Gitiles
Code Review Sign In
gerrit.omnirom.org / android_build / 160762a27631c0f0429100225863cd66d72fb627^! / . / core
commit160762a27631c0f0429100225863cd66d72fb627[log] [tgz]
authorKelvin Zhang <zhangkelvin@google.com>Tue Oct 17 12:27:56 2023 -0700
committerKelvin Zhang <zhangkelvin@google.com>Wed Oct 25 13:28:11 2023 -0700
treebdff6c2cfdf7cc7ea3f54617cf124f3e0d2bc1c7
parent6787354f96ca0f73f3a0c7da7fe07f3be7d88ba0 [diff]
Use deterministic salt for AVB footer of prebuilt boot img

When target specified a prebuilt boot.img, current build system will add
avb hash footer to it with a random salt. Use a deterministic salt
instead for more reproducible builds. To stay consistent with
non-prebuilt boot.img code path, we extract the kernel image from
prebuilt boot.img and uses sha256sum of kernel image as the salt.

Test: th
Bug: 293313353
Change-Id: I988999ddc4f18e0b8677b05a3165c847b6a11b52

diff --git a/core/Makefile b/core/Makefile
index 37dd0f6..a190a3d 100644
--- a/core/Makefile
+++ b/core/Makefile

@@ -1444,15 +1444,19 @@
 INSTALLED_BOOTIMAGE_TARGET := $(PRODUCT_OUT)/boot.img
 
 ifeq ($(BOARD_AVB_ENABLE),true)
-$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH)
+$(INSTALLED_BOOTIMAGE_TARGET): PRIVATE_WORKING_DIR := $(call intermediates-dir-for,PACKAGING,prebuilt_bootimg)
+$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH) $(UNPACK_BOOTIMG)
 	cp $(INTERNAL_PREBUILT_BOOTIMAGE) $@
+	$(UNPACK_BOOTIMG) --boot_img $(INTERNAL_PREBUILT_BOOTIMAGE) --out $(PRIVATE_WORKING_DIR)
 	chmod +w $@
 	$(AVBTOOL) add_hash_footer \
 	    --image $@ \
+	    --salt `sha256sum $(PRIVATE_WORKING_DIR)/kernel | cut -d " " -f 1` \
 	    $(call get-partition-size-argument,$(BOARD_BOOTIMAGE_PARTITION_SIZE)) \
 	    --partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \
 	    $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)
 
+
 $(call declare-container-license-metadata,$(INSTALLED_BOOTIMAGE_TARGET),SPDX-license-identifier-GPL-2.0-only SPDX-license-identifier-Apache-2.0,restricted notice,$(BUILD_SYSTEM)/LINUX_KERNEL_COPYING build/soong/licenses/LICENSE,"Boot Image",bool)
 $(call declare-container-license-deps,$(INSTALLED_BOOTIMAGE_TARGET),$(INTERNAL_PREBUILT_BOOTIMAGE),$(PRODUCT_OUT)/:/)
 

diff --git a/core/config.mk b/core/config.mk
index 196f07c..c747fd5 100644
--- a/core/config.mk
+++ b/core/config.mk

@@ -722,6 +722,7 @@
 BUILD_SUPER_IMAGE := $(BOARD_CUSTOM_BUILD_SUPER_IMAGE)
 endif
 IMG_FROM_TARGET_FILES := $(HOST_OUT_EXECUTABLES)/img_from_target_files$(HOST_EXECUTABLE_SUFFIX)
+UNPACK_BOOTIMG := $(HOST_OUT_EXECUTABLES)/unpack_bootimg
 MAKE_RECOVERY_PATCH := $(HOST_OUT_EXECUTABLES)/make_recovery_patch$(HOST_EXECUTABLE_SUFFIX)
 OTA_FROM_TARGET_FILES := $(HOST_OUT_EXECUTABLES)/ota_from_target_files$(HOST_EXECUTABLE_SUFFIX)
 OTA_FROM_RAW_IMG := $(HOST_OUT_EXECUTABLES)/ota_from_raw_img$(HOST_EXECUTABLE_SUFFIX)