2017-02-28 00:08:36 +01:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
|
|
# Copyright (C) 2017 The Android Open Source Project
|
|
|
|
|
#
|
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
|
#
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
#
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
|
# limitations under the License.
|
|
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
Validate a given (signed) target_files.zip.
|
|
|
|
|
|
2018-03-11 05:41:16 +01:00
|
|
|
It performs the following checks to assert the integrity of the input zip.
|
|
|
|
|
|
2017-02-28 00:08:36 +01:00
|
|
|
- It verifies the file consistency between the ones in IMAGES/system.img (read
|
|
|
|
|
via IMAGES/system.map) and the ones under unpacked folder of SYSTEM/. The
|
|
|
|
|
same check also applies to the vendor image if present.
|
2018-03-11 05:41:16 +01:00
|
|
|
|
|
|
|
|
- It verifies the install-recovery script consistency, by comparing the
|
|
|
|
|
checksums in the script against the ones of IMAGES/{boot,recovery}.img.
|
|
|
|
|
|
|
|
|
|
- It verifies the signed Verified Boot related images, for both of Verified
|
|
|
|
|
Boot 1.0 and 2.0 (aka AVB).
|
2017-02-28 00:08:36 +01:00
|
|
|
"""
|
|
|
|
|
|
2018-03-11 05:41:16 +01:00
|
|
|
import argparse
|
|
|
|
|
import filecmp
|
2017-02-28 00:08:36 +01:00
|
|
|
import logging
|
|
|
|
|
import os.path
|
2017-06-21 02:00:55 +02:00
|
|
|
import re
|
2018-03-08 06:40:24 +01:00
|
|
|
import zipfile
|
2021-11-02 22:31:10 +01:00
|
|
|
|
2019-10-04 08:12:55 +02:00
|
|
|
from hashlib import sha1
|
2021-11-02 22:31:10 +01:00
|
|
|
from common import IsSparseImage
|
2017-02-28 00:08:36 +01:00
|
|
|
|
releasetools: Make validate_target_files.py pylint clean.
C: 73, 0: Wrong hanging indentation (add 4 spaces).
file_name, actual_sha1, expected_sha1)
^ | (bad-continuation)
C:171, 0: Wrong continued indentation (add 20 spaces).
'SYSTEM/etc/recovery.img', expected_recovery_sha1)
^ | (bad-continuation)
C:185, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/boot.img', expected_sha1=boot_info[3])
^ | (bad-continuation)
C:191, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/recovery.img',
^ | (bad-continuation)
C:192, 0: Wrong continued indentation (add 20 spaces).
expected_sha1=expected_recovery_sha1)
^ | (bad-continuation)
W: 67,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:150,17: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:153,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:194,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
C: 27, 0: standard import "import logging" comes before "import common" (wrong-import-order)
C: 28, 0: standard import "import os.path" comes before "import common" (wrong-import-order)
C: 29, 0: standard import "import re" comes before "import common" (wrong-import-order)
C: 31, 0: standard import "import sys" comes before "import common" (wrong-import-order)
Test: pylint --rcfile=pylintrc validate_target_files.py
Test: Run validate_target_files.py with a target-files.zip.
Change-Id: Ie64acdb4cee4326938c4ad5a34b575d7b82478c0
2018-02-01 21:00:19 +01:00
|
|
|
import common
|
2019-10-04 08:12:55 +02:00
|
|
|
import rangelib
|
2017-02-28 00:08:36 +01:00
|
|
|
|
|
|
|
|
|
2017-08-31 00:54:59 +02:00
|
|
|
def _ReadFile(file_name, unpacked_name, round_up=False):
|
|
|
|
|
"""Constructs and returns a File object. Rounds up its size if needed."""
|
2017-06-21 02:00:55 +02:00
|
|
|
assert os.path.exists(unpacked_name)
|
2017-12-02 01:19:46 +01:00
|
|
|
with open(unpacked_name, 'rb') as f:
|
2017-06-21 02:00:55 +02:00
|
|
|
file_data = f.read()
|
|
|
|
|
file_size = len(file_data)
|
|
|
|
|
if round_up:
|
2018-02-01 02:32:40 +01:00
|
|
|
file_size_rounded_up = common.RoundUpTo4K(file_size)
|
2019-10-04 08:12:55 +02:00
|
|
|
file_data += b'\0' * (file_size_rounded_up - file_size)
|
2017-08-31 00:54:59 +02:00
|
|
|
return common.File(file_name, file_data)
|
2017-06-21 02:00:55 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def ValidateFileAgainstSha1(input_tmp, file_name, file_path, expected_sha1):
|
|
|
|
|
"""Check if the file has the expected SHA-1."""
|
|
|
|
|
|
releasetools: Make validate_target_files.py pylint clean.
C: 73, 0: Wrong hanging indentation (add 4 spaces).
file_name, actual_sha1, expected_sha1)
^ | (bad-continuation)
C:171, 0: Wrong continued indentation (add 20 spaces).
'SYSTEM/etc/recovery.img', expected_recovery_sha1)
^ | (bad-continuation)
C:185, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/boot.img', expected_sha1=boot_info[3])
^ | (bad-continuation)
C:191, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/recovery.img',
^ | (bad-continuation)
C:192, 0: Wrong continued indentation (add 20 spaces).
expected_sha1=expected_recovery_sha1)
^ | (bad-continuation)
W: 67,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:150,17: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:153,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:194,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
C: 27, 0: standard import "import logging" comes before "import common" (wrong-import-order)
C: 28, 0: standard import "import os.path" comes before "import common" (wrong-import-order)
C: 29, 0: standard import "import re" comes before "import common" (wrong-import-order)
C: 31, 0: standard import "import sys" comes before "import common" (wrong-import-order)
Test: pylint --rcfile=pylintrc validate_target_files.py
Test: Run validate_target_files.py with a target-files.zip.
Change-Id: Ie64acdb4cee4326938c4ad5a34b575d7b82478c0
2018-02-01 21:00:19 +01:00
|
|
|
logging.info('Validating the SHA-1 of %s', file_name)
|
2017-06-21 02:00:55 +02:00
|
|
|
unpacked_name = os.path.join(input_tmp, file_path)
|
|
|
|
|
assert os.path.exists(unpacked_name)
|
2017-08-31 00:54:59 +02:00
|
|
|
actual_sha1 = _ReadFile(file_name, unpacked_name, False).sha1
|
2017-06-21 02:00:55 +02:00
|
|
|
assert actual_sha1 == expected_sha1, \
|
|
|
|
|
'SHA-1 mismatches for {}. actual {}, expected {}'.format(
|
releasetools: Make validate_target_files.py pylint clean.
C: 73, 0: Wrong hanging indentation (add 4 spaces).
file_name, actual_sha1, expected_sha1)
^ | (bad-continuation)
C:171, 0: Wrong continued indentation (add 20 spaces).
'SYSTEM/etc/recovery.img', expected_recovery_sha1)
^ | (bad-continuation)
C:185, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/boot.img', expected_sha1=boot_info[3])
^ | (bad-continuation)
C:191, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/recovery.img',
^ | (bad-continuation)
C:192, 0: Wrong continued indentation (add 20 spaces).
expected_sha1=expected_recovery_sha1)
^ | (bad-continuation)
W: 67,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:150,17: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:153,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:194,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
C: 27, 0: standard import "import logging" comes before "import common" (wrong-import-order)
C: 28, 0: standard import "import os.path" comes before "import common" (wrong-import-order)
C: 29, 0: standard import "import re" comes before "import common" (wrong-import-order)
C: 31, 0: standard import "import sys" comes before "import common" (wrong-import-order)
Test: pylint --rcfile=pylintrc validate_target_files.py
Test: Run validate_target_files.py with a target-files.zip.
