def ReplaceVerityKeyId(targetfile_input_zip, targetfile_output_zip, keypath): in_cmdline = targetfile_input_zip.read("BOOT/cmdline") # copy in_cmdline to output_zip if veritykeyid is not present in in_cmdline if "veritykeyid" not in in_cmdline: common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", in_cmdline) return in_cmdline out_cmdline = [] for param in in_cmdline.split(): if "veritykeyid" in param: # extract keyid using openssl command p = common.Run(["openssl", "x509", "-in", keypath, "-text"], stdout=subprocess.PIPE) keyid, stderr = p.communicate() keyid = re.search(r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower() print "Replacing verity keyid with %s error=%s" % (keyid, stderr) out_cmdline.append("veritykeyid=id:%s" % (keyid, )) else: out_cmdline.append(param) out_cmdline = ' '.join(out_cmdline) out_cmdline = out_cmdline.strip() print "out_cmdline %s" % (out_cmdline) common.ZipWriteStr(targetfile_output_zip, "BOOT/cmdline", out_cmdline) return out_cmdline
def VerifyAbOtaPayload(cert, package): """Verifies the payload and metadata signatures in an A/B OTA payload.""" package_zip = zipfile.ZipFile(package, 'r') if 'payload.bin' not in package_zip.namelist(): common.ZipClose(package_zip) return print('Verifying A/B OTA payload signatures...') # Dump pubkey from the certificate. pubkey = common.MakeTempFile(prefix="key-", suffix=".pem") with open(pubkey, 'wb') as pubkey_fp: pubkey_fp.write(common.ExtractPublicKey(cert)) package_dir = common.MakeTempDir(prefix='package-') # Signature verification with delta_generator. payload_file = package_zip.extract('payload.bin', package_dir) cmd = ['delta_generator', '--in_file=' + payload_file, '--public_key=' + pubkey] proc = common.Run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) stdoutdata, _ = proc.communicate() assert proc.returncode == 0, \ 'Failed to verify payload with delta_generator: %s\n%s' % (package, stdoutdata) common.ZipClose(package_zip) # Verified successfully upon reaching here. print('\nPayload signatures VERIFIED\n\n')
def _generate_system_image(self, output_file): verity_fec = True partition_size = 1024 * 1024 image_size, verity_size = verity_utils.AdjustPartitionSizeForVerity( partition_size, verity_fec) # Use an empty root directory. system_root = common.MakeTempDir() cmd = ['mkuserimg_mke2fs', '-s', system_root, output_file, 'ext4', '/system', str(image_size), '-j', '0'] proc = common.Run(cmd) stdoutdata, _ = proc.communicate() self.assertEqual( 0, proc.returncode, "Failed to create system image with mkuserimg_mke2fs: {}".format( stdoutdata)) # Append the verity metadata. prop_dict = { 'partition_size' : str(partition_size), 'image_size' : str(image_size), 'verity_block_device' : '/dev/block/system', 'verity_key' : os.path.join(self.testdata_dir, 'testkey'), 'verity_signer_cmd' : 'verity_signer', 'verity_size' : str(verity_size), } verity_utils.MakeVerityEnabledImage(output_file, verity_fec, prop_dict)
def AddVBMeta(output_zip, boot_img_path, system_img_path, vendor_img_path, dtbo_img_path, prefix="IMAGES/"): """Create a VBMeta image and store it in output_zip.""" img = OutputFile(output_zip, OPTIONS.input_tmp, prefix, "vbmeta.img") avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"] cmd = [avbtool, "make_vbmeta_image", "--output", img.name] common.AppendAVBSigningArgs(cmd, "vbmeta") public_key_dir = tempfile.mkdtemp(prefix="avbpubkey-") OPTIONS.tempfiles.append(public_key_dir) AppendVBMetaArgsForPartition(cmd, "boot", boot_img_path, public_key_dir) AppendVBMetaArgsForPartition(cmd, "system", system_img_path, public_key_dir) AppendVBMetaArgsForPartition(cmd, "vendor", vendor_img_path, public_key_dir) AppendVBMetaArgsForPartition(cmd, "dtbo", dtbo_img_path, public_key_dir) args = OPTIONS.info_dict.get("avb_vbmeta_args") if args and args.strip(): cmd.extend(shlex.split(args)) p = common.Run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) p.communicate() assert p.returncode == 0, "avbtool make_vbmeta_image failed" img.Write()
