Moving system_other key into product.img
Currently the system_other AVB public key is placed in system.img. However, this makes it harder to have a *generic* system.img across different product configs. Moving the key to the /product partition allows more product-specific AVB keys. A device board config can add /product/etc/fstab.postinstall to mount system_other with this key in /product. It can specify different mount options, file systems, verity settings, etc., in this product-specific fstab as well. Bug: 123611926 Test: `make productimage` checks that the following is generated: $OUT/product/etc/security/avb/system_other.avbpubkey Also checks it's included in $OUT/installed-files-product.{json, txt} Test: run the following command and check that PRODUCT/etc/security/avb/system_other.avbpubkey is updated: ./build/tools/releasetools/sign_target_files_apks \ --avb_system_other_algorithm SHA256_RSA2048 \ --avb_system_other_key external/avb/test/data/testkey_rsa2048.pem \ out/dist/*-target_files-*.zip signed-target_files.zip Change-Id: I6804f29941bec54375d80bd68a5aedb5c23b842e
parent
995c632cdc
commit
e4544b1c02
@ -610,6 +610,9 @@ $(call add-clean-step, rm -rf $(HOST_CROSS_OUT_TESTCASES)/*)
|
|||
$(call add-clean-step, rm -rf $(TARGET_OUT_DATA)/*)
|
||||
$(call add-clean-step, rm -rf $(HOST_OUT)/vts/*)
|
||||
$(call add-clean-step, rm -rf $(HOST_OUT)/framework/vts-tradefed.jar)
|
||||
|
||||
# Clean up old location of system_other.avbpubkey
|
||||
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/security/avb/)
|
||||
# ************************************************
|
||||
# NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST
|
||||
# ************************************************
|
||||
|
|
|
@ -717,6 +717,13 @@ $(BUILD_SYSTEM_STATS):
|
|||
@$(foreach s,$(STATS.SOONG_MODULE_TYPE),echo "modules_type_soong,$(s),$(STATS.SOONG_MODULE_TYPE.$(s))" >>$@;)
|
||||
$(call dist-for-goals,droidcore,$(BUILD_SYSTEM_STATS))
|
||||
|
||||
# -----------------------------------------------------------------
|
||||
# build /product/etc/security/avb/system_other.avbpubkey if needed
|
||||
ifdef BUILDING_SYSTEM_OTHER_IMAGE
|
||||
INSTALLED_PRODUCT_SYSTEM_OTHER_AVBKEY_TARGET := $(TARGET_OUT_PRODUCT_ETC)/security/avb/system_other.avbpubkey
|
||||
ALL_DEFAULT_INSTALLED_MODULES += $(INSTALLED_PRODUCT_SYSTEM_OTHER_AVBKEY_TARGET)
|
||||
endif # BUILDING_SYSTEM_OTHER_IMAGE
|
||||
|
||||
# -----------------------------------------------------------------
|
||||
# Modules ready to be converted to Soong, ordered by how many
|
||||
# modules depend on them.
|
||||
|
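Review bot: The install of INSTALLED_PRODUCT_SYSTEM_OTHER_AVBKEY_TARGET is gated only on BUILDING_SYSTEM_OTHER_IMAGE, while the rule that actually produces it (the later hunk around line 2974) sits next to the BOARD_AVB_SYSTEM_OTHER_* defaults, which looks like an AVB-only block whose opening conditional is outside this page. If that is so, a device that builds system_other without BOARD_AVB_ENABLE would add a module to ALL_DEFAULT_INSTALLED_MODULES that has no rule to build it. I would guard the two assignments with `ifeq ($(BOARD_AVB_ENABLE),true)` inside the existing `ifdef BUILDING_SYSTEM_OTHER_IMAGE`, with a matching `endif`. The surrounding Makefile section starts and ends outside the hunk.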
@ -1451,8 +1458,7 @@ $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_system_other_add_hashtree_footer_args
|
|||
$(if $(BOARD_AVB_ENABLE),\
|
||||
$(if $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH),\
|
||||
$(hide) echo "avb_system_other_key_path=$(BOARD_AVB_SYSTEM_OTHER_KEY_PATH)" >> $(1)
|
||||
$(hide) echo "avb_system_other_algorithm=$(BOARD_AVB_SYSTEM_OTHER_ALGORITHM)" >> $(1)
|
||||
$(hide) echo "avb_system_extract_system_other_key=true" >> $(1)))
|
||||
$(hide) echo "avb_system_other_algorithm=$(BOARD_AVB_SYSTEM_OTHER_ALGORITHM)" >> $(1)))
|
||||
$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))
|
||||
$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_add_hashtree_footer_args=$(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))
|
||||
$(if $(BOARD_AVB_ENABLE),\
|
||||
|
@ -2968,9 +2974,11 @@ BOARD_AVB_SYSTEM_OTHER_KEY_PATH := $(BOARD_AVB_KEY_PATH)
|
|||
BOARD_AVB_SYSTEM_OTHER_ALGORITHM := $(BOARD_AVB_ALGORITHM)
|
||||
endif
|
||||
|
||||
# To extract the public key of SYSTEM_OTHER_KEY_PATH will into system.img:
|
||||
# /system/etc/security/avb/system_other.avbpubkey.
|
||||
FULL_SYSTEMIMAGE_DEPS += $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH)
|
||||
$(INSTALLED_PRODUCT_SYSTEM_OTHER_AVBKEY_TARGET): $(AVBTOOL) $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH)
|
||||
@echo Extracting system_other avb key: $@
|
||||
@rm -f $@
|
||||
@mkdir -p $(dir $@)
|
||||
$(AVBTOOL) extract_public_key --key $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH) --output $@
|
||||
|
||||
ifndef BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX
|
||||
BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
|
||||
|
|
|
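Review bot: The removed lines carried the only comment explaining what this key is for, and the new rule has none, so a reader of the Makefile cannot tell why a public key is extracted into /product. I would put above the rule: `# Public half of BOARD_AVB_SYSTEM_OTHER_KEY_PATH, installed to /product/etc/security/avb/ so a product-specific /product/etc/fstab.postinstall can verify system_other against it.` It is also worth a sentence that this key is only as trustworthy as the product partition it lives in, since a practitioner reading the rule in isolation may not see that the trust anchor has moved from system to product. The conditional block that the context `endif` closes, and any condition enclosing the new rule, are outside the hunk.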
@ -740,28 +740,6 @@ def SaveGlobalDict(filename, glob_dict):
|
|||
f.writelines(["%s=%s" % (key, value) for (key, value) in glob_dict.items()])
|
||||
|
||||
|
||||
def ExtractSystemOtherAvbKey(in_dir, glob_dict):
|
||||
if glob_dict.get("avb_system_extract_system_other_key") != "true":
|
||||
return
|
||||
|
||||
extract_to = os.path.join(in_dir, "etc/security/avb/system_other.avbpubkey")
|
||||
extract_to_dir = os.path.dirname(extract_to)
|
||||
|
||||
if os.path.isdir(extract_to_dir):
|
||||
shutil.rmtree(extract_to_dir)
|
||||
elif os.path.isfile(extract_to_dir):
|
||||
os.remove(extract_to_dir)
|
||||
os.mkdir(extract_to_dir);
|
||||
|
||||
# Extracts the public key used to sign system_other.img, into system.img:
|
||||
# /system/etc/security/avb/system_other.avbpubkey.
|
||||
avbtool = glob_dict.get("avb_avbtool")
|
||||
extract_from = glob_dict.get("avb_system_other_key_path")
|
||||
cmd = [avbtool, "extract_public_key", "--key", extract_from,
|
||||
"--output", extract_to]
|
||||
common.RunAndCheckOutput(cmd, verbose=False)
|
||||
|
||||
|
||||
def main(argv):
|
||||
if len(argv) < 4 or len(argv) > 5:
|
||||
print(__doc__)
|
||||
|
@ -785,7 +763,6 @@ def main(argv):
|
|||
mount_point = ""
|
||||
if image_filename == "system.img":
|
||||
mount_point = "system"
|
||||
ExtractSystemOtherAvbKey(in_dir, glob_dict)
|
||||
elif image_filename == "system_other.img":
|
||||
mount_point = "system_other"
|
||||
elif image_filename == "userdata.img":
|
||||
|
|
|
@ -91,12 +91,12 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
|
|||
Replace the veritykeyid in BOOT/cmdline of input_target_file_zip
|
||||
with keyid of the cert pointed by <path_to_X509_PEM_cert_file>.
|
||||
|
||||
--avb_{boot,system,vendor,dtbo,vbmeta}_algorithm <algorithm>
|
||||
--avb_{boot,system,vendor,dtbo,vbmeta}_key <key>
|
||||
--avb_{boot,system,system_other,vendor,dtbo,vbmeta}_algorithm <algorithm>
|
||||
--avb_{boot,system,system_other,vendor,dtbo,vbmeta}_key <key>
|
||||
Use the specified algorithm (e.g. SHA256_RSA4096) and the key to AVB-sign
|
||||
the specified image. Otherwise it uses the existing values in info dict.
|
||||
|
||||
--avb_{apex,boot,system,vendor,dtbo,vbmeta}_extra_args <args>
|
||||
--avb_{apex,boot,system,system_other,vendor,dtbo,vbmeta}_extra_args <args>
|
||||
Specify any additional args that are needed to AVB-sign the image
|
||||
(e.g. "--signing_helper /path/to/helper"). The args will be appended to
|
||||
the existing ones in info dict.
|
||||
|
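Review bot: The usage text now lists system_other among the --avb_*_key targets but does not say that --avb_system_other_key has a second effect beyond signing system_other.img: the later hunk in ProcessTargetFiles rewrites PRODUCT/etc/security/avb/system_other.avbpubkey from that key. Someone re-signing with a different system_other key would want to know the public key in the target files is regenerated rather than carried over. I would add after the key paragraph: `For system_other, the public key derived from --avb_system_other_key is also written to PRODUCT/etc/security/avb/system_other.avbpubkey.`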
@ -584,6 +584,18 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info,
|
|||
elif filename == "META/care_map.pb" or filename == "META/care_map.txt":
|
||||
pass
|
||||
|
||||
# Updates system_other.avbpubkey in /product/etc/.
|
||||
elif filename in (
|
||||
"PRODUCT/etc/security/avb/system_other.avbpubkey",
|
||||
"SYSTEM/product/etc/security/avb/system_other.avbpubkey"):
|
||||
# Only update system_other's public key, if the corresponding signing
|
||||
# key is specified via --avb_system_other_key.
|
||||
signing_key = OPTIONS.avb_keys.get("system_other")
|
||||
if signing_key:
|
||||
public_key = common.ExtractAvbPublicKey(signing_key)
|
||||
print(" Rewriting AVB public key of system_other in /product")
|
||||
common.ZipWrite(output_tf_zip, public_key, filename)
|
||||
|
||||
# A non-APK file; copy it verbatim.
|
||||
else:
|
||||
common.ZipWriteStr(output_tf_zip, out_info, data)
|
||||
|
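Review bot: When --avb_system_other_key is not given, the new `elif` still claims the system_other.avbpubkey entry but writes nothing, so the file is silently dropped from the output target files instead of being copied verbatim by the trailing `else`; a build signed that way would lose the key that fstab.postinstall uses to verify system_other. The branch needs a fallback after the `if signing_key:` block: `else:` / `common.ZipWriteStr(output_tf_zip, out_info, data)`. The hunk shows only part of ProcessTargetFiles; its loop and the definitions of out_info and data are outside it.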
@ -934,6 +946,7 @@ def ReplaceAvbSigningKeys(misc_info):
|
|||
'dtbo' : 'avb_dtbo_add_hash_footer_args',
|
||||
'recovery' : 'avb_recovery_add_hash_footer_args',
|
||||
'system' : 'avb_system_add_hashtree_footer_args',
|
||||
'system_other' : 'avb_system_other_add_hashtree_footer_args',
|
||||
'vendor' : 'avb_vendor_add_hashtree_footer_args',
|
||||
'vbmeta' : 'avb_vbmeta_args',
|
||||
}
|
||||
|
@ -1153,6 +1166,12 @@ def main(argv):
|
|||
OPTIONS.avb_algorithms['system'] = a
|
||||
elif o == "--avb_system_extra_args":
|
||||
OPTIONS.avb_extra_args['system'] = a
|
||||
elif o == "--avb_system_other_key":
|
||||
OPTIONS.avb_keys['system_other'] = a
|
||||
elif o == "--avb_system_other_algorithm":
|
||||
OPTIONS.avb_algorithms['system_other'] = a
|
||||
elif o == "--avb_system_other_extra_args":
|
||||
OPTIONS.avb_extra_args['system_other'] = a
|
||||
elif o == "--avb_vendor_key":
|
||||
OPTIONS.avb_keys['vendor'] = a
|
||||
elif o == "--avb_vendor_algorithm":
|
||||
|
@ -1192,6 +1211,9 @@ def main(argv):
|
|||
"avb_system_algorithm=",
|
||||
"avb_system_key=",
|
||||
"avb_system_extra_args=",
|
||||
"avb_system_other_algorithm=",
|
||||
"avb_system_other_key=",
|
||||
"avb_system_other_extra_args=",
|
||||
"avb_vendor_algorithm=",
|
||||
"avb_vendor_key=",
|
||||
"avb_vendor_extra_args=",
|
||||
|
|