Merge "Make update_verifier generic across verified boot versions."

This commit is contained in:
Tao Bao
2018-04-23 22:33:45 +00:00
committed by Gerrit Code Review
4 changed files with 22 additions and 48 deletions
-8
@@ -74,14 +74,6 @@ ifeq ($(AB_OTA_UPDATER),true)
LOCAL_CFLAGS += -DAB_OTA_UPDATER=1 LOCAL_CFLAGS += -DAB_OTA_UPDATER=1
endif endif
ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true)
LOCAL_CFLAGS += -DPRODUCT_SUPPORTS_VERITY=1
endif
ifeq ($(BOARD_AVB_ENABLE),true)
LOCAL_CFLAGS += -DBOARD_AVB_ENABLE=1
endif
LOCAL_MODULE := recovery_component_test LOCAL_MODULE := recovery_component_test
LOCAL_COMPATIBILITY_SUITE := device-tests LOCAL_COMPATIBILITY_SUITE := device-tests
LOCAL_C_INCLUDES := bootable/recovery LOCAL_C_INCLUDES := bootable/recovery
+4 -5
@@ -17,6 +17,8 @@
#include <string> #include <string>
#include <android-base/file.h> #include <android-base/file.h>
#include <android-base/properties.h>
#include <android-base/strings.h>
#include <android-base/test_utils.h> #include <android-base/test_utils.h>
#include <gtest/gtest.h> #include <gtest/gtest.h>
#include <update_verifier/update_verifier.h> #include <update_verifier/update_verifier.h>
@@ -24,11 +26,8 @@
class UpdateVerifierTest : public ::testing::Test { class UpdateVerifierTest : public ::testing::Test {
protected: protected:
void SetUp() override { void SetUp() override {
#if defined(PRODUCT_SUPPORTS_VERITY) || defined(BOARD_AVB_ENABLE) std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", "");
verity_supported = true; verity_supported = android::base::EqualsIgnoreCase(verity_mode, "enforcing");
#else
verity_supported = false;
#endif
} }
bool verity_supported; bool verity_supported;
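Review bot: `verity_supported` is now true only when `ro.boot.veritymode` equals "enforcing", which is narrower than the set of modes in which update_verifier actually runs verification — the unchanged eio branch in update_verifier.cpp continues verifying blocks, so on an eio-mode device the test fixture would report "not supported" while the verifier still attempts reads. If any test keys skipped-verification expectations on this flag, that device configuration would presumably diverge. Either mirror the verifier's classification (treat "enforcing" and "eio" as verity present) or document the narrower meaning on the member, e.g. `bool verity_supported;  // True only when dm-verity is in enforcing mode; eio/disabled count as unsupported here.` The rest of the fixture (and the tests using this flag) is outside the hunk.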
-8
@@ -39,14 +39,6 @@ LOCAL_EXPORT_C_INCLUDE_DIRS := \
LOCAL_C_INCLUDES := \ LOCAL_C_INCLUDES := \
$(LOCAL_PATH)/include $(LOCAL_PATH)/include
ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true)
LOCAL_CFLAGS += -DPRODUCT_SUPPORTS_VERITY=1
endif
ifeq ($(BOARD_AVB_ENABLE),true)
LOCAL_CFLAGS += -DBOARD_AVB_ENABLE=1
endif
include $(BUILD_STATIC_LIBRARY) include $(BUILD_STATIC_LIBRARY)
# update_verifier (executable) # update_verifier (executable)
+18 -27
@@ -15,24 +15,26 @@
*/ */
/* /*
* This program verifies the integrity of the partitions after an A/B OTA * update_verifier verifies the integrity of the partitions after an A/B OTA update. It gets invoked
* update. It gets invoked by init, and will only perform the verification if * by init, and will only perform the verification if it's the first boot post an A/B OTA update
* it's the first boot post an A/B OTA update. * (https://source.android.com/devices/tech/ota/ab/#after_reboot).
* *
* Update_verifier relies on dm-verity to capture any corruption on the partitions * update_verifier relies on device-mapper-verity (dm-verity) to capture any corruption on the
* being verified. And its behavior varies depending on the dm-verity mode. * partitions being verified (https://source.android.com/security/verifiedboot). The verification
* Upon detection of failures: * will be skipped, if dm-verity is not enabled on the device.
*
* Upon detecting verification failures, the device will be rebooted, although the trigger of the
* reboot depends on the dm-verity mode.
* enforcing mode: dm-verity reboots the device * enforcing mode: dm-verity reboots the device
* eio mode: dm-verity fails the read and update_verifier reboots the device * eio mode: dm-verity fails the read and update_verifier reboots the device
* other mode: not supported and update_verifier reboots the device * other mode: not supported and update_verifier reboots the device
* *
* After a predefined number of failing boot attempts, the bootloader should * All these reboots prevent the device from booting into a known corrupt state. If the device
* mark the slot as unbootable and stops trying. Other dm-verity modes ( * continuously fails to boot into the new slot, the bootloader should mark the slot as unbootable
* for example, veritymode=EIO) are not accepted and simply lead to a * and trigger a fallback to the old slot.
* verification failure.
* *
* The current slot will be marked as having booted successfully if the * The current slot will be marked as having booted successfully if the verifier reaches the end
* verifier reaches the end after the verification. * after the verification.
*/ */
#include "update_verifier/update_verifier.h" #include "update_verifier/update_verifier.h"
@@ -103,12 +105,10 @@ static bool read_blocks(const std::string& partition, const std::string& range_s
PLOG(WARNING) << "Failed to read " << path; PLOG(WARNING) << "Failed to read " << path;
} else { } else {
std::string dm_block_name = android::base::Trim(content); std::string dm_block_name = android::base::Trim(content);
#ifdef BOARD_AVB_ENABLE
// AVB is using 'vroot' for the root block device but we're expecting 'system'. // AVB is using 'vroot' for the root block device but we're expecting 'system'.
if (dm_block_name == "vroot") { if (dm_block_name == "vroot") {
dm_block_name = "system"; dm_block_name = "system";
} }
#endif
if (dm_block_name == partition) { if (dm_block_name == partition) {
dm_block_device = DEV_PATH + std::string(namelist[n]->d_name); dm_block_device = DEV_PATH + std::string(namelist[n]->d_name);
while (n--) { while (n--) {
@@ -264,19 +264,13 @@ int update_verifier(int argc, char** argv) {
if (is_successful == BoolResult::FALSE) { if (is_successful == BoolResult::FALSE) {
// The current slot has not booted successfully. // The current slot has not booted successfully.
#if defined(PRODUCT_SUPPORTS_VERITY) || defined(BOARD_AVB_ENABLE)
bool skip_verification = false; bool skip_verification = false;
std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", ""); std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", "");
if (verity_mode.empty()) { if (verity_mode.empty()) {
// With AVB it's possible to disable verification entirely and // Skip the verification if ro.boot.veritymode property is not set. This could be a result
// in this case ro.boot.veritymode is empty. // that device doesn't support dm-verity, or has disabled that.
#if defined(BOARD_AVB_ENABLE) LOG(WARNING) << "dm-verity not enabled; marking without verification.";
LOG(WARNING) << "verification has been disabled; marking without verification.";
skip_verification = true; skip_verification = true;
#else
LOG(ERROR) << "Failed to get dm-verity mode.";
return reboot_device();
#endif
} else if (android::base::EqualsIgnoreCase(verity_mode, "eio")) { } else if (android::base::EqualsIgnoreCase(verity_mode, "eio")) {
// We shouldn't see verity in EIO mode if the current slot hasn't booted successfully before. // We shouldn't see verity in EIO mode if the current slot hasn't booted successfully before.
// Continue the verification until we fail to read some blocks. // Continue the verification until we fail to read some blocks.
@@ -285,7 +279,7 @@ int update_verifier(int argc, char** argv) {
LOG(WARNING) << "dm-verity in disabled mode; marking without verification."; LOG(WARNING) << "dm-verity in disabled mode; marking without verification.";
skip_verification = true; skip_verification = true;
} else if (verity_mode != "enforcing") { } else if (verity_mode != "enforcing") {
LOG(ERROR) << "Unexpected dm-verity mode : " << verity_mode << ", expecting enforcing."; LOG(ERROR) << "Unexpected dm-verity mode: " << verity_mode << ", expecting enforcing.";
return reboot_device(); return reboot_device();
} }
@@ -296,9 +290,6 @@ int update_verifier(int argc, char** argv) {
return reboot_device(); return reboot_device();
} }
} }
#else
LOG(WARNING) << "dm-verity not enabled; marking without verification.";
#endif
CommandResult cr; CommandResult cr;
module->markBootSuccessful([&cr](CommandResult result) { cr = result; }); module->markBootSuccessful([&cr](CommandResult result) { cr = result; });
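Review bot: In the empty-`ro.boot.veritymode` branch of the `-264,19 +264,13` hunk, removing the `#else` path means a device that expects dm-verity but boots without the property set now logs a warning and marks the slot successful, where it previously hit `LOG(ERROR) << "Failed to get dm-verity mode."; return reboot_device();`. With the build-time flags gone, the property is the only remaining signal, so an unset property from a misconfigured bootloader or init is presumably indistinguishable from verity being intentionally disabled. If that trade-off is intended, state it next to the check, e.g. `// An unset ro.boot.veritymode is treated as "dm-verity not enabled"; devices that ship dm-verity must rely on the bootloader always populating it.` The enclosing update_verifier() starts and ends outside this hunk.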