Snap for 8735923 from 2208a03d874255af1e4eaf6cf7c156fe1dc98943 to android13-gs-pixel-5.10-release
Change-Id: Ib65e907454605c23444fa567f69994acb43d42b4
diff --git a/BUILD.bazel b/BUILD.bazel
index e80a82a..6fc323b 100644
--- a/BUILD.bazel
+++ b/BUILD.bazel
@@ -14,4 +14,5 @@
exports_files([
"mkbootimg.py",
+ "gki/testdata/testkey_rsa4096.pem",
])
diff --git a/gki/certify_bootimg.py b/gki/certify_bootimg.py
index fc22fde..68a042e 100755
--- a/gki/certify_bootimg.py
+++ b/gki/certify_bootimg.py
@@ -132,7 +132,7 @@
return 0
-def add_avb_footer(image, partition_size):
+def add_avb_footer(image, partition_size, extra_footer_args):
"""Appends a AVB hash footer to the image."""
avbtool_cmd = ['avbtool', 'add_hash_footer', '--image', image,
@@ -143,6 +143,7 @@
else:
avbtool_cmd.extend(['--dynamic_partition_size'])
+ avbtool_cmd.extend(extra_footer_args)
subprocess.check_call(avbtool_cmd)
@@ -160,12 +161,24 @@
return d
-def load_gki_info_file(gki_info_file, extra_args):
- """Loads extra args from |gki_info_file| into |extra_args|."""
+def load_gki_info_file(gki_info_file, extra_args, extra_footer_args):
+ """Loads extra arguments from the gki info file.
+
+ Args:
+ gki_info_file: path to a gki-info.txt.
+ extra_args: the extra arguments forwarded to avbtool when creating
+ the gki certificate.
+ extra_footer_args: the extra arguments forwarded to avbtool when
+ creating the avb footer.
+
+ """
info_dict = load_dict_from_file(gki_info_file)
if 'certify_bootimg_extra_args' in info_dict:
extra_args.extend(
shlex.split(info_dict['certify_bootimg_extra_args']))
+ if 'certify_bootimg_extra_footer_args' in info_dict:
+ extra_footer_args.extend(
+ shlex.split(info_dict['certify_bootimg_extra_footer_args']))
def get_archive_name_and_format_for_shutil(path):
@@ -206,6 +219,8 @@
# Optional args.
parser.add_argument('--extra_args', default=[], action='append',
help='extra arguments to be forwarded to avbtool')
+ parser.add_argument('--extra_footer_args', default=[], action='append',
+ help='extra arguments for adding the avb footer')
args = parser.parse_args()
@@ -218,13 +233,21 @@
extra_args.extend(shlex.split(a))
args.extra_args = extra_args
+ extra_footer_args = []
+ for a in args.extra_footer_args:
+ extra_footer_args.extend(shlex.split(a))
+ args.extra_footer_args = extra_footer_args
+
if args.gki_info:
- load_gki_info_file(args.gki_info, args.extra_args)
+ load_gki_info_file(args.gki_info,
+ args.extra_args,
+ args.extra_footer_args)
return args
-def certify_bootimg(boot_img, output_img, algorithm, key, extra_args):
+def certify_bootimg(boot_img, output_img, algorithm, key, extra_args,
+ extra_footer_args):
"""Certify a GKI boot image by generating and appending a boot_signature."""
with tempfile.TemporaryDirectory() as temp_dir:
boot_tmp = os.path.join(temp_dir, 'boot.tmp')
@@ -234,26 +257,27 @@
add_certificate(boot_tmp, algorithm, key, extra_args)
avb_partition_size = get_avb_image_size(boot_img)
- add_avb_footer(boot_tmp, avb_partition_size)
+ add_avb_footer(boot_tmp, avb_partition_size, extra_footer_args)
# We're done, copy the temp image to the final output.
shutil.copy2(boot_tmp, output_img)
def certify_bootimg_archive(boot_img_archive, output_archive,
- algorithm, key, extra_args):
+ algorithm, key, extra_args, extra_footer_args):
"""Similar to certify_bootimg(), but for an archive of boot images."""
