| #!/usr/bin/env python |
| # |
| # Copyright (C) 2021 The Android Open Source Project |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| """sign_virt_apex is a command line tool for sign the Virt APEX file. |
| |
| Typical usage: |
| sign_virt_apex payload_key payload_dir |
| -v, --verbose |
| --verify |
| --avbtool path_to_avbtool |
| --signing_args args |
| |
| sign_virt_apex uses external tools which are assumed to be available via PATH. |
| - avbtool (--avbtool can override the tool) |
| - lpmake, lpunpack, simg2img, img2simg, initrd_bootconfig |
| """ |
| import argparse |
| import hashlib |
| import os |
| import re |
| import shlex |
| import subprocess |
| import sys |
| import tempfile |
| import traceback |
| from concurrent import futures |
| |
| # pylint: disable=line-too-long,consider-using-with |
| |
| # Use executor to parallelize the invocation of external tools |
| # If a task depends on another, pass the future object of the previous task as wait list. |
| # Every future object created by a task should be consumed with AwaitAll() |
| # so that exceptions are propagated . |
| executor = futures.ThreadPoolExecutor() |
| |
| # Temporary directory for unpacked super.img. |
| # We could put its creation/deletion into the task graph as well, but |
| # having it as a global setup is much simpler. |
| unpack_dir = tempfile.TemporaryDirectory() |
| |
| # tasks created with Async() are kept in a list so that they are awaited |
| # before exit. |
| tasks = [] |
| |
| # create an async task and return a future value of it. |
| def Async(fn, *args, wait=None, **kwargs): |
| |
| # wrap a function with AwaitAll() |
| def wrapped(): |
| AwaitAll(wait) |
| fn(*args, **kwargs) |
| |
| task = executor.submit(wrapped) |
| tasks.append(task) |
| return task |
| |
| |
| # waits for task (captured in fs as future values) with future.result() |
| # so that any exception raised during task can be raised upward. |
| def AwaitAll(fs): |
| if fs: |
| for f in fs: |
| f.result() |
| |
| |
| def ParseArgs(argv): |
| parser = argparse.ArgumentParser(description='Sign the Virt APEX') |
| parser.add_argument('--verify', action='store_true', |
| help='Verify the Virt APEX') |
| parser.add_argument( |
| '-v', '--verbose', |
| action='store_true', |
| help='verbose execution') |
| parser.add_argument( |
| '--avbtool', |
| default='avbtool', |
| help='Optional flag that specifies the AVB tool to use. Defaults to `avbtool`.') |
| parser.add_argument( |
| '--signing_args', |
| help='the extra signing arguments passed to avbtool.' |
| ) |
| parser.add_argument( |
| '--key_override', |
| metavar="filename=key", |
| action='append', |
| help='Overrides a signing key for a file e.g. microdroid_bootloader=mykey (for testing)') |
| parser.add_argument( |
| 'key', |
| help='path to the private key file.') |
| parser.add_argument( |
| 'input_dir', |
| help='the directory having files to be packaged') |
| parser.add_argument( |
| '--do_not_update_bootconfigs', |
| action='store_true', |
| help='This will NOT update the vbmeta related bootconfigs while signing the apex.\ |
| Used for testing only!!') |
| parser.add_argument('--do_not_validate_avb_version', action='store_true', help='Do not validate the avb_version when updating vbmeta bootconfig. Only use in tests!') |
| args = parser.parse_args(argv) |
| # preprocess --key_override into a map |
| args.key_overrides = {} |
| if args.key_override: |
| for pair in args.key_override: |
| name, key = pair.split('=') |
| args.key_overrides[name] = key |
| return args |
| |
| |
| def RunCommand(args, cmd, env=None, expected_return_values=None): |
