Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 9b870dad609af6750e2a5a00b5f9a7d2be9f3dee / . / apex / sign_virt_apex.py
blob: c8cb07d7ca79911e530b78b96081b2710b1fb484 [file] [log] [blame]
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]1#!/usr/bin/env python
2#
3# Copyright (C) 2021 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9# http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16"""sign_virt_apex is a command line tool for sign the Virt APEX file.
17
Jooyung Han98498f42022-02-07 15:23:08 +0900[diff] [blame]18Typical usage:
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]19 sign_virt_apex payload_key payload_dir
20 -v, --verbose
21 --verify
22 --avbtool path_to_avbtool
23 --signing_args args
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]24
25sign_virt_apex uses external tools which are assumed to be available via PATH.
26- avbtool (--avbtool can override the tool)
27- lpmake, lpunpack, simg2img, img2simg
28"""
29import argparse
Jooyung Han02dceed2021-11-08 17:50:22 +0900[diff] [blame]30import hashlib
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]31import os
32import re
Jooyung Han98498f42022-02-07 15:23:08 +0900[diff] [blame]33import shlex
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]34import subprocess
35import sys
36import tempfile
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]37import traceback
38from concurrent import futures
39
40# pylint: disable=line-too-long,consider-using-with
41
42# Use executor to parallelize the invocation of external tools
43# If a task depends on another, pass the future object of the previous task as wait list.
44# Every future object created by a task should be consumed with AwaitAll()
45# so that exceptions are propagated .
46executor = futures.ThreadPoolExecutor()
47
48# Temporary directory for unpacked super.img.
49# We could put its creation/deletion into the task graph as well, but
50# having it as a global setup is much simpler.
51unpack_dir = tempfile.TemporaryDirectory()
52
53# tasks created with Async() are kept in a list so that they are awaited
54# before exit.
55tasks = []
56
57# create an async task and return a future value of it.
58def Async(fn, *args, wait=None, **kwargs):
59
60 # wrap a function with AwaitAll()
61 def wrapped():
62 AwaitAll(wait)
63 fn(*args, **kwargs)
64
65 task = executor.submit(wrapped)
66 tasks.append(task)
67 return task
68
69
70# waits for task (captured in fs as future values) with future.result()
71# so that any exception raised during task can be raised upward.
72def AwaitAll(fs):
73 if fs:
74 for f in fs:
75 f.result()
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]76
77
78def ParseArgs(argv):
79 parser = argparse.ArgumentParser(description='Sign the Virt APEX')
Jooyung Han02dceed2021-11-08 17:50:22 +0900[diff] [blame]80 parser.add_argument('--verify', action='store_true',
81 help='Verify the Virt APEX')
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]82 parser.add_argument(
83 '-v', '--verbose',
84 action='store_true',
85 help='verbose execution')
86 parser.add_argument(
87 '--avbtool',
88 default='avbtool',
89 help='Optional flag that specifies the AVB tool to use. Defaults to `avbtool`.')
90 parser.add_argument(
Jooyung Han98498f42022-02-07 15:23:08 +0900[diff] [blame]91 '--signing_args',
92 help='the extra signing arguments passed to avbtool.'
93 )
94 parser.add_argument(
Jooyung Han1c3d2fa2022-02-24 02:35:59 +0900[diff] [blame]95 '--key_override',
96 metavar="filename=key",
97 action='append',
98 help='Overrides a signing key for a file e.g. microdroid_bootloader=mykey (for testing)')
99 parser.add_argument(
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]100 'key',
101 help='path to the private key file.')