with tempfile.TemporaryDirectory() as unpack_dir:
shutil.unpack_archive(boot_img_archive, unpack_dir)
gki_info_file = os.path.join(unpack_dir, 'gki-info.txt')
if os.path.exists(gki_info_file):
- load_gki_info_file(gki_info_file, extra_args)
+ load_gki_info_file(gki_info_file, extra_args, extra_footer_args)
- for boot_img in glob.glob(os.path.join(unpack_dir, 'boot-*.img')):
+ for boot_img in glob.glob(os.path.join(unpack_dir, 'boot*.img')):
print(f'Certifying {os.path.basename(boot_img)} ...')
certify_bootimg(boot_img=boot_img, output_img=boot_img,
- algorithm=algorithm, key=key, extra_args=extra_args)
+ algorithm=algorithm, key=key, extra_args=extra_args,
+ extra_footer_args=extra_footer_args)
print(f'Making certified archive: {output_archive}')
archive_file_name, archive_format = (
@@ -275,10 +299,11 @@
if args.boot_img_archive:
certify_bootimg_archive(args.boot_img_archive, args.output,
- args.algorithm, args.key, args.extra_args)
+ args.algorithm, args.key, args.extra_args,
+ args.extra_footer_args)
else:
certify_bootimg(args.boot_img, args.output, args.algorithm,
- args.key, args.extra_args)
+ args.key, args.extra_args, args.extra_footer_args)
if __name__ == '__main__':
diff --git a/gki/certify_bootimg_test.py b/gki/certify_bootimg_test.py
index c0de50a..ec5f505 100644
--- a/gki/certify_bootimg_test.py
+++ b/gki/certify_bootimg_test.py
@@ -82,8 +82,8 @@
e.g., 'zip', 'tar', or 'gztar', etc.
boot_img_info: a list of (boot_image_name, kernel_size,
partition_size) tuples. e.g.,
- [('boot-1.0.img', 4096, 4 * 1024),
- ('boot-2.0.img', 8192, 8 * 1024)].
+ [('boot.img', 4096, 4 * 1024),
+ ('boot-lz4.img', 8192, 8 * 1024)].
gki_info: the file content to be written into 'gki-info.txt' in the
created archive.
@@ -186,18 +186,18 @@
def extract_boot_archive_with_signatures(boot_img_archive, output_dir):
"""Extracts boot images and signatures of a boot images archive.
- Suppose there are two boot images in |boot_img_archive|: boot-1.0.img
- and boot-2.0.img. This function then extracts each boot-*.img and
+ Suppose there are two boot images in |boot_img_archive|: boot.img
+ and boot-lz4.img. This function then extracts each boot*.img and
their signatures as:
- - |output_dir|/boot-1.0.img
- - |output_dir|/boot-2.0.img
- - |output_dir|/boot-1.0/boot_signature1
- - |output_dir|/boot-1.0/boot_signature2
- - |output_dir|/boot-2.0/boot_signature1
- - |output_dir|/boot-2.0/boot_signature2
+ - |output_dir|/boot.img
+ - |output_dir|/boot-lz4.img
+ - |output_dir|/boot/boot_signature1
+ - |output_dir|/boot/boot_signature2
+ - |output_dir|/boot-lz4/boot_signature1
+ - |output_dir|/boot-lz4/boot_signature2
"""
shutil.unpack_archive(boot_img_archive, output_dir)
- for boot_img in glob.glob(os.path.join(output_dir, 'boot-*.img')):
+ for boot_img in glob.glob(os.path.join(output_dir, 'boot*.img')):
img_name = os.path.splitext(os.path.basename(boot_img))[0]
signature_output_dir = os.path.join(output_dir, img_name)
os.mkdir(signature_output_dir, 0o777)
@@ -219,6 +219,197 @@
# C0103: invalid-name for maxDiff.
self.maxDiff = None # pylint: disable=C0103
+ # For AVB footers, we don't sign it so the Authentication block
+ # is zero bytes and the Algorithm is NONE. The footer will be
+ # replaced by device-specific settings when being incorporated into
+ # a device codebase. The footer here is just to pass some GKI
+ # pre-release test.
