adb_debug.prop is migrated too. And ramdisk_available is added to all
dependencies.
Bug: 187196593
Test: boot
Change-Id: I59cd149e0021211b8fd59c44b93bbf18dc8637bf
Merged-In: I59cd149e0021211b8fd59c44b93bbf18dc8637bf
libavb is moving to use boringssl for crypto operations in user space
rather than using its own implementation. Link with libcrypto to
resolved the new dependencies.
Test: atest --host --host-unit-test-only --test-mapping system/core/fs_mgr/libfs_avb
Bug: 185329132
Change-Id: I412f4ef677aa6e29c5b67ffe5e3e8377640a2847
The latest kernel supports dm-verity has new error handling mode(panic).
However, there is no code to support in android.
Signed-off-by: JeongHyeon Lee <jhs2.lee@samsung.com>
Change-Id: Ib88ec258adb76ca4c88df1a78636f73f40604b40
remove duplicate postsubmit setup, they already run in host-unit-tests presubmit
Change-Id: I4065d7a50729a14911ec64f10082987d3f9ddcfc
Test:presubmit
Bug: 183622274
We should check FLAGS_VERIFICATION_DISABLED is set or not
after verifying the vbmeta digest against `androidboot.vbmeta.digest`
from bootloader. This is to ensure the /vbmeta content is not
changed since the bootloader has verified it.
We still allow vbmeta digest verification error if the device is
unlocked. Note that this change will introduce a limitation that
the device will not boot if:
1. The image is signed with FLAGS_VERIFICATION_DISABLED is set
2. The device state is locked
However, it should not be a concern as we shouldn't boot a locked
device without verification.
Bug: 179452884
Test: build image with BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2,
boot the device, then `adb shell touch /metadata/gsi/dsu/avb_enforce`.
Reboot the device, checks the device does not boot because
`androidboot.vbmeta.digest` is empty but AVB is enforced.
Change-Id: Id15a25403d16b36d528dc3b8998910807e801ad2
There more output lines of `avbtool` now, adjusts the expected
output of `avbtool info_image --image test.img` in the test
cases.
Bug: 178215452
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Change-Id: I924d6d97ef0a4c19c93017c2491bf251dfc51cae
The GKI verification VTS test will need to examine the boot partition's
hash descriptor, so add support to access this descriptor.
Bug: 148800209
Test: atest AvbTest#Boot
Change-Id: I92e32f61a265671ae0940c44147391f73776e66a
Avb keys used to verify a partition are stored in the first-stage
ramdisk. However, after /system is mounted, init will chroot into it.
This makes those keys inaccessible for later mounts, e.g., /vendor or
/product.
This change retains avb keys by reading all of them before chroot
into /system.
Note that it is intentional to perform public matching for both
preload_avb_key_blobs and fstab_entry.avb_keys in libfs_avb.
As some keys might only be availble before init chroots into /system,
e.g., /avb/key1 in the first-stage ramdisk, while other keys might
only be available after the chroot, e.g., /system/etc/avb/key2.
Bug: 147585411
Test: specify avb_keys for a partition and checks the keys are preloaded
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Change-Id: I6bd490c4215480db2937cdfc3fea0d616e224a91
Hard coding multiple keys in the avb_keys flag isn't flexible and
causes some pains when upgrading an Android codebase.
e.g., from Android 10 to Android 11.
This CL supports specifying a directory for the avb_keys
for fs_mgr to list then use the avb keys under the directory.
Bug: 144399552
Test: config a fstab using avb_keys as a dir to boot
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Change-Id: Ie74845d8c8e4aa45e8a9e3b862424cec641f8090
The test requires to load and verify vbmeta struct from partitions,
and thus needs adb root.
Bug: None
Test: atest libfs_avb_device_test
Change-Id: I4924d6e41edc78898d9ef9c3d7f52c9066f750b1
C++20 will require members in a designated initializer to be in order
unlike C99.
Bug: 139945549
Test: mm
Change-Id: I8804f7dd5cba1035ac7a2979a47b661d722f664a
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
This fixes a race condition where WaitForFile() after
GetDmDevicePathByName appears to succeed, but a subsequent operation on
the path fails. This can happen when CreateDevice() is called
immediately after a call to DeleteDevice (from any process), and the
path is re-used, enqueuing udev events to remove and re-add the block
device.
