sign_virt_apex: replace bootloader pubkey
VBmeta's key should match with pubkey embedded in bootloader. The
bootloader pubkey is added to the APEX so that sign_virt_apex can
replace it with a new pubkey.
Bug: 193504286
Test: sign_apex --sign_tool sign_virt_apex ...
& install & run a VM
Change-Id: Ic8e5ec9cb45434691c8dce0ca09243e181dc59cc
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 4d7c218..274b7ed 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -379,6 +379,7 @@
// MAX_VBMETA_SIZE=64KB, MAX_FOOTER_SIZE=4KB
avb_hash_footer_kb = "68"
+// TODO(b/193504286) remove this when prebuilt bootloader exposes pubkey as well.
genrule {
name: "microdroid_bootloader_gen",
tools: ["avbtool"],
@@ -405,6 +406,22 @@
}
prebuilt_etc {
+ name: "microdroid_bootloader.avbpubkey",
+ src: ":microdroid_bootloader_pubkey_gen",
+}
+
+genrule {
+ name: "microdroid_bootloader_pubkey_gen",
+ tools: ["avbtool"],
+ srcs: [
+ ":microdroid_crosvm_bootloader",
+ ":avb_testkey_rsa4096",
+ ],
+ out: ["bootloader-pubkey"],
+ cmd: "$(location avbtool) extract_public_key --key $(location :avb_testkey_rsa4096) --output $(out)",
+}
+
+prebuilt_etc {
name: "microdroid_uboot_env",
src: ":microdroid_uboot_env_gen",
arch: {