releasetools: Update T GKI certification scheme

Companion change of I143680b1cab50a6915df56c8273f8741beaf1180. Basically does the same thing as the other change. Bug: 211741246 Test: m dist Test: ./boot_signature_info.sh boot-5.10.img Change-Id: I40c4d5866c74a9a2d525f9455969b8a71f22bdbb
2022-02-22 19:51:15 +08:00 · 2022-02-22 19:51:15 +08:00 · 24da1a43bb
parent 2f7a108bf2
commit 24da1a43bb
2 changed files with 30 additions and 29 deletions
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@ -1405,7 +1405,7 @@ def _HasGkiCertificationArgs():
          "gki_signing_algorithm" in OPTIONS.info_dict)


-def _GenerateGkiCertificate(image, image_name, partition_name):
+def _GenerateGkiCertificate(image, image_name):
  key_path = OPTIONS.info_dict.get("gki_signing_key_path")
  algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")

@ -1434,8 +1434,7 @@ def _GenerateGkiCertificate(image, image_name, partition_name):
  if signature_args:
    cmd.extend(["--additional_avb_args", signature_args])

-  args = OPTIONS.info_dict.get(
-      "avb_" + partition_name + "_add_hash_footer_args", "")
+  args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "")
  args = args.strip()
  if args:
    cmd.extend(["--additional_avb_args", args])
@ -1628,27 +1627,9 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
  if args and args.strip():
    cmd.extend(shlex.split(args))

-  boot_signature = None
-  if _HasGkiCertificationArgs():
-    # Certify GKI images.
-    boot_signature_bytes = b''
-    if kernel_path is not None:
-      boot_signature_bytes += _GenerateGkiCertificate(
-          kernel_path, "generic_kernel", "boot")
-    if has_ramdisk:
-      boot_signature_bytes += _GenerateGkiCertificate(
-          ramdisk_img.name, "generic_ramdisk", "init_boot")
-
-    if len(boot_signature_bytes) > 0:
-      boot_signature = tempfile.NamedTemporaryFile()
-      boot_signature.write(boot_signature_bytes)
-      boot_signature.flush()
-      cmd.extend(["--boot_signature", boot_signature.name])
-  else:
-    # Certified GKI boot/init_boot image mustn't set 'mkbootimg_version_args'.
-    args = info_dict.get("mkbootimg_version_args")
-    if args and args.strip():
-      cmd.extend(shlex.split(args))
+  args = info_dict.get("mkbootimg_version_args")
+  if args and args.strip():
+    cmd.extend(shlex.split(args))

  if has_ramdisk:
    cmd.extend(["--ramdisk", ramdisk_img.name])
@ -1670,6 +1651,29 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,

  RunAndCheckOutput(cmd)

+  if _HasGkiCertificationArgs():
+    if not os.path.exists(img.name):
+      raise ValueError("Cannot find GKI boot.img")
+    if kernel_path is None or not os.path.exists(kernel_path):
+      raise ValueError("Cannot find GKI kernel.img")
+
+    # Certify GKI images.
+    boot_signature_bytes = b''
+    boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot")
+    boot_signature_bytes += _GenerateGkiCertificate(
+        kernel_path, "generic_kernel")
+
+    BOOT_SIGNATURE_SIZE = 16 * 1024
+    if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE:
+      raise ValueError(
+          f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}")
+    boot_signature_bytes += (
+        b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes)))
+    assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE
+
+    with open(img.name, 'ab') as f:
+      f.write(boot_signature_bytes)
+
  if (info_dict.get("boot_signer") == "true" and
          info_dict.get("verity_key")):
    # Hard-code the path as "/boot" for two-step special recovery image (which
@ -1730,9 +1734,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, info_dict=None,
    ramdisk_img.close()
  img.close()

-  if boot_signature is not None:
-    boot_signature.close()
-
  return data


--- a/tools/releasetools/test_common.py
+++ b/tools/releasetools/test_common.py
@ -1642,7 +1642,7 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
    }
    test_file = tempfile.NamedTemporaryFile()
    self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
-                      test_file.name, 'generic_kernel', 'boot')
+                      test_file.name, 'generic_kernel')

  def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):
    pubkey = 'no_testkey_gki.pem'
@ -1662,7 +1662,7 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
    }
    test_file = tempfile.NamedTemporaryFile()
    self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
-                      test_file.name, 'generic_kernel', 'boot')
+                      test_file.name, 'generic_kernel')

 class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
  """Checks the format of install-recovery.sh.