1*288bf522SAndroid Build Coastguard Worker#!/usr/bin/env python3 2*288bf522SAndroid Build Coastguard Worker# 3*288bf522SAndroid Build Coastguard Worker# Copyright (C) 2013 The Android Open Source Project 4*288bf522SAndroid Build Coastguard Worker# 5*288bf522SAndroid Build Coastguard Worker# Licensed under the Apache License, Version 2.0 (the "License"); 6*288bf522SAndroid Build Coastguard Worker# you may not use this file except in compliance with the License. 7*288bf522SAndroid Build Coastguard Worker# You may obtain a copy of the License at 8*288bf522SAndroid Build Coastguard Worker# 9*288bf522SAndroid Build Coastguard Worker# http://www.apache.org/licenses/LICENSE-2.0 10*288bf522SAndroid Build Coastguard Worker# 11*288bf522SAndroid Build Coastguard Worker# Unless required by applicable law or agreed to in writing, software 12*288bf522SAndroid Build Coastguard Worker# distributed under the License is distributed on an "AS IS" BASIS, 13*288bf522SAndroid Build Coastguard Worker# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14*288bf522SAndroid Build Coastguard Worker# See the License for the specific language governing permissions and 15*288bf522SAndroid Build Coastguard Worker# limitations under the License. 16*288bf522SAndroid Build Coastguard Worker 17*288bf522SAndroid Build Coastguard Workerimport argparse 18*288bf522SAndroid Build Coastguard Workerimport os 19*288bf522SAndroid Build Coastguard Workerimport sys 20*288bf522SAndroid Build Coastguard Workerimport struct 21*288bf522SAndroid Build Coastguard Workerimport shlex 22*288bf522SAndroid Build Coastguard Workerimport subprocess 23*288bf522SAndroid Build Coastguard Workerimport tempfile 24*288bf522SAndroid Build Coastguard Worker 25*288bf522SAndroid Build Coastguard WorkerVERSION = 0 26*288bf522SAndroid Build Coastguard WorkerMAGIC_NUMBER = 0xb001b001 27*288bf522SAndroid Build Coastguard WorkerMAGIC_DISABLE = 0x46464f56 # "VOFF" 28*288bf522SAndroid Build Coastguard WorkerBLOCK_SIZE = 4096 29*288bf522SAndroid Build Coastguard WorkerMETADATA_SIZE = BLOCK_SIZE * 8 30*288bf522SAndroid Build Coastguard Worker 31*288bf522SAndroid Build Coastguard Workerdef run(cmd): 32*288bf522SAndroid Build Coastguard Worker p = subprocess.Popen(cmd, stdout=subprocess.PIPE, text=True) 33*288bf522SAndroid Build Coastguard Worker output, _ = p.communicate() 34*288bf522SAndroid Build Coastguard Worker print(output) 35*288bf522SAndroid Build Coastguard Worker if p.returncode: 36*288bf522SAndroid Build Coastguard Worker exit(-1) 37*288bf522SAndroid Build Coastguard Worker 38*288bf522SAndroid Build Coastguard Workerdef get_verity_metadata_size(data_size): 39*288bf522SAndroid Build Coastguard Worker return METADATA_SIZE 40*288bf522SAndroid Build Coastguard Worker 41*288bf522SAndroid Build Coastguard Workerdef build_metadata_block(verity_table, signature, verity_disable=False): 42*288bf522SAndroid Build Coastguard Worker table_len = len(verity_table) 43*288bf522SAndroid Build Coastguard Worker magic = MAGIC_DISABLE if verity_disable else MAGIC_NUMBER 44*288bf522SAndroid Build Coastguard Worker block = struct.pack("II256sI", magic, VERSION, signature, table_len) 45*288bf522SAndroid Build Coastguard Worker block += verity_table 46*288bf522SAndroid Build Coastguard Worker block = block.ljust(METADATA_SIZE, b'\x00') 47*288bf522SAndroid Build Coastguard Worker return block 48*288bf522SAndroid Build Coastguard Worker 49*288bf522SAndroid Build Coastguard Workerdef sign_verity_table(table, signer_path, key_path, signer_args=None): 50*288bf522SAndroid Build Coastguard Worker with tempfile.NamedTemporaryFile(mode='wb', suffix='.table') as table_file: 51*288bf522SAndroid Build Coastguard Worker with tempfile.NamedTemporaryFile(mode='rb', suffix='.sig') as signature_file: 52*288bf522SAndroid Build Coastguard Worker table_file.write(table) 53*288bf522SAndroid Build Coastguard Worker table_file.flush() 54*288bf522SAndroid Build Coastguard Worker if signer_args is None: 55*288bf522SAndroid Build Coastguard Worker cmd = [signer_path, table_file.name, key_path, signature_file.name] 56*288bf522SAndroid Build Coastguard Worker else: 57*288bf522SAndroid Build Coastguard Worker args_list = shlex.split(signer_args) 58*288bf522SAndroid Build Coastguard Worker cmd = [signer_path] + args_list + [table_file.name, key_path, signature_file.name] 59*288bf522SAndroid Build Coastguard Worker print(cmd) 60*288bf522SAndroid Build Coastguard Worker run(cmd) 61*288bf522SAndroid Build Coastguard Worker return signature_file.read() 62*288bf522SAndroid Build Coastguard Worker 63*288bf522SAndroid Build Coastguard