Change-Id: Ie64acdb4cee4326938c4ad5a34b575d7b82478c0
2018-02-01 21:00:19 +01:00
|
|
|
file_name, actual_sha1, expected_sha1)
|
2017-06-21 02:00:55 +02:00
|
|
|
|
|
|
|
|
|
2018-05-12 08:38:46 +02:00
|
|
|
def ValidateFileConsistency(input_zip, input_tmp, info_dict):
|
2017-06-21 02:00:55 +02:00
|
|
|
"""Compare the files from image files and unpacked folders."""
|
|
|
|
|
|
2017-02-28 00:08:36 +01:00
|
|
|
def CheckAllFiles(which):
|
|
|
|
|
logging.info('Checking %s image.', which)
|
2021-11-02 22:31:10 +01:00
|
|
|
path = os.path.join(input_tmp, "IMAGES", which + ".img")
|
|
|
|
|
if not IsSparseImage(path):
|
|
|
|
|
logging.info("%s is non-sparse image", which)
|
|
|
|
|
image = common.GetNonSparseImage(which, input_tmp)
|
|
|
|
|
else:
|
|
|
|
|
logging.info("%s is sparse image", which)
|
|
|
|
|
# Allow having shared blocks when loading the sparse image, because allowing
|
|
|
|
|
# that doesn't affect the checks below (we will have all the blocks on file,
|
|
|
|
|
# unless it's skipped due to the holes).
|
|
|
|
|
image = common.GetSparseImage(which, input_tmp, input_zip, True)
|
2017-02-28 00:08:36 +01:00
|
|
|
prefix = '/' + which
|
|
|
|
|
for entry in image.file_map:
|
2018-02-01 02:32:40 +01:00
|
|
|
# Skip entries like '__NONZERO-0'.
|
2017-02-28 00:08:36 +01:00
|
|
|
if not entry.startswith(prefix):
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
# Read the blocks that the file resides. Note that it will contain the
|
|
|
|
|
# bytes past the file length, which is expected to be padded with '\0's.
|
|
|
|
|
ranges = image.file_map[entry]
|
2018-02-01 02:32:40 +01:00
|
|
|
|
2018-12-04 00:08:23 +01:00
|
|
|
# Use the original RangeSet if applicable, which includes the shared
|
|
|
|
|
# blocks. And this needs to happen before checking the monotonicity flag.
|
|
|
|
|
if ranges.extra.get('uses_shared_blocks'):
|
|
|
|
|
file_ranges = ranges.extra['uses_shared_blocks']
|
|
|
|
|
else:
|
|
|
|
|
file_ranges = ranges
|
|
|
|
|
|
2019-02-21 00:03:43 +01:00
|
|
|
incomplete = file_ranges.extra.get('incomplete', False)
|
|
|
|
|
if incomplete:
|
|
|
|
|
logging.warning('Skipping %s that has incomplete block list', entry)
|
|
|
|
|
continue
|
|
|
|
|
|
2019-10-04 08:12:55 +02:00
|
|
|
# If the file has non-monotonic ranges, read each range in order.
|
2018-12-04 00:08:23 +01:00
|
|
|
if not file_ranges.monotonic:
|
2019-10-04 08:12:55 +02:00
|
|
|
h = sha1()
|
|
|
|
|
for file_range in file_ranges.extra['text_str'].split(' '):
|
|
|
|
|
for data in image.ReadRangeSet(rangelib.RangeSet(file_range)):
|
|
|
|
|
h.update(data)
|
|
|
|
|
blocks_sha1 = h.hexdigest()
|
|
|
|
|
else:
|
|
|
|
|
blocks_sha1 = image.RangeSha1(file_ranges)
|
2017-02-28 00:08:36 +01:00
|
|
|
|
|
|
|
|
# The filename under unpacked directory, such as SYSTEM/bin/sh.
|
|
|
|
|
unpacked_name = os.path.join(
|
|
|
|
|
input_tmp, which.upper(), entry[(len(prefix) + 1):])
|
2017-08-31 00:54:59 +02:00
|
|
|
unpacked_file = _ReadFile(entry, unpacked_name, True)
|
|
|
|
|
file_sha1 = unpacked_file.sha1
|
2017-02-28 00:08:36 +01:00
|
|
|
assert blocks_sha1 == file_sha1, \
|
|
|
|
|
'file: %s, range: %s, blocks_sha1: %s, file_sha1: %s' % (
|
2018-12-04 00:08:23 +01:00
|
|
|
entry, file_ranges, blocks_sha1, file_sha1)
|
2017-02-28 00:08:36 +01:00
|
|
|
|
|
|
|
|
logging.info('Validating file consistency.')
|
|
|
|
|
|
2018-05-12 08:38:46 +02:00
|
|
|
# TODO(b/79617342): Validate non-sparse images.
|
|
|
|
|
if info_dict.get('extfs_sparse_flag') != '-s':
|
|
|
|
|
logging.warning('Skipped due to target using non-sparse images')
|
|
|
|
|
return
|
|
|
|
|
|
2022-03-09 08:12:58 +01:00
|
|
|
# Verify IMAGES/system.img if applicable.
|
|
|
|
|
# Some targets, e.g., gki_arm64, gki_x86_64, etc., are system.img-less.
|
|
|
|
|
if 'IMAGES/system.img' in input_zip.namelist():
|
|
|
|
|
CheckAllFiles('system')
|
2017-02-28 00:08:36 +01:00
|
|
|
|
|
|
|
|
# Verify IMAGES/vendor.img if applicable.
|
|
|
|
|
if 'VENDOR/' in input_zip.namelist():
|
|
|
|
|
CheckAllFiles('vendor')
|
|
|
|
|
|
|
|
|
|
# Not checking IMAGES/system_other.img since it doesn't have the map file.
|
|
|
|
|
|
|
|
|
|
|
2017-06-21 02:00:55 +02:00
|
|
|
def ValidateInstallRecoveryScript(input_tmp, info_dict):
|
|
|
|
|
"""Validate the SHA-1 embedded in install-recovery.sh.
|
|
|
|
|
|
|
|
|
|
install-recovery.sh is written in common.py and has the following format:
|
|
|
|
|
|
|
|
|
|
1. full recovery:
|
|
|
|
|
...
|
2018-07-14 01:11:16 +02:00
|
|
|
if ! applypatch --check type:device:size:sha1; then
|
Moving recovery resources from /system to /vendor
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.
The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.
* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)
This change includes the platform build system and release tools changes to
move the recovery resources from system to vendor (or /system/vendor). The
release tools need to know where to generate the recovery patch, and they
discover this from misc_info.txt variable board_uses_vendorimage, which the
platform build system generates.
We remove applypatch from PRODUCT_PACKAGES, but it is added back as a required
module in target/product/base_vendor.mk.
Several release tools rely on the misc_info.txt board_uses_vendorimage variable
to know how to generate and detect the recovery patch.
This change partially removes the --rebuild_recovery flag from the
merge_target_files.py script. The flag will be fully removed in a follow-on
change.
Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: Ia4045bd67ffb3d899efa8d20dab4c4299b87ee5f
2019-09-18 02:06:47 +02:00
|
|
|
applypatch --flash /vendor/etc/recovery.img \\
|
2018-07-14 01:11:16 +02:00
|
|
|
type:device:size:sha1 && \\
|
2017-06-21 02:00:55 +02:00
|
|
|
...
|
|
|
|
|
|
|
|
|
|
2. recovery from boot:
|
|
|
|
|
...
|
2018-07-14 01:11:16 +02:00
|
|
|
if ! applypatch --check type:recovery_device:recovery_size:recovery_sha1; then
|
|
|
|
|
applypatch [--bonus bonus_args] \\
|
Moving recovery resources from /system to /vendor
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.
The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.
* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)
This change includes the platform build system and release tools changes to
move the recovery resources from system to vendor (or /system/vendor). The
release tools need to know where to generate the recovery patch, and they
discover this from misc_info.txt variable board_uses_vendorimage, which the
platform build system generates.
