Use computed salt for AVB-signed images.
We want the generated images being identical for the same source files.
Currently the generated ext4 image (either from make_ext4fs or mke2fs)
is reproducible, but the AVB footer added by avbtool contain changes
because of the random salt being used.
This CL changes the avbtool invocation to specify "--salt <hexstring>"
(already supported by avbtool) to use reproducible salt that's computed
based on fingerprints (or thumbprints if applicable).
Bug: 67023482
Test: Regenerate images from the same source as follows:
Use a target_files.zip from an AVB-enabled target.
$ zip -d target_files.zip IMAGES/\*
$ ./build/make/tools/releasetools/add_img_to_target_files.py \
-v target_files.zip
Repeat the above commands and compare the generated images.
Change-Id: Id9db17ae0132ca3a820b4be5a5ef06ca3fef71ed
(cherry picked from commit 8f05cca1d9989ecb2e5a5d12f1410b6eca8c75b6)
diff --git a/tools/releasetools/add_img_to_target_files.py b/tools/releasetools/add_img_to_target_files.py
index 52d3918..91213ba 100755
--- a/tools/releasetools/add_img_to_target_files.py
+++ b/tools/releasetools/add_img_to_target_files.py
@@ -53,6 +53,7 @@
import datetime
import errno
+import hashlib
import os
import shlex
import shutil
@@ -532,6 +533,17 @@
has_recovery = (OPTIONS.info_dict.get("no_recovery") != "true")
+ if OPTIONS.info_dict.get("avb_enable") == "true":
+ fp = None
+ if "build.prop" in OPTIONS.info_dict:
+ build_prop = OPTIONS.info_dict["build.prop"]
+ if "ro.build.fingerprint" in build_prop:
+ fp = build_prop["ro.build.fingerprint"]
+ elif "ro.build.thumbprint" in build_prop:
+ fp = build_prop["ro.build.thumbprint"]
+ if fp:
+ OPTIONS.info_dict["avb_salt"] = hashlib.sha256(fp).hexdigest()
+
def banner(s):
print("\n\n++++ " + s + " ++++\n\n")