Revert "certify_bootimg: support --extra_footer_args"
This reverts commit f754a7c3b8fcff3f74ad67a7c8138d97c3d9e879.
After more thoughts, decided to use another approach: retaining
the AVB properties from the original footer. So no need to use
--extra_footer_args to add new AVB properties.
With this approach, the certify_bootimg script can focus on
boot signature generation without involving too much in the
AVB footer generation.
Bug: 232062499
Test: atest --host certify_bootimg_test
Change-Id: Ie11c2a144cf3a1f33b25fc2ad25ffe2c80b73518
diff --git a/gki/certify_bootimg.py b/gki/certify_bootimg.py
index 68a042e..39dcaeb 100755
--- a/gki/certify_bootimg.py
+++ b/gki/certify_bootimg.py
@@ -132,7 +132,7 @@
return 0
-def add_avb_footer(image, partition_size, extra_footer_args):
+def add_avb_footer(image, partition_size):
"""Appends a AVB hash footer to the image."""
avbtool_cmd = ['avbtool', 'add_hash_footer', '--image', image,
@@ -143,7 +143,6 @@
else:
avbtool_cmd.extend(['--dynamic_partition_size'])
- avbtool_cmd.extend(extra_footer_args)
subprocess.check_call(avbtool_cmd)
@@ -161,24 +160,12 @@
return d
-def load_gki_info_file(gki_info_file, extra_args, extra_footer_args):
- """Loads extra arguments from the gki info file.
-
- Args:
- gki_info_file: path to a gki-info.txt.
- extra_args: the extra arguments forwarded to avbtool when creating
- the gki certificate.
- extra_footer_args: the extra arguments forwarded to avbtool when
- creating the avb footer.
-
- """
+def load_gki_info_file(gki_info_file, extra_args):
+ """Loads extra args from |gki_info_file| into |extra_args|."""
info_dict = load_dict_from_file(gki_info_file)
if 'certify_bootimg_extra_args' in info_dict:
extra_args.extend(
shlex.split(info_dict['certify_bootimg_extra_args']))
- if 'certify_bootimg_extra_footer_args' in info_dict:
- extra_footer_args.extend(
- shlex.split(info_dict['certify_bootimg_extra_footer_args']))
def get_archive_name_and_format_for_shutil(path):
@@ -219,8 +206,6 @@
# Optional args.
parser.add_argument('--extra_args', default=[], action='append',
help='extra arguments to be forwarded to avbtool')
- parser.add_argument('--extra_footer_args', default=[], action='append',
- help='extra arguments for adding the avb footer')
args = parser.parse_args()
@@ -233,21 +218,13 @@
extra_args.extend(shlex.split(a))
args.extra_args = extra_args
- extra_footer_args = []
- for a in args.extra_footer_args:
- extra_footer_args.extend(shlex.split(a))
- args.extra_footer_args = extra_footer_args
-
if args.gki_info:
- load_gki_info_file(args.gki_info,
- args.extra_args,
- args.extra_footer_args)
+ load_gki_info_file(args.gki_info, args.extra_args)
return args
-def certify_bootimg(boot_img, output_img, algorithm, key, extra_args,
- extra_footer_args):
+def certify_bootimg(boot_img, output_img, algorithm, key, extra_args):
"""Certify a GKI boot image by generating and appending a boot_signature."""
with tempfile.TemporaryDirectory() as temp_dir:
boot_tmp = os.path.join(temp_dir, 'boot.tmp')
@@ -257,27 +234,26 @@
add_certificate(boot_tmp, algorithm, key, extra_args)
avb_partition_size = get_avb_image_size(boot_img)
- add_avb_footer(boot_tmp, avb_partition_size, extra_footer_args)
+ add_avb_footer(boot_tmp, avb_partition_size)
# We're done, copy the temp image to the final output.
shutil.copy2(boot_tmp, output_img)
def certify_bootimg_archive(boot_img_archive, output_archive,
- algorithm, key, extra_args, extra_footer_args):
+ algorithm, key, extra_args):
"""Similar to certify_bootimg(), but for an archive of boot images."""