| expected_return_values = expected_return_values or {0} |
| env = env or {} |
| env.update(os.environ.copy()) |
| |
| # TODO(b/193504286): we need a way to find other tool (cmd[0]) in various contexts |
| # e.g. sign_apex.py, sign_target_files_apk.py |
| if cmd[0] == 'avbtool': |
| cmd[0] = args.avbtool |
| |
| if args.verbose: |
| print('Running: ' + ' '.join(cmd)) |
| p = subprocess.Popen( |
| cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=env, universal_newlines=True) |
| output, _ = p.communicate() |
| |
| if args.verbose or p.returncode not in expected_return_values: |
| print(output.rstrip()) |
| |
| assert p.returncode in expected_return_values, ( |
| '%d Failed to execute: ' + ' '.join(cmd)) % p.returncode |
| return (output, p.returncode) |
| |
| |
| def ReadBytesSize(value): |
| return int(value.removesuffix(' bytes')) |
| |
| |
| def ExtractAvbPubkey(args, key, output): |
| RunCommand(args, ['avbtool', 'extract_public_key', |
| '--key', key, '--output', output]) |
| |
| |
| def AvbInfo(args, image_path): |
| """Parses avbtool --info image output |
| |
| Args: |
| args: program arguments. |
| image_path: The path to the image. |
| descriptor_name: Descriptor name of interest. |
| |
| Returns: |
| A pair of |
| - a dict that contains VBMeta info. None if there's no VBMeta info. |
| - a list of descriptors. |
| """ |
| if not os.path.exists(image_path): |
| raise ValueError(f'Failed to find image: {image_path}') |
| |
| output, ret_code = RunCommand( |
| args, ['avbtool', 'info_image', '--image', image_path], expected_return_values={0, 1}) |
| if ret_code == 1: |
| return None, None |
| |
| info, descriptors = {}, [] |
| |
| # Read `avbtool info_image` output as "key:value" lines |
| matcher = re.compile(r'^(\s*)([^:]+):\s*(.*)$') |
| |
| def IterateLine(output): |
| for line in output.split('\n'): |
| line_info = matcher.match(line) |
| if not line_info: |
| continue |
| yield line_info.group(1), line_info.group(2), line_info.group(3) |
| |
| gen = IterateLine(output) |
| |
| def ReadDescriptors(cur_indent, cur_name, cur_value): |
| descriptor = cur_value if cur_name == 'Prop' else {} |
| descriptors.append((cur_name, descriptor)) |
| for indent, key, value in gen: |
| if indent <= cur_indent: |
| # read descriptors recursively to pass the read key as descriptor name |
| ReadDescriptors(indent, key, value) |
| break |
| descriptor[key] = value |
| |
| # Read VBMeta info |
| for _, key, value in gen: |
| if key == 'Descriptors': |
| ReadDescriptors(*next(gen)) |
| break |
| info[key] = value |
| |
| return info, descriptors |
| |
| |
| # Look up a list of (key, value) with a key. Returns the list of value(s) with the matching key. |
| # The order of those values is maintained. |
| def LookUp(pairs, key): |
| return [v for (k, v) in pairs if k == key] |
| |
| |
| def AddHashFooter(args, key, image_path, partition_name, additional_descriptors=None): |
| if os.path.basename(image_path) in args.key_overrides: |
| key = args.key_overrides[os.path.basename(image_path)] |
| info, _ = AvbInfo(args, image_path) |
| if info: |
| image_size = ReadBytesSize(info['Image size']) |
| algorithm = info['Algorithm'] |
| partition_size = str(image_size) |
| |
| cmd = ['avbtool', 'add_hash_footer', |
| '--key', key, |
| '--algorithm', algorithm, |
| '--partition_name', partition_name, |
| '--partition_size', partition_size, |
| '--image', image_path] |
| if args.signing_args: |
| cmd.extend(shlex.split(args.signing_args)) |
| if additional_descriptors: |
| for image in additional_descriptors: |
