Replace pvmfw embedded public key
The virt APEX payload public key needs to be embedded in pvmfw so that
is verifies the right set of images. As things are being resigned,
update that embedded key so that it matches the APEX.
Bug: 220018566
Test: sign_target_files_apks
Change-Id: I09be91275ec1d1aa6f921c54a96c5159571ddead
diff --git a/core/Makefile b/core/Makefile
index 890fc04..0fed8c2 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -3699,7 +3699,9 @@
# Protected VM firmware image
ifeq ($(BOARD_USES_PVMFWIMAGE),true)
INSTALLED_PVMFWIMAGE_TARGET := $(PRODUCT_OUT)/pvmfw.img
+INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET := $(PRODUCT_OUT)/pvmfw_embedded.avbpubkey
INTERNAL_PREBUILT_PVMFWIMAGE := packages/modules/Virtualization/pvmfw/pvmfw.img
+INTERNAL_PVMFW_EMBEDDED_AVBKEY := external/avb/test/data/testkey_rsa4096_pub.bin
ifdef BOARD_PREBUILT_PVMFWIMAGE
PREBUILT_PVMFWIMAGE_TARGET := $(BOARD_PREBUILT_PVMFWIMAGE)
@@ -3719,6 +3721,10 @@
$(eval $(call copy-one-file,$(PREBUILT_PVMFWIMAGE_TARGET),$(INSTALLED_PVMFWIMAGE_TARGET)))
endif
+$(INSTALLED_PVMFWIMAGE_TARGET): $(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET)
+
+$(eval $(call copy-one-file,$(INTERNAL_PVMFW_EMBEDDED_AVBKEY),$(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET)))
+
endif # BOARD_USES_PVMFWIMAGE
# Returns a list of image targets corresponding to the given list of partitions. For example, it
@@ -5298,6 +5304,7 @@
$(INSTALLED_CACHEIMAGE_TARGET) \
$(INSTALLED_DTBOIMAGE_TARGET) \
$(INSTALLED_PVMFWIMAGE_TARGET) \
+ $(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET) \
$(INSTALLED_CUSTOMIMAGES_TARGET) \
$(INSTALLED_ANDROID_INFO_TXT_TARGET) \
$(INSTALLED_KERNEL_TARGET) \
@@ -5635,6 +5642,7 @@
ifeq ($(BOARD_USES_PVMFWIMAGE),true)
$(hide) mkdir -p $(zip_root)/PREBUILT_IMAGES
$(hide) cp $(INSTALLED_PVMFWIMAGE_TARGET) $(zip_root)/PREBUILT_IMAGES/
+ $(hide) cp $(INSTALLED_PVMFW_EMBEDDED_AVBKEY_TARGET) $(zip_root)/PREBUILT_IMAGES/
endif
ifdef BOARD_PREBUILT_BOOTLOADER
$(hide) mkdir -p $(zip_root)/IMAGES
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index e06f4e6..054315f 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -688,6 +688,39 @@
print(" Rewriting AVB public key of system_other in /product")
common.ZipWrite(output_tf_zip, public_key, filename)
+ # Updates pvmfw embedded public key with the virt APEX payload key.
+ elif filename == "PREBUILT_IMAGES/pvmfw.img":
+ # Find the name of the virt APEX in the target files.
+ namelist = input_tf_zip.namelist()
+ apex_gen = (GetApexFilename(f) for f in namelist if IsApexFile(f))
+ virt_apex_re = re.compile("^com\.([^\.]+\.)?android\.virt\.apex$")
+ virt_apex = next((a for a in apex_gen if virt_apex_re.match(a)), None)
+ if not virt_apex:
+ print("Removing %s from ramdisk: virt APEX not found" % filename)
+ else:
+ print("Replacing %s embedded key with %s key" % (filename, virt_apex))
+ # Get the current and new embedded keys.
+ payload_key, container_key, sign_tool = apex_keys[virt_apex]
+ new_pubkey_path = common.ExtractAvbPublicKey(
+ misc_info['avb_avbtool'], payload_key)
+ with open(new_pubkey_path, 'rb') as f:
+ new_pubkey = f.read()
+ pubkey_info = copy.copy(
+ input_tf_zip.getinfo("PREBUILT_IMAGES/pvmfw_embedded.avbpubkey"))
+ old_pubkey = input_tf_zip.read(pubkey_info.filename)
+ # Validate the keys and image.
+ if len(old_pubkey) != len(new_pubkey):
+ raise common.ExternalError("pvmfw embedded public key size mismatch")
+ pos = data.find(old_pubkey)
+ if pos == -1:
+ raise common.ExternalError("pvmfw embedded public key not found")
+ # Replace the key and copy new files.
+ new_data = data[:pos] + new_pubkey + data[pos+len(old_pubkey):]
+ common.ZipWriteStr(output_tf_zip, out_info, new_data)
+ common.ZipWriteStr(output_tf_zip, pubkey_info, new_pubkey)
+ elif filename == "PREBUILT_IMAGES/pvmfw_embedded.avbpubkey":
+ pass
+
# Should NOT sign boot-debug.img.
elif filename in (
"BOOT/RAMDISK/force_debuggable",