+ self._EXPECTED_AVB_FOOTER_BOOT_CERTIFIED = ( # pylint: disable=C0103
+ 'Footer version: 1.0\n'
+ 'Image size: 131072 bytes\n'
+ 'Original image size: 24576 bytes\n'
+ 'VBMeta offset: 24576\n'
+ 'VBMeta size: 576 bytes\n'
+ '--\n'
+ 'Minimum libavb version: 1.0\n'
+ 'Header Block: 256 bytes\n'
+ 'Authentication Block: 0 bytes\n'
+ 'Auxiliary Block: 320 bytes\n'
+ 'Algorithm: NONE\n'
+ 'Rollback Index: 0\n'
+ 'Flags: 0\n'
+ 'Rollback Index Location: 0\n'
+ "Release String: 'avbtool 1.2.0'\n"
+ 'Descriptors:\n'
+ ' Hash descriptor:\n'
+ ' Image Size: 24576 bytes\n'
+ ' Hash Algorithm: sha256\n'
+ ' Partition Name: boot\n'
+ ' Salt: a11ba11b\n'
+ ' Digest: '
+ 'c9b4ad78fae6f72f7eff939dee6078ed'
+ '8a75132e53f6c11ba1ec0f4b57f9eab0\n'
+ ' Flags: 0\n'
+ " Prop: avb -> 'nice'\n"
+ " Prop: avb_space -> 'nice to meet you'\n"
+ )
+
+ self._EXPECTED_AVB_FOOTER_BOOT_CERTIFIED_2 = ( # pylint: disable=C0103
+ 'Footer version: 1.0\n'
+ 'Image size: 131072 bytes\n'
+ 'Original image size: 24576 bytes\n'
+ 'VBMeta offset: 24576\n'
+ 'VBMeta size: 576 bytes\n'
+ '--\n'
+ 'Minimum libavb version: 1.0\n'
+ 'Header Block: 256 bytes\n'
+ 'Authentication Block: 0 bytes\n'
+ 'Auxiliary Block: 320 bytes\n'
+ 'Algorithm: NONE\n'
+ 'Rollback Index: 0\n'
+ 'Flags: 0\n'
+ 'Rollback Index Location: 0\n'
+ "Release String: 'avbtool 1.2.0'\n"
+ 'Descriptors:\n'
+ ' Hash descriptor:\n'
+ ' Image Size: 24576 bytes\n'
+ ' Hash Algorithm: sha256\n'
+ ' Partition Name: boot\n'
+ ' Salt: a11ba11b\n'
+ ' Digest: '
+ 'ae2538e78b2a30b1112cede30d858a5f'
+ '6f8dc2a1b109dd4a7bb28124b77d2ab0\n'
+ ' Flags: 0\n'
+ " Prop: avb -> 'nice'\n"
+ " Prop: avb_space -> 'nice to meet you'\n"
+ )
+
+ self._EXPECTED_AVB_FOOTER_WITH_GKI_INFO = ( # pylint: disable=C0103
+ 'Footer version: 1.0\n'
+ 'Image size: 131072 bytes\n'
+ 'Original image size: 24576 bytes\n'
+ 'VBMeta offset: 24576\n'
+ 'VBMeta size: 704 bytes\n'
+ '--\n'
+ 'Minimum libavb version: 1.0\n'
+ 'Header Block: 256 bytes\n'
+ 'Authentication Block: 0 bytes\n'
+ 'Auxiliary Block: 448 bytes\n'
+ 'Algorithm: NONE\n'
+ 'Rollback Index: 0\n'
+ 'Flags: 0\n'
+ 'Rollback Index Location: 0\n'
+ "Release String: 'avbtool 1.2.0'\n"
+ 'Descriptors:\n'
+ ' Hash descriptor:\n'
+ ' Image Size: 24576 bytes\n'
+ ' Hash Algorithm: sha256\n'
+ ' Partition Name: boot\n'
+ ' Salt: a11ba11b\n'
+ ' Digest: '
+ '363d4f246a4a5e1bba8ba8b86f5eb0cf'
+ '9817e4e51663ba26edccf71c3861090a\n'
+ ' Flags: 0\n'
+ " Prop: avb -> 'nice'\n"
+ " Prop: avb_space -> 'nice to meet you'\n"
+ " Prop: com.android.build.boot.os_version -> '13'\n"
+ " Prop: com.android.build.boot.security_patch -> '2022-05-05'\n"
