363 lines
13 KiB
Python
363 lines
13 KiB
Python
#
|
|
# Copyright (C) 2018 The Android Open Source Project
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
#
|
|
|
|
"""Unittests for validate_target_files.py."""
|
|
|
|
import os
|
|
import os.path
|
|
import shutil
|
|
import zipfile
|
|
|
|
import common
|
|
import test_utils
|
|
from rangelib import RangeSet
|
|
from validate_target_files import (ValidateVerifiedBootImages,
|
|
ValidateFileConsistency, CheckBuildPropDuplicity)
|
|
from verity_utils import CreateVerityImageBuilder
|
|
|
|
class ValidateTargetFilesTest(test_utils.ReleaseToolsTestCase):
|
|
|
|
def setUp(self):
|
|
self.testdata_dir = test_utils.get_testdata_dir()
|
|
|
|
def _generate_boot_image(self, output_file):
|
|
kernel = common.MakeTempFile(prefix='kernel-')
|
|
with open(kernel, 'wb') as kernel_fp:
|
|
kernel_fp.write(os.urandom(10))
|
|
|
|
cmd = ['mkbootimg', '--kernel', kernel, '-o', output_file]
|
|
proc = common.Run(cmd)
|
|
stdoutdata, _ = proc.communicate()
|
|
self.assertEqual(
|
|
0, proc.returncode,
|
|
"Failed to run mkbootimg: {}".format(stdoutdata))
|
|
|
|
cmd = ['boot_signer', '/boot', output_file,
|
|
os.path.join(self.testdata_dir, 'testkey.pk8'),
|
|
os.path.join(self.testdata_dir, 'testkey.x509.pem'), output_file]
|
|
proc = common.Run(cmd)
|
|
stdoutdata, _ = proc.communicate()
|
|
self.assertEqual(
|
|
0, proc.returncode,
|
|
"Failed to sign boot image with boot_signer: {}".format(stdoutdata))
|
|
|
|
@test_utils.SkipIfExternalToolsUnavailable()
|
|
def test_ValidateVerifiedBootImages_bootImage(self):
|
|
input_tmp = common.MakeTempDir()
|
|
os.mkdir(os.path.join(input_tmp, 'IMAGES'))
|
|
boot_image = os.path.join(input_tmp, 'IMAGES', 'boot.img')
|
|
self._generate_boot_image(boot_image)
|
|
|
|
info_dict = {
|
|
'boot_signer' : 'true',
|
|
}
|
|
options = {
|
|
'verity_key' : os.path.join(self.testdata_dir, 'testkey.x509.pem'),
|
|
}
|
|
ValidateVerifiedBootImages(input_tmp, info_dict, options)
|
|
|
|
@test_utils.SkipIfExternalToolsUnavailable()
|
|
def test_ValidateVerifiedBootImages_bootImage_wrongKey(self):
|
|
input_tmp = common.MakeTempDir()
|
|
os.mkdir(os.path.join(input_tmp, 'IMAGES'))
|
|
boot_image = os.path.join(input_tmp, 'IMAGES', 'boot.img')
|
|
self._generate_boot_image(boot_image)
|
|
|
|
info_dict = {
|
|
'boot_signer' : 'true',
|
|
}
|
|
options = {
|
|
'verity_key' : os.path.join(self.testdata_dir, 'verity.x509.pem'),
|
|
}
|
|
self.assertRaises(
|
|
AssertionError, ValidateVerifiedBootImages, input_tmp, info_dict,
|
|
options)
|
|
|
|
@test_utils.SkipIfExternalToolsUnavailable()
|
|
def test_ValidateVerifiedBootImages_bootImage_corrupted(self):
|
|
input_tmp = common.MakeTempDir()
|
|
os.mkdir(os.path.join(input_tmp, 'IMAGES'))
|
|
boot_image = os.path.join(input_tmp, 'IMAGES', 'boot.img')
|
|
self._generate_boot_image(boot_image)
