Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d9a58852 authored by Treehugger Robot's avatar Treehugger Robot Committed by Gerrit Code Review
Browse files

Merge "Enable AVB signing on GSI"

parents 88207d0d 9d28638c

core/Makefile

+0 −16
Original line number Diff line number Diff line
@@ -2804,14 +2804,6 @@ $(INSTALLED_VBMETAIMAGE_TARGET): \ 
vbmetaimage-nodeps:

	$(build-vbmetaimage-target)



else ifeq (true,$(BOARD_BUILD_DISABLED_VBMETAIMAGE))

BUILT_DISABLED_VBMETAIMAGE := $(PRODUCT_OUT)/vbmeta.img



INSTALLED_VBMETAIMAGE_TARGET := $(BUILT_DISABLED_VBMETAIMAGE)

$(INSTALLED_VBMETAIMAGE_TARGET): $(AVBTOOL)

	$(hide) $(AVBTOOL) make_vbmeta_image \

	  --flag 2 --padding_size 4096 --output $@



endif # BOARD_AVB_ENABLE



# -----------------------------------------------------------------
@@ -3416,14 +3408,6 @@ ifeq ($(BREAKPAD_GENERATE_SYMBOLS),true) 
	@# If breakpad symbols have been generated, add them to the zip.

	$(hide) $(ACP) -r $(TARGET_OUT_BREAKPAD) $(zip_root)/BREAKPAD

endif

# BOARD_BUILD_DISABLED_VBMETAIMAGE is used to build a special vbmeta.img

# that disables AVB verification. The content is fixed and we can just copy

# it to $(zip_root)/IMAGES without passing some info into misc_info.txt for

# regeneration.

ifeq (true,$(BOARD_BUILD_DISABLED_VBMETAIMAGE))

	$(hide) mkdir -p $(zip_root)/IMAGES

	$(hide) cp $(INSTALLED_VBMETAIMAGE_TARGET) $(zip_root)/IMAGES/

endif

ifdef BOARD_PREBUILT_VENDORIMAGE

	$(hide) mkdir -p $(zip_root)/IMAGES

	$(hide) cp $(INSTALLED_VENDORIMAGE_TARGET) $(zip_root)/IMAGES/

target/board/BoardConfigEmuCommon.mk

+3 −2
Original line number Diff line number Diff line
@@ -28,8 +28,9 @@ USE_OPENGL_RENDERER := true 
TARGET_COPY_OUT_VENDOR := vendor



# ~100 MB vendor image. Please adjust system image / vendor image sizes

# when finalizing them.

BOARD_VENDORIMAGE_PARTITION_SIZE := 100000000

# when finalizing them. The partition size needs to be a multiple of image

# block size: 4096.

BOARD_VENDORIMAGE_PARTITION_SIZE := 100003840

BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE := ext4

BOARD_FLASH_BLOCK_SIZE := 512

DEVICE_MATRIX_FILE   := device/generic/goldfish/compatibility_matrix.xml

target/board/BoardConfigGsiCommon.mk

+16 −8
Original line number Diff line number Diff line
@@ -14,14 +14,22 @@ TARGET_USERIMAGES_SPARSE_EXT_DISABLED := false 
BOARD_SYSTEMIMAGE_PARTITION_RESERVED_SIZE := 67108864



# Android Verified Boot (AVB):

#   Builds a special vbmeta.img that disables AVB verification.

#   Otherwise, AVB will prevent the device from booting the generic system.img.

#   Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity

#   metadata into system.img.

ifeq ($(BOARD_AVB_ENABLE),true)

$(error BOARD_AVB_ENABLE cannot be set for GSI)

endif

BOARD_BUILD_DISABLED_VBMETAIMAGE := true

#   1) Sets BOARD_AVB_ENABLE to sign the GSI image.

#   2) Sets AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (--flag 2) in

#      vbmeta.img to disable AVB verification.

#

# To disable AVB for GSI, use the vbmeta.img and the GSI together.

# To enable AVB for GSI, include the GSI public key into the device-specific

# vbmeta.img.

BOARD_AVB_ENABLE := true

BOARD_AVB_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)

BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2



# Enable chain partition for system.

BOARD_AVB_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem

BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048

BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)

BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1



ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))

# GSI is always userdebug and needs a couple of properties taking precedence

target/board/treble_common.mk

+16 −8
Original line number Diff line number Diff line
@@ -53,11 +53,19 @@ NUM_FRAMEBUFFER_SURFACE_BUFFERS := 3 
USE_XML_AUDIO_POLICY_CONF := 1



# Android Verified Boot (AVB):

#   Builds a special vbmeta.img that disables AVB verification.

#   Otherwise, AVB will prevent the device from booting the generic system.img.

#   Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity

#   metadata into system.img.

ifeq ($(BOARD_AVB_ENABLE),true)

$(error BOARD_AVB_ENABLE cannot be set for Treble GSI)

endif

BOARD_BUILD_DISABLED_VBMETAIMAGE := true
 
#   1) Sets BOARD_AVB_ENABLE to sign the GSI image.

#   2) Sets AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (--flag 2) in

#      vbmeta.img to disable AVB verification.

#

# To disable AVB for GSI, use the vbmeta.img and the GSI together.

# To enable AVB for GSI, include the GSI public key into the device-specific

# vbmeta.img.

BOARD_AVB_ENABLE := true

BOARD_AVB_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)

BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2



# Enable chain partition for system.

BOARD_AVB_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem

BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048

BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)

BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1