ANDROID: build: Set module signing keys in VM config

Currently, modules are not signed by the VM config. In legacy build.sh, the signing keys/certs would be generated in the POST_DEFCONFIG phase of the build, but now, the keys are generated by Bazel in a separate rule. Take the key generation step out and use the new Bazel attributes instead. Change-Id: Ibbe3e98eab9d6d6a8dafc05582b3f17f83a226db Signed-off-by: John Moon <quic_johmoo@quicinc.com>
2023-02-10 18:43:10 -08:00 · 2023-02-10 18:43:10 -08:00 · 315568a798
commit 315568a798
parent f8139aa839
3 changed files with 4 additions and 32 deletions
--- a/build.config.msm.vm
+++ b/build.config.msm.vm
@ -1,36 +1,6 @@
 ################################################################################
 # Common configuration for building kernel for Virtual Machines
 DEFCONFIG="generic_vm_defconfig"
-OPENSSL_DIR=${KERNEL_DIR}/../build/build-tools/path/linux-x86/openssl
-
-append_cmd POST_DEFCONFIG_CMDS 'update_signing_keys_config'
-
-function update_signing_keys_config() {
-	if test -f "${OPENSSL_DIR}"; then
-		${OPENSSL_DIR} req -new -nodes -utf8 -newkey rsa:1024 -days 36500 \
-		             -batch -x509 -config ${KERNEL_DIR}/certs/qcom_x509.genkey \
-		             -outform PEM -out ${OUT_DIR}/verity_cert.pem -keyout ${OUT_DIR}/verity_key.pem
-
-		${OPENSSL_DIR} req -new -nodes -utf8 -sha256 -days 36500 \
-		             -batch -x509 -config ${KERNEL_DIR}/certs/qcom_x509.genkey \
-		             -outform PEM -out ${OUT_DIR}/signing_key.pem -keyout ${OUT_DIR}/signing_key.pem
-
-		${KERNEL_DIR}/scripts/config --file ${OUT_DIR}/.config \
-		--set-str CONFIG_MODULE_SIG_KEY "${OUT_DIR}/signing_key.pem" \
-		--set-str CONFIG_SYSTEM_TRUSTED_KEYS "${OUT_DIR}/verity_cert.pem"
-
-		(cd ${OUT_DIR} && \
-		make ${CC_LD_ARG} O=${OUT_DIR} ${MAKE_ARGS} olddefconfig)
-	fi
-}
-
-append_cmd POST_KERNEL_BUILD_CMDS 'move_signing_keys'
-
-function move_signing_keys() {
-  cp ${OUT_DIR}/signing_key.pem ${OUT_DIR}/certs
-  cp ${OUT_DIR}/verity_key.pem ${OUT_DIR}/certs
-  cp ${OUT_DIR}/verity_cert.pem ${OUT_DIR}/certs
-}

 function build_defconfig_fragments() {
 	if [[ "${VARIANT}" =~ ^(defconfig|debug_defconfig)$ ]]; then
--- a/msm_common.bzl
+++ b/msm_common.bzl
@ -40,12 +40,12 @@ def define_signing_keys():
    native.genrule(
        name = "signing_key",
        srcs = ["//msm-kernel:certs/qcom_x509.genkey"],
-        outs = ["signing_cert.pem", "signing_key.pem"],
+        outs = ["signing_key.pem"],
        tools = ["//prebuilts/build-tools:linux-x86/bin/openssl"],
        cmd_bash = """
          $(location //prebuilts/build-tools:linux-x86/bin/openssl) req -new -nodes -utf8 -sha256 -days 36500 \
            -batch -x509 -config $(location //msm-kernel:certs/qcom_x509.genkey) \
-            -outform PEM -out $(location signing_cert.pem) -keyout $(location signing_key.pem)
+            -outform PEM -out "$@" -keyout "$@"
        """
    )

--- a/msm_kernel_vm.bzl
+++ b/msm_kernel_vm.bzl
@ -154,6 +154,8 @@ def _define_kernel_build(
        dtstree = dtstree,
        kmi_symbol_list = None,
        additional_kmi_symbol_lists = None,
+        module_signing_key = ":signing_key",
+        system_trusted_key = ":verity_cert.pem",
        abi_definition = None,
        enable_interceptor = define_compile_commands,
        visibility = ["//visibility:public"],