Diffstat (limited to 'tools/releasetools/common.py')
-rw-r--r--tools/releasetools/common.py67
1 files changed, 64 insertions, 3 deletions
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 26cc674..32bbc68 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -338,6 +338,9 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
ramdisk_img = tempfile.NamedTemporaryFile()
img = tempfile.NamedTemporaryFile()
+ bootimg_key = os.getenv("PRODUCT_PRIVATE_KEY", None)
+ verity_key = os.getenv("PRODUCT_VERITY_KEY", None)
+ custom_boot_signer = os.getenv("PRODUCT_BOOT_SIGNER", None)
if os.access(fs_config_file, os.F_OK):
cmd = ["mkbootfs", "-f", fs_config_file, os.path.join(sourcedir, "RAMDISK")]
@@ -404,8 +407,9 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
fn = os.path.join(sourcedir, "pagesize")
if os.access(fn, os.F_OK):
+ kernel_pagesize=open(fn).read().rstrip("\n")
cmd.append("--pagesize")
- cmd.append(open(fn).read().rstrip("\n"))
+ cmd.append(kernel_pagesize)
args = info_dict.get("mkbootimg_args", None)
if args and args.strip():
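Review bot: `kernel_pagesize` is bound only inside the `if os.access(fn, os.F_OK):` branch and holds a string, yet the later hunks test `kernel_pagesize > 0` (the `elif` of the boot-image signing block and the verity password lookup). When the `pagesize` file is absent and a key is configured, that test raises an unbound-local error. When the file is present, a str-to-int comparison is always true on Python 2 and a TypeError on Python 3, so the guard checks nothing. Bind it before the branch with `kernel_pagesize = 0`, parse it with `kernel_pagesize = int(open(fn).read().strip())`, and pass `str(kernel_pagesize)` to `cmd.append`. The body of BuildBootableImage starts and ends outside this hunk.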
@@ -425,6 +429,50 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
assert p.returncode == 0, "mkbootimg of %s image failed" % (
os.path.basename(sourcedir),)
+ if custom_boot_signer and bootimg_key and os.path.exists(bootimg_key):
+ print("Signing bootable image with custom boot signer...")
+ img_secure = tempfile.NamedTemporaryFile()
+ p = Run([custom_boot_signer, img.name, img_secure.name], stdout=subprocess.PIPE)
+ p.communicate()
+ assert p.returncode == 0, "signing of bootable image failed"
+ shutil.copyfile(img_secure.name, img.name)
+ img_secure.close()
+ elif bootimg_key and os.path.exists(bootimg_key) and kernel_pagesize > 0:
+ print("Signing bootable image...")
+ bootimg_key_passwords = {}
+ bootimg_key_passwords.update(PasswordManager().GetPasswords(bootimg_key.split()))
+ bootimg_key_password = bootimg_key_passwords[bootimg_key]
+ if bootimg_key_password is not None:
+ bootimg_key_password += "\n"
+ img_sha256 = tempfile.NamedTemporaryFile()
+ img_sig = tempfile.NamedTemporaryFile()
+ img_sig_padded = tempfile.NamedTemporaryFile()
+ img_secure = tempfile.NamedTemporaryFile()
+ p = Run(["openssl", "dgst", "-sha256", "-binary", "-out", img_sha256.name, img.name],
+ stdout=subprocess.PIPE)
+ p.communicate()
+ assert p.returncode == 0, "signing of bootable image failed"
+ p = Run(["openssl", "rsautl", "-sign", "-in", img_sha256.name, "-inkey", bootimg_key, "-out",
+ img_sig.name, "-passin", "stdin"], stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+ p.communicate(bootimg_key_password)
+ assert p.returncode == 0, "signing of bootable image failed"
+ p = Run(["dd", "if=/dev/zero", "of=%s" % img_sig_padded.name, "bs=%s" % kernel_pagesize,
+ "count=1"], stdout=subprocess.PIPE)
+ p.communicate()
+ assert p.returncode == 0, "signing of bootable image failed"
+ p = Run(["dd", "if=%s" % img_sig.name, "of=%s" % img_sig_padded.name, "conv=notrunc"],
+ stdout=subprocess.PIPE)
+ p.communicate()
+ assert p.returncode == 0, "signing of bootable image failed"
+ p = Run(["cat", img.name, img_sig_padded.name], stdout=img_secure.file.fileno())
+ p.communicate()
+ assert p.returncode == 0, "signing of bootable image failed"
+ shutil.copyfile(img_secure.name, img.name)
+ img_sha256.close()
+ img_sig.close()
+ img_sig_padded.close()
+ img_secure.close()
+
if (info_dict.get("boot_signer", None) == "true" and
info_dict.get("verity_key", None)):
path = "/" + os.path.basename(sourcedir).lower()
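Review bot: Both signing branches are skipped silently when `PRODUCT_PRIVATE_KEY` is set but the file does not exist, so a mistyped key path produces an unsigned boot image and a build that still succeeds. A configured but missing key should be fatal before the `if`, for example `assert not bootimg_key or os.path.exists(bootimg_key), "boot image key %s not found" % bootimg_key`. The custom-signer branch also requires the key file yet never passes it to `custom_boot_signer`; either drop that condition or add a comment saying how the signer obtains the key. In the `elif` branch, `openssl rsautl -sign` over the raw `dgst -binary` output pads the bare digest without a DigestInfo wrapper, which differs from what `openssl dgst -sha256 -sign` emits. If the bootloader's verifier expects that format, a comment such as `# raw SHA-256 digest, PKCS#1 v1.5 padded, no DigestInfo: must match bootloader verifier` should say so.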
@@ -433,8 +481,21 @@ def BuildBootableImage(sourcedir, fs_config_file, info_dict=None):
cmd.extend([path, img.name,
info_dict["verity_key"] + ".pk8",
info_dict["verity_key"] + ".x509.pem", img.name])
- p = Run(cmd, stdout=subprocess.PIPE)
- p.communicate()
+ verity_key_password = None
+
+ if verity_key and os.path.exists(verity_key+".pk8") and kernel_pagesize > 0:
+ verity_key_passwords = {}
+ verity_key_passwords.update(PasswordManager().GetPasswords(verity_key.split()))
+ verity_key_password = verity_key_passwords[verity_key]
+
+ if verity_key_password is not None:
+ verity_key_password += "\n"
+ p = Run(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+ p.communicate(verity_key_password)
+ else:
+ p = Run(cmd)
+ p.communicate()
+
assert p.returncode == 0, "boot_signer of %s image failed" % path
# Sign the image if vboot is non-empty.
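Review bot: The password is looked up for the key named by the `PRODUCT_VERITY_KEY` environment variable, but `cmd` signs with `info_dict["verity_key"]`, and nothing visible here checks that the two name the same key. If they differ, boot_signer is fed the password for a different key, or none at all. Keying the lookup on the value actually used, `verity_key = info_dict["verity_key"]`, removes the mismatch. The `kernel_pagesize > 0` term has no bearing on the verity key and should be dropped from this condition. The new `else` branch calls `Run(cmd)` without `stdout=subprocess.PIPE`, unlike the removed line, so boot_signer output now goes to the build's stdout; if that is intended, a comment should say so.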