platform_build

History

Tao Bao c99819311c Also install verity_key to ramdisk for non-system-as-root target. The commit in `d14b895665` (https://android-review.googlesource.com/c/platform/build/+/728287) changed partition layout, to always build the root dir into system.img, even for devices not using system-as-root (i.e. the ones with separate boot ramdisk). With the new layout, there will be two root dirs for non-system-as-root targets during the boot. If such a device uses Verified Boot 1.0, /verity_key needs to be available in both roots, to establish the chain of trust. - bootloader uses the baked-in key to verify boot.img; it then loads the ramdisk from the verified boot.img - First stage init uses /verity_key (in ramdisk) to verify and mount system.img at /system, then chroot's to it - Second stage init uses /verity_key (in system.img) to verify and mount other partitions This CL adds rules to additionally install verity_key into ramdisk for such targets. Bug: 139770257 Test: Set up a target to use non-system-as-root (BOARD_BUILD_SYSTEM_ROOT_IMAGE != true). `m dist`. Test: Check that both ROOT/verity_key and BOOT/RAMDISK/verity_key exist in the built target_files.zip. Test: Run validate_target_files to validate the above target_files.zip. $ validate_target_files \ --verity_key_mincrypt /path/to/verity_key \ target_files.zip Test: Run sign_target_files_apks to sign the above target. Re-run validate_target_files on the signed target_files.zip. Test: python -m unittest test_validate_target_files Change-Id: Ibe7e771c8c376429add85851ac86055564765d3c		2019-09-17 08:53:16 -07:00
..
Android.bp	Provide android_app_certificate module that always points to AOSP	2019-05-02 22:22:47 -07:00
Android.mk	Also install verity_key to ramdisk for non-system-as-root target.	2019-09-17 08:53:16 -07:00
media.pk8	auto import from //depot/cupcake/@135843	2009-03-03 19:28:42 -08:00
media.x509.pem	auto import from //depot/cupcake/@135843	2009-03-03 19:28:42 -08:00
networkstack.pk8	Add test keys for networkstack	2019-02-13 00:57:41 +09:00
networkstack.x509.pem	Add test keys for networkstack	2019-02-13 00:57:41 +09:00
platform.pk8	auto import from //depot/cupcake/@135843	2009-03-03 19:28:42 -08:00
platform.x509.pem	auto import from //depot/cupcake/@135843	2009-03-03 19:28:42 -08:00
README	Stop using build/target -> build/make/target symlink	2019-04-09 21:35:37 -07:00
shared.pk8	auto import from //depot/cupcake/@135843	2009-03-03 19:28:42 -08:00
shared.x509.pem	auto import from //depot/cupcake/@135843	2009-03-03 19:28:42 -08:00
testkey.pk8	auto import from //depot/cupcake/@135843	2009-03-03 19:28:42 -08:00
testkey.x509.pem	auto import from //depot/cupcake/@135843	2009-03-03 19:28:42 -08:00
verity.pk8	DO NOT MERGE: Change verity key formats	2014-11-13 23:23:31 +00:00
verity.x509.pem	DO NOT MERGE: Change verity key formats	2014-11-13 23:23:31 +00:00
verity_key	DO NOT MERGE: Change verity key formats	2014-11-13 23:23:31 +00:00

README

For detailed information on key types and image signing, please see:

https://source.android.com/devices/tech/ota/sign_builds.html

The test keys in this directory are used in development only and should
NEVER be used to sign packages in publicly released images (as that would
open a major security hole).

key generation
--------------

The following commands were used to generate the test key pairs:

  development/tools/make_key testkey  '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key platform '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key shared   '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'
  development/tools/make_key media    '/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com'

signing using the openssl commandline (for boot/system images)
--------------------------------------------------------------

1. convert pk8 format key to pem format
   % openssl pkcs8 -inform DER -nocrypt -in testkey.pk8 -out testkey.pem

2. create a signature using the pem format key
   % openssl dgst -binary -sha1 -sign testkey.pem FILE > FILE.sig

extracting public keys for embedding
------------------------------------

dumpkey.jar is a Java tool that takes an x.509 certificate in PEM format as
input and prints a C structure to standard output:

    $ java -jar out/host/linux-x86/framework/dumpkey.jar build/make/target/product/security/testkey.x509.pem
    {64,0xc926ad21,{1795090719,2141396315,950055447,2581568430,4268923165,1920809988,546586521,3498997798,1776797858,3740060814,1805317999,1429410244,129622599,1422441418,1783893377,1222374759,2563319927,323993566,28517732,609753416,1826472888,215237850,4261642700,4049082591,3228462402,774857746,154822455,2497198897,2758199418,3019015328,2794777644,87251430,2534927978,120774784,571297800,3695899472,2479925187,3811625450,3401832990,2394869647,3267246207,950095497,555058928,414729973,1136544882,3044590084,465547824,4058146728,2731796054,1689838846,3890756939,1048029507,895090649,247140249,178744550,3547885223,3165179243,109881576,3944604415,1044303212,3772373029,2985150306,3737520932,3599964420},{3437017481,3784475129,2800224972,3086222688,251333580,2131931323,512774938,325948880,2657486437,2102694287,3820568226,792812816,1026422502,2053275343,2800889200,3113586810,165549746,4273519969,4065247892,1902789247,772932719,3941848426,3652744109,216871947,3164400649,1942378755,3996765851,1055777370,964047799,629391717,2232744317,3910558992,191868569,2758883837,3682816752,2997714732,2702529250,3570700455,3776873832,3924067546,3555689545,2758825434,1323144535,61311905,1997411085,376844204,213777604,4077323584,9135381,1625809335,2804742137,2952293945,1117190829,4237312782,1825108855,3013147971,1111251351,2568837572,1684324211,2520978805,367251975,810756730,2353784344,1175080310}}

This is called by build/make/core/Makefile to incorporate the OTA signing keys
into the recovery image.