Fix the path for verity_key replacement when signing.
system_root_image expects the key at ROOT/verity_key as opposed to BOOT/verity_key. Also refactor the verity key replacement lines. Bug: 29397395 Test: 'sign_target_files_apks.py --replace_verity_private_key newkey --replace_verity_public_key newkey.pub target_files.zip signed-target_files.zip' and verify the replaced key in boot.img. Change-Id: I58a5defff4be008ad55d4b5a5b7148569c3b8d66
This commit is contained in:
Tao Bao
parent
2abbbd0333
commit
e0ee794fa1
|
|
@ -65,9 +65,19 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
|
||||||
removed. Changes are processed in the order they appear.
|
removed. Changes are processed in the order they appear.
|
||||||
Default value is "-test-keys,-dev-keys,+release-keys".
|
Default value is "-test-keys,-dev-keys,+release-keys".
|
||||||
|
|
||||||
|
--replace_verity_private_key <key>
|
||||||
|
Replace the private key used for verity signing. It expects a filename
|
||||||
|
WITHOUT the extension (e.g. verity_key).
|
||||||
|
|
||||||
|
--replace_verity_public_key <key>
|
||||||
|
Replace the certificate (public key) used for verity verification. The
|
||||||
|
key file replaces the one at BOOT/RAMDISK/verity_key (or ROOT/verity_key
|
||||||
|
for devices using system_root_image). It expects the key filename WITH
|
||||||
|
the extension (e.g. verity_key.pub).
|
||||||
|
|
||||||
--replace_verity_keyid <path_to_X509_PEM_cert_file>
|
--replace_verity_keyid <path_to_X509_PEM_cert_file>
|
||||||
Replace the veritykeyid in BOOT/cmdline of input_target_file_zip
|
Replace the veritykeyid in BOOT/cmdline of input_target_file_zip
|
||||||
with keyid of the cert pointed by <path_to_X509_PEM_cert_file>
|
with keyid of the cert pointed by <path_to_X509_PEM_cert_file>.
|
||||||
"""
|
"""
|
||||||
|
|
||||||
import sys
|
import sys
|
||||||
|
|
@ -204,26 +214,6 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
||||||
data = input_tf_zip.read(info.filename)
|
data = input_tf_zip.read(info.filename)
|
||||||
out_info = copy.copy(info)
|
out_info = copy.copy(info)
|
||||||
|
|
||||||
# Replace keys if requested.
|
|
||||||
if (info.filename == "META/misc_info.txt" and
|
|
||||||
OPTIONS.replace_verity_private_key):
|
|
||||||
ReplaceVerityPrivateKey(input_tf_zip, output_tf_zip, misc_info,
|
|
||||||
OPTIONS.replace_verity_private_key[1])
|
|
||||||
elif (info.filename in ("BOOT/RAMDISK/verity_key",
|
|
||||||
"BOOT/verity_key") and
|
|
||||||
OPTIONS.replace_verity_public_key):
|
|
||||||
new_data = ReplaceVerityPublicKey(output_tf_zip, info.filename,
|
|
||||||
OPTIONS.replace_verity_public_key[1])
|
|
||||||
write_to_temp(info.filename, info.external_attr, new_data)
|
|
||||||
elif (info.filename == "BOOT/cmdline" and
|
|
||||||
OPTIONS.replace_verity_keyid):
|
|
||||||
new_cmdline = ReplaceVerityKeyId(input_tf_zip, output_tf_zip,
|
|
||||||
OPTIONS.replace_verity_keyid[1])
|
|
||||||
# Writing the new cmdline to tmpdir is redundant as the bootimage
|
|
||||||
# gets build in the add_image_to_target_files and rebuild_recovery
|
|
||||||
# is not exercised while building the boot image for the A/B
|
|
||||||
# path
|
|
||||||
write_to_temp(info.filename, info.external_attr, new_cmdline)
|
|
||||||
# Sign APKs.
|
# Sign APKs.
|
||||||
if info.filename.endswith(".apk"):
|
if info.filename.endswith(".apk"):
|
||||||
name = os.path.basename(info.filename)
|
name = os.path.basename(info.filename)
|
||||||
|
|
@ -270,19 +260,20 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
||||||
"SYSTEM/etc/update_engine/update-payload-key.pub.pem")):
|
"SYSTEM/etc/update_engine/update-payload-key.pub.pem")):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
# Skip verity keys since they have been processed above.
|
# Skip META/misc_info.txt if we will replace the verity private key later.
|
||||||
# TODO: verity_key is at a wrong location (BOOT/verity_key). Will fix and
|
|
||||||
# clean up verity related lines in a separate CL.
|
|
||||||
elif (OPTIONS.replace_verity_private_key and
|
elif (OPTIONS.replace_verity_private_key and
|
||||||
info.filename == "META/misc_info.txt"):
|
info.filename == "META/misc_info.txt"):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
# Skip verity public key if we will replace it.
|
||||||
elif (OPTIONS.replace_verity_public_key and
|
elif (OPTIONS.replace_verity_public_key and
|
||||||
info.filename in ("BOOT/RAMDISK/verity_key",
|
info.filename in ("BOOT/RAMDISK/verity_key",
|
||||||
"BOOT/verity_key")):
|
"ROOT/verity_key")):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
elif (info.filename == "BOOT/cmdline" and
|
# Skip verity keyid (for system_root_image use) if we will replace it.
|
||||||
OPTIONS.replace_verity_keyid):
|
elif (OPTIONS.replace_verity_keyid and
|
||||||
|
info.filename == "BOOT/cmdline"):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
