
Commit d163351b authored by Victor Hsieh's avatar Victor Hsieh

Support fs-verity setup with null/no signature

This is a partial cherry-pick from ag/20131484 (Enable fs-verity to all
APKs on install), where the change to InstallPackageHelper.java is
excluded to avoid the complexity of diverged code base in package
manager.

This is safe because:
1. The function signature does not change.
2. The caller isn't giving it a null signature in AOSP yet, so it won't
   break existing package manager use case.

This partial cherry-pick is desired in order to unblock some work across
internal and AOSP branches.

Bug: 258538225
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ApkVerityInstallTest
Merged-In: I119e5189603af888dfa1ece2bee9e7635120854b
Change-Id: Ie0001bb74a0b7dffd9f6a3d2a23f5c66f381bea7
parent 1ea23229
+16 −8
@@ -17,6 +17,7 @@
package com.android.internal.security;

import android.annotation.NonNull;
import android.annotation.Nullable;
import android.os.Build;
import android.os.SystemProperties;
import android.system.Os;
@@ -41,6 +42,7 @@ import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
@@ -77,17 +79,23 @@ public abstract class VerityUtils {
        return filePath + FSVERITY_SIGNATURE_FILE_EXTENSION;
    }

    /** Enables fs-verity for the file with a PKCS#7 detached signature file. */
    public static void setUpFsverity(@NonNull String filePath, @NonNull String signaturePath)
    /** Enables fs-verity for the file with an optional PKCS#7 detached signature file. */
    public static void setUpFsverity(@NonNull String filePath, @Nullable String signaturePath)
            throws IOException {
        if (Files.size(Paths.get(signaturePath)) > MAX_SIGNATURE_FILE_SIZE_BYTES) {
            throw new SecurityException("Signature file is unexpectedly large: " + signaturePath);
        byte[] rawSignature = null;
        if (signaturePath != null) {
            Path path = Paths.get(signaturePath);
            if (Files.size(path) > MAX_SIGNATURE_FILE_SIZE_BYTES) {
                throw new SecurityException("Signature file is unexpectedly large: "
                        + signaturePath);
            }
        setUpFsverity(filePath, Files.readAllBytes(Paths.get(signaturePath)));
            rawSignature = Files.readAllBytes(path);
        }
        setUpFsverity(filePath, rawSignature);
    }

    /** Enables fs-verity for the file with a PKCS#7 detached signature bytes. */
    public static void setUpFsverity(@NonNull String filePath, @NonNull byte[] pkcs7Signature)
    /** Enables fs-verity for the file with an optional PKCS#7 detached signature bytes. */
    public static void setUpFsverity(@NonNull String filePath, @Nullable byte[] pkcs7Signature)
            throws IOException {
        // This will fail if the public key is not already in .fs-verity kernel keyring.
        int errno = enableFsverityNative(filePath, pkcs7Signature);
@@ -227,7 +235,7 @@ public abstract class VerityUtils {
    }

    private static native int enableFsverityNative(@NonNull String filePath,
            @NonNull byte[] pkcs7Signature);
            @Nullable byte[] pkcs7Signature);
    private static native int measureFsverityNative(@NonNull String filePath,
            @NonNull byte[] digest);
    private static native int statxForFsverityNative(@NonNull String filePath);
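Review bot: The comment kept in the byte-array overload, `// This will fail if the public key is not already in .fs-verity kernel keyring.`, is only true when a signature is supplied, and neither updated Javadoc says what a null signature means for the caller. With null, verity is enabled with no signature for the kernel to check, so a successful call no longer shows that the file was signed by a trusted key; a caller that needs authenticity has to compare the measured fs-verity digest with a value it trusts. I would say so in the Javadoc of both overloads, e.g. `/** Enables fs-verity for the file. A null signature enables it unsigned: later modification is detected, but the caller must check the digest against a trusted value. */`, and reword the inline comment to `// With a signature, this fails if the public key is not already in the .fs-verity kernel keyring.` The body of the byte-array overload continues outside the hunk.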
+12 −6
@@ -48,10 +48,6 @@ int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath, jbyteArra
    if (rfd.get() < 0) {
        return errno;
    }
    ScopedByteArrayRO signature_bytes(env, signature);
    if (signature_bytes.get() == nullptr) {
        return EINVAL;
    }

    fsverity_enable_arg arg = {};
    arg.version = 1;
@@ -59,8 +55,18 @@ int enableFsverity(JNIEnv *env, jobject /* clazz */, jstring filePath, jbyteArra
    arg.block_size = 4096;
    arg.salt_size = 0;
    arg.salt_ptr = reinterpret_cast<uintptr_t>(nullptr);

    if (signature != nullptr) {
        ScopedByteArrayRO signature_bytes(env, signature);
        if (signature_bytes.get() == nullptr) {
            return EINVAL;
        }
        arg.sig_size = signature_bytes.size();
        arg.sig_ptr = reinterpret_cast<uintptr_t>(signature_bytes.get());
    } else {
        arg.sig_size = 0;
        arg.sig_ptr = reinterpret_cast<uintptr_t>(nullptr);
    }

    if (ioctl(rfd.get(), FS_IOC_ENABLE_VERITY, &arg) < 0) {
        return errno;
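Review bot: `signature_bytes` is now declared inside the `if (signature != nullptr)` block, so it is destroyed at that block's closing brace while `arg.sig_ptr` still holds the pointer it returned, and the later `ioctl(rfd.get(), FS_IOC_ENABLE_VERITY, &arg)` passes the kernel a pointer whose backing storage has already been released. ScopedByteArrayRO is an RAII wrapper, so the array data is only guaranteed valid for the wrapper's lifetime; in the removed lines it appears to have been declared at function scope and so outlived the ioctl. Keep the wrapper alive across the ioctl, for example by declaring `ScopedByteArrayRO signature_bytes(env);` before the `if` and calling `signature_bytes.reset(signature);` inside it in place of the scoped declaration. enableFsverity starts above this hunk and continues below it, so the rest of the function is not visible here.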