fstab contains device- and soc- specific content that should reside in
/odm or /vendor partition. This change searches the fstab.${ro.hardware}
file from /odm/etc, /vendor/etc and /, then use the first one found.
Bug: 35811655
Test: boot sailfish
Change-Id: I82f89b41a849faedb64072a7cfc52d7424e1aaa1
With the early mount support in init, fstab entries of verified partitions
(e.g., /system, /vendor) will be moved into device tree in kernel image.
Those early mount fstab entries will be removed from the fstab file to
prevent duplicated and/or inconsistent settings.
This change adds a new function: fs_mgr_read_fstab_with_dt(), to return
the combined results from both places. It also removes
fs_mgr_read_fstab_file() from the public APIs and makes it as an
internal function.
Bug: 35811655
Test: early mount /vendor with dm-verity on sailfish
Change-Id: I2fba3614685bf9f852a789cda6f53013e2164e60
- This is to collect data to understand if e2fsck -f option
can be dropped wholly based on information from fs.
- Ideally e2fsck should not fix fs if it was clean shutdown
or if it is not enabling quota.
- The log is added to /dev/fscklogs/log and other system components
can collect it later.
TODO: add mechanism to distinguish old vs new fs generation tool.
bug: 32246772
Test: reboot and check saved logs under different shutdown conditions (clean, non-clean)
Change-Id: Id00fad4c5f8ebbb9f9908164a1026e415df06721
To start Treble VTS test, a single AOSP system.img will be flashed onto
the device. The size of AOSP system.img might be different than the
system partition size on device, making locating verity metadata fail
(at the last fixed size of the partition).
This change allows disabling dm-verity on system partition when the
device is unlocked (orange device state) with invalid metadata.
BUG: 35603549
Test: Boot bullhead with a different-sized system.img, checks verity is
not enabled via:
"adb shell getprop | grep partition.system.verified"
Change-Id: Id89d023e82c78ff1902ab7a528431cf7f65e49ad
During early mount property area is not initialized, and as a result an
'eng' build will always incorrectly be detected as a 'secure' build by
early mount code path resulting into verity error and consequent boot
loop.
The change here makes sure the is_device_secure() check works with /
without properties based on the 'eng' build based build flag so the
early mount code works fine both ways.
Bug: 35791581
Bug: 27805372
Test: Boot sailfish-{eng,userdebug} builds successfully w/ early
mount enabled
Change-Id: Icd101ccad56b669f49b60bbb3005d5be9f53b02b
Signed-off-by: Sandeep Patil <sspatil@google.com>
If Device tree values are read for comparison, they produce false
negatives with std::strings due to trailing '\0'. This change
consolidates the triming of trailing null into a single helper function
to be used everywhere fs_mgr reads DT values for comparison or other
reasons where it wishes to have the trailing null trimmed.
b/27805372
Test: Boot sailfish w/ early mount /vendor
Change-Id: If71efc830dc440323df764c7461867e71ed6515b
Signed-off-by: Sandeep Patil <sspatil@google.com>
Fixes the compatible check in fs_mgr_boot_config by consolidating the
check in a single privately exported function within fs_mgr (i.e.
is_dt_compatible()).
b/27805372
Test: Boot sailfish w/ early mount
Change-Id: Ie2d1646b81cf9eba8d16828ca8cf2c75156c294c
Signed-off-by: Sandeep Patil <sspatil@google.com>
With init parsing fstab fragments from kernel separately, the fs_mgr
would completely miss the device tree entries. That leads to things like
'adb remount' to go through without warning for verity even if /system
is verified. This happens because 'verity_update_state' completely
misses the partitions passed to android through the device tree.
solution is to teach fs_mgr about device tree fstab entries and add 2
new public APIs.
1. fs_mgr_read_fstab_dt() - reads device tree and returns fstab
generated from it.
2. fs_mgr_read_fstab_default() - reads both device tree fstab and
/fstab.{ro.hardware} and returns the combined table.