We remove applypatch from PRODUCT_PACKAGES, but it is added back as a required
module in target/product/base_vendor.mk.
Several release tools rely on the misc_info.txt board_uses_vendorimage variable
to know how to generate and detect the recovery patch.
This change partially removes the --rebuild_recovery flag from the
merge_target_files.py script. The flag will be fully removed in a follow-on
change.
Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: Ia4045bd67ffb3d899efa8d20dab4c4299b87ee5f
2019-09-18 02:06:47 +02:00
|
|
|
--patch /vendor/recovery-from-boot.p \\
|
2018-07-14 01:11:16 +02:00
|
|
|
--source type:boot_device:boot_size:boot_sha1 \\
|
|
|
|
|
--target type:recovery_device:recovery_size:recovery_sha1 && \\
|
2017-06-21 02:00:55 +02:00
|
|
|
...
|
|
|
|
|
|
Moving recovery resources from /system to /vendor
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.
The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.
* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)
This change includes the platform build system and release tools changes to
move the recovery resources from system to vendor (or /system/vendor). The
release tools need to know where to generate the recovery patch, and they
discover this from misc_info.txt variable board_uses_vendorimage, which the
platform build system generates.
We remove applypatch from PRODUCT_PACKAGES, but it is added back as a required
module in target/product/base_vendor.mk.
Several release tools rely on the misc_info.txt board_uses_vendorimage variable
to know how to generate and detect the recovery patch.
This change partially removes the --rebuild_recovery flag from the
merge_target_files.py script. The flag will be fully removed in a follow-on
change.
Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: Ia4045bd67ffb3d899efa8d20dab4c4299b87ee5f
2019-09-18 02:06:47 +02:00
|
|
|
For full recovery, we want to calculate the SHA-1 of /vendor/etc/recovery.img
|
2017-06-21 02:00:55 +02:00
|
|
|
and compare it against the one embedded in the script. While for recovery
|
|
|
|
|
from boot, we want to check the SHA-1 for both recovery.img and boot.img
|
|
|
|
|
under IMAGES/.
|
|
|
|
|
"""
|
|
|
|
|
|
Moving recovery resources from /system to /vendor
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.
The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.
* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)
This change includes the platform build system and release tools changes to
move the recovery resources from system to vendor (or /system/vendor). The
release tools need to know where to generate the recovery patch, and they
discover this from misc_info.txt variable board_uses_vendorimage, which the
platform build system generates.
We remove applypatch from PRODUCT_PACKAGES, but it is added back as a required
module in target/product/base_vendor.mk.
Several release tools rely on the misc_info.txt board_uses_vendorimage variable
to know how to generate and detect the recovery patch.
This change partially removes the --rebuild_recovery flag from the
merge_target_files.py script. The flag will be fully removed in a follow-on
change.
Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: Ia4045bd67ffb3d899efa8d20dab4c4299b87ee5f
2019-09-18 02:06:47 +02:00
|
|
|
board_uses_vendorimage = info_dict.get("board_uses_vendorimage") == "true"
|
|
|
|
|
|
|
|
|
|
if board_uses_vendorimage:
|
|
|
|
|
script_path = 'VENDOR/bin/install-recovery.sh'
|
|
|
|
|
recovery_img = 'VENDOR/etc/recovery.img'
|
|
|
|
|
else:
|
|
|
|
|
script_path = 'SYSTEM/vendor/bin/install-recovery.sh'
|
|
|
|
|
recovery_img = 'SYSTEM/vendor/etc/recovery.img'
|
|
|
|
|
|
2017-06-21 02:00:55 +02:00
|
|
|
if not os.path.exists(os.path.join(input_tmp, script_path)):
|
releasetools: Make validate_target_files.py pylint clean.
C: 73, 0: Wrong hanging indentation (add 4 spaces).
file_name, actual_sha1, expected_sha1)
^ | (bad-continuation)
C:171, 0: Wrong continued indentation (add 20 spaces).
'SYSTEM/etc/recovery.img', expected_recovery_sha1)
^ | (bad-continuation)
C:185, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/boot.img', expected_sha1=boot_info[3])
^ | (bad-continuation)
C:191, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/recovery.img',
^ | (bad-continuation)
C:192, 0: Wrong continued indentation (add 20 spaces).
expected_sha1=expected_recovery_sha1)
^ | (bad-continuation)
W: 67,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:150,17: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:153,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:194,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
C: 27, 0: standard import "import logging" comes before "import common" (wrong-import-order)
C: 28, 0: standard import "import os.path" comes before "import common" (wrong-import-order)
C: 29, 0: standard import "import re" comes before "import common" (wrong-import-order)
C: 31, 0: standard import "import sys" comes before "import common" (wrong-import-order)
Test: pylint --rcfile=pylintrc validate_target_files.py
Test: Run validate_target_files.py with a target-files.zip.
Change-Id: Ie64acdb4cee4326938c4ad5a34b575d7b82478c0
2018-02-01 21:00:19 +01:00
|
|
|
logging.info('%s does not exist in input_tmp', script_path)
|
2017-06-21 02:00:55 +02:00
|
|
|
return
|
|
|
|
|
|
releasetools: Make validate_target_files.py pylint clean.
C: 73, 0: Wrong hanging indentation (add 4 spaces).
file_name, actual_sha1, expected_sha1)
^ | (bad-continuation)
C:171, 0: Wrong continued indentation (add 20 spaces).
'SYSTEM/etc/recovery.img', expected_recovery_sha1)
^ | (bad-continuation)
C:185, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/boot.img', expected_sha1=boot_info[3])
^ | (bad-continuation)
C:191, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/recovery.img',
^ | (bad-continuation)
C:192, 0: Wrong continued indentation (add 20 spaces).
expected_sha1=expected_recovery_sha1)
^ | (bad-continuation)
W: 67,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:150,17: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:153,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:194,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
C: 27, 0: standard import "import logging" comes before "import common" (wrong-import-order)
C: 28, 0: standard import "import os.path" comes before "import common" (wrong-import-order)
C: 29, 0: standard import "import re" comes before "import common" (wrong-import-order)
C: 31, 0: standard import "import sys" comes before "import common" (wrong-import-order)
Test: pylint --rcfile=pylintrc validate_target_files.py
Test: Run validate_target_files.py with a target-files.zip.
Change-Id: Ie64acdb4cee4326938c4ad5a34b575d7b82478c0
2018-02-01 21:00:19 +01:00
|
|
|
logging.info('Checking %s', script_path)
|
2017-06-21 02:00:55 +02:00
|
|
|
with open(os.path.join(input_tmp, script_path), 'r') as script:
|
|
|
|
|
lines = script.read().strip().split('\n')
|
2018-07-14 01:11:16 +02:00
|
|
|
assert len(lines) >= 10
|
|
|
|
|
check_cmd = re.search(r'if ! applypatch --check (\w+:.+:\w+:\w+);',
|
2017-06-21 02:00:55 +02:00
|
|
|
lines[1].strip())
|
2018-07-14 01:11:16 +02:00
|
|
|
check_partition = check_cmd.group(1)
|
|
|
|
|
assert len(check_partition.split(':')) == 4
|
2017-06-21 02:00:55 +02:00
|
|
|
|
|
|
|
|
full_recovery_image = info_dict.get("full_recovery_image") == "true"
|
|
|
|
|
if full_recovery_image:
|
2018-07-14 01:11:16 +02:00
|
|
|
assert len(lines) == 10, "Invalid line count: {}".format(lines)
|
|
|
|
|
|
|
|
|
|
# Expect something like "EMMC:/dev/block/recovery:28:5f9c..62e3".
|
|
|
|
|
target = re.search(r'--target (.+) &&', lines[4].strip())
|
|
|
|
|
assert target is not None, \
|
|
|
|
|
"Failed to parse target line \"{}\"".format(lines[4])
|
|
|
|
|
flash_partition = target.group(1)
|
|
|
|
|
|
|
|
|
|
# Check we have the same recovery target in the check and flash commands.
|
|
|
|
|
assert check_partition == flash_partition, \
|
2021-05-25 15:17:38 +02:00
|
|
|
"Mismatching targets: {} vs {}".format(
|
|
|
|
|
check_partition, flash_partition)
|
2018-07-14 01:11:16 +02:00
|
|
|
|
|
|
|
|
# Validate the SHA-1 of the recovery image.
|
|
|
|
|
recovery_sha1 = flash_partition.split(':')[3]
|
|
|
|
|
ValidateFileAgainstSha1(
|
Moving recovery resources from /system to /vendor
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.
