Reland "apex: use the same key for all microdroid items"

This reverts commit aea73f82a0.

Relanding with the fix for arm & x86 builds.

apex: use the same key for all microdroid items

The pubkey embedded in bootloader should match with the key signing
VBmeta. The updated build graph is to ensure bootloader and VBmeta to be
generated with the same key.

All other filesystem images are signed with the same key for
convenience even though it's not necessary.

Bug: 193504286
Bug: 203726593
Test: atest MicrodroidHostTestCases
Change-Id: Iae93934b18955e86ee6b73ad204c68a3f7456102
This commit is contained in:
Jooyung Han 2021-11-08 17:53:47 +09:00
parent 38c1390cf2
commit d35952e0f6
3 changed files with 151 additions and 29 deletions

View File

@ -109,3 +109,20 @@ python_binary_host {
"simg2img", "simg2img",
], ],
} }
// custom tool to replace bytes in a file
python_binary_host {
name: "replace_bytes",
srcs: [
"replace_bytes.py",
],
version: {
py2: {
enabled: false,
},
py3: {
enabled: true,
embedded_launcher: true,
},
},
}

72
apex/replace_bytes.py Normal file
View File

@ -0,0 +1,72 @@
#!/usr/bin/env python
#
# Copyright (C) 2021 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""replace_bytes is a command line tool to replace bytes in a file.
Typical usage: replace_bytes target_file old_file new_file
replace bytes of old_file with bytes of new_file in target_file. old_file and new_file should be
the same size.
"""
import argparse
import sys
def ParseArgs(argv):
parser = argparse.ArgumentParser(description='Replace bytes')
parser.add_argument(
'target_file',
help='path to the target file.')
parser.add_argument(
'old_file',
help='path to the file containing old bytes')
parser.add_argument(
'new_file',
help='path to the file containing new bytes')
return parser.parse_args(argv)
def ReplaceBytes(target_file, old_file, new_file):
# read old bytes
with open(old_file, 'rb') as f:
old_bytes = f.read()
# read new bytes
with open(new_file, 'rb') as f:
new_bytes = f.read()
assert len(old_bytes) == len(new_bytes), 'Pubkeys should be the same size. (%d != %d)' % (
len(old_bytes), len(new_bytes))
# replace bytes in target_file
with open(target_file, 'r+b') as f:
pos = f.read().find(old_bytes)
assert pos != -1, 'Pubkey not found'
f.seek(pos)
f.write(new_bytes)
def main(argv):
try:
args = ParseArgs(argv)
ReplaceBytes(args.target_file, args.old_file, args.new_file)
except Exception as e:
print(e)
sys.exit(1)
if __name__ == '__main__':
main(sys.argv[1:])

