From 8ee4a3db8c76656b0d8bfd6ce8490451e3c10620 Mon Sep 17 00:00:00 2001 From: Bowgo Tsai Date: Fri, 31 Mar 2017 15:21:26 +0800 Subject: [PATCH 1/2] AVB: support signing vendor.img Uses avbtool to sign vendor.img if BOARD_AVB_ENABLE is set. It also allows appending additional arguments to avbtool via BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS. e.g., BOARD_AVB_ENABLE := true BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS := --generate_fec Bug: 35415839 Test: "make" with the above variables and use avbtool to check vbmeta is appended to vendor.img Test: "make dist" with the above variables Change-Id: I8ada38dff3def6d34613e77c67944def8a49f464 --- core/Makefile | 117 ++++++++++-------- tools/releasetools/add_img_to_target_files.py | 7 +- 2 files changed, 67 insertions(+), 57 deletions(-) diff --git a/core/Makefile b/core/Makefile index 971f78116..359f460e6 100644 --- a/core/Makefile +++ b/core/Makefile @@ -892,6 +892,8 @@ $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_signing_args=$(INTERNAL_AVB_SIGNING_A $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_avbtool=$(AVBTOOL)" >> $(1)) $(if $(BOARD_AVB_ENABLE),$(hide) echo "system_avb_enable=$(BOARD_AVB_ENABLE)" >> $(1)) $(if $(BOARD_AVB_ENABLE),$(hide) echo "system_avb_add_hashtree_footer_args=$(BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS)" >> $(1)) +$(if $(BOARD_AVB_ENABLE),$(hide) echo "vendor_avb_enable=$(BOARD_AVB_ENABLE)" >> $(1)) +$(if $(BOARD_AVB_ENABLE),$(hide) echo "vendor_avb_add_hashtree_footer_args=$(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS)" >> $(1)) $(if $(filter true,$(BOARD_USES_RECOVERY_AS_BOOT)),\ $(hide) echo "recovery_as_boot=true" >> $(1)) $(if $(filter true,$(BOARD_BUILD_SYSTEM_ROOT_IMAGE)),\ 
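Review bot: The two added `vendor_avb_*` lines test `$(if $(BOARD_AVB_ENABLE),...)`, which is true for any non-empty value, whereas the vbmeta section in this same patch uses `ifeq ($(BOARD_AVB_ENABLE),true)` and the neighbouring context lines use `$(filter true,...)`. With `BOARD_AVB_ENABLE := false` the property file would get `vendor_avb_enable=false`, so the consumer has to compare against `true` rather than test for presence; that consumer is not visible in this diff. Writing `$(if $(filter true,$(BOARD_AVB_ENABLE)),...)` on the new lines would remove the ambiguity. The value of BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS is passed through verbatim, so a one-line comment saying that it ends up on the avbtool command line would help whoever sets it.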
@@ -1584,61 +1586,6 @@ else # BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE IGNORE_CACHE_LINK := --exclude=cache endif # BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE -# ----------------------------------------------------------------- -# vbmeta image -ifeq ($(BOARD_AVB_ENABLE),true) - -BUILT_VBMETAIMAGE_TARGET := $(PRODUCT_OUT)/vbmeta.img - -INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS := \ - --include_descriptors_from_image $(INSTALLED_BOOTIMAGE_TARGET) \ - --include_descriptors_from_image $(INSTALLED_SYSTEMIMAGE) \ - --generate_dm_verity_cmdline_from_hashtree $(INSTALLED_SYSTEMIMAGE) - -ifdef BOARD_AVB_ROLLBACK_INDEX -INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += --rollback_index $(BOARD_AVB_ROLLBACK_INDEX) -endif - -ifndef BOARD_AVB_KEY_PATH -# If key path isn't specified, use the 4096-bit test key. -INTERNAL_AVB_SIGNING_ARGS := \ - --algorithm SHA256_RSA4096 \ - --key external/avb/test/data/testkey_rsa4096.pem -else -INTERNAL_AVB_SIGNING_ARGS := \ - --algorithm $(BOARD_AVB_ALGORITHM) --key $(BOARD_AVB_KEY_PATH) -endif - -ifndef BOARD_BOOTIMAGE_PARTITION_SIZE - $(error BOARD_BOOTIMAGE_PARTITION_SIZE must be set for BOARD_AVB_ENABLE) -endif - -ifndef BOARD_SYSTEMIMAGE_PARTITION_SIZE - $(error BOARD_SYSTEMIMAGE_PARTITION_SIZE must be set for BOARD_AVB_ENABLE) -endif - -define build-vbmetaimage-target - $(call pretty,"Target vbmeta image: $(INSTALLED_VBMETAIMAGE_TARGET)") - $(hide) $(AVBTOOL) make_vbmeta_image \ - $(INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS) \ - $(INTERNAL_AVB_SIGNING_ARGS) \ - $(BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS) \ - --output $@ -endef - -INSTALLED_VBMETAIMAGE_TARGET := $(BUILT_VBMETAIMAGE_TARGET) -$(INSTALLED_VBMETAIMAGE_TARGET): $(AVBTOOL) $(INSTALLED_BOOTIMAGE_TARGET) $(INSTALLED_SYSTEMIMAGE) - $(build-vbmetaimage-target) - -.PHONY: vbmetaimage-nodeps -vbmetaimage-nodeps: - $(build-vbmetaimage-target) - -# We need $(AVBTOOL) for system.img generation. 
-FULL_SYSTEMIMAGE_DEPS += $(AVBTOOL) - -endif # BOARD_AVB_ENABLE - # ----------------------------------------------------------------- # system_other partition image ifeq ($(BOARD_USES_SYSTEM_OTHER_ODEX),true) 
@@ -1742,6 +1689,66 @@ INSTALLED_VENDORIMAGE_TARGET := $(PRODUCT_OUT)/vendor.img $(eval $(call copy-one-file,$(BOARD_PREBUILT_VENDORIMAGE),$(INSTALLED_VENDORIMAGE_TARGET))) endif +# ----------------------------------------------------------------- +# vbmeta image +ifeq ($(BOARD_AVB_ENABLE),true) + +BUILT_VBMETAIMAGE_TARGET := $(PRODUCT_OUT)/vbmeta.img + +INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS := \ + --include_descriptors_from_image $(INSTALLED_BOOTIMAGE_TARGET) \ + --include_descriptors_from_image $(INSTALLED_SYSTEMIMAGE) \ + --generate_dm_verity_cmdline_from_hashtree $(INSTALLED_SYSTEMIMAGE) + +ifdef INSTALLED_VENDORIMAGE_TARGET +INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += \ + --include_descriptors_from_image $(INSTALLED_VENDORIMAGE_TARGET) +endif + +ifdef BOARD_AVB_ROLLBACK_INDEX +INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += --rollback_index $(BOARD_AVB_ROLLBACK_INDEX) +endif + +ifndef BOARD_AVB_KEY_PATH +# If key path isn't specified, use the 4096-bit test key. +INTERNAL_AVB_SIGNING_ARGS := \ + --algorithm SHA256_RSA4096 \ + --key external/avb/test/data/testkey_rsa4096.pem +else +INTERNAL_AVB_SIGNING_ARGS := \ + --algorithm $(BOARD_AVB_ALGORITHM) --key $(BOARD_AVB_KEY_PATH) +endif + +ifndef BOARD_BOOTIMAGE_PARTITION_SIZE + $(error BOARD_BOOTIMAGE_PARTITION_SIZE must be set for BOARD_AVB_ENABLE) +endif + +ifndef BOARD_SYSTEMIMAGE_PARTITION_SIZE + $(error BOARD_SYSTEMIMAGE_PARTITION_SIZE must be set for BOARD_AVB_ENABLE) +endif + +define build-vbmetaimage-target + $(call pretty,"Target vbmeta image: $(INSTALLED_VBMETAIMAGE_TARGET)") + $(hide) $(AVBTOOL) make_vbmeta_image \ + $(INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS) \ + $(INTERNAL_AVB_SIGNING_ARGS) \ + $(BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS) \ + --output $@ +endef + +INSTALLED_VBMETAIMAGE_TARGET := $(BUILT_VBMETAIMAGE_TARGET) +$(INSTALLED_VBMETAIMAGE_TARGET): $(AVBTOOL) $(INSTALLED_BOOTIMAGE_TARGET) $(INSTALLED_SYSTEMIMAGE) $(INSTALLED_VENDORIMAGE_TARGET) + $(build-vbmetaimage-target) + +.PHONY: vbmetaimage-nodeps +vbmetaimage-nodeps: 
+ $(build-vbmetaimage-target) + +# We need $(AVBTOOL) for system.img generation. +FULL_SYSTEMIMAGE_DEPS += $(AVBTOOL) + +endif # BOARD_AVB_ENABLE + # ----------------------------------------------------------------- # bring in the installer image generation defines if necessary ifeq ($(TARGET_USE_DISKINSTALLER),true) diff --git a/tools/releasetools/add_img_to_target_files.py b/tools/releasetools/add_img_to_target_files.py index 2b7aee452..abdbbbb51 100755 --- a/tools/releasetools/add_img_to_target_files.py +++ b/tools/releasetools/add_img_to_target_files.py @@ -285,7 +285,8 @@ def AddUserdata(output_zip, prefix="IMAGES/"): img.Write() -def AddVBMeta(output_zip, boot_img_path, system_img_path, prefix="IMAGES/"): +def AddVBMeta(output_zip, boot_img_path, system_img_path, vendor_img_path, + prefix="IMAGES/"): """Create a VBMeta image and store it in output_zip.""" img = OutputFile(output_zip, OPTIONS.input_tmp, prefix, "vbmeta.img") avbtool = os.getenv('AVBTOOL') or "avbtool" @@ -294,6 +295,8 @@ def AddVBMeta(output_zip, boot_img_path, system_img_path, prefix="IMAGES/"): "--include_descriptors_from_image", boot_img_path, "--include_descriptors_from_image", system_img_path, "--generate_dm_verity_cmdline_from_hashtree", system_img_path] + if vendor_img_path is not None: + cmd.extend(["--include_descriptors_from_image", vendor_img_path]) common.AppendAVBSigningArgs(cmd) args = OPTIONS.info_dict.get("board_avb_make_vbmeta_image_args", None) if args and args.strip(): @@ -477,7 +480,7 @@ def AddImagesToTargetFiles(filename): if OPTIONS.info_dict.get("board_avb_enable", None) == "true": banner("vbmeta") boot_contents = boot_image.WriteToTemp() - AddVBMeta(output_zip, boot_contents.name, system_img_path) + AddVBMeta(output_zip, boot_contents.name, system_img_path, vendor_img_path) # For devices using A/B update, copy over images from RADIO/ and/or # VENDOR_IMAGES/ to IMAGES/ and make sure we have all the needed 
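Review bot: The `ifndef BOARD_AVB_KEY_PATH` branch falls back silently to `external/avb/test/data/testkey_rsa4096.pem`, and with this patch that key also vouches for the vendor.img descriptors included a few lines above it. A key that lives in the source tree provides no authenticity, so a product configuration that forgets BOARD_AVB_KEY_PATH builds without complaint and yields a vbmeta signature that is worthless as a trust anchor. I would make the fallback visible, for example with `$(warning BOARD_AVB_KEY_PATH is not set, signing vbmeta with the AVB test key)` inside that branch. The `else` branch also uses `$(BOARD_AVB_ALGORITHM)` without checking that it is set, and the new vendor descriptor has no `BOARD_VENDORIMAGE_PARTITION_SIZE` check next to the boot and system ones.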
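Review bot: `vendor_img_path` is inserted as a positional parameter in front of `prefix`, so any caller that passes `prefix` positionally would now bind it to the vendor path; only one call site is updated in this diff. The docstring still reads only "Create a VBMeta image and store it in output_zip." and does not say that `vendor_img_path` may be `None`, in which case no vendor descriptor is included; I would add a line such as `vendor_img_path: path to vendor.img, or None when the target has no vendor image.`. The `is not None` test in the following hunk does not tell whether that image actually carries an AVB footer, and the `vendor_avb_enable` property written by the Makefile hunk is not consulted here. AddVBMeta's body continues outside both hunks.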
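Review bot: The updated call reads `vendor_img_path`, but nothing in this hunk assigns it. If AddImagesToTargetFiles sets it only inside a branch that runs when the target has a vendor image, AVB-enabled targets without one would raise a NameError at this call; confirm that it is initialised before that branch, e.g. `vendor_img_path = None`. The function starts and ends outside the hunk, so this cannot be checked from the lines shown.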
From 9b3776017f45b9857067929dac35f4e5f8ffdf17 Mon Sep 17 00:00:00 2001 From: Bowgo Tsai Date: Fri, 14 Apr 2017 18:50:11 +0800 Subject: [PATCH 2/2] AVB: support BOARD_BUILD_SYSTEM_ROOT_IMAGE Passing --setup_rootfs_from_kernel to avbtool when BOARD_BUILD_SYSTEM_ROOT_IMAGE is true Bug: 33590159 Test: 'make' sailfish with BOARD_AVB_ENABLE := true Test: 'make dist' with BOARD_AVB_ENABLE := true Change-Id: Ieb58dd9ae6be1eceb90a33c739b85cff5cbc6e0a --- core/Makefile | 5 ++++- tools/releasetools/add_img_to_target_files.py | 5 +++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/core/Makefile b/core/Makefile index 359f460e6..0a9937665 100644 --- a/core/Makefile +++ b/core/Makefile @@ -1698,13 +1698,16 @@ BUILT_VBMETAIMAGE_TARGET := $(PRODUCT_OUT)/vbmeta.img INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS := \ --include_descriptors_from_image $(INSTALLED_BOOTIMAGE_TARGET) \ --include_descriptors_from_image $(INSTALLED_SYSTEMIMAGE) \ - --generate_dm_verity_cmdline_from_hashtree $(INSTALLED_SYSTEMIMAGE) ifdef INSTALLED_VENDORIMAGE_TARGET INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += \ --include_descriptors_from_image $(INSTALLED_VENDORIMAGE_TARGET) endif +ifeq ($(BOARD_BUILD_SYSTEM_ROOT_IMAGE),true) +INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += --setup_rootfs_from_kernel $(BUILT_SYSTEMIMAGE) +endif + ifdef BOARD_AVB_ROLLBACK_INDEX INTERNAL_AVB_MAKE_VBMETA_IMAGE_ARGS += --rollback_index $(BOARD_AVB_ROLLBACK_INDEX) endif diff --git a/tools/releasetools/add_img_to_target_files.py b/tools/releasetools/add_img_to_target_files.py index abdbbbb51..7c3679cce 100755 --- a/tools/releasetools/add_img_to_target_files.py +++ b/tools/releasetools/add_img_to_target_files.py 
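Review bot: The new `--setup_rootfs_from_kernel` argument takes `$(BUILT_SYSTEMIMAGE)`, while the option it replaces and every other argument in this block use `$(INSTALLED_SYSTEMIMAGE)`, and the vbmeta rule from patch 1 lists only the installed image as a prerequisite. If the two variables can name different files, the argument would point at a file the rule does not depend on; `--setup_rootfs_from_kernel $(INSTALLED_SYSTEMIMAGE)` would also match the Python side, which passes `system_img_path` for both options. The context line ending in `$(INSTALLED_SYSTEMIMAGE) \` keeps its trailing backslash after the removal, so the assignment now continues into whatever line follows, and dropping that backslash is safer. Targets without BOARD_BUILD_SYSTEM_ROOT_IMAGE also lose `--generate_dm_verity_cmdline_from_hashtree` with no replacement, here and in the AddVBMeta hunk, which deserves a comment saying where verity is expected to be set up for them.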
@@ -293,10 +293,11 @@ def AddVBMeta(output_zip, boot_img_path, system_img_path, vendor_img_path, cmd = [avbtool, "make_vbmeta_image", "--output", img.name, "--include_descriptors_from_image", boot_img_path, - "--include_descriptors_from_image", system_img_path, - "--generate_dm_verity_cmdline_from_hashtree", system_img_path] + "--include_descriptors_from_image", system_img_path] if vendor_img_path is not None: cmd.extend(["--include_descriptors_from_image", vendor_img_path]) + if OPTIONS.info_dict.get("system_root_image", None) == "true": + cmd.extend(["--setup_rootfs_from_kernel", system_img_path]) common.AppendAVBSigningArgs(cmd) args = OPTIONS.info_dict.get("board_avb_make_vbmeta_image_args", None) if args and args.strip():