diff options
| author | Tao Bao <tbao@google.com> | 2015-04-01 17:33:36 +0000 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2015-04-01 17:33:36 +0000 |
| commit | 521a8dbd186710d8e68ce8853822edc44ecaa0d9 (patch) | |
| tree | b75c2e8b6afffb4dfc6ea3cef078617139b09cdf | |
| parent | cb8436b78f8688737bc69a6992aca824e3f11988 (diff) | |
| parent | 93d46584170a9aae1728cdb9010eef41e25b4d4a (diff) | |
| download | build-521a8dbd186710d8e68ce8853822edc44ecaa0d9.zip build-521a8dbd186710d8e68ce8853822edc44ecaa0d9.tar.gz build-521a8dbd186710d8e68ce8853822edc44ecaa0d9.tar.bz2 | |
am 93d46584: am ae26f5b0: am 53602955: Merge "Add support to sign bootable images with vboot_signer"
* commit '93d46584170a9aae1728cdb9010eef41e25b4d4a':
Add support to sign bootable images with vboot_signer
| -rw-r--r-- | core/Makefile | 10 | ||||
| -rw-r--r-- | tools/releasetools/common.py | 22 |
2 files changed, 29 insertions, 3 deletions
diff --git a/core/Makefile b/core/Makefile index aab2563..27e444b 100644 --- a/core/Makefile +++ b/core/Makefile @@ -732,6 +732,10 @@ $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verit $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(VERITY_SIGNER)" >> $(1)) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION),$(hide) echo "system_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION)" >> $(1)) $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION),$(hide) echo "vendor_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION)" >> $(1)) +$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)" >> $(1)) +$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_KEY)" >> $(1)) +$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "futility=$(FUTILITY)" >> $(1)) +$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot_signer_cmd=$(VBOOT_SIGNER)" >> $(1)) $(if $(filter true,$(BOARD_BUILD_SYSTEM_ROOT_IMAGE)),\ $(hide) echo "system_root_image=true" >> $(1);\ echo "ramdisk_dir=$(TARGET_ROOT_OUT)" >> $(1)) @@ -862,9 +866,13 @@ define build-recoveryimage-target $(hide) cat $(INSTALLED_DEFAULT_PROP_TARGET) $(recovery_build_prop) \ > $(TARGET_RECOVERY_ROOT_OUT)/default.prop $(hide) $(MKBOOTFS) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk) - $(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1) + $(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)), \ + $(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1).unsigned, \ + $(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1)) $(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY)),\ $(BOOT_SIGNER) /recovery $(1) $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem $(1)) + $(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)), \ + $(VBOOT_SIGNER) $(FUTILITY) $(1).unsigned $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_KEY).vbpubk $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_KEY).vbprivk $(1).keyblock $(1)) $(hide) $(call assert-max-image-size,$(1),$(BOARD_RECOVERYIMAGE_PARTITION_SIZE)) @echo ----- Made recovery image: $(1) -------- endef diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py index 1fd9f76..59e81c1 100644 --- a/tools/releasetools/common.py +++ b/tools/releasetools/common.py @@ -348,8 +348,14 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None): if args and args.strip(): cmd.extend(shlex.split(args)) - cmd.extend(["--ramdisk", ramdisk_img.name, - "--output", img.name]) + img_unsigned = None + if info_dict.get("vboot", None): + img_unsigned = tempfile.NamedTemporaryFile() + cmd.extend(["--ramdisk", ramdisk_img.name, + "--output", img_unsigned.name]) + else: + cmd.extend(["--ramdisk", ramdisk_img.name, + "--output", img.name]) p = Run(cmd, stdout=subprocess.PIPE) p.communicate() @@ -365,6 +371,18 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None): p.communicate() assert p.returncode == 0, "boot_signer of %s image failed" % path + # Sign the image if vboot is non-empty. + elif info_dict.get("vboot", None): + path = "/" + os.path.basename(sourcedir).lower() + img_keyblock = tempfile.NamedTemporaryFile() + cmd = [info_dict["vboot_signer_cmd"], info_dict["futility"], + img_unsigned.name, info_dict["vboot_key"] + ".vbpubk", + info_dict["vboot_key"] + ".vbprivk", img_keyblock.name, + img.name] + p = Run(cmd, stdout=subprocess.PIPE) + p.communicate() + assert p.returncode == 0, "vboot_signer of %s image failed" % path + img.seek(os.SEEK_SET, 0) data = img.read() |