def GenerateBootloaderSecbin(unpack_dir, variant): """ Generate bootloader with secpack for Non-EFI(example Sofialte); The partitions are obtained from get_bootloader_list() in GetBootloaderImagesfromFls. use tool binary_merge to generate Merged.secbin with SecureBlock.bin + LoadMap.bin """ for current_file in os.listdir(unpack_dir): if fnmatch.fnmatch(current_file, '*LoadMap0.bin'): loader_mapdatafile = current_file assert loader_mapdatafile is not None, "Error in extracting the LoadMap.bin" for current_file in os.listdir(unpack_dir): if fnmatch.fnmatch(current_file, '*SecureBlock.bin'): loader_scublockfile = current_file assert loader_scublockfile is not None, "Error in extracting the SecureBlock.bin" binary_merge = "hardware/intel/sofia_lte-fls/tools/binary_merge" cmd = [binary_merge, "-o", os.path.join(unpack_dir, "Merged.secbin"), "-b 1 -p 0"] cmd.append(os.path.join(unpack_dir, loader_scublockfile)) cmd.append(os.path.join(unpack_dir, loader_mapdatafile)) print("execute 3.command: {}".format(' '.join(cmd))) try: p = common.Run(cmd) except Exception as exc: print("Error: Unable to execute command: {}".format(' '.join(cmd))) raise exc p.communicate() assert p.returncode == 0, "binary_merge failed"
def pk8_to_pem(der_key_path, password=None, none_on_fail_convert=False): # If the key is already available in converted form, then use that # file. This is important for .pk8 files that actually contain references # to ECSS keys, because they are not fully parseable by openssl. (der_key_path_root,der_key_path_ext) = os.path.splitext(der_key_path) der_key_path_pem = der_key_path_root + ".pem" if os.path.exists(der_key_path_pem): return open(der_key_path_pem) # Defaults to 0600 permissions which is defintitely what we want! tf = tempfile.NamedTemporaryFile(prefix="pk8_to_pem") cmd = ["openssl", "pkcs8"]; if password: cmd.extend(["-passin", "stdin"]) else: cmd.append("-nocrypt") cmd.extend(["-inform", "DER", "-outform", "PEM", "-in", der_key_path, "-out", tf.name]) p = common.Run(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE) if password is not None: password += "\n" p.communicate(password) if none_on_fail_convert: if p.returncode != 0: tf.close() return None else: assert p.returncode == 0, "openssl key conversion failed" tf.seek(os.SEEK_SET, 0) return tf
def get_auth_data(timestamp, sign_pair, password, pem_cert, guid_str, name, payload = None): esl = get_efi_sig_list(pem_cert, guid_str, name) if payload: esl.write(payload) esl.seek(os.SEEK_SET, 0) pem_key = pk8_to_pem(sign_pair + common.OPTIONS.private_key_suffix, password) tf = tempfile.NamedTemporaryFile(prefix="auth_file-"+name+"-") timestampfmt = "%Y-%m-%d %I:%M:%S" cmd = ["sign-efi-sig-list", "-t", time.strftime(timestampfmt, time.strptime(time.ctime(timestamp))), "-c", sign_pair + common.OPTIONS.public_key_suffix, "-g", guid_str, "-k", pem_key.name, name, esl.name, tf.name] p = common.Run(cmd) p.communicate() assert p.returncode == 0, "sign-efi-sig-list failed" tf.seek(os.SEEK_SET, 0) pem_key.close() esl.close() data = tf.read() tf.close() return data
def process_iasimage(in_f, out_f): """ resign the iasimage with new verity key """ #get the unsigned iasimage binary #the method is to get the payload offset plus #palyload length plus the crc checksum s = struct.Struct('I I I I I I I') with open(in_f, 'rb') as fh: u = s.unpack(fh.read(struct.calcsize(s.format))) data_len = u[3] data_off = u[4] unsigned_len = data_off + data_len + crc_len fh.seek(0, 0) data = fh.read(unsigned_len) tf = tempfile.NamedTemporaryFile() tf.write(data) tf.flush() #resign the fastboot with new verity key cmd = ["ias_image_signer"] cmd.append(tf.name) cmd.extend([OPTIONS.oem_key + ".pk8", OPTIONS.oem_key + ".x509.pem"]) cmd.append(out_f) p = common.Run(cmd) p.wait() tf.close()
