Loading adb/test_adb.py +1 −0 Original line number Diff line number Diff line Loading @@ -416,6 +416,7 @@ class ConnectionTest(unittest.TestCase): output.strip(), "already connected to {}".format(serial).encode("utf8")) @unittest.skip("Currently failing b/123247844") def test_reconnect(self): """Ensure that a disconnected device reconnects.""" Loading fs_mgr/libfs_avb/avb_util.cpp +13 −0 Original line number Diff line number Diff line Loading @@ -34,6 +34,19 @@ using android::base::unique_fd; namespace android { namespace fs_mgr { std::string GetAvbPropertyDescriptor(const std::string& key, const std::vector<VBMetaData>& vbmeta_images) { size_t value_size; for (const auto& vbmeta : vbmeta_images) { const char* value = avb_property_lookup(vbmeta.data(), vbmeta.size(), key.data(), key.size(), &value_size); if (value != nullptr) { return {value, value_size}; } } return ""; } // Constructs dm-verity arguments for sending DM_TABLE_LOAD ioctl to kernel. // See the following link for more details: // https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity Loading fs_mgr/libfs_avb/avb_util.h +3 −0 Original line number Diff line number Diff line Loading @@ -37,6 +37,9 @@ struct ChainInfo { : partition_name(chain_partition_name), public_key_blob(chain_public_key_blob) {} }; std::string GetAvbPropertyDescriptor(const std::string& key, const std::vector<VBMetaData>& vbmeta_images); // AvbHashtreeDescriptor to dm-verity table setup. std::unique_ptr<FsAvbHashtreeDescriptor> GetHashtreeDescriptor( const std::string& partition_name, const std::vector<VBMetaData>& vbmeta_images); Loading fs_mgr/libfs_avb/fs_avb.cpp +80 −43 Original line number Diff line number Diff line Loading @@ -263,6 +263,69 @@ AvbUniquePtr AvbHandle::LoadAndVerifyVbmeta( return avb_handle; } AvbUniquePtr AvbHandle::LoadAndVerifyVbmeta(const FstabEntry& fstab_entry) { if (fstab_entry.avb_key.empty()) { LERROR << "avb_key=/path/to/key is missing for " << fstab_entry.mount_point; return nullptr; } // Binds allow_verification_error and rollback_protection to device unlock state. bool allow_verification_error = IsDeviceUnlocked(); bool rollback_protection = !allow_verification_error; std::string expected_key_blob; if (!ReadFileToString(fstab_entry.avb_key, &expected_key_blob)) { if (!allow_verification_error) { LERROR << "Failed to load avb_key: " << fstab_entry.avb_key << " for mount point: " << fstab_entry.mount_point; return nullptr; } LWARNING << "Allowing no expected key blob when verification error is permitted"; expected_key_blob.clear(); } bool verification_disabled = false; VBMetaVerifyResult verify_result = VBMetaVerifyResult::kError; std::unique_ptr<VBMetaData> vbmeta = LoadAndVerifyVbmetaByPath( fstab_entry.blk_device, "" /* partition_name, no need for a standalone path */, expected_key_blob, allow_verification_error, rollback_protection, false /* not is_chained_vbmeta */, nullptr /* out_public_key_data */, &verification_disabled, &verify_result); if (!vbmeta) { LERROR << "Failed to load vbmeta: " << fstab_entry.blk_device; return nullptr; } AvbUniquePtr avb_handle(new AvbHandle()); if (!avb_handle) { LERROR << "Failed to allocate AvbHandle"; return nullptr; } avb_handle->vbmeta_images_.emplace_back(std::move(*vbmeta)); switch (verify_result) { case VBMetaVerifyResult::kSuccess: avb_handle->status_ = AvbHandleStatus::kSuccess; break; case VBMetaVerifyResult::kErrorVerification: avb_handle->status_ = AvbHandleStatus::kVerificationError; break; default: LERROR << "LoadAndVerifyVbmetaByPath failed, result: " << verify_result; return nullptr; } if (verification_disabled) { LINFO << "AVB verification disabled on: " << fstab_entry.mount_point; avb_handle->status_ = AvbHandleStatus::kVerificationDisabled; } LINFO << "Returning avb_handle for '" << fstab_entry.mount_point << "' with status: " << avb_handle->status_; return avb_handle; } AvbUniquePtr AvbHandle::LoadAndVerifyVbmeta() { // Loads inline vbmeta images, starting from /vbmeta. return