diff --git a/avb_boot_img.bzl b/avb_boot_img.bzl
index ca8a5204476e..e8cbe4f32dd1 100644
--- a/avb_boot_img.bzl
+++ b/avb_boot_img.bzl
@@ -1,3 +1,5 @@
+load("//build/kernel/kleaf:hermetic_tools.bzl", "hermetic_toolchain")
+
 def sign_boot_img(ctx):
     inputs = []
     inputs += ctx.files.artifacts
@@ -6,6 +8,8 @@ def sign_boot_img(ctx):
 
     outputs = ctx.actions.declare_file("{}/boot.img".format(ctx.label.name))
 
+    hermetic_tools = hermetic_toolchain.get(ctx)
+
     for artifact in ctx.files.artifacts:
         if artifact.basename == "boot.img":
             boot_img = artifact
@@ -16,7 +20,8 @@ def sign_boot_img(ctx):
 
     proplist = " ".join(["--prop {}".format(x) for x in ctx.attr.props])
 
-    command = """
+    command = hermetic_tools.setup
+    command += """
     cp {boot_img} {boot_dir}/{boot_name}
     {tool} add_hash_footer --image {boot_dir}/{boot_name} --algorithm SHA256_RSA4096 \
             --key {key} --partition_size {boot_partition_size} --partition_name boot \
@@ -36,6 +41,7 @@ def sign_boot_img(ctx):
         inputs = inputs,
         outputs = [outputs],
         command = command,
+        tools = hermetic_tools.deps,
         progress_message = "Signing boot image from artifacts",
     )
 
@@ -72,4 +78,7 @@ avb_sign_boot_image = rule(
             doc = "List of key:value pairs",
         ),
     },
+    toolchains = [
+        hermetic_toolchain.type,
+    ],
 )