Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 34ef33bf authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker
Browse files

Merge "Support fs-verity setup with null/no signature" am: 52d2b21a am: f56d37a8 

Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/2351935



Change-Id: I07ae569d9aa2866aeda34a72b6f2588bf7df2415
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents 2f58b09f f56d37a8

core/java/com/android/internal/security/VerityUtils.java

+16 −8
Original line number Original line Diff line number Diff line
@@ -17,6 +17,7 @@ 
package com.android.internal.security;

package com.android.internal.security;





import android.annotation.NonNull;

import android.annotation.NonNull;

import android.annotation.Nullable;

import android.os.Build;

import android.os.Build;

import android.os.SystemProperties;

import android.os.SystemProperties;

import android.system.Os;

import android.system.Os;
@@ -41,6 +42,7 @@ import java.nio.ByteBuffer; 
import java.nio.ByteOrder;

import java.nio.ByteOrder;

import java.nio.charset.StandardCharsets;

import java.nio.charset.StandardCharsets;

import java.nio.file.Files;

import java.nio.file.Files;

import java.nio.file.Path;

import java.nio.file.Paths;

import java.nio.file.Paths;

import java.security.cert.CertificateException;

import java.security.cert.CertificateException;

import java.security.cert.CertificateFactory;

import java.security.cert.CertificateFactory;
@@ -77,17 +79,23 @@ public abstract class VerityUtils { 
        return filePath + FSVERITY_SIGNATURE_FILE_EXTENSION;

        return filePath + FSVERITY_SIGNATURE_FILE_EXTENSION;

    }

    }





    /** Enables fs-verity for the file with a PKCS#7 detached signature file. */

    /** Enables fs-verity for the file with an optional PKCS#7 detached signature file. */

    public static void setUpFsverity(@NonNull String filePath, @NonNull String signaturePath)

    public static void setUpFsverity(@NonNull String filePath, @Nullable String signaturePath)

            throws IOException {

            throws IOException {

        if (Files.size(Paths.get(signaturePath)) > MAX_SIGNATURE_FILE_SIZE_BYTES) {

        byte[] rawSignature = null;

            throw new SecurityException("Signature file is unexpectedly large: " + signaturePath);

        if (signaturePath != null) {

            Path path = Paths.get(signaturePath);

            if (Files.size(path) > MAX_SIGNATURE_FILE_SIZE_BYTES) {

                throw new SecurityException("Signature file is unexpectedly large: "

                        + signaturePath);

            }

            }

        setUpFsverity(filePath, Files.readAllBytes(Paths.get(signaturePath)));

            rawSignature = Files.readAllBytes(path);

        }

        setUpFsverity(filePath, rawSignature);

    }

    }





    /** Enables fs-verity for the file with a PKCS#7 detached signature bytes. */

    /** Enables fs-verity for the file with an optional PKCS#7 detached signature bytes. */

    public static void setUpFsverity(@NonNull String filePath, @NonNull byte[] pkcs7Signature)

    public static void setUpFsverity(@NonNull String filePath, @Nullable byte[] pkcs7Signature)

            throws IOException {

            throws IOException {

        // This will fail if the public key is not already in .fs-verity kernel keyring.

        // This will fail if the public key is not already in .fs-verity kernel keyring.

        int errno = enableFsverityNative(filePath, pkcs7Signature);

        int errno = enableFsverityNative(filePath, pkcs7Signature);
@@ -227,7 +235,7 @@ public abstract class VerityUtils { 
    }

    }





    private static native int enableFsverityNative(@NonNull String filePath,

    private static native int enableFsverityNative(@NonNull String filePath,

            @NonNull byte[] pkcs7Signature);

            @Nullable byte[] pkcs7Signature);

    private static native int measureFsverityNative(@NonNull String filePath,

    private static native int measureFsverityNative(@NonNull String filePath,

            @NonNull byte[] digest);

            @NonNull byte[] digest);

    private static native int statxForFsverityNative(@NonNull String filePath);

    private static native int statxForFsverityNative(@NonNull String filePath);

core/jni/com_android_internal_security_VerityUtils.cpp

+12 −6
Original line number Original line Diff line number Diff line
@@ -48,10 +48,6 @@ int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath, jbyteArra 
    if (rfd.get() < 0) {

    if (rfd.get() < 0) {

        return errno;

        return errno;

    }

    }

    ScopedByteArrayRO signature_bytes(env, signature);

    if (signature_bytes.get() == nullptr) {

        return EINVAL;

    }





    fsverity_enable_arg arg = {};

    fsverity_enable_arg arg = {};

    arg.version = 1;

    arg.version = 1;
@@ -59,8 +55,18 @@ int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath, jbyteArra 
    arg.block_size = 4096;

    arg.block_size = 4096;

    arg.salt_size = 0;

    arg.salt_size = 0;

    arg.salt_ptr = reinterpret_cast<uintptr_t>(nullptr);

    arg.salt_ptr = reinterpret_cast<uintptr_t>(nullptr);



    if (signature != nullptr) {

        ScopedByteArrayRO signature_bytes(env, signature);

        if (signature_bytes.get() == nullptr) {

            return EINVAL;

        }

        arg.sig_size = signature_bytes.size();

        arg.sig_size = signature_bytes.size();

        arg.sig_ptr = reinterpret_cast<uintptr_t>(signature_bytes.get());

        arg.sig_ptr = reinterpret_cast<uintptr_t>(signature_bytes.get());

    } else {

        arg.sig_size = 0;

        arg.sig_ptr = reinterpret_cast<uintptr_t>(nullptr);

    }





    if (ioctl(rfd.get(), FS_IOC_ENABLE_VERITY, &arg) < 0) {

    if (ioctl(rfd.get(), FS_IOC_ENABLE_VERITY, &arg) < 0) {

        return errno;

        return errno;