author | Kelvin Zhang <zhangkelvin@google.com> | 2023-10-03 12:21:28 -0700 |
---|---|---|
committer | Kelvin Zhang <zhangkelvin@google.com> | 2023-10-03 12:26:08 -0700 |
commit | de53f7df433afbc22e8fd88cae46f0890689b081 (patch) | |
tree | 68c93f0efae8d01ed10c68502ff05ac07a7d95be | |
parent | d61f2efdbb6760e8ac377d95a84e52be8e279a04 (diff) | |
download | build-de53f7df433afbc22e8fd88cae46f0890689b081.tar.gz |
Use deterministic salt for boot image avb footer
avbtool by default generates a random salt every time, which makes builds
less reproducible. Use the sha256 checksum of the kernel image as the hex
salt to make the build reproducible.
Test: th
Bug: 293313353
Change-Id: I959b3dee77654098ab9fde475f11eaee8d40c790
-rw-r--r-- | core/Makefile | 1 | ||||
-rw-r--r-- | tools/releasetools/common.py | 11 |
2 files changed, 9 insertions, 3 deletions
diff --git a/core/Makefile b/core/Makefile
index fc2a132670..e77b8e718e 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -1233,6 +1233,7 @@ define build_boot_from_kernel_avb_enabled
 $(AVBTOOL) add_hash_footer \
 --image $(1) \
 $(call get-partition-size-argument,$(call get-bootimage-partition-size,$(1),boot)) \
+ --salt `sha256sum "$(kernel)" | cut -d " " -f 1` \
 --partition_name boot $(INTERNAL_AVB_BOOT_SIGNING_ARGS) \
 $(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)
 endef
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index c5a3fe777f..b16c42501e 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -1410,7 +1410,7 @@ def RunHostInitVerifier(product_out, partition_map):
 return RunAndCheckOutput(cmd)
-def AppendAVBSigningArgs(cmd, partition):
+def AppendAVBSigningArgs(cmd, partition, avb_salt=None):
 """Append signing arguments for avbtool."""
 # e.g., "--key path/to/signing_key --algorithm SHA256_RSA4096"
 key_path = ResolveAVBSigningPathArgs(
@@ -1418,7 +1418,8 @@ def AppendAVBSigningArgs(cmd, partition):
 algorithm = OPTIONS.info_dict.get("avb_" + partition + "_algorithm")
 if key_path and algorithm:
 cmd.extend(["--key", key_path, "--algorithm", algorithm])
- avb_salt = OPTIONS.info_dict.get("avb_salt")
+ if avb_salt is None:
+ avb_salt = OPTIONS.info_dict.get("avb_salt")
 # make_vbmeta_image doesn't like "--salt" (and it's not needed).
 if avb_salt and not partition.startswith("vbmeta"):
 cmd.extend(["--salt", avb_salt])
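Review bot: The added `--salt` line in build_boot_from_kernel_avb_enabled depends on `$(kernel)`, which is not assigned in the visible lines, and on a backtick pipeline whose exit status is that of `cut`, so a failing `sha256sum` is not reported by the pipeline itself unless the recipe shell enables pipefail. If `$(kernel)` is empty or the file is missing, the substitution yields an empty string and the problem shows up only indirectly, through avbtool's argument parsing. Because `$(BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS)` is expanded after this line, a board that already passes `--salt` there would presumably still override the derived value; it is worth confirming that this is intended. A comment next to the define would record the intent, for example `# Salt is sha256 of the kernel so the AVB footer is reproducible; the salt is not a secret.` The define starts outside the hunk.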
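Review bot: The new `avb_salt` parameter of AppendAVBSigningArgs takes precedence over the `avb_salt` entry in `OPTIONS.info_dict`, and the docstring still reads only `"""Append signing arguments for avbtool."""`. A caller-supplied value therefore overrides a salt that was configured deliberately for the whole build, which changes behaviour for any flow that sets `avb_salt` in the info dict. An empty string passed by a caller is not `None`, so it skips the fallback and then fails the truthiness test, and no `--salt` is appended at all. The docstring should state the precedence, for example `avb_salt: hex salt passed as --salt; when None, OPTIONS.info_dict["avb_salt"] is used; never applied to vbmeta partitions.` The signature change is in the first common.py hunk and the fallback in the second; the lines between them and the end of the function are not shown.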
@@ -1825,7 +1826,11 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file, cmd = [avbtool, "add_hash_footer", "--image", img.name, "--partition_size", str(part_size), "--partition_name", partition_name] - AppendAVBSigningArgs(cmd, partition_name) + salt = None + if kernel_path is not None: + with open(kernel_path, "rb") as fp: + salt = sha256(fp.read()).hexdigest() + AppendAVBSigningArgs(cmd, partition_name, salt) args = info_dict.get("avb_" + partition_name + "_add_hash_footer_args") if args and args.strip(): split_args = ResolveAVBSigningPathArgs(shlex.split(args)) |
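Review bot: In _BuildBootableImage the salt is derived only when `kernel_path is not None`, so an image built without a kernel still falls back to `avb_salt` from the info dict or, if that is unset, to avbtool's random default, and stays non-reproducible. The digest covers the kernel alone, so two boot images that share a kernel but differ in ramdisk receive the same salt; as far as I know the salt is stored in the clear in the hash descriptor, so this is not a secrecy concern, but the choice deserves a comment such as `# Deterministic salt: sha256 of the kernel, same derivation as core/Makefile, for reproducible AVB footers.` `sha256` is not imported in this diff, so it is presumably already in scope in common.py. `kernel_path` and the rest of the function are defined outside this hunk.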