|
|
|
|
# Corrupt the late byte of the image.
|
|
with open(boot_image, 'r+b') as boot_fp:
|
|
boot_fp.seek(-1, os.SEEK_END)
|
|
last_byte = boot_fp.read(1)
|
|
last_byte = bytes([255 - ord(last_byte)])
|
|
boot_fp.seek(-1, os.SEEK_END)
|
|
boot_fp.write(last_byte)
|
|
|
|
info_dict = {
|
|
'boot_signer' : 'true',
|
|
}
|
|
options = {
|
|
'verity_key' : os.path.join(self.testdata_dir, 'testkey.x509.pem'),
|
|
}
|
|
self.assertRaises(
|
|
AssertionError, ValidateVerifiedBootImages, input_tmp, info_dict,
|
|
options)
|
|
|
|
def _generate_system_image(self, output_file, system_root=None,
|
|
file_map=None):
|
|
prop_dict = {
|
|
'partition_size': str(1024 * 1024),
|
|
'verity': 'true',
|
|
'verity_block_device': '/dev/block/system',
|
|
'verity_key' : os.path.join(self.testdata_dir, 'testkey'),
|
|
'verity_fec': "true",
|
|
'verity_signer_cmd': 'verity_signer',
|
|
}
|
|
verity_image_builder = CreateVerityImageBuilder(prop_dict)
|
|
image_size = verity_image_builder.CalculateMaxImageSize()
|
|
|
|
# Use an empty root directory.
|
|
if not system_root:
|
|
system_root = common.MakeTempDir()
|
|
cmd = ['mkuserimg_mke2fs', '-s', system_root, output_file, 'ext4',
|
|
'/system', str(image_size), '-j', '0']
|
|
if file_map:
|
|
cmd.extend(['-B', file_map])
|
|
proc = common.Run(cmd)
|
|
stdoutdata, _ = proc.communicate()
|
|
self.assertEqual(
|
|
0, proc.returncode,
|
|
"Failed to create system image with mkuserimg_mke2fs: {}".format(
|
|
stdoutdata))
|
|
|
|
# Append the verity metadata.
|
|
verity_image_builder.Build(output_file)
|
|
|
|
@test_utils.SkipIfExternalToolsUnavailable()
|
|
def test_ValidateVerifiedBootImages_systemRootImage(self):
|
|
input_tmp = common.MakeTempDir()
|
|
os.mkdir(os.path.join(input_tmp, 'IMAGES'))
|
|
system_image = os.path.join(input_tmp, 'IMAGES', 'system.img')
|
|
self._generate_system_image(system_image)
|
|
|
|
# Pack the verity key.
|
|
verity_key_mincrypt = os.path.join(input_tmp, 'ROOT', 'verity_key')
|
|
os.makedirs(os.path.dirname(verity_key_mincrypt))
|
|
shutil.copyfile(
|
|
os.path.join(self.testdata_dir, 'testkey_mincrypt'),
|
|
verity_key_mincrypt)
|
|
|
|
info_dict = {
|
|
'system_root_image' : 'true',
|
|
'verity' : 'true',
|
|
}
|
|
options = {
|
|
'verity_key' : os.path.join(self.testdata_dir, 'testkey.x509.pem'),
|
|
'verity_key_mincrypt' : verity_key_mincrypt,
|
|
}
|
|
ValidateVerifiedBootImages(input_tmp, info_dict, options)
|
|
|
|
@test_utils.SkipIfExternalToolsUnavailable()
|
|
def test_ValidateVerifiedBootImages_nonSystemRootImage(self):
|
|
input_tmp = common.MakeTempDir()
|
|
os.mkdir(os.path.join(input_tmp, 'IMAGES'))
|
|
system_image = os.path.join(input_tmp, 'IMAGES', 'system.img')
|
|
self._generate_system_image(system_image)
|
|
|
|
# Pack the verity key into the root dir in system.img.
|
|
verity_key_mincrypt = os.path.join(input_tmp, 'ROOT', 'verity_key')
|
|
os.makedirs(os.path.dirname(verity_key_mincrypt))
|
|
shutil.copyfile(
|
|
os.path.join(self.testdata_dir, 'testkey_mincrypt'),
|
|
verity_key_mincrypt)
|
|
|
|
# And a copy in ramdisk.
|
|
verity_key_ramdisk = os.path.join(
|
|
input_tmp, 'BOOT', 'RAMDISK', 'verity_key')
|
|
os.makedirs(os.path.dirname(verity_key_ramdisk))
|
|
shutil.copyfile(
|
|
os.path.join(self.testdata_dir, 'testkey_mincrypt'),
|
|
verity_key_ramdisk)
|
|
|
|
info_dict = {
|
|
'verity' : 'true',
|
|
}
|
|
options = {
|
|
'verity_key' : os.path.join(self.testdata_dir, 'testkey.x509.pem'),
|
|
'verity_key_mincrypt' : verity_key_mincrypt,
|
|
}
|
|
ValidateVerifiedBootImages(input_tmp, info_dict, options)
|
|
|
|
@test_utils.SkipIfExternalToolsUnavailable()
|
|
def test_ValidateVerifiedBootImages_nonSystemRootImage_mismatchingKeys(self):
|
|
input_tmp = common.MakeTempDir()
|
|
os.mkdir(os.path.join(input_tmp, 'IMAGES'))
|
|
system_image = os.path.join(input_tmp, 'IMAGES', 'system.img')
|
|
self._generate_system_image(system_image)