with tempfile.TemporaryDirectory() as unpack_dir:
shutil.unpack_archive(boot_img_archive, unpack_dir)
gki_info_file = os.path.join(unpack_dir, 'gki-info.txt')
if os.path.exists(gki_info_file):
- load_gki_info_file(gki_info_file, extra_args, extra_footer_args)
+ load_gki_info_file(gki_info_file, extra_args)
for boot_img in glob.glob(os.path.join(unpack_dir, 'boot*.img')):
print(f'Certifying {os.path.basename(boot_img)} ...')
certify_bootimg(boot_img=boot_img, output_img=boot_img,
- algorithm=algorithm, key=key, extra_args=extra_args,
- extra_footer_args=extra_footer_args)
+ algorithm=algorithm, key=key, extra_args=extra_args)
print(f'Making certified archive: {output_archive}')
archive_file_name, archive_format = (
@@ -299,11 +275,10 @@
if args.boot_img_archive:
certify_bootimg_archive(args.boot_img_archive, args.output,
- args.algorithm, args.key, args.extra_args,
- args.extra_footer_args)
+ args.algorithm, args.key, args.extra_args)
else:
certify_bootimg(args.boot_img, args.output, args.algorithm,
- args.key, args.extra_args, args.extra_footer_args)
+ args.key, args.extra_args)
if __name__ == '__main__':
diff --git a/gki/certify_bootimg_test.py b/gki/certify_bootimg_test.py
index ec5f505..fd7473b 100644
--- a/gki/certify_bootimg_test.py
+++ b/gki/certify_bootimg_test.py
@@ -219,197 +219,6 @@
# C0103: invalid-name for maxDiff.
self.maxDiff = None # pylint: disable=C0103
- # For AVB footers, we don't sign it so the Authentication block
- # is zero bytes and the Algorithm is NONE. The footer will be
- # replaced by device-specific settings when being incorporated into
- # a device codebase. The footer here is just to pass some GKI
- # pre-release test.
- self._EXPECTED_AVB_FOOTER_BOOT_CERTIFIED = ( # pylint: disable=C0103
- 'Footer version: 1.0\n'
- 'Image size: 131072 bytes\n'
- 'Original image size: 24576 bytes\n'
- 'VBMeta offset: 24576\n'
- 'VBMeta size: 576 bytes\n'
- '--\n'
- 'Minimum libavb version: 1.0\n'
- 'Header Block: 256 bytes\n'
- 'Authentication Block: 0 bytes\n'
- 'Auxiliary Block: 320 bytes\n'
- 'Algorithm: NONE\n'
- 'Rollback Index: 0\n'
- 'Flags: 0\n'
- 'Rollback Index Location: 0\n'
- "Release String: 'avbtool 1.2.0'\n"
- 'Descriptors:\n'
- ' Hash descriptor:\n'
- ' Image Size: 24576 bytes\n'
- ' Hash Algorithm: sha256\n'
- ' Partition Name: boot\n'
- ' Salt: a11ba11b\n'
- ' Digest: '
- 'c9b4ad78fae6f72f7eff939dee6078ed'
- '8a75132e53f6c11ba1ec0f4b57f9eab0\n'
- ' Flags: 0\n'
- " Prop: avb -> 'nice'\n"
- " Prop: avb_space -> 'nice to meet you'\n"
- )
-
- self._EXPECTED_AVB_FOOTER_BOOT_CERTIFIED_2 = ( # pylint: disable=C0103
- 'Footer version: 1.0\n'
- 'Image size: 131072 bytes\n'
- 'Original image size: 24576 bytes\n'
- 'VBMeta offset: 24576\n'
- 'VBMeta size: 576 bytes\n'
- '--\n'
- 'Minimum libavb version: 1.0\n'
- 'Header Block: 256 bytes\n'
- 'Authentication Block: 0 bytes\n'
- 'Auxiliary Block: 320 bytes\n'
- 'Algorithm: NONE\n'
- 'Rollback Index: 0\n'
- 'Flags: 0\n'
- 'Rollback Index Location: 0\n'
- "Release String: 'avbtool 1.2.0'\n"
- 'Descriptors:\n'
- ' Hash descriptor:\n'
- ' Image Size: 24576 bytes\n'
- ' Hash Algorithm: sha256\n'
- ' Partition Name: boot\n'
- ' Salt: a11ba11b\n'
- ' Digest: '
- 'ae2538e78b2a30b1112cede30d858a5f'
- '6f8dc2a1b109dd4a7bb28124b77d2ab0\n'
- ' Flags: 0\n'
- " Prop: avb -> 'nice'\n"
- " Prop: avb_space -> 'nice to meet you'\n"
- )
-
- self._EXPECTED_AVB_FOOTER_WITH_GKI_INFO = ( # pylint: disable=C0103
- 'Footer version: 1.0\n'
- 'Image size: 131072 bytes\n'
- 'Original image size: 24576 bytes\n'
- 'VBMeta offset: 24576\n'
- 'VBMeta size: 704 bytes\n'
- '--\n'
- 'Minimum libavb version: 1.0\n'
- 'Header Block: 256 bytes\n'
- 'Authentication Block: 0 bytes\n'
- 'Auxiliary Block: 448 bytes\n'
- 'Algorithm: NONE\n'
- 'Rollback Index: 0\n'
- 'Flags: 0\n'
- 'Rollback Index Location: 0\n'
- "Release String: 'avbtool 1.2.0'\n"
- 'Descriptors:\n'
- ' Hash descriptor:\n'
- ' Image Size: 24576 bytes\n'
- ' Hash Algorithm: sha256\n'
- ' Partition Name: boot\n'
- ' Salt: a11ba11b\n'
- ' Digest: '
- '363d4f246a4a5e1bba8ba8b86f5eb0cf'
- '9817e4e51663ba26edccf71c3861090a\n'
- ' Flags: 0\n'
- " Prop: avb -> 'nice'\n"
- " Prop: avb_space -> 'nice to meet you'\n"
- " Prop: com.android.build.boot.os_version -> '13'\n"
- " Prop: com.android.build.boot.security_patch -> '2022-05-05'\n"
- )
-
- self._EXPECTED_AVB_FOOTER_BOOT = ( # pylint: disable=C0103
- 'Footer version: 1.0\n'
- 'Image size: 131072 bytes\n'
- 'Original image size: 28672 bytes\n'
- 'VBMeta offset: 28672\n'
- 'VBMeta size: 704 bytes\n'
- '--\n'
- 'Minimum libavb version: 1.0\n'
- 'Header Block: 256 bytes\n'
- 'Authentication Block: 0 bytes\n'
- 'Auxiliary Block: 448 bytes\n'
- 'Algorithm: NONE\n'
- 'Rollback Index: 0\n'
- 'Flags: 0\n'
- 'Rollback Index Location: 0\n'
- "Release String: 'avbtool 1.2.0'\n"
- 'Descriptors:\n'
- ' Hash descriptor:\n'
- ' Image Size: 28672 bytes\n'
- ' Hash Algorithm: sha256\n'
- ' Partition Name: boot\n'
- ' Salt: a11ba11b\n'
- ' Digest: '
- 'b93084707ba2367120e19547f17f1073'
- '4c7ad8e56008ec2159d5f01b950335ad\n'
- ' Flags: 0\n'
- " Prop: avb -> 'nice'\n"
- " Prop: avb_space -> 'nice to meet you'\n"
- " Prop: com.android.build.boot.os_version -> '13'\n"
- " Prop: com.android.build.boot.security_patch -> '2022-05-05'\n"
- )
-
- self._EXPECTED_AVB_FOOTER_BOOT_LZ4 = ( # pylint: disable=C0103
- 'Footer version: 1.0\n'
- 'Image size: 262144 bytes\n'
- 'Original image size: 36864 bytes\n'
- 'VBMeta offset: 36864\n'
- 'VBMeta size: 704 bytes\n'
- '--\n'
- 'Minimum libavb version: 1.0\n'
- 'Header Block: 256 bytes\n'
- 'Authentication Block: 0 bytes\n'
- 'Auxiliary Block: 448 bytes\n'
- 'Algorithm: NONE\n'