def _generate_system_image(self, output_file): prop_dict = { 'partition_size': str(1024 * 1024), 'verity': 'true', 'verity_block_device': '/dev/block/system', 'verity_key': os.path.join(self.testdata_dir, 'testkey'), 'verity_fec': "true", 'verity_signer_cmd': 'verity_signer', } verity_image_builder = CreateVerityImageBuilder(prop_dict) image_size = verity_image_builder.CalculateMaxImageSize() # Use an empty root directory. system_root = common.MakeTempDir() cmd = [ 'mkuserimg_mke2fs', '-s', system_root, output_file, 'ext4', '/system', str(image_size), '-j', '0' ] proc = common.Run(cmd) stdoutdata, _ = proc.communicate() self.assertEqual( 0, proc.returncode, "Failed to create system image with mkuserimg_mke2fs: {}".format( stdoutdata)) # Append the verity metadata. verity_image_builder.Build(output_file)
def AppendVBMetaArgsForPartition(cmd, partition, img_path, public_key_dir): if not img_path: return # Check if chain partition is used. key_path = OPTIONS.info_dict.get("avb_" + partition + "_key_path") if key_path: # extract public key in AVB format to be included in vbmeta.img avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"] public_key_path = os.path.join(public_key_dir, "%s.avbpubkey" % partition) p = common.Run([ avbtool, "extract_public_key", "--key", key_path, "--output", public_key_path ], stdout=subprocess.PIPE, stderr=subprocess.PIPE) p.communicate() assert p.returncode == 0, \ "avbtool extract_public_key fail for partition: %r" % partition rollback_index_location = OPTIONS.info_dict["avb_" + partition + "_rollback_index_location"] cmd.extend([ "--chain_partition", "%s:%s:%s" % (partition, rollback_index_location, public_key_path) ]) else: cmd.extend(["--include_descriptors_from_image", img_path])
def AddPartitionTable(output_zip, prefix="IMAGES/"): """Create a partition table image and store it in output_zip.""" img = OutputFile(output_zip, OPTIONS.input_tmp, prefix, "partition-table.img") bpt = OutputFile(output_zip, OPTIONS.input_tmp, prefix, "partition-table.bpt") # use BPTTOOL from environ, or "bpttool" if empty or not set. bpttool = os.getenv("BPTTOOL") or "bpttool" cmd = [ bpttool, "make_table", "--output_json", bpt.name, "--output_gpt", img.name ] input_files_str = OPTIONS.info_dict["board_bpt_input_files"] input_files = input_files_str.split(" ") for i in input_files: cmd.extend(["--input", i]) disk_size = OPTIONS.info_dict.get("board_bpt_disk_size") if disk_size: cmd.extend(["--disk_size", disk_size]) args = OPTIONS.info_dict.get("board_bpt_make_table_args") if args: cmd.extend(shlex.split(args)) p = common.Run(cmd, stdout=subprocess.PIPE) p.communicate() assert p.returncode == 0, "bpttool make_table failed" img.Write() bpt.Write()
def AddVBMeta(output_zip, boot_img_path, system_img_path, vendor_img_path, dtbo_img_path, prefix="IMAGES/"): """Create a VBMeta image and store it in output_zip.""" img = OutputFile(output_zip, OPTIONS.input_tmp, prefix, "vbmeta.img") avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"] cmd = [ avbtool, "make_vbmeta_image", "--output", img.name, "--include_descriptors_from_image", boot_img_path, "--include_descriptors_from_image", system_img_path ] if vendor_img_path is not None: cmd.extend(["--include_descriptors_from_image", vendor_img_path]) if dtbo_img_path is not None: cmd.extend(["--include_descriptors_from_image", dtbo_img_path]) if OPTIONS.info_dict.get("system_root_image") == "true": cmd.extend(["--setup_rootfs_from_kernel", system_img_path]) cmd.extend(shlex.split(OPTIONS.info_dict["avb_signing_args"])) args = OPTIONS.info_dict.get("board_avb_make_vbmeta_image_args") if args and args.strip(): cmd.extend(shlex.split(args)) p = common.Run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) p.communicate() assert p.returncode == 0, "avbtool make_vbmeta_image failed" img.Write()
