summaryrefslogtreecommitdiff
path: root/scripts
diff options
context:
space:
mode:
authorYury Khmel <khmel@google.com>2020-10-03 08:49:18 +0000
committerCommit Bot <commit-bot@chromium.org>2020-10-06 18:57:30 +0000
commitd8367f0d08a1af4655bfd4c5cef54dc5c79cca07 (patch)
tree47506a93ce420fc18ccd93dcfd6af6d01b93e5d5 /scripts
parent7c6bf3080a20077f1da49bc383297ac33bce35f8 (diff)
downloadvboot-d8367f0d08a1af4655bfd4c5cef54dc5c79cca07.tar.gz
arc: Fix RVC signed image does not boot.factory-test-13517.B
This supports new set of certificates plat_mac_permissions.xml and adds handling media and network_stack certificates. BRANCH=none BUG=b:169458218 TEST=Sign test image from goldeneye per instructions in bug, deploy it to device (kohaku) pass tast.arc.Optin.vm test Signed-off-by: Yury Khmel <khmel@chromium.org> Change-Id: I61c4e327eaa605ed60c0c80b3598c0f4fb6e5f5f Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2447430 Tested-by: Yury Khmel <khmel@google.com> Auto-Submit: Yury Khmel <khmel@google.com> Reviewed-by: George Engelbrecht <engeg@google.com> Commit-Queue: Yury Khmel <khmel@google.com>
Diffstat (limited to 'scripts')
-rwxr-xr-xscripts/image_signing/sign_android_image.sh46
1 files changed, 37 insertions, 9 deletions
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index 06d6f2bf..f9253789 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -141,6 +141,34 @@ build flavor '${flavor_prop}'."
fi
}
+# Extracts certificate from the provided public key.
+get_cert() {
+ # Full path to public key to read and extract certificate. It must exist.
+ local public_key=$1
+ local cert=$(sed -E '/(BEGIN|END) CERTIFICATE/d' \
+ "${public_key}" | tr -d '\n' \
+ | base64 --decode | hexdump -v -e '/1 "%02x"')
+
+ if [[ -z "${cert}" ]]; then
+ die "Unable to get the public platform key"
+ fi
+ echo "${cert}"
+}
+
+# Replaces particular certificate in mac_permissions xml file with new one.
+# Note, this does not fail if particular entry is not found. For example
+# network_stack does not exist in P.
+change_cert() {
+ # Type of signer entry to process. Could be platform, media or network_stack.
+ local type=$1
+ # New certificate encoded to string. This replaces old one.
+ local cert=$2
+ # *mac_permissions xml file to modify, plat_mac_permissions.xml for example.
+ local xml=$3
+ local pattern="(<signer signature=\")\w+(\"><seinfo value=\"${type})"
+ sudo sed -i -E "s/${pattern}/\1${cert}"'\2/g' "${xml}"
+}
+
# Platform key is part of the SELinux policy. Since we are re-signing framework
# apks, we need to replace the key in the policy as well.
update_sepolicy() {
@@ -149,16 +177,14 @@ update_sepolicy() {
# Only platform is used at this time.
local public_platform_key="${key_dir}/platform.x509.pem"
+ local public_media_key="${key_dir}/media.x509.pem"
+ local public_network_stack_key="${key_dir}/releasekey.x509.pem"
info "Start updating sepolicy"
- local new_cert=$(sed -E '/(BEGIN|END) CERTIFICATE/d' \
- "${public_platform_key}" | tr -d '\n' \
- | base64 --decode | hexdump -v -e '/1 "%02x"')
-
- if [[ -z "${new_cert}" ]]; then
- die "Unable to get the public platform key"
- fi
+ local new_platform_cert=$(get_cert "${public_platform_key}")
+ local new_media_cert=$(get_cert "${public_media_key}")
+ local new_network_stack_cert=$(get_cert "${public_network_stack_key}")
shopt -s nullglob
local xml_list=( "${system_mnt}"/system/etc/**/*mac_permissions.xml )
@@ -170,9 +196,11 @@ update_sepolicy() {
local xml="${xml_list[0]}"
local orig=$(make_temp_file)
- local pattern='(<signer signature=")\w+("><seinfo value="platform)'
cp "${xml}" "${orig}"
- sudo sed -i -E "s/${pattern}/\1${new_cert}"'\2/g' "${xml}"
+
+ change_cert "platform" "${new_platform_cert}" "${xml}"
+ change_cert "media" "${new_media_cert}" "${xml}"
+ change_cert "network_stack" "${new_network_stack_cert}" "${xml}"
# Validity check.
if cmp "${xml}" "${orig}"; then