Use computed salt for AVB-signed images.
We want the generated images being identical for the same source files.
Currently the generated ext4 image (either from make_ext4fs or mke2fs)
is reproducible, but the AVB footer added by avbtool contain changes
because of the random salt being used.
This CL changes the avbtool invocation to specify "--salt <hexstring>"
(already supported by avbtool) to use reproducible salt that's computed
based on fingerprints (or thumbprints if applicable).
Bug: 67023482
Test: Regenerate images from the same source as follows:
Use a target_files.zip from an AVB-enabled target.
$ zip -d target_files.zip IMAGES/\*
$ ./build/make/tools/releasetools/add_img_to_target_files.py \
-v target_files.zip
Repeat the above commands and compare the generated images.
Change-Id: Id9db17ae0132ca3a820b4be5a5ef06ca3fef71ed
Merged-In: Id9db17ae0132ca3a820b4be5a5ef06ca3fef71ed
(cherry picked from commit 8f05cca1d9989ecb2e5a5d12f1410b6eca8c75b6)
diff --git a/tools/releasetools/add_img_to_target_files.py b/tools/releasetools/add_img_to_target_files.py
index 02f2000..1a08cb6 100755
--- a/tools/releasetools/add_img_to_target_files.py
+++ b/tools/releasetools/add_img_to_target_files.py
@@ -53,6 +53,7 @@
import datetime
import errno
+import hashlib
import os
import shlex
import shutil
@@ -546,6 +547,17 @@
has_recovery = (OPTIONS.info_dict.get("no_recovery") != "true")
+ if OPTIONS.info_dict.get("avb_enable") == "true":
+ fp = None
+ if "build.prop" in OPTIONS.info_dict:
+ build_prop = OPTIONS.info_dict["build.prop"]
+ if "ro.build.fingerprint" in build_prop:
+ fp = build_prop["ro.build.fingerprint"]
+ elif "ro.build.thumbprint" in build_prop:
+ fp = build_prop["ro.build.thumbprint"]
+ if fp:
+ OPTIONS.info_dict["avb_salt"] = hashlib.sha256(fp).hexdigest()
+
def banner(s):
print("\n\n++++ " + s + " ++++\n\n")
diff --git a/tools/releasetools/build_image.py b/tools/releasetools/build_image.py
index 1b9bb04..ccfa35f 100755
--- a/tools/releasetools/build_image.py
+++ b/tools/releasetools/build_image.py
@@ -120,7 +120,7 @@
return int(output)
def AVBAddFooter(image_path, avbtool, footer_type, partition_size,
- partition_name, key_path, algorithm,
+ partition_name, key_path, algorithm, salt,
additional_args):
"""Adds dm-verity hashtree and AVB metadata to an image.
@@ -132,6 +132,7 @@
partition_name: The name of the partition - will be embedded in metadata.
key_path: Path to key to use or None.
algorithm: Name of algorithm to use or None.
+ salt: The salt to use (a hexadecimal string) or None.
additional_args: Additional arguments to pass to 'avbtool
add_hashtree_image'.
Returns:
@@ -144,6 +145,8 @@
if key_path and algorithm:
cmd.extend(["--key", key_path, "--algorithm", algorithm])
+ if salt:
+ cmd.extend(["--salt", salt])
cmd.extend(shlex.split(additional_args))
@@ -590,10 +593,11 @@
# key_path and algorithm are only available when chain partition is used.
key_path = prop_dict.get("avb_key_path")
algorithm = prop_dict.get("avb_algorithm")
+ salt = prop_dict.get("avb_salt")
# avb_add_hash_footer_args or avb_add_hashtree_footer_args
additional_args = prop_dict["avb_add_" + avb_footer_type + "_footer_args"]
if not AVBAddFooter(out_file, avbtool, avb_footer_type, original_partition_size,
- partition_name, key_path, algorithm, additional_args):
+ partition_name, key_path, algorithm, salt, additional_args):
return False
if run_fsck and prop_dict.get("skip_fsck") != "true":
@@ -639,8 +643,9 @@
"verity_signer_cmd",
"verity_fec",
"avb_enable",
- "avb_avbtool"
- )
+ "avb_avbtool",
+ "avb_salt",
+ )
for p in common_props:
copy_prop(p, p)
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 34c334e..f3096c9 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -353,6 +353,10 @@
algorithm = OPTIONS.info_dict.get("avb_" + partition + "_algorithm")
if key_path and algorithm:
cmd.extend(["--key", key_path, "--algorithm", algorithm])
+ avb_salt = OPTIONS.info_dict.get("avb_salt")
+ # make_vbmeta_image doesn't like "--salt" (and it's not needed).
+ if avb_salt and partition != "vbmeta":
+ cmd.extend(["--salt", avb_salt])
def _BuildBootableImage(sourcedir, fs_config_file, info_dict=None,
