tequilaOS/platform_build
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Adding Android verified boot 1.0 metadata into ENG builds" am: 5f958ccad5 am: 86c4f8ed54

Browse source 
am: 08a05cd9ae

Change-Id: Ie7471976439616452b0c830b19471be1748a750a
This commit is contained in:
Bowgo Tsai 2017-10-15 03:26:24 +00:00 committed by android-build-merger
commit 0e1ada16ce
4 changed files with 20 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
core/Makefile
View file

@ -1004,6 +1004,7 @@ $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verit
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY)" >> $(1)) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(notdir $(VERITY_SIGNER))" >> $(1)) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(notdir $(VERITY_SIGNER))" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY_FEC),$(hide) echo "verity_fec=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY_FEC)" >> $(1)) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY_FEC),$(hide) echo "verity_fec=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY_FEC)" >> $(1))
$(if $(filter eng, $(TARGET_BUILD_VARIANT)),$(hide) echo "verity_disable=true" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION),$(hide) echo "system_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION)" >> $(1)) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION),$(hide) echo "system_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION),$(hide) echo "vendor_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION)" >> $(1)) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION),$(hide) echo "vendor_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION)" >> $(1))
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)" >> $(1)) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)" >> $(1))

1
core/tasks/tools/build_custom_image.mk
View file

@ -135,6 +135,7 @@ $(my_built_custom_image): $(INTERNAL_USERIMAGES_DEPS) $(my_built_modules) $(my_i
echo "verity_block_device=$(PRIVATE_VERITY_BLOCK_DEVICE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt) echo "verity_block_device=$(PRIVATE_VERITY_BLOCK_DEVICE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
$(if $(PRIVATE_SUPPORT_VERITY_FEC),\ $(if $(PRIVATE_SUPPORT_VERITY_FEC),\
$(hide) echo "verity_fec=$(PRIVATE_SUPPORT_VERITY_FEC)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt) $(hide) echo "verity_fec=$(PRIVATE_SUPPORT_VERITY_FEC)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
$(if $(filter eng, $(TARGET_BUILD_VARIANT)),$(hide) echo "verity_disable=true" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
$(hide) echo "avb_avbtool=$(PRIVATE_AVB_AVBTOOL)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt $(hide) echo "avb_avbtool=$(PRIVATE_AVB_AVBTOOL)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
$(if $(PRIVATE_AVB_KEY_PATH),\ $(if $(PRIVATE_AVB_KEY_PATH),\
$(hide) echo "avb_key_path=$(PRIVATE_AVB_KEY_PATH)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\ $(hide) echo "avb_key_path=$(PRIVATE_AVB_KEY_PATH)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\

22
target/product/verity.mk
View file

@ -14,20 +14,16 @@
# limitations under the License. # limitations under the License.
# #
# Provides dependencies necessary for verified boot (only for user and # Provides dependencies necessary for verified boot.
# userdebug builds)
user_variant := $(filter user userdebug,$(TARGET_BUILD_VARIANT)) PRODUCT_SUPPORTS_BOOT_SIGNER := true
ifneq (,$(user_variant)) PRODUCT_SUPPORTS_VERITY := true
PRODUCT_SUPPORTS_BOOT_SIGNER := true PRODUCT_SUPPORTS_VERITY_FEC := true
PRODUCT_SUPPORTS_VERITY := true
PRODUCT_SUPPORTS_VERITY_FEC := true
# The dev key is used to sign boot and recovery images, and the verity # The dev key is used to sign boot and recovery images, and the verity
# metadata table. Actual product deliverables will be re-signed by hand. # metadata table. Actual product deliverables will be re-signed by hand.
# We expect this file to exist with the suffixes ".x509.pem" and ".pk8". # We expect this file to exist with the suffixes ".x509.pem" and ".pk8".
PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity PRODUCT_VERITY_SIGNING_KEY := build/target/product/security/verity
PRODUCT_PACKAGES += \ PRODUCT_PACKAGES += \
verity_key verity_key
endif

10
tools/releasetools/build_image.py
View file

@ -225,12 +225,15 @@ def BuildVerityTree(sparse_image_path, verity_image_path, prop_dict):
return True return True
def BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt, def BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt,
block_device, signer_path, key, signer_args): block_device, signer_path, key, signer_args,
verity_disable):
cmd = ["system/extras/verity/build_verity_metadata.py", "build", cmd = ["system/extras/verity/build_verity_metadata.py", "build",
str(image_size), verity_metadata_path, root_hash, salt, block_device, str(image_size), verity_metadata_path, root_hash, salt, block_device,
signer_path, key] signer_path, key]
if signer_args: if signer_args:
cmd.append("--signer_args=\"%s\"" % (' '.join(signer_args),)) cmd.append("--signer_args=\"%s\"" % (' '.join(signer_args),))
if verity_disable:
cmd.append("--verity_disable")
output, exit_code = RunCommand(cmd) output, exit_code = RunCommand(cmd)
if exit_code != 0: if exit_code != 0:
print "Could not build verity metadata! Error: %s" % output print "Could not build verity metadata! Error: %s" % output
@ -334,8 +337,10 @@ def MakeVerityEnabledImage(out_file, fec_supported, prop_dict):
# build the metadata blocks # build the metadata blocks
root_hash = prop_dict["verity_root_hash"] root_hash = prop_dict["verity_root_hash"]
salt = prop_dict["verity_salt"] salt = prop_dict["verity_salt"]
verity_disable = "verity_disable" in prop_dict
if not BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt, if not BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt,
block_dev, signer_path, signer_key, signer_args): block_dev, signer_path, signer_key, signer_args,
verity_disable):
shutil.rmtree(tempdir_name, ignore_errors=True) shutil.rmtree(tempdir_name, ignore_errors=True)
return False return False
@ -650,6 +655,7 @@ def ImagePropFromGlobalDict(glob_dict, mount_point):
"verity_key", "verity_key",
"verity_signer_cmd", "verity_signer_cmd",
"verity_fec", "verity_fec",
"verity_disable",
"avb_enable", "avb_enable",
"avb_avbtool", "avb_avbtool",
"avb_salt", "avb_salt",