This also reduces the hardcoded /fstab.{ro.hardware} occurence only to
fs_mgr and for eveyone who wants to read the "default" fstab must be
changed to call fs_mgr_read_fstab_default() instead. e.g. adb.
b/27805372
Test: Angler was used since it has 2 early mounted partitions instead of
one. 1 verified and 1 unverified.
- Boot angler successfully without early mount
- Boot angler successfully with /vendor early mount and test if 'adb
remount' warns us about verity
- Boot angler successfully with both /system and /vendor early mounted
and ensure 'adb remount' warns us about verity.
- check partitions.system.verified status after /system early mount ot
ensure it is set to VERITY_MODE_DEFAULT.
- 'adb disable-verity' with early mounted /system doesn't work due to
missing changes in adb
TODO:
change adb to use the new fs_mgr_read_fstab_default() API
Change-Id: I82038d87c7a44488e938acce2cc1082c08f6f73a
Signed-off-by: Sandeep Patil <sspatil@google.com>
depending on when fs_mgr is trying to read the configuration passed into
the kernel commandline, it may be able to read it successfully.
Specially in the case when init has not initialized properties.
This change adds a new fs_mgr_get_boot_config() API to be used by all
fs_mgr code in order to get filesystem parameters specified in kernel
command line or device tree. This way the fs_mgr code doesn't have to
handle the "early" cases separately anywhere.
Test:
Tested angler boot with both /system and /vendor mounted in init
first stage.
Tested sailfish to make sure /vendor can be continued to be
mounted early without verity
Change-Id: I9a44cdfc32681f714c5d73ae55c3deda95c02545
While technically possible, the verification at boot basically will
block init for as long as the entire partition is read while nothing
else is running. Disallow that as this is not going to be used anywhere.
Bug: 27805372
Test: boot angler with verifyatboot fs_mgr option for early mounted
vendor partition. That resulted in a panic() as expected.
Change-Id: I9da5caa163cae8bce6dbfb630f0ed5605ea044a0
Signed-off-by: Sandeep Patil <sspatil@google.com>
Consequently this removes the 'early' version of the exact same API.
This is to be used by early mount code where we need to do
1. setup verity
2. create verity device
3. mount partition
as separate steps since that happens during init first stage.
b/27805372
Test: Boot sailfish successfully
Change-Id: I01abecfdfa210d3e240a291ddcb3d2e9ed39ede6
Signed-off-by: Sandeep Patil <sspatil@google.com>
The 'verify_dev' parameter for fs_mgr_setup_verity is confusing, since
it doesn't necessarily control the "verification" part of the function.
Instead, it merely allows the caller to skip the
wait_for_dm_verity_device part of the function. So, rename that
parameter for what it is.
b/27805372
Test: Boot sailfish
Change-Id: I024e02fd728f5cd5bb333d9c3b512861731fa215
Signed-off-by: Sandeep Patil <sspatil@google.com>
This is to be used in early mount case where we will have a fully
prepared fstab_rec. fs_mgr_do_mount() does a lot more checks and
spends time preparing verity / avb devices before it does the actual
mount.
b/33254008
Test: Boot sailfish
Change-Id: I4481b5af8d900c8b7e3355b7513c325d8f2ecff2
Signed-off-by: Sandeep Patil <sspatil@google.com>
The .clang-format is a symlink to ../init/.clang-format, which is merged
recently. As init is the major user of fs_mgr, it's better to keep the
style consistent.
Only recent newly-added files written by me are formatted. For other
files, let's format them gradually to keep 'git blame' intact.
Bug: None
Test: Device can boot with AVB
Change-Id: I5c72f23b38534d5bcef3e4f9f0f477fa40496433
'slot_suffix' for A/B devices *must* be provided in kernel command line
or in device tree. The removed code was unnecessarily looking it up in
the 'misc' partition.
b/33254008
Test: Boot sailfish
Change-Id: I329af2d9a98c34a941596779eb78d14337b864e5
Signed-off-by: Sandeep Patil <sspatil@google.com>
This reverts commit 22e8199175.
