releasetools: Deprecate GKI build rules
We no longer build GKIs from the platform tree.
These build commands were neither used nor maintained anymore, so clean
them up to reduce maintenance effort.
Bug: 229701033
Fix: 229701033
Test: presubmit
Change-Id: Ie882fccd864920289e48366e99a4ebd67e784d0d
diff --git a/tools/releasetools/Android.bp b/tools/releasetools/Android.bp
index ee266b7..5f99f6c 100644
--- a/tools/releasetools/Android.bp
+++ b/tools/releasetools/Android.bp
@@ -168,7 +168,6 @@
"apexd_host",
"brillo_update_payload",
"checkvintf",
- "generate_gki_certificate",
"lz4",
"toybox",
"unpack_bootimg",
@@ -245,7 +244,6 @@
"boot_signer",
"brotli",
"bsdiff",
- "generate_gki_certificate",
"imgdiff",
"lz4",
"mkbootfs",
@@ -310,7 +308,6 @@
"brotli",
"bsdiff",
"deapexer",
- "generate_gki_certificate",
"imgdiff",
"lz4",
"mkbootfs",
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 8ce6083..a4c92ae 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -1575,50 +1575,6 @@
pubkey_path=pubkey_path)
-def _HasGkiCertificationArgs():
- return ("gki_signing_key_path" in OPTIONS.info_dict and
- "gki_signing_algorithm" in OPTIONS.info_dict)
-
-
-def _GenerateGkiCertificate(image, image_name):
- key_path = OPTIONS.info_dict.get("gki_signing_key_path")
- algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
-
- key_path = ResolveAVBSigningPathArgs(key_path)
-
- # Checks key_path exists, before processing --gki_signing_* args.
- if not os.path.exists(key_path):
- raise ExternalError(
- 'gki_signing_key_path: "{}" not found'.format(key_path))
-
- output_certificate = tempfile.NamedTemporaryFile()
- cmd = [
- "generate_gki_certificate",
- "--name", image_name,
- "--algorithm", algorithm,
- "--key", key_path,
- "--output", output_certificate.name,
- image,
- ]
-
- signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "")
- signature_args = signature_args.strip()
- if signature_args:
- cmd.extend(["--additional_avb_args", signature_args])
-
- args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "")
- args = args.strip()
- if args:
- cmd.extend(["--additional_avb_args", args])
-
- RunAndCheckOutput(cmd)
-
- output_certificate.seek(os.SEEK_SET, 0)
- data = output_certificate.read()
- output_certificate.close()
- return data
-
-
def BuildVBMeta(image_path, partitions, name, needed_partitions,
resolve_rollback_index_location_conflict=False):
"""Creates a VBMeta image.
@@ -1841,29 +1797,6 @@
RunAndCheckOutput(cmd)
- if _HasGkiCertificationArgs():
- if not os.path.exists(img.name):
- raise ValueError("Cannot find GKI boot.img")
- if kernel_path is None or not os.path.exists(kernel_path):
- raise ValueError("Cannot find GKI kernel.img")
-
- # Certify GKI images.
- boot_signature_bytes = b''
- boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot")
- boot_signature_bytes += _GenerateGkiCertificate(
- kernel_path, "generic_kernel")
-
- BOOT_SIGNATURE_SIZE = 16 * 1024
- if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE:
- raise ValueError(
- f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}")
- boot_signature_bytes += (
- b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes)))
- assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE
-
- with open(img.name, 'ab') as f:
- f.write(boot_signature_bytes)
-
# Sign the image if vboot is non-empty.
if info_dict.get("vboot"):
path = "/" + partition_name
@@ -1977,9 +1910,6 @@
if info_dict.get("recovery_as_boot") == "true":
return True # the recovery-as-boot boot.img has a RECOVERY ramdisk.
- if info_dict.get("gki_boot_image_without_ramdisk") == "true":
- return False # A GKI boot.img has no ramdisk since Android-13.
