Merge "Replace pvmfw embedded public key"
diff --git a/core/Makefile b/core/Makefile
index 0d47e63..8914869 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -3699,7 +3699,9 @@
# Protected VM firmware image
ifeq ($(BOARD_USES_PVMFWIMAGE),true)
INSTALLED_PVMFWIMAGE_TARGET := $(PRODUCT_OUT)/pvmfw.img
+INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET := $(PRODUCT_OUT)/pvmfw_embedded.avbpubkey
INTERNAL_PREBUILT_PVMFWIMAGE := packages/modules/Virtualization/pvmfw/pvmfw.img
+INTERNAL_PVMFW_EMBEDDED_AVBKEY := external/avb/test/data/testkey_rsa4096_pub.bin
ifdef BOARD_PREBUILT_PVMFWIMAGE
PREBUILT_PVMFWIMAGE_TARGET := $(BOARD_PREBUILT_PVMFWIMAGE)
@@ -3719,6 +3721,10 @@
$(eval $(call copy-one-file,$(PREBUILT_PVMFWIMAGE_TARGET),$(INSTALLED_PVMFWIMAGE_TARGET)))
endif
+$(INSTALLED_PVMFWIMAGE_TARGET): $(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET)
+
+$(eval $(call copy-one-file,$(INTERNAL_PVMFW_EMBEDDED_AVBKEY),$(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET)))
+
endif # BOARD_USES_PVMFWIMAGE
# Returns a list of image targets corresponding to the given list of partitions. For example, it
@@ -5305,6 +5311,7 @@
$(INSTALLED_CACHEIMAGE_TARGET) \
$(INSTALLED_DTBOIMAGE_TARGET) \
$(INSTALLED_PVMFWIMAGE_TARGET) \
+ $(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET) \
$(INSTALLED_CUSTOMIMAGES_TARGET) \
$(INSTALLED_ANDROID_INFO_TXT_TARGET) \
$(INSTALLED_KERNEL_TARGET) \
@@ -5642,6 +5649,7 @@
ifeq ($(BOARD_USES_PVMFWIMAGE),true)
$(hide) mkdir -p $(zip_root)/PREBUILT_IMAGES
$(hide) cp $(INSTALLED_PVMFWIMAGE_TARGET) $(zip_root)/PREBUILT_IMAGES/
+ $(hide) cp $(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET) $(zip_root)/PREBUILT_IMAGES/
endif
ifdef BOARD_PREBUILT_BOOTLOADER
$(hide) mkdir -p $(zip_root)/IMAGES
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index e06f4e6..054315f 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -688,6 +688,39 @@
print(" Rewriting AVB public key of system_other in /product")
common.ZipWrite(output_tf_zip, public_key, filename)
+ # Updates pvmfw embedded public key with the virt APEX payload key.
+ elif filename == "PREBUILT_IMAGES/pvmfw.img":
+ # Find the name of the virt APEX in the target files.
+ namelist = input_tf_zip.namelist()
+ apex_gen = (GetApexFilename(f) for f in namelist if IsApexFile(f))
+ virt_apex_re = re.compile("^com\.([^\.]+\.)?android\.virt\.apex$")
+ virt_apex = next((a for a in apex_gen if virt_apex_re.match(a)), None)
+ if not virt_apex:
+ print("Removing %s from ramdisk: virt APEX not found" % filename)
+ else:
+ print("Replacing %s embedded key with %s key" % (filename, virt_apex))
+ # Get the current and new embedded keys.
+ payload_key, container_key, sign_tool = apex_keys[virt_apex]
+ new_pubkey_path = common.ExtractAvbPublicKey(
+ misc_info['avb_avbtool'], payload_key)
+ with open(new_pubkey_path, 'rb') as f:
+ new_pubkey = f.read()
+ pubkey_info = copy.copy(
+ input_tf_zip.getinfo("PREBUILT_IMAGES/pvmfw_embedded.avbpubkey"))
+ old_pubkey = input_tf_zip.read(pubkey_info.filename)
+ # Validate the keys and image.
+ if len(old_pubkey) != len(new_pubkey):
+ raise common.ExternalError("pvmfw embedded public key size mismatch")
+ pos = data.find(old_pubkey)
+ if pos == -1:
+ raise common.ExternalError("pvmfw embedded public key not found")
+ # Replace the key and copy new files.
+ new_data = data[:pos] + new_pubkey + data[pos+len(old_pubkey):]
+ common.ZipWriteStr(output_tf_zip, out_info, new_data)
+ common.ZipWriteStr(output_tf_zip, pubkey_info, new_pubkey)
+ elif filename == "PREBUILT_IMAGES/pvmfw_embedded.avbpubkey":
+ pass
+
# Should NOT sign boot-debug.img.
elif filename in (
"BOOT/RAMDISK/force_debuggable",