Loading core/java/com/android/internal/security/VerityUtils.java +16 −8 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ package com.android.internal.security; import android.annotation.NonNull; import android.annotation.Nullable; import android.os.Build; import android.os.SystemProperties; import android.system.Os; Loading @@ -41,6 +42,7 @@ import java.nio.ByteBuffer; import java.nio.ByteOrder; import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; Loading Loading @@ -77,17 +79,23 @@ public abstract class VerityUtils { return filePath + FSVERITY_SIGNATURE_FILE_EXTENSION; } /** Enables fs-verity for the file with a PKCS#7 detached signature file. */ public static void setUpFsverity(@NonNull String filePath, @NonNull String signaturePath) /** Enables fs-verity for the file with an optional PKCS#7 detached signature file. */ public static void setUpFsverity(@NonNull String filePath, @Nullable String signaturePath) throws IOException { if (Files.size(Paths.get(signaturePath)) > MAX_SIGNATURE_FILE_SIZE_BYTES) { throw new SecurityException("Signature file is unexpectedly large: " + signaturePath); byte[] rawSignature = null; if (signaturePath != null) { Path path = Paths.get(signaturePath); if (Files.size(path) > MAX_SIGNATURE_FILE_SIZE_BYTES) { throw new SecurityException("Signature file is unexpectedly large: " + signaturePath); } setUpFsverity(filePath, Files.readAllBytes(Paths.get(signaturePath))); rawSignature = Files.readAllBytes(path); } setUpFsverity(filePath, rawSignature); } /** Enables fs-verity for the file with a PKCS#7 detached signature bytes. */ public static void setUpFsverity(@NonNull String filePath, @NonNull byte[] pkcs7Signature) /** Enables fs-verity for the file with an optional PKCS#7 detached signature bytes. */ public static void setUpFsverity(@NonNull String filePath, @Nullable byte[] pkcs7Signature) throws IOException { // This will fail if the public key is not already in .fs-verity kernel keyring. int errno = enableFsverityNative(filePath, pkcs7Signature); Loading Loading @@ -227,7 +235,7 @@ public abstract class VerityUtils { } private static native int enableFsverityNative(@NonNull String filePath, @NonNull byte[] pkcs7Signature); @Nullable byte[] pkcs7Signature); private static native int measureFsverityNative(@NonNull String filePath, @NonNull byte[] digest); private static native int statxForFsverityNative(@NonNull String filePath); Loading core/jni/com_android_internal_security_VerityUtils.cpp +12 −6 Original line number Diff line number Diff line Loading @@ -48,10 +48,6 @@ int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath, jbyteArra if (rfd.get() < 0) { return errno; } ScopedByteArrayRO signature_bytes(env, signature); if (signature_bytes.get() == nullptr) { return EINVAL; } fsverity_enable_arg arg = {}; arg.version = 1; Loading @@ -59,8 +55,18 @@ int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath, jbyteArra arg.block_size = 4096; arg.salt_size = 0; arg.salt_ptr = reinterpret_cast<uintptr_t>(nullptr); if (signature != nullptr) { ScopedByteArrayRO signature_bytes(env, signature); if (signature_bytes.get() == nullptr) { return EINVAL; } arg.sig_size = signature_bytes.size(); arg.sig_ptr = reinterpret_cast<uintptr_t>(signature_bytes.get()); } else { arg.sig_size = 0; arg.sig_ptr = reinterpret_cast<uintptr_t>(nullptr); } if (ioctl(rfd.get(), FS_IOC_ENABLE_VERITY, &arg) < 0) { return errno; Loading Loading
core/java/com/android/internal/security/VerityUtils.java +16 −8 Original line number Diff line number Diff line Loading @@ -17,6 +17,7 @@ package com.android.internal.security; import android.annotation.NonNull; import android.annotation.Nullable; import android.os.Build; import android.os.SystemProperties; import android.system.Os; Loading @@ -41,6 +42,7 @@ import java.nio.ByteBuffer; import java.nio.ByteOrder; import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; Loading Loading @@ -77,17 +79,23 @@ public abstract class VerityUtils { return filePath + FSVERITY_SIGNATURE_FILE_EXTENSION; } /** Enables fs-verity for the file with a PKCS#7 detached signature file. */ public static void setUpFsverity(@NonNull String filePath, @NonNull String signaturePath) /** Enables fs-verity for the file with an optional PKCS#7 detached signature file. */ public static void setUpFsverity(@NonNull String filePath, @Nullable String signaturePath) throws IOException { if (Files.size(Paths.get(signaturePath)) > MAX_SIGNATURE_FILE_SIZE_BYTES) { throw new SecurityException("Signature file is unexpectedly large: " + signaturePath); byte[] rawSignature = null; if (signaturePath != null) { Path path = Paths.get(signaturePath); if (Files.size(path) > MAX_SIGNATURE_FILE_SIZE_BYTES) { throw new SecurityException("Signature file is unexpectedly large: " + signaturePath); } setUpFsverity(filePath, Files.readAllBytes(Paths.get(signaturePath))); rawSignature = Files.readAllBytes(path); } setUpFsverity(filePath, rawSignature); } /** Enables fs-verity for the file with a PKCS#7 detached signature bytes. */ public static void setUpFsverity(@NonNull String filePath, @NonNull byte[] pkcs7Signature) /** Enables fs-verity for the file with an optional PKCS#7 detached signature bytes. */ public static void setUpFsverity(@NonNull String filePath, @Nullable byte[] pkcs7Signature) throws IOException { // This will fail if the public key is not already in .fs-verity kernel keyring. int errno = enableFsverityNative(filePath, pkcs7Signature); Loading Loading @@ -227,7 +235,7 @@ public abstract class VerityUtils { } private static native int enableFsverityNative(@NonNull String filePath, @NonNull byte[] pkcs7Signature); @Nullable byte[] pkcs7Signature); private static native int measureFsverityNative(@NonNull String filePath, @NonNull byte[] digest); private static native int statxForFsverityNative(@NonNull String filePath); Loading
core/jni/com_android_internal_security_VerityUtils.cpp +12 −6 Original line number Diff line number Diff line Loading @@ -48,10 +48,6 @@ int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath, jbyteArra if (rfd.get() < 0) { return errno; } ScopedByteArrayRO signature_bytes(env, signature); if (signature_bytes.get() == nullptr) { return EINVAL; } fsverity_enable_arg arg = {}; arg.version = 1; Loading @@ -59,8 +55,18 @@ int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath, jbyteArra arg.block_size = 4096; arg.salt_size = 0; arg.salt_ptr = reinterpret_cast<uintptr_t>(nullptr); if (signature != nullptr) { ScopedByteArrayRO signature_bytes(env, signature); if (signature_bytes.get() == nullptr) { return EINVAL; } arg.sig_size = signature_bytes.size(); arg.sig_ptr = reinterpret_cast<uintptr_t>(signature_bytes.get()); } else { arg.sig_size = 0; arg.sig_ptr = reinterpret_cast<uintptr_t>(nullptr); } if (ioctl(rfd.get(), FS_IOC_ENABLE_VERITY, &arg) < 0) { return errno; Loading
