Merge "Expose `--avb_resolve_rollback_index_location_conflict`" into main
diff --git a/tools/releasetools/Android.bp b/tools/releasetools/Android.bp
index ee266b7..5f99f6c 100644
--- a/tools/releasetools/Android.bp
+++ b/tools/releasetools/Android.bp
@@ -168,7 +168,6 @@
"apexd_host",
"brillo_update_payload",
"checkvintf",
- "generate_gki_certificate",
"lz4",
"toybox",
"unpack_bootimg",
@@ -245,7 +244,6 @@
"boot_signer",
"brotli",
"bsdiff",
- "generate_gki_certificate",
"imgdiff",
"lz4",
"mkbootfs",
@@ -310,7 +308,6 @@
"brotli",
"bsdiff",
"deapexer",
- "generate_gki_certificate",
"imgdiff",
"lz4",
"mkbootfs",
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 8ce6083..a4c92ae 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -1575,50 +1575,6 @@
pubkey_path=pubkey_path)
-def _HasGkiCertificationArgs():
- return ("gki_signing_key_path" in OPTIONS.info_dict and
- "gki_signing_algorithm" in OPTIONS.info_dict)
-
-
-def _GenerateGkiCertificate(image, image_name):
- key_path = OPTIONS.info_dict.get("gki_signing_key_path")
- algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
-
- key_path = ResolveAVBSigningPathArgs(key_path)
-
- # Checks key_path exists, before processing --gki_signing_* args.
- if not os.path.exists(key_path):
- raise ExternalError(
- 'gki_signing_key_path: "{}" not found'.format(key_path))
-
- output_certificate = tempfile.NamedTemporaryFile()
- cmd = [
- "generate_gki_certificate",
- "--name", image_name,
- "--algorithm", algorithm,
- "--key", key_path,
- "--output", output_certificate.name,
- image,
- ]
-
- signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "")
- signature_args = signature_args.strip()
- if signature_args:
- cmd.extend(["--additional_avb_args", signature_args])
-
- args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "")
- args = args.strip()
- if args:
- cmd.extend(["--additional_avb_args", args])
-
- RunAndCheckOutput(cmd)
-
- output_certificate.seek(os.SEEK_SET, 0)
- data = output_certificate.read()
- output_certificate.close()
- return data
-
-
def BuildVBMeta(image_path, partitions, name, needed_partitions,
resolve_rollback_index_location_conflict=False):
"""Creates a VBMeta image.
@@ -1841,29 +1797,6 @@
RunAndCheckOutput(cmd)
- if _HasGkiCertificationArgs():
- if not os.path.exists(img.name):
- raise ValueError("Cannot find GKI boot.img")
- if kernel_path is None or not os.path.exists(kernel_path):
- raise ValueError("Cannot find GKI kernel.img")
-
- # Certify GKI images.
- boot_signature_bytes = b''
- boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot")
- boot_signature_bytes += _GenerateGkiCertificate(
- kernel_path, "generic_kernel")
-
- BOOT_SIGNATURE_SIZE = 16 * 1024
- if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE:
- raise ValueError(
- f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}")
- boot_signature_bytes += (
- b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes)))
- assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE
-
- with open(img.name, 'ab') as f:
- f.write(boot_signature_bytes)
-
# Sign the image if vboot is non-empty.
if info_dict.get("vboot"):
path = "/" + partition_name
@@ -1977,9 +1910,6 @@
if info_dict.get("recovery_as_boot") == "true":
return True # the recovery-as-boot boot.img has a RECOVERY ramdisk.
- if info_dict.get("gki_boot_image_without_ramdisk") == "true":
- return False # A GKI boot.img has no ramdisk since Android-13.
-
if info_dict.get("system_root_image") == "true":
# The ramdisk content is merged into the system.img, so there is NO
# ramdisk in the boot.img or boot-<kernel version>.img.
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 2b45825..2fbb3b0 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -123,17 +123,6 @@
mounted on the partition (e.g. "--signing_helper /path/to/helper"). The
args will be appended to the existing ones in info dict.
