Loading core/java/android/security/flags.aconfig +0 −8 Original line number Diff line number Diff line Loading @@ -51,14 +51,6 @@ flag { } } flag { name: "extend_vb_chain_to_updated_apk" namespace: "hardware_backed_security" description: "Use v4 signature and fs-verity to chain verification of allowlisted APKs to Verified Boot" bug: "277916185" is_fixed_read_only: true } flag { name: "binary_transparency_sepolicy_hash" namespace: "hardware_backed_security" Loading core/java/android/util/apk/ApkSignatureSchemeV4Verifier.java +1 −4 Original line number Diff line number Diff line Loading @@ -88,7 +88,7 @@ public class ApkSignatureSchemeV4Verifier { if (signatureBytes != null && signatureBytes.length > 0) { needsConsistencyCheck = false; signature = V4Signature.readFrom(signatureBytes); } else if (android.security.Flags.extendVbChainToUpdatedApk()) { } else { // 2. Try fs-verity next. fs-verity checks against the Merkle tree, but the // v4 signature file (including a raw root hash) is managed separately. We need to // ensure the signed data from the file is consistent with the actual file. Loading @@ -101,9 +101,6 @@ public class ApkSignatureSchemeV4Verifier { throw new SignatureNotFoundException( "Failed to obtain signature bytes from .idsig"); } } else { throw new SignatureNotFoundException( "Failed to obtain signature bytes from IncFS."); } if (!signature.isVersionSupported()) { throw new SecurityException( Loading services/core/java/com/android/server/SystemConfig.java +6 −8 Original line number Diff line number Diff line Loading @@ -1697,7 +1697,6 @@ public class SystemConfig { } } break; case "require-strict-signature": { if (android.security.Flags.extendVbChainToUpdatedApk()) { String packageName = parser.getAttributeValue(null, "package"); if (TextUtils.isEmpty(packageName)) { Slog.w(TAG, "<" + name + "> without valid package in " + permFile Loading @@ -1705,7 +1704,6 @@ public class SystemConfig { } else { mPreinstallPackagesWithStrictSignatureCheck.add(packageName); } } } break; case "oem-defined-uid": { final String uidName = parser.getAttributeValue(null, "name"); Loading services/core/java/com/android/server/pm/InstallPackageHelper.java +0 −3 Original line number Diff line number Diff line Loading @@ -4519,9 +4519,6 @@ final class InstallPackageHelper { * at boot. */ private boolean needSignatureMatchToSystem(String packageName) { if (!android.security.Flags.extendVbChainToUpdatedApk()) { return false; } return mPm.mInjector.getSystemConfig().getPreinstallPackagesWithStrictSignatureCheck() .contains(packageName); } Loading services/core/java/com/android/server/pm/PackageInstallerSession.java +4 −9 Original line number Diff line number Diff line Loading @@ -3610,11 +3610,9 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { // Needs to happen before the first v4 signature verification, which happens in // getAddedApkLitesLocked. if (android.security.Flags.extendVbChainToUpdatedApk()) { if (!isIncrementalInstallation()) { enableFsVerityToAddedApksWithIdsig(); } } final List<ApkLite> addedFiles = getAddedApkLitesLocked(); if (addedFiles.isEmpty() Loading Loading @@ -4124,8 +4122,7 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { stageFileLocked(origFile, targetFile); // Stage APK's v4 signature if present, and fs-verity is supported. if (android.security.Flags.extendVbChainToUpdatedApk() && VerityUtils.isFsVeritySupported()) { if (VerityUtils.isFsVeritySupported()) { maybeStageV4SignatureLocked(origFile, targetFile); } // Stage ART managed install files (e.g., dex metadata (.dm)) and corresponding fs-verity Loading @@ -4152,9 +4149,7 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { private void inheritFileLocked(File origFile, List<String> artManagedFilePaths) { mResolvedInheritedFiles.add(origFile); if (android.security.Flags.extendVbChainToUpdatedApk()) { maybeInheritV4SignatureLocked(origFile); } // Inherit ART managed install files (e.g., dex metadata (.dm)) if present. if (com.android.art.flags.Flags.artServiceV3()) { Loading Loading
