Revert "apex: use the same key for all microdroid items"
This reverts commit 6351310cfa.
Reason for revert: broken build b/205506708
Change-Id: Id3a283aa7cc271454b3f5d2cf5c3853aa6229332
parent
6351310cfa
commit
aea73f82a0
|
@ -109,20 +109,3 @@ python_binary_host {
|
|||
"simg2img",
|
||||
],
|
||||
}
|
||||
|
||||
// custom tool to replace bytes in a file
|
||||
python_binary_host {
|
||||
name: "replace_bytes",
|
||||
srcs: [
|
||||
"replace_bytes.py",
|
||||
],
|
||||
version: {
|
||||
py2: {
|
||||
enabled: false,
|
||||
},
|
||||
py3: {
|
||||
enabled: true,
|
||||
embedded_launcher: true,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
|
|
@ -1,71 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
#
|
||||
# Copyright (C) 2021 The Android Open Source Project
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
"""replace_bytes is a command line tool to replace bytes in a file.
|
||||
|
||||
Typical usage: replace_bytes target_file old_file new_file
|
||||
|
||||
replace bytes of old_file with bytes of new_file in target_file. old_file and new_file should be
|
||||
the same size.
|
||||
|
||||
"""
|
||||
import argparse
|
||||
import sys
|
||||
|
||||
|
||||
def ParseArgs(argv):
|
||||
parser = argparse.ArgumentParser(description='Replace bytes')
|
||||
parser.add_argument(
|
||||
'target_file',
|
||||
help='path to the target file.')
|
||||
parser.add_argument(
|
||||
'old_file',
|
||||
help='path to the file containing old bytes')
|
||||
parser.add_argument(
|
||||
'new_file',
|
||||
help='path to the file containing new bytes')
|
||||
return parser.parse_args(argv)
|
||||
|
||||
|
||||
def ReplaceBytes(target_file, old_file, new_file):
|
||||
# read old bytes
|
||||
with open(old_file, 'rb') as f:
|
||||
old_bytes = f.read()
|
||||
|
||||
# read new bytes
|
||||
with open(new_file, 'rb') as f:
|
||||
new_bytes = f.read()
|
||||
|
||||
assert len(old_bytes) == len(new_bytes)
|
||||
|
||||
# replace bytes in target_file
|
||||
with open(target_file, 'r+b') as f:
|
||||
pos = f.read().find(old_bytes)
|
||||
assert pos != -1
|
||||
f.seek(pos)
|
||||
f.write(new_bytes)
|
||||
|
||||
|
||||
def main(argv):
|
||||
try:
|
||||
args = ParseArgs(argv)
|
||||
ReplaceBytes(args.target_file, args.old_file, args.new_file)
|
||||
except Exception as e:
|
||||
print(e)
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
main(sys.argv[1:])
|
|
@ -44,7 +44,7 @@ microdroid_symlinks = [
|
|||
android_system_image {
|
||||
name: "microdroid",
|
||||
use_avb: true,
|
||||
avb_private_key: ":microdroid_sign_key",
|
||||
avb_private_key: ":avb_testkey_rsa4096",
|
||||
avb_algorithm: "SHA256_RSA4096",
|
||||
partition_name: "system",
|
||||
deps: [
|
||||
|
@ -193,7 +193,7 @@ android_filesystem {
|
|||
],
|
||||
},
|
||||
},
|
||||
avb_private_key: ":microdroid_sign_key",
|
||||
avb_private_key: ":avb_testkey_rsa4096",
|
||||
avb_algorithm: "SHA256_RSA4096",
|
||||
file_contexts: ":microdroid_vendor_file_contexts.gen",
|
||||
}
|
||||
|
@ -248,7 +248,7 @@ bootimg {
|
|||
header_version: "4",
|
||||
partition_name: "boot",
|
||||
use_avb: true,
|
||||
avb_private_key: ":microdroid_sign_key",
|
||||
avb_private_key: ":avb_testkey_rsa4096",
|
||||
}
|
||||
|
||||
android_filesystem {
|
||||
|
@ -285,7 +285,7 @@ bootimg {
|
|||
},
|
||||
partition_name: "vendor_boot",
|
||||
use_avb: true,
|
||||
avb_private_key: ":microdroid_sign_key",
|
||||
avb_private_key: ":avb_testkey_rsa4096",
|
||||
}
|
||||
|
||||
android_filesystem {
|
||||
|
@ -338,11 +338,11 @@ genrule {
|
|||
vbmeta {
|
||||
name: "microdroid_vbmeta_bootconfig",
|
||||
partition_name: "vbmeta",
|
||||
private_key: ":microdroid_sign_key",
|
||||
private_key: ":avb_testkey_rsa4096",
|
||||
chained_partitions: [
|
||||
{
|
||||
name: "bootconfig",
|
||||
private_key: ":microdroid_sign_key",
|
||||
private_key: ":avb_testkey_rsa4096",
|
||||
},
|
||||
],
|
||||
}
|
||||
|
@ -376,14 +376,14 @@ genrule {
|
|||
tools: ["avbtool"],
|
||||
srcs: [
|
||||
"bootconfig.normal",
|
||||
":microdroid_sign_key",
|
||||
":avb_testkey_rsa4096",
|
||||
],
|
||||
out: ["microdroid_bootconfig.normal"],
|
||||
cmd: "cp $(location bootconfig.normal) $(out) && " +
|
||||
"$(location avbtool) add_hash_footer " +
|
||||
"--algorithm SHA256_RSA4096 " +
|
||||
"--partition_name bootconfig " +
|
||||
"--key $(location :microdroid_sign_key) " +
|
||||
"--key $(location :avb_testkey_rsa4096) " +
|
||||
"--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
|
||||
"--image $(out)",
|
||||
}
|
||||
|
@ -393,14 +393,14 @@ genrule {
|
|||
tools: ["avbtool"],
|
||||
srcs: [
|
||||
"bootconfig.app_debuggable",
|
||||
":microdroid_sign_key",
|
||||
":avb_testkey_rsa4096",
|
||||
],
|
||||
out: ["microdroid_bootconfig.app_debuggable"],
|
||||
cmd: "cp $(location bootconfig.app_debuggable) $(out) && " +
|
||||
"$(location avbtool) add_hash_footer " +
|
||||
"--algorithm SHA256_RSA4096 " +
|
||||
"--partition_name bootconfig " +
|
||||
"--key $(location :microdroid_sign_key) " +
|
||||
"--key $(location :avb_testkey_rsa4096) " +
|
||||
"--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
|
||||
"--image $(out)",
|
||||
}
|
||||
|
@ -410,14 +410,14 @@ genrule {
|
|||
tools: ["avbtool"],
|
||||
srcs: [
|
||||
"bootconfig.full_debuggable",
|
||||
":microdroid_sign_key",
|
||||
":avb_testkey_rsa4096",
|
||||
],
|
||||
out: ["microdroid_bootconfig.full_debuggable"],
|
||||
cmd: "cp $(location bootconfig.full_debuggable) $(out) && " +
|
||||
"$(location avbtool) add_hash_footer " +
|
||||
"--algorithm SHA256_RSA4096 " +
|
||||
"--partition_name bootconfig " +
|
||||
"--key $(location :microdroid_sign_key) " +
|
||||
"--key $(location :avb_testkey_rsa4096) " +
|
||||
"--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
|
||||
"--image $(out)",
|
||||
}
|
||||
|
@ -437,18 +437,19 @@ prebuilt_etc {
|
|||
// For unknown reason, the signed bootloader doesn't work on x86_64. Until the problem
|
||||
// is fixed, let's use the unsigned bootloader for the architecture.
|
||||
// TODO(b/185115783): remove this
|
||||
src: ":microdroid_bootloader_pubkey_replaced",
|
||||
src: ":microdroid_crosvm_bootloader",
|
||||
},
|
||||
},
|
||||
filename: "microdroid_bootloader",
|
||||
}
|
||||
|
||||
// TODO(b/193504286) remove this when prebuilt bootloader exposes pubkey as well.
|
||||
genrule {
|
||||
name: "microdroid_bootloader_gen",
|
||||
tools: ["avbtool"],
|
||||
srcs: [
|
||||
":microdroid_bootloader_pubkey_replaced",
|
||||
":microdroid_sign_key",
|
||||
":microdroid_crosvm_bootloader",
|
||||
":avb_testkey_rsa4096",
|
||||
],
|
||||
out: ["bootloader-signed"],
|
||||
// 1. Copy the input to the output becaise avbtool modifies --image in
|
||||
|
@ -457,51 +458,31 @@ genrule {
|
|||
// bootloader file whose size is 1. It can't pass avbtool.
|
||||
// 3. Add the hash footer. The partition size is set to (image size + 68KB)
|
||||
// rounded up to 4KB boundary.
|
||||
cmd: "cp $(location :microdroid_bootloader_pubkey_replaced) $(out) && " +
|
||||
cmd: "cp $(location :microdroid_crosvm_bootloader) $(out) && " +
|
||||
"if [ $$(stat --format=%s $(out)) -gt 4096 ]; then " +
|
||||
"$(location avbtool) add_hash_footer " +
|
||||
"--algorithm SHA256_RSA4096 " +
|
||||
"--partition_name bootloader " +
|
||||
"--key $(location :microdroid_sign_key) " +
|
||||
"--key $(location :avb_testkey_rsa4096) " +
|
||||
"--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
|
||||
"--image $(out)" +
|
||||
"; fi",
|
||||
}
|
||||
|
||||
// Replace avbpubkey of prebuilt bootloader with the avbpubkey of the signing key
|
||||
genrule {
|
||||
name: "microdroid_bootloader_pubkey_replaced",
|
||||
tools: ["replace_bytes"],
|
||||
srcs: [
|
||||
":microdroid_crosvm_bootloader", // input
|
||||
":microdroid_bootloader_avbpubkey_gen", // new bytes
|
||||
],
|
||||
out: ["bootloader-pubkey-replaced"],
|
||||
cmd: "cp $(location :microdroid_crosvm_bootloader) $(out) && " +
|
||||
"$(location replace_bytes) $(out) " +
|
||||
// TODO(b/193504286) use the avbpubkey exposed from the prebuilt.
|
||||
// For now, replacing it with the same key to ensure that "replace_bytes" works and
|
||||
// that microdroid_crosvm_bootloader embeds the same pubkey of microdroid_sign_key.
|
||||
"$(location :microdroid_bootloader_avbpubkey_gen) " +
|
||||
"$(location :microdroid_bootloader_avbpubkey_gen)",
|
||||
}
|
||||
|
||||
// Apex keeps a copy of avbpubkey embedded in bootloader so that embedded avbpubkey can be replaced
|
||||
// while re-signing bootloader.
|
||||
prebuilt_etc {
|
||||
name: "microdroid_bootloader.avbpubkey",
|
||||
src: ":microdroid_bootloader_avbpubkey_gen",
|
||||
src: ":microdroid_bootloader_pubkey_gen",
|
||||
}
|
||||
|
||||
// Generate avbpukey from the signing key
|
||||
genrule {
|
||||
name: "microdroid_bootloader_avbpubkey_gen",
|
||||
name: "microdroid_bootloader_pubkey_gen",
|
||||
tools: ["avbtool"],
|
||||
srcs: [":microdroid_sign_key"],
|
||||
out: ["bootloader.pubkey"],
|
||||
cmd: "$(location avbtool) extract_public_key " +
|
||||
"--key $(location :microdroid_sign_key) " +
|
||||
"--output $(out)",
|
||||
srcs: [
|
||||
":microdroid_crosvm_bootloader",
|
||||
":avb_testkey_rsa4096",
|
||||
],
|
||||
out: ["bootloader-pubkey"],
|
||||
cmd: "$(location avbtool) extract_public_key --key $(location :avb_testkey_rsa4096) --output $(out)",
|
||||
}
|
||||
|
||||
prebuilt_etc {
|
||||
|
@ -531,18 +512,10 @@ genrule {
|
|||
cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(in)",
|
||||
}
|
||||
|
||||
// Note that keys can be different for filesystem images even though we're using the same key
|
||||
// for microdroid. However, the key signing VBmeta should match with the pubkey embedded in
|
||||
// bootloader.
|
||||
filegroup {
|
||||
name: "microdroid_sign_key",
|
||||
srcs: [":avb_testkey_rsa4096"],
|
||||
}
|
||||
|
||||
vbmeta {
|
||||
name: "microdroid_vbmeta",
|
||||
partition_name: "vbmeta",
|
||||
private_key: ":microdroid_sign_key",
|
||||
private_key: ":avb_testkey_rsa4096",
|
||||
partitions: [
|
||||
"microdroid_vendor",
|
||||
"microdroid_vendor_boot-5.10",
|
||||
|
|
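Review bot: After this revert nothing at build time ties the key that signs the images to the public key inside the prebuilt bootloader. The removed `microdroid_bootloader_pubkey_replaced` step ran `replace_bytes`, whose `assert pos != -1` would have failed the build when the expected key bytes were absent from `:microdroid_crosvm_bootloader`, whereas the restored `microdroid_bootloader_pubkey_gen` only runs `avbtool extract_public_key` on `:avb_testkey_rsa4096`, so a mismatch would presumably surface only as a verification failure at boot. The `":microdroid_crosvm_bootloader"` entry in that genrule's `srcs` is not referenced by its `cmd` and can be dropped. I would also add a comment above the rule, such as `// Derived from the signing key, not read from the prebuilt bootloader; the key signing vbmeta must match the pubkey embedded in the bootloader.`, to keep the invariant that the deleted `microdroid_sign_key` comment recorded. With the filegroup gone, the test key is again named literally at every signing site in this file, so a later key change has to touch each of them.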