build: Use the password manager for the verity key if possible

If we're operating with a password dict, try to use it for verity

Change-Id: Ie0e8e33c873fc9f1ae9bd6da559f9cbbced183e9
Ref: CYNGNOS-3156

1 files changed, 16 insertions, 2 deletions

diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index df06b15..32bbc68 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -339,6 +339,7 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
   ramdisk_img = tempfile.NamedTemporaryFile()
   img = tempfile.NamedTemporaryFile()
   bootimg_key = os.getenv("PRODUCT_PRIVATE_KEY", None)
+  verity_key = os.getenv("PRODUCT_VERITY_KEY", None)
   custom_boot_signer = os.getenv("PRODUCT_BOOT_SIGNER", None)
 
   if os.access(fs_config_file, os.F_OK):
@@ -480,8 +481,21 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
     cmd.extend([path, img.name,
                 info_dict["verity_key"] + ".pk8",
                 info_dict["verity_key"] + ".x509.pem", img.name])
-    p = Run(cmd)
-    p.communicate()
+    verity_key_password = None
+
+    if verity_key and os.path.exists(verity_key+".pk8") and kernel_pagesize > 0:
+      verity_key_passwords = {}
+      verity_key_passwords.update(PasswordManager().GetPasswords(verity_key.split()))
+      verity_key_password = verity_key_passwords[verity_key]
+
+    if verity_key_password is not None:
+      verity_key_password += "\n"
+      p = Run(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+      p.communicate(verity_key_password)
+    else:
+      p = Run(cmd)
+      p.communicate()
+
     assert p.returncode == 0, "boot_signer of %s image failed" % path
 
   # Sign the image if vboot is non-empty.