commit 45db7cefb35bbdd080016c7a84a3cd27b18294e8
author Bowgo Tsai <bowgotsai@google.com> Wed Jan 30 14:53:57 2019 +0800
committer Bowgo Tsai <bowgotsai@google.com> Wed Feb 13 17:00:49 2019 +0800
tree 410c59a22c277ce33876aef54a4eeb188703ec4d
parent 95c7f58bb74a15f08a342db6ee84cb3a44e7e554

Support verifying system_other

This commit extracts the AVB key used to sign system_other.img into
system.img, for init to verify system_other's AVB metadata.

The extracted key will locate in:
    /system/etc/security/avb/system_other.avbpubkey

Bug: 123611926
Test: build and checks the following is generated
      $OUT/system/etc/security/avb/system_other.avbpubkey

Change-Id: Icdc703ff5a0d50f8140bb652507b9b4cbc8a2118

core/Makefile

diff --git a/core/Makefile b/core/Makefile
index 1846a88..3d1dd50 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -1436,7 +1436,8 @@
 $(if $(BOARD_AVB_ENABLE),\
     $(if $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH),\
         $(hide) echo "avb_system_other_key_path=$(BOARD_AVB_SYSTEM_OTHER_KEY_PATH)" >> $(1)
-        $(hide) echo "avb_system_other_algorithm=$(BOARD_AVB_SYSTEM_OTHER_ALGORITHM)" >> $(1)))
+        $(hide) echo "avb_system_other_algorithm=$(BOARD_AVB_SYSTEM_OTHER_ALGORITHM)" >> $(1)
+        $(hide) echo "avb_system_extract_system_other_key=true" >> $(1)))
 $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_hashtree_enable=$(BOARD_AVB_ENABLE)" >> $(1))
 $(if $(BOARD_AVB_ENABLE),$(hide) echo "avb_vendor_add_hashtree_footer_args=$(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS)" >> $(1))
 $(if $(BOARD_AVB_ENABLE),\
@@ -2941,6 +2942,10 @@
 BOARD_AVB_SYSTEM_OTHER_ALGORITHM := $(BOARD_AVB_ALGORITHM)
 endif
 
+# To extract the public key of SYSTEM_OTHER_KEY_PATH will into system.img:
+# /system/etc/security/avb/system_other.avbpubkey.
+FULL_SYSTEMIMAGE_DEPS += $(BOARD_AVB_SYSTEM_OTHER_KEY_PATH)
+
 ifndef BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX
 BOARD_AVB_SYSTEM_OTHER_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
 endif