am 53602955: Merge "Add support to sign bootable images with vboot_signer"
* commit '536029551d31d8084c444063349291781ee43ae1': Add support to sign bootable images with vboot_signer
commit
ae26f5b002
|
@ -717,6 +717,10 @@ $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verit
|
||||||
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(VERITY_SIGNER)" >> $(1))
|
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(VERITY_SIGNER)" >> $(1))
|
||||||
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION),$(hide) echo "system_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION)" >> $(1))
|
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION),$(hide) echo "system_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION)" >> $(1))
|
||||||
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION),$(hide) echo "vendor_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION)" >> $(1))
|
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION),$(hide) echo "vendor_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION)" >> $(1))
|
||||||
|
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)" >> $(1))
|
||||||
|
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_KEY)" >> $(1))
|
||||||
|
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "futility=$(FUTILITY)" >> $(1))
|
||||||
|
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot_signer_cmd=$(VBOOT_SIGNER)" >> $(1))
|
||||||
$(if $(filter true,$(BOARD_BUILD_SYSTEM_ROOT_IMAGE)),\
|
$(if $(filter true,$(BOARD_BUILD_SYSTEM_ROOT_IMAGE)),\
|
||||||
$(hide) echo "system_root_image=true" >> $(1);\
|
$(hide) echo "system_root_image=true" >> $(1);\
|
||||||
echo "ramdisk_dir=$(TARGET_ROOT_OUT)" >> $(1))
|
echo "ramdisk_dir=$(TARGET_ROOT_OUT)" >> $(1))
|
||||||
|
@ -847,9 +851,13 @@ define build-recoveryimage-target
|
||||||
$(hide) cat $(INSTALLED_DEFAULT_PROP_TARGET) $(recovery_build_prop) \
|
$(hide) cat $(INSTALLED_DEFAULT_PROP_TARGET) $(recovery_build_prop) \
|
||||||
> $(TARGET_RECOVERY_ROOT_OUT)/default.prop
|
> $(TARGET_RECOVERY_ROOT_OUT)/default.prop
|
||||||
$(hide) $(MKBOOTFS) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk)
|
$(hide) $(MKBOOTFS) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk)
|
||||||
$(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1)
|
$(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)), \
|
||||||
|
$(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1).unsigned, \
|
||||||
|
$(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1))
|
||||||
$(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY)),\
|
$(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY)),\
|
||||||
$(BOOT_SIGNER) /recovery $(1) $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem $(1))
|
$(BOOT_SIGNER) /recovery $(1) $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem $(1))
|
||||||
|
$(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)), \
|
||||||
|
$(VBOOT_SIGNER) $(FUTILITY) $(1).unsigned $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_KEY).vbpubk $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_KEY).vbprivk $(1).keyblock $(1))
|
||||||
$(hide) $(call assert-max-image-size,$(1),$(BOARD_RECOVERYIMAGE_PARTITION_SIZE))
|
$(hide) $(call assert-max-image-size,$(1),$(BOARD_RECOVERYIMAGE_PARTITION_SIZE))
|
||||||
@echo ----- Made recovery image: $(1) --------
|
@echo ----- Made recovery image: $(1) --------
|
||||||
endef
|
endef
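Review bot: In build-recoveryimage-target, a product that sets both PRODUCT_SUPPORTS_VERITY and PRODUCT_SUPPORTS_VBOOT to true runs `$(BOOT_SIGNER) /recovery $(1) ...` on a file this recipe no longer creates, because mkbootimg now writes `$(1).unsigned`; the later `$(VBOOT_SIGNER)` step then builds `$(1)` from the unsigned input regardless. Either reject the combination up front with an `$(error ...)`, or chain the steps explicitly so each signer reads the file the previous one produced. Separately, the info-file hunk tests the flag with a bare `$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),...)` while this target uses `$(filter true,...)`, so a value of `false` would still emit `vboot=false`, which the Python side's `info_dict.get("vboot", None)` treats as enabled. Using `$(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT))` in both places keeps the signing decision consistent.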
|
||||||
|
|
|
@ -346,6 +346,12 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
|
||||||
if args and args.strip():
|
if args and args.strip():
|
||||||
cmd.extend(shlex.split(args))
|
cmd.extend(shlex.split(args))
|
||||||
|
|
||||||
|
img_unsigned = None
|
||||||
|
if info_dict.get("vboot", None):
|
||||||
|
img_unsigned = tempfile.NamedTemporaryFile()
|
||||||
|
cmd.extend(["--ramdisk", ramdisk_img.name,
|
||||||
|
"--output", img_unsigned.name])
|
||||||
|
else:
|
||||||
cmd.extend(["--ramdisk", ramdisk_img.name,
|
cmd.extend(["--ramdisk", ramdisk_img.name,
|
||||||
"--output", img.name])
|
"--output", img.name])
|
||||||
|
|
||||||
|
@ -362,6 +368,18 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
|
||||||
p.communicate()
|
p.communicate()
|
||||||
assert p.returncode == 0, "boot_signer of %s image failed" % path
|
assert p.returncode == 0, "boot_signer of %s image failed" % path
|
||||||
|
|
||||||
|
# Sign the image if vboot is non-empty.
|
||||||
|
elif info_dict.get("vboot", None):
|
||||||
|
path = "/" + os.path.basename(sourcedir).lower()
|
||||||
|
img_keyblock = tempfile.NamedTemporaryFile()
|
||||||
|
cmd = [info_dict["vboot_signer_cmd"], info_dict["futility"],
|
||||||
|
img_unsigned.name, info_dict["vboot_key"] + ".vbpubk",
|
||||||
|
info_dict["vboot_key"] + ".vbprivk", img_keyblock.name,
|
||||||
|
img.name]
|
||||||
|
p = Run(cmd, stdout=subprocess.PIPE)
|
||||||
|
p.communicate()
|
||||||
|
assert p.returncode == 0, "vboot_signer of %s image failed" % path
|
||||||
|
|
||||||
img.seek(os.SEEK_SET, 0)
|
img.seek(os.SEEK_SET, 0)
|
||||||
data = img.read()
|
data = img.read()
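Review bot: The mkbootimg output file is chosen by `info_dict.get("vboot", None)` alone, but the vboot signing step is an `elif`, so if the preceding boot_signer branch (its condition is outside the hunk) is taken while vboot is also set, mkbootimg has written to `img_unsigned` and the final `img.read()` no longer reads the image that was built. Select the output with the same condition that guards the vboot signing branch, or raise when both signing modes are configured. The signer result is checked with `assert p.returncode == 0`, which is stripped under `python -O`; for a step that decides whether a signed image ships, an explicit `raise` on a non-zero exit is safer (the existing boot_signer check follows the same pattern). BuildBootableImage starts and ends outside these hunks.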
|
||||||
|
|
||||||
|
|