LoadAndVerifyVbmeta("vbmeta", fs_mgr_get_slot_suffix(), fs_mgr_get_other_slot_suffix(), Loading Loading @@ -358,52 +421,12 @@ AvbUniquePtr AvbHandle::Open() { AvbHashtreeResult AvbHandle::SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry, bool wait_for_verity_dev) { if (fstab_entry->avb_key.empty()) { LERROR << "avb_key=/path/to/key is missing for " << fstab_entry->mount_point; return AvbHashtreeResult::kFail; } // Binds allow_verification_error and rollback_protection to device unlock state. bool allow_verification_error = IsDeviceUnlocked(); bool rollback_protection = !allow_verification_error; std::string expected_key_blob; if (!ReadFileToString(fstab_entry->avb_key, &expected_key_blob)) { if (!allow_verification_error) { LERROR << "Failed to load avb_key: " << fstab_entry->avb_key << " for mount point: " << fstab_entry->mount_point; return AvbHashtreeResult::kFail; } LWARNING << "Allowing no expected key blob when verification error is permitted"; expected_key_blob.clear(); } bool verification_disabled = false; std::unique_ptr<VBMetaData> vbmeta = LoadAndVerifyVbmetaByPath( fstab_entry->blk_device, "" /* partition_name, no need for a standalone path */, expected_key_blob, allow_verification_error, rollback_protection, false /* not is_chained_vbmeta */, nullptr /* out_public_key_data */, &verification_disabled, nullptr /* out_verify_result */); if (!vbmeta) { LERROR << "Failed to load vbmeta: " << fstab_entry->blk_device; return AvbHashtreeResult::kFail; } if (verification_disabled) { LINFO << "AVB verification disabled on: " << fstab_entry->mount_point; return AvbHashtreeResult::kDisabled; } // Puts the vbmeta into a vector, for LoadAvbHashtreeToEnableVerity() to use. std::vector<VBMetaData> vbmeta_images; vbmeta_images.emplace_back(std::move(*vbmeta)); if (!LoadAvbHashtreeToEnableVerity(fstab_entry, wait_for_verity_dev, vbmeta_images, fs_mgr_get_slot_suffix(), fs_mgr_get_other_slot_suffix())) { auto avb_handle = LoadAndVerifyVbmeta(*fstab_entry); if (!avb_handle) { return AvbHashtreeResult::kFail; } return AvbHashtreeResult::kSuccess; return avb_handle->SetUpAvbHashtree(fstab_entry, wait_for_verity_dev); } AvbHashtreeResult AvbHandle::SetUpAvbHashtree(FstabEntry* fstab_entry, bool wait_for_verity_dev) { Loading @@ -425,5 +448,19 @@ AvbHashtreeResult AvbHandle::SetUpAvbHashtree(FstabEntry* fstab_entry, bool wait return AvbHashtreeResult::kSuccess; } std::string AvbHandle::GetSecurityPatchLevel(const FstabEntry& fstab_entry) const { if (vbmeta_images_.size() < 1) { return ""; } std::string avb_partition_name = DeriveAvbPartitionName(fstab_entry, fs_mgr_get_slot_suffix(), fs_mgr_get_other_slot_suffix()); auto avb_prop_name = "com.android.build." + avb_partition_name + ".security_patch"; return GetAvbPropertyDescriptor(avb_prop_name, vbmeta_images_); } bool AvbHandle::IsDeviceUnlocked() { return android::fs_mgr::IsDeviceUnlocked(); } } // namespace fs_mgr } // namespace android fs_mgr/libfs_avb/include/fs_avb/fs_avb.h +6 −0 Original line number Diff line number Diff line Loading @@ -85,6 +85,8 @@ class AvbHandle { // TODO(bowgotsai): remove Open() and switch to LoadAndVerifyVbmeta(). static AvbUniquePtr Open(); // loads inline vbmeta, via libavb. static AvbUniquePtr LoadAndVerifyVbmeta(); // loads inline vbmeta. static AvbUniquePtr LoadAndVerifyVbmeta( const FstabEntry& fstab_entry); // loads offline vbmeta. static AvbUniquePtr LoadAndVerifyVbmeta( // loads offline vbmeta. const std::string& partition_name, const std::string& ab_suffix, const std::string& ab_other_suffix, const std::string& expected_public_key, Loading @@ -108,6 +110,10 @@ class AvbHandle { static AvbHashtreeResult SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry, bool wait_for_verity_dev = true); static bool IsDeviceUnlocked(); std::string GetSecurityPatchLevel(const FstabEntry& fstab_entry) const; const std::string& avb_version() const { return avb_version_; } const VBMetaInfo& vbmeta_info() const { return vbmeta_info_; } AvbHandleStatus status() const { return status_; } Loading Loading