102 parser.add_argument(
103 'input_dir',
104 help='the directory having files to be packaged')
Jooyung Han1c3d2fa2022-02-24 02:35:59 +0900[diff] [blame]105 args = parser.parse_args(argv)
106 # preprocess --key_override into a map
Jiyong Park40bf2dc2022-05-23 23:41:25 +0900[diff] [blame]107 args.key_overrides = {}
Jooyung Han1c3d2fa2022-02-24 02:35:59 +0900[diff] [blame]108 if args.key_override:
109 for pair in args.key_override:
110 name, key = pair.split('=')
111 args.key_overrides[name] = key
112 return args
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]113
114
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]115def RunCommand(args, cmd, env=None, expected_return_values=None):
116 expected_return_values = expected_return_values or {0}
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]117 env = env or {}
118 env.update(os.environ.copy())
119
120 # TODO(b/193504286): we need a way to find other tool (cmd[0]) in various contexts
121 # e.g. sign_apex.py, sign_target_files_apk.py
122 if cmd[0] == 'avbtool':
123 cmd[0] = args.avbtool
124
125 if args.verbose:
126 print('Running: ' + ' '.join(cmd))
127 p = subprocess.Popen(
128 cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=env, universal_newlines=True)
129 output, _ = p.communicate()
130
131 if args.verbose or p.returncode not in expected_return_values:
132 print(output.rstrip())
133
134 assert p.returncode in expected_return_values, (
135 '%d Failed to execute: ' + ' '.join(cmd)) % p.returncode
136 return (output, p.returncode)
137
138
139def ReadBytesSize(value):
140 return int(value.removesuffix(' bytes'))
141
142
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]143def ExtractAvbPubkey(args, key, output):
144 RunCommand(args, ['avbtool', 'extract_public_key',
145 '--key', key, '--output', output])
146
147
148def AvbInfo(args, image_path):
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]149 """Parses avbtool --info image output
150
151 Args:
152 args: program arguments.
153 image_path: The path to the image.
154 descriptor_name: Descriptor name of interest.
155
156 Returns:
157 A pair of
158 - a dict that contains VBMeta info. None if there's no VBMeta info.
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]159 - a list of descriptors.
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]160 """
161 if not os.path.exists(image_path):
Jiyong Park40bf2dc2022-05-23 23:41:25 +0900[diff] [blame]162 raise ValueError(f'Failed to find image: {image_path}')
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]163
164 output, ret_code = RunCommand(
165 args, ['avbtool', 'info_image', '--image', image_path], expected_return_values={0, 1})
166 if ret_code == 1:
167 return None, None
168
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]169 info, descriptors = {}, []
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]170
171 # Read `avbtool info_image` output as "key:value" lines
172 matcher = re.compile(r'^(\s*)([^:]+):\s*(.*)$')
173
174 def IterateLine(output):
175 for line in output.split('\n'):
176 line_info = matcher.match(line)
177 if not line_info:
178 continue
179 yield line_info.group(1), line_info.group(2), line_info.group(3)
180
181 gen = IterateLine(output)
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]182
183 def ReadDescriptors(cur_indent, cur_name, cur_value):
184 descriptor = cur_value if cur_name == 'Prop' else {}
185 descriptors.append((cur_name, descriptor))
186 for indent, key, value in gen:
187 if indent <= cur_indent:
188 # read descriptors recursively to pass the read key as descriptor name
189 ReadDescriptors(indent, key, value)
190 break
191 descriptor[key] = value
192
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]193 # Read VBMeta info
194 for _, key, value in gen:
195 if key == 'Descriptors':
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]196 ReadDescriptors(*next(gen))
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]197 break
198 info[key] = value
199
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]200 return info, descriptors
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]201
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]202
203# Look up a list of (key, value) with a key. Returns the value of the first matching pair.
