Loading libkeyutils/mini_keyctl.cpp +0 −9 Original line number Diff line number Diff line Loading @@ -30,7 +30,6 @@ static void Usage(int exit_code) { fprintf(stderr, "usage: mini-keyctl <action> [args,]\n"); fprintf(stderr, " mini-keyctl add <type> <desc> <data> <keyring>\n"); fprintf(stderr, " mini-keyctl padd <type> <desc> <keyring>\n"); fprintf(stderr, " mini-keyctl dadd <type> <desc_prefix> <cert_dir> <keyring>\n"); fprintf(stderr, " mini-keyctl unlink <key> <keyring>\n"); fprintf(stderr, " mini-keyctl restrict_keyring <keyring>\n"); fprintf(stderr, " mini-keyctl security <key>\n"); Loading @@ -56,14 +55,6 @@ int main(int argc, const char** argv) { std::string data = argv[4]; std::string keyring = argv[5]; return Add(type, desc, data, keyring); } else if (action == "dadd") { if (argc != 6) Usage(1); std::string type = argv[2]; // The key description contains desc_prefix and an index. std::string desc_prefix = argv[3]; std::string cert_dir = argv[4]; std::string keyring = argv[5]; return AddCertsFromDir(type, desc_prefix, cert_dir, keyring); } else if (action == "padd") { if (argc != 5) Usage(1); std::string type = argv[2]; Loading libkeyutils/mini_keyctl_utils.cpp +0 −47 Original line number Diff line number Diff line Loading @@ -86,53 +86,6 @@ static bool GetKeyringId(const std::string& keyring_desc, key_serial_t* keyring_ return false; } int AddCertsFromDir(const std::string& type, const std::string& desc_prefix, const std::string& cert_dir, const std::string& keyring) { key_serial_t keyring_id; if (!GetKeyringId(keyring, &keyring_id)) { LOG(ERROR) << "Can not find keyring id"; return 1; } std::unique_ptr<DIR, int (*)(DIR*)> dir(opendir(cert_dir.c_str()), closedir); if (!dir) { PLOG(WARNING) << "Failed to open directory " << cert_dir; return 1; } int keys_added = 0; struct dirent* dp; while ((dp = readdir(dir.get())) != NULL) { if (dp->d_type != DT_REG) { continue; } std::string cert_path = cert_dir + "/" + dp->d_name; std::string cert_buf; if (!android::base::ReadFileToString(cert_path, &cert_buf, false /* follow_symlinks */)) { LOG(ERROR) << "Failed to read " << cert_path; continue; } if (cert_buf.size() > kMaxCertSize) { LOG(ERROR) << "Certficate size too large: " << cert_path; continue; } // Add key to keyring. int key_desc_index = keys_added; std::string key_desc = desc_prefix + std::to_string(key_desc_index); key_serial_t key = add_key(type.c_str(), key_desc.c_str(), &cert_buf[0], cert_buf.size(), keyring_id); if (key < 0) { PLOG(ERROR) << "Failed to add key to keyring: " << cert_path; continue; } LOG(INFO) << "Key " << cert_path << " added to " << keyring << " with key id 0x" << std::hex << key; keys_added++; } return 0; } int Unlink(key_serial_t key, const std::string& keyring) { key_serial_t keyring_id; if (!GetKeyringId(keyring, &keyring_id)) { Loading libkeyutils/mini_keyctl_utils.h +0 −5 Original line number Diff line number Diff line Loading @@ -18,11 +18,6 @@ #include <string> // Add all files in a directory as certificates to a keyring. |keyring| could be the keyring // description or keyring id in hex. int AddCertsFromDir(const std::string& type, const std::string& desc_prefix, const std::string& cert_dir, const std::string& keyring); // Add key to a keyring. Returns non-zero if error happens. int Add(const std::string& type, const std::string& desc, const std::string& data, const std::string& keyring); Loading rootdir/Android.mk +10 −0 Original line number Diff line number Diff line Loading @@ -8,6 +8,7 @@ LOCAL_MODULE := init.rc LOCAL_SRC_FILES := $(LOCAL_MODULE) LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) LOCAL_REQUIRED_MODULES := fsverity_init # The init symlink must be a post install command of a file that is to TARGET_ROOT_OUT. # Since init.rc is required for init and satisfies that requirement, we hijack it to create the symlink. Loading Loading @@ -56,6 +57,15 @@ endif endif ####################################### # fsverity_init include $(CLEAR_VARS) LOCAL_MODULE:= fsverity_init LOCAL_MODULE_CLASS := EXECUTABLES LOCAL_SRC_FILES := fsverity_init.sh include $(BUILD_PREBUILT) ####################################### # init.environ.rc Loading rootdir/fsverity_init.sh 0 → 100644 +29 −0 Original line number Diff line number Diff line #!/system/bin/sh # # Copyright (C) 2019 The Android Open Source Project # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Enforce fsverity signature checking echo 1 > /proc/sys/fs/verity/require_signatures # Load all keys for cert in /product/etc/security/fsverity/*.der; do /system/bin/mini-keyctl padd asymmetric fsv_product .fs-verity < "$cert" || log -p e -t fsverity_init "Failed to load $cert" done # Prevent future key links to .fs-verity keyring /system/bin/mini-keyctl restrict_keyring .fs-verity || log -p e -t fsverity_init "Failed to restrict .fs-verity keyring" Loading
