diff --git a/README.md b/README.md
index 95d1aa7..f879886 100644
--- a/README.md
+++ b/README.md
@@ -385,6 +385,12 @@ Note that avbroot will validate that the prepatched image is compatible with the
 
 avbroot can be used for just re-signing an OTA by specifying `--rootless` instead of `--magisk`/`--prepatched`. With this option, the patched OTA will not be rooted. The only modification applied is the replacement of the OTA verification certificate so that the OS can be upgraded with future (patched) OTAs.
 
+### Skipping recovery OTA certificate patches
+
+avbroot can skip modifying `otacerts.zip` in the recovery image with the `--skip-recovery-ota-certs` option. **Do not do this unless you have a good reason to do so.** (For example, if you've already manually inserted the OTA certificate into a boot image specified with `--prepatched` or `--replace`.) When this option is used with `--rootless` (and `--dsu` is not specified), then no modifications are performed on any boot image besides ensuring they are properly signed.
+
+When manually adding the OTA certificate to a boot image, [verifying the patched OTA](#verifying-otas) afterwards is recommended to ensure that it was properly done.
+
 ### Replacing partitions
 
 avbroot supports replacing entire partitions in the OTA, even partitions that are not boot images (eg. `vendor_dlkm`). A partition can be replaced by passing in `--replace /path/to/partition.img`.
diff --git a/avbroot/src/cli/ota.rs b/avbroot/src/cli/ota.rs
index 54c777c..92ab162 100644
--- a/avbroot/src/cli/ota.rs
+++ b/avbroot/src/cli/ota.rs
@@ -201,7 +201,7 @@ fn patch_boot_images<'a, 'b: 'a>(
 let boot_partitions = required_images.iter_boot().collect::>();
 info!(
- "Patching boot images: {}",
+ "Candidate boot images: {}",
 joined(sorted(boot_partitions.iter())),
 );
@@ -1304,7 +1304,11 @@ pub fn patch_subcommand(cli: &PatchCli, cancel_signal: &AtomicBool) -> Result<()
 assert!(cli.root.rootless);
 };
 
- boot_patchers.push(Box::new(OtaCertPatcher::new(cert_ota.clone())));
+ if cli.skip_recovery_ota_certs {
+ warn!("Not inserting OTA certs into recovery image; sideloading further updates may fail");
+ } else {
+ boot_patchers.push(Box::new(OtaCertPatcher::new(cert_ota.clone())));
+ }
 
 if cli.dsu {
 boot_patchers.push(Box::new(DsuPubKeyPatcher::new(key_avb.to_public_key())));
@@ -1922,6 +1926,17 @@ pub struct PatchCli {
 )]
 pub ignore_prepatched_compat: u8,
 
+ /// Skip adding OTA certificate to recovery image.
+ ///
+ /// DO NOT USE THIS unless you've manually added the certificate to the
+ /// recovery image already. Otherwise, sideloading further updates will not
+ /// be possible.
+ ///
+ /// When this option is used with --rootless, the boot images in the OTA
+ /// will not be modified.
+ #[arg(long, help_heading = HEADING_OTHER)]
+ pub skip_recovery_ota_certs: bool,
+
 /// Add AVB public key to trusted keys for DSU.
 #[arg(long, help_heading = HEADING_OTHER)]
 pub dsu: bool,
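Review bot: The `cli.skip_recovery_ota_certs` branch in `patch_subcommand` drops `OtaCertPatcher` after only a `warn!`, so nothing visible in this hunk confirms that the signer's certificate is actually present in the recovery image's `otacerts.zip`. If the flag is passed by mistake, the result is a properly signed OTA whose recovery presumably still trusts only the certificates the input image shipped with, and the mismatch only surfaces later, at sideload time. Consider failing the run (or at least escalating the message) when the final recovery image does not contain `cert_ota`, reusing the check behind the verification step the README recommends, and record the intent next to the branch: `// Trust anchor for sideloaded OTAs is left as supplied; the caller must already have inserted cert_ota.` The function body starts and ends outside this hunk, so a later check may already exist.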
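Review bot: The help text on `skip_recovery_ota_certs` in `PatchCli` says the boot images "will not be modified" with --rootless, but the README text added in the same commit qualifies this twice: it holds only when `--dsu` is not given, and the images are still re-signed. Because this flag decides which certificates recovery ends up trusting, the `--help` output should carry the same caveats, e.g. `/// When this option is used with --rootless (and without --dsu), the boot` followed by `/// images in the OTA are only re-signed, not otherwise modified.` A closing sentence pointing to verifying the patched OTA afterwards, as the README does, would give CLI-only users the same safeguard.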