View File

@ -44,7 +44,7 @@ microdroid_symlinks = [
android_system_image { android_system_image {
name: "microdroid", name: "microdroid",
use_avb: true, use_avb: true,
avb_private_key: ":avb_testkey_rsa4096", avb_private_key: ":microdroid_sign_key",
avb_algorithm: "SHA256_RSA4096", avb_algorithm: "SHA256_RSA4096",
partition_name: "system", partition_name: "system",
deps: [ deps: [
@ -193,7 +193,7 @@ android_filesystem {
], ],
}, },
}, },
avb_private_key: ":avb_testkey_rsa4096", avb_private_key: ":microdroid_sign_key",
avb_algorithm: "SHA256_RSA4096", avb_algorithm: "SHA256_RSA4096",
file_contexts: ":microdroid_vendor_file_contexts.gen", file_contexts: ":microdroid_vendor_file_contexts.gen",
} }
@ -248,7 +248,7 @@ bootimg {
header_version: "4", header_version: "4",
partition_name: "boot", partition_name: "boot",
use_avb: true, use_avb: true,
avb_private_key: ":avb_testkey_rsa4096", avb_private_key: ":microdroid_sign_key",
} }
android_filesystem { android_filesystem {
@ -285,7 +285,7 @@ bootimg {
}, },
partition_name: "vendor_boot", partition_name: "vendor_boot",
use_avb: true, use_avb: true,
avb_private_key: ":avb_testkey_rsa4096", avb_private_key: ":microdroid_sign_key",
} }
android_filesystem { android_filesystem {
@ -338,11 +338,11 @@ genrule {
vbmeta { vbmeta {
name: "microdroid_vbmeta_bootconfig", name: "microdroid_vbmeta_bootconfig",
partition_name: "vbmeta", partition_name: "vbmeta",
private_key: ":avb_testkey_rsa4096", private_key: ":microdroid_sign_key",
chained_partitions: [ chained_partitions: [
{ {
name: "bootconfig", name: "bootconfig",
private_key: ":avb_testkey_rsa4096", private_key: ":microdroid_sign_key",
}, },
], ],
} }
@ -376,14 +376,14 @@ genrule {
tools: ["avbtool"], tools: ["avbtool"],
srcs: [ srcs: [
"bootconfig.normal", "bootconfig.normal",
":avb_testkey_rsa4096", ":microdroid_sign_key",
], ],
out: ["microdroid_bootconfig.normal"], out: ["microdroid_bootconfig.normal"],
cmd: "cp $(location bootconfig.normal) $(out) && " + cmd: "cp $(location bootconfig.normal) $(out) && " +
"$(location avbtool) add_hash_footer " + "$(location avbtool) add_hash_footer " +
"--algorithm SHA256_RSA4096 " + "--algorithm SHA256_RSA4096 " +
"--partition_name bootconfig " + "--partition_name bootconfig " +
"--key $(location :avb_testkey_rsa4096) " + "--key $(location :microdroid_sign_key) " +
"--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " + "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
"--image $(out)", "--image $(out)",
} }
@ -393,14 +393,14 @@ genrule {
tools: ["avbtool"], tools: ["avbtool"],
srcs: [ srcs: [
"bootconfig.app_debuggable", "bootconfig.app_debuggable",
":avb_testkey_rsa4096", ":microdroid_sign_key",
], ],
out: ["microdroid_bootconfig.app_debuggable"], out: ["microdroid_bootconfig.app_debuggable"],
cmd: "cp $(location bootconfig.app_debuggable) $(out) && " + cmd: "cp $(location bootconfig.app_debuggable) $(out) && " +
"$(location avbtool) add_hash_footer " + "$(location avbtool) add_hash_footer " +
"--algorithm SHA256_RSA4096 " + "--algorithm SHA256_RSA4096 " +
"--partition_name bootconfig " + "--partition_name bootconfig " +
"--key $(location :avb_testkey_rsa4096) " + "--key $(location :microdroid_sign_key) " +
"--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " + "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
"--image $(out)", "--image $(out)",
} }
@ -410,14 +410,14 @@ genrule {
tools: ["avbtool"], tools: ["avbtool"],
srcs: [ srcs: [
"bootconfig.full_debuggable", "bootconfig.full_debuggable",
":avb_testkey_rsa4096", ":microdroid_sign_key",
], ],
out: ["microdroid_bootconfig.full_debuggable"], out: ["microdroid_bootconfig.full_debuggable"],
cmd: "cp $(location bootconfig.full_debuggable) $(out) && " + cmd: "cp $(location bootconfig.full_debuggable) $(out) && " +
"$(location avbtool) add_hash_footer " + "$(location avbtool) add_hash_footer " +
"--algorithm SHA256_RSA4096 " + "--algorithm SHA256_RSA4096 " +
"--partition_name bootconfig " + "--partition_name bootconfig " +
"--key $(location :avb_testkey_rsa4096) " + "--key $(location :microdroid_sign_key) " +
"--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " + "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
"--image $(out)", "--image $(out)",
} }
@ -437,19 +437,18 @@ prebuilt_etc {
// For unknown reason, the signed bootloader doesn't work on x86_64. Until the problem // For unknown reason, the signed bootloader doesn't work on x86_64. Until the problem
// is fixed, let's use the unsigned bootloader for the architecture. // is fixed, let's use the unsigned bootloader for the architecture.
// TODO(b/185115783): remove this // TODO(b/185115783): remove this
