Merge "Add aftl inclusion proof"
diff --git a/core/Makefile b/core/Makefile
index 8e986b7..bda0b23 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -3998,6 +3998,7 @@
INTERNAL_OTATOOLS_MODULES := \
aapt2 \
add_img_to_target_files \
+ aftltool \
append2simg \
avbtool \
blk_alloc_to_base_fs \
diff --git a/tools/releasetools/common.py b/tools/releasetools/common.py
index 2030d5a..3bbf9d8 100644
--- a/tools/releasetools/common.py
+++ b/tools/releasetools/common.py
@@ -931,6 +931,37 @@
return "{}:{}:{}".format(partition, rollback_index_location, pubkey_path)
+def AddAftlInclusionProof(output_image):
+ """Appends the aftl inclusion proof to the vbmeta image."""
+
+ # Ensure the other AFTL parameters are set as well.
+ assert OPTIONS.aftl_key_path is not None, 'No AFTL key provided.'
+ assert OPTIONS.aftl_manufacturer_key_path is not None, \
+ 'No AFTL manufacturer key provided.'
+
+ vbmeta_image = MakeTempFile()
+ os.rename(output_image, vbmeta_image)
+ build_info = BuildInfo(OPTIONS.info_dict)
+ version_incremental = build_info.GetBuildProp("ro.build.version.incremental")
+ aftl_cmd = ["aftltool", "make_icp_from_vbmeta",
+ "--vbmeta_image_path", vbmeta_image,
+ "--output", output_image,
+ "--version_incremental", version_incremental,
+ "--transparency_log_servers", OPTIONS.aftl_server,
+ "--transparency_log_pub_keys", OPTIONS.aftl_key_path,
+ "--manufacturer_key", OPTIONS.aftl_manufacturer_key_path,
+ "--algorithm", "SHA256_RSA4096",
+ "--padding", "4096"]
+ if OPTIONS.aftl_signer_helper:
+ aftl_cmd.extend(shlex.split(OPTIONS.aftl_signer_helper))
+ RunAndCheckOutput(aftl_cmd)
+
+ verify_cmd = ['aftltool', 'verify_image_icp', '--vbmeta_image_path',
+ output_image, '--transparency_log_pub_keys',
+ OPTIONS.aftl_key_path]
+ RunAndCheckOutput(verify_cmd)
+
+
def BuildVBMeta(image_path, partitions, name, needed_partitions):
"""Creates a VBMeta image.
@@ -973,28 +1004,26 @@
# zip only). For such cases, we additionally scan other locations (e.g.
# IMAGES/, RADIO/, etc) before bailing out.
if arg == '--include_descriptors_from_image':
- image_path = split_args[index + 1]
- if os.path.exists(image_path):
+ chained_image = split_args[index + 1]
+ if os.path.exists(chained_image):
continue
found = False
for dir_name in ['IMAGES', 'RADIO', 'PREBUILT_IMAGES']:
alt_path = os.path.join(
- OPTIONS.input_tmp, dir_name, os.path.basename(image_path))
+ OPTIONS.input_tmp, dir_name, os.path.basename(chained_image))
if os.path.exists(alt_path):
split_args[index + 1] = alt_path
found = True
break
- assert found, 'Failed to find {}'.format(image_path)
+ assert found, 'Failed to find {}'.format(chained_image)
cmd.extend(split_args)
RunAndCheckOutput(cmd)
+ # Generate the AFTL inclusion proof.
if OPTIONS.aftl_server is not None:
- # Ensure the other AFTL parameters are set as well.
- assert OPTIONS.aftl_key_path is not None, 'No AFTL key provided.'
- assert OPTIONS.aftl_manufacturer_key_path is not None, 'No AFTL manufacturer key provided.'
- assert OPTIONS.aftl_signer_helper is not None, 'No AFTL signer helper provided.'
- # AFTL inclusion proof generation code will go here.
+ AddAftlInclusionProof(image_path)
+
def _MakeRamdisk(sourcedir, fs_config_file=None):
ramdisk_img = tempfile.NamedTemporaryFile()
diff --git a/tools/releasetools/test_common.py b/tools/releasetools/test_common.py
index da92163..9621de8 100644
--- a/tools/releasetools/test_common.py
+++ b/tools/releasetools/test_common.py
@@ -1404,6 +1404,46 @@
self.assertEqual('3', chained_partition_args[1])
self.assertTrue(os.path.exists(chained_partition_args[2]))
+ @test_utils.SkipIfExternalToolsUnavailable()
+ def test_BuildVBMeta_appendAftl(self):
+ testdata_dir = test_utils.get_testdata_dir()
+ common.OPTIONS.info_dict = {
+ 'ab_update': 'true',
+ 'avb_avbtool': 'avbtool',
+ 'build.prop': {
+ 'ro.build.version.incremental': '6285659',
+ 'ro.product.device': 'coral',
+ 'ro.build.fingerprint': 'google/coral/coral:R/RP1A.200311.002/'
+ '6285659:userdebug/dev-keys'
+ }
+ }
+ common.OPTIONS.aftl_server = "log.endpoints.aftl-dev.cloud.goog:9000"
+ common.OPTIONS.aftl_key_path = os.path.join(testdata_dir,
+ 'test_transparency_key.pub')
+ common.OPTIONS.aftl_manufacturer_key_path = os.path.join(
+ testdata_dir, 'test_aftl_rsa4096.pem')
+
+ input_dir = common.MakeTempDir()
+ system_image = common.MakeTempFile()
+ build_image_cmd = ['mkuserimg_mke2fs', input_dir, system_image, 'ext4',
+ '/system', str(4096 * 100), '-j', '0', '-s']
+ common.RunAndCheckOutput(build_image_cmd)
+
+ add_footer_cmd = ['avbtool', 'add_hashtree_footer',
+ '--partition_size', str(4096 * 150),
+ '--partition_name', 'system',
+ '--image', system_image]
+ common.RunAndCheckOutput(add_footer_cmd)
+
+ vbmeta_image = common.MakeTempFile()
+ common.BuildVBMeta(vbmeta_image, {'system': system_image}, 'vbmeta',
+ ['system'])
+
+ verify_cmd = ['aftltool', 'verify_image_icp', '--vbmeta_image_path',
+ vbmeta_image, '--transparency_log_pub_keys',
+ common.OPTIONS.aftl_key_path]
+ common.RunAndCheckOutput(verify_cmd)
+
class InstallRecoveryScriptFormatTest(test_utils.ReleaseToolsTestCase):
"""Checks the format of install-recovery.sh.
diff --git a/tools/releasetools/testdata/test_aftl_rsa4096.pem b/tools/releasetools/testdata/test_aftl_rsa4096.pem
new file mode 100644
index 0000000..89f1ef3
--- /dev/null
