Sign the bootloader using avbtool

The signing is effectively no op for now because nothing verifies the
bootloader. However, in the end, the pKVM firmware will verify the
bootloader and use the vbmeta footer appended to it.

Bug: 182169705
Test: atest MicrodroidTestCase
Change-Id: I459250a84969b2a6bfa207085fe267f3a78033d6

microdroid/Android.bp

@@ -224,6 +224,41 @@ prebuilt_etc {
     installable: false,
 }
 
+prebuilt_etc {
+    name: "microdroid_bootloader",
+    src: ":microdroid_bootloader_gen",
+    filename: "microdroid_bootloader",
+}
+
+// See external/avb/avbtool.py
+// MAX_VBMETA_SIZE=64KB, MAX_FOOTER_SIZE=4KB
+avb_hash_footer_kb = "68"
+
+genrule {
+    name: "microdroid_bootloader_gen",
+    tools: ["avbtool"],
+    srcs: [
+        ":cuttlefish_crosvm_bootloader",
+        ":avb_testkey_rsa4096",
+    ],
+    out: ["bootloader-signed"],
+    // 1. Copy the input to the output becaise avbtool modifies --image in
+    // place.
+    // 2. Check if the file is big enough. For arm and x86 we have fake
+    // bootloader file whose size is 1. It can't pass avbtool.
+    // 3. Add the hash footer. The partition size is set to (image size + 68KB)
+    // rounded up to 4KB boundary.
+    cmd: "cp $(location :cuttlefish_crosvm_bootloader) $(out) && " +
+        "if [ $$(stat --format=%s $(out)) -gt 4096 ]; then " +
+        "$(location avbtool) add_hash_footer " +
+        "--algorithm SHA256_RSA4096 " +
+        "--partition_name bootloader " +
+        "--key $(location :avb_testkey_rsa4096) " +
+        "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
+        "--image $(out)" +
+        "; fi",
+}
+
 prebuilt_etc {
     name: "microdroid_uboot_env",
     src: ":microdroid_uboot_env_gen",

microdroid/README.md

@@ -21,6 +21,7 @@ $ choosecombo 1 aosp_arm64 userdebug // actually, any arm64-based target is ok
 $ m microdroid_super
 $ m microdroid_boot-5.10
 $ m microdroid_vendor_boot-5.10
+$ m microdroid_bootloader
 $ m microdroid_uboot_env
 $ m microdroid_vbmeta
 $ m microdroid_vbmeta_system
@@ -33,7 +34,7 @@ Push the built files to the device. In addition to that, some other files have
 to be manually created, for now. In the future, you won't need these.
 
 ```
-$ adb push device/google/cuttlefish_prebuilts/bootloader/crosvm_aarch64/u-boot.bin /data/local/tmp/bootloader
+$ adb push $ANDROID_PRODUCT_OUT/system/etc/microdroid_bootloader /data/local/tmp/bootloader
 $ adb push $ANDROID_PRODUCT_OUT/system/etc/microdroid_super.img /data/local/tmp/super.img
 $ adb push $ANDROID_PRODUCT_OUT/system/etc/microdroid_boot-5.10.img /data/local/tmp/boot.img
 $ adb push $ANDROID_PRODUCT_OUT/system/etc/microdroid_vendor_boot-5.10.img /data/local/tmp/vendor_boot.img

tests/hostside/Android.bp

@@ -13,7 +13,7 @@ java_test_host {
         ":microdroid_boot-5.10",
         ":microdroid_vendor_boot-5.10",
         ":microdroid_uboot_env",
-        ":cuttlefish_crosvm_bootloader",
+        ":microdroid_bootloader",
         ":MicrodroidHostTestCase_misc",
         ":microdroid_vbmeta",
         ":microdroid_vbmeta_system",

tests/hostside/java/android/virt/test/MicrodroidTestCase.java

@@ -70,7 +70,7 @@ public class MicrodroidTestCase extends BaseHostJUnit4Test {
     public void testMicrodroidBoots() throws Exception {
         // Prepare input files
         pushFile("microdroid_cdisk.json", "microdroid_cdisk.json");
-        pushFile("u-boot.bin", "bootloader");
+        pushFile("microdroid_bootloader", "bootloader");
         pushFile("microdroid_super.img", "super.img");
         pushFile("microdroid_boot-5.10.img", "boot.img");
         pushFile("microdroid_vendor_boot-5.10.img", "vendor_boot.img");