ANDROID: build: Add signing/verity keys to output

Signing keys and certificates are required to sign kernel modules and dm-verity hash, but these files are not generated in the current build. Add a Bazel rule to generate them and add to the output of the VM distributions. Also add the scripts and pre-generated key required to use them. Change-Id: I1909548911b3d5742c75b3128f6b17b18ef789b4 Signed-off-by: John Moon <quic_johmoo@quicinc.com>
2023-01-31 01:59:30 -08:00 · 2023-01-31 01:59:30 -08:00 · 944f85cffc
commit 944f85cffc
parent 0ceda10f0c
3 changed files with 32 additions and 0 deletions
--- a/msm_common.bzl
+++ b/msm_common.bzl
@ -35,3 +35,28 @@ def gen_config_without_source_lines(build_config, target):

 def get_out_dir(msm_target, variant):
    return "out/msm-kernel-{}-{}".format(msm_target.replace("-", "_"), variant.replace("-", "_"))
+
+def define_signing_keys():
+    native.genrule(
+        name = "signing_key",
+        srcs = ["//msm-kernel:certs/qcom_x509.genkey"],
+        outs = ["signing_cert.pem", "signing_key.pem"],
+        tools = ["//prebuilts/build-tools:linux-x86/bin/openssl"],
+        cmd_bash = """
+          $(location //prebuilts/build-tools:linux-x86/bin/openssl) req -new -nodes -utf8 -sha256 -days 36500 \
+            -batch -x509 -config $(location //msm-kernel:certs/qcom_x509.genkey) \
+            -outform PEM -out $(location signing_cert.pem) -keyout $(location signing_key.pem)
+        """
+    )
+
+    native.genrule(
+        name = "verity_key",
+        srcs = ["//msm-kernel:certs/qcom_x509.genkey"],
+        outs = ["verity_cert.pem", "verity_key.pem"],
+        tools = ["//prebuilts/build-tools:linux-x86/bin/openssl"],
+        cmd_bash = """
+          $(location //prebuilts/build-tools:linux-x86/bin/openssl) req -new -nodes -utf8 -newkey rsa:1024 -days 36500 \
+            -batch -x509 -config $(location //msm-kernel:certs/qcom_x509.genkey) \
+            -outform PEM -out $(location verity_cert.pem) -keyout $(location verity_key.pem)
+        """
+    )
--- a/msm_kernel_vm.bzl
+++ b/msm_kernel_vm.bzl
@ -143,6 +143,8 @@ def _define_kernel_build(
        "usr/gen_init_cpio",
        "usr/initramfs_data.cpio",
        "usr/initramfs_inc_data",
+        "scripts/sign-file",
+        "certs/signing_key.x509",
    ])

    kernel_build(
@ -194,6 +196,8 @@ def _define_kernel_dist(target, msm_target, variant):
        ":{}".format(target),
        ":{}_merged_kernel_uapi_headers".format(target),
        ":{}_build_config".format(target),
+        ":signing_key",
+        ":verity_key",
    ]

    copy_to_dist_dir(
@ -209,6 +213,7 @@ def _define_kernel_dist(target, msm_target, variant):
            "**/Image": "755",
            "**/*.dtb*": "755",
            "**/gen_init_cpio": "755",
+            "**/sign-file": "755",
            "**/*": "644",
        },
        log = "info",
--- a/msm_platforms.bzl
+++ b/msm_platforms.bzl
@ -4,10 +4,12 @@ load(":kalama_oemvm.bzl", "define_kalama_oemvm")
 load(":pineapple.bzl", "define_pineapple")
 load(":pineapple_tuivm.bzl", "define_pineapple_tuivm")
 load(":pineapple_oemvm.bzl", "define_pineapple_oemvm")
+load(":msm_common.bzl", "define_signing_keys")
 load("//build:msm_kernel_extensions.bzl", "define_top_level_rules")

 def define_msm_platforms():
    define_top_level_rules()
+    define_signing_keys()
    define_kalama()
    define_kalama_tuivm()
    define_kalama_oemvm()