diff options
| author | Yury Khmel <khmel@google.com> | 2020-10-03 08:49:18 +0000 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2020-10-06 18:57:30 +0000 |
| commit | d8367f0d08a1af4655bfd4c5cef54dc5c79cca07 (patch) | |
| tree | 47506a93ce420fc18ccd93dcfd6af6d01b93e5d5 /scripts | |
| parent | 7c6bf3080a20077f1da49bc383297ac33bce35f8 (diff) | |
| download | vboot-d8367f0d08a1af4655bfd4c5cef54dc5c79cca07.tar.gz | |
arc: Fix RVC signed image does not boot.factory-test-13517.B
This supports new set of certificates plat_mac_permissions.xml and adds
handling media and network_stack certificates.
BRANCH=none
BUG=b:169458218
TEST=Sign test image from goldeneye per instructions in bug, deploy
it to device (kohaku) pass tast.arc.Optin.vm test
Signed-off-by: Yury Khmel <khmel@chromium.org>
Change-Id: I61c4e327eaa605ed60c0c80b3598c0f4fb6e5f5f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2447430
Tested-by: Yury Khmel <khmel@google.com>
Auto-Submit: Yury Khmel <khmel@google.com>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Yury Khmel <khmel@google.com>
Diffstat (limited to 'scripts')
| -rwxr-xr-x | scripts/image_signing/sign_android_image.sh | 46 |
1 files changed, 37 insertions, 9 deletions
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh index 06d6f2bf..f9253789 100755 --- a/scripts/image_signing/sign_android_image.sh +++ b/scripts/image_signing/sign_android_image.sh @@ -141,6 +141,34 @@ build flavor '${flavor_prop}'." fi } +# Extracts certificate from the provided public key. +get_cert() { + # Full path to public key to read and extract certificate. It must exist. + local public_key=$1 + local cert=$(sed -E '/(BEGIN|END) CERTIFICATE/d' \ + "${public_key}" | tr -d '\n' \ + | base64 --decode | hexdump -v -e '/1 "%02x"') + + if [[ -z "${cert}" ]]; then + die "Unable to get the public platform key" + fi + echo "${cert}" +} + +# Replaces particular certificate in mac_permissions xml file with new one. +# Note, this does not fail if particular entry is not found. For example +# network_stack does not exist in P. +change_cert() { + # Type of signer entry to process. Could be platform, media or network_stack. + local type=$1 + # New certificate encoded to string. This replaces old one. + local cert=$2 + # *mac_permissions xml file to modify, plat_mac_permissions.xml for example. + local xml=$3 + local pattern="(<signer signature=\")\w+(\"><seinfo value=\"${type})" + sudo sed -i -E "s/${pattern}/\1${cert}"'\2/g' "${xml}" +} + # Platform key is part of the SELinux policy. Since we are re-signing framework # apks, we need to replace the key in the policy as well. update_sepolicy() { @@ -149,16 +177,14 @@ update_sepolicy() { # Only platform is used at this time. local public_platform_key="${key_dir}/platform.x509.pem" + local public_media_key="${key_dir}/media.x509.pem" + local public_network_stack_key="${key_dir}/releasekey.x509.pem" info "Start updating sepolicy" - local new_cert=$(sed -E '/(BEGIN|END) CERTIFICATE/d' \ - "${public_platform_key}" | tr -d '\n' \ - | base64 --decode | hexdump -v -e '/1 "%02x"') - - if [[ -z "${new_cert}" ]]; then - die "Unable to get the public platform key" - fi + local new_platform_cert=$(get_cert "${public_platform_key}") + local new_media_cert=$(get_cert "${public_media_key}") + local new_network_stack_cert=$(get_cert "${public_network_stack_key}") shopt -s nullglob local xml_list=( "${system_mnt}"/system/etc/**/*mac_permissions.xml ) @@ -170,9 +196,11 @@ update_sepolicy() { local xml="${xml_list[0]}" local orig=$(make_temp_file) - local pattern='(<signer signature=")\w+("><seinfo value="platform)' cp "${xml}" "${orig}" - sudo sed -i -E "s/${pattern}/\1${new_cert}"'\2/g' "${xml}" + + change_cert "platform" "${new_platform_cert}" "${xml}" + change_cert "media" "${new_media_cert}" "${xml}" + change_cert "network_stack" "${new_network_stack_cert}" "${xml}" # Validity check. if cmp "${xml}" "${orig}"; then |