def AddDtbo(output_zip): """Adds the DTBO image. Uses the image under IMAGES/ if it already exists. Otherwise looks for the image under PREBUILT_IMAGES/, signs it as needed, and returns the image name. """ img = OutputFile(output_zip, OPTIONS.input_tmp, "IMAGES", "dtbo.img") if os.path.exists(img.input_name): logger.info("dtbo.img already exists; no need to rebuild...") return img.input_name dtbo_prebuilt_path = os.path.join( OPTIONS.input_tmp, "PREBUILT_IMAGES", "dtbo.img") assert os.path.exists(dtbo_prebuilt_path) shutil.copy(dtbo_prebuilt_path, img.name) # AVB-sign the image as needed. if OPTIONS.info_dict.get("avb_enable") == "true": avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"] part_size = OPTIONS.info_dict["dtbo_size"] # The AVB hash footer will be replaced if already present. cmd = [avbtool, "add_hash_footer", "--image", img.name, "--partition_size", str(part_size), "--partition_name", "dtbo"] common.AppendAVBSigningArgs(cmd, "dtbo") args = OPTIONS.info_dict.get("avb_dtbo_add_hash_footer_args") if args and args.strip(): cmd.extend(shlex.split(args)) proc = common.Run(cmd) output, _ = proc.communicate() assert proc.returncode == 0, \ "Failed to call 'avbtool add_hash_footer' for {}:\n{}".format( img.name, output) img.Write() return img.name
def ReplaceVerityKeyId(input_zip, output_zip, key_path): """Replaces the veritykeyid parameter in BOOT/cmdline. Args: input_zip: The input target_files zip, which should be already open. output_zip: The output target_files zip, which should be already open and writable. key_path: The path to the PEM encoded X.509 certificate. """ in_cmdline = input_zip.read("BOOT/cmdline").decode() # Copy in_cmdline to output_zip if veritykeyid is not present. if "veritykeyid" not in in_cmdline: common.ZipWriteStr(output_zip, "BOOT/cmdline", in_cmdline) return out_buffer = [] for param in in_cmdline.split(): if "veritykeyid" not in param: out_buffer.append(param) continue # Extract keyid using openssl command. p = common.Run(["openssl", "x509", "-in", key_path, "-text"], stdout=subprocess.PIPE, stderr=subprocess.PIPE) keyid, stderr = p.communicate() assert p.returncode == 0, "Failed to dump certificate: {}".format(stderr) keyid = re.search( r'keyid:([0-9a-fA-F:]*)', keyid).group(1).replace(':', '').lower() print("Replacing verity keyid with {}".format(keyid)) out_buffer.append("veritykeyid=id:%s" % (keyid,)) out_cmdline = ' '.join(out_buffer).strip() + '\n' common.ZipWriteStr(output_zip, "BOOT/cmdline", out_cmdline)
def AddDtbo(output_zip, prefix="IMAGES/"): """Adds the DTBO image. Uses the image under prefix if it already exists. Otherwise looks for the image under PREBUILT_IMAGES/, signs it as needed, and returns the image name. """ img = OutputFile(output_zip, OPTIONS.input_tmp, prefix, "dtbo.img") if os.path.exists(img.input_name): print("dtbo.img already exists in %s, no need to rebuild..." % (prefix,)) return img.input_name dtbo_prebuilt_path = os.path.join( OPTIONS.input_tmp, "PREBUILT_IMAGES", "dtbo.img") assert os.path.exists(dtbo_prebuilt_path) shutil.copy(dtbo_prebuilt_path, img.name) # AVB-sign the image as needed. if OPTIONS.info_dict.get("avb_enable") == "true": avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"] part_size = OPTIONS.info_dict["dtbo_size"] # The AVB hash footer will be replaced if already present. cmd = [avbtool, "add_hash_footer", "--image", img.name, "--partition_size", str(part_size), "--partition_name", "dtbo"] common.AppendAVBSigningArgs(cmd, "dtbo") args = OPTIONS.info_dict.get("avb_dtbo_add_hash_footer_args") if args and args.strip(): cmd.extend(shlex.split(args)) p = common.Run(cmd, stdout=subprocess.PIPE) p.communicate() assert p.returncode == 0, \ "avbtool add_hash_footer of %s failed" % (img.name,) img.Write() return img.name