The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.
* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)
This change includes the platform build system and release tools changes to
move the recovery resources from system to vendor (or /system/vendor). The
release tools need to know where to generate the recovery patch, and they
discover this from misc_info.txt variable board_uses_vendorimage, which the
platform build system generates.
We remove applypatch from PRODUCT_PACKAGES, but it is added back as a required
module in target/product/base_vendor.mk.
Several release tools rely on the misc_info.txt board_uses_vendorimage variable
to know how to generate and detect the recovery patch.
This change partially removes the --rebuild_recovery flag from the
merge_target_files.py script. The flag will be fully removed in a follow-on
change.
Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: Ia4045bd67ffb3d899efa8d20dab4c4299b87ee5f
2019-09-18 02:06:47 +02:00
|
|
|
input_tmp, 'recovery.img', recovery_img, recovery_sha1)
|
2017-06-21 02:00:55 +02:00
|
|
|
else:
|
2018-07-14 01:11:16 +02:00
|
|
|
assert len(lines) == 11, "Invalid line count: {}".format(lines)
|
|
|
|
|
|
|
|
|
|
# --source boot_type:boot_device:boot_size:boot_sha1
|
|
|
|
|
source = re.search(r'--source (\w+:.+:\w+:\w+) \\', lines[4].strip())
|
|
|
|
|
assert source is not None, \
|
|
|
|
|
"Failed to parse source line \"{}\"".format(lines[4])
|
|
|
|
|
|
|
|
|
|
source_partition = source.group(1)
|
|
|
|
|
source_info = source_partition.split(':')
|
|
|
|
|
assert len(source_info) == 4, \
|
|
|
|
|
"Invalid source partition: {}".format(source_partition)
|
2017-06-21 02:00:55 +02:00
|
|
|
ValidateFileAgainstSha1(input_tmp, file_name='boot.img',
|
releasetools: Make validate_target_files.py pylint clean.
C: 73, 0: Wrong hanging indentation (add 4 spaces).
file_name, actual_sha1, expected_sha1)
^ | (bad-continuation)
C:171, 0: Wrong continued indentation (add 20 spaces).
'SYSTEM/etc/recovery.img', expected_recovery_sha1)
^ | (bad-continuation)
C:185, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/boot.img', expected_sha1=boot_info[3])
^ | (bad-continuation)
C:191, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/recovery.img',
^ | (bad-continuation)
C:192, 0: Wrong continued indentation (add 20 spaces).
expected_sha1=expected_recovery_sha1)
^ | (bad-continuation)
W: 67,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:150,17: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:153,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:194,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
C: 27, 0: standard import "import logging" comes before "import common" (wrong-import-order)
C: 28, 0: standard import "import os.path" comes before "import common" (wrong-import-order)
C: 29, 0: standard import "import re" comes before "import common" (wrong-import-order)
C: 31, 0: standard import "import sys" comes before "import common" (wrong-import-order)
Test: pylint --rcfile=pylintrc validate_target_files.py
Test: Run validate_target_files.py with a target-files.zip.
Change-Id: Ie64acdb4cee4326938c4ad5a34b575d7b82478c0
2018-02-01 21:00:19 +01:00
|
|
|
file_path='IMAGES/boot.img',
|
2018-07-14 01:11:16 +02:00
|
|
|
expected_sha1=source_info[3])
|
|
|
|
|
|
|
|
|
|
# --target recovery_type:recovery_device:recovery_size:recovery_sha1
|
|
|
|
|
target = re.search(r'--target (\w+:.+:\w+:\w+) && \\', lines[5].strip())
|
|
|
|
|
assert target is not None, \
|
|
|
|
|
"Failed to parse target line \"{}\"".format(lines[5])
|
|
|
|
|
target_partition = target.group(1)
|
|
|
|
|
|
|
|
|
|
# Check we have the same recovery target in the check and patch commands.
|
|
|
|
|
assert check_partition == target_partition, \
|
|
|
|
|
"Mismatching targets: {} vs {}".format(
|
|
|
|
|
check_partition, target_partition)
|
|
|
|
|
|
|
|
|
|
recovery_info = target_partition.split(':')
|
|
|
|
|
assert len(recovery_info) == 4, \
|
|
|
|
|
"Invalid target partition: {}".format(target_partition)
|
2017-06-21 02:00:55 +02:00
|
|
|
ValidateFileAgainstSha1(input_tmp, file_name='recovery.img',
|
releasetools: Make validate_target_files.py pylint clean.
C: 73, 0: Wrong hanging indentation (add 4 spaces).
file_name, actual_sha1, expected_sha1)
^ | (bad-continuation)
C:171, 0: Wrong continued indentation (add 20 spaces).
'SYSTEM/etc/recovery.img', expected_recovery_sha1)
^ | (bad-continuation)
C:185, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/boot.img', expected_sha1=boot_info[3])
^ | (bad-continuation)
C:191, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/recovery.img',
^ | (bad-continuation)
C:192, 0: Wrong continued indentation (add 20 spaces).
expected_sha1=expected_recovery_sha1)
^ | (bad-continuation)
W: 67,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:150,17: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:153,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:194,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
C: 27, 0: standard import "import logging" comes before "import common" (wrong-import-order)
C: 28, 0: standard import "import os.path" comes before "import common" (wrong-import-order)
C: 29, 0: standard import "import re" comes before "import common" (wrong-import-order)
C: 31, 0: standard import "import sys" comes before "import common" (wrong-import-order)
Test: pylint --rcfile=pylintrc validate_target_files.py
Test: Run validate_target_files.py with a target-files.zip.
Change-Id: Ie64acdb4cee4326938c4ad5a34b575d7b82478c0
2018-02-01 21:00:19 +01:00
|
|
|
file_path='IMAGES/recovery.img',
|
2018-07-14 01:11:16 +02:00
|
|
|
expected_sha1=recovery_info[3])
|
2017-06-21 02:00:55 +02:00
|
|
|
|
releasetools: Make validate_target_files.py pylint clean.
C: 73, 0: Wrong hanging indentation (add 4 spaces).
file_name, actual_sha1, expected_sha1)
^ | (bad-continuation)
C:171, 0: Wrong continued indentation (add 20 spaces).
'SYSTEM/etc/recovery.img', expected_recovery_sha1)
^ | (bad-continuation)
C:185, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/boot.img', expected_sha1=boot_info[3])
^ | (bad-continuation)
C:191, 0: Wrong continued indentation (add 20 spaces).
file_path='IMAGES/recovery.img',
^ | (bad-continuation)
C:192, 0: Wrong continued indentation (add 20 spaces).
expected_sha1=expected_recovery_sha1)
^ | (bad-continuation)
W: 67,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:150,17: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:153,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
W:194,15: Use % formatting in logging functions and pass the % parameters as arguments (logging-format-interpolation)
C: 27, 0: standard import "import logging" comes before "import common" (wrong-import-order)
C: 28, 0: standard import "import os.path" comes before "import common" (wrong-import-order)
C: 29, 0: standard import "import re" comes before "import common" (wrong-import-order)
C: 31, 0: standard import "import sys" comes before "import common" (wrong-import-order)
Test: pylint --rcfile=pylintrc validate_target_files.py
Test: Run validate_target_files.py with a target-files.zip.
