author Yi-Yo Chiang <yochiang@google.com> 2024-01-24 14:10:17 +0800
committer Yi-Yo Chiang <yochiang@google.com> 2024-01-25 11:21:00 +0800
commita4d5f4380b96b840c69cef72950aad4df2bc6a16 (patch)
treeaaf0c88fa36711851e4e680d449560cf5478ddc8
parentb14bf5f6e98d2f5edce68be59359419b6ba2c732 (diff)
Re-land: releasetools: Deprecate GKI build rules
(Re-land of Ie882fccd864920289e48366e99a4ebd67e784d0d) We no longer build GKIs from the platform tree. These build commands are no longer used or maintained, so clean them up to reduce maintenance effort. Keep the command line options as no-ops, so existing scripts that still specify the deprecated options don't break. Bug: 229701033 Test: presubmit Change-Id: I0f7d05562dbc3eed29e902d6dc9a0f2e4083aaa6
-rw-r--r--tools/releasetools/Android.bp3
-rw-r--r--tools/releasetools/common.py67
-rwxr-xr-xtools/releasetools/sign_target_files_apks.py45
-rw-r--r--tools/releasetools/test_common.py34
-rw-r--r--tools/releasetools/test_sign_target_files_apks.py52
-rwxr-xr-xtools/releasetools/validate_target_files.py2
6 files changed, 6 insertions, 197 deletions
diff --git a/tools/releasetools/Android.bp b/tools/releasetools/Android.bp
index bd8ce14738..4941c710ff 100644
--- a/tools/releasetools/Android.bp
+++ b/tools/releasetools/Android.bp
@@ -168,7 +168,6 @@ python_defaults {
"apexd_host",
"brillo_update_payload",
"checkvintf",
- "generate_gki_certificate",
"lz4",
"toybox",
"unpack_bootimg",
@@ -245,7 +244,6 @@ python_library_host {
"boot_signer",
"brotli",
"bsdiff",
- "generate_gki_certificate",
"imgdiff",
"lz4",
"mkbootfs",
@@ -310,7 +308,6 @@ python_defaults {
"brotli",
"bsdiff",
"deapexer",
- "generate_gki_certificate",
"imgdiff",
"lz4",
"mkbootfs",
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 7451ccc1b2..199037728d 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -1565,50 +1565,6 @@ def GetAvbChainedPartitionArg(partition, info_dict, key=None):
pubkey_path=pubkey_path)
-def _HasGkiCertificationArgs():
- return ("gki_signing_key_path" in OPTIONS.info_dict and
- "gki_signing_algorithm" in OPTIONS.info_dict)
-
-
-def _GenerateGkiCertificate(image, image_name):
- key_path = OPTIONS.info_dict.get("gki_signing_key_path")
- algorithm = OPTIONS.info_dict.get("gki_signing_algorithm")
-
- key_path = ResolveAVBSigningPathArgs(key_path)
-
- # Checks key_path exists, before processing --gki_signing_* args.
- if not os.path.exists(key_path):
- raise ExternalError(
- 'gki_signing_key_path: "{}" not found'.format(key_path))
-
- output_certificate = tempfile.NamedTemporaryFile()
- cmd = [
- "generate_gki_certificate",
- "--name", image_name,
- "--algorithm", algorithm,
- "--key", key_path,
- "--output", output_certificate.name,
- image,
- ]
-
- signature_args = OPTIONS.info_dict.get("gki_signing_signature_args", "")
- signature_args = signature_args.strip()
- if signature_args:
- cmd.extend(["--additional_avb_args", signature_args])
-
- args = OPTIONS.info_dict.get("avb_boot_add_hash_footer_args", "")
- args = args.strip()
- if args:
- cmd.extend(["--additional_avb_args", args])
-
- RunAndCheckOutput(cmd)
-
- output_certificate.seek(os.SEEK_SET, 0)
- data = output_certificate.read()
- output_certificate.close()
- return data
-
-
def BuildVBMeta(image_path, partitions, name, needed_partitions,
resolve_rollback_index_location_conflict=False):
"""Creates a VBMeta image.
@@ -1831,29 +1787,6 @@ def _BuildBootableImage(image_name, sourcedir, fs_config_file,
RunAndCheckOutput(cmd)
- if _HasGkiCertificationArgs():
- if not os.path.exists(img.name):
- raise ValueError("Cannot find GKI boot.img")
- if kernel_path is None or not os.path.exists(kernel_path):
- raise ValueError("Cannot find GKI kernel.img")
-
- # Certify GKI images.
- boot_signature_bytes = b''
- boot_signature_bytes += _GenerateGkiCertificate(img.name, "boot")
- boot_signature_bytes += _GenerateGkiCertificate(
- kernel_path, "generic_kernel")
-
- BOOT_SIGNATURE_SIZE = 16 * 1024
- if len(boot_signature_bytes) > BOOT_SIGNATURE_SIZE:
- raise ValueError(
- f"GKI boot_signature size must be <= {BOOT_SIGNATURE_SIZE}")
- boot_signature_bytes += (
- b'\0' * (BOOT_SIGNATURE_SIZE - len(boot_signature_bytes)))
- assert len(boot_signature_bytes) == BOOT_SIGNATURE_SIZE
-
- with open(img.name, 'ab') as f:
- f.write(boot_signature_bytes)
-
# Sign the image if vboot is non-empty.
if info_dict.get("vboot"):
path = "/" + partition_name
diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index 7b497c1f93..bf69decec4 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -124,14 +124,8 @@ Usage: sign_target_files_apks [flags] input_target_files output_target_files
--gki_signing_algorithm <algorithm>
--gki_signing_key <key>
- Use the specified algorithm (e.g. SHA256_RSA4096) and the key to generate
- 'boot signature' in a v4 boot.img. Otherwise it uses the existing values
- in info dict.
-
--gki_signing_extra_args <args>
- Specify any additional args that are needed to generate 'boot signature'
- (e.g. --prop foo:bar). The args will be appended to the existing ones
- in info dict.
+ DEPRECATED Does nothing.
--android_jar_path <path>
Path to the android.jar to repack the apex file.
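Review bot: The replacement help text `DEPRECATED Does nothing.` does not tell a release signer what stopped happening: the removed text shows these flags used to select the key and algorithm for the 'boot signature' in a v4 boot.img, and that signature is no longer generated. I would spell that out, for example `DEPRECATED. Ignored; this tool no longer generates a GKI 'boot signature'.`, so that a pipeline owner who still passes a release GKI key knows the key is not applied. The usage text starts and ends outside this hunk.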
@@ -221,9 +215,6 @@ OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys")
OPTIONS.avb_keys = {}
OPTIONS.avb_algorithms = {}
OPTIONS.avb_extra_args = {}
-OPTIONS.gki_signing_key = None
-OPTIONS.gki_signing_algorithm = None
-OPTIONS.gki_signing_extra_args = None
OPTIONS.android_jar_path = None
OPTIONS.vendor_partitions = set()
OPTIONS.vendor_otatools = None
@@ -595,7 +586,7 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info,
[len(os.path.basename(i.filename)) for i in input_tf_zip.infolist()
if GetApkFileInfo(i.filename, compressed_extension, [])[0]])
except ValueError:
- # Sets this to zero for targets without APK files, e.g., gki_arm64.
+ # Sets this to zero for targets without APK files.
maxsize = 0
for info in input_tf_zip.infolist():
@@ -818,9 +809,6 @@ def ProcessTargetFiles(input_tf_zip: zipfile.ZipFile, output_tf_zip, misc_info,
if misc_info.get('avb_enable') == 'true':
RewriteAvbProps(misc_info)
- # Replace the GKI signing key for boot.img, if any.
- ReplaceGkiSigningKey(misc_info)
-
# Write back misc_info with the latest values.
ReplaceMiscInfoTxt(input_tf_zip, output_tf_zip, misc_info)
@@ -1102,27 +1090,6 @@ def RewriteAvbProps(misc_info):
misc_info[args_key] = result
-def ReplaceGkiSigningKey(misc_info):
- """Replaces the GKI signing key."""
-
- key = OPTIONS.gki_signing_key
- if not key:
- return
-
- algorithm = OPTIONS.gki_signing_algorithm
- if not algorithm:
- raise ValueError("Missing --gki_signing_algorithm")
-
- print('Replacing GKI signing key with "%s" (%s)' % (key, algorithm))
- misc_info["gki_signing_algorithm"] = algorithm
- misc_info["gki_signing_key_path"] = key
-
- extra_args = OPTIONS.gki_signing_extra_args
- if extra_args:
- print('Setting GKI signing args: "%s"' % (extra_args))
- misc_info["gki_signing_signature_args"] = extra_args
-
-
def BuildKeyMap(misc_info, key_mapping_options):
for s, d in key_mapping_options:
if s is None: # -d option
@@ -1477,12 +1444,6 @@ def main(argv):
# 'oem=--signing_helper_with_files=/tmp/avbsigner.sh'.
partition, extra_args = a.split("=", 1)
OPTIONS.avb_extra_args[partition] = extra_args
- elif o == "--gki_signing_key":
- OPTIONS.gki_signing_key = a
- elif o == "--gki_signing_algorithm":
- OPTIONS.gki_signing_algorithm = a
- elif o == "--gki_signing_extra_args":
- OPTIONS.gki_signing_extra_args = a
elif o == "--vendor_otatools":
OPTIONS.vendor_otatools = a
elif o == "--vendor_partitions":
@@ -1493,6 +1454,8 @@ def main(argv):
OPTIONS.override_apk_keys = a
elif o == "--override_apex_keys":
OPTIONS.override_apex_keys = a
+ elif o in ("--gki_signing_key", "--gki_signing_algorithm", "--gki_signing_extra_args"):
+ print(f"{o} is deprecated and does nothing")
else:
return False
return True
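Review bot: The deprecation notice in the new `elif` branch is written to stdout with `print`, where it is easy to lose in a signing log, and the run still succeeds even though a key the caller supplied was not used. Because these flags used to select the release key for the GKI boot signature, I would make the notice a warning on stderr, e.g. `print(f"WARNING: {o} is deprecated and ignored; no GKI boot signature is generated", file=sys.stderr)` (assuming `sys` is imported in this module, which the hunk does not show). The `elif o in (...)` line is also longer than the surrounding code and could be wrapped across lines. The option handler inside `main` starts outside the hunk.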
diff --git a/tools/releasetools/test_common.py b/tools/releasetools/test_common.py
index 9b2e66791d..2989338fe8 100644
--- a/tools/releasetools/test_common.py
+++ b/tools/releasetools/test_common.py
@@ -1605,40 +1605,6 @@ class CommonUtilsTest(test_utils.ReleaseToolsTestCase):
self.assertEqual(3, chained_partition_args.rollback_index_location)
self.assertTrue(os.path.exists(chained_partition_args.pubkey_path))
- def test_GenerateGkiCertificate_KeyPathNotFound(self):
- pubkey = os.path.join(self.testdata_dir, 'no_testkey_gki.pem')
- self.assertFalse(os.path.exists(pubkey))
-
- common.OPTIONS.info_dict = {
- 'gki_signing_key_path': pubkey,
- 'gki_signing_algorithm': 'SHA256_RSA4096',
- 'gki_signing_signature_args': '--prop foo:bar',
- }
- common.OPTIONS.search_path = None
- test_file = tempfile.NamedTemporaryFile()
- self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
- test_file.name, 'generic_kernel')
-
- def test_GenerateGkiCertificate_SearchKeyPathNotFound(self):
- pubkey = 'no_testkey_gki.pem'
- self.assertFalse(os.path.exists(pubkey))
-
- # Tests it should raise ExternalError if no key found under
- # OPTIONS.search_path.
- search_path_dir = common.MakeTempDir()
- search_pubkey = os.path.join(search_path_dir, pubkey)
- self.assertFalse(os.path.exists(search_pubkey))
-
- common.OPTIONS.search_path = search_path_dir
- common.OPTIONS.info_dict = {
- 'gki_signing_key_path': pubkey,
- 'gki_signing_algorithm': 'SHA256_RSA4096',
- 'gki_signing_signature_args': '--prop foo:bar',
- }
- test_file = tempfile.NamedTemporaryFile()
- self.assertRaises(common.ExternalError, common._GenerateGkiCertificate,
- test_file.name, 'generic_kernel')
-
class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
"""Checks the format of install-recovery.sh.
diff --git a/tools/releasetools/test_sign_target_files_apks.py b/tools/releasetools/test_sign_target_files_apks.py
index 0cd7dac184..9cc6df428c 100644
--- a/tools/releasetools/test_sign_target_files_apks.py
+++ b/tools/releasetools/test_sign_target_files_apks.py
@@ -23,8 +23,7 @@ import common
import test_utils
from sign_target_files_apks import (
CheckApkAndApexKeysAvailable, EditTags, GetApkFileInfo, ReadApexKeysInfo,
- ReplaceCerts, ReplaceGkiSigningKey, RewriteAvbProps, RewriteProps,
- WriteOtacerts)
+ ReplaceCerts, RewriteAvbProps, RewriteProps, WriteOtacerts)
class SignTargetFilesApksTest(test_utils.ReleaseToolsTestCase):
@@ -536,52 +535,3 @@ name="apex.apexd_test_different_app.apex" public_key="system/apex/apexd/apexd_te
'system/apex/apexd/apexd_testdata/com.android.apex.test_package_2.pem',
'build/make/target/product/security/testkey', None),
}, keys_info)
-
- def test_ReplaceGkiSigningKey(self):
- common.OPTIONS.gki_signing_key = 'release_gki_key'
- common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'
- common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
-
- misc_info = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- expected_dict = {
- 'gki_signing_key_path': 'release_gki_key',
- 'gki_signing_algorithm': 'release_gki_algorithm',
- 'gki_signing_signature_args': 'release_gki_signature_extra_args',
- }
- ReplaceGkiSigningKey(misc_info)
- self.assertDictEqual(expected_dict, misc_info)
-
- def test_ReplaceGkiSigningKey_MissingSigningAlgorithm(self):
- common.OPTIONS.gki_signing_key = 'release_gki_key'
- common.OPTIONS.gki_signing_algorithm = None
- common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
-
- misc_info = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- self.assertRaises(ValueError, ReplaceGkiSigningKey, misc_info)
-
- def test_ReplaceGkiSigningKey_MissingSigningKeyNop(self):
- common.OPTIONS.gki_signing_key = None
- common.OPTIONS.gki_signing_algorithm = 'release_gki_algorithm'
- common.OPTIONS.gki_signing_extra_args = 'release_gki_signature_extra_args'
-
- # No change to misc_info if common.OPTIONS.gki_signing_key is missing.
- misc_info = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- expected_dict = {
- 'gki_signing_key_path': 'default_gki_key',
- 'gki_signing_algorithm': 'default_gki_algorithm',
- 'gki_signing_signature_args': 'default_gki_signature_args',
- }
- ReplaceGkiSigningKey(misc_info)
- self.assertDictEqual(expected_dict, misc_info)
diff --git a/tools/releasetools/validate_target_files.py b/tools/releasetools/validate_target_files.py
index 8da4fa2e8a..88fd8929e5 100755
--- a/tools/releasetools/validate_target_files.py
+++ b/tools/releasetools/validate_target_files.py
@@ -132,7 +132,7 @@ def ValidateFileConsistency(input_zip, input_tmp, info_dict):
return
# Verify IMAGES/system.img if applicable.
- # Some targets, e.g., gki_arm64, gki_x86_64, etc., are system.img-less.
+ # Some targets are system.img-less.
if 'IMAGES/system.img' in input_zip.namelist():
CheckAllFiles('system')