Sign uboot_env with AVB
The uboot_env partition determines the behavior of u-boot, so it has to
be verified before u-boot uses it. To make that possible, we sign
uboot_env using AVB: a hash footer is appended to the partition, and the
partition is registered as a chained partition of the vbmeta partition,
which is on the same disk as the uboot_env and bootconfig partitions.
Bug: 216304872
Test: run microdroid
Change-Id: Ida6353aff80aec485d73344eba18608a6bc659f8
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index e078108..29175a4 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -355,6 +355,10 @@
name: "bootconfig",
private_key: ":microdroid_sign_key",
},
+ {
+ name: "uboot_env",
+ private_key: ":microdroid_sign_key",
+ },
],
}
@@ -531,18 +535,42 @@
genrule {
name: "microdroid_uboot_env_gen",
- tools: ["mkenvimage_host"],
- srcs: ["uboot-env.txt"],
+ tools: [
+ "mkenvimage_host",
+ "avbtool",
+ ],
+ srcs: [
+ "uboot-env.txt",
+ ":microdroid_sign_key",
+ ],
out: ["output.img"],
- cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(in)",
+ cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(location uboot-env.txt) && " +
+ "$(location avbtool) add_hash_footer " +
+ "--algorithm SHA256_RSA4096 " +
+ "--partition_name uboot_env " +
+ "--key $(location :microdroid_sign_key) " +
+ "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
+ "--image $(out)",
}
genrule {
name: "microdroid_uboot_env_gen_x86_64",
- tools: ["mkenvimage_host"],
- srcs: ["uboot-env-x86_64.txt"],
+ tools: [
+ "mkenvimage_host",
+ "avbtool",
+ ],
+ srcs: [
+ "uboot-env-x86_64.txt",
+ ":microdroid_sign_key",
+ ],
out: ["output.img"],
- cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(in)",
+ cmd: "$(location mkenvimage_host) -s 4096 -o $(out) $(location uboot-env-x86_64.txt) && " +
+ "$(location avbtool) add_hash_footer " +
+ "--algorithm SHA256_RSA4096 " +
+ "--partition_name uboot_env " +
+ "--key $(location :microdroid_sign_key) " +
+ "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
+ "--image $(out)",
}
// Note that keys can be different for filesystem images even though we're using the same key
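Review bot: The `avbtool add_hash_footer` call in `microdroid_uboot_env_gen` passes no `--salt`, and as far as I know avbtool then draws a random salt, so `output.img` would differ on every build even when `uboot-env.txt` and the key are unchanged. That makes the signed environment image hard to reproduce or to compare against a known-good build. Consider pinning it with a line such as `"--salt <FIXED_HEX_SALT> " +` ahead of `--image` (placeholder value), and the same in `microdroid_uboot_env_gen_x86_64`. Separately, the two `cmd` strings differ only in the source file name, so the footer arguments could live in one shared variable the way `avb_hash_footer_kb` already does.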