204def LookUp(pairs, key):
205 for k, v in pairs:
206 if key == k:
207 return v
208 return None
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]209
210
211def AddHashFooter(args, key, image_path):
Jooyung Han1c3d2fa2022-02-24 02:35:59 +0900[diff] [blame]212 if os.path.basename(image_path) in args.key_overrides:
213 key = args.key_overrides[os.path.basename(image_path)]
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]214 info, descriptors = AvbInfo(args, image_path)
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]215 if info:
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]216 descriptor = LookUp(descriptors, 'Hash descriptor')
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]217 image_size = ReadBytesSize(info['Image size'])
218 algorithm = info['Algorithm']
219 partition_name = descriptor['Partition Name']
220 partition_size = str(image_size)
221
222 cmd = ['avbtool', 'add_hash_footer',
223 '--key', key,
224 '--algorithm', algorithm,
225 '--partition_name', partition_name,
226 '--partition_size', partition_size,
227 '--image', image_path]
Jooyung Han98498f42022-02-07 15:23:08 +0900[diff] [blame]228 if args.signing_args:
229 cmd.extend(shlex.split(args.signing_args))
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]230 RunCommand(args, cmd)
231
232
233def AddHashTreeFooter(args, key, image_path):
Jooyung Han1c3d2fa2022-02-24 02:35:59 +0900[diff] [blame]234 if os.path.basename(image_path) in args.key_overrides:
235 key = args.key_overrides[os.path.basename(image_path)]
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]236 info, descriptors = AvbInfo(args, image_path)
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]237 if info:
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]238 descriptor = LookUp(descriptors, 'Hashtree descriptor')
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]239 image_size = ReadBytesSize(info['Image size'])
240 algorithm = info['Algorithm']
241 partition_name = descriptor['Partition Name']
242 partition_size = str(image_size)
243
244 cmd = ['avbtool', 'add_hashtree_footer',
245 '--key', key,
246 '--algorithm', algorithm,
247 '--partition_name', partition_name,
248 '--partition_size', partition_size,
249 '--do_not_generate_fec',
250 '--image', image_path]
Jooyung Han98498f42022-02-07 15:23:08 +0900[diff] [blame]251 if args.signing_args:
252 cmd.extend(shlex.split(args.signing_args))
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]253 RunCommand(args, cmd)
254
255
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]256def MakeVbmetaImage(args, key, vbmeta_img, images=None, chained_partitions=None):
Jooyung Han1c3d2fa2022-02-24 02:35:59 +0900[diff] [blame]257 if os.path.basename(vbmeta_img) in args.key_overrides:
258 key = args.key_overrides[os.path.basename(vbmeta_img)]
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]259 info, descriptors = AvbInfo(args, vbmeta_img)
260 if info is None:
261 return
262
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]263 with tempfile.TemporaryDirectory() as work_dir:
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]264 algorithm = info['Algorithm']
265 rollback_index = info['Rollback Index']
266 rollback_index_location = info['Rollback Index Location']
267
268 cmd = ['avbtool', 'make_vbmeta_image',
269 '--key', key,
270 '--algorithm', algorithm,
271 '--rollback_index', rollback_index,
272 '--rollback_index_location', rollback_index_location,
273 '--output', vbmeta_img]
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]274 if images:
275 for img in images:
276 cmd.extend(['--include_descriptors_from_image', img])
277
278 # replace pubkeys of chained_partitions as well
279 for name, descriptor in descriptors:
280 if name == 'Chain Partition descriptor':
281 part_name = descriptor['Partition Name']
282 ril = descriptor['Rollback Index Location']
283 part_key = chained_partitions[part_name]
284 avbpubkey = os.path.join(work_dir, part_name + '.avbpubkey')
285 ExtractAvbPubkey(args, part_key, avbpubkey)
Jiyong Park40bf2dc2022-05-23 23:41:25 +0900[diff] [blame]286 cmd.extend(['--chain_partition', f'{part_name}:{ril}:{avbpubkey}'])
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]287
Jooyung Han98498f42022-02-07 15:23:08 +0900[diff] [blame]288 if args.signing_args:
289 cmd.extend(shlex.split(args.signing_args))
290
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]291 RunCommand(args, cmd)
292 # libavb expects to be able to read the maximum vbmeta size, so we must provide a partition
293 # which matches this or the read will fail.