Change-Id: Ie64acdb4cee4326938c4ad5a34b575d7b82478c0
2018-02-01 21:00:19 +01:00
|
|
|
logging.info('Done checking %s', script_path)
|
2017-06-21 02:00:55 +02:00
|
|
|
|
2021-01-12 23:04:58 +01:00
|
|
|
|
2020-06-26 17:37:28 +02:00
|
|
|
# Symlink files in `src` to `dst`, if the files do not
|
|
|
|
|
# already exists in `dst` directory.
|
|
|
|
|
def symlinkIfNotExists(src, dst):
|
|
|
|
|
if not os.path.isdir(src):
|
|
|
|
|
return
|
|
|
|
|
for filename in os.listdir(src):
|
|
|
|
|
if os.path.exists(os.path.join(dst, filename)):
|
|
|
|
|
continue
|
|
|
|
|
os.symlink(os.path.join(src, filename), os.path.join(dst, filename))
|
2017-06-21 02:00:55 +02:00
|
|
|
|
2021-01-12 23:04:58 +01:00
|
|
|
|
2021-05-25 15:17:38 +02:00
|
|
|
def ValidatePartitionFingerprints(input_tmp, info_dict):
|
|
|
|
|
build_info = common.BuildInfo(info_dict)
|
|
|
|
|
# Expected format:
|
|
|
|
|
# Prop: com.android.build.vendor.fingerprint -> 'generic/aosp_cf_x86_64_phone/vsoc_x86_64:S/AOSP.MASTER/7335886:userdebug/test-keys'
|
|
|
|
|
# Prop: com.android.build.vendor_boot.fingerprint -> 'generic/aosp_cf_x86_64_phone/vsoc_x86_64:S/AOSP.MASTER/7335886:userdebug/test-keys'
|
|
|
|
|
p = re.compile(
|
|
|
|
|
r"Prop: com.android.build.(?P<partition>\w+).fingerprint -> '(?P<fingerprint>[\w\/:\.-]+)'")
|
|
|
|
|
for vbmeta_partition in ["vbmeta", "vbmeta_system"]:
|
|
|
|
|
image = os.path.join(input_tmp, "IMAGES", vbmeta_partition + ".img")
|
2021-07-26 20:05:02 +02:00
|
|
|
if not os.path.exists(image):
|
|
|
|
|
assert vbmeta_partition != "vbmeta",\
|
|
|
|
|
"{} is a required partition for AVB.".format(
|
|
|
|
|
vbmeta_partition)
|
|
|
|
|
logging.info("vb partition %s not present, skipping", vbmeta_partition)
|
|
|
|
|
continue
|
|
|
|
|
|
2021-05-25 15:17:38 +02:00
|
|
|
output = common.RunAndCheckOutput(
|
|
|
|
|
[info_dict["avb_avbtool"], "info_image", "--image", image])
|
|
|
|
|
matches = p.findall(output)
|
|
|
|
|
for (partition, fingerprint) in matches:
|
|
|
|
|
actual_fingerprint = build_info.GetPartitionFingerprint(
|
|
|
|
|
partition)
|
|
|
|
|
if actual_fingerprint is None:
|
|
|
|
|
logging.warning(
|
|
|
|
|
"Failed to get fingerprint for partition %s", partition)
|
|
|
|
|
continue
|
|
|
|
|
assert fingerprint == actual_fingerprint, "Fingerprint mismatch for partition {}, expected: {} actual: {}".format(
|
|
|
|
|
partition, fingerprint, actual_fingerprint)
|
|
|
|
|
|
|
|
|
|
|
2018-03-11 05:41:16 +01:00
|
|
|
def ValidateVerifiedBootImages(input_tmp, info_dict, options):
|
|
|
|
|
"""Validates the Verified Boot related images.
|
|
|
|
|
|
|
|
|
|
For Verified Boot 1.0, it verifies the signatures of the bootable images
|
|
|
|
|
(boot/recovery etc), as well as the dm-verity metadata in system images
|
|
|
|
|
(system/vendor/product). For Verified Boot 2.0, it calls avbtool to verify
|
|
|
|
|
vbmeta.img, which in turn verifies all the descriptors listed in vbmeta.
|
|
|
|
|
|
|
|
|
|
Args:
|
|
|
|
|
input_tmp: The top-level directory of unpacked target-files.zip.
|
|
|
|
|
info_dict: The loaded info dict.
|
|
|
|
|
options: A dict that contains the user-supplied public keys to be used for
|
|
|
|
|
image verification. In particular, 'verity_key' is used to verify the
|
|
|
|
|
bootable images in VB 1.0, and the vbmeta image in VB 2.0, where
|
|
|
|
|
applicable. 'verity_key_mincrypt' will be used to verify the system
|
|
|
|
|
images in VB 1.0.
|
|
|
|
|
|
|
|
|
|
Raises:
|
|
|
|
|
AssertionError: On any verification failure.
|
|
|
|
|
"""
|
2020-06-26 17:37:28 +02:00
|
|
|
# See bug 159299583
|
|
|
|
|
# After commit 5277d1015, some images (e.g. acpio.img and tos.img) are no
|
|
|
|
|
# longer copied from RADIO to the IMAGES folder. But avbtool assumes that
|
|
|
|
|
# images are in IMAGES folder. So we symlink them.
|
|
|
|
|
symlinkIfNotExists(os.path.join(input_tmp, "RADIO"),
|
2021-05-25 15:17:38 +02:00
|
|
|
os.path.join(input_tmp, "IMAGES"))
|
2018-03-11 05:41:16 +01:00
|
|
|
# Verified boot 1.0 (images signed with boot_signer and verity_signer).
|
|
|
|
|
if info_dict.get('boot_signer') == 'true':
|
|
|
|
|
logging.info('Verifying Verified Boot images...')
|
|
|
|
|
|
|
|
|
|
# Verify the boot/recovery images (signed with boot_signer), against the
|
|
|
|
|
# given X.509 encoded pubkey (or falling back to the one in the info_dict if
|
|
|
|
|
# none given).
|
|
|
|
|
verity_key = options['verity_key']
|
|
|
|
|
if verity_key is None:
|
|
|
|
|
verity_key = info_dict['verity_key'] + '.x509.pem'
|
|
|
|
|
for image in ('boot.img', 'recovery.img', 'recovery-two-step.img'):
|
2019-07-26 08:11:41 +02:00
|
|
|
if image == 'recovery-two-step.img':
|
|
|
|
|
image_path = os.path.join(input_tmp, 'OTA', image)
|
|
|
|
|
else:
|
|
|
|
|
image_path = os.path.join(input_tmp, 'IMAGES', image)
|
2018-03-11 05:41:16 +01:00
|
|
|
if not os.path.exists(image_path):
|
|
|
|
|
continue
|
2017-02-28 00:08:36 +01:00
|
|
|
|
2018-03-11 05:41:16 +01:00
|
|
|
cmd = ['boot_signer', '-verify', image_path, '-certificate', verity_key]
|
2018-10-05 01:25:33 +02:00
|
|
|
proc = common.Run(cmd)
|
2018-03-11 05:41:16 +01:00
|
|
|
stdoutdata, _ = proc.communicate()
|
|
|
|
|
assert proc.returncode == 0, \
|
|
|
|
|
'Failed to verify {} with boot_signer:\n{}'.format(image, stdoutdata)
|
|
|
|
|
logging.info(
|
|
|
|
|
'Verified %s with boot_signer (key: %s):\n%s', image, verity_key,
|
|
|
|
|
stdoutdata.rstrip())
|
|
|
|
|
|
|
|
|
|
# Verify verity signed system images in Verified Boot 1.0. Note that not using
|
|
|
|
|
# 'elif' here, since 'boot_signer' and 'verity' are not bundled in VB 1.0.
|
|
|
|
|
if info_dict.get('verity') == 'true':
|
2019-09-16 21:10:43 +02:00
|
|
|
# First verify that the verity key is built into the root image (regardless
|
|
|
|
|
# of system-as-root).
|
|
|
|
|
verity_key_mincrypt = os.path.join(input_tmp, 'ROOT', 'verity_key')
|
2018-03-11 05:41:16 +01:00
|
|
|
assert os.path.exists(verity_key_mincrypt), 'Missing verity_key'
|
|
|
|
|
|
2019-09-16 21:10:43 +02:00
|
|
|
# Verify /verity_key matches the one given via command line, if any.
|
2018-03-11 05:41:16 +01:00
|
|
|
if options['verity_key_mincrypt'] is None:
|
|
|
|
|
logging.warn(
|
|
|
|
|
'Skipped checking the content of /verity_key, as the key file not '
|
|
|
|
|
'provided. Use --verity_key_mincrypt to specify.')
