Revert "Set earlyBootEnded before apex starts"

Revert "Cryptographic security for MAX_BOOT_LEVEL" Revert submission 1660531-max-boot-level-crypto Reason for revert: broken test com.android.tests.odsign.OnDeviceSigningHostTest#verifyArtUpgradeSignsFiles on aosp-master on aosp_cf_x86_64_phone-userdebug at 7261517 Reverted Changes: Ia3b968afc:Set earlyBootEnded before apex starts Ia69891291:Expose AID_KEYSTORE I12530cd13:Cryptographic security for MAX_BOOT_LEVEL Bug: 184635938 Change-Id: Ibf63734a02a2c132142671c0fae5d0177bf46079 Test: forrest run for the broken test
2021-04-06 16:07:07 +00:00 · 2021-04-06 16:07:07 +00:00 · 82cfe66794
commit 82cfe66794
parent 02e0ddcaf9
1 changed files with 16 additions and 25 deletions
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@ -471,6 +471,9 @@ on init
    chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
    start lmkd

+    # Set an initial boot level - start at 10 in case we need to add earlier ones.
+    setprop keystore.boot_level 10
+
    # Start essential services.
    start servicemanager
    start hwservicemanager
@ -627,6 +630,8 @@ on late-fs
    write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1

 on post-fs-data
+    # Boot level 30 - at this point daemons like apexd and odsign run
+    setprop keystore.boot_level 30

    mark_post_data

@ -647,9 +652,6 @@ on post-fs-data
    mkdir /data/bootchart 0755 shell shell encryption=Require
    bootchart start

-    # Avoid predictable entropy pool. Carry over entropy from previous boot.
-    copy /data/system/entropy.dat /dev/urandom
-
    mkdir /data/vendor 0771 root root encryption=Require
    mkdir /data/vendor_ce 0771 root root encryption=None
    mkdir /data/vendor_de 0771 root root encryption=None
@ -665,23 +667,6 @@ on post-fs-data
    # Make sure that apexd is started in the default namespace
    enter_default_mount_ns

-    # set up keystore directory structure first so that we can end early boot
-    # and start apexd
-    mkdir /data/misc 01771 system misc encryption=Require
-    mkdir /data/misc/keystore 0700 keystore keystore
-
-    # Boot level 30
-    # odsign signing keys have MAX_BOOT_LEVEL=30
-    # This is currently the earliest boot level, but we start at 30
-    # to leave room for earlier levels.
-    setprop keystore.boot_level 30
-
-    # Now that /data is mounted and we have created /data/misc/keystore,
-    # we can tell keystore to stop allowing use of early-boot keys,
-    # and access its database for the first time to support creation and
-    # use of MAX_BOOT_LEVEL keys.
-    exec - system system -- /system/bin/vdc keymaster earlyBootEnded
-
    # /data/apex is now available. Start apexd to scan and activate APEXes.
    mkdir /data/apex 0755 root system encryption=None
    mkdir /data/apex/active 0755 root system
@ -693,7 +678,11 @@ on post-fs-data
    mkdir /data/apex/ota_reserved 0700 root system encryption=Require
    start apexd

-    # create rest of basic filesystem structure
+    # Avoid predictable entropy pool. Carry over entropy from previous boot.
+    copy /data/system/entropy.dat /dev/urandom
+
+    # create basic filesystem structure
+    mkdir /data/misc 01771 system misc encryption=Require
    mkdir /data/misc/recovery 0770 system log
    copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1
    chmod 0440 /data/misc/recovery/ro.build.fingerprint.1
@ -717,6 +706,7 @@ on post-fs-data
    mkdir /data/misc/nfc 0770 nfc nfc
    mkdir /data/misc/nfc/logs 0770 nfc nfc
    mkdir /data/misc/credstore 0700 credstore credstore
+    mkdir /data/misc/keystore 0700 keystore keystore
    mkdir /data/misc/gatekeeper 0700 system system
    mkdir /data/misc/keychain 0771 system system
    mkdir /data/misc/net 0750 root shell
@ -924,13 +914,14 @@ on post-fs-data
    # odsign to be done with the key
    wait_for_prop odsign.key.done 1

+    # After apexes are mounted, tell keymaster early boot has ended, so it will
+    # stop allowing use of early-boot keys
+    exec - system system -- /system/bin/vdc keymaster earlyBootEnded
+
    # Lock the fs-verity keyring, so no more keys can be added
    exec -- /system/bin/fsverity_init --lock

-    # Bump the boot level to 1000000000; this prevents further on-device signing.
-    # This is a special value that shuts down the thread which listens for
-    # further updates.
-    setprop keystore.boot_level 1000000000
+    setprop keystore.boot_level 40

    # Allow apexd to snapshot and restore device encrypted apex data in the case
    # of a rollback. This should be done immediately after DE_user data keys