-
if info_dict.get("system_root_image") == "true":
# The ramdisk content is merged into the system.img, so there is NO
# ramdisk in the boot.img or boot-<kernel version>.img.
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 2b45825..2fbb3b0 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -123,17 +123,6 @@
mounted on the partition (e.g. "--signing_helper /path/to/helper"). The
args will be appended to the existing ones in info dict.
- --gki_signing_algorithm <algorithm>
- --gki_signing_key <key>
- Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate
- 'boot signature' in a v4 boot.img. Otherwise it uses the existing values
- in info dict.
-
- --gki_signing_extra_args <args>
- Specify any additional args that are needed to generate 'boot signature'
- (e.g. --prop foo:bar). The args will be appended to the existing ones
- in info dict.
-
--android_jar_path <path>
Path to the android.jar to repack the apex file.
@@ -193,9 +182,6 @@
OPTIONS.avb_keys = {}
OPTIONS.avb_algorithms = {}
OPTIONS.avb_extra_args = {}
-OPTIONS.gki_signing_key = None
-OPTIONS.gki_signing_algorithm = None
-OPTIONS.gki_signing_extra_args = None
OPTIONS.android_jar_path = None
OPTIONS.vendor_partitions = set()
OPTIONS.vendor_otatools = None
@@ -552,7 +538,7 @@
[len(os.path.basename(i.filename)) for i in input_tf_zip.infolist()
if GetApkFileInfo(i.filename, compressed_extension, [])[0]])
except ValueError:
- # Sets this to zero for targets without APK files, e.g., gki_arm64.
+ # Sets this to zero for targets without APK files.
maxsize = 0
system_root_image = misc_info.get("system_root_image") == "true"
@@ -768,9 +754,6 @@
if misc_info.get('avb_enable') == 'true':
RewriteAvbProps(misc_info)
- # Replace the GKI signing key for boot.img, if any.
- ReplaceGkiSigningKey(misc_info)
-
# Write back misc_info with the latest values.
ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info)
@@ -1052,27 +1035,6 @@
misc_info[args_key] = result
-def ReplaceGkiSigningKey(misc_info):
- """Replaces the GKI signing key."""
-
- key = OPTIONS.gki_signing_key
- if not key:
- return
-
- algorithm = OPTIONS.gki_signing_algorithm
- if not algorithm:
- raise ValueError("Missing --gki_signing_algorithm")
-
- print('Replacing GKI signing key with "%s" (%s)' % (key, algorithm))
- misc_info["gki_signing_algorithm"] = algorithm
- misc_info["gki_signing_key_path"] = key
-
- extra_args = OPTIONS.gki_signing_extra_args
- if extra_args:
- print('Setting GKI signing args: "%s"' % (extra_args))
- misc_info["gki_signing_signature_args"] = extra_args
-
-
def BuildKeyMap(misc_info, key_mapping_options):
for s, d in key_mapping_options:
if s is None: # -d option
@@ -1426,12 +1388,6 @@
# 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'.
partition, extra_args = a.split("=", 1)
OPTIONS.avb_extra_args[partition] = extra_args
- elif o == "--gki_signing_key":
- OPTIONS.gki_signing_key = a
- elif o == "--gki_signing_algorithm":
- OPTIONS.gki_signing_algorithm = a
- elif o == "--gki_signing_extra_args":
- OPTIONS.gki_signing_extra_args = a
elif o == "--vendor_otatools":
OPTIONS.vendor_otatools = a
elif o == "--vendor_partitions":
@@ -1495,9 +1451,6 @@
"avb_extra_custom_image_key=",
"avb_extra_custom_image_algorithm=",
"avb_extra_custom_image_extra_args=",
- "gki_signing_key=",
- "gki_signing_algorithm=",
- "gki_signing_extra_args=",
"vendor_partitions=",
"vendor_otatools=",
"allow_gsi_debug_sepolicy",
diff --git a/tools/releasetools/test_common.py b/tools/releasetools/test_common.py
index 14f0e88..c61c290 100644
--- a/tools/releasetools/test_common.py
+++ b/tools/releasetools/test_common.py
@@ -1636,40 +1636,6 @@
self.assertEqual(3, chained_partition_args.rollback_index_location)
self.assertTrue(os.path.exists(chained_partition_args.pubkey_path))
- def test_GenerateGkiCertificate_KeyPathNotFound(self):
- pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem')
- self.assertFalse(os.path.exists(pubkey))
-
- common.OPTIONS.info_dict = {
- 'gki_signing_key_path': pubkey,
- 'gki_signing_algorithm': 'SHA256_RSA4096',
- 'gki_signing_signature_args': '--prop foo:bar',
- }
- common.OPTIONS.search_path = None
- test_file = tempfile.NamedTemporaryFile()
- self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
- test_file.name, 'generic_kernel')
-
- def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):
- pubkey = 'no_testkey_gki.pem'
- self.assertFalse(os.path.exists(pubkey))
-
- # Tests it should raise ExternalError if no key found under
- # OPTIONS.search_path.
