Sign the bootloader using avbtool
The signing is effectively no op for now because nothing verifies the
bootloader. However, in the end, the pKVM firmware will verify the
bootloader and use the vbmeta footer appended to it.
Bug: 182169705
Test: atest MicrodroidTestCase
Change-Id: I459250a84969b2a6bfa207085fe267f3a78033d6
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 90d2678..8456591 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -225,6 +225,41 @@
}
prebuilt_etc {
+ name: "microdroid_bootloader",
+ src: ":microdroid_bootloader_gen",
+ filename: "microdroid_bootloader",
+}
+
+// See external/avb/avbtool.py
+// MAX_VBMETA_SIZE=64KB, MAX_FOOTER_SIZE=4KB
+avb_hash_footer_kb = "68"
+
+genrule {
+ name: "microdroid_bootloader_gen",
+ tools: ["avbtool"],
+ srcs: [
+ ":cuttlefish_crosvm_bootloader",
+ ":avb_testkey_rsa4096",
+ ],
+ out: ["bootloader-signed"],
+ // 1. Copy the input to the output becaise avbtool modifies --image in
+ // place.
+ // 2. Check if the file is big enough. For arm and x86 we have fake
+ // bootloader file whose size is 1. It can't pass avbtool.
+ // 3. Add the hash footer. The partition size is set to (image size + 68KB)
+ // rounded up to 4KB boundary.
+ cmd: "cp $(location :cuttlefish_crosvm_bootloader) $(out) && " +
+ "if [ $$(stat --format=%s $(out)) -gt 4096 ]; then " +
+ "$(location avbtool) add_hash_footer " +
+ "--algorithm SHA256_RSA4096 " +
+ "--partition_name bootloader " +
+ "--key $(location :avb_testkey_rsa4096) " +
+ "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
+ "--image $(out)" +
+ "; fi",
+}
+
+prebuilt_etc {
name: "microdroid_uboot_env",
src: ":microdroid_uboot_env_gen",
filename: "uboot_env.img",
diff --git a/microdroid/README.md b/microdroid/README.md
index 08ed35b..ffc8302 100644
--- a/microdroid/README.md
+++ b/microdroid/README.md
@@ -21,6 +21,7 @@
$ m microdroid_super
$ m microdroid_boot-5.10
$ m microdroid_vendor_boot-5.10
+$ m microdroid_bootloader
$ m microdroid_uboot_env
$ m microdroid_vbmeta
$ m microdroid_vbmeta_system
@@ -33,7 +34,7 @@
to be manually created, for now. In the future, you won't need these.
```
-$ adb push device/google/cuttlefish_prebuilts/bootloader/crosvm_aarch64/u-boot.bin /data/local/tmp/bootloader
+$ adb push $ANDROID_PRODUCT_OUT/system/etc/microdroid_bootloader /data/local/tmp/bootloader
$ adb push $ANDROID_PRODUCT_OUT/system/etc/microdroid_super.img /data/local/tmp/super.img
$ adb push $ANDROID_PRODUCT_OUT/system/etc/microdroid_boot-5.10.img /data/local/tmp/boot.img
$ adb push $ANDROID_PRODUCT_OUT/system/etc/microdroid_vendor_boot-5.10.img /data/local/tmp/vendor_boot.img
diff --git a/tests/hostside/Android.bp b/tests/hostside/Android.bp
index a1e6cbb..37a9c5b 100644
--- a/tests/hostside/Android.bp
+++ b/tests/hostside/Android.bp
@@ -13,7 +13,7 @@
":microdroid_boot-5.10",
":microdroid_vendor_boot-5.10",
":microdroid_uboot_env",
- ":cuttlefish_crosvm_bootloader",
+ ":microdroid_bootloader",
":MicrodroidHostTestCase_misc",
":microdroid_vbmeta",
":microdroid_vbmeta_system",
diff --git a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
index a521570..1f8cef5 100644
--- a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
+++ b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
@@ -70,7 +70,7 @@
public void testMicrodroidBoots() throws Exception {
// Prepare input files
pushFile("microdroid_cdisk.json", "microdroid_cdisk.json");
- pushFile("u-boot.bin", "bootloader");
+ pushFile("microdroid_bootloader", "bootloader");
pushFile("microdroid_super.img", "super.img");
pushFile("microdroid_boot-5.10.img", "boot.img");
pushFile("microdroid_vendor_boot-5.10.img", "vendor_boot.img");