Add hashes of initrd to the kernel footer
pvmfw will then read the hashes and use them to validate the initrd
loaded.
Bug: 260821553
Test: m microdroid_kernel_signed and inspect the output using `avbtool
info_image --image <output>`
Result was:
Prop: trusted_ramdisk ->
'62e4f9c1bdcd844de0e88a6281c0ff3c43e6d8bb2deb79b3d1fecd97800b453c,e79bb3926a53729d9bc16ccf58b82567b4c7e9aeaf72ace321601e913a987443,cc7182c87ebe8d0a76250dde66fc01c57489430c8c21f64404a1a537fa5b9e9b'
Change-Id: I1a9ca51b374a991882adadddb761763977b957a8
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index af6031a..79378fe 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -567,6 +567,12 @@
enabled: true,
},
},
+ props: [
+ {
+ name: "trusted_ramdisk",
+ file: ":microdroid_initrd_hashes",
+ },
+ ],
}
prebuilt_etc {
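Review bot: The `trusted_ramdisk` prop added here carries three digests as one unlabelled comma-separated string, so nothing at this site says which digest is the normal ramdisk and which are the two debuggable ones. The order is fixed only by the `srcs` list of `microdroid_initrd_hashes` in microdroid/initrd/Android.bp. Presumably pvmfw relies on that order to tell a debuggable initrd from a non-debuggable one, which should be confirmed and written down. I would add above `props:` the comment `// trusted_ramdisk: comma-separated SHA-256 digests, order = normal, app_debuggable, full_debuggable; keep in sync with pvmfw`. The enclosing module starts outside this hunk, so its name and type are not visible here.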
diff --git a/microdroid/initrd/Android.bp b/microdroid/initrd/Android.bp
index d8e7069..eb761bf 100644
--- a/microdroid/initrd/Android.bp
+++ b/microdroid/initrd/Android.bp
@@ -159,3 +159,36 @@
},
filename: "microdroid_initrd_normal.img",
}
+
+genrule {
+ name: "microdroid_initrd_normal.sha256",
+ srcs: [":microdroid_initrd_normal"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+ out: ["hash"],
+}
+
+genrule {
+ name: "microdroid_initrd_app_debuggable.sha256",
+ srcs: [":microdroid_initrd_app_debuggable"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+ out: ["hash"],
+}
+
+genrule {
+ name: "microdroid_initrd_full_debuggable.sha256",
+ srcs: [":microdroid_initrd_full_debuggable"],
+ cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
+ out: ["hash"],
+}
+
+genrule {
+ name: "microdroid_initrd_hashes",
+ srcs: [
+ ":microdroid_initrd_normal.sha256",
+ ":microdroid_initrd_app_debuggable.sha256",
+ ":microdroid_initrd_full_debuggable.sha256",
+ ],
+ // join the hashes with commas
+ cmd: "cat $(in) | tr '\n' ',' > $(out) && truncate -s -1 $(out)",
+ out: ["output"],
+}
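Review bot: The three `.sha256` rules run `cat $(in) | sha256sum | cut ...`, and a pipeline's exit status is that of `cut`, so if `cat` fails the rule still succeeds and writes the digest of empty input, a well-formed 64-hex value that would then be embedded as a trusted hash. Unless the genrule shell already runs with pipefail (not visible here), I would make the failure explicit in all three rules, e.g. `cmd: "set -o pipefail; sha256sum $(in) | cut -d' ' -f1 > $(out)",`. The join rule `microdroid_initrd_hashes` has the same pipeline shape, and its `truncate -s -1` assumes the last input ends in exactly one newline. A short comment stating that assumption next to `// join the hashes with commas` would help.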