Enable AVB for dynamic GSI (f.k.a. Live Image)

Bug: 117960205 Test: Use the dynamic Android to start GSI, checks verity is enabled. Change-Id: I93b321808ba278b162fec5e231bff7229cac3937
2019-01-28 21:50:06 +08:00 · 2019-01-28 21:50:06 +08:00 · ee6114fb1d
commit ee6114fb1d
parent 2dc8b4cec8
4 changed files with 30 additions and 16 deletions
--- a/fs_mgr/fs_mgr_fstab.cpp
+++ b/fs_mgr/fs_mgr_fstab.cpp
@ -979,12 +979,15 @@ int fs_mgr_is_checkpoint_blk(const struct fstab_rec* fstab) {
 }

 FstabEntry BuildGsiSystemFstabEntry() {
+    // .logical_partition_name is required to look up AVB Hashtree descriptors.
    FstabEntry system = {
            .blk_device = "system_gsi",
            .mount_point = "/system",
            .fs_type = "ext4",
            .flags = MS_RDONLY,
            .fs_options = "barrier=1",
+            .avb_key = "/gsi.avbpubkey",
+            .logical_partition_name = "system"
    };
    system.fs_mgr_flags.wait = true;
    system.fs_mgr_flags.logical = true;
--- a/fs_mgr/libfs_avb/fs_avb.cpp
+++ b/fs_mgr/libfs_avb/fs_avb.cpp
@ -383,7 +383,8 @@ AvbUniquePtr AvbHandle::Open() {
    return avb_handle;
 }

-AvbHashtreeResult AvbHandle::SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry) {
+AvbHashtreeResult AvbHandle::SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry,
+                                                        bool wait_for_verity_dev) {
    if (fstab_entry->avb_key.empty()) {
        LERROR << "avb_key=/path/to/key is missing for " << fstab_entry->mount_point;
        return AvbHashtreeResult::kFail;
@ -400,7 +401,7 @@ AvbHashtreeResult AvbHandle::SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry)
                   << " for mount point: " << fstab_entry->mount_point;
            return AvbHashtreeResult::kFail;
        }
-        // Use empty key blob, which means no expectation, if allow verification error.
+        LWARNING << "Allowing no expected key blob when verification error is permitted";
        expected_key_blob.clear();
    }

@ -423,7 +424,7 @@ AvbHashtreeResult AvbHandle::SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry)
    // Puts the vbmeta into a vector, for LoadAvbHashtreeToEnableVerity() to use.
    std::vector<VBMetaData> vbmeta_images;
    vbmeta_images.emplace_back(std::move(*vbmeta));
-    if (!LoadAvbHashtreeToEnableVerity(fstab_entry, true /* wait_for_verity_dev */, vbmeta_images,
+    if (!LoadAvbHashtreeToEnableVerity(fstab_entry, wait_for_verity_dev, vbmeta_images,
                                       fs_mgr_get_slot_suffix(), fs_mgr_get_other_slot_suffix())) {
        return AvbHashtreeResult::kFail;
    }
--- a/fs_mgr/libfs_avb/include/fs_avb/fs_avb.h
+++ b/fs_mgr/libfs_avb/include/fs_avb/fs_avb.h
@ -169,7 +169,8 @@ class AvbHandle {
    AvbHashtreeResult SetUpAvbHashtree(FstabEntry* fstab_entry, bool wait_for_verity_dev);

    // Similar to above, but loads the offline vbmeta from the end of fstab_entry->blk_device.
-    static AvbHashtreeResult SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry);
+    static AvbHashtreeResult SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry,
+                                                        bool wait_for_verity_dev = true);

    const std::string& avb_version() const { return avb_version_; }
    const VBMetaInfo& vbmeta_info() const { return vbmeta_info_; }
--- a/init/first_stage_mount.cpp
+++ b/init/first_stage_mount.cpp
@ -683,22 +683,31 @@ bool FirstStageMountVBootV2::GetDmVerityDevices() {
 }

 bool FirstStageMountVBootV2::SetUpDmVerity(FstabEntry* fstab_entry) {
+    AvbHashtreeResult hashtree_result;
+
    if (fstab_entry->fs_mgr_flags.avb) {
        if (!InitAvbHandle()) return false;
-        AvbHashtreeResult hashtree_result =
+        hashtree_result =
                avb_handle_->SetUpAvbHashtree(fstab_entry, false /* wait_for_verity_dev */);
-        switch (hashtree_result) {
-            case AvbHashtreeResult::kDisabled:
-                return true;  // Returns true to mount the partition.
-            case AvbHashtreeResult::kSuccess:
-                // The exact block device name (fstab_rec->blk_device) is changed to
-                // "/dev/block/dm-XX". Needs to create it because ueventd isn't started in init
-                // first stage.
-                return InitMappedDevice(fstab_entry->blk_device);
-            default:
-                return false;
-        }
+    } else if (!fstab_entry->avb_key.empty()) {
+        hashtree_result =
+                AvbHandle::SetUpStandaloneAvbHashtree(fstab_entry, false /* wait_for_verity_dev */);
+    } else {
+        return true;  // No need AVB, returns true to mount the partition directly.
    }
+
+    switch (hashtree_result) {
+        case AvbHashtreeResult::kDisabled:
+            return true;  // Returns true to mount the partition.
+        case AvbHashtreeResult::kSuccess:
+            // The exact block device name (fstab_rec->blk_device) is changed to
+            // "/dev/block/dm-XX". Needs to create it because ueventd isn't started in init
+            // first stage.
+            return InitMappedDevice(fstab_entry->blk_device);
+        default:
+            return false;
+    }
+
    return true;  // Returns true to mount the partition.
 }