commit b5aad1b937c465f7c6ffbb7d37ae79a20574b27d
author Treehugger Robot <treehugger-gerrit@google.com> Wed Feb 26 00:09:17 2020 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Feb 26 00:09:17 2020 +0000
tree f46f62224b644fa0d80971c5dabba7253cfe024a
parent 5832bf1f5a949bc32a9b8f57ed46cb7f06606fe6
parent 2fe786a528433dfaa9812eb910fde13d5b04aeed

Merge "Support removing AVB public keys"

tools/releasetools/sign_target_files_apks.py

diff --git a/tools/releasetools/sign_target_files_apks.py b/tools/releasetools/sign_target_files_apks.py
index cce771c..5b7c2ac 100755
--- a/tools/releasetools/sign_target_files_apks.py
+++ b/tools/releasetools/sign_target_files_apks.py
@@ -91,6 +91,14 @@
       Replace the veritykeyid in BOOT/cmdline of input_target_file_zip
       with keyid of the cert pointed by <path_to_X509_PEM_cert_file>.
 
+  --remove_avb_public_keys <key1>,<key2>,...
+      Remove AVB public keys from the first-stage ramdisk. The key file to
+      remove is located at either of the following dirs:
+        - BOOT/RAMDISK/avb/ or
+        - BOOT/RAMDISK/first_stage_ramdisk/avb/
+      The second dir will be used for lookup if BOARD_USES_RECOVERY_AS_BOOT is
+      set to true.
+
   --avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system,
          vbmeta_vendor}_algorithm <algorithm>
   --avb_{boot,system,system_other,vendor,dtbo,vbmeta,vbmeta_system,
@@ -150,6 +158,7 @@
 OPTIONS.replace_verity_public_key = False
 OPTIONS.replace_verity_private_key = False
 OPTIONS.replace_verity_keyid = False
+OPTIONS.remove_avb_public_keys = None
 OPTIONS.tag_changes = ("-test-keys", "-dev-keys", "+release-keys")
 OPTIONS.avb_keys = {}
 OPTIONS.avb_algorithms = {}
@@ -585,6 +594,18 @@
           filename in ("BOOT/RAMDISK/verity_key",
                        "ROOT/verity_key")):
       pass
+    elif (OPTIONS.remove_avb_public_keys and
+          (filename.startswith("BOOT/RAMDISK/avb/") or
+           filename.startswith("BOOT/RAMDISK/first_stage_ramdisk/avb/"))):
+        matched_removal = False
+        for key_to_remove in OPTIONS.remove_avb_public_keys:
+          if filename.endswith(key_to_remove):
+            matched_removal = True
+            print("Removing AVB public key from ramdisk: %s" % filename)
+            break
+        if not matched_removal:
+          # Copy it verbatim if we don't want to remove it.
+          common.ZipWriteStr(output_tf_zip, out_info, data)
 
     # Skip verity keyid (for system_root_image use) if we will replace it.
     elif OPTIONS.replace_verity_keyid and filename == "BOOT/cmdline":
@@ -610,8 +631,7 @@
     # Should NOT sign boot-debug.img.
     elif filename in (
         "BOOT/RAMDISK/force_debuggable",
-        "RECOVERY/RAMDISK/force_debuggable"
-        "RECOVERY/RAMDISK/first_stage_ramdisk/force_debuggable"):
+        "BOOT/RAMDISK/first_stage_ramdisk/force_debuggable"):
       raise common.ExternalError("debuggable boot.img cannot be signed")
 
     # A non-APK file; copy it verbatim.
@@ -1135,6 +1155,8 @@
       OPTIONS.replace_verity_private_key = (True, a)
     elif o == "--replace_verity_keyid":
       OPTIONS.replace_verity_keyid = (True, a)
+    elif o == "--remove_avb_public_keys":
+      OPTIONS.remove_avb_public_keys = a.split(",")
     elif o == "--avb_vbmeta_key":
       OPTIONS.avb_keys['vbmeta'] = a
     elif o == "--avb_vbmeta_algorithm":
@@ -1203,6 +1225,7 @@
           "replace_verity_public_key=",
           "replace_verity_private_key=",
           "replace_verity_keyid=",
+          "remove_avb_public_keys=",
           "avb_apex_extra_args=",
           "avb_vbmeta_algorithm=",
           "avb_vbmeta_key=",