Merge "Support signing custom images with AVB HASH or AVB HASHTREE"

This commit is contained in:
Treehugger Robot 2017-05-31 03:24:23 +00:00 committed by Gerrit Code Review
commit fe7aeb1de7
4 changed files with 66 additions and 26 deletions

View File

@ -942,9 +942,9 @@ $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "futili
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot_signer_cmd=$(VBOOT_SIGNER)" >> $(1))
$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_signing_args=$(INTERNAL_AVB_SIGNING_ARGS)" >> $(1))
$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_avbtool=$(AVBTOOL)" >> $(1))
$(if $(BOARD_AVB_ENABLE),$(hide) echo "system_avb_enable=$(BOARD_AVB_ENABLE)" >> $(1))
$(if $(BOARD_AVB_ENABLE),$(hide) echo "system_avb_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))
$(if $(BOARD_AVB_ENABLE),$(hide) echo "system_avb_add_hashtree_footer_args=$(BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))
$(if $(BOARD_AVB_ENABLE),$(hide) echo "vendor_avb_enable=$(BOARD_AVB_ENABLE)" >> $(1))
$(if $(BOARD_AVB_ENABLE),$(hide) echo "vendor_avb_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))
$(if $(BOARD_AVB_ENABLE),$(hide) echo "vendor_avb_add_hashtree_footer_args=$(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))
$(if $(filter true,$(BOARD_USES_RECOVERY_AS_BOOT)),\
$(hide) echo "recovery_as_boot=true" >> $(1))

View File

@ -37,6 +37,14 @@
# - CUSTOM_IMAGE_SELINUX, set to "true" if the image supports selinux.
# - CUSTOM_IMAGE_SUPPORT_VERITY, set to "true" if the product supports verity.
# - CUSTOM_IMAGE_VERITY_BLOCK_DEVICE
# - CUSTOM_IMAGE_AVB_HASH_ENABLE, set to "true" to add AVB HASH footer.
# - CUSTOM_IMAGE_AVB_ADD_HASH_FOOTER_ARGS, additional args of AVB HASH footer.
# - CUSTOM_IMAGE_AVB_HASHTREE_ENABLE, set to "true" to add AVB HASHTREE
# footer.
# - CUSTOM_IMAGE_AVB_ADD_HASHTREE_FOOTER_ARGS, additional args of AVB
# HASHTREE footer.
# - CUSTOM_IMAGE_AVB_KEY_PATH, custom AVB signing key.
# - CUSTOM_IMAGE_AVB_ALGORITHM, custom AVB signing algorithm.
#
# To build all those images, run "make custom_images".
@ -54,8 +62,12 @@ custom_image_parameter_variables := \
CUSTOM_IMAGE_SELINUX \
CUSTOM_IMAGE_SUPPORT_VERITY \
CUSTOM_IMAGE_VERITY_BLOCK_DEVICE \
CUSTOM_IMAGE_AVB_ENABLE \
CUSTOM_IMAGE_AVB_HASH_ENABLE \
CUSTOM_IMAGE_AVB_ADD_HASH_FOOTER_ARGS \
CUSTOM_IMAGE_AVB_HASHTREE_ENABLE \
CUSTOM_IMAGE_AVB_ADD_HASHTREE_FOOTER_ARGS \
CUSTOM_IMAGE_AVB_KEY_PATH \
CUSTOM_IMAGE_AVB_ALGORITHM \
# We don't expect product makefile to inherit/override PRODUCT_CUSTOM_IMAGE_MAKEFILES,
# so we don't put it in the _product_var_list.