# Copy BOOT/, RECOVERY/, META/, ROOT/ to rebuild recovery patch. This case
|
# Copy BOOT/, RECOVERY/, META/, ROOT/ to rebuild recovery patch. This case
|
||||||
|
|
@ -311,6 +302,32 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
||||||
# tmpdir in case we need to regenerate the recovery-from-boot patch.
|
# tmpdir in case we need to regenerate the recovery-from-boot patch.
|
||||||
write_to_temp(recovery_keys_location, 0o755 << 16, new_recovery_keys)
|
write_to_temp(recovery_keys_location, 0o755 << 16, new_recovery_keys)
|
||||||
|
|
||||||
|
# Replace the keyid string in META/misc_info.txt.
|
||||||
|
if OPTIONS.replace_verity_private_key:
|
||||||
|
ReplaceVerityPrivateKey(input_tf_zip, output_tf_zip, misc_info,
|
||||||
|
OPTIONS.replace_verity_private_key[1])
|
||||||
|
|
||||||
|
if OPTIONS.replace_verity_public_key:
|
||||||
|
if system_root_image:
|
||||||
|
dest = "ROOT/verity_key"
|
||||||
|
else:
|
||||||
|
dest = "BOOT/RAMDISK/verity_key"
|
||||||
|
# We are replacing the one in boot image only, since the one under
|
||||||
|
# recovery won't ever be needed.
|
||||||
|
new_data = ReplaceVerityPublicKey(
|
||||||
|
output_tf_zip, dest, OPTIONS.replace_verity_public_key[1])
|
||||||
|
write_to_temp(dest, 0o755 << 16, new_data)
|
||||||
|
|
||||||
|
# Replace the keyid string in BOOT/cmdline.
|
||||||
|
if OPTIONS.replace_verity_keyid:
|
||||||
|
new_cmdline = ReplaceVerityKeyId(input_tf_zip, output_tf_zip,
|
||||||
|
OPTIONS.replace_verity_keyid[1])
|
||||||
|
# Writing the new cmdline to tmpdir is redundant as the bootimage
|
||||||
|
# gets build in the add_image_to_target_files and rebuild_recovery
|
||||||
|
# is not exercised while building the boot image for the A/B
|
||||||
|
# path
|
||||||
|
write_to_temp("BOOT/cmdline", 0o755 << 16, new_cmdline)
|
||||||
|
|
||||||
if rebuild_recovery:
|
if rebuild_recovery:
|
||||||
recovery_img = common.GetBootableImage(
|
recovery_img = common.GetBootableImage(
|
||||||
"recovery.img", "recovery.img", tmpdir, "RECOVERY", info_dict=misc_info)
|
"recovery.img", "recovery.img", tmpdir, "RECOVERY", info_dict=misc_info)
|
||||||
|
|
@ -492,6 +509,7 @@ def ReplaceOtaKeys(input_tf_zip, output_tf_zip, misc_info):
|
||||||
|
|
||||||
return new_recovery_keys
|
return new_recovery_keys
|
||||||
|
|
||||||
|
|
||||||
def ReplaceVerityPublicKey(targetfile_zip, filename, key_path):
|
def ReplaceVerityPublicKey(targetfile_zip, filename, key_path):
|
||||||
print "Replacing verity public key with %s" % key_path
|
print "Replacing verity public key with %s" % key_path
|
||||||
with open(key_path) as f:
|
with open(key_path) as f:
|
||||||
|
|
@ -499,6 +517,7 @@ def ReplaceVerityPublicKey(targetfile_zip, filename, key_path):
|
||||||
common.ZipWriteStr(targetfile_zip, filename, data)
|
common.ZipWriteStr(targetfile_zip, filename, data)
|
||||||
return data
|
return data
|
||||||
|
|
||||||
|
|
||||||
def ReplaceVerityPrivateKey(targetfile_input_zip, targetfile_output_zip,
|
def ReplaceVerityPrivateKey(targetfile_input_zip, targetfile_output_zip,
|
||||||
misc_info, key_path):
|
misc_info, key_path):
|
||||||
print "Replacing verity private key with %s" % key_path
|
print "Replacing verity private key with %s" % key_path
|
||||||
|
|
@ -508,6 +527,7 @@ def ReplaceVerityPrivateKey(targetfile_input_zip, targetfile_output_zip,
|
||||||
common.ZipWriteStr(targetfile_output_zip, "META/misc_info.txt", new_misc_info)
|
common.ZipWriteStr(targetfile_output_zip, "META/misc_info.txt", new_misc_info)
|
||||||
misc_info["verity_key"] = key_path
|
misc_info["verity_key"] = key_path
|
||||||
|
|
||||||
|
|
||||||
def ReplaceVerityKeyId(targetfile_input_zip, targetfile_output_zip, keypath):
|
def ReplaceVerityKeyId(targetfile_input_zip, targetfile_output_zip, keypath):
|
||||||
in_cmdline = targetfile_input_zip.read("BOOT/cmdline")
|
in_cmdline = targetfile_input_zip.read("BOOT/cmdline")
|
||||||
# copy in_cmdline to output_zip if veritykeyid is not present in in_cmdline
|
# copy in_cmdline to output_zip if veritykeyid is not present in in_cmdline
|
||||||
|
|
@ -532,6 +552,7 @@ def ReplaceVerityKeyId(targetfile_input_zip, targetfile_output_zip, keypath):
|
||||||
common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", out_cmdline)
|
common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", out_cmdline)
|
||||||
return out_cmdline
|
return out_cmdline
|
||||||
|
|
||||||
|
|
||||||
def BuildKeyMap(misc_info, key_mapping_options):
|
def BuildKeyMap(misc_info, key_mapping_options):
|
||||||
for s, d in key_mapping_options:
|
for s, d in key_mapping_options:
|
||||||
if s is None: # -d option
|
if s is None: # -d option
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue