releasetools: Re-enable verifying AVB-signed images.
This reverts commit 9788b4ed31e58301314d226ad8028610642a12e1. All the
blocking issues have been addressed.
Fixes: 120517892
Test: Run validate_target_files.py on crosshatch signed
target_files.zip.
Change-Id: I95de241e159998e002dedddafea65953b1a1b263
diff --git a/tools/releasetools/validate_target_files.py b/tools/releasetools/validate_target_files.py
index 275939c..1c856a8 100755
--- a/tools/releasetools/validate_target_files.py
+++ b/tools/releasetools/validate_target_files.py
@@ -318,9 +318,31 @@
if info_dict.get("avb_enable") == "true":
logging.info('Verifying Verified Boot 2.0 (AVB) images...')
- # TODO(b/120517892): Temporarily disable the verification for AVB-signed
- # images. Needing supporting changes in caller to pass in the desired keys.
- logging.info('Temporarily disabled due to b/120517892')
+ key = options['verity_key']
+ if key is None:
+ key = info_dict['avb_vbmeta_key_path']
+
+ # avbtool verifies all the images that have descriptors listed in vbmeta.
+ image = os.path.join(input_tmp, 'IMAGES', 'vbmeta.img')
+ cmd = ['avbtool', 'verify_image', '--image', image, '--key', key]
+
+ # Append the args for chained partitions if any.
+ for partition in common.AVB_PARTITIONS:
+ key_name = 'avb_' + partition + '_key_path'
+ if info_dict.get(key_name) is not None:
+ chained_partition_arg = common.GetAvbChainedPartitionArg(
+ partition, info_dict, options[key_name])
+ cmd.extend(["--expected_chain_partition", chained_partition_arg])
+
+ proc = common.Run(cmd)
+ stdoutdata, _ = proc.communicate()
+ assert proc.returncode == 0, \
+ 'Failed to verify {} with avbtool (key: {}):\n{}'.format(
+ image, key, stdoutdata)
+
+ logging.info(
+ 'Verified %s with avbtool (key: %s):\n%s', image, key,
+ stdoutdata.rstrip())
def main():