Merge android13-5.15-keystone-qcom-release@6d47d064d1 into msm-5.15

https://keystone-qcom.googlesource.com/kernel/build : kleaf: Don't use hardcoded path for GKI boot.img certification key Change-Id: I53f6548998252359a1d85fd08c046239e9ba9c67 Signed-off-by: Sivasri Kumar, Vanka <quic_svanka@quicinc.com>

Merge android13-5.15-keystone-qcom-release@6d47d064d1 into msm-5.15
https://keystone-qcom.googlesource.com/kernel/build : kleaf: Don't use hardcoded path for GKI boot.img certification key Change-Id: I53f6548998252359a1d85fd08c046239e9ba9c67 Signed-off-by: Sivasri Kumar, Vanka <quic_svanka@quicinc.com>
6e39ca24 · Sivasri Kumar, Vanka · Siva sri Kumar Vanka · 385ed91f · 6d47d064 · 6e39ca24
Commit 6e39ca24 authored 3 months ago by Sivasri Kumar, Vanka Committed by Siva sri Kumar Vanka 2 months ago
--- a/build_utils.sh
+++ b/build_utils.sh
@@ -714,6 +714,17 @@ function gki_add_avb_footer() {
    ${additional_props}
 }

+function check_gki_boot_img_certification_key() {
+  if [ -z "${KLEAF_INTERNAL_GKI_BOOT_IMG_CERTIFICATION_KEY}" ]; then
+   KLEAF_INTERNAL_GKI_BOOT_IMG_CERTIFICATION_KEY="tools/mkbootimg/gki/testdata/testkey_rsa4096.pem"
+  fi
+
+  if [ ! -f "${KLEAF_INTERNAL_GKI_BOOT_IMG_CERTIFICATION_KEY}" ]; then
+    echo "GKI boot.img certification key not found. KLEAF_INTERNAL_GKI_BOOT_IMG_CERTIFICATION_KEY = ${KLEAF_INTERNAL_GKI_BOOT_IMG_CERTIFICATION_KEY}"
+    exit 1
+  fi
+}
+
 # gki_dry_run_certify_bootimg <boot_image> <gki_artifacts_info_file> <security_patch_level>
 # The certify_bootimg script will be executed on a server over a GKI
 # boot.img during the official certification process, which embeds
@@ -721,6 +732,8 @@ function gki_add_avb_footer() {
 # VTS to verify that a GKI boot.img is authentic.
 # Dry running the process here so we can catch related issues early.
 function gki_dry_run_certify_bootimg() {
+  check_gki_boot_img_certification_key
+
  local spl_date="$3"
  local additional_props=()
  if [ -n "${spl_date}" ]; then
@@ -730,7 +743,7 @@ function gki_dry_run_certify_bootimg() {

  certify_bootimg --boot_img "$1" \
    --algorithm SHA256_RSA4096 \
-    --key tools/mkbootimg/gki/testdata/testkey_rsa4096.pem \
+    --key ${KLEAF_INTERNAL_GKI_BOOT_IMG_CERTIFICATION_KEY} \
    --gki_info "$2" \
    --output "$1" \
    "${additional_props[@]}"

--- a/kleaf/impl/gki_artifacts.bzl
+++ b/kleaf/impl/gki_artifacts.bzl
@@ -78,6 +78,7 @@ def _gki_artifacts_impl(ctx):
        export DIST_DIR=$(readlink -e {dist_dir})
        export OUT_DIR=$(readlink -e {out_dir})
        export MKBOOTIMG_PATH={mkbootimg}
+        export KLEAF_INTERNAL_GKI_BOOT_IMG_CERTIFICATION_KEY={testkey}
        {size_cmd}
        build_gki_artifacts
    """.format(
@@ -89,6 +90,7 @@ def _gki_artifacts_impl(ctx):
        quoted_gki_kernel_cmdline = shell.quote(ctx.attr.gki_kernel_cmdline),
        quoted_arch = shell.quote(ctx.attr.arch),
        mkbootimg = ctx.file.mkbootimg.path,
+        testkey = ctx.file._testkey.path,
        size_cmd = size_cmd,
    )