releasetools: Update T GKI certification scheme
Companion change of I143680b1cab50a6915df56c8273f8741beaf1180.
Basically does the same thing as the other change.
Bug: 211741246
Test: m dist
Test: ./boot_signature_info.sh boot-5.10.img
Change-Id: I40c4d5866c74a9a2d525f9455969b8a71f22bdbb
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 107fad1..9feb8af 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -1405,7 +1405,7 @@
"gki_signing_algorithm" in OPTIONS.info_dict)
-def _GenerateGkiCertificate(image, image_name, partition_name):
+def _GenerateGkiCertificate(image, image_name):
key_path = OPTIONS.info_dict.get("gki_signing_key_path")
algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
@@ -1434,8 +1434,7 @@
if signature_args:
cmd.extend(["--additional_avb_args", signature_args])
- args = OPTIONS.info_dict.get(
- "avb_" + partition_name + "_add_hash_footer_args", "")
+ args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "")
args = args.strip()
if args:
cmd.extend(["--additional_avb_args", args])
@@ -1628,27 +1627,9 @@
if args and args.strip():
cmd.extend(shlex.split(args))
- boot_signature = None
- if _HasGkiCertificationArgs():
- # Certify GKI images.
- boot_signature_bytes = b''
- if kernel_path is not None:
- boot_signature_bytes += _GenerateGkiCertificate(
- kernel_path, "generic_kernel", "boot")
- if has_ramdisk:
- boot_signature_bytes += _GenerateGkiCertificate(
- ramdisk_img.name, "generic_ramdisk", "init_boot")
-
- if len(boot_signature_bytes) > 0:
- boot_signature = tempfile.NamedTemporaryFile()
- boot_signature.write(boot_signature_bytes)
- boot_signature.flush()
- cmd.extend(["--boot_signature", boot_signature.name])
- else:
- # Certified GKI boot/init_boot image mustn't set 'mkbootimg_version_args'.
- args = info_dict.get("mkbootimg_version_args")
- if args and args.strip():
- cmd.extend(shlex.split(args))
+ args = info_dict.get("mkbootimg_version_args")
+ if args and args.strip():
+ cmd.extend(shlex.split(args))
if has_ramdisk:
cmd.extend(["--ramdisk", ramdisk_img.name])
@@ -1670,6 +1651,29 @@
RunAndCheckOutput(cmd)
+ if _HasGkiCertificationArgs():
+ if not os.path.exists(img.name):
+ raise ValueError("Cannot find GKI boot.img")
+ if kernel_path is None or not os.path.exists(kernel_path):
+ raise ValueError("Cannot find GKI kernel.img")
+
+ # Certify GKI images.
+ boot_signature_bytes = b''
+ boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot")
+ boot_signature_bytes += _GenerateGkiCertificate(
+ kernel_path, "generic_kernel")
+
+ BOOT_SIGNATURE_SIZE = 16 * 1024
+ if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE:
+ raise ValueError(
+ f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}")
+ boot_signature_bytes += (
+ b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes)))
+ assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE
+
+ with open(img.name, 'ab') as f:
+ f.write(boot_signature_bytes)
+
if (info_dict.get("boot_signer") == "true" and
info_dict.get("verity_key")):
# Hard-code the path as "/boot" for two-step special recovery image (which
@@ -1730,9 +1734,6 @@
ramdisk_img.close()
img.close()
- if boot_signature is not None:
- boot_signature.close()
-
return data