def ReadManifest(self, full_filename): p = common.Run( ["aapt", "dump", "xmltree", full_filename, "AndroidManifest.xml"], stdout=subprocess.PIPE) manifest, err = p.communicate() if err: AddProblem("failed to read manifest") return self.shared_uid = None self.package = None for line in manifest.split("\n"): line = line.strip() m = re.search(r'A: (\S*?)(?:\(0x[0-9a-f]+\))?="(.*?)" \(Raw', line) if m: name = m.group(1) if name == "android:sharedUserId": if self.shared_uid is not None: AddProblem("multiple sharedUserId declarations") self.shared_uid = m.group(2) elif name == "package": if self.package is not None: AddProblem("multiple package declarations") self.package = m.group(2) if self.package is None: AddProblem("no package declaration")
def test_CheckHeadroom_WithMke2fsOutput(self): """Tests the result parsing from actual call to mke2fs.""" input_dir = common.MakeTempDir() output_image = common.MakeTempFile(suffix='.img') command = [ 'mkuserimg_mke2fs', input_dir, output_image, 'ext4', '/system', '409600', '-j', '0' ] proc = common.Run(command) ext4fs_output, _ = proc.communicate() self.assertEqual(0, proc.returncode) prop_dict = { 'fs_type': 'ext4', 'partition_headroom': '40960', 'mount_point': 'system', } CheckHeadroom(ext4fs_output, prop_dict) prop_dict = { 'fs_type': 'ext4', 'partition_headroom': '413696', 'mount_point': 'system', } self.assertRaises(BuildImageError, CheckHeadroom, ext4fs_output, prop_dict)
def AddVBMeta(output_zip, partitions, prefix="IMAGES/"): """Creates a VBMeta image and store it in output_zip. Args: output_zip: The output zip file, which needs to be already open. partitions: A dict that's keyed by partition names with image paths as values. Only valid partition names are accepted, which include 'boot', 'recovery', 'system', 'vendor', 'dtbo'. """ img = OutputFile(output_zip, OPTIONS.input_tmp, prefix, "vbmeta.img") if os.path.exists(img.input_name): print("vbmeta.img already exists in %s; not rebuilding..." % (prefix, )) return img.input_name avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"] cmd = [avbtool, "make_vbmeta_image", "--output", img.name] common.AppendAVBSigningArgs(cmd, "vbmeta") public_key_dir = tempfile.mkdtemp(prefix="avbpubkey-") OPTIONS.tempfiles.append(public_key_dir) for partition, path in partitions.items(): assert partition in common.AVB_PARTITIONS, 'Unknown partition: %s' % ( partition, ) assert os.path.exists( path), 'Failed to find %s for partition %s' % (path, partition) AppendVBMetaArgsForPartition(cmd, partition, path, public_key_dir) args = OPTIONS.info_dict.get("avb_vbmeta_args") if args and args.strip(): split_args = shlex.split(args) for index, arg in enumerate(split_args[:-1]): # Sanity check that the image file exists. Some images might be defined # as a path relative to source tree, which may not be available at the # same location when running this script (we have the input target_files # zip only). For such cases, we additionally scan other locations (e.g. # IMAGES/, RADIO/, etc) before bailing out. if arg == '--include_descriptors_from_image': image_path = split_args[index + 1] if os.path.exists(image_path): continue found = False for dir in [ 'IMAGES', 'RADIO', 'VENDOR_IMAGES', 'PREBUILT_IMAGES' ]: alt_path = os.path.join(OPTIONS.input_tmp, dir, os.path.basename(image_path)) if os.path.exists(alt_path): split_args[index + 1] = alt_path found = True break assert found, 'failed to find %s' % (image_path, ) cmd.extend(split_args) p = common.Run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) p.communicate() assert p.returncode == 0, "avbtool make_vbmeta_image failed" img.Write()