+ )
+
+ self._EXPECTED_AVB_FOOTER_BOOT = ( # pylint: disable=C0103
+ 'Footer version: 1.0\n'
+ 'Image size: 131072 bytes\n'
+ 'Original image size: 28672 bytes\n'
+ 'VBMeta offset: 28672\n'
+ 'VBMeta size: 704 bytes\n'
+ '--\n'
+ 'Minimum libavb version: 1.0\n'
+ 'Header Block: 256 bytes\n'
+ 'Authentication Block: 0 bytes\n'
+ 'Auxiliary Block: 448 bytes\n'
+ 'Algorithm: NONE\n'
+ 'Rollback Index: 0\n'
+ 'Flags: 0\n'
+ 'Rollback Index Location: 0\n'
+ "Release String: 'avbtool 1.2.0'\n"
+ 'Descriptors:\n'
+ ' Hash descriptor:\n'
+ ' Image Size: 28672 bytes\n'
+ ' Hash Algorithm: sha256\n'
+ ' Partition Name: boot\n'
+ ' Salt: a11ba11b\n'
+ ' Digest: '
+ 'b93084707ba2367120e19547f17f1073'
+ '4c7ad8e56008ec2159d5f01b950335ad\n'
+ ' Flags: 0\n'
+ " Prop: avb -> 'nice'\n"
+ " Prop: avb_space -> 'nice to meet you'\n"
+ " Prop: com.android.build.boot.os_version -> '13'\n"
+ " Prop: com.android.build.boot.security_patch -> '2022-05-05'\n"
+ )
+
+ self._EXPECTED_AVB_FOOTER_BOOT_LZ4 = ( # pylint: disable=C0103
+ 'Footer version: 1.0\n'
+ 'Image size: 262144 bytes\n'
+ 'Original image size: 36864 bytes\n'
+ 'VBMeta offset: 36864\n'
+ 'VBMeta size: 704 bytes\n'
+ '--\n'
+ 'Minimum libavb version: 1.0\n'
+ 'Header Block: 256 bytes\n'
+ 'Authentication Block: 0 bytes\n'
+ 'Auxiliary Block: 448 bytes\n'
+ 'Algorithm: NONE\n'
+ 'Rollback Index: 0\n'
+ 'Flags: 0\n'
+ 'Rollback Index Location: 0\n'
+ "Release String: 'avbtool 1.2.0'\n"
+ 'Descriptors:\n'
+ ' Hash descriptor:\n'
+ ' Image Size: 36864 bytes\n'
+ ' Hash Algorithm: sha256\n'
+ ' Partition Name: boot\n'
+ ' Salt: a11ba11b\n'
+ ' Digest: '
+ '6b3f583f1bc5fbc284102e0185d02c6b'
+ '294f675c95b9337e89ea1e6b743af2ab\n'
+ ' Flags: 0\n'
+ " Prop: avb -> 'nice'\n"
+ " Prop: avb_space -> 'nice to meet you'\n"
+ " Prop: com.android.build.boot.os_version -> '13'\n"
+ " Prop: com.android.build.boot.security_patch -> '2022-05-05'\n"
+ )
+
+ self._EXPECTED_AVB_FOOTER_BOOT_GZ = ( # pylint: disable=C0103
+ 'Footer version: 1.0\n'
+ 'Image size: 131072 bytes\n'
+ 'Original image size: 28672 bytes\n'
+ 'VBMeta offset: 28672\n'
+ 'VBMeta size: 576 bytes\n'
+ '--\n'
+ 'Minimum libavb version: 1.0\n'
+ 'Header Block: 256 bytes\n'
+ 'Authentication Block: 0 bytes\n'
+ 'Auxiliary Block: 320 bytes\n'
+ 'Algorithm: NONE\n'
+ 'Rollback Index: 0\n'
+ 'Flags: 0\n'
+ 'Rollback Index Location: 0\n'
+ "Release String: 'avbtool 1.2.0'\n"
+ 'Descriptors:\n'
+ ' Hash descriptor:\n'
+ ' Image Size: 28672 bytes\n'
+ ' Hash Algorithm: sha256\n'
+ ' Partition Name: boot\n'
+ ' Salt: a11ba11b\n'
+ ' Digest: '
+ 'd2098d507e039afc6b4d7ec3de129a8d'