- --gki_signing_algorithm <algorithm>
- --gki_signing_key <key>
- Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate
- 'boot signature' in a v4 boot.img. Otherwise it uses the existing values
- in info dict.
-
- --gki_signing_extra_args <args>
- Specify any additional args that are needed to generate 'boot signature'
- (e.g. --prop foo:bar). The args will be appended to the existing ones
- in info dict.
-
--android_jar_path <path>
Path to the android.jar to repack the apex file.
@@ -193,9 +182,6 @@
OPTIONS.avb_keys = {}
OPTIONS.avb_algorithms = {}
OPTIONS.avb_extra_args = {}
-OPTIONS.gki_signing_key = None
-OPTIONS.gki_signing_algorithm = None
-OPTIONS.gki_signing_extra_args = None
OPTIONS.android_jar_path = None
OPTIONS.vendor_partitions = set()
OPTIONS.vendor_otatools = None
@@ -552,7 +538,7 @@
[len(os.path.basename(i.filename)) for i in input_tf_zip.infolist()
if GetApkFileInfo(i.filename, compressed_extension, [])[0]])
except ValueError:
- # Sets this to zero for targets without APK files, e.g., gki_arm64.
+ # Sets this to zero for targets without APK files.
maxsize = 0
system_root_image = misc_info.get("system_root_image") == "true"
@@ -768,9 +754,6 @@
if misc_info.get('avb_enable') == 'true':
RewriteAvbProps(misc_info)
- # Replace the GKI signing key for boot.img, if any.
- ReplaceGkiSigningKey(misc_info)
-
# Write back misc_info with the latest values.
ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info)
@@ -1052,27 +1035,6 @@
misc_info[args_key] = result
-def ReplaceGkiSigningKey(misc_info):
- """Replaces the GKI signing key."""
-
- key = OPTIONS.gki_signing_key
- if not key:
- return
-
- algorithm = OPTIONS.gki_signing_algorithm
- if not algorithm:
- raise ValueError("Missing --gki_signing_algorithm")
-
- print('Replacing GKI signing key with "%s" (%s)' % (key, algorithm))
- misc_info["gki_signing_algorithm"] = algorithm
- misc_info["gki_signing_key_path"] = key
-
- extra_args = OPTIONS.gki_signing_extra_args
- if extra_args:
- print('Setting GKI signing args: "%s"' % (extra_args))
- misc_info["gki_signing_signature_args"] = extra_args
-
-
def BuildKeyMap(misc_info, key_mapping_options):
for s, d in key_mapping_options:
if s is None: # -d option
@@ -1426,12 +1388,6 @@
# 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'.
partition, extra_args = a.split("=", 1)
OPTIONS.avb_extra_args[partition] = extra_args
- elif o == "--gki_signing_key":
- OPTIONS.gki_signing_key = a
- elif o == "--gki_signing_algorithm":
- OPTIONS.gki_signing_algorithm = a
- elif o == "--gki_signing_extra_args":
- OPTIONS.gki_signing_extra_args = a
elif o == "--vendor_otatools":
OPTIONS.vendor_otatools = a
elif o == "--vendor_partitions":
@@ -1495,9 +1451,6 @@
"avb_extra_custom_image_key=",
"avb_extra_custom_image_algorithm=",
"avb_extra_custom_image_extra_args=",
- "gki_signing_key=",
- "gki_signing_algorithm=",
- "gki_signing_extra_args=",
"vendor_partitions=",
"vendor_otatools=",
"allow_gsi_debug_sepolicy",
diff --git a/tools/releasetools/test_common.py b/tools/releasetools/test_common.py
index 14f0e88..c61c290 100644
--- a/tools/releasetools/test_common.py
+++ b/tools/releasetools/test_common.py
@@ -1636,40 +1636,6 @@
self.assertEqual(3, chained_partition_args.rollback_index_location)
self.assertTrue(os.path.exists(chained_partition_args.pubkey_path))
- def test_GenerateGkiCertificate_KeyPathNotFound(self):
- pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem')
- self.assertFalse(os.path.exists(pubkey))
-
- common.OPTIONS.info_dict = {
- 'gki_signing_key_path': pubkey,
- 'gki_signing_algorithm': 'SHA256_RSA4096',
- 'gki_signing_signature_args': '--prop foo:bar',
- }
- common.OPTIONS.search_path = None
- test_file = tempfile.NamedTemporaryFile()
- self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
- test_file.name, 'generic_kernel')
-
- def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):
- pubkey = 'no_testkey_gki.pem'
- self.assertFalse(os.path.exists(pubkey))
-
- # Tests it should raise ExternalError if no key found under
- # OPTIONS.search_path.
