Fix (pvmfw.img) Embed correct public key for Microdroid verification
The previous commit (I551e14fa6a0c63e3cef334b953f670cf9c465e10)
incorrectly embedded the APEX public key ('apex_pubkey') into
pvmfw.img. This key is used to verify `apex_payload.img`
within `com.android.virt.apex`, not the Microdroid image.
This commit embeds the correct public key, which verifies
`microdroid_vbmeta.img` inside `apex_payload.img`.
Bug: 384813199
Test: m sign_target_files_apks
Test: sign_target_files_apks --allow_gsi_debug_sepolicy \
--extra_apex_payload_key com.android.virt.apex= \
-e com.android.virt.apex= \
gsi_arm64-target_files-${build_id}.zip signed.zip
Test: unzip signed.zip IMAGES/pvmfw.img
Test: avbtool extract_public_key --key external/avb/test/data/testkey_rsa4096.pem --out key.pub
Test: grep -U -F -f key.pub IMAGES/pvmfw.img => grep: IMAGES/pvmfw.img: binary file matches
Change-Id: Ic8ae72898b8ab6067402b26eef9ed1b876a778f7
Merged-In: Ic8ae72898b8ab6067402b26eef9ed1b876a778f7
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index a4c7726..ef90085 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -374,6 +374,37 @@
return keys_info
+def GetMicrodroidVbmetaKey(virt_apex_path, avbtool_path):
+ """Extracts the AVB public key from microdroid_vbmeta.img within a virt apex.
+
+ Args:
+ virt_apex_path: The path to the com.android.virt.apex file.
+ avbtool_path: The path to the avbtool executable.
+
+ Returns:
+ The AVB public key (bytes).
+ """
+ # Creates an ApexApkSigner to extract microdroid_vbmeta.img.
+ # No need to set key_passwords/codename_to_api_level_map since
+ # we won't do signing here.
+ apex_signer = apex_utils.ApexApkSigner(
+ virt_apex_path,
+ None, # key_passwords
+ None) # codename_to_api_level_map
+ payload_dir = apex_signer.ExtractApexPayload(virt_apex_path)
+ microdroid_vbmeta_image = os.path.join(
+ payload_dir, 'etc', 'fs', 'microdroid_vbmeta.img')
+
+ # Extracts the avb public key from microdroid_vbmeta.img.
+ with tempfile.NamedTemporaryFile() as microdroid_pubkey:
+ common.RunAndCheckOutput([
+ avbtool_path, 'info_image',
+ '--image', microdroid_vbmeta_image,
+ '--output_pubkey', microdroid_pubkey.name])
+ with open(microdroid_pubkey.name, 'rb') as f:
+ return f.read()
+
+
def GetApkFileInfo(filename, compressed_extension, skipped_prefixes):
"""Returns the APK info based on the given filename.
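Review bot: GetMicrodroidVbmetaKey returns whatever bytes end up in the temporary file without checking them, and the PRESIGNED branch in the second hunk embeds that value into pvmfw.img as the Microdroid verification key. If microdroid_vbmeta.img carries no signing key, avbtool may leave the output file empty (not confirmed from this page), and the signing run would still finish with an empty or unusable trust anchor. Read into a local and fail closed: `pubkey = f.read()`, then `if not pubkey: raise common.ExternalError('no AVB public key in ' + microdroid_vbmeta_image)` before `return pubkey`. The docstring could also gain a `Raises:` entry covering that case and an avbtool failure surfaced by `common.RunAndCheckOutput`.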
@@ -769,9 +800,8 @@
# b/384813199: handles the pre-signed com.android.virt.apex in GSI.
if payload_key == 'PRESIGNED':
- with input_tf_zip.open(virt_apex_path) as apex_fp:
- with zipfile.ZipFile(apex_fp) as apex_zip:
- new_pubkey = apex_zip.read('apex_pubkey')
+ new_pubkey = GetMicrodroidVbmetaKey(virt_apex_path,
+ misc_info['avb_avbtool'])
else:
new_pubkey_path = common.ExtractAvbPublicKey(
misc_info['avb_avbtool'], payload_key)
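Review bot: `virt_apex_path` appears to change meaning in the PRESIGNED branch. The removed lines opened it with `input_tf_zip.open(...)`, so it was an entry name inside the target-files zip, while the new call hands it to a helper whose docstring and `ExtractApexPayload` call treat it as a path on disk. Its definition is outside this hunk, so this may already be handled. If it is still an archive member name, extraction will either fail or read whatever file happens to sit at that relative path, and that file's key would end up in pvmfw.img. Consider materializing the entry first with `extracted_apex = input_tf_zip.extract(virt_apex_path, common.MakeTempDir())` and passing `extracted_apex` to `GetMicrodroidVbmetaKey`.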