
Commit fa59bba6 authored by Sandeep Patil's avatar Sandeep Patil Committed by Tom Cherry

fs_mgr: differentiate if fs_mgr_set_verity() was skipped or disabled



In case of non-secure builds (eng variant) fs_mgr_setup_verity() skips
verity checks regardless of fstab options. This is slightly different
than 'adb disable-verity' where it would first read the verity metadata
to check if verity is disabled.

So, this change adds a new return value of FS_MGR_SETUP_VERITY_SKIPPED
instead of piggy backing on the FS_MGR_SETUP_VERITY_DISABLED.

Bug: 62864413
Test: Boot sailfish

Merged-In: I42bf2bdce0ecb18b4c3b568e2bc96bf1590dfb35
Change-Id: I42bf2bdce0ecb18b4c3b568e2bc96bf1590dfb35
Signed-off-by: Sandeep Patil <sspatil@google.com>
(cherry picked from commit 95366e97)
parent b7806433
+6 −2
@@ -859,7 +859,9 @@ int fs_mgr_mount_all(struct fstab *fstab, int mount_mode)
            }
        } else if ((fstab->recs[i].fs_mgr_flags & MF_VERIFY) && is_device_secure()) {
            int rc = fs_mgr_setup_verity(&fstab->recs[i], true);
            if (__android_log_is_debuggable() && rc == FS_MGR_SETUP_VERITY_DISABLED) {
            if (__android_log_is_debuggable() &&
                    (rc == FS_MGR_SETUP_VERITY_DISABLED ||
                     rc == FS_MGR_SETUP_VERITY_SKIPPED)) {
                LINFO << "Verity disabled";
            } else if (rc != FS_MGR_SETUP_VERITY_SUCCESS) {
                LERROR << "Could not set up verified partition, skipping!";
@@ -1077,7 +1079,9 @@ int fs_mgr_do_mount(struct fstab *fstab, const char *n_name, char *n_blk_device,
            }
        } else if ((fstab->recs[i].fs_mgr_flags & MF_VERIFY) && is_device_secure()) {
            int rc = fs_mgr_setup_verity(&fstab->recs[i], true);
            if (__android_log_is_debuggable() && rc == FS_MGR_SETUP_VERITY_DISABLED) {
            if (__android_log_is_debuggable() &&
                    (rc == FS_MGR_SETUP_VERITY_DISABLED ||
                     rc == FS_MGR_SETUP_VERITY_SKIPPED)) {
                LINFO << "Verity disabled";
            } else if (rc != FS_MGR_SETUP_VERITY_SUCCESS) {
                LERROR << "Could not set up verified partition, skipping!";
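Review bot: The added `rc == FS_MGR_SETUP_VERITY_SKIPPED` test looks unreachable in this branch. The branch is entered only when `is_device_secure()` is true, while fs_mgr_setup_verity() returns SKIPPED only when `is_device_secure()` is false, so unless that value can change between the two calls the comparison is purely defensive. A comment such as `// SKIPPED is not expected here (outer check requires a secure device); accepted defensively` would stop a later reader from treating it as a live path that mounts without verity. The message also still reads "Verity disabled" for both codes; `LINFO << "Verity " << (rc == FS_MGR_SETUP_VERITY_SKIPPED ? "skipped" : "disabled") << " for " << fstab->recs[i].mount_point;` would keep the distinction in the boot log. The same applies to the identical hunk in fs_mgr_do_mount, and both function bodies extend beyond the hunks.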
+1 −1
@@ -738,7 +738,7 @@ int fs_mgr_setup_verity(struct fstab_rec *fstab, bool wait_for_verity_dev)
    // setup is needed at all.
    if (!is_device_secure()) {
        LINFO << "Verity setup skipped for " << mount_point;
        return FS_MGR_SETUP_VERITY_SUCCESS;
        return FS_MGR_SETUP_VERITY_SKIPPED;
    }

    if (fec_open(&f, fstab->blk_device, O_RDONLY, FEC_VERITY_DISABLE,
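Review bot: Returning `FS_MGR_SETUP_VERITY_SKIPPED` instead of `FS_MGR_SETUP_VERITY_SUCCESS` turns the non-secure path into a negative result, so any caller that tests only `rc != FS_MGR_SETUP_VERITY_SUCCESS` will now treat a skipped setup as a failure. The callers shown in this commit are updated, but callers outside this page cannot be checked from here and should be audited for how they handle the new value. A comment at the return, for example `// Not a failure: verity was never attempted because the device is not secure; callers must handle this explicitly`, would state the contract. The body of fs_mgr_setup_verity starts and ends outside the hunk.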
+1 −0
@@ -146,6 +146,7 @@ int fs_mgr_swapon_all(struct fstab *fstab);

int fs_mgr_do_format(struct fstab_rec *fstab, bool reserve_footer);

#define FS_MGR_SETUP_VERITY_SKIPPED  (-3)
#define FS_MGR_SETUP_VERITY_DISABLED (-2)
#define FS_MGR_SETUP_VERITY_FAIL (-1)
#define FS_MGR_SETUP_VERITY_SUCCESS 0
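Review bot: The new `FS_MGR_SETUP_VERITY_SKIPPED` sits next to `FS_MGR_SETUP_VERITY_DISABLED` with nothing in the header saying how they differ, although either result can end with a partition mounted without dm-verity. Going by the commit description, a short comment above the block would cover it, e.g. `/* SKIPPED: device not secure, verity metadata never read. DISABLED: metadata read and verity found turned off. */`. It would also help to add a line saying that callers must decide whether either result may proceed to mount.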
+8 −4
@@ -286,13 +286,17 @@ bool FirstStageMountVBootV1::GetRequiredDevices() {
bool FirstStageMountVBootV1::SetUpDmVerity(fstab_rec* fstab_rec) {
    if (fs_mgr_is_verified(fstab_rec)) {
        int ret = fs_mgr_setup_verity(fstab_rec, false /* wait_for_verity_dev */);
        if (ret == FS_MGR_SETUP_VERITY_DISABLED) {
            LOG(INFO) << "Verity disabled for '" << fstab_rec->mount_point << "'";
        } else if (ret == FS_MGR_SETUP_VERITY_SUCCESS) {
        switch (ret) {
        case FS_MGR_SETUP_VERITY_SKIPPED:
        case FS_MGR_SETUP_VERITY_DISABLED:
            LOG(INFO) << "Verity disabled/skipped for '" << fstab_rec->mount_point << "'";
            break;
        case FS_MGR_SETUP_VERITY_SUCCESS:
            // The exact block device name (fstab_rec->blk_device) is changed to "/dev/block/dm-XX".
            // Needs to create it because ueventd isn't started in init first stage.
            InitVerityDevice(fstab_rec->blk_device);
        } else {
            break;
        default:
            return false;
        }
    }
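Review bot: The merged `case` logs "Verity disabled/skipped", so the first-stage boot log cannot tell a partition whose verity metadata says disabled from one where setup was skipped because the device is not secure, which is the distinction this commit introduces. Giving SKIPPED its own case with `LOG(INFO) << "Verity skipped for '" << fstab_rec->mount_point << "'";` would keep that visible to anyone auditing the log. Unlike the fs_mgr_mount_all path, this switch accepts both results without a `__android_log_is_debuggable()` check; that may be intended, but a one-line comment saying why would make the difference deliberate rather than accidental. SetUpDmVerity continues past the end of the hunk.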