
Commit fc98457

committed
WIP: enable bl relock
* If you set up your device tree like this: SirRGB/android_device_sony_sm8250-common@b5cd0fa, you can use ROM_BUILD_FLAGS=BOARD_AVB_KEY_PATH="${KEYS_DIR}" to set up signing as intended
1 parent 70a3ed8 commit fc98457

6 files changed

Lines changed: 39 additions & 3 deletions


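--- a/Dockerfile
+++ b/Dockerfile
@@ -35,6 +35,7 @@ ENV BUILD_TYPE=''
 ENV ROM_MANIFEST=''
 ENV ROM_BRANCH=''
 ENV ROM_BUILD_FLAGS=''
+ENV BL_RELOCK=''
 
 # Fallbacks (required for non-standard naming and conflicts)
 ENV LUNCH_PREFIX_FALLBACK=''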

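--- a/README.md
+++ b/README.md
@@ -151,3 +151,4 @@ You can further speed up build times by using tmpfs as described [here](https://
 - [LineageOS4MicroG](https://github.com/lineageos4microg/docker-lineage-cicd)
 - [amyROM](https://github.com/amyROM/vendor_amy/blob/207d5e32c3fba38b9fe1ab9cd12c71ca6b81d653/scripts/generate_json_build_info.sh)
 - [LineageOS Infra](https://github.com/lineageos-infra/build-config/tree/main/android)
+- [Halogen OS](https://github.com/halogenOS/android_external_xos/blob/fb9a58362b930807766100d1288ff809df6b7c51/xostools/xostools.sh)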

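--- a/scripts/packaging.sh
+++ b/scripts/packaging.sh
@@ -52,6 +52,11 @@ _packaging() {
 then
 _cleanup_fail
 fi
+
+# Extract AVB key
+if [[ -n "${BL_RELOCK}" ]]; then
+avbtool extract_public_key --key "${KEYS_DIR}"/avbkey_4096.pem --output "${OUT}"/"${PACKAGE_NAME//.zip/-pkmd.bin}"
+fi
 set -eu
 }
 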
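Review bot: The avbtool call added under the BL_RELOCK guard has no status check, and `set -eu` is only re-enabled on the line after it, so a failed extract_public_key is silently ignored and the later upload steps run against a missing or stale pkmd.bin. The surrounding code routes failures through `_cleanup_fail` (three lines above), so the same path fits here: `avbtool extract_public_key --key "${KEYS_DIR}"/avbkey_4096.pem --output "${OUT}"/"${PACKAGE_NAME//.zip/-pkmd.bin}" || _cleanup_fail`. _packaging starts before the hunk, so that errexit is actually off at this point is inferred from the trailing `set -eu`. The comment would also be more useful as `# Extract the AVB public key (pkmd.bin) used for the bootloader relock`.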
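--- a/scripts/setup.sh
+++ b/scripts/setup.sh
@@ -100,6 +100,15 @@ _keysgen() {
 openssl pkcs8 -in "${KEYS_DIR}"/"${apex}".pk8 -inform DER -nocrypt -out "${KEYS_DIR}"/"${apex}".pem
 fi
 done
+
+if [[ -n "${BL_RELOCK}" ]]; then
+if [[ ! -f "${KEYS_DIR}"/avbkey_4096.x509.pem ]] || [[ ! -f "${KEYS_DIR}"/avbkey_4096.pem ]] ; then
+subject="${KEYS_SUBJECT//CN=Android/CN=\$\{apex\}}"
+make_key "${KEYS_DIR}"/"${apex}" "${subject}"
+openssl pkcs8 -in "${KEYS_DIR}"/avbkey_4096.pk8 -inform DER -nocrypt -out "${KEYS_DIR}"/avbkey_4096.pem
+fi
+fi
+
 unset KEYS_SUBJECT
 }
 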
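Review bot: The key generation under BL_RELOCK still targets the APEX loop variable: `make_key "${KEYS_DIR}"/"${apex}" "${subject}"` writes a key named after whatever `${apex}` was left at by the `done` loop above, and the subject substitution `CN=\$\{apex\}` was copied along with it, so the `avbkey_4096.pk8` that the following openssl line converts is presumably never created when the existence check fires. Both should use the AVB key name the rest of this commit relies on: `subject="${KEYS_SUBJECT//CN=Android/CN=avbkey_4096}"` and `make_key "${KEYS_DIR}"/avbkey_4096 "${subject}"`. The key size also needs confirming: if `make_key` is AOSP's development/tools/make_key it generates a 2048-bit RSA key by default, which would not match the `SHA256_RSA4096` algorithm scripts/sign.sh passes for this same key, so the relock key should be generated at 4096 bits or the algorithm aligned with what is generated. _keysgen starts before the hunk.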
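--- a/scripts/sign.sh
+++ b/scripts/sign.sh
@@ -55,11 +55,15 @@ _sign_old() {
 
 # New signing process (APEX), A12/up
 _sign_new() {
-local apex_args
+local sign_args
 for apex_key in "${APEX_KEYS[@]}"; do
-apex_args+=('--extra_apks' "${apex_key}.apex=${KEYS_DIR}/${apex_key}" '--extra_apex_payload_key' "${apex_key}.apex=${KEYS_DIR}/${apex_key}.pem")
+sign_args+=('--extra_apks' "${apex_key}.apex=${KEYS_DIR}/${apex_key}" '--extra_apex_payload_key' "${apex_key}.apex=${KEYS_DIR}/${apex_key}.pem")
 done
 
+if [[ -n "${BL_RELOCK}" ]]; then
+sign_args+=('--avb_vbmeta_key' "${KEYS_DIR}"/avbkey_4096.pem '--avb_vbmeta_algorithm' 'SHA256_RSA4096')
+fi
+
 set +eu
 if ! sign_target_files_apks -o -d "${KEYS_DIR}" \
 --extra_apks AdServicesApk.apk="${KEYS_DIR}"/releasekey \
@@ -73,7 +77,7 @@ _sign_new() {
 --extra_apks ServiceUwbResources.apk="${KEYS_DIR}"/releasekey \
 --extra_apks ServiceWifiResources.apk="${KEYS_DIR}"/releasekey \
 --extra_apks WifiDialog.apk="${KEYS_DIR}"/releasekey \
-"${apex_args[@]}" \
+"${sign_args[@]}" \
 "${OUT}"/obj/PACKAGING/target_files_intermediates/*-target_files*.zip \
 "${OUT}"/signed-target_files.zip 2>&1 | tee --append "${LOGS_DIR}"/"${BUILD_DATE}"/sign.txt
 then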
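Review bot: The relock key path and algorithm are written as literals in the new `sign_args+=(...)` element (`"${KEYS_DIR}"/avbkey_4096.pem`, `'SHA256_RSA4096'`), and the same `avbkey_4096` name is repeated independently in scripts/setup.sh and scripts/packaging.sh in this commit, so a rename or a change of key size in one place would leave signing, key generation or public-key extraction silently out of step. Defining the name once, for example `readonly AVB_KEY_NAME=avbkey_4096` next to where `APEX_KEYS` is declared, and deriving the three paths from it would keep them in lockstep. The mixed quoting of the new element also differs from the `"${apex_key}.apex=${KEYS_DIR}/${apex_key}"` style of the loop entry directly above; `"${KEYS_DIR}/avbkey_4096.pem"` would match it. _sign_new continues past the second hunk.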

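--- a/scripts/upload.sh
+++ b/scripts/upload.sh
@@ -57,11 +57,27 @@ _upload_gh() {
 --header "Content-Type: $(file -b --mime-type "${OUT}"/"${PACKAGE_NAME//.zip/-recovery.img}")" \
 --upload-file "${OUT}"/"${PACKAGE_NAME//.zip/-recovery.img}" \
 "${upload_url}"?name="${PACKAGE_NAME//.zip/-recovery.img}"
+
+
+# Upload Recovery
+if [[ -n "${BL_RELOCK}" ]]; then
+curl_cmd \
+--header 'Accept: application/vnd.github.v3+json' \
+--header "Content-Length: $(stat -c%s "${OUT}"/"${PACKAGE_NAME//.zip/-pkmd.bin}")" \
+--header "Authorization: token ${GITHUB_TOKEN}" \
+--header "Content-Type: $(file -b --mime-type "${OUT}"/"${PACKAGE_NAME//.zip/-pkmd.bin}")" \
+--upload-file "${OUT}"/"${PACKAGE_NAME//.zip/-pkmd.bin}" \
+"${upload_url}"?name="${PACKAGE_NAME//.zip/-pkmd.bin}"
+fi
 }
 
 _upload_ssh() {
 scp "${OUT}"/"${PACKAGE_NAME}" "${1}"@"${2}"
 scp "${OUT}"/"${PACKAGE_NAME//.zip/-recovery.img}" "${1}"@"${2}"
+if [[ -n "${BL_RELOCK}" ]]; then
+scp "${OUT}"/"${PACKAGE_NAME//.zip/-pkmd.bin}" "${1}"@"${2}"
+fi
+
 DL_OTA_URL="${3}"
 }
 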
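Review bot: The comment `# Upload Recovery` on the new BL_RELOCK block in _upload_gh is copied from the recovery upload above it, while the block uploads `${PACKAGE_NAME//.zip/-pkmd.bin}`; it should read `# Upload AVB public key (pkmd.bin)`. The two blank lines added ahead of it (new lines 60-61) are also more than the single blank separating the functions in this hunk. Both new blocks assume scripts/packaging.sh produced the file; if that step failed, `stat -c%s` on the missing path fails inside the command substitution and curl is still invoked with an empty Content-Length, so a `[[ -f "${OUT}"/"${PACKAGE_NAME//.zip/-pkmd.bin}" ]]` guard before the upload would give a clearer failure. _upload_gh starts before the hunk.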