- revert for now. will collect more data to check safety.
bug: 32246772
Test: reboots
Change-Id: Ibbb39005c64b26e9990c271b0b949feafae17773
* changes:
init: fstab: add support to read fstab entries from device tree
init: early_mount: add support to mount non-verity partitions early
init: remove the existing early_mount code
init: refactor: add support for doing early coldboot
ueventd: make selinux labeling optional for device creation
This is done by parsing 'androidboot.fstab=<fstab>' kernel cmdline
option to get the fstab file that *only* specifies partitions to be
mounted early (i.e. in init's first stage).
Note that, the same fstab file may not be used as an argument to
mount_all later in the boot as that will cause fs_mgr to fail with
EBUSY.
TODO:
- Possibly add a new mount_mode so the same fstab can be used for
early_mount, 'mount_all --early/--late' etc.
- Add support for dm-verity enabled partitions to mount early.
- Add support for getting fstab arguments through DT instead of kernel
cmdline.
Bug: 27805372
Test:
Boot angler by passing a seperate fstab file using the kernel
cmdline option to mount vendor partition early, remove the vendor
partition entry from the main fstab file for the test.
Boot sailfish by passing a seperate fstab entry via device tree
to mount vendor partition early. Remove vendor partition entry from
the main fstab file for the test
Change-Id: I18785b893c54c8cee960ab44d5e8f83e5d624aa8
Signed-off-by: Sandeep Patil <sspatil@google.com>
Make the fs_mgr changes needed to support specifying aes-256-heh
filenames encryption. To do this, extend the "fileencryption" fstab
option to have the syntax
fileencryption=contents_encryption_mode[:filenames_encryption_mode].
The previous filenames encryption mode, aes-256-cts, remains supported
and will be used by default if no mode is explicitly specified.
For consistency, also make "aes-256-xts" an alias for the "software"
contents encryption mode.
Bug: 34712722
Change-Id: I74c0f5fe7cddde7055d7b031d96a2916ca611eb7
Remove polling_vbmeta_blk_device() as it tries to get /vbmeta entry
from fstab. Also move the polling of a partition inside read_from_partition()
in fs_mgr_avb_ops.cpp as it's where the reads happen.
Bug: 31264231
Test: Device can boot with AVB
Change-Id: Id717e160b085eca42eb9bc5eb2fa7e658bea3ad6
This is the minimal change just to replace KLOG_{INFO, WARNING, ERROR}
defined in <cutils/klog.h> to LOG()/PLOG() defined in
<android-base/logging.h>.
The logging.h uses program invocation name as the tag when logging.
e.g., init logs will have "init: ..." at the beginning in each line.
To facilitate debugging, this commit adds [libfs_mgr] after the tag,
and the resulting output will like this:
[ 11.278002] init: [libfs_mgr]Enabling dm-verity for system (mode 2)
[ 11.283309] init: [libfs_mgr]loading verity table: '1 /dev/block/platform/soc.0/f9824900.sdhci/by-name/system ...'
[ 11.337884] init: [libfs_mgr]Not running /system/bin/tune2fs on /dev/block/dm-0 (executable not in system image)
[ 11.362281] init: [libfs_mgr]__mount(source=/dev/block/dm-0,target=/system,type=ext4)=0
[ 11.376331] init: [libfs_mgr]Requested quota status is match on /dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor
[ 11.398237] init: [libfs_mgr]__mount(source=/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor,target=/vendor,type=ext4)=0
[ 11.410735] init: [libfs_mgr]Requested quota status is match on /dev/block/platform/soc.0/f9824900.sdhci/by-name/userdata
[ 11.426783] init: [libfs_mgr]check_fs(): mount(/dev/block/platform/soc.0/f9824900.sdhci/by-name/userdata,/data,ext4)=-1: Invalid argument
[ 11.439154] init: [libfs_mgr]Running /system/bin/e2fsck on /dev/block/platform/soc.0/f9824900.sdhci/by-name/userdata
Bug: 34336098
Test: check device can boot
Change-Id: Idcbaca1050e2d8eabe1e4510a0af03aa0312d03a
dm_target_spec->next should be set to the next multiple of 8.
It doesn't matter before because dm_ioctl->target_count is set to 1 so
only the first dm_target_spec will be processed.