- 'Rollback Index: 0\n'
- 'Flags: 0\n'
- 'Rollback Index Location: 0\n'
- "Release String: 'avbtool 1.2.0'\n"
- 'Descriptors:\n'
- ' Hash descriptor:\n'
- ' Image Size: 36864 bytes\n'
- ' Hash Algorithm: sha256\n'
- ' Partition Name: boot\n'
- ' Salt: a11ba11b\n'
- ' Digest: '
- '6b3f583f1bc5fbc284102e0185d02c6b'
- '294f675c95b9337e89ea1e6b743af2ab\n'
- ' Flags: 0\n'
- " Prop: avb -> 'nice'\n"
- " Prop: avb_space -> 'nice to meet you'\n"
- " Prop: com.android.build.boot.os_version -> '13'\n"
- " Prop: com.android.build.boot.security_patch -> '2022-05-05'\n"
- )
-
- self._EXPECTED_AVB_FOOTER_BOOT_GZ = ( # pylint: disable=C0103
- 'Footer version: 1.0\n'
- 'Image size: 131072 bytes\n'
- 'Original image size: 28672 bytes\n'
- 'VBMeta offset: 28672\n'
- 'VBMeta size: 576 bytes\n'
- '--\n'
- 'Minimum libavb version: 1.0\n'
- 'Header Block: 256 bytes\n'
- 'Authentication Block: 0 bytes\n'
- 'Auxiliary Block: 320 bytes\n'
- 'Algorithm: NONE\n'
- 'Rollback Index: 0\n'
- 'Flags: 0\n'
- 'Rollback Index Location: 0\n'
- "Release String: 'avbtool 1.2.0'\n"
- 'Descriptors:\n'
- ' Hash descriptor:\n'
- ' Image Size: 28672 bytes\n'
- ' Hash Algorithm: sha256\n'
- ' Partition Name: boot\n'
- ' Salt: a11ba11b\n'
- ' Digest: '
- 'd2098d507e039afc6b4d7ec3de129a8d'
- 'd0e0cf889c9181ebee65ce2fb25de3f5\n'
- ' Flags: 0\n'
- " Prop: avb -> 'nice'\n"
- " Prop: avb_space -> 'nice to meet you'\n"
- )
-
self._EXPECTED_BOOT_SIGNATURE_RSA2048 = ( # pylint: disable=C0103
'Minimum libavb version: 1.0\n'
'Header Block: 256 bytes\n'
@@ -838,8 +647,6 @@
'--key', './testdata/testkey_rsa2048.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
- '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
- '--prop avb_space:"nice to meet you"',
'--output', boot_certified_img,
]
subprocess.run(certify_bootimg_cmds, check=True, cwd=self._exec_dir)
@@ -848,13 +655,7 @@
self.assertTrue(has_avb_footer(boot_certified_img))
self.assertEqual(os.path.getsize(boot_img),
os.path.getsize(boot_certified_img))
- # Checks the content in the AVB footer.
- self._test_boot_signatures(
- temp_out_dir,
- {'boot-certified.img':
- self._EXPECTED_AVB_FOOTER_BOOT_CERTIFIED})
- # Checks the content in the GKI certificate.
extract_boot_signatures(boot_certified_img, temp_out_dir)
self._test_boot_signatures(
temp_out_dir,
@@ -871,8 +672,6 @@
'--key', './testdata/testkey_rsa4096.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
- '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
- '--prop avb_space:"nice to meet you"',
'--output', boot_certified2_img,
]
subprocess.run(certify_bootimg_cmds, check=True, cwd=self._exec_dir)
@@ -881,13 +680,7 @@
self.assertTrue(has_avb_footer(boot_certified2_img))
self.assertEqual(os.path.getsize(boot_certified_img),
os.path.getsize(boot_certified2_img))
- # Checks the content in the AVB footer.