+++ b/tools/releasetools/testdata/test_aftl_rsa4096.pem
@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDDlhUPUgtWL6LB
+Wybp6wsEJeioV1aRLPGSA2/xIpTiJUK46cb/MD5eBTWjKENoIgX23eL/ePy2I68e
++WvcZ5ITGOTRQqNVZIdc5qvr03wkV0BsJQMHSMAHacePpB/4xM5MzN/6Ku1wA8Dw
+uK+v/Cw4hqq8H/gP0oPVQ1bwcIePzRPX4YkkyXusoyzTIm5DJ9reVtyFucKqANCN
+aFmGxcaEc2nADtARQWJpO95joFsMvr68+JBxpCt8aWbxuSz/rLJ9Y8Z46V/++XG+
+E4QEob/WVY5pUD/RyogLrfhIf+zO7R3wJklXElSFacIX9+RzR9dgkQVbqxLfBKIP
+XWLCsF4I4EnvqUtaVjIMl8UpZpoq8pDLRqZ71Os5xZYq06x9E02M6DnvFbZEdaOX
+MCz2mmNX3g5FahvJayBhCuNhyTkd79MFR71Wp48TvWxKz3S7q0T0cWHNhtPkHSCa
+KwD93AQnqtLKYDGkHIZBzJPcs+QxbzdHyGzhXZb+qh5KmQvNA9HRBQY1RkMmzIbI
+8pzYTwpOkbCEhVoCWcRaaF1Pgl+zcpgJOMbBBUabx/dConFIhMDW/I5fHgKgwGqm
+tWUibrMPdnfS6W5MXi8jC0eDuZl0VwmdE+4dLujiOofUYnb7D+GXojf3PrSLcTw1
+PmG0f7l5xDKN9a0N+IXqvD2oAANTsQIDAQABAoICAQCW5HXw8OogHvYg2HMIKrbA
+B4McRO1baWIhtRcq4PQeGIMGaA2HmS+0l65O5uRCNWWGlJ7pW+0TlCop6mHFk/4F
+T8JQk2mxmrI4ARqIAQwYeVwRUuioOP81eO1mK0gjQ6qpY7I0reOq9KpozQN18UYo
+gfS82Kkng9EDukUbkKV1UtFJTw3gXLVWdjlB1qFcnCXmPPs7DBpbz+8V+XiAWpsS
+WnwumP77IQeMiozDLdaw2YQMBHRjyDVocWTjfmpyAkleJZjcdagC7W1MKIBElomL
+EUyigTALaYZWBGy1ekQ3TIY5XUBdtZ2RpAsDNNOCAN3v+VI565zOhCOHWRO1gh24
+vyhBFR0HYqBRoLbLAqo8bM5iLPz1EWGyaTnfxt38J8Va0TD7KihcBnphiA+dkhEF
+oc0yIp/8S2o3CfkNok7Ju8Amb7M4JJuKhuP8wxn86fAHpjjd3Y4SlZp0NrTrd7T2
+msLIneb1OUZZxFxyJG1XQGEZplLPalnGadIF4p3q/3nd1rVb491qCNl/A5QwhI9r
+ZV62O90M9fu3+cAynBLbMT09IZecNwP1gXmunlY6YH+ymM+3NFqC8q2tnzomiz8/
+Fee0ftZ2C/jK62fET0Y8LPWGkVQGHtvZH0FPg4suA0GMmYAe0tQl93A+jFltfKKZ
+RgCDrYs6Wv76E9gnWVnEdQKCAQEA8L76LjZUTKOg83Bra+hP+cXnwGsgwOwJfGBp
+OM++5HzlpYjtbD38esBZVJtwb/8xJGdsHtP2n7ZgbSDuAnRj5S50QHIApvRkz1Y+
+1hL8tAdgVP2JkYjpyG3bPk4QVKyXkKvBcp2BCidXs75+HzfOxqkazumaYOYo2guh
+azHdka2xSqxcZqo4yyORc/oue25RU4skmuNDOlP0+OTxU/uXnl7QZmlaOfT5TqO4
+s7uER4BXt/87j44mnOBdXmtqrsL49+R9bzVskx76aeuaBbwf7jnpR058E71OZwSd
+F1P3fx6hl0yLOZF/5Jnq+14rEna6jH50XtzlhB6deSZFTOw2gwKCAQEAz/qXRzwH
+I0YWISgkUG2zBJseHmfHqV4CDzb5+tTJ3B2I8cXE0m2sQJXi2s7oMhWSc1cQOHCX
+txpgWaD59uBz2lcwnGRNp27TRXv8Wo+X0+O+lGWU2cO+j8AB2Vtb7F7rCySp0+Uu
+z+dBfoQ2zhKEQlkX0YldVILGzCL3QBHVvPC4iDlwkMRbcejDoh9NsBtHL8lG+MAw
+ZXbwJjhaJkhTXJFpJpejq70naS8VVlLt8Os80iuBXe5JK/ecAHtsNcJlXO02sMNZ
+Fbcy8WosGyvRKQ/tHtTjAlxZ7Ey8usWE8BvWBdUgiIBkIcjLtE2GrA8eOGNb3v1I
