author | Will McVicker <willmcvicker@google.com> | 2023-10-18 12:33:14 -0700 |
---|---|---|
committer | Will McVicker <willmcvicker@google.com> | 2023-10-18 12:35:02 -0700 |
commit | 6079ecd2d225f3a2d6b4048f82a44078c80513aa (patch) | |
tree | 6d57afde8b7464c5d2d36a8276107aa9302e0bd8 | |
parent | a45afa7c6e0af6480fce14fdfe0a8eb2311d30a5 (diff) | |
download | build-6079ecd2d225f3a2d6b4048f82a44078c80513aa.tar.gz |
kleaf: Add support to boot custom kernels without wiping
The following is implemented:
* Add hashtree footer to vendor_dlkm.
* Add SPL to boot.img
This allows developers to flash a custom kernel on an unlocked device
without having to wipe the device (based on SPL) or disable verification
(based on AVB hashtree requirement).
Test: verify custom boot.img and system_dlkm.img boots without wiping on C10
Test: verify custom vendor_dlkm.img boots without wiping on C10
Bug: 274825778
Change-Id: I685199eb11bfc5a4bdf545170ec136b327f992ad
Signed-off-by: Will McVicker <willmcvicker@google.com>
-rw-r--r-- | build_utils.sh | 41 |
1 files changed, 33 insertions, 8 deletions
diff --git a/build_utils.sh b/build_utils.sh
index 662cb57..093a712 100644
--- a/build_utils.sh
+++ b/build_utils.sh
@@ -360,6 +360,11 @@ function build_vendor_dlkm() {
 build_image "${VENDOR_DLKM_STAGING_DIR}" "${vendor_dlkm_props_file}" \
 "${DIST_DIR}/vendor_dlkm.img" /dev/null

+ avbtool add_hashtree_footer \
+ --partition_name vendor_dlkm \
+ --hash_algorithm sha256 \
+ --image "${DIST_DIR}/vendor_dlkm.img"
+
 if [ -n "${vendor_dlkm_archive}" ]; then
 # Archive vendor_dlkm_staging_dir
 tar -czf "${DIST_DIR}/vendor_dlkm_staging_archive.tar.gz" -C "${VENDOR_DLKM_STAGING_DIR}" .
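Review bot: The `avbtool add_hashtree_footer` call added to build_vendor_dlkm passes no `--algorithm` or `--key`, so the footer it writes appears to be unsigned: it supplies the hashtree the commit message asks for but gives no assurance about who built the image. That fits the unlocked-device workflow described in the commit, yet nothing at the call site says so. I would add a comment above the call, for example `# Unsigned hashtree footer for unlocked development devices; not a substitute for release signing.` The function starts and ends outside the hunk, so whether a failing avbtool aborts the build cannot be confirmed from here.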
@@ -612,30 +617,44 @@ function gki_get_boot_img_size() {
 echo "${!boot_size_var}"
 }

-# gki_add_avb_footer <image> <partition_size>
+# gki_add_avb_footer <image> <partition_size> <security_patch_month>
 function gki_add_avb_footer() {
+ local spl_month="$3"
+ local additional_props=""
+ if [ -n "${spl_month}" ]; then
+ additional_props="--prop com.android.build.boot.security_patch:$(date +'%Y')-${spl_month}-05"
+ fi
+
 avbtool add_hash_footer --image "$1" \
- --partition_name boot --partition_size "$2"
+ --partition_name boot --partition_size "$2" \
+ ${additional_props}
 }

-# gki_dry_run_certify_bootimg <boot_image> <gki_artifacts_info_file>
+# gki_dry_run_certify_bootimg <boot_image> <gki_artifacts_info_file> <security_patch_month>
 # The certify_bootimg script will be executed on a server over a GKI
 # boot.img during the official certification process, which embeds
 # a GKI certificate into the boot.img. The certificate is for Android
 # VTS to verify that a GKI boot.img is authentic.
 # Dry running the process here so we can catch related issues early.
 function gki_dry_run_certify_bootimg() {
+ local spl_month="$3"
+ local additional_props=()
+ if [ -n "${spl_month}" ]; then
+ additional_props+=("--extra_footer_args" \
+ "--prop com.android.build.boot.security_patch:$(date +'%Y')-${spl_month}-05")
+ fi
+
 certify_bootimg --boot_img "$1" \
 --algorithm SHA256_RSA4096 \
 --key tools/mkbootimg/gki/testdata/testkey_rsa4096.pem \
 --gki_info "$2" \
- --output "$1"
+ --output "$1" \
+ "${additional_props[@]}"
 }

 # build_gki_artifacts_info <output_gki_artifacts_info_file>
 function build_gki_artifacts_info() {
- local artifacts_info="certify_bootimg_extra_args=--prop ARCH:${ARCH} \
---prop BRANCH:${BRANCH}"
+ local artifacts_info="certify_bootimg_extra_args=--prop ARCH:${ARCH} --prop BRANCH:${BRANCH}"

 if [ -n "${BUILD_NUMBER}" ]; then
 artifacts_info="${artifacts_info} --prop BUILD_NUMBER:${BUILD_NUMBER}"
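Review bot: In gki_add_avb_footer the new `${additional_props}` is expanded unquoted, so the `--prop` flag and its value are separated only by word splitting, and whitespace or a glob character in the third argument would change the avbtool command line. gki_dry_run_certify_bootimg in the same hunk already uses an array; the same form here keeps the two consistent: `local additional_props=()`, then `additional_props+=(--prop "com.android.build.boot.security_patch:$(date +'%Y')-${spl_month}-05")`, then `"${additional_props[@]}"` on the avbtool line. Both functions also build the patch-level string separately, each with its own `$(date +'%Y')` call and no check that the month is two digits in 01–12. Having the caller pass one preformatted `YYYY-MM-DD` value would ensure the footer and the dry-run certificate carry the same date.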
@@ -694,10 +713,16 @@ function build_gki_boot_images() {
 "${MKBOOTIMG_PATH}" "${GKI_MKBOOTIMG_ARGS[@]}"

 if [[ -z "${BUILD_GKI_BOOT_SKIP_AVB}" ]]; then
+ local spl_month=$(date +'%m')
+ if [ $((${spl_month} % 3)) -gt 0 ]; then
+ # Round up to the closest quarterly month
+ spl_month=$((${spl_month} + 3 - (${spl_month} % 3)))
+ fi
+
 gki_add_avb_footer "${boot_image_path}" \
- "$(gki_get_boot_img_size "${compression}")"
+ "$(gki_get_boot_img_size "${compression}")" "${spl_month}"
 gki_dry_run_certify_bootimg "${boot_image_path}" \
- "${GKI_ARTIFACTS_INFO_FILE}"
+ "${GKI_ARTIFACTS_INFO_FILE}" "${spl_month}"
 fi
 images_to_pack+=("${boot_image}")
 done
|
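Review bot: `$(date +'%m')` yields a zero-padded month, which the new arithmetic in build_gki_boot_images mishandles: bash rejects `08` and `09` as invalid octal inside `$(( ))`, and in the other non-quarter months the rounded value loses its padding (`3`, `6`, `9`), so the patch level becomes e.g. `2023-3-05` rather than `YYYY-MM-DD`. The commit message ties the no-wipe behaviour to this value, so a malformed or unrounded month undermines the change in those months. Forcing base 10 and re-padding fixes both: `spl_month=$((10#$(date +'%m')))` before the check and `spl_month=$(printf '%02d' "${spl_month}")` after the rounding. The function starts and ends outside the hunk.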