authorRicardo Cerqueira <ricardo@cyngn.com>2016-07-11 11:17:56 +0100
committerRicardo Cerqueira <ricardo@cyngn.com>2016-07-11 14:55:13 +0100
commitd6a079f7e317358e4527fc27948d5b2f6621a22b (patch)
tree9fc487db32f0f818113ce3d52c24e09f173dd0b5
parentedb95090a0f4e14a27131f43afec5ad2bb43c1eb (diff)
build: Use the password manager for the verity key if possible
If we're operating with a password dict, try to use it for verity Change-Id: Ie0e8e33c873fc9f1ae9bd6da559f9cbbced183e9 Ref: CYNGNOS-3156
-rwxr-xr-xtools/releasetools/build_image.py15
-rw-r--r--tools/releasetools/common.py18
2 files changed, 30 insertions, 3 deletions
diff --git a/tools/releasetools/build_image.py b/tools/releasetools/build_image.py
index 81ab64f..d712083 100755
--- a/tools/releasetools/build_image.py
+++ b/tools/releasetools/build_image.py
@@ -106,13 +106,26 @@ def BuildVerityTree(sparse_image_path, verity_image_path, prop_dict):
def BuildVerityMetadata(image_size, verity_metadata_path, root_hash, salt,
block_device, signer_path, key):
+ verity_key = os.getenv("PRODUCT_VERITY_KEY", None)
+ verity_key_password = None
+
+ if verity_key and os.path.exists(verity_key+".pk8"):
+ verity_key_passwords = {}
+ verity_key_passwords.update(common.PasswordManager().GetPasswords(verity_key.split()))
+ verity_key_password = verity_key_passwords[verity_key]
+
cmd_template = (
"system/extras/verity/build_verity_metadata.py %s %s %s %s %s %s %s")
cmd = cmd_template % (image_size, verity_metadata_path, root_hash, salt,
block_device, signer_path, key)
print(cmd)
runcmd = ["system/extras/verity/build_verity_metadata.py", image_size, verity_metadata_path, root_hash, salt, block_device, signer_path, key];
- sp = subprocess.Popen(runcmd)
+ if verity_key_password is not None:
+ sp = subprocess.Popen(runcmd, stdin=subprocess.PIPE)
+ sp.communicate(verity_key_password)
+ else:
+ sp = subprocess.Popen(runcmd)
+
sp.wait()
if sp.returncode != 0:
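Review bot: The password piped to the signer is looked up for the key named by `PRODUCT_VERITY_KEY`, but the command is built with the `key` argument, and nothing in the hunk checks that the two name the same key. If they differ, the secret for one key is written to the stdin of a process signing with another, and the resulting failure will be hard to trace; the `common.py` hunk has the same shape, with the command using `info_dict["verity_key"]`. Tying the lookup to the key actually passed would close this, for example `if verity_key and key == verity_key + ".pk8" and os.path.exists(key):` (this assumes `key` is the `.pk8` path, which the hunk does not show). Separately, `GetPasswords(verity_key.split())` followed by `verity_key_passwords[verity_key]` raises `KeyError` whenever the variable contains whitespace, so passing `[verity_key]` would be safer. The body of `BuildVerityMetadata` continues past the end of the hunk.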
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index df06b15..32bbc68 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -339,6 +339,7 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
ramdisk_img = tempfile.NamedTemporaryFile()
img = tempfile.NamedTemporaryFile()
bootimg_key = os.getenv("PRODUCT_PRIVATE_KEY", None)
+ verity_key = os.getenv("PRODUCT_VERITY_KEY", None)
custom_boot_signer = os.getenv("PRODUCT_BOOT_SIGNER", None)
if os.access(fs_config_file, os.F_OK):
@@ -480,8 +481,21 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
cmd.extend([path, img.name,
info_dict["verity_key"] + ".pk8",
info_dict["verity_key"] + ".x509.pem", img.name])
- p = Run(cmd)
- p.communicate()
+ verity_key_password = None
+
+ if verity_key and os.path.exists(verity_key+".pk8") and kernel_pagesize > 0:
+ verity_key_passwords = {}
+ verity_key_passwords.update(PasswordManager().GetPasswords(verity_key.split()))
+ verity_key_password = verity_key_passwords[verity_key]
+
+ if verity_key_password is not None:
+ verity_key_password += "\n"
+ p = Run(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+ p.communicate(verity_key_password)
+ else:
+ p = Run(cmd)
+ p.communicate()
+
assert p.returncode == 0, "boot_signer of %s image failed" % path
# Sign the image if vboot is non-empty.
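Review bot: In the password branch, `Run(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)` captures the signer's stdout and `p.communicate(verity_key_password)` throws it away, so when the assert below fires, whatever the signer printed about a rejected password is lost. Either drop `stdout=subprocess.PIPE` or keep the output and report it, e.g. `out, _ = p.communicate(verity_key_password)` with `out` added to the assert message. This hunk also appends `"\n"` to the password while the `build_image.py` hunk pipes it without one; if both signers read the password the same way, one of the two call sites is presumably wrong, and a comment stating the expected stdin format would settle it. The `kernel_pagesize > 0` term in the guard has no visible connection to whether the key is password-protected and deserves a one-line comment such as `# boot_signer path is only taken when a page size is known`, if that is indeed the reason.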