src: ":microdroid_crosvm_bootloader", src: ":microdroid_bootloader_pubkey_replaced",
}, },
}, },
filename: "microdroid_bootloader", filename: "microdroid_bootloader",
} }
// TODO(b/193504286) remove this when prebuilt bootloader exposes pubkey as well.
genrule { genrule {
name: "microdroid_bootloader_gen", name: "microdroid_bootloader_gen",
tools: ["avbtool"], tools: ["avbtool"],
srcs: [ srcs: [
":microdroid_crosvm_bootloader", ":microdroid_bootloader_pubkey_replaced",
":avb_testkey_rsa4096", ":microdroid_sign_key",
], ],
out: ["bootloader-signed"], out: ["bootloader-signed"],
// 1. Copy the input to the output becaise avbtool modifies --image in // 1. Copy the input to the output becaise avbtool modifies --image in
@ -458,31 +457,57 @@ genrule {
// bootloader file whose size is 1. It can't pass avbtool. // bootloader file whose size is 1. It can't pass avbtool.
// 3. Add the hash footer. The partition size is set to (image size + 68KB) // 3. Add the hash footer. The partition size is set to (image size + 68KB)
// rounded up to 4KB boundary. // rounded up to 4KB boundary.
cmd: "cp $(location :microdroid_crosvm_bootloader) $(out) && " + cmd: "cp $(location :microdroid_bootloader_pubkey_replaced) $(out) && " +
"if [ $$(stat --format=%s $(out)) -gt 4096 ]; then " + "if [ $$(stat --format=%s $(out)) -gt 4096 ]; then " +
"$(location avbtool) add_hash_footer " + "$(location avbtool) add_hash_footer " +
"--algorithm SHA256_RSA4096 " + "--algorithm SHA256_RSA4096 " +
"--partition_name bootloader " + "--partition_name bootloader " +
"--key $(location :avb_testkey_rsa4096) " + "--key $(location :microdroid_sign_key) " +
"--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " + "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
"--image $(out)" + "--image $(out)" +
"; fi", "; fi",
} }
prebuilt_etc { // Replace avbpubkey of prebuilt bootloader with the avbpubkey of the signing key
name: "microdroid_bootloader.avbpubkey", genrule {
src: ":microdroid_bootloader_pubkey_gen", name: "microdroid_bootloader_pubkey_replaced",
tools: ["replace_bytes"],
srcs: [
":microdroid_crosvm_bootloader", // input
":microdroid_bootloader_avbpubkey_gen", // new bytes
],
out: ["bootloader-pubkey-replaced"],
// 1. Copy the input to the output (replace_bytes modifies the file in-place)
// 2. Check if the file is big enough. For arm and x86 we have fake
// bootloader file whose size is 1. (replace_bytes fails if key not found)
// 3. Replace embedded pubkey with new one.
cmd: "cp $(location :microdroid_crosvm_bootloader) $(out) && " +
"if [ $$(stat --format=%s $(out)) -gt 4096 ]; then " +
"$(location replace_bytes) $(out) " +
// TODO(b/193504286) use the avbpubkey exposed from the prebuilt.
// For now, replacing it with the same key to ensure that "replace_bytes" works and
// that microdroid_crosvm_bootloader embeds the same pubkey of microdroid_sign_key.
"$(location :microdroid_bootloader_avbpubkey_gen) " +
"$(location :microdroid_bootloader_avbpubkey_gen)" +
"; fi",
} }
// Apex keeps a copy of avbpubkey embedded in bootloader so that embedded avbpubkey can be replaced
// while re-signing bootloader.
prebuilt_etc {
name: "microdroid_bootloader.avbpubkey",
src: ":microdroid_bootloader_avbpubkey_gen",
}
// Generate avbpukey from the signing key
genrule { genrule {
name: "microdroid_bootloader_pubkey_gen", name: "microdroid_bootloader_avbpubkey_gen",
tools: ["avbtool"], tools: ["avbtool"],
srcs: [ srcs: [":microdroid_sign_key"],
":microdroid_crosvm_bootloader", out: ["bootloader.pubkey"],
":avb_testkey_rsa4096", cmd: "$(location avbtool) extract_public_key " +
], "--key $(location :microdroid_sign_key) " +
out: ["bootloader-pubkey"], "--output $(out)",
cmd: "$(location avbtool) extract_public_key --key $(location :avb_testkey_rsa4096) --output $(out)",
} }
prebuilt_etc { prebuilt_etc {
@ -512,10 +537,18 @@ genrule {
cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(in)", cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(in)",
} }
// Note that keys can be different for filesystem images even though we're using the same key
// for microdroid. However, the key signing VBmeta should match with the pubkey embedded in
// bootloader.
filegroup {
name: "microdroid_sign_key",
srcs: [":avb_testkey_rsa4096"],
}
vbmeta { vbmeta {
name: "microdroid_vbmeta", name: "microdroid_vbmeta",
partition_name: "vbmeta", partition_name: "vbmeta",
private_key: ":avb_testkey_rsa4096", private_key: ":microdroid_sign_key",
partitions: [ partitions: [
"microdroid_vendor", "microdroid_vendor",
"microdroid_vendor_boot-5.10", "microdroid_vendor_boot-5.10",