Jiyong Park40bf2dc2022-05-23 23:41:25 +0900[diff] [blame]294 with open(vbmeta_img, 'a', encoding='utf8') as f:
Jooyung Handcb0b492022-02-26 09:04:17 +0900[diff] [blame]295 f.truncate(65536)
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]296
297
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]298def UnpackSuperImg(args, super_img, work_dir):
299 tmp_super_img = os.path.join(work_dir, 'super.img')
300 RunCommand(args, ['simg2img', super_img, tmp_super_img])
301 RunCommand(args, ['lpunpack', tmp_super_img, work_dir])
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]302
303
304def MakeSuperImage(args, partitions, output):
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]305 with tempfile.TemporaryDirectory() as work_dir:
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]306 cmd = ['lpmake', '--device-size=auto', '--metadata-slots=2', # A/B
307 '--metadata-size=65536', '--sparse', '--output=' + output]
308
309 for part, img in partitions.items():
310 tmp_img = os.path.join(work_dir, part)
311 RunCommand(args, ['img2simg', img, tmp_img])
312
Jiyong Park40bf2dc2022-05-23 23:41:25 +0900[diff] [blame]313 image_arg = f'--image={part}={img}'
314 partition_arg = f'--partition={part}:readonly:{os.path.getsize(img)}:default'
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]315 cmd.extend([image_arg, partition_arg])
316
317 RunCommand(args, cmd)
318
319
Jooyung Han31b1c2b2021-10-27 03:35:42 +0900[diff] [blame]320def ReplaceBootloaderPubkey(args, key, bootloader, bootloader_pubkey):
Jooyung Han1c3d2fa2022-02-24 02:35:59 +0900[diff] [blame]321 if os.path.basename(bootloader) in args.key_overrides:
322 key = args.key_overrides[os.path.basename(bootloader)]
Jooyung Han31b1c2b2021-10-27 03:35:42 +0900[diff] [blame]323 # read old pubkey before replacement
324 with open(bootloader_pubkey, 'rb') as f:
325 old_pubkey = f.read()
326
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]327 # replace bootloader pubkey (overwrite the old one with the new one)
328 ExtractAvbPubkey(args, key, bootloader_pubkey)
Jooyung Han31b1c2b2021-10-27 03:35:42 +0900[diff] [blame]329
330 # read new pubkey
331 with open(bootloader_pubkey, 'rb') as f:
332 new_pubkey = f.read()
333
334 assert len(old_pubkey) == len(new_pubkey)
335
336 # replace pubkey embedded in bootloader
337 with open(bootloader, 'r+b') as bl_f:
338 pos = bl_f.read().find(old_pubkey)
339 assert pos != -1
340 bl_f.seek(pos)
341 bl_f.write(new_pubkey)
342
343
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]344# dict of (key, file) for re-sign/verification. keys are un-versioned for readability.
345virt_apex_files = {
346 'bootloader.pubkey': 'etc/microdroid_bootloader.avbpubkey',
Andrew Sculld6267ae2022-06-13 13:47:59 +0000[diff] [blame]347 'bootloader': 'etc/fs/microdroid_bootloader',
Jiyong Park09a2bda2022-06-13 16:44:45 +0900[diff] [blame]348 'boot.img': 'etc/fs/microdroid_boot.img',
349 'vendor_boot.img': 'etc/fs/microdroid_vendor_boot.img',
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]350 'init_boot.img': 'etc/fs/microdroid_init_boot.img',
351 'super.img': 'etc/fs/microdroid_super.img',
352 'vbmeta.img': 'etc/fs/microdroid_vbmeta.img',
353 'vbmeta_bootconfig.img': 'etc/fs/microdroid_vbmeta_bootconfig.img',
Andrew Sculld6267ae2022-06-13 13:47:59 +0000[diff] [blame]354 'bootconfig.normal': 'etc/fs/microdroid_bootconfig.normal',
355 'bootconfig.app_debuggable': 'etc/fs/microdroid_bootconfig.app_debuggable',
356 'bootconfig.full_debuggable': 'etc/fs/microdroid_bootconfig.full_debuggable',
357 'uboot_env.img': 'etc/fs/uboot_env.img'
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]358}
359
360
361def TargetFiles(input_dir):
362 return {k: os.path.join(input_dir, v) for k, v in virt_apex_files.items()}
363
364
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]365def SignVirtApex(args):
366 key = args.key
367 input_dir = args.input_dir
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]368 files = TargetFiles(input_dir)
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]369
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]370 # unpacked files (will be unpacked from super.img below)
371 system_a_img = os.path.join(unpack_dir.name, 'system_a.img')
372 vendor_a_img = os.path.join(unpack_dir.name, 'vendor_a.img')
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]373
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]374 # Key(pubkey) embedded in bootloader should match with the one used to make VBmeta below
Jooyung Han31b1c2b2021-10-27 03:35:42 +0900[diff] [blame]375 # while it's okay to use different keys for other image files.
