Merge changes from topic "fsverity-init-cleanup" into main
* changes:
  init.rc: stop using fsverity_init --lock
  init: remove unfinished fsverity signature support for APEX sepolicy
commit
42164ff920
3 changed files with 3 additions and 51 deletions
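--- a/<build-file-path-not-on-page>
+++ b/<build-file-path-not-on-page>
@@ -166,11 +166,9 @@ libinit_cc_defaults {
 "libbootloader_message",
 "libc++fs",
 "libcgrouprc_format",
-"libfsverity_init",
 "liblmkd_utils",
 "liblz4",
 "libzstd",
-"libmini_keyctl_static",
 "libmodprobe",
 "libprocinfo",
 "libprotobuf-cpp-lite",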
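--- a/<cpp-file-path-not-on-page>
+++ b/<cpp-file-path-not-on-page>
@@ -74,10 +74,8 @@
 #include <android-base/unique_fd.h>
 #include <fs_avb/fs_avb.h>
 #include <fs_mgr.h>
-#include <fsverity_init.h>
 #include <libgsi/libgsi.h>
 #include <libsnapshot/snapshot.h>
-#include <mini_keyctl_utils.h>
 #include <selinux/android.h>
 #include <ziparchive/zip_archive.h>
 
@@ -510,7 +508,6 @@ bool OpenMonolithicPolicy(PolicyFile* policy_file) {
 
 constexpr const char* kSigningCertRelease =
 "/system/etc/selinux/com.android.sepolicy.cert-release.der";
-constexpr const char* kFsVerityProcPath = "/proc/sys/fs/verity";
 const std::string kSepolicyApexMetadataDir = "/metadata/sepolicy/";
 const std::string kSepolicyApexSystemDir = "/system/etc/selinux/apex/";
 const std::string kSepolicyZip = "SEPolicy.zip";
@@ -614,24 +611,6 @@ Result<void> GetPolicyFromApex(const std::string& dir) {
 return {};
 }
 
-Result<void> LoadSepolicyApexCerts() {
-key_serial_t keyring_id = android::GetKeyringId(".fs-verity");
-if (keyring_id < 0) {
-return Error() << "Failed to find .fs-verity keyring id";
-}
-
-// TODO(b/199914227) the release key should always exist. Once it's checked in, start
-// throwing an error here if it doesn't exist.
-if (access(kSigningCertRelease, F_OK) == 0) {
-LoadKeyFromFile(keyring_id, "fsv_sepolicy_apex_release", kSigningCertRelease);
-}
-return {};
-}
-
-Result<void> SepolicyFsVerityCheck() {
-return Error() << "TODO implement support for fsverity SEPolicy.";
-}
-
 Result<void> SepolicyCheckSignature(const std::string& dir) {
 std::string signature;
 if (!android::base::ReadFileToString(dir + kSepolicySignature, &signature)) {
@@ -654,18 +633,7 @@ Result<void> SepolicyCheckSignature(const std::string& dir) {
 return verifySignature(sepolicyStr, signature, *releaseKey);
 }
 
-Result<void> SepolicyVerify(const std::string& dir, bool supportsFsVerity) {
+Result<void> SepolicyVerify(const std::string& dir) {
-if (supportsFsVerity) {
-auto fsVerityCheck = SepolicyFsVerityCheck();
-if (fsVerityCheck.ok()) {
-return fsVerityCheck;
-}
-// TODO(b/199914227) If the device supports fsverity, but we fail here, we should fail to
-// boot and not carry on. For now, fallback to a signature checkuntil the fsverity
-// logic is implemented.
-LOG(INFO) << "Falling back to standard signature check. " << fsVerityCheck.error();
-}
-
 auto sepolicySignature = SepolicyCheckSignature(dir);
 if (!sepolicySignature.ok()) {
 return Error() << "Apex SEPolicy failed signature check";
@@ -698,23 +666,13 @@ void CleanupApexSepolicy() {
 // 6. Sets selinux into enforcing mode and continues normal booting.
 //
 void PrepareApexSepolicy() {
-bool supportsFsVerity = access(kFsVerityProcPath, F_OK) == 0;
-if (supportsFsVerity) {
-auto loadSepolicyApexCerts = LoadSepolicyApexCerts();
-if (!loadSepolicyApexCerts.ok()) {
-// TODO(b/199914227) If the device supports fsverity, but we fail here, we should fail
-// to boot and not carry on. For now, fallback to a signature checkuntil the fsverity
-// logic is implemented.
-LOG(INFO) << loadSepolicyApexCerts.error();
-}
-}
 // If apex sepolicy zip exists in /metadata/sepolicy, use that, otherwise use version on
 // /system.
 auto dir = (access((kSepolicyApexMetadataDir + kSepolicyZip).c_str(), F_OK) == 0)
 ? kSepolicyApexMetadataDir
 : kSepolicyApexSystemDir;
 
-auto sepolicyVerify = SepolicyVerify(dir, supportsFsVerity);
+auto sepolicyVerify = SepolicyVerify(dir);
 if (!sepolicyVerify.ok()) {
 LOG(INFO) << "Error: " << sepolicyVerify.error();
 // If signature verification fails, fall back to version on /system.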
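Review bot: After the fsverity branch is gone, SepolicyVerify (hunk at -654/+633) is reduced to calling SepolicyCheckSignature and replacing whatever it reported with the fixed string `"Apex SEPolicy failed signature check"`, so the underlying reason never reaches the `LOG(INFO) << "Error: " << sepolicyVerify.error();` line in PrepareApexSepolicy, which is the only record left of why the /metadata policy was rejected before falling back to /system. Carrying the detail through, `return Error() << "Apex SEPolicy failed signature check: " << sepolicySignature.error();`, costs nothing and makes a tampered or corrupt /metadata/sepolicy zip distinguishable from a missing signature file in the boot log. SepolicyVerify's body continues past the hunk, and the numbered step comment above PrepareApexSepolicy starts before the -698 hunk; if an earlier step still describes loading fs-verity certs, it should be updated with this change.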
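--- a/init.rc
+++ b/init.rc
@@ -1021,13 +1021,9 @@ on post-fs-data
 # Must start after 'derive_classpath' to have *CLASSPATH variables set.
 start odsign
 
-# Before we can lock keys and proceed to the next boot stage, wait for
-# odsign to be done with the key
+# Wait for odsign to be done with the key.
 wait_for_prop odsign.key.done 1
 
-# Lock the fs-verity keyring, so no more keys can be added
-exec -- /system/bin/fsverity_init --lock
-
 # Bump the boot level to 1000000000; this prevents further on-device signing.
 # This is a special value that shuts down the thread which listens for
 # further updates.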
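Review bot: The removed comment `# Lock the fs-verity keyring, so no more keys can be added` was the only place in init.rc that explained why this section waited for odsign before moving on, and nothing in the new text records why the lock is no longer needed, so the remaining `wait_for_prop odsign.key.done 1` now reads as an ordering constraint without a stated consumer. A one-line comment next to it along the lines of `# The fs-verity keyring is intentionally no longer locked here (see the fsverity-init-cleanup changes).` would stop a later reader from re-adding the exec out of caution. Whether the keyring is locked elsewhere after this change cannot be seen from this hunk; if it is not, the commit description should say so explicitly.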