|
|
|
|
# Pack the verity key into the root dir in system.img.
|
|
verity_key_mincrypt = os.path.join(input_tmp, 'ROOT', 'verity_key')
|
|
os.makedirs(os.path.dirname(verity_key_mincrypt))
|
|
shutil.copyfile(
|
|
os.path.join(self.testdata_dir, 'testkey_mincrypt'),
|
|
verity_key_mincrypt)
|
|
|
|
# And an invalid copy in ramdisk.
|
|
verity_key_ramdisk = os.path.join(
|
|
input_tmp, 'BOOT', 'RAMDISK', 'verity_key')
|
|
os.makedirs(os.path.dirname(verity_key_ramdisk))
|
|
shutil.copyfile(
|
|
os.path.join(self.testdata_dir, 'verity_mincrypt'),
|
|
verity_key_ramdisk)
|
|
|
|
info_dict = {
|
|
'verity' : 'true',
|
|
}
|
|
options = {
|
|
'verity_key' : os.path.join(self.testdata_dir, 'testkey.x509.pem'),
|
|
'verity_key_mincrypt' : verity_key_mincrypt,
|
|
}
|
|
self.assertRaises(
|
|
AssertionError, ValidateVerifiedBootImages, input_tmp, info_dict,
|
|
options)
|
|
|
|
@test_utils.SkipIfExternalToolsUnavailable()
|
|
def test_ValidateFileConsistency_incompleteRange(self):
|
|
input_tmp = common.MakeTempDir()
|
|
os.mkdir(os.path.join(input_tmp, 'IMAGES'))
|
|
system_image = os.path.join(input_tmp, 'IMAGES', 'system.img')
|
|
system_root = os.path.join(input_tmp, "SYSTEM")
|
|
os.mkdir(system_root)
|
|
|
|
# Write test files that contain multiple blocks of zeros, and these zero
|
|
# blocks will be omitted by kernel. Each test file will occupy one block in
|
|
# the final system image.
|
|
with open(os.path.join(system_root, 'a'), 'w') as f:
|
|
f.write('aaa')
|
|
f.write('\0' * 4096 * 3)
|
|
with open(os.path.join(system_root, 'b'), 'w') as f:
|
|
f.write('bbb')
|
|
f.write('\0' * 4096 * 3)
|
|
|
|
raw_file_map = os.path.join(input_tmp, 'IMAGES', 'raw_system.map')
|
|
self._generate_system_image(system_image, system_root, raw_file_map)
|
|
|
|
# Parse the generated file map and update the block ranges for each file.
|
|
file_map_list = {}
|
|
image_ranges = RangeSet()
|
|
with open(raw_file_map) as f:
|
|
for line in f.readlines():
|
|
info = line.split()
|
|
self.assertEqual(2, len(info))
|
|
image_ranges = image_ranges.union(RangeSet(info[1]))
|
|
file_map_list[info[0]] = RangeSet(info[1])
|
|
|
|
# Add one unoccupied block as the shared block for all test files.
|
|
mock_shared_block = RangeSet("10-20").subtract(image_ranges).first(1)
|
|
with open(os.path.join(input_tmp, 'IMAGES', 'system.map'), 'w') as f:
|
|
for key in sorted(file_map_list.keys()):
|
|
line = '{} {}\n'.format(
|
|
key, file_map_list[key].union(mock_shared_block))
|
|
f.write(line)
|
|
|
|
# Prepare for the target zip file
|
|
input_file = common.MakeTempFile()
|
|
all_entries = ['SYSTEM/', 'SYSTEM/b', 'SYSTEM/a', 'IMAGES/',
|
|
'IMAGES/system.map', 'IMAGES/system.img']
|
|
with zipfile.ZipFile(input_file, 'w', allowZip64=True) as input_zip:
|
|
for name in all_entries:
|
|
input_zip.write(os.path.join(input_tmp, name), arcname=name)
