diff options
author | Treehugger Robot <treehugger-gerrit@google.com> | 2020-02-26 00:09:17 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2020-02-26 00:09:17 +0000 |
commit | b5aad1b937c465f7c6ffbb7d37ae79a20574b27d (patch) | |
tree | f46f62224b644fa0d80971c5dabba7253cfe024a | |
parent | 5832bf1f5a949bc32a9b8f57ed46cb7f06606fe6 (diff) | |
parent | 2fe786a528433dfaa9812eb910fde13d5b04aeed (diff) | |
download | build-b5aad1b937c465f7c6ffbb7d37ae79a20574b27d.tar.gz |
Merge "Support removing AVB public keys"
-rwxr-xr-x | tools/releasetools/sign_target_files_apks.py | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py index cce771c27a..5b7c2ac676 100755 --- a/tools/releasetools/sign_target_files_apks.py +++ b/tools/releasetools/sign_target_files_apks.py @@ -91,6 +91,14 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files Replace the veritykeyid in BOOT/cmdline of input_target_file_zip with keyid of the cert pointed by <path_to_X509_PEM_cert_file>. + --remove_avb_public_keys <key1>,<key2>,... + Remove AVB public keys from the first-stage ramdisk. The key file to + remove is located at either of the following dirs: + - BOOT/RAMDISK/avb/ or + - BOOT/RAMDISK/first_stage_ramdisk/avb/ + The second dir will be used for lookup if BOARD_USES_RECOVERY_AS_BOOT is + set to true. + --avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system, vbmeta_vendor}_algorithm <algorithm> --avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system, @@ -150,6 +158,7 @@ OPTIONS.replace_ota_keys = False OPTIONS.replace_verity_public_key = False OPTIONS.replace_verity_private_key = False OPTIONS.replace_verity_keyid = False +OPTIONS.remove_avb_public_keys = None OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys") OPTIONS.avb_keys = {} OPTIONS.avb_algorithms = {} @@ -585,6 +594,18 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, filename in ("BOOT/RAMDISK/verity_key", "ROOT/verity_key")): pass + elif (OPTIONS.remove_avb_public_keys and + (filename.startswith("BOOT/RAMDISK/avb/") or + filename.startswith("BOOT/RAMDISK/first_stage_ramdisk/avb/"))): + matched_removal = False + for key_to_remove in OPTIONS.remove_avb_public_keys: + if filename.endswith(key_to_remove): + matched_removal = True + print("Removing AVB public key from ramdisk: %s" % filename) + break + if not matched_removal: + # Copy it verbatim if we don't want to remove it. + common.ZipWriteStr(output_tf_zip, out_info, data) # Skip verity keyid (for system_root_image use) if we will replace it. elif OPTIONS.replace_verity_keyid and filename == "BOOT/cmdline": @@ -610,8 +631,7 @@ def ProcessTargetFiles(input_tf_zip, output_tf_zip, misc_info, # Should NOT sign boot-debug.img. elif filename in ( "BOOT/RAMDISK/force_debuggable", - "RECOVERY/RAMDISK/force_debuggable" - "RECOVERY/RAMDISK/first_stage_ramdisk/force_debuggable"): + "BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"): raise common.ExternalError("debuggable boot.img cannot be signed") # A non-APK file; copy it verbatim. @@ -1135,6 +1155,8 @@ def main(argv): OPTIONS.replace_verity_private_key = (True, a) elif o == "--replace_verity_keyid": OPTIONS.replace_verity_keyid = (True, a) + elif o == "--remove_avb_public_keys": + OPTIONS.remove_avb_public_keys = a.split(",") elif o == "--avb_vbmeta_key": OPTIONS.avb_keys['vbmeta'] = a elif o == "--avb_vbmeta_algorithm": @@ -1203,6 +1225,7 @@ def main(argv): "replace_verity_public_key=", "replace_verity_private_key=", "replace_verity_keyid=", + "remove_avb_public_keys=", "avb_apex_extra_args=", "avb_vbmeta_algorithm=", "avb_vbmeta_key=", |