From 150483e3a1d7e88e6827d8ba11ec7a8b9e3688f7 Mon Sep 17 00:00:00 2001
From: Armelle Laine
Date: Thu, 21 Nov 2024 03:11:51 +0000
Subject: [PATCH 1/3] trusty: utils: rpmb_dev: secure storage support for test VM
Bug: 367423387
Test: start storageprxyd_test_system
Change-Id: Ia9c07d9872a2975c4bd621c16a5df437e8a0736b
---
 trusty/trusty-storage-cf.mk | 1 +
 trusty/utils/rpmb_dev/Android.bp | 9 +++
 trusty/utils/rpmb_dev/rpmb_dev.test.system.rc | 56 +++++++++++++++++++
 3 files changed, 66 insertions(+)
 create mode 100644 trusty/utils/rpmb_dev/rpmb_dev.test.system.rc
diff --git a/trusty/trusty-storage-cf.mk b/trusty/trusty-storage-cf.mk
index 3b46445da..acefd3e99 100644
--- a/trusty/trusty-storage-cf.mk
+++ b/trusty/trusty-storage-cf.mk
@@ -22,4 +22,5 @@ PRODUCT_PACKAGES += \
 storageproxyd.system \
 rpmb_dev.system \
+ rpmb_dev.test.system \
diff --git a/trusty/utils/rpmb_dev/Android.bp b/trusty/utils/rpmb_dev/Android.bp
index ef23cc50f..2f362e8b7 100644
--- a/trusty/utils/rpmb_dev/Android.bp
+++ b/trusty/utils/rpmb_dev/Android.bp
@@ -58,3 +58,12 @@ cc_binary {
 "rpmb_dev.wv.system.rc",
 ],
 }
+
+cc_binary {
+ name: "rpmb_dev.test.system",
+ defaults: ["rpmb_dev.cc_defaults"],
+ system_ext_specific: true,
+ init_rc: [
+ "rpmb_dev.test.system.rc",
+ ],
+}
diff --git a/trusty/utils/rpmb_dev/rpmb_dev.test.system.rc b/trusty/utils/rpmb_dev/rpmb_dev.test.system.rc
new file mode 100644
index 000000000..2127798e1
--- /dev/null
+++ b/trusty/utils/rpmb_dev/rpmb_dev.test.system.rc
@@ -0,0 +1,56 @@
+service trusty_test_vm /apex/com.android.virt/bin/vm run \
+ /data/local/tmp/TrustyTestVM_UnitTests/trusty-test_vm-config.json
+ disabled
+ user system
+ group system
+
+service storageproxyd_test_system /system_ext/bin/storageproxyd.system \
+ -d VSOCK:${trusty.test_vm.vm_cid}:1 \
+ -r /dev/socket/rpmb_mock_test_system \
+ -p /data/secure_storage_test_system \
+ -t sock
+ disabled
+ class hal
+ user system
+ group system
+
+service rpmb_mock_init_test_system /system_ext/bin/rpmb_dev.test.system \
+ --dev /mnt/secure_storage_rpmb_test_system/persist/RPMB_DATA --init --size 2048
+ disabled
+ user system
+ group system
+ oneshot
+
+service rpmb_mock_test_system /system_ext/bin/rpmb_dev.test.system \
+ --dev /mnt/secure_storage_rpmb_test_system/persist/RPMB_DATA \
+ --sock rpmb_mock_test_system
+ disabled
+ user system
+ group system
+ socket rpmb_mock_test_system stream 660 system system
+
+# RPMB Mock
+on post-fs-data
+ # Create a persistent location for the RPMB data
+ # (work around lack of RPMb block device on CF).
+ # file contexts secure_storage_rpmb_system_file
+ # (only used on Cuttlefish as this is non secure)
+ mkdir /metadata/secure_storage_rpmb_test_system 0770 system system
+ mkdir /mnt/secure_storage_rpmb_test_system 0770 system system
+ symlink /metadata/secure_storage_rpmb_test_system \
+ /mnt/secure_storage_rpmb_test_system/persist
+ # Create a system persist directory in /metadata
+ # (work around lack of dedicated system persist partition).
+ # file contexts secure_storage_persist_system_file
+ mkdir /metadata/secure_storage_persist_test_system 0770 system system
+ mkdir /mnt/secure_storage_persist_test_system 0770 system system
+ symlink /metadata/secure_storage_persist_test_system \
+ /mnt/secure_storage_persist_test_system/persist
+ # file contexts secure_storage_system_file
+ mkdir /data/secure_storage_test_system 0770 root system
+ symlink /mnt/secure_storage_persist_test_system/persist \
+ /data/secure_storage_test_system/persist
+ chown root system /data/secure_storage_test_system/persist
+ # setprop storageproxyd_test_system.trusty_ipc_dev VSOCK:${trusty.test_vm.vm_cid}:1
+ exec_start rpmb_mock_init_test_system
+ start rpmb_mock_test_system
From ee7a713757314366023e855a76ff17943b6b9296 Mon Sep 17 00:00:00 2001
From: "Isaac J. Manjarres"
Date: Tue, 3 Dec 2024 09:42:56 -0800
Subject: [PATCH 2/3] ashmem: Ensure all memfds have non-executable permissions by default
Currently, memfds are created with executable permissions, meaning that one can load a binary into a memfd buffer and use fexecve() to run said binary. This is not desirable for security reasons, and also does not match with the behavior that the ashmem driver currently supports. When the ashmem driver is in use, /dev/ashmem* does not have executable permissions, so fexecve() cannot be used on those buffers. Linux kernels 6.3+ offer MFD_NOEXEC_SEAL as part of the memfd interface, which allows one to create memfds with non-executable permissions. Furthermore, the executable permissions cannot be changed on these memfds. This matches the expected behavior that ashmem provided, so allow memfd usage only if MFD_NOEXEC_SEAL is supported, and create memfds with non-executable permissions by default.
Bug: 111903542
Change-Id: Ibb2c2be3c118ead44fc12bcd2b63dcf6f83c9b03
Signed-off-by: Isaac J. Manjarres
---
 libcutils/ashmem-dev.cpp | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
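Review bot: Nothing at the top of the new rc file states that it is test-only and non-secure, even though the trusty-storage-cf.mk hunk adds `rpmb_dev.test.system` to PRODUCT_PACKAGES for that product: the `rpmb_mock_*` services back the RPMB with a plain file under /metadata (the inline comment itself calls this "non secure"), and `trusty_test_vm` boots the VM from a config under /data/local/tmp. A header comment such as `# Test-only Trusty secure-storage setup for the Cuttlefish test VM: RPMB is mocked by a plain file and the VM config is read from /data/local/tmp, so nothing here is tamper-resistant; never include in production products.` would make the intent explicit instead of burying it in the post-fs-data action. The commented-out `# setprop storageproxyd_test_system.trusty_ipc_dev ...` line is dead configuration and should be removed or given a comment explaining why it is kept. The `chown root system /data/secure_storage_test_system/persist` is applied to the symlink created two lines above; if the intent is to own the target directory, confirm that init's chown follows the link here.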
diff --git a/libcutils/ashmem-dev.cpp b/libcutils/ashmem-dev.cpp
index 46b8ef263..cebfa5d12 100644
--- a/libcutils/ashmem-dev.cpp
+++ b/libcutils/ashmem-dev.cpp
@@ -114,8 +114,14 @@ static bool __has_memfd_support() {
 // Check if kernel support exists, otherwise fall back to ashmem.
 // This code needs to build on old API levels, so we can't use the libc
 // wrapper.
+ //
+ // MFD_NOEXEC_SEAL is used to match the semantics of the ashmem device,
+ // which did not have executable permissions. This also seals the executable
+ // permissions of the buffer (i.e. they cannot be changed by fchmod()).
+ //
+ // MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING.
 android::base::unique_fd fd(
- syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_ALLOW_SEALING));
+ syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_NOEXEC_SEAL));
 if (fd == -1) {
 ALOGE("memfd_create failed: %s, no memfd support.\n", strerror(errno));
 return false;
@@ -289,7 +295,13 @@ int ashmem_valid(int fd)
 static int memfd_create_region(const char* name, size_t size) {
 // This code needs to build on old API levels, so we can't use the libc
 // wrapper.
- android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_ALLOW_SEALING));
+ //
+ // MFD_NOEXEC_SEAL to match the semantics of the ashmem device, which did
+ // not have executable permissions. This also seals the executable
+ // permissions of the buffer (i.e. they cannot be changed by fchmod()).
+ //
+ // MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING.
+ android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_NOEXEC_SEAL));
 if (fd == -1) {
 ALOGE("memfd_create(%s, %zd) failed: %s\n", name, size, strerror(errno));
From 683e3c07614f452baf3e18f67a1140988709b0f2 Mon Sep 17 00:00:00 2001
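Review bot: In `__has_memfd_support` the failure log after the changed `syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_NOEXEC_SEAL)` still reads "no memfd support", but with this change the same branch is now taken on every boot of a pre-6.3 kernel that has memfd yet rejects the unknown `MFD_NOEXEC_SEAL` flag with EINVAL, and an expected fallback is reported at error level. Consider `ALOGE("memfd_create(MFD_NOEXEC_SEAL) failed: %s, falling back to ashmem.\n", strerror(errno));` (or a lower severity) so the reason for the ashmem fallback is diagnosable from logcat. The `memfd_create_region` hunk makes the same flag change and its message is equally silent about the flag; since the commit relies on the probe failing to gate memfd use, a comment tying the two together, e.g. `// Must use the same flags as the probe in __has_memfd_support(): without MFD_NOEXEC_SEAL the kernel is treated as having no memfd support.`, would help the next maintainer keep them in sync. Both `__has_memfd_support` and `memfd_create_region` continue outside their hunks, and whether `MFD_NOEXEC_SEAL` is defined in the UAPI headers of every API level this file is built against is not visible here and worth confirming.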
From: Dennis Shen
Date: Thu, 26 Sep 2024 13:36:18 +0000
Subject: [PATCH 3/3] Start aconfigd socket defined in configinfra mainline module
Context: to have better future updatability. The responsiblity of managing mainline module storage files and a socket service for flag overrides will be moved to the configinfra mainline module. Later, aconfigd on /system will only be repsopnsbile for managing platform partition storage files.
Bug: b/369810972
Test: m, launch avd and then inspect the logcat log to confirm the service is launched.
Change-Id: I490e5aa432fa4afa236689ad0999e5602f7d297e
---
 rootdir/init.rc | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index e487797aa..ae6a6588b 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -1004,6 +1004,11 @@ on post-fs-data
 exec_start system_aconfigd_mainline_init
 start system_aconfigd_socket_service
+ # start mainline aconfigd init, after transition, the above system_aconfigd_mainline_init
+ # will be deprecated
+ exec_start mainline_aconfigd_init
+ start mainline_aconfigd_socket_service
+
 # Create directories for boot animation.
 mkdir /data/misc/bootanim 0755 system system
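Review bot: `mainline_aconfigd_init` and `mainline_aconfigd_socket_service` are not defined in init.rc; per the commit message they are supplied by the configinfra mainline module, so if that module's rc has not been parsed when this `on post-fs-data` action runs, or the module is absent on a device, init is expected to log an error for the `exec_start`/`start` and continue rather than run the service. Confirm the ordering against the point where init loads APEX rc files, and have the added comment name the defining module and the transition bug so the now-duplicated `system_aconfigd_mainline_init` / `system_aconfigd_socket_service` lines have a clear removal point, e.g. `# Started from the configinfra mainline module's rc; replaces system_aconfigd_mainline_init / system_aconfigd_socket_service above once the transition (b/369810972) completes.` The surrounding `on post-fs-data` action extends well beyond the hunk on both sides.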