| cmd.extend(['--include_descriptors_from_image', image]) |
| RunCommand(args, cmd) |
| |
| |
| def AddHashTreeFooter(args, key, image_path): |
| if os.path.basename(image_path) in args.key_overrides: |
| key = args.key_overrides[os.path.basename(image_path)] |
| info, descriptors = AvbInfo(args, image_path) |
| if info: |
| descriptor = LookUp(descriptors, 'Hashtree descriptor')[0] |
| image_size = ReadBytesSize(info['Image size']) |
| algorithm = info['Algorithm'] |
| partition_name = descriptor['Partition Name'] |
| hash_algorithm = descriptor['Hash Algorithm'] |
| partition_size = str(image_size) |
| cmd = ['avbtool', 'add_hashtree_footer', |
| '--key', key, |
| '--algorithm', algorithm, |
| '--partition_name', partition_name, |
| '--partition_size', partition_size, |
| '--do_not_generate_fec', |
| '--hash_algorithm', hash_algorithm, |
| '--image', image_path] |
| if args.signing_args: |
| cmd.extend(shlex.split(args.signing_args)) |
| RunCommand(args, cmd) |
| |
| |
| def UpdateVbmetaBootconfig(args, initrds, vbmeta_img): |
| # Update the bootconfigs in ramdisk |
| def detach_bootconfigs(initrd_bc, initrd, bc): |
| cmd = ['initrd_bootconfig', 'detach', initrd_bc, initrd, bc] |
| RunCommand(args, cmd) |
| |
| def attach_bootconfigs(initrd_bc, initrd, bc): |
| cmd = ['initrd_bootconfig', 'attach', |
| initrd, bc, '--output', initrd_bc] |
| RunCommand(args, cmd) |
| |
| # Validate that avb version used while signing the apex is the same as used by build server |
| def validate_avb_version(bootconfigs): |
| cmd = ['avbtool', 'version'] |
| stdout, _ = RunCommand(args, cmd) |
| avb_version_curr = stdout.split(" ")[1].strip() |
| avb_version_curr = avb_version_curr[0:avb_version_curr.rfind('.')] |
| |
| avb_version_bc = re.search( |
| r"androidboot.vbmeta.avb_version = \"([^\"]*)\"", bootconfigs).group(1) |
| if avb_version_curr != avb_version_bc: |
| raise Exception(f'AVB version mismatch between current & one & \ |
| used to build bootconfigs:{avb_version_curr}&{avb_version_bc}') |
| |
| def calc_vbmeta_digest(): |
| cmd = ['avbtool', 'calculate_vbmeta_digest', '--image', |
| vbmeta_img, '--hash_algorithm', 'sha256'] |
| stdout, _ = RunCommand(args, cmd) |
| return stdout.strip() |
| |
| def calc_vbmeta_size(): |
| cmd = ['avbtool', 'info_image', '--image', vbmeta_img] |
| stdout, _ = RunCommand(args, cmd) |
| size = 0 |
| for line in stdout.split("\n"): |
| line = line.split(":") |
| if line[0] in ['Header Block', 'Authentication Block', 'Auxiliary Block']: |
| size += int(line[1].strip()[0:-6]) |
| return size |
| |
| def update_vbmeta_digest(bootconfigs): |
| # Update androidboot.vbmeta.digest in bootconfigs |
| result = re.search( |
| r"androidboot.vbmeta.digest = \"[^\"]*\"", bootconfigs) |
| if not result: |
| raise ValueError("Failed to find androidboot.vbmeta.digest") |
| |
| return bootconfigs.replace(result.group(), |
| f'androidboot.vbmeta.digest = "{calc_vbmeta_digest()}"') |
| |
| def update_vbmeta_size(bootconfigs): |
| # Update androidboot.vbmeta.size in bootconfigs |
| result = re.search(r"androidboot.vbmeta.size = [0-9]+", bootconfigs) |
| if not result: |
| raise ValueError("Failed to find androidboot.vbmeta.size") |
| return bootconfigs.replace(result.group(), |
| f'androidboot.vbmeta.size = {calc_vbmeta_size()}') |
| |
| with tempfile.TemporaryDirectory() as work_dir: |
| tmp_initrd = os.path.join(work_dir, 'initrd') |
| tmp_bc = os.path.join(work_dir, 'bc') |
| |
| for initrd in initrds: |
| detach_bootconfigs(initrd, tmp_initrd, tmp_bc) |
| bc_file = open(tmp_bc, "rt", encoding="utf-8") |
| bc_data = bc_file.read() |
