Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit aa5e509d authored by Victor Hsieh's avatar Victor Hsieh
Browse files

Reland: Deprecate .fsv_sig 

Diff from previous patch: changed the flag's package namespace

.fsv_sig is no longer used by anyone in the GMS ecosystem.

Guarde the deprecation with a flag. Also adding a host variant of flag
to be used for testing purposes.

Bug: 277916185
Test: adb shell device_config put hardware_backed_security \
              android.security.deprecate_fsv_sig false # and true
Test: atest CtsPackageManagerTestCases:android.content.pm.cts.ChecksumsTest
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ApkVerityInstallTest
Change-Id: Idc85aade4190a040429b73d2730a690deaf21c2e
parent f155a724

services/core/java/com/android/server/pm/PackageInstallerSession.java

+3 −0
Original line number Original line Diff line number Diff line
@@ -3641,6 +3641,9 @@ public class PackageInstallerSession extends IPackageInstallerSession.Stub { 
    @GuardedBy("mLock")

    @GuardedBy("mLock")

    private void maybeStageFsveritySignatureLocked(File origFile, File targetFile,

    private void maybeStageFsveritySignatureLocked(File origFile, File targetFile,

            boolean fsVerityRequired) throws PackageManagerException {

            boolean fsVerityRequired) throws PackageManagerException {

        if (android.security.Flags.deprecateFsvSig()) {

            return;

        }

        final File originalSignature = new File(

        final File originalSignature = new File(

                VerityUtils.getFsveritySignatureFilePath(origFile.getPath()));

                VerityUtils.getFsveritySignatureFilePath(origFile.getPath()));

        if (originalSignature.exists()) {

        if (originalSignature.exists()) {

services/core/java/com/android/server/pm/PackageManagerServiceUtils.java

+3 −0
Original line number Original line Diff line number Diff line
@@ -547,6 +547,9 @@ public class PackageManagerServiceUtils { 




    /** Returns true if standard APK Verity is enabled. */

    /** Returns true if standard APK Verity is enabled. */

    static boolean isApkVerityEnabled() {

    static boolean isApkVerityEnabled() {

        if (android.security.Flags.deprecateFsvSig()) {

            return false;

        }

        return Build.VERSION.DEVICE_INITIAL_SDK_INT >= Build.VERSION_CODES.R

        return Build.VERSION.DEVICE_INITIAL_SDK_INT >= Build.VERSION_CODES.R

                || SystemProperties.getInt("ro.apk_verity.mode", FSVERITY_DISABLED)

                || SystemProperties.getInt("ro.apk_verity.mode", FSVERITY_DISABLED)

                        == FSVERITY_ENABLED;

                        == FSVERITY_ENABLED;