|
|
|
|
|
else:
|
|
|
|
|
expected_key = options['verity_key_mincrypt']
|
|
|
|
|
assert filecmp.cmp(expected_key, verity_key_mincrypt, shallow=False), \
|
|
|
|
|
"Mismatching mincrypt verity key files"
|
|
|
|
|
logging.info('Verified the content of /verity_key')
|
|
|
|
|
|
2019-09-16 21:10:43 +02:00
|
|
|
# For devices with a separate ramdisk (i.e. non-system-as-root), there must
|
|
|
|
|
# be a copy in ramdisk.
|
|
|
|
|
if info_dict.get("system_root_image") != "true":
|
|
|
|
|
verity_key_ramdisk = os.path.join(
|
|
|
|
|
input_tmp, 'BOOT', 'RAMDISK', 'verity_key')
|
2021-05-25 15:17:38 +02:00
|
|
|
assert os.path.exists(
|
|
|
|
|
verity_key_ramdisk), 'Missing verity_key in ramdisk'
|
2019-09-16 21:10:43 +02:00
|
|
|
|
|
|
|
|
assert filecmp.cmp(
|
|
|
|
|
verity_key_mincrypt, verity_key_ramdisk, shallow=False), \
|
2021-05-25 15:17:38 +02:00
|
|
|
'Mismatching verity_key files in root and ramdisk'
|
2019-09-16 21:10:43 +02:00
|
|
|
logging.info('Verified the content of /verity_key in ramdisk')
|
|
|
|
|
|
2018-03-11 05:41:16 +01:00
|
|
|
# Then verify the verity signed system/vendor/product images, against the
|
|
|
|
|
# verity pubkey in mincrypt format.
|
|
|
|
|
for image in ('system.img', 'vendor.img', 'product.img'):
|
|
|
|
|
image_path = os.path.join(input_tmp, 'IMAGES', image)
|
|
|
|
|
|
|
|
|
|
# We are not checking if the image is actually enabled via info_dict (e.g.
|
|
|
|
|
# 'system_verity_block_device=...'). Because it's most likely a bug that
|
|
|
|
|
# skips signing some of the images in signed target-files.zip, while
|
|
|
|
|
# having the top-level verity flag enabled.
|
|
|
|
|
if not os.path.exists(image_path):
|
|
|
|
|
continue
|
2017-02-28 00:08:36 +01:00
|
|
|
|
2018-03-11 05:41:16 +01:00
|
|
|
cmd = ['verity_verifier', image_path, '-mincrypt', verity_key_mincrypt]
|
2018-10-05 01:25:33 +02:00
|
|
|
proc = common.Run(cmd)
|
2018-03-11 05:41:16 +01:00
|
|
|
stdoutdata, _ = proc.communicate()
|
|
|
|
|
assert proc.returncode == 0, \
|
|
|
|
|
'Failed to verify {} with verity_verifier (key: {}):\n{}'.format(
|
|
|
|
|
image, verity_key_mincrypt, stdoutdata)
|
|
|
|
|
logging.info(
|
|
|
|
|
'Verified %s with verity_verifier (key: %s):\n%s', image,
|
|
|
|
|
verity_key_mincrypt, stdoutdata.rstrip())
|
|
|
|
|
|
|
|
|
|
# Handle the case of Verified Boot 2.0 (AVB).
|
2022-03-09 08:12:58 +01:00
|
|
|
if info_dict.get("avb_building_vbmeta_image") == "true":
|
2018-03-11 05:41:16 +01:00
|
|
|
logging.info('Verifying Verified Boot 2.0 (AVB) images...')
|
|
|
|
|
|
2019-03-26 20:13:04 +01:00
|
|
|
key = options['verity_key']
|
|
|
|
|
if key is None:
|
|
|
|
|
key = info_dict['avb_vbmeta_key_path']
|
|
|
|
|
|
2021-05-25 15:17:38 +02:00
|
|
|
ValidatePartitionFingerprints(input_tmp, info_dict)
|
|
|
|
|
|
2019-03-26 20:13:04 +01:00
|
|
|
# avbtool verifies all the images that have descriptors listed in vbmeta.
|
2019-09-20 16:45:06 +02:00
|
|
|
# Using `--follow_chain_partitions` so it would additionally verify chained
|
|
|
|
|
# vbmeta partitions (e.g. vbmeta_system).
|
2019-03-26 20:13:04 +01:00
|
|
|
image = os.path.join(input_tmp, 'IMAGES', 'vbmeta.img')
|
2019-06-26 20:58:22 +02:00
|
|
|
cmd = [info_dict['avb_avbtool'], 'verify_image', '--image', image,
|
2020-02-06 22:12:56 +01:00
|
|
|
'--follow_chain_partitions']
|
2019-03-26 20:13:04 +01:00
|
|
|
|
Add options to sign the prebuilt custom images.
The custom images are any images owned by OEMs and SoCs, oem images
mounted on /oem is an example. The oem images can be used to customize
devices for different carriers, like wallpaper, ringtones, and
carrier-specific apks. OEMs can generate multiple oem images, like
oem.img, oem-carrier1.img and oem-carrier2.img and flash different oem
images for different carriers. The oem images are only one case, OEMs
and SoCs can add more custom images and mount them to custom partitions.
This change enables custom images to be vbmeta.img chained partitions.
The following configuration in BoardConfig.mk is an exmaple. It has two
custom partitions: oem and test. They will be signed by different keys.
And they will be chained by vbmeta.img. The custom images here are
prebuilts, which can be built by `make custom_images` separately.
BOARD_AVB_<CUSTOM_PARTITION>_IMAGE_LIST should include all custom images
to apply AVB signing. And to every custom partition, one image whose
name is partition name must be added in its
BOARD_AVB_<CUSTOM_PARTITION>_IMAGE_LIST.
BOARD_CUSTOMIMAGES_PARTITION_LIST := oem test
BOARD_AVB_OEM_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
BOARD_AVB_OEM_ALGORITHM := SHA256_RSA4096
BOARD_AVB_OEM_ADD_HASHTREE_FOOTER_ARGS :=
BOARD_AVB_OEM_ROLLBACK_INDEX_LOCATION := 1
BOARD_AVB_OEM_PARTITION_SIZE := 5242880
BOARD_AVB_OEM_IMAGE_LIST := \
device/xxxx/yyyy/oem/oem.img \
device/xxxx/yyyy/oem/oem1.img
BOARD_AVB_TEST_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_TEST_ALGORITHM := SHA256_RSA2048
BOARD_AVB_TEST_ADD_HASHTREE_FOOTER_ARGS :=
BOARD_AVB_TEST_ROLLBACK_INDEX_LOCATION := 2
BOARD_AVB_TEST_PARTITION_SIZE := 10485760
BOARD_AVB_TEST_IMAGE_LIST := \
device/xxxx/yyyy/test/test.img \
device/xxxx/yyyy/test/test1.img
To resign the custom images in the target zip file, the
avb_extra_custom_image_key, avb_extra_custom_image_algorithms and
avb_extra_custom_image_extra_args options are added to the
sign_target_files_apks tool too. The following test cases list some
examples about how to use them.