- search_path_dir = common.MakeTempDir()
- search_pubkey = os.path.join(search_path_dir, pubkey)
- self.assertFalse(os.path.exists(search_pubkey))
-
- common.OPTIONS.search_path = search_path_dir
- common.OPTIONS.info_dict = {
- 'gki_signing_key_path': pubkey,
- 'gki_signing_algorithm': 'SHA256_RSA4096',
- 'gki_signing_signature_args': '--prop foo:bar',
- }
- test_file = tempfile.NamedTemporaryFile()
- self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
- test_file.name, 'generic_kernel')
-
class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
"""Checks the format of install-recovery.sh.
diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py
index 0cd7dac..9cc6df4 100644
--- a/tools/releasetools/test_sign_target_files_apks.py
+++ b/tools/releasetools/test_sign_target_files_apks.py
@@ -23,8 +23,7 @@
import test_utils
from sign_target_files_apks import (
CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo,
- ReplaceCerts, ReplaceGkiSigningKey, RewriteAvbProps, RewriteProps,
- WriteOtacerts)
+ ReplaceCerts, RewriteAvbProps, RewriteProps, WriteOtacerts)
class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase):
@@ -536,52 +535,3 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
-
- def test_ReplaceGkiSigningKey(self):
- common.OPTIONS.gki_signing_key = 'release_gki_key'
- common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'
- common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
-
- misc_info = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- expected_dict = {
- 'gki_signing_key_path': 'release_gki_key',
- 'gki_signing_algorithm': 'release_gki_algorithm',
- 'gki_signing_signature_args': 'release_gki_signature_extra_args',
- }
- ReplaceGkiSigningKey(misc_info)
- self.assertDictEqual(expected_dict, misc_info)
-
- def test_ReplaceGkiSigningKey_MissingSigningAlgorithm(self):
- common.OPTIONS.gki_signing_key = 'release_gki_key'
- common.OPTIONS.gki_signing_algorithm = None
- common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
-
- misc_info = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- self.assertRaises(ValueError, ReplaceGkiSigningKey, misc_info)
-
- def test_ReplaceGkiSigningKey_MissingSigningKeyNop(self):
- common.OPTIONS.gki_signing_key = None
- common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'
- common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
-
- # No change to misc_info if common.OPTIONS.gki_signing_key is missing.
- misc_info = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- expected_dict = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- ReplaceGkiSigningKey(misc_info)
- self.assertDictEqual(expected_dict, misc_info)
diff --git a/tools/releasetools/validate_target_files.py b/tools/releasetools/validate_target_files.py
index 82b3107..84a2f7e 100755
--- a/tools/releasetools/validate_target_files.py
+++ b/tools/releasetools/validate_target_files.py
@@ -132,7 +132,7 @@
return
# Verify IMAGES/system.img if applicable.
- # Some targets, e.g., gki_arm64, gki_x86_64, etc., are system.img-less.
+ # Some targets are system.img-less.
if 'IMAGES/system.img' in input_zip.namelist():
CheckAllFiles('system')