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]376 replace_f = Async(ReplaceBootloaderPubkey, args,
377 key, files['bootloader'], files['bootloader.pubkey'])
Jooyung Han31b1c2b2021-10-27 03:35:42 +0900[diff] [blame]378
Devin Mooredc9158e2022-01-10 18:51:12 +0000[diff] [blame]379 # re-sign bootloader, boot.img, vendor_boot.img, and init_boot.img
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]380 Async(AddHashFooter, args, key, files['bootloader'], wait=[replace_f])
Shikha Panwar9b870da2022-09-28 12:52:16 +0000[diff] [blame^]381 Async(AddHashFooter, args, key, files['boot.img'])
382 Async(AddHashFooter, args, key, files['vendor_boot.img'])
383 Async(AddHashFooter, args, key, files['init_boot.img'])
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]384
385 # re-sign super.img
Jooyung Hanbae6ce42022-09-13 15:15:18 +0900[diff] [blame]386 # 1. unpack super.img
387 # 2. resign system and vendor
388 # 3. repack super.img out of resigned system and vendor
389 UnpackSuperImg(args, files['super.img'], unpack_dir.name)
390 system_a_f = Async(AddHashTreeFooter, args, key, system_a_img)
391 vendor_a_f = Async(AddHashTreeFooter, args, key, vendor_a_img)
392 partitions = {"system_a": system_a_img, "vendor_a": vendor_a_img}
393 Async(MakeSuperImage, args, partitions, files['super.img'], wait=[system_a_f, vendor_a_f])
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]394
Shikha Panwar9b870da2022-09-28 12:52:16 +0000[diff] [blame^]395 # re-generate vbmeta from re-signed {system_a, vendor_a}.img
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]396 Async(MakeVbmetaImage, args, key, files['vbmeta.img'],
Shikha Panwar9b870da2022-09-28 12:52:16 +0000[diff] [blame^]397 images=[system_a_img, vendor_a_img],
398 wait=[system_a_f, vendor_a_f])
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]399
Jiyong Park34ad9182022-01-28 21:29:48 +0900[diff] [blame]400 # Re-sign bootconfigs and the uboot_env with the same key
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]401 bootconfig_sign_key = key
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]402 Async(AddHashFooter, args, bootconfig_sign_key, files['bootconfig.normal'])
403 Async(AddHashFooter, args, bootconfig_sign_key, files['bootconfig.app_debuggable'])
404 Async(AddHashFooter, args, bootconfig_sign_key, files['bootconfig.full_debuggable'])
405 Async(AddHashFooter, args, bootconfig_sign_key, files['uboot_env.img'])
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]406
Jiyong Park34ad9182022-01-28 21:29:48 +0900[diff] [blame]407 # Re-sign vbmeta_bootconfig with chained_partitions to "bootconfig" and
408 # "uboot_env". Note that, for now, `key` and `bootconfig_sign_key` are the
409 # same, but technically they can be different. Vbmeta records pubkeys which
410 # signed chained partitions.