+ 'd0e0cf889c9181ebee65ce2fb25de3f5\n'
+ ' Flags: 0\n'
+ " Prop: avb -> 'nice'\n"
+ " Prop: avb_space -> 'nice to meet you'\n"
+ )
+
self._EXPECTED_BOOT_SIGNATURE_RSA2048 = ( # pylint: disable=C0103
'Minimum libavb version: 1.0\n'
'Header Block: 256 bytes\n'
@@ -385,7 +576,7 @@
" Prop: GKI_INFO -> 'added here'\n"
)
- self._EXPECTED_BOOT_1_0_SIGNATURE1_RSA4096 = ( # pylint: disable=C0103
+ self._EXPECTED_BOOT_SIGNATURE1_RSA4096 = ( # pylint: disable=C0103
'Minimum libavb version: 1.0\n'
'Header Block: 256 bytes\n'
'Authentication Block: 576 bytes\n'
@@ -404,8 +595,8 @@
' Partition Name: boot\n' # boot
' Salt: d00df00d\n'
' Digest: '
- '88465e463bffb9f7dfc0c1f46d01bcf3'
- '15f7693e19bd188a0ca1feca2ed7b9df\n'
+ '30208b4d0a6d16db47fc13c9527bfe81'
+ 'a168d3b3940325d1ca8d3439792bfe18\n'
' Flags: 0\n'
" Prop: gki -> 'nice'\n"
" Prop: space -> 'nice to meet you'\n"
@@ -416,7 +607,7 @@
" Prop: SPACE -> 'nice to meet you'\n"
)
- self._EXPECTED_BOOT_1_0_SIGNATURE2_RSA4096 = ( # pylint: disable=C0103
+ self._EXPECTED_BOOT_SIGNATURE2_RSA4096 = ( # pylint: disable=C0103
'Minimum libavb version: 1.0\n'
'Header Block: 256 bytes\n'
'Authentication Block: 576 bytes\n'
@@ -435,8 +626,8 @@
' Partition Name: generic_kernel\n' # generic_kernel
' Salt: d00df00d\n'
' Digest: '
- '14ac8d0d233e57a317acd05cd458f2bb'
- 'cc78725ef9f66c1b38e90697fb09d943\n'
+ 'd4c8847e7d9900a98f77e1f0b5272854'
+ '7bf9c1e428fea500d419275f72ec5bd6\n'
' Flags: 0\n'
" Prop: gki -> 'nice'\n"
" Prop: space -> 'nice to meet you'\n"
@@ -447,7 +638,7 @@
" Prop: SPACE -> 'nice to meet you'\n"
)
- self._EXPECTED_BOOT_2_0_SIGNATURE1_RSA4096 = ( # pylint: disable=C0103
+ self._EXPECTED_BOOT_LZ4_SIGNATURE1_RSA4096 = ( # pylint: disable=C0103
'Minimum libavb version: 1.0\n'
'Header Block: 256 bytes\n'
'Authentication Block: 576 bytes\n'
@@ -466,8 +657,8 @@
' Partition Name: boot\n' # boot
' Salt: d00df00d\n'
' Digest: '
- '3e6a9854a9d2350a7071083bc3f37376'
- '37573fd87b1c72b146cb4870ac6af36f\n'
+ '9d3a0670a9fd3de66e940117ef97700f'
+ 'ed5fd1c6fb90798fd3873af45fc91cb4\n'
' Flags: 0\n'
" Prop: gki -> 'nice'\n"
" Prop: space -> 'nice to meet you'\n"
@@ -478,7 +669,7 @@
" Prop: SPACE -> 'nice to meet you'\n"
)
- self._EXPECTED_BOOT_2_0_SIGNATURE2_RSA4096 = ( # pylint: disable=C0103
+ self._EXPECTED_BOOT_LZ4_SIGNATURE2_RSA4096 = ( # pylint: disable=C0103
'Minimum libavb version: 1.0\n'
'Header Block: 256 bytes\n'
'Authentication Block: 576 bytes\n'
@@ -497,8 +688,8 @@
' Partition Name: generic_kernel\n' # generic_kernel
' Salt: d00df00d\n'
' Digest: '
- '92fb8443cd284b67a4cbf5ce00348b50'
- '1c657e0aedf4e2181c92ad7fc8b5224f\n'
+ '7d109e3dccca9e30e04249162d07e58c'
