Merge "Support removing AVB public keys" am: b5aad1b937
Change-Id: Id96c2d48b5ea4f5b63e09970d8139433bae042aa
This commit is contained in:
Automerger Merge Worker
commit
33c9bd38da
|
|
@ -91,6 +91,14 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
|
|||
Replace the veritykeyid in BOOT/cmdline of input_target_file_zip
|
||||
with keyid of the cert pointed by <path_to_X509_PEM_cert_file>.
|
||||
|
||||
--remove_avb_public_keys <key1>,<key2>,...
|
||||
Remove AVB public keys from the first-stage ramdisk. The key file to
|
||||
remove is located at either of the following dirs:
|
||||
- BOOT/RAMDISK/avb/ or
|
||||
- BOOT/RAMDISK/first_stage_ramdisk/avb/
|
||||
The second dir will be used for lookup if BOARD_USES_RECOVERY_AS_BOOT is
|
||||
set to true.
|
||||
|
||||
--avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system,
|
||||
vbmeta_vendor}_algorithm <algorithm>
|
||||
--avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system,
|
||||
|
|
@ -150,6 +158,7 @@ OPTIONS.replace_ota_keys = False
|
|||
OPTIONS.replace_verity_public_key = False
|
||||
OPTIONS.replace_verity_private_key = False
|
||||
OPTIONS.replace_verity_keyid = False
|
||||
OPTIONS.remove_avb_public_keys = None
|
||||
OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys")
|
||||
OPTIONS.avb_keys = {}
|
||||
OPTIONS.avb_algorithms = {}
|
||||
|
|
@ -585,6 +594,18 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
|||
filename in ("BOOT/RAMDISK/verity_key",
|
||||
"ROOT/verity_key")):
|
||||
pass
|
||||
elif (OPTIONS.remove_avb_public_keys and
|
||||
(filename.startswith("BOOT/RAMDISK/avb/") or
|
||||
filename.startswith("BOOT/RAMDISK/first_stage_ramdisk/avb/"))):
|
||||
matched_removal = False
|
||||
for key_to_remove in OPTIONS.remove_avb_public_keys:
|
||||
if filename.endswith(key_to_remove):
|
||||
matched_removal = True
|
||||
print("Removing AVB public key from ramdisk: %s" % filename)
|
||||
break
|
||||
if not matched_removal:
|
||||
# Copy it verbatim if we don't want to remove it.
|
||||
common.ZipWriteStr(output_tf_zip, out_info, data)
|
||||
|
||||
# Skip verity keyid (for system_root_image use) if we will replace it.
|
||||
elif OPTIONS.replace_verity_keyid and filename == "BOOT/cmdline":
|
||||
|
|
@ -610,8 +631,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
|||
# Should NOT sign boot-debug.img.
|
||||
elif filename in (
|
||||
"BOOT/RAMDISK/force_debuggable",
|
||||
"RECOVERY/RAMDISK/force_debuggable"
|
||||
"RECOVERY/RAMDISK/first_stage_ramdisk/force_debuggable"):
|
||||
"BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"):
|
||||
raise common.ExternalError("debuggable boot.img cannot be signed")
|
||||
|
||||
# A non-APK file; copy it verbatim.
|
||||
|
|
@ -1135,6 +1155,8 @@ def main(argv):
|
|||
OPTIONS.replace_verity_private_key = (True, a)
|
||||
elif o == "--replace_verity_keyid":
|
||||
OPTIONS.replace_verity_keyid = (True, a)
|
||||
elif o == "--remove_avb_public_keys":
|
||||
OPTIONS.remove_avb_public_keys = a.split(",")
|
||||
elif o == "--avb_vbmeta_key":
|
||||
OPTIONS.avb_keys['vbmeta'] = a
|
||||
elif o == "--avb_vbmeta_algorithm":
|
||||
|
|
@ -1203,6 +1225,7 @@ def main(argv):
|
|||
"replace_verity_public_key=",
|
||||
"replace_verity_private_key=",
|
||||
"replace_verity_keyid=",
|
||||
"remove_avb_public_keys=",
|
||||
"avb_apex_extra_args=",
|
||||
"avb_vbmeta_algorithm=",
|
||||
"avb_vbmeta_key=",
|
||||
|
|
|
|||
Loading…
Reference in New Issue