View File

@ -62,6 +62,14 @@ $(foreach f,$(CUSTOM_IMAGE_COPY_FILES),\
$(eval my_image_copy_files += $(src))\
$(eval my_copy_pairs += $(src):$(my_staging_dir)/$(word 2,$(pair))))
ifndef CUSTOM_IMAGE_AVB_KEY_PATH
# If key path isn't specified, use the default signing args.
my_avb_signing_args := $(INTERNAL_AVB_SIGNING_ARGS)
else
my_avb_signing_args := \
--algorithm $(CUSTOM_IMAGE_AVB_ALGORITHM) --key $(CUSTOM_IMAGE_AVB_KEY_PATH)
endif
$(my_built_custom_image): PRIVATE_INTERMEDIATES := $(intermediates)
$(my_built_custom_image): PRIVATE_MOUNT_POINT := $(CUSTOM_IMAGE_MOUNT_POINT)
$(my_built_custom_image): PRIVATE_PARTITION_SIZE := $(CUSTOM_IMAGE_PARTITION_SIZE)
@ -74,10 +82,16 @@ $(my_built_custom_image): PRIVATE_SUPPORT_VERITY := $(CUSTOM_IMAGE_SUPPORT_VERIT
$(my_built_custom_image): PRIVATE_VERITY_KEY := $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY)
$(my_built_custom_image): PRIVATE_VERITY_BLOCK_DEVICE := $(CUSTOM_IMAGE_VERITY_BLOCK_DEVICE)
$(my_built_custom_image): PRIVATE_DICT_FILE := $(CUSTOM_IMAGE_DICT_FILE)
$(my_built_custom_image): PRIVATE_AVB_ENABLE := $(CUSTOM_IMAGE_AVB_ENABLE)
$(my_built_custom_image): PRIVATE_AVB_AVBTOOL := $(AVBTOOL)
$(my_built_custom_image): PRIVATE_AVB_SIGNING_ARGS := $(my_avb_signing_args)
$(my_built_custom_image): PRIVATE_AVB_HASH_ENABLE := $(CUSTOM_IMAGE_AVB_HASH_ENABLE)
$(my_built_custom_image): PRIVATE_AVB_ADD_HASH_FOOTER_ARGS := $(CUSTOM_IMAGE_AVB_ADD_HASH_FOOTER_ARGS)
$(my_built_custom_image): PRIVATE_AVB_HASHTREE_ENABLE := $(CUSTOM_IMAGE_AVB_HASHTREE_ENABLE)
$(my_built_custom_image): PRIVATE_AVB_ADD_HASHTREE_FOOTER_ARGS := $(CUSTOM_IMAGE_AVB_ADD_HASHTREE_FOOTER_ARGS)
ifeq (true,$(CUSTOM_IMAGE_AVB_ENABLE))
ifeq (true,$(filter true, $(CUSTOM_IMAGE_AVB_HASH_ENABLE) $(CUSTOM_IMAGE_AVB_HASHTREE_ENABLE)))
$(my_built_custom_image): $(AVBTOOL)
else ifneq (,$(filter true, $(CUSTOM_IMAGE_AVB_HASH_ENABLE) $(CUSTOM_IMAGE_AVB_HASHTREE_ENABLE)))
$(error Cannot set both CUSTOM_IMAGE_AVB_HASH_ENABLE and CUSTOM_IMAGE_AVB_HASHTREE_ENABLE to true)
endif
$(my_built_custom_image): $(INTERNAL_USERIMAGES_DEPS) $(my_built_modules) $(my_image_copy_files) \
$(CUSTOM_IMAGE_DICT_FILE)
@ -93,6 +107,7 @@ $(my_built_custom_image): $(INTERNAL_USERIMAGES_DEPS) $(my_built_modules) $(my_i
# Generate the dict.
$(hide) echo "# For all accepted properties, see BuildImage() in tools/releasetools/build_image.py" > $(PRIVATE_INTERMEDIATES)/image_info.txt
$(hide) echo "mount_point=$(PRIVATE_MOUNT_POINT)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
$(hide) echo "partition_name=$(PRIVATE_MOUNT_POINT)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
$(hide) echo "fs_type=$(PRIVATE_FILE_SYSTEM_TYPE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
$(hide) echo "partition_size=$(PRIVATE_PARTITION_SIZE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
$(hide) echo "ext_mkuserimg=$(notdir $(MKEXTUSERIMG))" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
@ -102,10 +117,13 @@ $(my_built_custom_image): $(INTERNAL_USERIMAGES_DEPS) $(my_built_modules) $(my_i
echo "verity_key=$(PRIVATE_VERITY_KEY)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
echo "verity_signer_cmd=$(VERITY_SIGNER)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
echo "verity_block_device=$(PRIVATE_VERITY_BLOCK_DEVICE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
$(if $(PRIVATE_AVB_ENABLE),\
$(hide) echo "avb_enable=$(PRIVATE_AVB_ENABLE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
echo "avb_avbtool=$(AVBTOOL)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
echo "avb_signing_args=$(INTERNAL_AVB_SIGNING_ARGS)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
$(hide) echo "avb_avbtool=$(PRIVATE_AVB_AVBTOOL)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
$(hide) echo "avb_signing_args=$(PRIVATE_AVB_SIGNING_ARGS)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
$(if $(PRIVATE_AVB_HASH_ENABLE),\
$(hide) echo "avb_hash_enable=$(PRIVATE_AVB_HASH_ENABLE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
echo "avb_add_hash_footer_args=$(PRIVATE_AVB_ADD_HASH_FOOTER_ARGS)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
$(if $(PRIVATE_AVB_HASHTREE_ENABLE),\
$(hide) echo "avb_hashtree_enable=$(PRIVATE_AVB_HASHTREE_ENABLE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
echo "avb_add_hashtree_footer_args=$(PRIVATE_AVB_ADD_HASHTREE_FOOTER_ARGS)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
$(if $(PRIVATE_DICT_FILE),\
$(hide) echo "# Properties from $(PRIVATE_DICT_FILE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\