+ '62fdf269804b35857b956fba339b2679\n'
' Flags: 0\n'
" Prop: gki -> 'nice'\n"
" Prop: space -> 'nice to meet you'\n"
@@ -509,7 +700,7 @@
" Prop: SPACE -> 'nice to meet you'\n"
)
- self._EXPECTED_BOOT_3_0_SIGNATURE1_RSA4096 = ( # pylint: disable=C0103
+ self._EXPECTED_BOOT_GZ_SIGNATURE1_RSA4096 = ( # pylint: disable=C0103
'Minimum libavb version: 1.0\n'
'Header Block: 256 bytes\n'
'Authentication Block: 576 bytes\n'
@@ -528,14 +719,14 @@
' Partition Name: boot\n' # boot
' Salt: d00df00d\n'
' Digest: '
- '9b9cd845a367d7fc9b61d6ac02b0e7c9'
- 'dc3d3b219abf60dd6e19359f0353c917\n'
+ '6fcddc6167ae3c2037b424d35c3ef107'
+ 'f586510dbb2d652d7c08b88e6ea52fc6\n'
' Flags: 0\n'
" Prop: gki -> 'nice'\n"
" Prop: space -> 'nice to meet you'\n"
)
- self._EXPECTED_BOOT_3_0_SIGNATURE2_RSA4096 = ( # pylint: disable=C0103
+ self._EXPECTED_BOOT_GZ_SIGNATURE2_RSA4096 = ( # pylint: disable=C0103
'Minimum libavb version: 1.0\n'
'Header Block: 256 bytes\n'
'Authentication Block: 576 bytes\n'
@@ -554,8 +745,8 @@
' Partition Name: generic_kernel\n' # generic_kernel
' Salt: d00df00d\n'
' Digest: '
- '0cd7d331ed9b32dcd92f00e2cac75595'
- '52199170afe788a8fcf1954f9ea072d0\n'
+ '7a6a43eb4048b783346fb6d039103647'
+ '6c4313146da521467af282dff1838d0e\n'
' Flags: 0\n'
" Prop: gki -> 'nice'\n"
" Prop: space -> 'nice to meet you'\n"
@@ -647,6 +838,8 @@
'--key', './testdata/testkey_rsa2048.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
+ '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
+ '--prop avb_space:"nice to meet you"',
'--output', boot_certified_img,
]
subprocess.run(certify_bootimg_cmds, check=True, cwd=self._exec_dir)
@@ -655,7 +848,13 @@
self.assertTrue(has_avb_footer(boot_certified_img))
self.assertEqual(os.path.getsize(boot_img),
os.path.getsize(boot_certified_img))
+ # Checks the content in the AVB footer.
+ self._test_boot_signatures(
+ temp_out_dir,
+ {'boot-certified.img':
+ self._EXPECTED_AVB_FOOTER_BOOT_CERTIFIED})
+ # Checks the content in the GKI certificate.
extract_boot_signatures(boot_certified_img, temp_out_dir)
self._test_boot_signatures(
temp_out_dir,
@@ -672,6 +871,8 @@
'--key', './testdata/testkey_rsa4096.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
+ '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
+ '--prop avb_space:"nice to meet you"',
'--output', boot_certified2_img,
]
subprocess.run(certify_bootimg_cmds, check=True, cwd=self._exec_dir)
@@ -680,7 +881,13 @@
self.assertTrue(has_avb_footer(boot_certified2_img))
self.assertEqual(os.path.getsize(boot_certified_img),
os.path.getsize(boot_certified2_img))
+ # Checks the content in the AVB footer.
