author | Tao Bao <tbao@google.com> | 2015-04-01 17:05:36 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2015-04-01 17:05:36 +0000 |
commit | ae26f5b002de956d495c4019b365040490ff18dd (patch) | |
tree | a7c193df02633f952f890f5fd1272c7745c9e3a1 | |
parent | 071af0ac49ab87e4d365056a8ff764177f56b428 (diff) | |
parent | 536029551d31d8084c444063349291781ee43ae1 (diff) | |
am 53602955: Merge "Add support to sign bootable images with vboot_signer"
* commit '536029551d31d8084c444063349291781ee43ae1':
Add support to sign bootable images with vboot_signer
-rw-r--r-- | core/Makefile | 10 | ||||
-rw-r--r-- | tools/releasetools/common.py | 22 |
2 files changed, 29 insertions, 3 deletions
diff --git a/core/Makefile b/core/Makefile
index 3d22ce5..6356d62 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -717,6 +717,10 @@ $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verit
 $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),$(hide) echo "verity_signer_cmd=$(VERITY_SIGNER)" >> $(1))
 $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION),$(hide) echo "system_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SYSTEM_VERITY_PARTITION)" >> $(1))
 $(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION),$(hide) echo "vendor_verity_block_device=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VENDOR_VERITY_PARTITION)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot_key=$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_KEY)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "futility=$(FUTILITY)" >> $(1))
+$(if $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT),$(hide) echo "vboot_signer_cmd=$(VBOOT_SIGNER)" >> $(1))
 $(if $(filter true,$(BOARD_BUILD_SYSTEM_ROOT_IMAGE)),\
 $(hide) echo "system_root_image=true" >> $(1);\
 echo "ramdisk_dir=$(TARGET_ROOT_OUT)" >> $(1))
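Review bot: The four added lines test `PRODUCT_SUPPORTS_VBOOT` only for being non-empty, while the recovery-image rule in the next Makefile hunk tests it with `$(filter true,...)`, so a product that sets the variable to `false` still gets `vboot=false` written to the info file. The `info_dict.get("vboot", None)` checks this commit adds to tools/releasetools/common.py treat any non-empty string as enabled, so the make-time and release-time decisions can disagree and the release tools would route the boot image through vboot_signer. Using the same guard on all four lines, `$(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)),...)`, keeps the two in step. The enclosing macro starts and ends outside the hunk.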
@@ -847,9 +851,13 @@ define build-recoveryimage-target
 $(hide) cat $(INSTALLED_DEFAULT_PROP_TARGET) $(recovery_build_prop) \
 > $(TARGET_RECOVERY_ROOT_OUT)/default.prop
 $(hide) $(MKBOOTFS) $(TARGET_RECOVERY_ROOT_OUT) | $(MINIGZIP) > $(recovery_ramdisk)
- $(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1)
+ $(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)), \
+ $(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1).unsigned, \
+ $(hide) $(MKBOOTIMG) $(INTERNAL_RECOVERYIMAGE_ARGS) $(BOARD_MKBOOTIMG_ARGS) --output $(1))
 $(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY)),\
 $(BOOT_SIGNER) /recovery $(1) $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).pk8 $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VERITY_SIGNING_KEY).x509.pem $(1))
+ $(if $(filter true,$(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VBOOT)), \
+ $(VBOOT_SIGNER) $(FUTILITY) $(1).unsigned $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_KEY).vbpubk $(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_VBOOT_SIGNING_KEY).vbprivk $(1).keyblock $(1))
 $(hide) $(call assert-max-image-size,$(1),$(BOARD_RECOVERYIMAGE_PARTITION_SIZE))
 @echo ----- Made recovery image: $(1) --------
 endef
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index f76f812..6a5d22f 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -346,8 +346,14 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
 if args and args.strip():
 cmd.extend(shlex.split(args))
- cmd.extend(["--ramdisk", ramdisk_img.name,
- "--output", img.name])
+ img_unsigned = None
+ if info_dict.get("vboot", None):
+ img_unsigned = tempfile.NamedTemporaryFile()
+ cmd.extend(["--ramdisk", ramdisk_img.name,
+ "--output", img_unsigned.name])
+ else:
+ cmd.extend(["--ramdisk", ramdisk_img.name,
+ "--output", img.name])
 p = Run(cmd, stdout=subprocess.PIPE)
 p.communicate()
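Review bot: When a product enables both verity and vboot, mkbootimg writes only `$(1).unsigned`, yet the unchanged `$(BOOT_SIGNER) /recovery $(1) ...` line still runs against `$(1)`, which this rule has not produced at that point and which may be a stale file from an earlier build. Nothing in the hunk rejects that combination; a guard at the top of `build-recoveryimage-target` such as `$(if $(and $(filter true,<verity flag>),$(filter true,<vboot flag>)),$(error verity and vboot signing cannot both be enabled))` (flag names abbreviated here) would make the conflict explicit. The `$(1).unsigned` and `$(1).keyblock` intermediates are also left beside the final image, so a comment such as `# .unsigned/.keyblock are build intermediates, not release artifacts` would tell packagers not to ship them.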
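Review bot: The mkbootimg output is redirected to `img_unsigned` whenever `vboot` is set, but the vboot signing added in the next hunk is an `elif` behind the boot_signer branch, so if that earlier branch is taken `img.name` never receives the image and boot_signer would operate on an empty temporary file. The condition of that earlier branch is outside the hunk, so this is inferred from the visible `elif`. The redirect should be taken only under the exact condition that reaches the vboot_signer call, and a comment here such as `# img_unsigned is consumed only by the vboot_signer branch below; keep both conditions in sync` would record that. The two `cmd.extend` calls differ only in the output file, so they can collapse to `out_img = img_unsigned or img` followed by a single `cmd.extend(["--ramdisk", ramdisk_img.name, "--output", out_img.name])`.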
@@ -362,6 +368,18 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
 p.communicate()
 assert p.returncode == 0, "boot_signer of %s image failed" % path
+ # Sign the image if vboot is non-empty.
+ elif info_dict.get("vboot", None):
+ path = "/" + os.path.basename(sourcedir).lower()
+ img_keyblock = tempfile.NamedTemporaryFile()
+ cmd = [info_dict["vboot_signer_cmd"], info_dict["futility"],
+ img_unsigned.name, info_dict["vboot_key"] + ".vbpubk",
+ info_dict["vboot_key"] + ".vbprivk", img_keyblock.name,
+ img.name]
+ p = Run(cmd, stdout=subprocess.PIPE)
+ p.communicate()
+ assert p.returncode == 0, "vboot_signer of %s image failed" % path
 img.seek(os.SEEK_SET, 0)
 data = img.read() |
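Review bot: A vboot_signer failure is caught only by `assert p.returncode == 0`, which Python removes under `-O`, and the code would then go on to read `img` even though the signer may have written nothing to it. Raising explicitly keeps the check unconditional: `if p.returncode != 0: raise RuntimeError("vboot_signer of %s image failed" % path)`. The `info_dict["vboot_signer_cmd"]`, `info_dict["futility"]` and `info_dict["vboot_key"]` lookups raise a bare `KeyError` when the info file carries `vboot` without the other three entries, so a check that names the missing key would be easier to diagnose. `img_keyblock` and `img_unsigned` are not closed in the visible lines; the function continues past the hunk, so cleanup may exist there.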