Support verifying system_other
This commit extracts the AVB key used to sign system_other.img into
system.img, for init to verify system_other's AVB metadata.
The extracted key will be located at:
/system/etc/security/avb/system_other.avbpubkey
Bug: 123611926
Test: build and checks the following is generated
$OUT/system/etc/security/avb/system_other.avbpubkey
Change-Id: Icdc703ff5a0d50f8140bb652507b9b4cbc8a2118
diff --git a/tools/releasetools/build_image.py b/tools/releasetools/build_image.py
index d2f4e25..5e3d68a 100755
--- a/tools/releasetools/build_image.py
+++ b/tools/releasetools/build_image.py
@@ -739,6 +739,26 @@
with open(filename, "w") as f:
f.writelines(["%s=%s" % (key, value) for (key, value) in glob_dict.items()])
+def ExtractSystemOtherAvbKey(in_dir, glob_dict):
+ if glob_dict.get("avb_system_extract_system_other_key") != "true":
+ return
+
+ extract_to = os.path.join(in_dir, "etc/security/avb/system_other.avbpubkey")
+ extract_to_dir = os.path.dirname(extract_to)
+
+ if os.path.isdir(extract_to_dir):
+ shutil.rmtree(extract_to_dir)
+ elif os.path.isfile(extract_to_dir):
+ os.remove(extract_to_dir)
+ os.mkdir(extract_to_dir);
+
+ # Extracts the public key used to sign system_other.img, into system.img:
+ # /system/etc/security/avb/system_other.avbpubkey.
+ avbtool = os.getenv('AVBTOOL') or glob_dict.get("avb_avbtool")
+ extract_from = glob_dict.get("avb_system_other_key_path")
+ cmd = [avbtool, "extract_public_key", "--key", extract_from,
+ "--output", extract_to]
+ common.RunAndCheckOutput(cmd, verbose=False)
def main(argv):
if len(argv) < 4 or len(argv) > 5:
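Review bot: `shutil.rmtree(extract_to_dir)` in ExtractSystemOtherAvbKey removes the whole `etc/security/avb` directory under `in_dir`, so any other verification key already staged there is deleted whenever system.img is built; only `system_other.avbpubkey` needs replacing. `os.mkdir` also raises when the parent `etc/security` does not exist yet, which `os.makedirs` avoids. `avbtool` and `extract_from` are both None when the corresponding properties are unset and reach the command list unchecked, so an explicit check with a clear message is worth adding before the call. A short docstring saying that the function writes into the staging directory would help, and the stray `;` after `os.mkdir(extract_to_dir)` can be dropped. The function is complete within the hunk.

```python
  extract_to = os.path.join(in_dir, "etc/security/avb/system_other.avbpubkey")
  extract_to_dir = os.path.dirname(extract_to)

  # Replace only the key file; other entries under etc/security/avb are kept.
  if os.path.isfile(extract_to_dir):
    os.remove(extract_to_dir)
  if not os.path.isdir(extract_to_dir):
    os.makedirs(extract_to_dir)
  elif os.path.lexists(extract_to):
    os.remove(extract_to)

  avbtool = os.getenv('AVBTOOL') or glob_dict.get("avb_avbtool")
  extract_from = glob_dict.get("avb_system_other_key_path")
  if not avbtool or not extract_from:
    raise ValueError(
        "avb_avbtool and avb_system_other_key_path must be set to extract "
        "the system_other AVB public key")
  # ... unchanged: cmd construction and common.RunAndCheckOutput call ...
```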
@@ -763,6 +783,7 @@
mount_point = ""
if image_filename == "system.img":
mount_point = "system"
+ ExtractSystemOtherAvbKey(in_dir, glob_dict)
elif image_filename == "system_other.img":
mount_point = "system_other"
elif image_filename == "userdata.img":