+ self._test_boot_signatures(
+ temp_out_dir,
+ {'boot-certified2.img':
+ self._EXPECTED_AVB_FOOTER_BOOT_CERTIFIED_2})
+ # Checks the content in the GKI certificate.
extract_boot_signatures(boot_certified2_img, temp_out_dir)
self._test_boot_signatures(
temp_out_dir,
@@ -700,7 +907,11 @@
'-android13-0-00544-ged21d463f856 '
'--prop BRANCH:android13-5.10-2022-05 '
'--prop BUILD_NUMBER:ab8295296 '
- '--prop GKI_INFO:"added here"\n')
+ '--prop GKI_INFO:"added here"\n'
+ 'certify_bootimg_extra_footer_args='
+ '--prop com.android.build.boot.os_version:13 '
+ '--prop com.android.build.boot.security_patch:'
+ '2022-05-05\n')
gki_info_path = os.path.join(temp_out_dir, 'gki-info.txt')
with open(gki_info_path, 'w', encoding='utf-8') as f:
f.write(gki_info)
@@ -715,6 +926,8 @@
'--key', './testdata/testkey_rsa4096.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
+ '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
+ '--prop avb_space:"nice to meet you"',
'--gki_info', gki_info_path,
'--output', boot_certified_img,
]
@@ -725,6 +938,12 @@
self.assertEqual(os.path.getsize(boot_img),
os.path.getsize(boot_certified_img))
+ # Checks the content in the AVB footer.
+ self._test_boot_signatures(
+ temp_out_dir,
+ {'boot-certified.img': self._EXPECTED_AVB_FOOTER_WITH_GKI_INFO})
+
+ # Checks the content in the GKI certificate.
extract_boot_signatures(boot_certified_img, temp_out_dir)
self._test_boot_signatures(
temp_out_dir,
@@ -771,13 +990,17 @@
'-android13-0-00544-ged21d463f856 '
'--prop BRANCH:android13-5.10-2022-05 '
'--prop BUILD_NUMBER:ab8295296 '
- '--prop SPACE:"nice to meet you"\n')
+ '--prop SPACE:"nice to meet you"\n'
+ 'certify_bootimg_extra_footer_args='
+ '--prop com.android.build.boot.os_version:13 '
+ '--prop com.android.build.boot.security_patch:'
+ '2022-05-05\n')
boot_img_archive_path = generate_test_boot_image_archive(
boot_img_archive_name,
'gztar',
# A list of (boot_img_name, kernel_size, partition_size).
- [('boot-1.0.img', 8 * 1024, 128 * 1024),
- ('boot-2.0.img', 16 * 1024, 256 * 1024)],
+ [('boot.img', 8 * 1024, 128 * 1024),
+ ('boot-lz4.img', 16 * 1024, 256 * 1024)],
gki_info)
# Certify the boot image archive, with a RSA4096 key.
@@ -790,6 +1013,8 @@
'--key', './testdata/testkey_rsa4096.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
+ '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
+ '--prop avb_space:"nice to meet you"',
'--output', boot_certified_img_archive,
]
subprocess.run(certify_bootimg_cmds, check=True, cwd=self._exec_dir)
@@ -798,24 +1023,31 @@
temp_out_dir)
# Checks an AVB footer exists and the image size remains.
- boot_1_img = os.path.join(temp_out_dir, 'boot-1.0.img')
- self.assertTrue(has_avb_footer(boot_1_img))
- self.assertEqual(os.path.getsize(boot_1_img), 128 * 1024)
+ boot_img = os.path.join(temp_out_dir, 'boot.img')
+ self.assertTrue(has_avb_footer(boot_img))
+ self.assertEqual(os.path.getsize(boot_img), 128 * 1024)
- boot_2_img = os.path.join(temp_out_dir, 'boot-2.0.img')
- self.assertTrue(has_avb_footer(boot_2_img))
- self.assertEqual(os.path.getsize(boot_2_img), 256 * 1024)
+ boot_lz4_img = os.path.join(temp_out_dir, 'boot-lz4.img')
+ self.assertTrue(has_avb_footer(boot_lz4_img))
+ self.assertEqual(os.path.getsize(boot_lz4_img), 256 * 1024)
+ # Checks the content in the AVB footer.