Workerdef build_verity_table(block_device, data_blocks, root_hash, salt): 64*288bf522SAndroid Build Coastguard Worker table = "1 %s %s %s %s %s %s sha256 %s %s" 65*288bf522SAndroid Build Coastguard Worker table %= ( block_device, 66*288bf522SAndroid Build Coastguard Worker block_device, 67*288bf522SAndroid Build Coastguard Worker BLOCK_SIZE, 68*288bf522SAndroid Build Coastguard Worker BLOCK_SIZE, 69*288bf522SAndroid Build Coastguard Worker data_blocks, 70*288bf522SAndroid Build Coastguard Worker data_blocks, 71*288bf522SAndroid Build Coastguard Worker root_hash, 72*288bf522SAndroid Build Coastguard Worker salt) 73*288bf522SAndroid Build Coastguard Worker return table.encode() 74*288bf522SAndroid Build Coastguard Worker 75*288bf522SAndroid Build Coastguard Workerdef build_verity_metadata(data_blocks, metadata_image, root_hash, salt, 76*288bf522SAndroid Build Coastguard Worker block_device, signer_path, signing_key, signer_args=None, 77*288bf522SAndroid Build Coastguard Worker verity_disable=False): 78*288bf522SAndroid Build Coastguard Worker # build the verity table 79*288bf522SAndroid Build Coastguard Worker verity_table = build_verity_table(block_device, data_blocks, root_hash, salt) 80*288bf522SAndroid Build Coastguard Worker # build the verity table signature 81*288bf522SAndroid Build Coastguard Worker signature = sign_verity_table(verity_table, signer_path, signing_key, signer_args) 82*288bf522SAndroid Build Coastguard Worker # build the metadata block 83*288bf522SAndroid Build Coastguard Worker metadata_block = build_metadata_block(verity_table, signature, verity_disable) 84*288bf522SAndroid Build Coastguard Worker # write it to the outfile 85*288bf522SAndroid Build Coastguard Worker with open(metadata_image, "wb") as f: 86*288bf522SAndroid Build Coastguard Worker f.write(metadata_block) 87*288bf522SAndroid Build Coastguard Worker 88*288bf522SAndroid Build Coastguard Workerif __name__ == "__main__": 89*288bf522SAndroid Build Coastguard Worker parser = argparse.ArgumentParser() 90*288bf522SAndroid Build Coastguard Worker subparsers = parser.add_subparsers() 91*288bf522SAndroid Build Coastguard Worker 92*288bf522SAndroid Build Coastguard Worker parser_size = subparsers.add_parser('size') 93*288bf522SAndroid Build Coastguard Worker parser_size.add_argument('partition_size', type=int, action='store', help='partition size') 94*288bf522SAndroid Build Coastguard Worker parser_size.set_defaults(dest='size') 95*288bf522SAndroid Build Coastguard Worker 96*288bf522SAndroid Build Coastguard Worker parser_build = subparsers.add_parser('build') 97*288bf522SAndroid Build Coastguard Worker parser_build.add_argument('blocks', type=int, help='data image blocks') 98*288bf522SAndroid Build Coastguard Worker parser_build.add_argument('metadata_image', action='store', help='metadata image') 99*288bf522SAndroid Build Coastguard Worker parser_build.add_argument('root_hash', action='store', help='root hash') 100*288bf522SAndroid Build Coastguard Worker parser_build.add_argument('salt', action='store', help='salt') 101*288bf522SAndroid Build Coastguard Worker parser_build.add_argument('block_device', action='store', help='block device') 102*288bf522SAndroid Build Coastguard Worker parser_build.add_argument('signer_path', action='store', help='verity signer path') 103*288bf522SAndroid Build Coastguard Worker parser_build.add_argument('signing_key', action='store', help='verity signing key') 104*288bf522SAndroid Build Coastguard Worker parser_build.add_argument('--signer_args', action='store', help='verity signer args') 105*288bf522SAndroid Build Coastguard Worker parser_build.add_argument('--verity_disable', action='store_true', 106*288bf522SAndroid Build Coastguard Worker default=False, help='disable verity') 107*288bf522SAndroid Build Coastguard Worker parser_build.set_defaults(dest='build') 108*288bf522SAndroid Build Coastguard Worker 109*288bf522SAndroid Build Coastguard Worker args = parser.parse_args() 110*288bf522SAndroid Build Coastguard Worker 111*288bf522SAndroid Build Coastguard Worker if args.dest == 'size': 112*288bf522SAndroid Build Coastguard Worker print(get_verity_metadata_size(args.partition_size)) 113*288bf522SAndroid Build Coastguard Worker else: 114*288bf522SAndroid Build Coastguard Worker build_verity_metadata(args.blocks // 4096, args.metadata_image, 115*288bf522SAndroid Build Coastguard Worker args.root_hash, args.salt, args.block_device, 116*288bf522SAndroid Build Coastguard Worker args.signer_path, args.signing_key, 117*288bf522SAndroid Build Coastguard Worker args.signer_args, args.verity_disable) 118