
Commit de53f7df authored by Kelvin Zhang's avatar Kelvin Zhang

Use deterministic salt for boot image avb footer

avbtool by default generates a random salt every time, which makes builds
less reproducible. Use the sha256 checksum of the kernel image as the hex
salt to make the build reproducible.

Test: th
Bug: 293313353

Change-Id: I959b3dee77654098ab9fde475f11eaee8d40c790
parent d61f2efd
+1 −0
@@ -1233,6 +1233,7 @@ define build_boot_from_kernel_avb_enabled
  $(AVBTOOL) add_hash_footer \
          --image $(1) \
          $(call get-partition-size-argument,$(call get-bootimage-partition-size,$(1),boot)) \
          --salt `sha256sum "$(kernel)" | cut -d " " -f 1` \
          --partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \
          $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)
endef
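Review bot: The `--salt` line takes its value from a backtick pipeline, so a failing `sha256sum` (for example an unreadable `$(kernel)`) is masked by the exit status of `cut` and the option is left without a value. Whether avbtool then stops or misparses the following `--partition_name` is not visible here. `kernel` is not set anywhere in the visible lines of `build_boot_from_kernel_avb_enabled`, whose body begins outside the hunk, so its origin should be confirmed. I would also add a comment above the define such as `# --salt is the sha256 of the kernel image so the AVB footer is reproducible; keep in sync with the Python signing path, which hashes the same file.`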
+8 −3
@@ -1410,7 +1410,7 @@ def RunHostInitVerifier(product_out, partition_map):
  return RunAndCheckOutput(cmd)


def AppendAVBSigningArgs(cmd, partition):
def AppendAVBSigningArgs(cmd, partition, avb_salt=None):
  """Append signing arguments for avbtool."""
  # e.g., "--key path/to/signing_key --algorithm SHA256_RSA4096"
  key_path = ResolveAVBSigningPathArgs(
@@ -1418,6 +1418,7 @@ def AppendAVBSigningArgs(cmd, partition):
  algorithm = OPTIONS.info_dict.get("avb_" + partition + "_algorithm")
  if key_path and algorithm:
    cmd.extend(["--key", key_path, "--algorithm", algorithm])
  if avb_salt is None:
    avb_salt = OPTIONS.info_dict.get("avb_salt")
  # make_vbmeta_image doesn't like "--salt" (and it's not needed).
  if avb_salt and not partition.startswith("vbmeta"):
@@ -1825,7 +1826,11 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file,
    cmd = [avbtool, "add_hash_footer", "--image", img.name,
           "--partition_size", str(part_size), "--partition_name",
           partition_name]
    AppendAVBSigningArgs(cmd, partition_name)
    salt = None
    if kernel_path is not None:
      with open(kernel_path, "rb") as fp:
        salt = sha256(fp.read()).hexdigest()
    AppendAVBSigningArgs(cmd, partition_name, salt)
    args = info_dict.get("avb_" + partition_name + "_add_hash_footer_args")
    if args and args.strip():
      split_args = ResolveAVBSigningPathArgs(shlex.split(args))
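Review bot: A configured `avb_salt` in `OPTIONS.info_dict` is now silently overridden for any bootable image built with a kernel, because `_BuildBootableImage` passes the kernel digest whenever `kernel_path is not None` and `AppendAVBSigningArgs` consults the info dict only when its argument is `None`. That precedence is undocumented. The docstring should gain a line such as `avb_salt: hex salt for --salt; when None, falls back to info_dict["avb_salt"]`, and the call site a comment like `# Kernel-derived salt keeps the footer reproducible and takes precedence over info_dict["avb_salt"].` The import of `sha256` is outside the visible hunks and should be confirmed, and both function bodies continue outside the hunks.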