The fix for this is to introduce a new variant of CreateDevice() that
has a timeout parameter. When the timeout is positive, CreateDevice()
will wait for a /dev/block/mapper/by-uuid symlink to be created, which
signals that ueventd has finished processing the operation.
ueventd will now create these by-uuid symlinks for device-mapper nodes.
Unfortunately, the uuid is only available during "change" events, so we
have to special case device-mapper symlink creation. And since the uuid
is not available during "remove" events, we simply find matching links
to remove them.
This ensures that callers of CreateDevice() can use the device path
knowing that no asynchronous removals are pending. Code that uses the
old CreateDevice+WaitForFile pattern will be transitioned to the new
method.
Note that it is safe to ignore the timeout, or to use the "unsafe"
CreateDevice, if the caller ensures the path by other means. For example
first-stage init has no device removal, and regenerates uevents until
it has acquired all the paths it needs.
Finally, since libdm now inspects sysfs unconditionally, libdm consumers
need r_dir_file perms for sysfs_dm in their sepolicy. Additionally
linking to libdm now requires linking to libext2_uuid.
Bug: 135771280
Test: libdm_test
device flashes, boots
Change-Id: If5a7383ea38f32a7fbbcf24842dce6a668050a70
boot-debug.img is introduced to allow 'adb root' if the device is
unlocked, and it cannot be release signed. If /boot partition is chained
in AVB signing and boot-debug.img is used, avb_slot_verify() in
userspace will return AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED
and fs_mgr will refuse to boot. This CL treats the public key rejection
as non-fatal for chained vbmeta to continue booting, if the device is
unlocked.
Bug: 129508966
Test: can root with user load which /boot chained in AVB signing
Change-Id: Idfa8caffbb96f33702b1749afd2e2a59616ddba7
umount_all is the cleanup step for mount_all.
In particular, the mount_all builtin creates a verity device,
'postinstall-verity', for the following line:
system /postinstall ... ... slotselect_other,logical,avb_keys=...
cppreopt umounts /postinstall but doesn't destroy the postinstall-verity
device, causing OTA to fail (because it cannot destroy the
system_[other] device). umount_all also destroy the verity device.
Note that mount_all does not map system_[other]; it is mapped by
first stage init. Hence, umount_all doesn't destroy it either. The OTA
client is reponsible for unmapping the device itself.
Bug: 129988285
Test: flash, boot, then check `dmctl list devices`, then OTA
Change-Id: Id3ab65b3860b6ea6cfec310ab13652009c81f415
Merged-In: Id3ab65b3860b6ea6cfec310ab13652009c81f415
On some devices (e.g., emulator), init needs to read AVB footer from
a logical partition because:
1) Dynamic/logical partition is enabled
2) The partition is AVB chained, i.e., need to locate footer from the end
3) Logical partition is not understandable by bootloader,
but there is no bootloader in this case
Bug: 125540538
Bug: 128434470
Test: boot and force the fallback path, to check it can get logical path
Change-Id: Ie304bce234cbf0f938f386f7ce59235c851e0e2d
The FstabEntry.avb_key is renamed to FstabEntry.avb_keys, to
allow specifying multiple avb keys, separated by ':'
(because ',' is already used by fstab parsing).
Bug: 124013032
Test: boot live GSI with multiple allowed AVB keys
Change-Id: Iacd3472a1d5a659dfecf09ea6074d622658f4d0b
This commit extracts the security patch level (SPL), e.g.,
com.android.build.system.security_patch = 2019-04-05 from AVB property
descriptors when attempting to mount a standalone image (e.g., live
GSI). Then compares the SPL between the old system.img and the new live
system.img for rollback protection.
Bug: 122705329
Test: boot an old Live GSI, checks rollback is detected
Change-Id: I7aae58c0b2062a3ff57ed932ad58e7b604453fed
The client can include <fs_avb/fs_avb_util.h> to use the two new
functions to load vbmeta for a FstabEntry and extract the hash tree
descriptor from the loaded vbmeta, respectively.
// Given a FstabEntry, loads and verifies the vbmeta.
std::unique_ptr<VBMetaData> LoadAndVerifyVbmeta(...);
// Gets the hashtree descriptor with avb_partition_name from the vbmeta.
std::unique_ptr<FsAvbHashtreeDescriptor> GetHashtreeDescriptor(...);
Bug: 65470881
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Test: atest libfs_avb_device_test
Change-Id: I7d6619eb8140c14734ffb8f8a1b22cddd2f562f0
This allows the client to get the public key data without need to
provide the expected key data to load vbmeta. Then do the comparison by
themselves, to allow "key rotation".
