Gitiles
Code Review Sign In
gerrit.omnirom.org / android_build / 9d28638cfcac11b3955873674ba119d4d0c995b7^! / . / target / board / BoardConfigGsiCommon.mk
commit9d28638cfcac11b3955873674ba119d4d0c995b7[log] [tgz]
authorBowgo Tsai <bowgotsai@google.com>Fri Aug 31 21:40:10 2018 +0800
committerBowgo Tsai <bowgotsai@google.com>Thu Sep 06 09:41:42 2018 +0800
treea8ecc73d7dd8473e67bcb663b1549b5efebc9c61
parent99ed1b4fbd5124f344a95a05a1f69e9a93b9d0dd [diff] [blame]
Enable AVB signing on GSI

In current GSI builds, AVB signing is not allowed.
We should allow signing GSI image, while building a vbmeta.img with
AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (flag 2).

When need to disable AVB, use the vbmeta.img above together with the
GSI. When need enable AVB on GSI, include the GSI public key into the
device-specific vbmeta.img. Note that GSI is a chain partition so the
keys used to sign GSI and vbmeta.img are different.

Bug: 112293933
Test: build aosp_arm64-userdebug, checks flag 2 is set in vbmeta.img
      and there is AVB HASHTREE in system.img
      `avbtool info_image --image $OUT/system.img`
      `avbtool info_image --image $OUT/vbmeta.img`

Change-Id: If1eff317621882994e7dcbf37cd35f5bfa16b69a

diff --git a/target/board/BoardConfigGsiCommon.mk b/target/board/BoardConfigGsiCommon.mk
index c1f3627..7319fec 100644
--- a/target/board/BoardConfigGsiCommon.mk
+++ b/target/board/BoardConfigGsiCommon.mk

@@ -14,14 +14,22 @@
 BOARD_SYSTEMIMAGE_PARTITION_RESERVED_SIZE := 67108864
 
 # Android Verified Boot (AVB):
-#   Builds a special vbmeta.img that disables AVB verification.
-#   Otherwise, AVB will prevent the device from booting the generic system.img.
-#   Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity
-#   metadata into system.img.
-ifeq ($(BOARD_AVB_ENABLE),true)
-$(error BOARD_AVB_ENABLE cannot be set for GSI)
-endif
-BOARD_BUILD_DISABLED_VBMETAIMAGE := true
+#   1) Sets BOARD_AVB_ENABLE to sign the GSI image.
+#   2) Sets AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (--flag 2) in
+#      vbmeta.img to disable AVB verification.
+#
+# To disable AVB for GSI, use the vbmeta.img and the GSI together.
+# To enable AVB for GSI, include the GSI public key into the device-specific
+# vbmeta.img.
+BOARD_AVB_ENABLE := true
+BOARD_AVB_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
+BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2
+
+# Enable chain partition for system.
+BOARD_AVB_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
+BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048
+BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
+BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1
 
 ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
 # GSI is always userdebug and needs a couple of properties taking precedence