def der_pub_from_pem_cert(cert_path): tf = tempfile.NamedTemporaryFile(prefix="der_pub_from_pem_cert") cmd1 = ["openssl", "x509", "-in", cert_path, "-noout", "-pubkey"] cmd2 = [ "openssl", "rsa", "-inform", "PEM", "-pubin", "-outform", "DER", "-out", tf.name ] p1 = common.Run(cmd1, stdout=subprocess.PIPE) p2 = common.Run(cmd2, stdin=p1.stdout) p2.communicate() p1.wait() assert p1.returncode == 0, "extracting verity public key failed" assert p2.returncode == 0, "verity public key conversion failed" tf.seek(os.SEEK_SET, 0) return tf
def files_from_path(target_path, extra_args=None): """Gets files under the given path and return a sorted list.""" find_command = ['find', target_path] + (extra_args or []) find_process = common.Run( find_command, stdout=subprocess.PIPE, verbose=False) return common.RunAndCheckOutput(['sort'], stdin=find_process.stdout, verbose=False)
def MakeBlob(): print 'TF common: Generating blob...' blobpath = os.path.join(OUTDIR, "boot.blob") cmdblob = ["blobpack", blobpath, "LNX", os.path.join(OUTDIR, "boot.img")] pblob = common.Run(cmdblob, stdout=subprocess.PIPE) pblob.communicate() assert pblob.returncode == 0, "blobpack of %s image failed" % (os.path.basename(OUTDIR),) return open(blobpath).read()
def run_cmd(cmd): try: p = common.Run(cmd) except Exception as exc: print "Error: Unable to execute command: {}".format(' '.join(cmd)) raise exc p.communicate() assert p.returncode == 0, "Command failed: {}".format(' '.join(cmd))
def MakeVFATFilesystem(root_zip, filename, title="ANDROIDIA", size=0, block_size=None, extra_size=0, extra_files=[], zipped=True): """Create a VFAT filesystem image with all the files in the provided root zipfile. The size of the filesystem, if not provided by the caller, will be 101% the size of the containing files""" if zipped: root = common.UnzipTemp(root_zip) root_zip = zipfile.ZipFile(root_zip, "r") else: root = root_zip for fn_src, fn_dest in extra_files: fn_dest = os.path.join(root, fn_dest) if not os.path.exists(os.path.dirname(fn_dest)): os.makedirs(os.path.dirname(fn_dest)) shutil.copy(fn_src, fn_dest) if size == 0: for dpath, dnames, fnames in os.walk(root): for f in fnames: size += os.path.getsize(os.path.join(dpath, f)) # Add 1% extra space, minimum 32K extra = size / 100 if extra < (32 * 1024): extra = 32 * 1024 size += extra size += extra_size # Round the size of the disk up to 32K so that total sectors is # a multiple of sectors per track (mtools complains otherwise) mod = size % (32 * 1024) if mod != 0: size = size + (32 * 1024) - mod # mtools freaks out otherwise if os.path.exists(filename): os.unlink(filename) add_dir_to_path("/sbin") cmd = ["mkdosfs"] if block_size: cmd.extend(["-S", str(block_size)]) cmd.extend(["-n", title, "-C", filename, str(size / 1024)]) try: p = common.Run(cmd) except Exception as exc: print("Error: Unable to execute command: {}".format(' '.join(cmd))) raise exc p.wait() assert p.returncode == 0, "mkdosfs failed" for f in os.listdir(root): in_p = os.path.join(root, f) out_p = os.path.relpath(in_p, root) PutFatFile(filename, in_p, out_p)
def get_efi_sig_list(pem_cert, guid_str, name): tf = tempfile.NamedTemporaryFile(prefix="pem_cert_to_esl-" + name + "-") if pem_cert: cmd = ["cert-to-efi-sig-list", "-g", guid_str, pem_cert, tf.name] p = common.Run(cmd) p.communicate() assert p.returncode == 0, "cert-to-efi-sig-list failed" tf.seek(os.SEEK_SET, 0) return tf
def PutFatFile(fat_img, in_path, out_path): cmd = ["mcopy", "-s", "-Q", "-i", fat_img, in_path, "::" + out_path] try: p = common.Run(cmd) except Exception as exc: print "Error: Unable to execute command: {}".format(' '.join(cmd)) raise exc p.wait() assert p.returncode == 0, "couldn't insert %s into FAT image" % (in_path, )