| if not args.do_not_validate_avb_version: |
| validate_avb_version(bc_data) |
| bc_data = update_vbmeta_digest(bc_data) |
| bc_data = update_vbmeta_size(bc_data) |
| bc_file.close() |
| bc_file = open(tmp_bc, "wt", encoding="utf-8") |
| bc_file.write(bc_data) |
| bc_file.flush() |
| attach_bootconfigs(initrd, tmp_initrd, tmp_bc) |
| |
| |
| def MakeVbmetaImage(args, key, vbmeta_img, images=None, chained_partitions=None): |
| if os.path.basename(vbmeta_img) in args.key_overrides: |
| key = args.key_overrides[os.path.basename(vbmeta_img)] |
| info, descriptors = AvbInfo(args, vbmeta_img) |
| if info is None: |
| return |
| |
| with tempfile.TemporaryDirectory() as work_dir: |
| algorithm = info['Algorithm'] |
| rollback_index = info['Rollback Index'] |
| rollback_index_location = info['Rollback Index Location'] |
| |
| cmd = ['avbtool', 'make_vbmeta_image', |
| '--key', key, |
| '--algorithm', algorithm, |
| '--rollback_index', rollback_index, |
| '--rollback_index_location', rollback_index_location, |
| '--output', vbmeta_img] |
| if images: |
| for img in images: |
| cmd.extend(['--include_descriptors_from_image', img]) |
| |
| # replace pubkeys of chained_partitions as well |
| for name, descriptor in descriptors: |
| if name == 'Chain Partition descriptor': |
| part_name = descriptor['Partition Name'] |
| ril = descriptor['Rollback Index Location'] |
| part_key = chained_partitions[part_name] |
| avbpubkey = os.path.join(work_dir, part_name + '.avbpubkey') |
| ExtractAvbPubkey(args, part_key, avbpubkey) |
| cmd.extend(['--chain_partition', f'{part_name}:{ril}:{avbpubkey}']) |
| |
| if args.signing_args: |
| cmd.extend(shlex.split(args.signing_args)) |
| |
| RunCommand(args, cmd) |
| # libavb expects to be able to read the maximum vbmeta size, so we must provide a partition |
| # which matches this or the read will fail. |
| with open(vbmeta_img, 'a', encoding='utf8') as f: |
| f.truncate(65536) |
| |
| |
| def UnpackSuperImg(args, super_img, work_dir): |
| tmp_super_img = os.path.join(work_dir, 'super.img') |
| RunCommand(args, ['simg2img', super_img, tmp_super_img]) |
| RunCommand(args, ['lpunpack', tmp_super_img, work_dir]) |
| |
| |
| def MakeSuperImage(args, partitions, output): |
| with tempfile.TemporaryDirectory() as work_dir: |
| cmd = ['lpmake', '--device-size=auto', '--metadata-slots=2', # A/B |
| '--metadata-size=65536', '--sparse', '--output=' + output] |
| |
| for part, img in partitions.items(): |
| tmp_img = os.path.join(work_dir, part) |
| RunCommand(args, ['img2simg', img, tmp_img]) |
| |
| image_arg = f'--image={part}={img}' |
| partition_arg = f'--partition={part}:readonly:{os.path.getsize(img)}:default' |
| cmd.extend([image_arg, partition_arg]) |
| |
| RunCommand(args, cmd) |
| |
| |
| def GenVbmetaImage(args, image, output, partition_name): |
| cmd = ['avbtool', 'add_hash_footer', '--dynamic_partition_size', |
| '--do_not_append_vbmeta_image', |
| '--partition_name', partition_name, |
| '--image', image, |
| '--output_vbmeta_image', output] |
| RunCommand(args, cmd) |
| |
| # dict of (key, file) for re-sign/verification. keys are un-versioned for readability. |
| virt_apex_files = { |
| 'kernel': 'etc/fs/microdroid_kernel', |
| 'vbmeta.img': 'etc/fs/microdroid_vbmeta.img', |
| 'super.img': 'etc/fs/microdroid_super.img', |
| 'initrd_normal.img': 'etc/microdroid_initrd_normal.img', |
| 'initrd_debuggable.img': 'etc/microdroid_initrd_debuggable.img', |
| } |
| |
| |
| def TargetFiles(input_dir): |
| return {k: os.path.join(input_dir, v) for k, v in virt_apex_files.items()} |
| |
| |
| def SignVirtApex(args): |
| key = args.key |