- self._test_boot_signatures(
- temp_out_dir,
- {'boot-certified2.img':
- self._EXPECTED_AVB_FOOTER_BOOT_CERTIFIED_2})
- # Checks the content in the GKI certificate.
extract_boot_signatures(boot_certified2_img, temp_out_dir)
self._test_boot_signatures(
temp_out_dir,
@@ -907,11 +700,7 @@
'-android13-0-00544-ged21d463f856 '
'--prop BRANCH:android13-5.10-2022-05 '
'--prop BUILD_NUMBER:ab8295296 '
- '--prop GKI_INFO:"added here"\n'
- 'certify_bootimg_extra_footer_args='
- '--prop com.android.build.boot.os_version:13 '
- '--prop com.android.build.boot.security_patch:'
- '2022-05-05\n')
+ '--prop GKI_INFO:"added here"\n')
gki_info_path = os.path.join(temp_out_dir, 'gki-info.txt')
with open(gki_info_path, 'w', encoding='utf-8') as f:
f.write(gki_info)
@@ -926,8 +715,6 @@
'--key', './testdata/testkey_rsa4096.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
- '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
- '--prop avb_space:"nice to meet you"',
'--gki_info', gki_info_path,
'--output', boot_certified_img,
]
@@ -938,12 +725,6 @@
self.assertEqual(os.path.getsize(boot_img),
os.path.getsize(boot_certified_img))
- # Checks the content in the AVB footer.
- self._test_boot_signatures(
- temp_out_dir,
- {'boot-certified.img': self._EXPECTED_AVB_FOOTER_WITH_GKI_INFO})
-
- # Checks the content in the GKI certificate.
extract_boot_signatures(boot_certified_img, temp_out_dir)
self._test_boot_signatures(
temp_out_dir,
@@ -990,11 +771,7 @@
'-android13-0-00544-ged21d463f856 '
'--prop BRANCH:android13-5.10-2022-05 '
'--prop BUILD_NUMBER:ab8295296 '
- '--prop SPACE:"nice to meet you"\n'
- 'certify_bootimg_extra_footer_args='
- '--prop com.android.build.boot.os_version:13 '
- '--prop com.android.build.boot.security_patch:'
- '2022-05-05\n')
+ '--prop SPACE:"nice to meet you"\n')
boot_img_archive_path = generate_test_boot_image_archive(
boot_img_archive_name,
'gztar',
@@ -1013,8 +790,6 @@
'--key', './testdata/testkey_rsa4096.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
- '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
- '--prop avb_space:"nice to meet you"',
'--output', boot_certified_img_archive,
]
subprocess.run(certify_bootimg_cmds, check=True, cwd=self._exec_dir)
@@ -1031,13 +806,6 @@
self.assertTrue(has_avb_footer(boot_lz4_img))
self.assertEqual(os.path.getsize(boot_lz4_img), 256 * 1024)
- # Checks the content in the AVB footer.
- self._test_boot_signatures(
- temp_out_dir,
- {'boot.img': self._EXPECTED_AVB_FOOTER_BOOT,
- 'boot-lz4.img': self._EXPECTED_AVB_FOOTER_BOOT_LZ4})
-
- # Checks the content in the GKI certificate.
self._test_boot_signatures(
temp_out_dir,
{'boot/boot_signature1':
@@ -1072,8 +840,6 @@
'--key', './testdata/testkey_rsa4096.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
- '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
- '--prop avb_space:"nice to meet you"',
'--output', boot_certified_img_archive,
]
subprocess.run(certify_bootimg_cmds, check=True, cwd=self._exec_dir)
@@ -1097,8 +863,6 @@
'--key', './testdata/testkey_rsa4096.pem',
'--extra_args', '--prop gki:nice '
'--prop space:"nice to meet you"',
- '--extra_footer_args', '--salt a11ba11b --prop avb:nice '
- '--prop avb_space:"nice to meet you"',
'--output', boot_certified_img_archive2,
]
subprocess.run(certify_bootimg_cmds, check=True, cwd=self._exec_dir)
@@ -1111,12 +875,6 @@
self.assertTrue(has_avb_footer(boot_3_img))
self.assertEqual(os.path.getsize(boot_3_img), 128 * 1024)
- # Checks the content in the AVB footer.
- self._test_boot_signatures(
- temp_out_dir,
- {'boot-gz.img': self._EXPECTED_AVB_FOOTER_BOOT_GZ})
-
- # Checks the content in the GKI certificate.
self._test_boot_signatures(
temp_out_dir,
{'boot-gz/boot_signature1':