_signing_signature_args': 'release_gki_signature_extra_args',

    }

    ReplaceGkiSigningKey(misc_info)

    self.assertDictEqual(expected_dict, misc_info)



  def test_ReplaceGkiSigningKey_MissingSigningAlgorithm(self):

    common.OPTIONS.gki_signing_key = 'release_gki_key'

    common.OPTIONS.gki_signing_algorithm = None

    common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'



    misc_info = {

        'gki_signing_key_path': 'default_gki_key',

        'gki_signing_algorithm': 'default_gki_algorithm',

        'gki_signing_signature_args': 'default_gki_signature_args',

    }

    self.assertRaises(ValueError, ReplaceGkiSigningKey, misc_info)



  def test_ReplaceGkiSigningKey_MissingSigningKeyNop(self):

    common.OPTIONS.gki_signing_key = None

    common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'

    common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'



    # No change to misc_info if common.OPTIONS.gki_signing_key is missing.

    misc_info = {

        'gki_signing_key_path': 'default_gki_key',

        'gki_signing_algorithm': 'default_gki_algorithm',

        'gki_signing_signature_args': 'default_gki_signature_args',

    }

    expected_dict = {

        'gki_signing_key_path': 'default_gki_key',

        'gki_signing_algorithm': 'default_gki_algorithm',

        'gki_signing_signature_args': 'default_gki_signature_args',

    }

    ReplaceGkiSigningKey(misc_info)

    self.assertDictEqual(expected_dict, misc_info)