BUG: 154171021
Test: 1) "atest --host releasetools_test releasetools_py3_test -c"
2) Build images by 'make dist', sign and validate target files.
a) Test on dist w/ chained vbmeta_system and ome custom images
sign_target_files_apks -d certs \
--avb_extra_custom_image_key oem=oem_rsa4096.pem \
--avb_extra_custom_image_algorithm oem=SHA256_RSA4096 \
xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Flash image and boot up.
Verify the oem images and vbmeta images in OUT and target zips by
avbtool.
b) Test on dist w/ chained vbmeta_system and oem and test custom images
sign_target_files_apks -d certs \
--avb_extra_custom_image_key oem=oem_rsa4096.pem \
--avb_extra_custom_image_algorithm oem=SHA256_RSA4096 \
--avb_extra_custom_image_extra_args oem=--do_not_generate_fec \
--avb_extra_custom_image_key test=test_rsa4096.pem \
--avb_extra_custom_image_algorithm test=SHA256_RSA4096 \
xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Verify the oem, test images and vbmeta images in OUT and target zips
by avbtool.
c) Test on dist w/o chained partition.
sign_target_files_apks -d certs xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Flash image and boot up.
Verify the vbmeta images in OUT and target zips by avbtool.
Change-Id: Ifccfee5e8909697eef6ccda0cc352fa16a9f6db6
2020-04-28 03:36:36 +02:00
|
|
|
# Custom images.
|
|
|
|
|
custom_partitions = info_dict.get(
|
|
|
|
|
"avb_custom_images_partition_list", "").strip().split()
|
|
|
|
|
|
2019-03-26 20:13:04 +01:00
|
|
|
# Append the args for chained partitions if any.
|
Add options to sign the prebuilt custom images.
The custom images are any images owned by OEMs and SoCs, oem images
mounted on /oem is an example. The oem images can be used to customize
devices for different carriers, like wallpaper, ringtones, and
carrier-specific apks. OEMs can generate multiple oem images, like
oem.img, oem-carrier1.img and oem-carrier2.img and flash different oem
images for different carriers. The oem images are only one case, OEMs
and SoCs can add more custom images and mount them to custom partitions.
This change enables custom images to be vbmeta.img chained partitions.
The following configuration in BoardConfig.mk is an exmaple. It has two
custom partitions: oem and test. They will be signed by different keys.
And they will be chained by vbmeta.img. The custom images here are
prebuilts, which can be built by `make custom_images` separately.
BOARD_AVB_<CUSTOM_PARTITION>_IMAGE_LIST should include all custom images
to apply AVB signing. And to every custom partition, one image whose
name is partition name must be added in its
BOARD_AVB_<CUSTOM_PARTITION>_IMAGE_LIST.
BOARD_CUSTOMIMAGES_PARTITION_LIST := oem test
BOARD_AVB_OEM_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
BOARD_AVB_OEM_ALGORITHM := SHA256_RSA4096
BOARD_AVB_OEM_ADD_HASHTREE_FOOTER_ARGS :=
BOARD_AVB_OEM_ROLLBACK_INDEX_LOCATION := 1
BOARD_AVB_OEM_PARTITION_SIZE := 5242880
BOARD_AVB_OEM_IMAGE_LIST := \
device/xxxx/yyyy/oem/oem.img \
device/xxxx/yyyy/oem/oem1.img
BOARD_AVB_TEST_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_TEST_ALGORITHM := SHA256_RSA2048
BOARD_AVB_TEST_ADD_HASHTREE_FOOTER_ARGS :=
BOARD_AVB_TEST_ROLLBACK_INDEX_LOCATION := 2
BOARD_AVB_TEST_PARTITION_SIZE := 10485760
BOARD_AVB_TEST_IMAGE_LIST := \
device/xxxx/yyyy/test/test.img \
device/xxxx/yyyy/test/test1.img
To resign the custom images in the target zip file, the
avb_extra_custom_image_key, avb_extra_custom_image_algorithms and
avb_extra_custom_image_extra_args options are added to the
sign_target_files_apks tool too. The following test cases list some
examples about how to use them.
BUG: 154171021
Test: 1) "atest --host releasetools_test releasetools_py3_test -c"
2) Build images by 'make dist', sign and validate target files.
a) Test on dist w/ chained vbmeta_system and ome custom images
sign_target_files_apks -d certs \
--avb_extra_custom_image_key oem=oem_rsa4096.pem \
--avb_extra_custom_image_algorithm oem=SHA256_RSA4096 \
xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Flash image and boot up.
Verify the oem images and vbmeta images in OUT and target zips by
avbtool.
b) Test on dist w/ chained vbmeta_system and oem and test custom images
sign_target_files_apks -d certs \
--avb_extra_custom_image_key oem=oem_rsa4096.pem \
--avb_extra_custom_image_algorithm oem=SHA256_RSA4096 \
--avb_extra_custom_image_extra_args oem=--do_not_generate_fec \
--avb_extra_custom_image_key test=test_rsa4096.pem \
--avb_extra_custom_image_algorithm test=SHA256_RSA4096 \
xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Verify the oem, test images and vbmeta images in OUT and target zips
by avbtool.
c) Test on dist w/o chained partition.
sign_target_files_apks -d certs xxx-target_xxx.zip signed.zip
validate_target_files.py signed.zip
Flash image and boot up.
Verify the vbmeta images in OUT and target zips by avbtool.
Change-Id: Ifccfee5e8909697eef6ccda0cc352fa16a9f6db6
2020-04-28 03:36:36 +02:00
|
|
|
for partition in (common.AVB_PARTITIONS + common.AVB_VBMETA_PARTITIONS +
|
|
|
|
|
tuple(custom_partitions)):
|
2019-03-26 20:13:04 +01:00
|
|
|
key_name = 'avb_' + partition + '_key_path'
|
|
|
|
|
if info_dict.get(key_name) is not None:
|
2019-09-20 16:45:06 +02:00
|
|
|
if info_dict.get('ab_update') != 'true' and partition == 'recovery':
|
|
|
|
|
continue
|
|
|
|
|
|
2019-06-04 08:07:58 +02:00
|
|
|
# Use the key file from command line if specified; otherwise fall back
|
|
|
|
|
# to the one in info dict.
|
|
|
|
|
key_file = options.get(key_name, info_dict[key_name])
|
2019-03-26 20:13:04 +01:00
|
|
|
chained_partition_arg = common.GetAvbChainedPartitionArg(
|
2019-06-04 08:07:58 +02:00
|
|
|
partition, info_dict, key_file)
|
2019-09-20 16:45:06 +02:00
|
|
|
cmd.extend(['--expected_chain_partition', chained_partition_arg])
|
2019-03-26 20:13:04 +01:00
|
|
|
|
2020-06-26 07:59:54 +02:00
|
|
|
# Handle the boot image with a non-default name, e.g. boot-5.4.img
|
|
|
|
|
boot_images = info_dict.get("boot_images")
|
|
|
|
|
if boot_images:
|
|
|
|
|
# we used the 1st boot image to generate the vbmeta. Rename the filename
|
|
|
|
|
# to boot.img so that avbtool can find it correctly.
|
|
|
|
|
first_image_name = boot_images.split()[0]
|
|
|
|
|
first_image_path = os.path.join(input_tmp, 'IMAGES', first_image_name)
|
|
|
|
|
assert os.path.isfile(first_image_path)
|
|
|
|
|
renamed_boot_image_path = os.path.join(input_tmp, 'IMAGES', 'boot.img')
|
|
|
|
|
os.rename(first_image_path, renamed_boot_image_path)
|
|
|
|
|
|
2019-03-26 20:13:04 +01:00
|
|
|
proc = common.Run(cmd)
|
|
|
|
|
stdoutdata, _ = proc.communicate()
|
|
|
|
|
assert proc.returncode == 0, \
|
|
|
|
|
'Failed to verify {} with avbtool (key: {}):\n{}'.format(
|
|
|
|
|
image, key, stdoutdata)
|
|
|
|
|
|
|
|
|
|
logging.info(
|
|
|
|
|
'Verified %s with avbtool (key: %s):\n%s', image, key,
|
|
|
|
|
stdoutdata.rstrip())