adb/test_adb.py +1 −0 Original line number Diff line number Diff line Loading @@ -416,6 +416,7 @@ class ConnectionTest(unittest.TestCase): output.strip(), "already connected to {}".format(serial).encode("utf8")) @unittest.skip("Currently failing b/123247844") def test_reconnect(self): """Ensure that a disconnected device reconnects.""" Loading
fs_mgr/libfs_avb/avb_util.cpp +13 −0 Original line number Diff line number Diff line Loading @@ -34,6 +34,19 @@ using android::base::unique_fd; namespace android { namespace fs_mgr { std::string GetAvbPropertyDescriptor(const std::string& key, const std::vector<VBMetaData>& vbmeta_images) { size_t value_size; for (const auto& vbmeta : vbmeta_images) { const char* value = avb_property_lookup(vbmeta.data(), vbmeta.size(), key.data(), key.size(), &value_size); if (value != nullptr) { return {value, value_size}; } } return ""; } // Constructs dm-verity arguments for sending DM_TABLE_LOAD ioctl to kernel. // See the following link for more details: // https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity Loading
fs_mgr/libfs_avb/avb_util.h +3 −0 Original line number Diff line number Diff line Loading @@ -37,6 +37,9 @@ struct ChainInfo { : partition_name(chain_partition_name), public_key_blob(chain_public_key_blob) {} }; std::string GetAvbPropertyDescriptor(const std::string& key, const std::vector<VBMetaData>& vbmeta_images); // AvbHashtreeDescriptor to dm-verity table setup. std::unique_ptr<FsAvbHashtreeDescriptor> GetHashtreeDescriptor( const std::string& partition_name, const std::vector<VBMetaData>& vbmeta_images); Loading
fs_mgr/libfs_avb/fs_avb.cpp +80 −43 Original line number Diff line number Diff line Loading @@ -263,6 +263,69 @@ AvbUniquePtr AvbHandle::LoadAndVerifyVbmeta( return avb_handle; } AvbUniquePtr AvbHandle::LoadAndVerifyVbmeta(const FstabEntry& fstab_entry) { if (fstab_entry.avb_key.empty()) { LERROR << "avb_key=/path/to/key is missing for " << fstab_entry.mount_point; return nullptr; } // Binds allow_verification_error and rollback_protection to device unlock state. bool allow_verification_error = IsDeviceUnlocked(); bool rollback_protection = !allow_verification_error; std::string expected_key_blob; if (!ReadFileToString(fstab_entry.avb_key, &expected_key_blob)) { if (!allow_verification_error) { LERROR << "Failed to load avb_key: " << fstab_entry.avb_key << " for mount point: " << fstab_entry.mount_point; return nullptr; } LWARNING << "Allowing no expected key blob when verification error is permitted"; expected_key_blob.clear(); } bool verification_disabled = false; VBMetaVerifyResult verify_result = VBMetaVerifyResult::kError; std::unique_ptr<VBMetaData> vbmeta = LoadAndVerifyVbmetaByPath( fstab_entry.blk_device, "" /* partition_name, no need for a standalone path */, expected_key_blob, allow_verification_error, rollback_protection, false /* not is_chained_vbmeta */, nullptr /* out_public_key_data */, &verification_disabled, &verify_result); if (!vbmeta) { LERROR << "Failed to load vbmeta: " << fstab_entry.blk_device; return nullptr; } AvbUniquePtr avb_handle(new AvbHandle()); if (!avb_handle) { LERROR << "Failed to allocate AvbHandle"; return nullptr; } avb_handle->vbmeta_images_.emplace_back(std::move(*vbmeta)); switch (verify_result) { case VBMetaVerifyResult::kSuccess: avb_handle->status_ = AvbHandleStatus::kSuccess; break; case VBMetaVerifyResult::kErrorVerification: avb_handle->status_ = AvbHandleStatus::kVerificationError; break; default: LERROR << "LoadAndVerifyVbmetaByPath failed, result: " << verify_result; return nullptr; } if (verification_disabled) { LINFO << "AVB verification disabled on: " << fstab_entry.mount_point; avb_handle->status_ = AvbHandleStatus::kVerificationDisabled; } LINFO << "Returning avb_handle for '" << fstab_entry.mount_point << "' with status: " << avb_handle->status_; return avb_handle; } AvbUniquePtr AvbHandle::LoadAndVerifyVbmeta() { // Loads inline vbmeta images, starting from /vbmeta. return