def CheckVintfFromExtractedTargetFiles(input_tmp, info_dict=None): """ Checks VINTF metadata of an extracted target files directory. Args: inp: path to the directory that contains the extracted target files archive. info_dict: The build-time info dict. If None, it will be loaded from inp. Returns: True if VINTF check is skipped or compatible, False if incompatible. Raise a RuntimeError if any error occurs. """ if info_dict is None: info_dict = common.LoadInfoDict(input_tmp) if info_dict.get('vintf_enforce') != 'true': logger.warning( 'PRODUCT_ENFORCE_VINTF_MANIFEST is not set, skipping checks') return True dirmap = GetDirmap(input_tmp) args_for_skus = GetArgsForSkus(info_dict) shipping_api_level_args = GetArgsForShippingApiLevel(info_dict) kernel_args = GetArgsForKernel(input_tmp) common_command = [ 'checkvintf', '--check-compat', ] for device_path, real_path in dirmap.items(): common_command += ['--dirmap', '{}:{}'.format(device_path, real_path)] common_command += kernel_args common_command += shipping_api_level_args success = True for sku_args in args_for_skus: command = common_command + sku_args proc = common.Run(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE) out, err = proc.communicate() if proc.returncode == 0: logger.info("Command `%s` returns 'compatible'", ' '.join(command)) elif out.strip() == "INCOMPATIBLE": logger.info("Command `%s` returns 'incompatible'", ' '.join(command)) success = False else: raise common.ExternalError( "Failed to run command '{}' (exit code {}):\nstdout:{}\nstderr:{}" .format(' '.join(command), proc.returncode, out, err)) logger.info("stdout: %s", out) logger.info("stderr: %s", err) return success
def pem_cert_to_der_cert(pem_cert_path): tf = tempfile.NamedTemporaryFile(prefix="pem_cert_to_der_cert") cmd = ["openssl", "x509", "-inform", "PEM", "-outform", "DER", "-in", pem_cert_path, "-out", tf.name] p = common.Run(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE) p.communicate() assert p.returncode == 0, "openssl cert conversion failed" tf.seek(os.SEEK_SET, 0) return tf
def AddDisabledVBMeta(output_zip, prefix="IMAGES/"): """Create a VBMeta image and store it in output_zip.""" img = OutputFile(output_zip, OPTIONS.input_tmp, prefix, "vbmeta.img") avbtool = os.getenv('AVBTOOL') or OPTIONS.info_dict["avb_avbtool"] cmd = [avbtool, "make_vbmeta_image", "--flag", "2", "--padding_size", "4096", "--output", img.name] p = common.Run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) p.communicate() assert p.returncode == 0, "avbtool make_vbmeta_image failed" img.Write()
def _generate_boot_image(self, output_file): kernel = common.MakeTempFile(prefix='kernel-') with open(kernel, 'wb') as kernel_fp: kernel_fp.write(os.urandom(10)) cmd = ['mkbootimg', '--kernel', kernel, '-o', output_file] proc = common.Run(cmd) stdoutdata, _ = proc.communicate() self.assertEqual( 0, proc.returncode, "Failed to run mkbootimg: {}".format(stdoutdata)) cmd = ['boot_signer', '/boot', output_file, os.path.join(self.testdata_dir, 'testkey.pk8'), os.path.join(self.testdata_dir, 'testkey.x509.pem'), output_file] proc = common.Run(cmd) stdoutdata, _ = proc.communicate() self.assertEqual( 0, proc.returncode, "Failed to sign boot image with boot_signer: {}".format(stdoutdata))
def test_ParseCertificate(self): cert = os.path.join(self.testdata_dir, 'testkey.x509.pem') cmd = ['openssl', 'x509', '-in', cert, '-outform', 'DER'] proc = common.Run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) expected, _ = proc.communicate() self.assertEqual(0, proc.returncode) with open(cert) as cert_fp: actual = common.ParseCertificate(cert_fp.read()) self.assertEqual(expected, actual)