|
|
|
|
# Expect the validation to pass and both files are skipped due to
|
|
# 'incomplete' block range.
|
|
with zipfile.ZipFile(input_file) as input_zip:
|
|
info_dict = {'extfs_sparse_flag': '-s'}
|
|
ValidateFileConsistency(input_zip, input_tmp, info_dict)
|
|
|
|
@test_utils.SkipIfExternalToolsUnavailable()
|
|
def test_ValidateFileConsistency_nonMonotonicRanges(self):
|
|
input_tmp = common.MakeTempDir()
|
|
os.mkdir(os.path.join(input_tmp, 'IMAGES'))
|
|
system_image = os.path.join(input_tmp, 'IMAGES', 'system.img')
|
|
system_root = os.path.join(input_tmp, "SYSTEM")
|
|
os.mkdir(system_root)
|
|
|
|
# Write the test file that contain three blocks of 'a', 'b', 'c'.
|
|
with open(os.path.join(system_root, 'abc'), 'w') as f:
|
|
f.write('a' * 4096 + 'b' * 4096 + 'c' * 4096)
|
|
raw_file_map = os.path.join(input_tmp, 'IMAGES', 'raw_system.map')
|
|
self._generate_system_image(system_image, system_root, raw_file_map)
|
|
|
|
# Parse the generated file map and manipulate the block ranges of 'abc' to
|
|
# be 'cba'.
|
|
file_map_list = {}
|
|
with open(raw_file_map) as f:
|
|
for line in f.readlines():
|
|
info = line.split()
|
|
self.assertEqual(2, len(info))
|
|
ranges = RangeSet(info[1])
|
|
self.assertTrue(ranges.monotonic)
|
|
blocks = reversed(list(ranges.next_item()))
|
|
file_map_list[info[0]] = ' '.join([str(block) for block in blocks])
|
|
|
|
# Update the contents of 'abc' to be 'cba'.
|
|
with open(os.path.join(system_root, 'abc'), 'w') as f:
|
|
f.write('c' * 4096 + 'b' * 4096 + 'a' * 4096)
|
|
|
|
# Update the system.map.
|
|
with open(os.path.join(input_tmp, 'IMAGES', 'system.map'), 'w') as f:
|
|
for key in sorted(file_map_list.keys()):
|
|
f.write('{} {}\n'.format(key, file_map_list[key]))
|
|
|
|
# Get the target zip file.
|
|
input_file = common.MakeTempFile()
|
|
all_entries = ['SYSTEM/', 'SYSTEM/abc', 'IMAGES/',
|
|
'IMAGES/system.map', 'IMAGES/system.img']
|
|
with zipfile.ZipFile(input_file, 'w', allowZip64=True) as input_zip:
|
|
for name in all_entries:
|
|
input_zip.write(os.path.join(input_tmp, name), arcname=name)
|
|
|
|
with zipfile.ZipFile(input_file) as input_zip:
|
|
info_dict = {'extfs_sparse_flag': '-s'}
|
|
ValidateFileConsistency(input_zip, input_tmp, info_dict)
|
|
|
|
@staticmethod
|
|
def make_build_prop(build_prop):
|
|
input_tmp = common.MakeTempDir()
|
|
system_dir = os.path.join(input_tmp, 'SYSTEM')
|
|
os.makedirs(system_dir)
|
|
prop_file = os.path.join(system_dir, 'build.prop')
|
|
with open(prop_file, 'w') as output_file:
|
|
output_file.write("\n".join(build_prop))
|
|
return input_tmp
|
|
|
|
def test_checkDuplicateProps_noDuplicate(self):
|
|
build_prop = [
|
|
'ro.odm.build.date.utc=1578430045',
|
|
'ro.odm.build.fingerprint='
|
|
'google/coral/coral:10/RP1A.200325.001/6337676:user/dev-keys',
|
|
'ro.product.odm.device=coral',
|
|
]
|
|
input_tmp = ValidateTargetFilesTest.make_build_prop(build_prop)
|
|
CheckBuildPropDuplicity(input_tmp)
|
|
|
|
def test_checkDuplicateProps_withDuplicate(self):
|
|
build_prop = [
|
|
'ro.odm.build.date.utc=1578430045',
|
|
'ro.odm.build.date.utc=1578430049',
|
|
'ro.odm.build.fingerprint='
|
|
'google/coral/coral:10/RP1A.200325.001/6337676:user/dev-keys',
|
|
'ro.product.odm.device=coral',
|
|
]
|
|
input_tmp = ValidateTargetFilesTest.make_build_prop(build_prop)
|
|
|
|
self.assertRaises(ValueError, CheckBuildPropDuplicity, input_tmp)
|