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]411 Async(MakeVbmetaImage, args, key, files['vbmeta_bootconfig.img'], chained_partitions={
412 'bootconfig': bootconfig_sign_key,
413 'uboot_env': bootconfig_sign_key,
Jiyong Park34ad9182022-01-28 21:29:48 +0900[diff] [blame]414 })
Jooyung Han832d11d2021-11-08 12:51:47 +0900[diff] [blame]415
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]416
Jooyung Han02dceed2021-11-08 17:50:22 +0900[diff] [blame]417def VerifyVirtApex(args):
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]418 key = args.key
419 input_dir = args.input_dir
420 files = TargetFiles(input_dir)
Jooyung Han02dceed2021-11-08 17:50:22 +0900[diff] [blame]421
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]422 # unpacked files
423 UnpackSuperImg(args, files['super.img'], unpack_dir.name)
424 system_a_img = os.path.join(unpack_dir.name, 'system_a.img')
425 vendor_a_img = os.path.join(unpack_dir.name, 'vendor_a.img')
Jooyung Han02dceed2021-11-08 17:50:22 +0900[diff] [blame]426
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]427 # Read pubkey digest from the input key
428 with tempfile.NamedTemporaryFile() as pubkey_file:
429 ExtractAvbPubkey(args, key, pubkey_file.name)
430 with open(pubkey_file.name, 'rb') as f:
431 pubkey = f.read()
432 pubkey_digest = hashlib.sha1(pubkey).hexdigest()
Jooyung Han02dceed2021-11-08 17:50:22 +0900[diff] [blame]433
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]434 def contents(file):
435 with open(file, 'rb') as f:
436 return f.read()
Jooyung Han02dceed2021-11-08 17:50:22 +0900[diff] [blame]437
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]438 def check_equals_pubkey(file):
Jiyong Park40bf2dc2022-05-23 23:41:25 +0900[diff] [blame]439 assert contents(file) == pubkey, f'pubkey mismatch: {file}'
Jooyung Han02dceed2021-11-08 17:50:22 +0900[diff] [blame]440
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]441 def check_contains_pubkey(file):
Jiyong Park40bf2dc2022-05-23 23:41:25 +0900[diff] [blame]442 assert contents(file).find(pubkey) != -1, f'pubkey missing: {file}'
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]443
444 def check_avb_pubkey(file):
445 info, _ = AvbInfo(args, file)
Jiyong Park40bf2dc2022-05-23 23:41:25 +0900[diff] [blame]446 assert info is not None, f'no avbinfo: {file}'
447 assert info['Public key (sha1)'] == pubkey_digest, f'pubkey mismatch: {file}'
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]448
449 for f in files.values():
450 if f == files['bootloader.pubkey']:
451 Async(check_equals_pubkey, f)
452 elif f == files['bootloader']:
453 Async(check_contains_pubkey, f)
454 elif f == files['super.img']:
455 Async(check_avb_pubkey, system_a_img)
456 Async(check_avb_pubkey, vendor_a_img)
457 else:
458 # Check pubkey for other files using avbtool
459 Async(check_avb_pubkey, f)
Jooyung Han02dceed2021-11-08 17:50:22 +0900[diff] [blame]460
461
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]462def main(argv):
463 try:
464 args = ParseArgs(argv)
Jooyung Han02dceed2021-11-08 17:50:22 +0900[diff] [blame]465 if args.verify:
466 VerifyVirtApex(args)
467 else:
468 SignVirtApex(args)
Jooyung Han486609f2022-04-20 11:38:00 +0900[diff] [blame]469 # ensure all tasks are completed without exceptions
470 AwaitAll(tasks)
471 except: # pylint: disable=bare-except
472 traceback.print_exc()
Jooyung Han504105f2021-10-26 15:54:50 +0900[diff] [blame]473 sys.exit(1)
474
475
476if __name__ == '__main__':
477 main(sys.argv[1:])