Merge "Support signing custom images with AVB HASH or AVB HASHTREE"
commit
fe7aeb1de7
4 changed files with 66 additions and 26 deletions
|
@ -942,9 +942,9 @@ $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "futili
|
|||
$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot_signer_cmd=$(VBOOT_SIGNER)" >> $(1))
|
||||
$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_signing_args=$(INTERNAL_AVB_SIGNING_ARGS)" >> $(1))
|
||||
$(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_avbtool=$(AVBTOOL)" >> $(1))
|
||||
$(if $(BOARD_AVB_ENABLE),$(hide) echo "system_avb_enable=$(BOARD_AVB_ENABLE)" >> $(1))
|
||||
$(if $(BOARD_AVB_ENABLE),$(hide) echo "system_avb_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))
|
||||
$(if $(BOARD_AVB_ENABLE),$(hide) echo "system_avb_add_hashtree_footer_args=$(BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))
|
||||
$(if $(BOARD_AVB_ENABLE),$(hide) echo "vendor_avb_enable=$(BOARD_AVB_ENABLE)" >> $(1))
|
||||
$(if $(BOARD_AVB_ENABLE),$(hide) echo "vendor_avb_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))
|
||||
$(if $(BOARD_AVB_ENABLE),$(hide) echo "vendor_avb_add_hashtree_footer_args=$(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))
|
||||
$(if $(filter true,$(BOARD_USES_RECOVERY_AS_BOOT)),\
|
||||
$(hide) echo "recovery_as_boot=true" >> $(1))
|
||||
|
|
|
@ -37,6 +37,14 @@
|
|||
# - CUSTOM_IMAGE_SELINUX, set to "true" if the image supports selinux.
|
||||
# - CUSTOM_IMAGE_SUPPORT_VERITY, set to "true" if the product supports verity.
|
||||
# - CUSTOM_IMAGE_VERITY_BLOCK_DEVICE
|
||||
# - CUSTOM_IMAGE_AVB_HASH_ENABLE, set to "true" to add AVB HASH footer.
|
||||
# - CUSTOM_IMAGE_AVB_ADD_HASH_FOOTER_ARGS, additional args of AVB HASH footer.
|
||||
# - CUSTOM_IMAGE_AVB_HASHTREE_ENABLE, set to "true" to add AVB HASHTREE
|
||||
# footer.
|
||||
# - CUSTOM_IMAGE_AVB_ADD_HASHTREE_FOOTER_ARGS, additional args of AVB
|
||||
# HASHTREE footer.
|
||||
# - CUSTOM_IMAGE_AVB_KEY_PATH, custom AVB signing key.
|
||||
# - CUSTOM_IMAGE_AVB_ALGORITHM, custom AVB signing algorithm.
|
||||
#
|
||||
# To build all those images, run "make custom_images".
|
||||
|
||||
|
@ -54,8 +62,12 @@ custom_image_parameter_variables := \
|
|||
CUSTOM_IMAGE_SELINUX \
|
||||
CUSTOM_IMAGE_SUPPORT_VERITY \
|
||||
CUSTOM_IMAGE_VERITY_BLOCK_DEVICE \
|
||||
CUSTOM_IMAGE_AVB_ENABLE \
|
||||
CUSTOM_IMAGE_AVB_HASH_ENABLE \
|
||||
CUSTOM_IMAGE_AVB_ADD_HASH_FOOTER_ARGS \
|
||||
CUSTOM_IMAGE_AVB_HASHTREE_ENABLE \
|
||||
CUSTOM_IMAGE_AVB_ADD_HASHTREE_FOOTER_ARGS \
|
||||
CUSTOM_IMAGE_AVB_KEY_PATH \
|
||||
CUSTOM_IMAGE_AVB_ALGORITHM \
|
||||
|
||||
# We don't expect product makefile to inherit/override PRODUCT_CUSTOM_IMAGE_MAKEFILES,
|
||||
# so we don't put it in the _product_var_list.
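Review bot: The new parameter comments do not say how the AVB variables interact, although the build logic elsewhere in this commit depends on it. The CUSTOM_IMAGE_AVB_HASH_ENABLE and CUSTOM_IMAGE_AVB_HASHTREE_ENABLE entries should state that at most one of them may be "true", since the build stops with an error when both are set. The key entry should say what happens when it is left unset, for example `# - CUSTOM_IMAGE_AVB_KEY_PATH, custom AVB signing key; if unset, the default signing args (INTERNAL_AVB_SIGNING_ARGS) are used.` The CUSTOM_IMAGE_AVB_ALGORITHM entry should add that it is only read when a key path is given.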
|
||||
|
|
|
@ -62,6 +62,14 @@ $(foreach f,$(CUSTOM_IMAGE_COPY_FILES),\
|
|||
$(eval my_image_copy_files += $(src))\
|
||||
$(eval my_copy_pairs += $(src):$(my_staging_dir)/$(word 2,$(pair))))
|
||||
|
||||
ifndef CUSTOM_IMAGE_AVB_KEY_PATH
|
||||
# If key path isn't specified, use the default signing args.
|
||||
my_avb_signing_args := $(INTERNAL_AVB_SIGNING_ARGS)
|
||||
else
|
||||
my_avb_signing_args := \
|
||||
--algorithm $(CUSTOM_IMAGE_AVB_ALGORITHM) --key $(CUSTOM_IMAGE_AVB_KEY_PATH)
|
||||
endif
|
||||
|
||||
$(my_built_custom_image): PRIVATE_INTERMEDIATES := $(intermediates)
|
||||
$(my_built_custom_image): PRIVATE_MOUNT_POINT := $(CUSTOM_IMAGE_MOUNT_POINT)
|
||||
$(my_built_custom_image): PRIVATE_PARTITION_SIZE := $(CUSTOM_IMAGE_PARTITION_SIZE)
|
||||
|
@ -74,10 +82,16 @@ $(my_built_custom_image): PRIVATE_SUPPORT_VERITY := $(CUSTOM_IMAGE_SUPPORT_VERIT
|
|||
$(my_built_custom_image): PRIVATE_VERITY_KEY := $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY)
|
||||
$(my_built_custom_image): PRIVATE_VERITY_BLOCK_DEVICE := $(CUSTOM_IMAGE_VERITY_BLOCK_DEVICE)
|
||||
$(my_built_custom_image): PRIVATE_DICT_FILE := $(CUSTOM_IMAGE_DICT_FILE)
|
||||
$(my_built_custom_image): PRIVATE_AVB_ENABLE := $(CUSTOM_IMAGE_AVB_ENABLE)
|
||||
$(my_built_custom_image): PRIVATE_AVB_AVBTOOL := $(AVBTOOL)
|
||||
$(my_built_custom_image): PRIVATE_AVB_SIGNING_ARGS := $(my_avb_signing_args)
|
||||
$(my_built_custom_image): PRIVATE_AVB_HASH_ENABLE := $(CUSTOM_IMAGE_AVB_HASH_ENABLE)
|
||||
$(my_built_custom_image): PRIVATE_AVB_ADD_HASH_FOOTER_ARGS := $(CUSTOM_IMAGE_AVB_ADD_HASH_FOOTER_ARGS)
|
||||
$(my_built_custom_image): PRIVATE_AVB_HASHTREE_ENABLE := $(CUSTOM_IMAGE_AVB_HASHTREE_ENABLE)
|
||||
$(my_built_custom_image): PRIVATE_AVB_ADD_HASHTREE_FOOTER_ARGS := $(CUSTOM_IMAGE_AVB_ADD_HASHTREE_FOOTER_ARGS)
|
||||
ifeq (true,$(CUSTOM_IMAGE_AVB_ENABLE))
|
||||
ifeq (true,$(filter true, $(CUSTOM_IMAGE_AVB_HASH_ENABLE) $(CUSTOM_IMAGE_AVB_HASHTREE_ENABLE)))
|
||||
$(my_built_custom_image): $(AVBTOOL)
|
||||
else ifneq (,$(filter true, $(CUSTOM_IMAGE_AVB_HASH_ENABLE) $(CUSTOM_IMAGE_AVB_HASHTREE_ENABLE)))
|
||||
$(error Cannot set both CUSTOM_IMAGE_AVB_HASH_ENABLE and CUSTOM_IMAGE_AVB_HASHTREE_ENABLE to true)
|
||||
endif
|
||||
$(my_built_custom_image): $(INTERNAL_USERIMAGES_DEPS) $(my_built_modules) $(my_image_copy_files) \
|
||||
$(CUSTOM_IMAGE_DICT_FILE)
|
||||
|
@ -93,6 +107,7 @@ $(my_built_custom_image): $(INTERNAL_USERIMAGES_DEPS) $(my_built_modules) $(my_i
|
|||
# Generate the dict.
|
||||
$(hide) echo "# For all accepted properties, see BuildImage() in tools/releasetools/build_image.py" > $(PRIVATE_INTERMEDIATES)/image_info.txt
|
||||
$(hide) echo "mount_point=$(PRIVATE_MOUNT_POINT)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
|
||||
$(hide) echo "partition_name=$(PRIVATE_MOUNT_POINT)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
|
||||
$(hide) echo "fs_type=$(PRIVATE_FILE_SYSTEM_TYPE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
|
||||
$(hide) echo "partition_size=$(PRIVATE_PARTITION_SIZE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
|
||||
$(hide) echo "ext_mkuserimg=$(notdir $(MKEXTUSERIMG))" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
|
||||
|
@ -102,10 +117,13 @@ $(my_built_custom_image): $(INTERNAL_USERIMAGES_DEPS) $(my_built_modules) $(my_i
|
|||
echo "verity_key=$(PRIVATE_VERITY_KEY)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
|
||||
echo "verity_signer_cmd=$(VERITY_SIGNER)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
|
||||
echo "verity_block_device=$(PRIVATE_VERITY_BLOCK_DEVICE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
|
||||
$(if $(PRIVATE_AVB_ENABLE),\
|
||||
$(hide) echo "avb_enable=$(PRIVATE_AVB_ENABLE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
|
||||
echo "avb_avbtool=$(AVBTOOL)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
|
||||
echo "avb_signing_args=$(INTERNAL_AVB_SIGNING_ARGS)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
|
||||
$(hide) echo "avb_avbtool=$(PRIVATE_AVB_AVBTOOL)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
|
||||
$(hide) echo "avb_signing_args=$(PRIVATE_AVB_SIGNING_ARGS)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt
|
||||
$(if $(PRIVATE_AVB_HASH_ENABLE),\
|
||||
$(hide) echo "avb_hash_enable=$(PRIVATE_AVB_HASH_ENABLE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
|
||||
echo "avb_add_hash_footer_args=$(PRIVATE_AVB_ADD_HASH_FOOTER_ARGS)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
|
||||
$(if $(PRIVATE_AVB_HASHTREE_ENABLE),\
|
||||
$(hide) echo "avb_hashtree_enable=$(PRIVATE_AVB_HASHTREE_ENABLE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
|
||||
echo "avb_add_hashtree_footer_args=$(PRIVATE_AVB_ADD_HASHTREE_FOOTER_ARGS)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt)
|
||||
$(if $(PRIVATE_DICT_FILE),\
|
||||
$(hide) echo "# Properties from $(PRIVATE_DICT_FILE)" >> $(PRIVATE_INTERMEDIATES)/image_info.txt;\
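Review bot: When CUSTOM_IMAGE_AVB_KEY_PATH is set but CUSTOM_IMAGE_AVB_ALGORITHM is empty, the `else` branch still builds `--algorithm  --key <path>`, so the mistake surfaces only later, when avbtool is run on the image. Check it at parse time inside that branch with `ifndef CUSTOM_IMAGE_AVB_ALGORITHM`, `$(error CUSTOM_IMAGE_AVB_ALGORITHM must be set when CUSTOM_IMAGE_AVB_KEY_PATH is set)` and `endif`. In the visible lines the key file is also not a prerequisite of `$(my_built_custom_image)`, so replacing the key would not re-sign an already built image. Adding `$(my_built_custom_image): $(CUSTOM_IMAGE_AVB_KEY_PATH)` next to the `$(AVBTOOL)` dependency would cover that.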
|
||||
|
|
|
@ -97,18 +97,19 @@ def ZeroPadSimg(image_file, pad_size):
|
|||
simg = sparse_img.SparseImage(image_file, mode="r+b", build_map=False)
|
||||
simg.AppendFillChunk(0, blocks)
|
||||
|
||||
def AVBCalcMaxImageSize(avbtool, partition_size, additional_args):
|
||||
def AVBCalcMaxImageSize(avbtool, footer_type, partition_size, additional_args):
|
||||
"""Calculates max image size for a given partition size.
|
||||
|
||||
Args:
|
||||
avbtool: String with path to avbtool.
|
||||
footer_type: 'hash' or 'hashtree' for generating footer.
|
||||
partition_size: The size of the partition in question.
|
||||
additional_args: Additional arguments to pass to 'avbtool
|
||||
add_hashtree_image'.
|
||||
Returns:
|
||||
The maximum image size or 0 if an error occurred.
|
||||
"""
|
||||
cmdline = "%s add_hashtree_footer " % avbtool
|
||||
cmdline = "%s add_%s_footer " % (avbtool, footer_type)
|
||||
cmdline += "--partition_size %d " % partition_size
|
||||
cmdline += "--calc_max_image_size "
|
||||
cmdline += additional_args
|
||||
|
@ -118,13 +119,14 @@ def AVBCalcMaxImageSize(avbtool, partition_size, additional_args):
|
|||
else:
|
||||
return int(output)
|
||||
|
||||
def AVBAddHashtree(image_path, avbtool, partition_size, partition_name,
|
||||
signing_args, additional_args):
|
||||
def AVBAddFooter(image_path, avbtool, footer_type, partition_size,
|
||||
partition_name, signing_args, additional_args):
|
||||
"""Adds dm-verity hashtree and AVB metadata to an image.
|
||||
|
||||
Args:
|
||||
image_path: Path to image to modify.
|
||||
avbtool: String with path to avbtool.
|
||||
footer_type: 'hash' or 'hashtree' for generating footer.
|
||||
partition_size: The size of the partition in question.
|
||||
partition_name: The name of the partition - will be embedded in metadata.
|
||||
signing_args: Arguments for signing the image.
|
||||
|
@ -133,7 +135,7 @@ def AVBAddHashtree(image_path, avbtool, partition_size, partition_name,
|
|||
Returns:
|
||||
True if the operation succeeded.
|
||||
"""
|
||||
cmdline = "%s add_hashtree_footer " % avbtool
|
||||
cmdline = "%s add_%s_footer " % (avbtool, footer_type)
|
||||
cmdline += "--partition_size %d " % partition_size
|
||||
cmdline += "--partition_name %s " % partition_name
|
||||
cmdline += "--image %s " % image_path
|
||||
|
@ -410,12 +412,19 @@ def BuildImage(in_dir, prop_dict, out_file, target_out=None):
|
|||
prop_dict["original_partition_size"] = str(partition_size)
|
||||
prop_dict["verity_size"] = str(verity_size)
|
||||
|
||||
# Adjust partition size for AVB.
|
||||
if prop_dict.get("avb_enable") == "true":
|
||||
# Adjust partition size for AVB hash footer or AVB hashtree footer.
|
||||
avb_footer_type = ''
|
||||
if prop_dict.get("avb_hash_enable") == "true":
|
||||
avb_footer_type = 'hash'
|
||||
elif prop_dict.get("avb_hashtree_enable") == "true":
|
||||
avb_footer_type = 'hashtree'
|
||||
|
||||
if avb_footer_type:
|
||||
avbtool = prop_dict.get("avb_avbtool")
|
||||
partition_size = int(prop_dict.get("partition_size"))
|
||||
additional_args = prop_dict["avb_add_hashtree_footer_args"]
|
||||
max_image_size = AVBCalcMaxImageSize(avbtool, partition_size,
|
||||
# avb_add_hash_footer_args or avb_add_hashtree_footer_args.
|
||||
additional_args = prop_dict["avb_add_" + avb_footer_type + "_footer_args"]
|
||||
max_image_size = AVBCalcMaxImageSize(avbtool, avb_footer_type, partition_size,
|
||||
additional_args)
|
||||
if max_image_size == 0:
|
||||
return False
|
||||
|
@ -561,15 +570,16 @@ def BuildImage(in_dir, prop_dict, out_file, target_out=None):
|
|||
if not MakeVerityEnabledImage(out_file, verity_fec_supported, prop_dict):
|
||||
return False
|
||||
|
||||
# Add AVB hashtree and metadata.
|
||||
if "avb_enable" in prop_dict:
|
||||
# Add AVB HASH or HASHTREE footer (metadata).
|
||||
if avb_footer_type:
|
||||
avbtool = prop_dict.get("avb_avbtool")
|
||||
original_partition_size = int(prop_dict.get("original_partition_size"))
|
||||
partition_name = prop_dict["partition_name"]
|
||||
signing_args = prop_dict["avb_signing_args"]
|
||||
additional_args = prop_dict["avb_add_hashtree_footer_args"]
|
||||
if not AVBAddHashtree(out_file, avbtool, original_partition_size,
|
||||
partition_name, signing_args, additional_args):
|
||||
# avb_add_hash_footer_args or avb_add_hashtree_footer_args
|
||||
additional_args = prop_dict["avb_add_" + avb_footer_type + "_footer_args"]
|
||||
if not AVBAddFooter(out_file, avbtool, avb_footer_type, original_partition_size,
|
||||
partition_name, signing_args, additional_args):
|
||||
return False
|
||||
|
||||
if run_fsck and prop_dict.get("skip_fsck") != "true":
|
||||
|
@ -639,7 +649,7 @@ def ImagePropFromGlobalDict(glob_dict, mount_point):
|
|||
copy_prop("system_squashfs_block_size", "squashfs_block_size")
|
||||
copy_prop("system_squashfs_disable_4k_align", "squashfs_disable_4k_align")
|
||||
copy_prop("system_base_fs_file", "base_fs_file")
|
||||
copy_prop("system_avb_enable", "avb_enable")
|
||||
copy_prop("system_avb_hashtree_enable", "avb_hashtree_enable")
|
||||
copy_prop("system_avb_add_hashtree_footer_args",
|
||||
"avb_add_hashtree_footer_args")
|
||||
copy_prop("system_extfs_inode_count", "extfs_inode_count")
|
||||
|
@ -656,7 +666,7 @@ def ImagePropFromGlobalDict(glob_dict, mount_point):
|
|||
copy_prop("system_squashfs_compressor_opt", "squashfs_compressor_opt")
|
||||
copy_prop("system_squashfs_block_size", "squashfs_block_size")
|
||||
copy_prop("system_base_fs_file", "base_fs_file")
|
||||
copy_prop("system_avb_enable", "avb_enable")
|
||||
copy_prop("system_avb_hashtree_enable", "avb_hashtree_enable")
|
||||
copy_prop("system_avb_add_hashtree_footer_args",
|
||||
"avb_add_hashtree_footer_args")
|
||||
copy_prop("system_extfs_inode_count", "extfs_inode_count")
|
||||
|
@ -681,7 +691,7 @@ def ImagePropFromGlobalDict(glob_dict, mount_point):
|
|||
copy_prop("vendor_squashfs_block_size", "squashfs_block_size")
|
||||
copy_prop("vendor_squashfs_disable_4k_align", "squashfs_disable_4k_align")
|
||||
copy_prop("vendor_base_fs_file", "base_fs_file")
|
||||
copy_prop("vendor_avb_enable", "avb_enable")
|
||||
copy_prop("vendor_avb_hashtree_enable", "avb_hashtree_enable")
|
||||
copy_prop("vendor_avb_add_hashtree_footer_args",
|
||||
"avb_add_hashtree_footer_args")
|
||||
copy_prop("vendor_extfs_inode_count", "extfs_inode_count")
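Review bot: Footer creation in BuildImage is now gated on `avb_footer_type`, so a property dict that carries only the old `avb_enable=true` key produces an image with no AVB footer and no error. Any producer of the dict that this commit does not update (presumably an older info file or a custom dict file) would hit this, and the missing footer would go unnoticed at build time. Fail closed right after the footer type is chosen, with `if not avb_footer_type and prop_dict.get("avb_enable") == "true": return False` and a message naming the two new keys. Separately, the docstrings of AVBCalcMaxImageSize and AVBAddFooter still mention only `add_hashtree_image` and "dm-verity hashtree" and should cover the hash footer as well. BuildImage starts and ends outside these hunks.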
|
||||
|
|