LoadAndVerifyVbmeta("vbmeta", fs_mgr_get_slot_suffix(), fs_mgr_get_other_slot_suffix(), Loading Loading @@ -358,52 +421,12 @@ AvbUniquePtr AvbHandle::Open() { AvbHashtreeResult AvbHandle::SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry, bool wait_for_verity_dev) { if (fstab_entry->avb_key.empty()) { LERROR << "avb_key=/path/to/key is missing for " << fstab_entry->mount_point; return AvbHashtreeResult::kFail; } // Binds allow_verification_error and rollback_protection to device unlock state. bool allow_verification_error = IsDeviceUnlocked(); bool rollback_protection = !allow_verification_error; std::string expected_key_blob; if (!ReadFileToString(fstab_entry->avb_key, &expected_key_blob)) { if (!allow_verification_error) { LERROR << "Failed to load avb_key: " << fstab_entry->avb_key << " for mount point: " << fstab_entry->mount_point; return AvbHashtreeResult::kFail; } LWARNING << "Allowing no expected key blob when verification error is permitted"; expected_key_blob.clear(); } bool verification_disabled = false; std::unique_ptr<VBMetaData> vbmeta = LoadAndVerifyVbmetaByPath( fstab_entry->blk_device, "" /* partition_name, no need for a standalone path */, expected_key_blob, allow_verification_error, rollback_protection, false /* not is_chained_vbmeta */, nullptr /* out_public_key_data */, &verification_disabled, nullptr /* out_verify_result */); if (!vbmeta) { LERROR << "Failed to load vbmeta: " << fstab_entry->blk_device; return AvbHashtreeResult::kFail; } if (verification_disabled) { LINFO << "AVB verification disabled on: " << fstab_entry->mount_point; return AvbHashtreeResult::kDisabled; } // Puts the vbmeta into a vector, for LoadAvbHashtreeToEnableVerity() to use. std::vector<VBMetaData> vbmeta_images; vbmeta_images.emplace_back(std::move(*vbmeta)); if (!LoadAvbHashtreeToEnableVerity(fstab_entry, wait_for_verity_dev, vbmeta_images, fs_mgr_get_slot_suffix(), fs_mgr_get_other_slot_suffix())) { auto avb_handle = LoadAndVerifyVbmeta(*fstab_entry); if (!avb_handle) { return AvbHashtreeResult::kFail; } return AvbHashtreeResult::kSuccess; return avb_handle->SetUpAvbHashtree(fstab_entry, wait_for_verity_dev); } AvbHashtreeResult AvbHandle::SetUpAvbHashtree(FstabEntry* fstab_entry, bool wait_for_verity_dev) { Loading @@ -425,5 +448,19 @@ AvbHashtreeResult AvbHandle::SetUpAvbHashtree(FstabEntry* fstab_entry, bool wait return AvbHashtreeResult::kSuccess; } std::string AvbHandle::GetSecurityPatchLevel(const FstabEntry& fstab_entry) const { if (vbmeta_images_.size() < 1) { return ""; } std::string avb_partition_name = DeriveAvbPartitionName(fstab_entry, fs_mgr_get_slot_suffix(), fs_mgr_get_other_slot_suffix()); auto avb_prop_name = "com.android.build." + avb_partition_name + ".security_patch"; return GetAvbPropertyDescriptor(avb_prop_name, vbmeta_images_); } bool AvbHandle::IsDeviceUnlocked() { return android::fs_mgr::IsDeviceUnlocked(); } } // namespace fs_mgr } // namespace android
fs_mgr/libfs_avb/include/fs_avb/fs_avb.h +6 −0 Original line number Diff line number Diff line Loading @@ -85,6 +85,8 @@ class AvbHandle { // TODO(bowgotsai): remove Open() and switch to LoadAndVerifyVbmeta(). static AvbUniquePtr Open(); // loads inline vbmeta, via libavb. static AvbUniquePtr LoadAndVerifyVbmeta(); // loads inline vbmeta. static AvbUniquePtr LoadAndVerifyVbmeta( const FstabEntry& fstab_entry); // loads offline vbmeta. static AvbUniquePtr LoadAndVerifyVbmeta( // loads offline vbmeta. const std::string& partition_name, const std::string& ab_suffix, const std::string& ab_other_suffix, const std::string& expected_public_key, Loading @@ -108,6 +110,10 @@ class AvbHandle { static AvbHashtreeResult SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry, bool wait_for_verity_dev = true); static bool IsDeviceUnlocked(); std::string GetSecurityPatchLevel(const FstabEntry& fstab_entry) const; const std::string& avb_version() const { return avb_version_; } const VBMetaInfo& vbmeta_info() const { return vbmeta_info_; } AvbHandleStatus status() const { return status_; } Loading
