Supporting Pixel 2 is going to require AVB v2 signing. The signing utility, avbtool, is Python, so that's a bit trickier for on-device signing.
From further testing by @topjohnwu it seems that AVB v2 signing might not be enforced currently on unlocked Pixel 2 bootloaders, so that's good news... for now at least, since we know Google also likes to change the rules, sometimes month-to-month, like they did on the Pixel with AVB v1.
Regardless, here's some fun I whipped up for anybody semi-savvy wanting to play around with on-device AVB v2 signing.
It's straight up using Python (all credit there to QPython) to run avbtool with a simple little wrapper script I wrote. This is labeled "-arm" because of this Python dependency, which is only built for ARM, but it should/does work on ARM64, and possibly x86 and x86_64 with the libhoudini compatibility layer. I'm not sure if MIPS/64 has a similar compatibility layer, so MIPS devices may be out of luck for now.
Unpack to /data/local/avbtool-arm or anywhere that isn't under /sdcard so that you can set executable permissions on my avbtool script and be able to run it.
Syntax is pretty straightforward, but it's complicated slightly by avbtool wanting the size of the partition so that it can pad the entire partition and place a footer at the end denoting the signature. So:
Code:
./avbtool add_hash_footer --image boot-new.img --partition_size $(wc -c < boot-original.img) --partition_name boot
where boot-new.img is your unsigned, repacked image, and boot-original.img is an untouched signed dump from the target device.
There's an embedded default testkey in avbtool, but I've also thrown in the other rsa testkey .pem files which can be used with some of the avbtool command-line options.
Happy hacking!
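A sanity check for the padded output, added here as an example that is not part of the original post or of avbtool: it reads the 64-byte footer from the end of the image and confirms that it points at a vbmeta blob inside the partition. The footer layout follows libavb's AvbFooter structure; `read_avb_footer` and `build_sample` are hypothetical names, and the sample image is constructed. It checks structure only, not the signature.

```python
import struct

FOOTER_FMT = "!4s2L3Q28x"  # magic, version major/minor, three u64 fields, reserved
FOOTER_SIZE = struct.calcsize(FOOTER_FMT)  # 64 bytes, big-endian, no padding


def read_avb_footer(image: bytes, partition_size: int) -> dict:
    """Parse and bounds-check the AVB footer at the end of a padded image."""
    if partition_size < FOOTER_SIZE or len(image) != partition_size:
        raise ValueError(f"image is {len(image)} bytes, expected {partition_size}")
    magic, major, minor, orig_size, vb_off, vb_size = struct.unpack(
        FOOTER_FMT, image[-FOOTER_SIZE:])
    if magic != b"AVBf":
        raise ValueError("no AVB footer at end of image")
    # The vbmeta blob must sit after the original image and before the footer.
    if not (orig_size <= vb_off and vb_off + vb_size <= partition_size - FOOTER_SIZE):
        raise ValueError("footer offsets fall outside the partition")
    if image[vb_off:vb_off + 4] != b"AVB0":
        raise ValueError("vbmeta header magic missing at vbmeta_offset")
    return {"version": (major, minor), "original_image_size": orig_size,
            "vbmeta_offset": vb_off, "vbmeta_size": vb_size}


def build_sample(partition_size: int = 16384) -> bytes:
    """Constructed image: fake payload, fake vbmeta blob, zero padding, footer."""
    payload = b"ANDROID!" + b"\x00" * 1000
    vbmeta = b"AVB0" + b"\x00" * 252  # constructed stand-in, not a signed blob
    vb_off = 4096  # assumption: vbmeta placed at the next 4096-byte boundary
    body = payload.ljust(vb_off, b"\x00") + vbmeta
    footer = struct.pack(FOOTER_FMT, b"AVBf", 1, 0,
                         len(payload), vb_off, len(vbmeta))
    return body.ljust(partition_size - FOOTER_SIZE, b"\x00") + footer


if __name__ == "__main__":
    print(read_avb_footer(build_sample(), 16384))
    try:
        read_avb_footer(b"\x00" * 16384, 16384)  # unsigned, zero-filled image
    except ValueError as err:
        print("rejected:", err)
```

On a real image, pass the file's bytes and the size of the original partition dump; a size mismatch means the output would not fill the partition it is flashed to.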