Bug: 65470881
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Test: boot a device
Change-Id: Icd4e317c2f79cd35e46cdd14f858575ee692facd
The following static function has been added into class AvbHandle to
support loading the AVB hashtree descriptor to enable dm-verity for
a FstabEntry.
static AvbHashtreeResult SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry);
Bug: 112103720
Bug: 117960205
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Test: Add /system/etc/system_other.avbpubkey, then add
avb_key=/system/etc/system_other.avbpubkey into /system/etc/fstab.postinstall.
factory reset, boot a device and checks that system_other is
mounted with verity (see the serial log below)
Serial log:
-----------
init: [libfs_avb]Built verity table: '1 /dev/block/by-name/system_a
/dev/block/by-name/system_a 4096 4096 8521
8521 sha1 895ba03023a35172b393429fadad9ee228b39203
3405d16fec2cd12ad9e6b36d3bc983e1e83b5e09 10 use_fec_from_device
/dev/block/by-name/system_a fec_roots 2 fec_blocks 8589 fec_start 8589
restart_on_corruption ignore_zero_blocks'
init: [libfs_mgr]superblock s_max_mnt_count:65535,/dev/block/dm-7
init: [libfs_mgr]__mount(source=/dev/block/dm-7,target=/postinstall,type=ext4)=0:
Success
Change-Id: Ie339a43ff9c6a7d170e12ef466df666b98ddec19
This commits adds the following two public functions into
class AvbHandle, and verified by 'libfs_avb_test':
static AvbUniquePtr LoadAndVerifyVbmeta(); // loads inline vbmeta.
static AvbUniquePtr LoadAndVerifyVbmeta( // loads offline vbmeta.
const std::string& partition_name, const std::string& ab_suffix,
const std::string& ab_other_suffix, const std::string& expected_public_key,
const HashAlgorithm& hash_algorithm, bool allow_verification_error,
bool load_chained_vbmeta, bool rollback_protection,
std::function<std::string(const std::string&)> custom_device_path = nullptr);
The first function LoadAndVerifyVbmeta() will be used to replace Open(),
in a separate CL in the future. Many libfs_avb internal utils are added
into avb_util.cpp as well, which are verified by
'libfs_avb_internal_test'.
Bug: 112103720
Bug: 117960205
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Change-Id: I807b8af0b69c9a4511f6f120e9754aca5442830e
Damaged avb metadata can result in avb_slot_verify returning a
nullptr in avb_slot_data. Instead of an illegal access
violation in first_stage_init, we return the verify_result so
that it can be acted upon.
Test: confirm happenstance damaged vbmeta does not crash init.
Change-Id: I15be5bd32760bcc3418c5d8a943b016c0ddd56bc
This commit has the following changes:
1. Builds libfs_avb via "fs_mgr/libfs_avb/Android.bp" instead of
"fs_mgr/Android.bp", and removes the libfs_avb source
dependencies on "fs_mgr/fs_mgr_priv.h".
2. Moves static functions in fs_avb.cpp into util.cpp or
avb_util.cpp, depending on whether the function is related to
AVB or not.
3. Introduces two host unit tests: libfs_avb_test and
libfs_avb_internal_test, the former is to test public
<fs_avb/fs_avb.h> APIs, while the latter is to test libfs_avb
internal functions.
4. Splits fs_avb_unittest_util.* into:
- fs_avb_test_util.* (host static lib: libfs_avb_test_util),
- basic_test.cpp (host executable: libfs_avb_test)
Bug: 112103720
Bug: 117960205
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Test: boot a device
Change-Id: I11d6c9e9019e20b594d9321b9a28118d4806e5a7
Currently vbmeta images are stored in AvbSlotVerifyData defined in
libavb, which contains some fields that isn't needed by fs_mgr.
e.g., loaded_partition, rollback_indexes. Adding a new class VBMetaData
to replace it.
Bug: 112103720
Bug: 117960205
Test: boot crosshatch
Change-Id: I480461dad3c6aca7e028097662a3b06c3aa6646d