| input_dir = args.input_dir |
| files = TargetFiles(input_dir) |
| |
| # unpacked files (will be unpacked from super.img below) |
| system_a_img = os.path.join(unpack_dir.name, 'system_a.img') |
| vendor_a_img = os.path.join(unpack_dir.name, 'vendor_a.img') |
| |
| # re-sign super.img |
| # 1. unpack super.img |
| # 2. resign system and vendor |
| # 3. repack super.img out of resigned system and vendor |
| UnpackSuperImg(args, files['super.img'], unpack_dir.name) |
| system_a_f = Async(AddHashTreeFooter, args, key, system_a_img) |
| vendor_a_f = Async(AddHashTreeFooter, args, key, vendor_a_img) |
| partitions = {"system_a": system_a_img, "vendor_a": vendor_a_img} |
| Async(MakeSuperImage, args, partitions, |
| files['super.img'], wait=[system_a_f, vendor_a_f]) |
| |
| # re-generate vbmeta from re-signed {system_a, vendor_a}.img |
| vbmeta_f = Async(MakeVbmetaImage, args, key, files['vbmeta.img'], |
| images=[system_a_img, vendor_a_img], |
| wait=[system_a_f, vendor_a_f]) |
| |
| vbmeta_bc_f = None |
| if not args.do_not_update_bootconfigs: |
| vbmeta_bc_f = Async(UpdateVbmetaBootconfig, args, |
| [files['initrd_normal.img'], |
| files['initrd_debuggable.img']], files['vbmeta.img'], |
| wait=[vbmeta_f]) |
| |
| # Re-sign kernel. Note kernel's vbmeta contain addition descriptor from ramdisk(s) |
| initrd_normal_hashdesc = tempfile.NamedTemporaryFile(delete=False).name |
| initrd_debug_hashdesc = tempfile.NamedTemporaryFile(delete=False).name |
| initrd_n_f = Async(GenVbmetaImage, args, files['initrd_normal.img'], |
| initrd_normal_hashdesc, "initrd_normal", |
| wait=[vbmeta_bc_f] if vbmeta_bc_f is not None else []) |
| initrd_d_f = Async(GenVbmetaImage, args, files['initrd_debuggable.img'], |
| initrd_debug_hashdesc, "initrd_debug", |
| wait=[vbmeta_bc_f] if vbmeta_bc_f is not None else []) |
| Async(AddHashFooter, args, key, files['kernel'], partition_name="boot", |
| additional_descriptors=[ |
| initrd_normal_hashdesc, initrd_debug_hashdesc], |
| wait=[initrd_n_f, initrd_d_f]) |
| |
| |
| def VerifyVirtApex(args): |
| key = args.key |
| input_dir = args.input_dir |
| files = TargetFiles(input_dir) |
| |
| # unpacked files |
| UnpackSuperImg(args, files['super.img'], unpack_dir.name) |
| system_a_img = os.path.join(unpack_dir.name, 'system_a.img') |
| vendor_a_img = os.path.join(unpack_dir.name, 'vendor_a.img') |
| |
| # Read pubkey digest from the input key |
| with tempfile.NamedTemporaryFile() as pubkey_file: |
| ExtractAvbPubkey(args, key, pubkey_file.name) |
| with open(pubkey_file.name, 'rb') as f: |
| pubkey = f.read() |
| pubkey_digest = hashlib.sha1(pubkey).hexdigest() |
| |
| def check_avb_pubkey(file): |
| info, _ = AvbInfo(args, file) |
| assert info is not None, f'no avbinfo: {file}' |
| assert info['Public key (sha1)'] == pubkey_digest, f'pubkey mismatch: {file}' |
| |
| for f in files.values(): |
| if f in (files['initrd_normal.img'], files['initrd_debuggable.img']): |
| # TODO(b/245277660): Verify that ramdisks contain the correct vbmeta digest |
| continue |
| if f == files['super.img']: |
| Async(check_avb_pubkey, system_a_img) |
| Async(check_avb_pubkey, vendor_a_img) |
| else: |
| # Check pubkey for other files using avbtool |
| Async(check_avb_pubkey, f) |
| |
| |
| def main(argv): |
| try: |
| args = ParseArgs(argv) |
| if args.verify: |
| VerifyVirtApex(args) |
| else: |
| SignVirtApex(args) |
| # ensure all tasks are completed without exceptions |
| AwaitAll(tasks) |
| except: # pylint: disable=bare-except |
| traceback.print_exc() |
| sys.exit(1) |
| |
| |
| if __name__ == '__main__': |
| main(sys.argv[1:]) |