View File

@ -97,18 +97,19 @@ def ZeroPadSimg(image_file, pad_size):
simg = sparse_img.SparseImage(image_file, mode="r+b", build_map=False)
simg.AppendFillChunk(0, blocks)
def AVBCalcMaxImageSize(avbtool, partition_size, additional_args):
def AVBCalcMaxImageSize(avbtool, footer_type, partition_size, additional_args):
"""Calculates max image size for a given partition size.
Args:
avbtool: String with path to avbtool.
footer_type: 'hash' or 'hashtree' for generating footer.
partition_size: The size of the partition in question.
additional_args: Additional arguments to pass to 'avbtool
add_hashtree_image'.
Returns:
The maximum image size or 0 if an error occurred.
"""
cmdline = "%s add_hashtree_footer " % avbtool
cmdline = "%s add_%s_footer " % (avbtool, footer_type)
cmdline += "--partition_size %d " % partition_size
cmdline += "--calc_max_image_size "
cmdline += additional_args
@ -118,13 +119,14 @@ def AVBCalcMaxImageSize(avbtool, partition_size, additional_args):
else:
return int(output)
def AVBAddHashtree(image_path, avbtool, partition_size, partition_name,
signing_args, additional_args):
def AVBAddFooter(image_path, avbtool, footer_type, partition_size,
partition_name, signing_args, additional_args):
"""Adds dm-verity hashtree and AVB metadata to an image.
Args:
image_path: Path to image to modify.
avbtool: String with path to avbtool.
footer_type: 'hash' or 'hashtree' for generating footer.
partition_size: The size of the partition in question.
partition_name: The name of the partition - will be embedded in metadata.
signing_args: Arguments for signing the image.
@ -133,7 +135,7 @@ def AVBAddHashtree(image_path, avbtool, partition_size, partition_name,
Returns:
True if the operation succeeded.
"""
cmdline = "%s add_hashtree_footer " % avbtool
cmdline = "%s add_%s_footer " % (avbtool, footer_type)
cmdline += "--partition_size %d " % partition_size
cmdline += "--partition_name %s " % partition_name
cmdline += "--image %s " % image_path
@ -410,12 +412,19 @@ def BuildImage(in_dir, prop_dict, out_file, target_out=None):
prop_dict["original_partition_size"] = str(partition_size)
prop_dict["verity_size"] = str(verity_size)
# Adjust partition size for AVB.
if prop_dict.get("avb_enable") == "true":
# Adjust partition size for AVB hash footer or AVB hashtree footer.
avb_footer_type = ''
if prop_dict.get("avb_hash_enable") == "true":
avb_footer_type = 'hash'
elif prop_dict.get("avb_hashtree_enable") == "true":
avb_footer_type = 'hashtree'
if avb_footer_type:
avbtool = prop_dict.get("avb_avbtool")
partition_size = int(prop_dict.get("partition_size"))
additional_args = prop_dict["avb_add_hashtree_footer_args"]
max_image_size = AVBCalcMaxImageSize(avbtool, partition_size,