Bug: None
Test: check device can boot with dm-verity
Change-Id: I96b9b0307a40b05640db06d1c614c16d8144bb47
This is the minimal change just to keep it building, and doesn't
attempt to clean up the code.
Bug: 34336098
Test: check device can boot
Change-Id: I5ff897874f1f14a9a5d1f14fedf1b0749e86dbb3
external/avb/libavb provides the new Android Verified Boot (AVB) flow.
It has different verity metadata format than previous formats in
fs_mgr_verity.cpp fs_mgr should support using libavb to read the metadata
(a.k.a. HASHTREE descriptor in AVB) to enable dm-verity in kernel.
Two important files in this commit:
- fs_mgr_avb_ops.c: an implementation of struct AvbOps* for libavb to do
platform dependent I/O operations, e.g., read_from_partition.
- fs_mgr_avb.cpp: it reads the metadata (a.k.a. vbmeta images in AVB) from
all partitions, verifies its integrity against the values of
androidboot.vbmeta.{hash_alg, size, digest} passed from bootloader in
kernel command line. Then enable dm-verity for partitions having the
corresponding HASHTREE descriptor and with an 'avb' fstab flag.
Bug: 31264231
Test: Enable dm-verity on /system partition
Test: Enable dm-verity with FEC on /system partition
Change-Id: I4652806984fe5a30c61be0839135b5ca78323d38
When doing a factory reset in recovery, flash erase & logical block
sizes are needed for tuning the parameters of the new userdata image.
Add flags to allow this information to be stored in recovery.fstab
Test: Factory reset marlin & confirm userdata is rebuilt correctly
Bug: 33243520
Change-Id: I6c4414d4e9026be4a3646523656ac151e93015e7
Signed-off-by: Connor O'Brien <connoro@google.com>
Pointer from strdup is lost hence triggers mem leak warning from
clang, since ptr returned from basename may not point to start of
duplicated string any more.
Switch to use gnu version of basename which doesn't modify input
string so that strdup is no longer necessary.
Bug: 27126348
Test: compile
Change-Id: I937a68c01c223230932c932bffdd35da6503c3c4
Make the code more C++-ish by replacing char* or char** with
std::string&.
Bug: 31264231
Test: check device can boot with dm-verity
Change-Id: Ie3ca3f449b52959d1a7b2887d722eb5ce366c4f9
This commits moves some common functions out of fs_mgr_verity.cpp to be
reused by other verified boot flows. It includes:
- Move common functions into fs_mgr.c
- Move dm_ioctl related functions to a new file: fs_mgr_dm_ioctl.cpp
Bug: 31264231
Test: check device can boot with dm-verity
Change-Id: Iaa0d8031efbaae12aa28f872f62d3fc3d3763b51
This now combines all the "libsparse" libraries into the same soong
target. A minor side-effect of this change is that the libsparse
static library depends on the libz shared library instead of the libz
static library. This minor change has no effect since targets using
the static libsparse library need to explicitly include either the
static libz or the shared one.
Bug: 34220783
Change-Id: I8f41586cf4c3336791cfa57ab4f5ae59a76d7ffa
This allows a remount to be performed on partitions which have been
verified at boot, without causing the verity service to complain of
"corrupted" blocks that could have been modified as a result of a
remount (while the verity checksum remained unchanged).
(cherry picked from commit dd78ae75ff)
Bug: 32638755
Test: Compile
Change-Id: I77cf7dd20ee5c5f5dac80f73f292e32583fe5906
Running dm-verity on heavily accessed partitions leads to performance
slowdowns, especially on low-RAM and slow-CPU devices.
This patch introduces a flag to allow an entire verified partition to be
read once at boot, to check for corruptions. If the reads are
successful, we can mount the partition as raw & read-only, and if not,
we can revert to mounting it as a verity partition, just like before.
Usage of this flag will entail a slowdown of time-to-boot, but should
lead to improvements in runtime performance.
(cherry picked from commit 34543c03e6)
Bug: 32433608
Test: Compile
Change-Id: I97717683a00ad6fa347e63b72b1a9bf1d2946315
