core/Makefile +15 −0
@@ -3303,26 +3303,41 @@ endif # Appends os version and security patch level as a AVB property descriptor BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS += \ --prop com.android.build.system.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.system.os_version:$(PLATFORM_VERSION) \ --prop com.android.build.system.security_patch:$(PLATFORM_SECURITY_PATCH) BOARD_AVB_PRODUCT_ADD_HASHTREE_FOOTER_ARGS += \ --prop com.android.build.product.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.product.os_version:$(PLATFORM_VERSION) \ --prop com.android.build.product.security_patch:$(PLATFORM_SECURITY_PATCH) BOARD_AVB_SYSTEM_EXT_ADD_HASHTREE_FOOTER_ARGS += \ --prop com.android.build.system_ext.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.system_ext.os_version:$(PLATFORM_VERSION) \ --prop com.android.build.system_ext.security_patch:$(PLATFORM_SECURITY_PATCH) BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS += \ --prop com.android.build.boot.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.boot.os_version:$(PLATFORM_VERSION) BOARD_AVB_VENDOR_BOOT_ADD_HASH_FOOTER_ARGS += \ --prop com.android.build.vendor_boot.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ BOARD_AVB_RECOVERY_ADD_HASH_FOOTER_ARGS += \ --prop com.android.build.recovery.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS += \ --prop com.android.build.vendor.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.vendor.os_version:$(PLATFORM_VERSION) BOARD_AVB_ODM_ADD_HASHTREE_FOOTER_ARGS += \ --prop com.android.build.odm.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.odm.os_version:$(PLATFORM_VERSION) BOARD_AVB_DTBO_ADD_HASH_FOOTER_ARGS += \ --prop com.android.build.dtbo.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) # The following vendor- and odm-specific images needs explicit SPL set per board. 
ifdef BOOT_SECURITY_PATCH BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS += \ Loading tools/releasetools/sign_target_files_apks.py +44 −12 Original line number Diff line number Diff line Loading @@ -153,6 +153,20 @@ OPTIONS.avb_algorithms = {} OPTIONS.avb_extra_args = {} AVB_FOOTER_ARGS_BY_PARTITION = { 'boot' : 'avb_boot_add_hash_footer_args', 'dtbo' : 'avb_dtbo_add_hash_footer_args', 'recovery' : 'avb_recovery_add_hash_footer_args', 'system' : 'avb_system_add_hashtree_footer_args', 'system_other' : 'avb_system_other_add_hashtree_footer_args', 'vendor' : 'avb_vendor_add_hashtree_footer_args', 'vendor_boot' : 'avb_vendor_boot_add_hash_footer_args', 'vbmeta' : 'avb_vbmeta_args', 'vbmeta_system' : 'avb_vbmeta_system_args', 'vbmeta_vendor' : 'avb_vbmeta_vendor_args', } def GetApkCerts(certmap): # apply the key remapping to the contents of the file for apk, cert in certmap.items(): Loading Loading @@ -622,6 +636,10 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, # Replace the AVB signing keys, if any. ReplaceAvbSigningKeys(misc_info) # Rewrite the props in AVB signing args. if misc_info.get('avb_enable') == 'true': RewriteAvbProps(misc_info) # Write back misc_info with the latest values. ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info) Loading Loading @@ -910,18 +928,6 @@ def ReplaceMiscInfoTxt(input_zip, output_zip, misc_info): def ReplaceAvbSigningKeys(misc_info): """Replaces the AVB signing keys.""" AVB_FOOTER_ARGS_BY_PARTITION = { 'boot' : 'avb_boot_add_hash_footer_args', 'dtbo' : 'avb_dtbo_add_hash_footer_args', 'recovery' : 'avb_recovery_add_hash_footer_args', 'system' : 'avb_system_add_hashtree_footer_args', 'system_other' : 'avb_system_other_add_hashtree_footer_args', 'vendor' : 'avb_vendor_add_hashtree_footer_args', 'vbmeta' : 'avb_vbmeta_args', 'vbmeta_system' : 'avb_vbmeta_system_args', 'vbmeta_vendor' : 'avb_vbmeta_vendor_args', } def ReplaceAvbPartitionSigningKey(partition): key = OPTIONS.avb_keys.get(partition) if not key: Loading 
@@ -946,6 +952,32 @@ def ReplaceAvbSigningKeys(misc_info): ReplaceAvbPartitionSigningKey(partition) def RewriteAvbProps(misc_info): """Rewrites the props in AVB signing args.""" for partition, args_key in AVB_FOOTER_ARGS_BY_PARTITION.items(): args = misc_info.get(args_key) if not args: continue tokens = [] changed = False for token in args.split(' '): fingerprint_key = 'com.android.build.{}.fingerprint'.format(partition) if not token.startswith(fingerprint_key): tokens.append(token) continue prefix, tag = token.rsplit('/', 1) tokens.append('{}/{}'.format(prefix, EditTags(tag))) changed = True if changed: result = ' '.join(tokens) print('Rewriting AVB prop for {}:\n'.format(partition)) print(' replace: {}'.format(args)) print(' with: {}'.format(result)) misc_info[args_key] = result def BuildKeyMap(misc_info, key_mapping_options): for s, d in key_mapping_options: if s is None: # -d option Loading tools/releasetools/test_sign_target_files_apks.py +36 −1 Original line number Diff line number Diff line Loading @@ -23,7 +23,8 @@ import common import test_utils from sign_target_files_apks import ( CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo, ReplaceCerts, ReplaceVerityKeyId, RewriteProps, WriteOtacerts) ReplaceCerts, ReplaceVerityKeyId, RewriteAvbProps, RewriteProps, WriteOtacerts) class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase): Loading Loading 
@@ -52,6 +53,40 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te # Tags are sorted. self.assertEqual(EditTags('xyz,abc,dev-keys,xyz'), ('abc,release-keys,xyz')) def test_RewriteAvbProps(self): misc_info = { 'avb_boot_add_hash_footer_args': ('--prop com.android.build.boot.os_version:R ' '--prop com.android.build.boot.security_patch:2019-09-05'), 'avb_system_add_hashtree_footer_args': ('--prop com.android.build.system.os_version:R ' '--prop com.android.build.system.security_patch:2019-09-05 ' '--prop com.android.build.system.fingerprint:' 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/test-keys'), 'avb_vendor_add_hashtree_footer_args': ('--prop com.android.build.vendor.os_version:R ' '--prop com.android.build.vendor.security_patch:2019-09-05 ' '--prop com.android.build.vendor.fingerprint:' 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/dev-keys'), } expected_dict = { 'avb_boot_add_hash_footer_args': ('--prop com.android.build.boot.os_version:R ' '--prop com.android.build.boot.security_patch:2019-09-05'), 'avb_system_add_hashtree_footer_args': ('--prop com.android.build.system.os_version:R ' '--prop com.android.build.system.security_patch:2019-09-05 ' '--prop com.android.build.system.fingerprint:' 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/release-keys'), 'avb_vendor_add_hashtree_footer_args': ('--prop com.android.build.vendor.os_version:R ' '--prop com.android.build.vendor.security_patch:2019-09-05 ' '--prop com.android.build.vendor.fingerprint:' 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/release-keys'), } RewriteAvbProps(misc_info) self.assertDictEqual(expected_dict, misc_info) def test_RewriteProps(self): props = ( ('', ''), Loading Loading
core/Makefile +15 −0
@@ -3303,26 +3303,41 @@ endif # Appends os version and security patch level as a AVB property descriptor BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS += \ --prop com.android.build.system.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.system.os_version:$(PLATFORM_VERSION) \ --prop com.android.build.system.security_patch:$(PLATFORM_SECURITY_PATCH) BOARD_AVB_PRODUCT_ADD_HASHTREE_FOOTER_ARGS += \ --prop com.android.build.product.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.product.os_version:$(PLATFORM_VERSION) \ --prop com.android.build.product.security_patch:$(PLATFORM_SECURITY_PATCH) BOARD_AVB_SYSTEM_EXT_ADD_HASHTREE_FOOTER_ARGS += \ --prop com.android.build.system_ext.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.system_ext.os_version:$(PLATFORM_VERSION) \ --prop com.android.build.system_ext.security_patch:$(PLATFORM_SECURITY_PATCH) BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS += \ --prop com.android.build.boot.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.boot.os_version:$(PLATFORM_VERSION) BOARD_AVB_VENDOR_BOOT_ADD_HASH_FOOTER_ARGS += \ --prop com.android.build.vendor_boot.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ BOARD_AVB_RECOVERY_ADD_HASH_FOOTER_ARGS += \ --prop com.android.build.recovery.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS += \ --prop com.android.build.vendor.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.vendor.os_version:$(PLATFORM_VERSION) BOARD_AVB_ODM_ADD_HASHTREE_FOOTER_ARGS += \ --prop com.android.build.odm.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) \ --prop com.android.build.odm.os_version:$(PLATFORM_VERSION) BOARD_AVB_DTBO_ADD_HASH_FOOTER_ARGS += \ --prop com.android.build.dtbo.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE) # The following vendor- and odm-specific images needs explicit SPL set per board. ifdef BOOT_SECURITY_PATCH BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS += \ Loading
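Review bot: The `BOARD_AVB_VENDOR_BOOT_ADD_HASH_FOOTER_ARGS` assignment ends its only `--prop` line with a trailing `\`, unlike the recovery and dtbo blocks next to it. This rendered page collapses whitespace, so presumably a blank line follows and the continuation is harmless today. If that blank line is ever removed, the `BOARD_AVB_RECOVERY_ADD_HASH_FOOTER_ARGS += \` text below becomes part of vendor_boot's footer arguments and the recovery fingerprint prop is never set. Drop the continuation so the line reads `--prop com.android.build.vendor_boot.fingerprint:$(BUILD_FINGERPRINT_FROM_FILE)`.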
tools/releasetools/sign_target_files_apks.py +44 −12 Original line number Diff line number Diff line Loading @@ -153,6 +153,20 @@ OPTIONS.avb_algorithms = {} OPTIONS.avb_extra_args = {} AVB_FOOTER_ARGS_BY_PARTITION = { 'boot' : 'avb_boot_add_hash_footer_args', 'dtbo' : 'avb_dtbo_add_hash_footer_args', 'recovery' : 'avb_recovery_add_hash_footer_args', 'system' : 'avb_system_add_hashtree_footer_args', 'system_other' : 'avb_system_other_add_hashtree_footer_args', 'vendor' : 'avb_vendor_add_hashtree_footer_args', 'vendor_boot' : 'avb_vendor_boot_add_hash_footer_args', 'vbmeta' : 'avb_vbmeta_args', 'vbmeta_system' : 'avb_vbmeta_system_args', 'vbmeta_vendor' : 'avb_vbmeta_vendor_args', } def GetApkCerts(certmap): # apply the key remapping to the contents of the file for apk, cert in certmap.items(): Loading Loading @@ -622,6 +636,10 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, # Replace the AVB signing keys, if any. ReplaceAvbSigningKeys(misc_info) # Rewrite the props in AVB signing args. if misc_info.get('avb_enable') == 'true': RewriteAvbProps(misc_info) # Write back misc_info with the latest values. ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info) Loading Loading @@ -910,18 +928,6 @@ def ReplaceMiscInfoTxt(input_zip, output_zip, misc_info): def ReplaceAvbSigningKeys(misc_info): """Replaces the AVB signing keys.""" AVB_FOOTER_ARGS_BY_PARTITION = { 'boot' : 'avb_boot_add_hash_footer_args', 'dtbo' : 'avb_dtbo_add_hash_footer_args', 'recovery' : 'avb_recovery_add_hash_footer_args', 'system' : 'avb_system_add_hashtree_footer_args', 'system_other' : 'avb_system_other_add_hashtree_footer_args', 'vendor' : 'avb_vendor_add_hashtree_footer_args', 'vbmeta' : 'avb_vbmeta_args', 'vbmeta_system' : 'avb_vbmeta_system_args', 'vbmeta_vendor' : 'avb_vbmeta_vendor_args', } def ReplaceAvbPartitionSigningKey(partition): key = OPTIONS.avb_keys.get(partition) if not key: Loading 
@@ -946,6 +952,32 @@ def ReplaceAvbSigningKeys(misc_info): ReplaceAvbPartitionSigningKey(partition) def RewriteAvbProps(misc_info): """Rewrites the props in AVB signing args.""" for partition, args_key in AVB_FOOTER_ARGS_BY_PARTITION.items(): args = misc_info.get(args_key) if not args: continue tokens = [] changed = False for token in args.split(' '): fingerprint_key = 'com.android.build.{}.fingerprint'.format(partition) if not token.startswith(fingerprint_key): tokens.append(token) continue prefix, tag = token.rsplit('/', 1) tokens.append('{}/{}'.format(prefix, EditTags(tag))) changed = True if changed: result = ' '.join(tokens) print('Rewriting AVB prop for {}:\n'.format(partition)) print(' replace: {}'.format(args)) print(' with: {}'.format(result)) misc_info[args_key] = result def BuildKeyMap(misc_info, key_mapping_options): for s, d in key_mapping_options: if s is None: # -d option Loading
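Review bot: `AVB_FOOTER_ARGS_BY_PARTITION` has no entries for `product`, `system_ext` or `odm`, yet the core/Makefile part of this commit adds a `com.android.build.<partition>.fingerprint` prop for each of them, so `RewriteAvbProps` never visits those args. After release signing, their AVB descriptors would still carry the original fingerprint tag (for example `test-keys`) while system and vendor say `release-keys`, leaving signed metadata that disagrees with the rest of the build. Extend the map following the existing naming pattern, e.g. `'odm' : 'avb_odm_add_hashtree_footer_args',`, `'product' : 'avb_product_add_hashtree_footer_args',`, `'system_ext' : 'avb_system_ext_add_hashtree_footer_args',`, after confirming those are the keys the build writes to misc_info. Separately, `prefix, tag = token.rsplit('/', 1)` raises ValueError when the fingerprint value contains no `/`; a guard with an explicit error message would make that failure readable.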
tools/releasetools/test_sign_target_files_apks.py +36 −1 Original line number Diff line number Diff line Loading @@ -23,7 +23,8 @@ import common import test_utils from sign_target_files_apks import ( CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo, ReplaceCerts, ReplaceVerityKeyId, RewriteProps, WriteOtacerts) ReplaceCerts, ReplaceVerityKeyId, RewriteAvbProps, RewriteProps, WriteOtacerts) class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase): Loading Loading 
@@ -52,6 +53,40 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te # Tags are sorted. self.assertEqual(EditTags('xyz,abc,dev-keys,xyz'), ('abc,release-keys,xyz')) def test_RewriteAvbProps(self): misc_info = { 'avb_boot_add_hash_footer_args': ('--prop com.android.build.boot.os_version:R ' '--prop com.android.build.boot.security_patch:2019-09-05'), 'avb_system_add_hashtree_footer_args': ('--prop com.android.build.system.os_version:R ' '--prop com.android.build.system.security_patch:2019-09-05 ' '--prop com.android.build.system.fingerprint:' 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/test-keys'), 'avb_vendor_add_hashtree_footer_args': ('--prop com.android.build.vendor.os_version:R ' '--prop com.android.build.vendor.security_patch:2019-09-05 ' '--prop com.android.build.vendor.fingerprint:' 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/dev-keys'), } expected_dict = { 'avb_boot_add_hash_footer_args': ('--prop com.android.build.boot.os_version:R ' '--prop com.android.build.boot.security_patch:2019-09-05'), 'avb_system_add_hashtree_footer_args': ('--prop com.android.build.system.os_version:R ' '--prop com.android.build.system.security_patch:2019-09-05 ' '--prop com.android.build.system.fingerprint:' 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/release-keys'), 'avb_vendor_add_hashtree_footer_args': ('--prop com.android.build.vendor.os_version:R ' '--prop com.android.build.vendor.security_patch:2019-09-05 ' '--prop com.android.build.vendor.fingerprint:' 'Android/aosp_taimen/taimen:R/QT/foo:userdebug/release-keys'), } RewriteAvbProps(misc_info) self.assertDictEqual(expected_dict, misc_info) def test_RewriteProps(self): props = ( ('', ''), Loading
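Review bot: `test_RewriteAvbProps` only exercises boot, system and vendor, and always places the fingerprint prop last, whereas core/Makefile in this commit emits it first and for more partitions. Add a case where the fingerprint token is followed by other props, and one for the newly mapped key `avb_vendor_boot_add_hash_footer_args`, so both the token-by-token rewrite and the new map entry are pinned. A negative case with a fingerprint value that has no `/` would also document what `RewriteAvbProps` does on malformed input.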