Enable AVB signing on GSI
In current GSI builds, AVB signing is not allowed.
We should allow signing GSI image, while building a vbmeta.img with
AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (flag 2).
When need to disable AVB, use the vbmeta.img above together with the
GSI. When need enable AVB on GSI, include the GSI public key into the
device-specific vbmeta.img. Note that GSI is a chain partition so the
keys used to sign GSI and vbmeta.img are different.
Bug: 112293933
Test: build aosp_arm64-userdebug, checks flag 2 is set in vbmeta.img
and there is AVB HASHTREE in system.img
`avbtool info_image --image $OUT/system.img`
`avbtool info_image --image $OUT/vbmeta.img`
Change-Id: If1eff317621882994e7dcbf37cd35f5bfa16b69a
diff --git a/core/Makefile b/core/Makefile
index 0a112f8..3d45498 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -2795,14 +2795,6 @@
vbmetaimage-nodeps:
$(build-vbmetaimage-target)
-else ifeq (true,$(BOARD_BUILD_DISABLED_VBMETAIMAGE))
-BUILT_DISABLED_VBMETAIMAGE := $(PRODUCT_OUT)/vbmeta.img
-
-INSTALLED_VBMETAIMAGE_TARGET := $(BUILT_DISABLED_VBMETAIMAGE)
-$(INSTALLED_VBMETAIMAGE_TARGET): $(AVBTOOL)
- $(hide) $(AVBTOOL) make_vbmeta_image \
- --flag 2 --padding_size 4096 --output $@
-
endif # BOARD_AVB_ENABLE
# -----------------------------------------------------------------
@@ -3406,14 +3398,6 @@
@# If breakpad symbols have been generated, add them to the zip.
$(hide) $(ACP) -r $(TARGET_OUT_BREAKPAD) $(zip_root)/BREAKPAD
endif
-# BOARD_BUILD_DISABLED_VBMETAIMAGE is used to build a special vbmeta.img
-# that disables AVB verification. The content is fixed and we can just copy
-# it to $(zip_root)/IMAGES without passing some info into misc_info.txt for
-# regeneration.
-ifeq (true,$(BOARD_BUILD_DISABLED_VBMETAIMAGE))
- $(hide) mkdir -p $(zip_root)/IMAGES
- $(hide) cp $(INSTALLED_VBMETAIMAGE_TARGET) $(zip_root)/IMAGES/
-endif
ifdef BOARD_PREBUILT_VENDORIMAGE
$(hide) mkdir -p $(zip_root)/IMAGES
$(hide) cp $(INSTALLED_VENDORIMAGE_TARGET) $(zip_root)/IMAGES/
diff --git a/target/board/BoardConfigEmuCommon.mk b/target/board/BoardConfigEmuCommon.mk
index ca2176c..a1d5cde 100644
--- a/target/board/BoardConfigEmuCommon.mk
+++ b/target/board/BoardConfigEmuCommon.mk
@@ -28,8 +28,9 @@
TARGET_COPY_OUT_VENDOR := vendor
# ~100 MB vendor image. Please adjust system image / vendor image sizes
-# when finalizing them.
-BOARD_VENDORIMAGE_PARTITION_SIZE := 100000000
+# when finalizing them. The partition size needs to be a multiple of image
+# block size: 4096.
+BOARD_VENDORIMAGE_PARTITION_SIZE := 100003840
BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE := ext4
BOARD_FLASH_BLOCK_SIZE := 512
DEVICE_MATRIX_FILE := device/generic/goldfish/compatibility_matrix.xml
diff --git a/target/board/BoardConfigGsiCommon.mk b/target/board/BoardConfigGsiCommon.mk
index c1f3627..7319fec 100644
--- a/target/board/BoardConfigGsiCommon.mk
+++ b/target/board/BoardConfigGsiCommon.mk
@@ -14,14 +14,22 @@
BOARD_SYSTEMIMAGE_PARTITION_RESERVED_SIZE := 67108864
# Android Verified Boot (AVB):
-# Builds a special vbmeta.img that disables AVB verification.
-# Otherwise, AVB will prevent the device from booting the generic system.img.
-# Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity
-# metadata into system.img.
-ifeq ($(BOARD_AVB_ENABLE),true)
-$(error BOARD_AVB_ENABLE cannot be set for GSI)
-endif
-BOARD_BUILD_DISABLED_VBMETAIMAGE := true
+# 1) Sets BOARD_AVB_ENABLE to sign the GSI image.
+# 2) Sets AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (--flag 2) in
+# vbmeta.img to disable AVB verification.
+#
+# To disable AVB for GSI, use the vbmeta.img and the GSI together.
+# To enable AVB for GSI, include the GSI public key into the device-specific
+# vbmeta.img.
+BOARD_AVB_ENABLE := true
+BOARD_AVB_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
+BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2
+
+# Enable chain partition for system.
+BOARD_AVB_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
+BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048
+BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
+BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
# GSI is always userdebug and needs a couple of properties taking precedence
diff --git a/target/board/treble_common.mk b/target/board/treble_common.mk
index daa0f4c..ccb69f2 100644
--- a/target/board/treble_common.mk
+++ b/target/board/treble_common.mk
@@ -53,11 +53,19 @@
USE_XML_AUDIO_POLICY_CONF := 1
# Android Verified Boot (AVB):
-# Builds a special vbmeta.img that disables AVB verification.
-# Otherwise, AVB will prevent the device from booting the generic system.img.
-# Also checks that BOARD_AVB_ENABLE is not set, to prevent adding verity
-# metadata into system.img.
-ifeq ($(BOARD_AVB_ENABLE),true)
-$(error BOARD_AVB_ENABLE cannot be set for Treble GSI)
-endif
-BOARD_BUILD_DISABLED_VBMETAIMAGE := true
+# 1) Sets BOARD_AVB_ENABLE to sign the GSI image.
+# 2) Sets AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED (--flag 2) in
+# vbmeta.img to disable AVB verification.
+#
+# To disable AVB for GSI, use the vbmeta.img and the GSI together.
+# To enable AVB for GSI, include the GSI public key into the device-specific
+# vbmeta.img.
+BOARD_AVB_ENABLE := true
+BOARD_AVB_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
+BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2
+
+# Enable chain partition for system.
+BOARD_AVB_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
+BOARD_AVB_SYSTEM_ALGORITHM := SHA256_RSA2048
+BOARD_AVB_SYSTEM_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
+BOARD_AVB_SYSTEM_ROLLBACK_INDEX_LOCATION := 1