- search_path_dir = common.MakeTempDir()
- search_pubkey = os.path.join(search_path_dir, pubkey)
- self.assertFalse(os.path.exists(search_pubkey))
-
- common.OPTIONS.search_path = search_path_dir
- common.OPTIONS.info_dict = {
- 'gki_signing_key_path': pubkey,
- 'gki_signing_algorithm': 'SHA256_RSA4096',
- 'gki_signing_signature_args': '--prop foo:bar',
- }
- test_file = tempfile.NamedTemporaryFile()
- self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
- test_file.name, 'generic_kernel')
-
class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
"""Checks the format of install-recovery.sh.
diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py
index 0cd7dac..9cc6df4 100644
--- a/tools/releasetools/test_sign_target_files_apks.py
+++ b/tools/releasetools/test_sign_target_files_apks.py
@@ -23,8 +23,7 @@
import test_utils
from sign_target_files_apks import (
CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo,
- ReplaceCerts, ReplaceGkiSigningKey, RewriteAvbProps, RewriteProps,
- WriteOtacerts)
+ ReplaceCerts, RewriteAvbProps, RewriteProps, WriteOtacerts)
class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase):
@@ -536,52 +535,3 @@
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
-
- def test_ReplaceGkiSigningKey(self):
- common.OPTIONS.gki_signing_key = 'release_gki_key'
- common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'
- common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
-
- misc_info = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- expected_dict = {
- 'gki_signing_key_path': 'release_gki_key',
- 'gki_signing_algorithm': 'release_gki_algorithm',
- 'gki_signing_signature_args': 'release_gki_signature_extra_args',
- }
- ReplaceGkiSigningKey(misc_info)
- self.assertDictEqual(expected_dict, misc_info)
-
- def test_ReplaceGkiSigningKey_MissingSigningAlgorithm(self):
- common.OPTIONS.gki_signing_key = 'release_gki_key'
- common.OPTIONS.gki_signing_algorithm = None
- common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
-
- misc_info = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- self.assertRaises(ValueError, ReplaceGkiSigningKey, misc_info)
-
- def test_ReplaceGkiSigningKey_MissingSigningKeyNop(self):
- common.OPTIONS.gki_signing_key = None
- common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'
- common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
-
- # No change to misc_info if common.OPTIONS.gki_signing_key is missing.
- misc_info = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- expected_dict = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- ReplaceGkiSigningKey(misc_info)
- self.assertDictEqual(expected_dict, misc_info)
diff --git a/tools/releasetools/validate_target_files.py b/tools/releasetools/validate_target_files.py
index 82b3107..84a2f7e 100755
--- a/tools/releasetools/validate_target_files.py
+++ b/tools/releasetools/validate_target_files.py
@@ -132,7 +132,7 @@
return
# Verify IMAGES/system.img if applicable.
- # Some targets, e.g., gki_arm64, gki_x86_64, etc., are system.img-less.
+ # Some targets are system.img-less.
if 'IMAGES/system.img' in input_zip.namelist():
CheckAllFiles('system')