commit | b23656df314faacf2de86e310c5685f667f98b62 | |
---|---|---|
author | Bowgo Tsai <bowgotsai@google.com> | Thu May 20 00:14:42 2021 +0800 |
committer | Bowgo Tsai <bowgotsai@google.com> | Wed May 26 09:11:00 2021 +0800 |
tree | a06c9d36ce678e8b8d57f12c0fc003e5273dadaf | |
parent | 33e79ba41ecfa94ce51e99bc660261c247dca248 | |
Support AVB signing for BOARD_PREBUILT_BOOTIMAGE

Devices using GKI architecture will use a prebuilt boot.img.
However, we should still sign this prebuilt boot.img with
device-specific AVB keys.

Steps to test the CL.

1. In a device BoardConfig.mk:

   # Uses a prebuilt boot.img
   TARGET_NO_KERNEL := true
   BOARD_PREBUILT_BOOTIMAGE := device/google/redbull/boot.img

   # Enable chained vbmeta for the boot image.
   # The following can be absent, where the hash descriptor of the
   # 'boot' partition will be stored then signed in vbmeta.img instead.
   BOARD_AVB_BOOT_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
   BOARD_AVB_BOOT_ALGORITHM := SHA256_RSA4096
   BOARD_AVB_BOOT_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
   BOARD_AVB_BOOT_ROLLBACK_INDEX_LOCATION := 2

2. `make bootimage`, then `avbtool info_image --image $OUT/boot.img`,
   checks the image is re-signed with a device-specific key

3. `make dist` to generate out/dist/TF.zip

4. `unzip out/dist/TF.zip IMAGES/boot.img`

5. `avbtool info_image --image out/dist/IMAGES/boot.img`,
   checks the image is re-signed with a device-specific key

6. `sign_target_files_apks \
     --avb_boot_key=external/avb/test/data/testkey_rsa8192.pem \
     --avb_boot_algorithm=SHA256_RSA8192 \
     --avb_boot_extra_args="--prop test:sign" \
     ./out/dist/*-target_files-eng.*.zip signed.zip`, resign the TF.zip

7. `unzip signed.zip IMAGES/boot.img`, then use `avbtool info_image` to
   check the boot.img is re-signed with the --avb_boot_key in step 6.

Bug: 188485657
Test: above steps
Change-Id: I7ee8b3ffe6a86aaca34bbb7a8898a97b3f8bd801
Merged-In: I7ee8b3ffe6a86aaca34bbb7a8898a97b3f8bd801
(cherry picked from commit cf9ead8972dd2b7c90772b6a1fd26bd4311a7c74)
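The check made with `avbtool info_image` in steps 2, 5 and 7 can also be scripted by reading the AVB footer and vbmeta header directly from the image, which lets a release pipeline compare the key fingerprint and algorithm against the expected release key. This is an added example, not part of the commit or of avbtool: `inspect_avb` and `build_sample` are hypothetical names, the sample images and key blobs are constructed, and the code only reports what the header names without verifying the signature.

```python
import hashlib
import struct

# Big-endian layouts from libavb's avb_footer.h and avb_vbmeta_image.h.
FOOTER = struct.Struct("!4s2L3Q28x")            # 64 bytes at the very end of the image
HEADER = struct.Struct("!4s2L2QL11Q2L47sx80x")  # 256-byte vbmeta header
ALGORITHMS = ["NONE", "SHA256_RSA2048", "SHA256_RSA4096", "SHA256_RSA8192",
              "SHA512_RSA2048", "SHA512_RSA4096", "SHA512_RSA8192"]


def inspect_avb(image: bytes) -> dict:
    """Report which key and algorithm the vbmeta header names (no signature check)."""
    if len(image) < FOOTER.size:
        raise ValueError("image too small to hold an AVB footer")
    magic, _major, _minor, _orig_size, vb_off, vb_size = FOOTER.unpack(image[-FOOTER.size:])
    if magic != b"AVBf":
        raise ValueError("no AVB footer found")
    vbmeta = image[vb_off:vb_off + vb_size]
    if len(vbmeta) < HEADER.size or vbmeta[:4] != b"AVB0":
        raise ValueError("footer does not point at a vbmeta header")
    f = HEADER.unpack(vbmeta[:HEADER.size])
    auth_size, algo, pk_off, pk_size = f[3], f[5], f[10], f[11]
    aux_start = HEADER.size + auth_size          # key offset is relative to the aux block
    key_blob = vbmeta[aux_start + pk_off:aux_start + pk_off + pk_size]
    return {
        "algorithm": ALGORITHMS[algo] if algo < len(ALGORITHMS) else f"UNKNOWN({algo})",
        # SHA-1 of the encoded key blob, the value avbtool prints as "Public key (sha1)".
        "public_key_sha1": hashlib.sha1(key_blob).hexdigest() if pk_size else None,
        "rollback_index": f[16],
        "rollback_index_location": f[18],
    }


def build_sample(key_blob: bytes, algo: int, rollback: int, location: int) -> bytes:
    """Constructed image: dummy payload, vbmeta (header + key blob only), footer."""
    payload = b"\0" * 4096
    header = HEADER.pack(b"AVB0", 1, 0, 0, len(key_blob), algo, 0, 0, 0, 0,
                         0, len(key_blob), 0, 0, 0, 0, rollback, 0, location,
                         b"avbtool 1.2.0")
    vbmeta = header + key_blob
    footer = FOOTER.pack(b"AVBf", 1, 0, len(payload), len(payload), len(vbmeta))
    return payload + vbmeta + footer


if __name__ == "__main__":
    # Constructed key blobs stand in for the build-time and release keys.
    before = inspect_avb(build_sample(b"constructed-key-4096", 2, 1620000000, 2))
    after = inspect_avb(build_sample(b"constructed-key-8192", 3, 1620000000, 2))
    print(before, after, sep="\n")
    assert before["public_key_sha1"] != after["public_key_sha1"]
```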
This is the Makefile-based portion of the Android Build System.
For documentation on how to run a build, see Usage.txt
For a list of behavioral changes useful for Android.mk writers see Changes.md
For an outdated reference on Android.mk files, see build-system.html. Our Android.mk files look similar, but are entirely different from the Android.mk files used by the NDK build system. When searching for documentation elsewhere, ensure that it is for the platform build system -- most are not.
This Makefile-based system is in the process of being replaced with Soong, a new build system written in Go. During the transition, all of these makefiles are read by Kati, and generate a ninja file instead of being executed directly. That's combined with a ninja file read by Soong so that the build graph of the two systems can be combined and run as one.