|
2018-03-11 05:41:16 +01:00
|
|
|
|
2019-09-20 16:45:06 +02:00
|
|
|
# avbtool verifies recovery image for non-A/B devices.
|
|
|
|
|
if (info_dict.get('ab_update') != 'true' and
|
2021-05-25 15:17:38 +02:00
|
|
|
info_dict.get('no_recovery') != 'true'):
|
2019-09-20 16:45:06 +02:00
|
|
|
image = os.path.join(input_tmp, 'IMAGES', 'recovery.img')
|
|
|
|
|
key = info_dict['avb_recovery_key_path']
|
|
|
|
|
cmd = [info_dict['avb_avbtool'], 'verify_image', '--image', image,
|
|
|
|
|
'--key', key]
|
|
|
|
|
proc = common.Run(cmd)
|
|
|
|
|
stdoutdata, _ = proc.communicate()
|
|
|
|
|
assert proc.returncode == 0, \
|
|
|
|
|
'Failed to verify {} with avbtool (key: {}):\n{}'.format(
|
|
|
|
|
image, key, stdoutdata)
|
|
|
|
|
logging.info(
|
|
|
|
|
'Verified %s with avbtool (key: %s):\n%s', image, key,
|
|
|
|
|
stdoutdata.rstrip())
|
|
|
|
|
|
2021-01-12 23:04:58 +01:00
|
|
|
|
|
|
|
|
def CheckDataInconsistency(lines):
|
2021-05-25 15:17:38 +02:00
|
|
|
build_prop = {}
|
|
|
|
|
for line in lines:
|
|
|
|
|
if line.startswith("import") or line.startswith("#"):
|
|
|
|
|
continue
|
|
|
|
|
if "=" not in line:
|
|
|
|
|
continue
|
2021-01-12 23:04:58 +01:00
|
|
|
|
2021-05-25 15:17:38 +02:00
|
|
|
key, value = line.rstrip().split("=", 1)
|
|
|
|
|
if key in build_prop:
|
|
|
|
|
logging.info("Duplicated key found for {}".format(key))
|
|
|
|
|
if value != build_prop[key]:
|
|
|
|
|
logging.error("Key {} is defined twice with different values {} vs {}"
|
|
|
|
|
.format(key, value, build_prop[key]))
|
|
|
|
|
return key
|
|
|
|
|
build_prop[key] = value
|
2020-06-29 22:04:51 +02:00
|
|
|
|
2021-01-12 23:04:58 +01:00
|
|
|
|
2020-06-29 22:04:51 +02:00
|
|
|
def CheckBuildPropDuplicity(input_tmp):
|
|
|
|
|
"""Check all buld.prop files inside directory input_tmp, raise error
|
|
|
|
|
if they contain duplicates"""
|
|
|
|
|
|
|
|
|
|
if not os.path.isdir(input_tmp):
|
|
|
|
|
raise ValueError("Expect {} to be a directory".format(input_tmp))
|
|
|
|
|
for name in os.listdir(input_tmp):
|
|
|
|
|
if not name.isupper():
|
|
|
|
|
continue
|
|
|
|
|
for prop_file in ['build.prop', 'etc/build.prop']:
|
|
|
|
|
path = os.path.join(input_tmp, name, prop_file)
|
|
|
|
|
if not os.path.exists(path):
|
|
|
|
|
continue
|
|
|
|
|
logging.info("Checking {}".format(path))
|
|
|
|
|
with open(path, 'r') as fp:
|
2021-01-12 23:04:58 +01:00
|
|
|
dupKey = CheckDataInconsistency(fp.readlines())
|
2020-06-29 22:04:51 +02:00
|
|
|
if dupKey:
|
2021-01-12 23:04:58 +01:00
|
|
|
raise ValueError("{} contains duplicate keys for {}".format(
|
|
|
|
|
path, dupKey))
|
|
|
|
|
|
2018-03-11 05:41:16 +01:00
|
|
|
|
|
|
|
|
def main():
|
|
|
|
|
parser = argparse.ArgumentParser(
|
|
|
|
|
description=__doc__,
|
|
|
|
|
formatter_class=argparse.RawDescriptionHelpFormatter)
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
'target_files',
|
|
|
|
|
help='the input target_files.zip to be validated')
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
'--verity_key',
|
|
|
|
|
help='the verity public key to verify the bootable images (Verified '
|
2018-07-22 21:40:45 +02:00
|
|
|
'Boot 1.0), or the vbmeta image (Verified Boot 2.0, aka AVB), where '
|
2018-03-11 05:41:16 +01:00
|
|
|
'applicable')
|
2019-06-04 08:07:58 +02:00
|
|
|
for partition in common.AVB_PARTITIONS + common.AVB_VBMETA_PARTITIONS:
|
2018-07-22 21:40:45 +02:00
|
|
|
parser.add_argument(
|
|
|
|
|
'--avb_' + partition + '_key_path',
|
|
|
|
|
help='the public or private key in PEM format to verify AVB chained '
|
|
|
|
|
'partition of {}'.format(partition))
|
2018-03-11 05:41:16 +01:00
|
|
|
parser.add_argument(
|
|
|
|
|
'--verity_key_mincrypt',
|
|
|
|
|
help='the verity public key in mincrypt format to verify the system '
|
|
|
|
|
'images, if target using Verified Boot 1.0')
|
|
|
|
|
args = parser.parse_args()
|
|
|
|
|
|
|
|
|
|
# Unprovided args will have 'None' as the value.
|
|
|
|
|
options = vars(args)
|
2017-02-28 00:08:36 +01:00
|
|
|
|
|
|
|
|
logging_format = '%(asctime)s - %(filename)s - %(levelname)-8s: %(message)s'
|
|
|
|
|
date_format = '%Y/%m/%d %H:%M:%S'
|
|
|
|
|
logging.basicConfig(level=logging.INFO, format=logging_format,
|
|
|
|
|
datefmt=date_format)
|
|
|
|
|
|
2018-03-11 05:41:16 +01:00
|
|
|
logging.info("Unzipping the input target_files.zip: %s", args.target_files)
|
|
|
|
|
input_tmp = common.UnzipTemp(args.target_files)
|
2017-02-28 00:08:36 +01:00
|
|
|
|
2018-05-12 08:38:46 +02:00
|
|
|
info_dict = common.LoadInfoDict(input_tmp)
|
2020-09-22 22:15:57 +02:00
|
|
|
with zipfile.ZipFile(args.target_files, 'r', allowZip64=True) as input_zip:
|
2018-05-12 08:38:46 +02:00
|
|
|
ValidateFileConsistency(input_zip, input_tmp, info_dict)
|
2017-02-28 00:08:36 +01:00
|
|
|
|
2020-06-29 22:04:51 +02:00
|
|
|
CheckBuildPropDuplicity(input_tmp)
|
|
|
|
|
|
2017-06-21 02:00:55 +02:00
|
|
|
ValidateInstallRecoveryScript(input_tmp, info_dict)
|
|
|
|
|
|
2018-03-11 05:41:16 +01:00
|
|
|
ValidateVerifiedBootImages(input_tmp, info_dict, options)
|
|
|
|
|
|
2017-02-28 00:08:36 +01:00
|
|
|
# TODO: Check if the OTA keys have been properly updated (the ones on /system,
|
|
|
|
|
# in recovery image).
|
|
|
|
|
|
|
|
|
|
logging.info("Done.")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
try:
|
2018-03-11 05:41:16 +01:00
|
|
|
main()
|
2017-02-28 00:08:36 +01:00
|
|
|
finally:
|
|
|
|
|
common.Cleanup()
|