self._test_boot_signatures(
temp_out_dir,
- {'boot-1.0/boot_signature1':
- self._EXPECTED_BOOT_1_0_SIGNATURE1_RSA4096,
- 'boot-1.0/boot_signature2':
- self._EXPECTED_BOOT_1_0_SIGNATURE2_RSA4096,
- 'boot-2.0/boot_signature1':
- self._EXPECTED_BOOT_2_0_SIGNATURE1_RSA4096,
- 'boot-2.0/boot_signature2':
- self._EXPECTED_BOOT_2_0_SIGNATURE2_RSA4096})
+ {'boot.img': self._EXPECTED_AVB_FOOTER_BOOT,
+ 'boot-lz4.img': self._EXPECTED_AVB_FOOTER_BOOT_LZ4})
+
+ # Checks the content in the GKI certificate.
+ self._test_boot_signatures(
+ temp_out_dir,
+ {'boot/boot_signature1':
+ self._EXPECTED_BOOT_SIGNATURE1_RSA4096,
+ 'boot/boot_signature2':
+ self._EXPECTED_BOOT_SIGNATURE2_RSA4096,
+ 'boot-lz4/boot_signature1':
+ self._EXPECTED_BOOT_LZ4_SIGNATURE1_RSA4096,
+ 'boot-lz4/boot_signature2':
+ self._EXPECTED_BOOT_LZ4_SIGNATURE2_RSA4096})
def test_certify_bootimg_archive_without_gki_info(self):
"""Tests certify_bootimg for a boot images archive."""
@@ -828,7 +1060,7 @@
boot_img_archive_name,
'zip',
# A list of (boot_img_name, kernel_size, partition_size).
- [('boot-3.0.img', 8 * 1024, 128 * 1024)],
+ [('boot-gz.img', 8 * 1024, 128 * 1024)],
gki_info=None)
# Certify the boot image archive, with a RSA4096 key.
boot_certified_img_archive = os.path.join(
@@ -840,6 +1072,8 @@
'--key', './testdata/testkey_rsa4096.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
+ '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
+ '--prop avb_space:"nice to meet you"',
'--output', boot_certified_img_archive,
]
subprocess.run(certify_bootimg_cmds, check=True, cwd=self._exec_dir)
@@ -850,7 +1084,7 @@
boot_img_archive_name,
'tar',
# A list of (boot_img_name, kernel_size, partition_size).
- [('boot-3.0.img', 8 * 1024, 128 * 1024)],
+ [('boot-gz.img', 8 * 1024, 128 * 1024)],
gki_info='a=b\n'
'c=d\n')
# Certify the boot image archive, with a RSA4096 key.
@@ -863,6 +1097,8 @@
'--key', './testdata/testkey_rsa4096.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
+ '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
+ '--prop avb_space:"nice to meet you"',
'--output', boot_certified_img_archive2,
]
subprocess.run(certify_bootimg_cmds, check=True, cwd=self._exec_dir)
@@ -871,16 +1107,22 @@
temp_out_dir)
# Checks an AVB footer exists and the image size remains.
- boot_3_img = os.path.join(temp_out_dir, 'boot-3.0.img')
+ boot_3_img = os.path.join(temp_out_dir, 'boot-gz.img')
self.assertTrue(has_avb_footer(boot_3_img))
self.assertEqual(os.path.getsize(boot_3_img), 128 * 1024)
+ # Checks the content in the AVB footer.
self._test_boot_signatures(
temp_out_dir,
- {'boot-3.0/boot_signature1':
- self._EXPECTED_BOOT_3_0_SIGNATURE1_RSA4096,
- 'boot-3.0/boot_signature2':
- self._EXPECTED_BOOT_3_0_SIGNATURE2_RSA4096})
+ {'boot-gz.img': self._EXPECTED_AVB_FOOTER_BOOT_GZ})
+
+ # Checks the content in the GKI certificate.
+ self._test_boot_signatures(
+ temp_out_dir,
+ {'boot-gz/boot_signature1':
+ self._EXPECTED_BOOT_GZ_SIGNATURE1_RSA4096,
+ 'boot-gz/boot_signature2':
+ self._EXPECTED_BOOT_GZ_SIGNATURE2_RSA4096})
# I don't know how, but we need both the logger configuration and verbosity