Merge "Support verifying system_other"

core/Makefile

@@ -1436,7 +1436,8 @@ $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_system_other_add_hashtree_footer_args
 $(if $(BOARD_AVB_ENABLE),\
     $(if $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH),\
         $(hide) echo "avb_system_other_key_path=$(BOARD_AVB_SYSTEM_OTHER_KEY_PATH)" >> $(1)
-        $(hide) echo "avb_system_other_algorithm=$(BOARD_AVB_SYSTEM_OTHER_ALGORITHM)" >> $(1)))
+        $(hide) echo "avb_system_other_algorithm=$(BOARD_AVB_SYSTEM_OTHER_ALGORITHM)" >> $(1)
+        $(hide) echo "avb_system_extract_system_other_key=true" >> $(1)))
 $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))
 $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_add_hashtree_footer_args=$(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))
 $(if $(BOARD_AVB_ENABLE),\
@@ -2941,6 +2942,10 @@ BOARD_AVB_SYSTEM_OTHER_KEY_PATH := $(BOARD_AVB_KEY_PATH)
 BOARD_AVB_SYSTEM_OTHER_ALGORITHM := $(BOARD_AVB_ALGORITHM)
 endif
 
+# To extract the public key of SYSTEM_OTHER_KEY_PATH will into system.img:
+# /system/etc/security/avb/system_other.avbpubkey.
+FULL_SYSTEMIMAGE_DEPS += $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH)
+
 ifndef BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX
 BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
 endif

tools/releasetools/build_image.py

@@ -739,6 +739,26 @@ def SaveGlobalDict(filename, glob_dict):
   with open(filename, "w") as f:
     f.writelines(["%s=%s" % (key, value) for (key, value) in glob_dict.items()])
 
+def ExtractSystemOtherAvbKey(in_dir, glob_dict):
+  if glob_dict.get("avb_system_extract_system_other_key") != "true":
+    return
+
+  extract_to = os.path.join(in_dir, "etc/security/avb/system_other.avbpubkey")
+  extract_to_dir = os.path.dirname(extract_to)
+
+  if os.path.isdir(extract_to_dir):
+    shutil.rmtree(extract_to_dir)
+  elif os.path.isfile(extract_to_dir):
+    os.remove(extract_to_dir)
+  os.mkdir(extract_to_dir);
+
+  # Extracts the public key used to sign system_other.img, into system.img:
+  #   /system/etc/security/avb/system_other.avbpubkey.
+  avbtool = os.getenv('AVBTOOL') or glob_dict.get("avb_avbtool")
+  extract_from = glob_dict.get("avb_system_other_key_path")
+  cmd = [avbtool, "extract_public_key", "--key", extract_from,
+         "--output", extract_to]
+  common.RunAndCheckOutput(cmd, verbose=False)
 
 def main(argv):
   if len(argv) < 4 or len(argv) > 5:
@@ -763,6 +783,7 @@ def main(argv):
     mount_point = ""
     if image_filename == "system.img":
       mount_point = "system"
+      ExtractSystemOtherAvbKey(in_dir, glob_dict)
     elif image_filename == "system_other.img":
       mount_point = "system_other"
     elif image_filename == "userdata.img":