diff options
| author | 2019-09-16 12:10:43 -0700 | |
|---|---|---|
| committer | 2019-09-17 08:53:16 -0700 | |
| commit | c99819311c0124dc6f6a0f0f6db74cae7cf570fb (patch) | |
| tree | 725bcca1820726b442adde70b570542702f61c38 /tools/warn/cpp_warn_patterns.py | |
| parent | 0b67e41f3fdb2a6257f5e25050c7bd4fa43a778d (diff) | |
Also install verity_key to ramdisk for non-system-as-root target.
The commit in d14b895665f9fb122f93edb16655fd3a49510032
(https://android-review.googlesource.com/c/platform/build/+/728287)
changed partition layout, to always build the root dir into system.img,
even for devices not using system-as-root (i.e. the ones with separate
boot ramdisk).
With the new layout, there will be two root dirs for non-system-as-root
targets during the boot. If such a device uses Verified Boot 1.0,
/verity_key needs to be available in both roots, to establish the chain
of trust.
- bootloader uses the baked-in key to verify boot.img; it then loads
the ramdisk from the verified boot.img
- First stage init uses /verity_key (in ramdisk) to verify and mount
system.img at /system, then chroot's to it
- Second stage init uses /verity_key (in system.img) to verify and
mount other partitions
This CL adds rules to additionally install verity_key into ramdisk for
such targets.
Bug: 139770257
Test: Set up a target to use non-system-as-root
(BOARD_BUILD_SYSTEM_ROOT_IMAGE != true). `m dist`.
Test: Check that both ROOT/verity_key and BOOT/RAMDISK/verity_key exist
in the built target_files.zip.
Test: Run validate_target_files to validate the above target_files.zip.
$ validate_target_files \
--verity_key_mincrypt /path/to/verity_key \
target_files.zip
Test: Run sign_target_files_apks to sign the above target. Re-run
validate_target_files on the signed target_files.zip.
Test: python -m unittest test_validate_target_files
Change-Id: Ibe7e771c8c376429add85851ac86055564765d3c
Diffstat (limited to 'tools/warn/cpp_warn_patterns.py')
0 files changed, 0 insertions, 0 deletions