commit cf9ead8972dd2b7c90772b6a1fd26bd4311a7c74
author Bowgo Tsai <bowgotsai@google.com> Thu May 20 00:14:42 2021 +0800
committer Bowgo Tsai <bowgotsai@google.com> Fri May 21 08:44:37 2021 +0000
tree c39cdae3b637e357fbb7c92b7a231d7915c56169
parent 3ff3f1088d264510ba081623c4215a7bc205675d

Support AVB signing for BOARD_PREBUILT_BOOTIMAGE

Devices using GKI architecture will use a prebuilt boot.img.
However, we should still sign this prebuilt boot.img with
device-specific AVB keys.

Steps to test the CL.
1. In a device BoardConfig.mk:

   # Uses a prebuilt boot.img
   TARGET_NO_KERNEL := true
   BOARD_PREBUILT_BOOTIMAGE := device/google/redbull/boot.img

   # Enable chained vbmeta for the boot image.
   # The following can be absent, where the hash descriptor of the
   # 'boot' partition will be stored then signed in vbmeta.img instead.
   BOARD_AVB_BOOT_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
   BOARD_AVB_BOOT_ALGORITHM := SHA256_RSA4096
   BOARD_AVB_BOOT_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
   BOARD_AVB_BOOT_ROLLBACK_INDEX_LOCATION := 2

2. `make bootimage`, then `avbtool info_image --image $OUT/boot.img`,
    checks the image is re-signed with a device-specific key

3. `make dist` to generate out/dist/TF.zip

4. `unzip out/dist/TF.zip IMAGES/boot.img`

5. `avbtool info_image --image out/dist/IMAGES/boot.img`,
    checks the image is re-signed with a device-specific key

6. `sign_target_files_apks \
      --avb_boot_key=external/avb/test/data/testkey_rsa8192.pem \
      --avb_boot_algorithm=SHA256_RSA8192 \
      --avb_boot_extra_args="--prop test:sign" \
      ./out/dist/*-target_files-eng.*.zip signed.zip`, resign the TF.zip

7. `unzip signed.zip IMAGES/boot.img`, then use `avbtool info_image` to
   check the boot.img is re-signed with the --avb_boot_key in step 6.

Bug: 188485657
Test: above steps
Change-Id: I7ee8b3ffe6a86aaca34bbb7a8898a97b3f8bd801

core/Makefile

diff --git a/core/Makefile b/core/Makefile
index fbce430..c64532f 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -1036,7 +1036,20 @@
 ifdef BOARD_PREBUILT_BOOTIMAGE
 INTERNAL_PREBUILT_BOOTIMAGE := $(BOARD_PREBUILT_BOOTIMAGE)
 INSTALLED_BOOTIMAGE_TARGET := $(PRODUCT_OUT)/boot.img
-$(eval $(call copy-one-file,$(INTERNAL_PREBUILT_BOOTIMAGE),$(INSTALLED_BOOTIMAGE_TARGET)))
+
+ifeq ($(BOARD_AVB_ENABLE),true)
+$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE) $(AVBTOOL) $(BOARD_AVB_BOOT_KEY_PATH)
+	cp $(INTERNAL_PREBUILT_BOOTIMAGE) $@
+	$(AVBTOOL) add_hash_footer \
+	    --image $@ \
+	    --partition_size $(BOARD_BOOTIMAGE_PARTITION_SIZE) \
+	    --partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \
+	    $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)
+else
+$(INSTALLED_BOOTIMAGE_TARGET): $(INTERNAL_PREBUILT_BOOTIMAGE)
+	cp $(INTERNAL_PREBUILT_BOOTIMAGE) $@
+endif # BOARD_AVB_ENABLE
+
 else # BOARD_PREBUILT_BOOTIMAGE not defined
 INSTALLED_BOOTIMAGE_TARGET :=
 endif # BOARD_PREBUILT_BOOTIMAGE
@@ -5107,12 +5120,17 @@
 	$(hide) mkdir -p $(zip_root)/IMAGES
 	$(hide) cp $(INSTALLED_SYSTEM_EXTIMAGE_TARGET) $(zip_root)/IMAGES/
 endif
+ifndef BOARD_PREBUILT_BOOTIMAGE
 ifneq (,$(INTERNAL_PREBUILT_BOOTIMAGE) $(filter true,$(BOARD_COPY_BOOT_IMAGE_TO_TARGET_FILES)))
 ifdef INSTALLED_BOOTIMAGE_TARGET
 	$(hide) mkdir -p $(zip_root)/IMAGES
 	$(hide) cp $(INSTALLED_BOOTIMAGE_TARGET) $(zip_root)/IMAGES/
 endif # INSTALLED_BOOTIMAGE_TARGET
 endif # INTERNAL_PREBUILT_BOOTIMAGE != "" || BOARD_COPY_BOOT_IMAGE_TO_TARGET_FILES == true
+else # BOARD_PREBUILT_BOOTIMAGE is defined
+	$(hide) mkdir -p $(zip_root)/PREBUILT_IMAGES
+	$(hide) cp $(INSTALLED_BOOTIMAGE_TARGET) $(zip_root)/PREBUILT_IMAGES/
+endif # BOARD_PREBUILT_BOOTIMAGE
 ifdef BOARD_PREBUILT_ODMIMAGE
 	$(hide) mkdir -p $(zip_root)/IMAGES
 	$(hide) cp $(INSTALLED_ODMIMAGE_TARGET) $(zip_root)/IMAGES/