Commit 199214e7 authored by Karuna Wadhera

Run module code only after KeyMints receive module info

In order to prevent updateable APEX modules from interfering in module
measurement, have `perform_apex_config` wait for the new system
property `keystore.module_hash.sent` to be set to true before running.
Keystore sets `keystore.module_hash.sent` to true after receiving a
non-error response to `setAdditionalAttestationInfo` from all V4+
KeyMints.

Since Keystore waits for `apexd.status` to be set to
`activated` (before calling `setAdditionalAttestationInfo`),
`perform_apex_config` no longer needs to (once flagging is removed).

With ag/32459798, if sending module info fails, Keystore will crash
(five times), and the device will reboot to bootloader. Preventing boot
from continuing is an intended consequence - an error here likely
indicates a more general issue with Keystore or KeyMint (and one that
likely isn't specific to an individual device).

Bug: 400439023
Test: See executed testing plan at go/32464289-test-plan
Change-Id: I916f64c8bccec45463a5d51bebdcdd60f9eb5977
parent c4ab2ad6
+4 −1
@@ -997,8 +997,11 @@ on post-fs-data
    mkdir /data/misc/stats-service/ 0770 statsd system
    mkdir /data/misc/train-info/ 0770 statsd system

    # Wait for apexd to finish activating APEXes before starting more processes.
    # TODO(b/400439023): Remove once attest modules flagging is removed.
    wait_for_prop apexd.status activated
    # Wait for KeyMints to receive APEX module info before starting code from updateable APEXes.
    # This is to prevent APEX modules from interfering in module measurement.
    wait_for_prop keystore.module_hash.sent true
    perform_apex_config

    exec_start system_aconfigd_mainline_init
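
Review bot: `wait_for_prop keystore.module_hash.sent true` is unconditional and `wait_for_prop` has no timeout, so `post-fs-data` blocks at this line whenever Keystore never sets the property. The TODO two lines above says the attest modules flagging is still in place, so please confirm that Keystore sets `keystore.module_hash.sent` when that flag is off and on devices with no V4+ KeyMint; otherwise boot stalls here silently rather than through the crash and reboot path the commit message describes. It would also help to extend the new comment to say that Keystore sets the property after `setAdditionalAttestationInfo` succeeds, so someone debugging a stalled boot knows which service to inspect.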