+HRt8NsV8yaLWuwKCAQAR7SaT6le8nTKO7gARuOq7npDzMwbtVqYeLM+o+08rlGFF
+QjzronH6cfg05J4quMXgABN8+CuVGO91MM6IQEJv/lWJtvN1ex1GkxV6u0812JbD
+vV1RCPDfi86XhRiSNYfTrfZponDJYMSXDcg2auFqyYzFe3+TV5ATLGqIoN3uyxA4
+jz0SJ/qypaNfD3IGnuBPaD0Bi4ql/TpwjhuqNUHE+SprdczSI/usb2SBfaUL7fKa
+MNcuiVc2tz48maMIAFypmMn+TewXyGa9HF4Lr0ZxZr6IIL/8eEwuP5my8v2q6Yz+
+xyRW1Q7A5vUoYoqyhUS+0Wu45JnyjJUNQFxIrg4hAoIBAF1uBIGSvN4iwRQ6FT4w
+WahrCre8BVzXh3NQTjJZXylL91YtcwLZE/Wbn+KN6o99U2IPLZE9O1qdNcVt5Hz8
+Te87FfJbuOrLhYuEbFQ+h4U/nUDK9XhyT+wB5JLBUOU5qrtByC0Rmtr411o/iONA
+PDwWC/YskEnDygywdIRKvsr3FN7VdvUB0Na2KxRsnZjMWElmUUS0Ccm7CZ0R2aWy
+/gfqpuMYYgVnnwnIhfxWmt+MvbDorGAHCMYAoQsyZuUrpB9/zP7RcvanavI6sP+v
+ynF43xvnpOdNl3Po8SuyScsXpijOmqPXkaP/sUsZPLOUww2vzPi6raetzjpIs4td
+ZLsCggEAe42Zj3FEbruJZeDgmd9lSc0j8UF90mNw8KH44IbuA6R9fGv3WkrNHEVd
+XZOwjWqAxhOj6pFoJk8n6h5d8iS/yXFZ0AfBMc21XMecu9mnfx9E9LFAIWmv7Wut
+vy3h2BqY+crglpg5RAw+3J97HAGMYCvp+hH2il+9zzjpmCtTD21LRMkw34szY7RR
+CDy9G5FTmKVlxw5eegvyj164olQRLurEdUIfSr5UnBjrWftJHy9JW8KWCeFDSmm9
+xCl3nGDyQuZmOTngxPtrOYAhb5LoKR9BeGcy6jlom7V4nYYqm3t1IDBgMqjYGT9c
+vqQgxO2OFsQOJQ/4PRYEKd1neTlZrw==
+-----END PRIVATE KEY-----
diff --git a/tools/releasetools/testdata/test_transparency_key.pub b/tools/releasetools/testdata/test_transparency_key.pub
new file mode 100644
index 0000000..8bfd816
--- /dev/null
+++ b/tools/releasetools/testdata/test_transparency_key.pub
@@ -0,0 +1,15 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4ilqCNsenNA013iCdwgD
+YPxZ853nbHG9lMBp9boXiwRcqT/8bUKHIL7YX5z7s+QoRYVY3rkMKppRabclXzyx
+H59YnPMaU4uv7NqwWzjgaZo7E+vo7IF+KBjV3cJulId5Av0yIYUCsrwd7MpGtWdC
+Q3S+7Vd4zwzCKEhcvliNIhnNlp1U3wNkPCxOyCAsMEn6k8O5ar12ke5TvxDv15db
+rPDeHh8G2OYWoCkWL+lSN35L2kOJqKqVbLKWrrOd96RCYrrtbPCi580OADJRcUlG
+lgcjwmNwmypBWvQMZ6ITj0P0ksHnl1zZz1DE2rXe1goLI1doghb5KxLaezlR8c2C
+E3w/uo9KJgNmNgUVzzqZZ6FE0moyIDNOpP7KtZAL0DvEZj6jqLbB0ccPQElrg52m
+Dv2/A3nYSr0mYBKeskT4+Bg7PGgoC8p7WyLSxMyzJEDYdtrj9OFx6eZaA23oqTQx
+k3Qq5H8RfNBeeSUEeKF7pKH/7gyqZ2bNzBFMA2EBZgBozwRfaeN/HCv3qbaCnwvu
+6caacmAsK+RxiYxSL1QsJqyhCWWGxVyenmxdc1KG/u5ypi7OIioztyzR3t2tAzD3
+Nb+2t8lgHBRxbV24yiPlnvPmB1ZYEctXnlRR9Evpl1o9xA9NnybPHKr9rozN39CZ
+V/USB8K6ao1y5xPZxa8CZksCAwEAAQ==
+-----END PUBLIC KEY-----
+