core/java/android/security/flags.aconfig +0 −8 Original line number Diff line number Diff line Loading @@ -51,14 +51,6 @@ flag { } } flag { name: "extend_vb_chain_to_updated_apk" namespace: "hardware_backed_security" description: "Use v4 signature and fs-verity to chain verification of allowlisted APKs to Verified Boot" bug: "277916185" is_fixed_read_only: true } flag { name: "binary_transparency_sepolicy_hash" namespace: "hardware_backed_security" Loading
core/java/android/util/apk/ApkSignatureSchemeV4Verifier.java +1 −4 Original line number Diff line number Diff line Loading @@ -88,7 +88,7 @@ public class ApkSignatureSchemeV4Verifier { if (signatureBytes != null && signatureBytes.length > 0) { needsConsistencyCheck = false; signature = V4Signature.readFrom(signatureBytes); } else if (android.security.Flags.extendVbChainToUpdatedApk()) { } else { // 2. Try fs-verity next. fs-verity checks against the Merkle tree, but the // v4 signature file (including a raw root hash) is managed separately. We need to // ensure the signed data from the file is consistent with the actual file. Loading @@ -101,9 +101,6 @@ public class ApkSignatureSchemeV4Verifier { throw new SignatureNotFoundException( "Failed to obtain signature bytes from .idsig"); } } else { throw new SignatureNotFoundException( "Failed to obtain signature bytes from IncFS."); } if (!signature.isVersionSupported()) { throw new SecurityException( Loading
services/core/java/com/android/server/SystemConfig.java +6 −8 Original line number Diff line number Diff line Loading @@ -1697,7 +1697,6 @@ public class SystemConfig { } } break; case "require-strict-signature": { if (android.security.Flags.extendVbChainToUpdatedApk()) { String packageName = parser.getAttributeValue(null, "package"); if (TextUtils.isEmpty(packageName)) { Slog.w(TAG, "<" + name + "> without valid package in " + permFile Loading @@ -1705,7 +1704,6 @@ public class SystemConfig { } else { mPreinstallPackagesWithStrictSignatureCheck.add(packageName); } } } break; case "oem-defined-uid": { final String uidName = parser.getAttributeValue(null, "name"); Loading
services/core/java/com/android/server/pm/InstallPackageHelper.java +0 −3 Original line number Diff line number Diff line Loading @@ -4519,9 +4519,6 @@ final class InstallPackageHelper { * at boot. */ private boolean needSignatureMatchToSystem(String packageName) { if (!android.security.Flags.extendVbChainToUpdatedApk()) { return false; } return mPm.mInjector.getSystemConfig().getPreinstallPackagesWithStrictSignatureCheck() .contains(packageName); } Loading
services/core/java/com/android/server/pm/PackageInstallerSession.java +4 −9 Original line number Diff line number Diff line Loading @@ -3610,11 +3610,9 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { // Needs to happen before the first v4 signature verification, which happens in // getAddedApkLitesLocked. if (android.security.Flags.extendVbChainToUpdatedApk()) { if (!isIncrementalInstallation()) { enableFsVerityToAddedApksWithIdsig(); } } final List<ApkLite> addedFiles = getAddedApkLitesLocked(); if (addedFiles.isEmpty() Loading Loading @@ -4124,8 +4122,7 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { stageFileLocked(origFile, targetFile); // Stage APK's v4 signature if present, and fs-verity is supported. if (android.security.Flags.extendVbChainToUpdatedApk() && VerityUtils.isFsVeritySupported()) { if (VerityUtils.isFsVeritySupported()) { maybeStageV4SignatureLocked(origFile, targetFile); } // Stage ART managed install files (e.g., dex metadata (.dm)) and corresponding fs-verity Loading @@ -4152,9 +4149,7 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { private void inheritFileLocked(File origFile, List<String> artManagedFilePaths) { mResolvedInheritedFiles.add(origFile); if (android.security.Flags.extendVbChainToUpdatedApk()) { maybeInheritV4SignatureLocked(origFile); } // Inherit ART managed install files (e.g., dex metadata (.dm)) if present. if (com.android.art.flags.Flags.artServiceV3()) { Loading