# avb_add_hash_footer_args or avb_add_hashtree_footer_args.
additional_args = prop_dict["avb_add_" + avb_footer_type + "_footer_args"]
max_image_size = AVBCalcMaxImageSize(avbtool, avb_footer_type, partition_size,
additional_args)
if max_image_size == 0:
return False
@ -561,15 +570,16 @@ def BuildImage(in_dir, prop_dict, out_file, target_out=None):
if not MakeVerityEnabledImage(out_file, verity_fec_supported, prop_dict):
return False
# Add AVB hashtree and metadata.
if "avb_enable" in prop_dict:
# Add AVB HASH or HASHTREE footer (metadata).
if avb_footer_type:
avbtool = prop_dict.get("avb_avbtool")
original_partition_size = int(prop_dict.get("original_partition_size"))
partition_name = prop_dict["partition_name"]
signing_args = prop_dict["avb_signing_args"]
additional_args = prop_dict["avb_add_hashtree_footer_args"]
if not AVBAddHashtree(out_file, avbtool, original_partition_size,
partition_name, signing_args, additional_args):
# avb_add_hash_footer_args or avb_add_hashtree_footer_args
additional_args = prop_dict["avb_add_" + avb_footer_type + "_footer_args"]
if not AVBAddFooter(out_file, avbtool, avb_footer_type, original_partition_size,
partition_name, signing_args, additional_args):
return False
if run_fsck and prop_dict.get("skip_fsck") != "true":
@ -639,7 +649,7 @@ def ImagePropFromGlobalDict(glob_dict, mount_point):
copy_prop("system_squashfs_block_size", "squashfs_block_size")
copy_prop("system_squashfs_disable_4k_align", "squashfs_disable_4k_align")
copy_prop("system_base_fs_file", "base_fs_file")
copy_prop("system_avb_enable", "avb_enable")
copy_prop("system_avb_hashtree_enable", "avb_hashtree_enable")
copy_prop("system_avb_add_hashtree_footer_args",
"avb_add_hashtree_footer_args")
copy_prop("system_extfs_inode_count", "extfs_inode_count")
@ -656,7 +666,7 @@ def ImagePropFromGlobalDict(glob_dict, mount_point):
copy_prop("system_squashfs_compressor_opt", "squashfs_compressor_opt")
copy_prop("system_squashfs_block_size", "squashfs_block_size")
copy_prop("system_base_fs_file", "base_fs_file")
copy_prop("system_avb_enable", "avb_enable")
copy_prop("system_avb_hashtree_enable", "avb_hashtree_enable")
copy_prop("system_avb_add_hashtree_footer_args",
"avb_add_hashtree_footer_args")
copy_prop("system_extfs_inode_count", "extfs_inode_count")
@ -681,7 +691,7 @@ def ImagePropFromGlobalDict(glob_dict, mount_point):
copy_prop("vendor_squashfs_block_size", "squashfs_block_size")
copy_prop("vendor_squashfs_disable_4k_align", "squashfs_disable_4k_align")
copy_prop("vendor_base_fs_file", "base_fs_file")
copy_prop("vendor_avb_enable", "avb_enable")
copy_prop("vendor_avb_hashtree_enable", "avb_hashtree_enable")
copy_prop("vendor_avb_add_hashtree_footer_args",
"avb_add_hashtree_footer_args")
copy_prop("vendor_extfs_inode_count", "extfs_inode_count")