Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fa58c8aa authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Use deterministic salt for AVB footer of prebuilt boot img" into main... 

Merge "Use deterministic salt for AVB footer of prebuilt boot img" into main am: 07f84b7b am: fa0091a9

Original change: https://android-review.googlesource.com/c/platform/build/+/2794713



Change-Id: Ica324fbafcd30ee37aa05a864f2c7b0eef554636
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 72fc2828 fa0091a9

core/Makefile

+5 −1
Original line number Diff line number Diff line
@@ -1444,15 +1444,19 @@ INTERNAL_PREBUILT_BOOTIMAGE := $(BOARD_PREBUILT_BOOTIMAGE) 
INSTALLED_BOOTIMAGE_TARGET := $(PRODUCT_OUT)/boot.img



ifeq ($(BOARD_AVB_ENABLE),true)

$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH)

$(INSTALLED_BOOTIMAGE_TARGET): PRIVATE_WORKING_DIR := $(call intermediates-dir-for,PACKAGING,prebuilt_bootimg)

$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH) $(UNPACK_BOOTIMG)

	cp $(INTERNAL_PREBUILT_BOOTIMAGE) $@

	$(UNPACK_BOOTIMG) --boot_img $(INTERNAL_PREBUILT_BOOTIMAGE) --out $(PRIVATE_WORKING_DIR)

	chmod +w $@

	$(AVBTOOL) add_hash_footer \

	    --image $@ \

	    --salt `sha256sum $(PRIVATE_WORKING_DIR)/kernel | cut -d " " -f 1` \

	    $(call get-partition-size-argument,$(BOARD_BOOTIMAGE_PARTITION_SIZE)) \

	    --partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \

	    $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)





$(call declare-container-license-metadata,$(INSTALLED_BOOTIMAGE_TARGET),SPDX-license-identifier-GPL-2.0-only SPDX-license-identifier-Apache-2.0,restricted notice,$(BUILD_SYSTEM)/LINUX_KERNEL_COPYING build/soong/licenses/LICENSE,"Boot Image",bool)

$(call declare-container-license-deps,$(INSTALLED_BOOTIMAGE_TARGET),$(INTERNAL_PREBUILT_BOOTIMAGE),$(PRODUCT_OUT)/:/)

core/config.mk

+1 −0
Original line number Diff line number Diff line
@@ -722,6 +722,7 @@ else 
BUILD_SUPER_IMAGE := $(BOARD_CUSTOM_BUILD_SUPER_IMAGE)

endif

IMG_FROM_TARGET_FILES := $(HOST_OUT_EXECUTABLES)/img_from_target_files$(HOST_EXECUTABLE_SUFFIX)

UNPACK_BOOTIMG := $(HOST_OUT_EXECUTABLES)/unpack_bootimg

MAKE_RECOVERY_PATCH := $(HOST_OUT_EXECUTABLES)/make_recovery_patch$(HOST_EXECUTABLE_SUFFIX)

OTA_FROM_TARGET_FILES := $(HOST_OUT_EXECUTABLES)/ota_from_target_files$(HOST_EXECUTABLE_SUFFIX)

OTA_FROM_RAW_IMG := $(HOST_OUT_EXECUTABLES)/ota_from_raw_img$(HOST_EXECUTABLE_SUFFIX)

tools/releasetools/common.py

+9 −1
Original line number Diff line number Diff line
@@ -1947,7 +1947,15 @@ def _SignBootableImage(image_path, prebuilt_name, partition_name, 
    cmd = [avbtool, "add_hash_footer", "--image", image_path,

           "--partition_size", str(part_size), "--partition_name",

           partition_name]

    AppendAVBSigningArgs(cmd, partition_name)

    # Use sha256 of the kernel as salt for reproducible builds

    with tempfile.TemporaryDirectory() as tmpdir:

      RunAndCheckOutput(["unpack_bootimg", "--boot_img", image_path, "--out", tmpdir])

      for filename in ["kernel", "ramdisk", "vendor_ramdisk00"]:

        path = os.path.join(tmpdir, filename)

        if os.path.exists(path) and os.path.getsize(path):

          with open(path, "rb") as fp:

            salt = sha256(fp.read()).hexdigest()

    AppendAVBSigningArgs(cmd, partition_name, salt)

    args = info_dict.get("avb_" + partition_name + "_add_hash_footer_args")

    if args and args.strip():

      split_args = ResolveAVBSigningPathArgs(shlex.split(args))