| #!/usr/bin/env python3 |
| # |
| # Copyright 2021, The Android Open Source Project |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| |
| """Generate a Generic Boot Image certificate suitable for VTS verification.""" |
| |
| from argparse import ArgumentParser |
| import shlex |
| import subprocess |
| |
| |
| def generate_gki_certificate(image, avbtool, name, algorithm, key, salt, |
| additional_avb_args, output): |
| """Shell out to avbtool to generate a GKI certificate.""" |
| |
| # Need to specify a value of --partition_size for avbtool to work. |
| # We use 64 MB below, but avbtool will not resize the boot image to |
| # this size because --do_not_append_vbmeta_image is also specified. |
| avbtool_cmd = [ |
| avbtool, 'add_hash_footer', |
| '--partition_name', name, |
| '--partition_size', str(64 * 1024 * 1024), |
| '--image', image, |
| '--algorithm', algorithm, |
| '--key', key, |
| '--do_not_append_vbmeta_image', |
| '--output_vbmeta_image', output, |
| ] |
| |
| if salt is not None: |
| avbtool_cmd += ['--salt', salt] |
| |
| avbtool_cmd += additional_avb_args |
| |
| subprocess.check_call(avbtool_cmd) |
| |
| |
| def parse_cmdline(): |
| parser = ArgumentParser(add_help=True) |
| |
| # Required args. |
| parser.add_argument('image', help='path to the image') |
| parser.add_argument('-o', '--output', required=True, |
| help='output certificate file name') |
| parser.add_argument('--name', required=True, |
| choices=['boot', 'generic_kernel'], |
| help='name of the image to be certified') |
| parser.add_argument('--algorithm', required=True, |
| help='AVB signing algorithm') |
| parser.add_argument('--key', required=True, |
| help='path to the RSA private key') |
| |
| # Optional args. |
| parser.add_argument('--avbtool', default='avbtool', |
| help='path to the avbtool executable') |
| parser.add_argument('--salt', help='salt to use when computing image hash') |
| parser.add_argument('--additional_avb_args', default=[], action='append', |
| help='additional arguments to be forwarded to avbtool') |
| |
| args = parser.parse_args() |
| |
| additional_avb_args = [] |
| for a in args.additional_avb_args: |
| additional_avb_args.extend(shlex.split(a)) |
| args.additional_avb_args = additional_avb_args |
| |
| return args |
| |
| |
| def main(): |
| args = parse_cmdline() |
| generate_gki_certificate( |
| image=args.image, avbtool=args.avbtool, name=args.name, |
| algorithm=args.algorithm, key=args.key, salt=args.salt, |
| additional_avb_args=args.additional_avb_args, |
| output=args.output, |
| ) |
| |
| |
| if __name__ == '__main__': |
| main() |