libkeyutils/mini_keyctl.cpp +0 −9 Original line number Diff line number Diff line Loading @@ -30,7 +30,6 @@ static void Usage(int exit_code) { fprintf(stderr, "usage: mini-keyctl <action> [args,]\n"); fprintf(stderr, " mini-keyctl add <type> <desc> <data> <keyring>\n"); fprintf(stderr, " mini-keyctl padd <type> <desc> <keyring>\n"); fprintf(stderr, " mini-keyctl dadd <type> <desc_prefix> <cert_dir> <keyring>\n"); fprintf(stderr, " mini-keyctl unlink <key> <keyring>\n"); fprintf(stderr, " mini-keyctl restrict_keyring <keyring>\n"); fprintf(stderr, " mini-keyctl security <key>\n"); Loading @@ -56,14 +55,6 @@ int main(int argc, const char** argv) { std::string data = argv[4]; std::string keyring = argv[5]; return Add(type, desc, data, keyring); } else if (action == "dadd") { if (argc != 6) Usage(1); std::string type = argv[2]; // The key description contains desc_prefix and an index. std::string desc_prefix = argv[3]; std::string cert_dir = argv[4]; std::string keyring = argv[5]; return AddCertsFromDir(type, desc_prefix, cert_dir, keyring); } else if (action == "padd") { if (argc != 5) Usage(1); std::string type = argv[2]; Loading
libkeyutils/mini_keyctl_utils.cpp +0 −47 Original line number Diff line number Diff line Loading @@ -86,53 +86,6 @@ static bool GetKeyringId(const std::string& keyring_desc, key_serial_t* keyring_ return false; } int AddCertsFromDir(const std::string& type, const std::string& desc_prefix, const std::string& cert_dir, const std::string& keyring) { key_serial_t keyring_id; if (!GetKeyringId(keyring, &keyring_id)) { LOG(ERROR) << "Can not find keyring id"; return 1; } std::unique_ptr<DIR, int (*)(DIR*)> dir(opendir(cert_dir.c_str()), closedir); if (!dir) { PLOG(WARNING) << "Failed to open directory " << cert_dir; return 1; } int keys_added = 0; struct dirent* dp; while ((dp = readdir(dir.get())) != NULL) { if (dp->d_type != DT_REG) { continue; } std::string cert_path = cert_dir + "/" + dp->d_name; std::string cert_buf; if (!android::base::ReadFileToString(cert_path, &cert_buf, false /* follow_symlinks */)) { LOG(ERROR) << "Failed to read " << cert_path; continue; } if (cert_buf.size() > kMaxCertSize) { LOG(ERROR) << "Certficate size too large: " << cert_path; continue; } // Add key to keyring. int key_desc_index = keys_added; std::string key_desc = desc_prefix + std::to_string(key_desc_index); key_serial_t key = add_key(type.c_str(), key_desc.c_str(), &cert_buf[0], cert_buf.size(), keyring_id); if (key < 0) { PLOG(ERROR) << "Failed to add key to keyring: " << cert_path; continue; } LOG(INFO) << "Key " << cert_path << " added to " << keyring << " with key id 0x" << std::hex << key; keys_added++; } return 0; } int Unlink(key_serial_t key, const std::string& keyring) { key_serial_t keyring_id; if (!GetKeyringId(keyring, &keyring_id)) { Loading
libkeyutils/mini_keyctl_utils.h +0 −5 Original line number Diff line number Diff line Loading @@ -18,11 +18,6 @@ #include <string> // Add all files in a directory as certificates to a keyring. |keyring| could be the keyring // description or keyring id in hex. int AddCertsFromDir(const std::string& type, const std::string& desc_prefix, const std::string& cert_dir, const std::string& keyring); // Add key to a keyring. Returns non-zero if error happens. int Add(const std::string& type, const std::string& desc, const std::string& data, const std::string& keyring); Loading
rootdir/Android.mk +10 −0 Original line number Diff line number Diff line Loading @@ -8,6 +8,7 @@ LOCAL_MODULE := init.rc LOCAL_SRC_FILES := $(LOCAL_MODULE) LOCAL_MODULE_CLASS := ETC LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT) LOCAL_REQUIRED_MODULES := fsverity_init # The init symlink must be a post install command of a file that is to TARGET_ROOT_OUT. # Since init.rc is required for init and satisfies that requirement, we hijack it to create the symlink. Loading Loading @@ -56,6 +57,15 @@ endif endif ####################################### # fsverity_init include $(CLEAR_VARS) LOCAL_MODULE:= fsverity_init LOCAL_MODULE_CLASS := EXECUTABLES LOCAL_SRC_FILES := fsverity_init.sh include $(BUILD_PREBUILT) ####################################### # init.environ.rc Loading
rootdir/fsverity_init.sh 0 → 100644 +29 −0 Original line number Diff line number Diff line #!/system/bin/sh # # Copyright (C) 2019 The Android Open Source Project # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # Enforce fsverity signature checking echo 1 > /proc/sys/fs/verity/require_signatures # Load all keys for cert in /product/etc/security/fsverity/*.der; do /system/bin/mini-keyctl padd asymmetric fsv_product .fs-verity < "$cert" || log -p e -t fsverity_init "Failed to load $cert" done # Prevent future key links to .fs-verity keyring /system/bin/mini-keyctl restrict_keyring .fs-verity || log -p e -t fsverity_init "Failed to restrict .fs-verity keyring"
