Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fa0091a9 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Use deterministic salt for AVB footer of prebuilt boot img" into main am: 07f84b7b 

Original change: https://android-review.googlesource.com/c/platform/build/+/2794713



Change-Id: I31deb3c465031bf5ed06a52f5eb7c8b82ba4ef4f
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents d9ed78ac 07f84b7b

core/Makefile

+5 −1
Original line number Diff line number Diff line
@@ -1444,15 +1444,19 @@ INTERNAL_PREBUILT_BOOTIMAGE := $(BOARD_PREBUILT_BOOTIMAGE) 
INSTALLED_BOOTIMAGE_TARGET := $(PRODUCT_OUT)/boot.img



ifeq ($(BOARD_AVB_ENABLE),true)

$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH)

$(INSTALLED_BOOTIMAGE_TARGET): PRIVATE_WORKING_DIR := $(call intermediates-dir-for,PACKAGING,prebuilt_bootimg)

$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH) $(UNPACK_BOOTIMG)

	cp $(INTERNAL_PREBUILT_BOOTIMAGE) $@

	$(UNPACK_BOOTIMG) --boot_img $(INTERNAL_PREBUILT_BOOTIMAGE) --out $(PRIVATE_WORKING_DIR)

	chmod +w $@

	$(AVBTOOL) add_hash_footer \

	    --image $@ \

	    --salt `sha256sum $(PRIVATE_WORKING_DIR)/kernel | cut -d " " -f 1` \

	    $(call get-partition-size-argument,$(BOARD_BOOTIMAGE_PARTITION_SIZE)) \

	    --partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \

	    $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)





$(call declare-container-license-metadata,$(INSTALLED_BOOTIMAGE_TARGET),SPDX-license-identifier-GPL-2.0-only SPDX-license-identifier-Apache-2.0,restricted notice,$(BUILD_SYSTEM)/LINUX_KERNEL_COPYING build/soong/licenses/LICENSE,"Boot Image",bool)

$(call declare-container-license-deps,$(INSTALLED_BOOTIMAGE_TARGET),$(INTERNAL_PREBUILT_BOOTIMAGE),$(PRODUCT_OUT)/:/)

core/config.mk

+1 −0
Original line number Diff line number Diff line
@@ -722,6 +722,7 @@ else 
BUILD_SUPER_IMAGE := $(BOARD_CUSTOM_BUILD_SUPER_IMAGE)

endif

IMG_FROM_TARGET_FILES := $(HOST_OUT_EXECUTABLES)/img_from_target_files$(HOST_EXECUTABLE_SUFFIX)

UNPACK_BOOTIMG := $(HOST_OUT_EXECUTABLES)/unpack_bootimg

MAKE_RECOVERY_PATCH := $(HOST_OUT_EXECUTABLES)/make_recovery_patch$(HOST_EXECUTABLE_SUFFIX)

OTA_FROM_TARGET_FILES := $(HOST_OUT_EXECUTABLES)/ota_from_target_files$(HOST_EXECUTABLE_SUFFIX)

OTA_FROM_RAW_IMG := $(HOST_OUT_EXECUTABLES)/ota_from_raw_img$(HOST_EXECUTABLE_SUFFIX)

tools/releasetools/common.py

+9 −1
Original line number Diff line number Diff line
@@ -1947,7 +1947,15 @@ def _SignBootableImage(image_path, prebuilt_name, partition_name, 
    cmd = [avbtool, "add_hash_footer", "--image", image_path,

           "--partition_size", str(part_size), "--partition_name",

           partition_name]

    AppendAVBSigningArgs(cmd, partition_name)

    # Use sha256 of the kernel as salt for reproducible builds

    with tempfile.TemporaryDirectory() as tmpdir:

      RunAndCheckOutput(["unpack_bootimg", "--boot_img", image_path, "--out", tmpdir])

      for filename in ["kernel", "ramdisk", "vendor_ramdisk00"]:

        path = os.path.join(tmpdir, filename)

        if os.path.exists(path) and os.path.getsize(path):

          with open(path, "rb") as fp:

            salt = sha256(fp.read()).hexdigest()

    AppendAVBSigningArgs(cmd, partition_name, salt)

    args = info_dict.get("avb_" + partition_name + "_add_hash_footer_args")

    if args and args.strip():

      split_args = ResolveAVBSigningPathArgs(shlex.split(args))