diff options
-rw-r--r-- | Android.mk | 1 | ||||
-rw-r--r-- | tests/Android.mk | 8 | ||||
-rw-r--r-- | tests/component/update_verifier_test.cpp | 9 | ||||
-rw-r--r-- | update_verifier/Android.bp | 83 | ||||
-rw-r--r-- | update_verifier/Android.mk | 77 | ||||
-rw-r--r-- | update_verifier/update_verifier.cpp | 45 |
6 files changed, 105 insertions, 118 deletions
diff --git a/Android.mk b/Android.mk index 010a51630..55ec38799 100644 --- a/Android.mk +++ b/Android.mk @@ -215,4 +215,3 @@ include \ $(LOCAL_PATH)/tests/Android.mk \ $(LOCAL_PATH)/tools/Android.mk \ $(LOCAL_PATH)/updater/Android.mk \ - $(LOCAL_PATH)/update_verifier/Android.mk \ diff --git a/tests/Android.mk b/tests/Android.mk index b29ff50f6..fd4497858 100644 --- a/tests/Android.mk +++ b/tests/Android.mk @@ -74,14 +74,6 @@ ifeq ($(AB_OTA_UPDATER),true) LOCAL_CFLAGS += -DAB_OTA_UPDATER=1 endif -ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true) -LOCAL_CFLAGS += -DPRODUCT_SUPPORTS_VERITY=1 -endif - -ifeq ($(BOARD_AVB_ENABLE),true) -LOCAL_CFLAGS += -DBOARD_AVB_ENABLE=1 -endif - LOCAL_MODULE := recovery_component_test LOCAL_COMPATIBILITY_SUITE := device-tests LOCAL_C_INCLUDES := bootable/recovery diff --git a/tests/component/update_verifier_test.cpp b/tests/component/update_verifier_test.cpp index 1544bb2a4..f6ef6dcfd 100644 --- a/tests/component/update_verifier_test.cpp +++ b/tests/component/update_verifier_test.cpp @@ -17,6 +17,8 @@ #include <string> #include <android-base/file.h> +#include <android-base/properties.h> +#include <android-base/strings.h> #include <android-base/test_utils.h> #include <gtest/gtest.h> #include <update_verifier/update_verifier.h> @@ -24,11 +26,8 @@ class UpdateVerifierTest : public ::testing::Test { protected: void SetUp() override { -#if defined(PRODUCT_SUPPORTS_VERITY) || defined(BOARD_AVB_ENABLE) - verity_supported = true; -#else - verity_supported = false; -#endif + std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", ""); + verity_supported = android::base::EqualsIgnoreCase(verity_mode, "enforcing"); } bool verity_supported; diff --git a/update_verifier/Android.bp b/update_verifier/Android.bp new file mode 100644 index 000000000..f6c7056d9 --- /dev/null +++ b/update_verifier/Android.bp @@ -0,0 +1,83 @@ +// Copyright (C) 2018 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +cc_defaults { + name: "update_verifier_defaults", + + cflags: [ + "-Wall", + "-Werror", + ], + + local_include_dirs: [ + "include", + ], +} + +cc_library_static { + name: "libupdate_verifier", + + defaults: [ + "update_verifier_defaults", + ], + + srcs: [ + "update_verifier.cpp", + ], + + export_include_dirs: [ + "include", + ], + + static_libs: [ + "libotautil", + ], + + shared_libs: [ + "android.hardware.boot@1.0", + "libbase", + "libcutils", + ], +} + +cc_binary { + name: "update_verifier", + + defaults: [ + "update_verifier_defaults", + ], + + srcs: [ + "update_verifier_main.cpp", + ], + + static_libs: [ + "libupdate_verifier", + "libotautil", + ], + + shared_libs: [ + "android.hardware.boot@1.0", + "libbase", + "libcutils", + "libhardware", + "libhidlbase", + "liblog", + "libutils", + ], + + init_rc: [ + "update_verifier.rc", + ], +} diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk deleted file mode 100644 index 0ff88546f..000000000 --- a/update_verifier/Android.mk +++ /dev/null @@ -1,77 +0,0 @@ -# Copyright (C) 2015 The Android Open Source Project -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -LOCAL_PATH := $(call my-dir) - -# libupdate_verifier (static library) -# =============================== -include $(CLEAR_VARS) - -LOCAL_SRC_FILES := \ - update_verifier.cpp - -LOCAL_MODULE := libupdate_verifier - -LOCAL_STATIC_LIBRARIES := \ - libotautil - -LOCAL_SHARED_LIBRARIES := \ - libbase \ - libcutils \ - android.hardware.boot@1.0 - -LOCAL_CFLAGS := -Wall -Werror - -LOCAL_EXPORT_C_INCLUDE_DIRS := \ - $(LOCAL_PATH)/include - -LOCAL_C_INCLUDES := \ - $(LOCAL_PATH)/include - -ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true) -LOCAL_CFLAGS += -DPRODUCT_SUPPORTS_VERITY=1 -endif - -ifeq ($(BOARD_AVB_ENABLE),true) -LOCAL_CFLAGS += -DBOARD_AVB_ENABLE=1 -endif - -include $(BUILD_STATIC_LIBRARY) - -# update_verifier (executable) -# =============================== -include $(CLEAR_VARS) - -LOCAL_SRC_FILES := \ - update_verifier_main.cpp - -LOCAL_MODULE := update_verifier -LOCAL_STATIC_LIBRARIES := \ - libupdate_verifier \ - libotautil - -LOCAL_SHARED_LIBRARIES := \ - libbase \ - libcutils \ - libhardware \ - liblog \ - libutils \ - libhidlbase \ - android.hardware.boot@1.0 - -LOCAL_CFLAGS := -Wall -Werror - -LOCAL_INIT_RC := update_verifier.rc - -include $(BUILD_EXECUTABLE) diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index 92d931371..dc7276326 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -15,24 +15,26 @@ */ /* - * This program verifies the integrity of the partitions after an A/B OTA - * update. It gets invoked by init, and will only perform the verification if - * it's the first boot post an A/B OTA update. + * update_verifier verifies the integrity of the partitions after an A/B OTA update. It gets invoked + * by init, and will only perform the verification if it's the first boot post an A/B OTA update + * (https://source.android.com/devices/tech/ota/ab/#after_reboot). * - * Update_verifier relies on dm-verity to capture any corruption on the partitions - * being verified. And its behavior varies depending on the dm-verity mode. - * Upon detection of failures: + * update_verifier relies on device-mapper-verity (dm-verity) to capture any corruption on the + * partitions being verified (https://source.android.com/security/verifiedboot). The verification + * will be skipped, if dm-verity is not enabled on the device. + * + * Upon detecting verification failures, the device will be rebooted, although the trigger of the + * reboot depends on the dm-verity mode. * enforcing mode: dm-verity reboots the device * eio mode: dm-verity fails the read and update_verifier reboots the device * other mode: not supported and update_verifier reboots the device * - * After a predefined number of failing boot attempts, the bootloader should - * mark the slot as unbootable and stops trying. Other dm-verity modes ( - * for example, veritymode=EIO) are not accepted and simply lead to a - * verification failure. + * All these reboots prevent the device from booting into a known corrupt state. If the device + * continuously fails to boot into the new slot, the bootloader should mark the slot as unbootable + * and trigger a fallback to the old slot. * - * The current slot will be marked as having booted successfully if the - * verifier reaches the end after the verification. + * The current slot will be marked as having booted successfully if the verifier reaches the end + * after the verification. */ #include "update_verifier/update_verifier.h" @@ -103,12 +105,10 @@ static bool read_blocks(const std::string& partition, const std::string& range_s PLOG(WARNING) << "Failed to read " << path; } else { std::string dm_block_name = android::base::Trim(content); -#ifdef BOARD_AVB_ENABLE // AVB is using 'vroot' for the root block device but we're expecting 'system'. if (dm_block_name == "vroot") { dm_block_name = "system"; } -#endif if (dm_block_name == partition) { dm_block_device = DEV_PATH + std::string(namelist[n]->d_name); while (n--) { @@ -264,19 +264,13 @@ int update_verifier(int argc, char** argv) { if (is_successful == BoolResult::FALSE) { // The current slot has not booted successfully. -#if defined(PRODUCT_SUPPORTS_VERITY) || defined(BOARD_AVB_ENABLE) bool skip_verification = false; std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", ""); if (verity_mode.empty()) { - // With AVB it's possible to disable verification entirely and - // in this case ro.boot.veritymode is empty. -#if defined(BOARD_AVB_ENABLE) - LOG(WARNING) << "verification has been disabled; marking without verification."; + // Skip the verification if ro.boot.veritymode property is not set. This could be a result + // that device doesn't support dm-verity, or has disabled that. + LOG(WARNING) << "dm-verity not enabled; marking without verification."; skip_verification = true; -#else - LOG(ERROR) << "Failed to get dm-verity mode."; - return reboot_device(); -#endif } else if (android::base::EqualsIgnoreCase(verity_mode, "eio")) { // We shouldn't see verity in EIO mode if the current slot hasn't booted successfully before. // Continue the verification until we fail to read some blocks. @@ -285,7 +279,7 @@ int update_verifier(int argc, char** argv) { LOG(WARNING) << "dm-verity in disabled mode; marking without verification."; skip_verification = true; } else if (verity_mode != "enforcing") { - LOG(ERROR) << "Unexpected dm-verity mode : " << verity_mode << ", expecting enforcing."; + LOG(ERROR) << "Unexpected dm-verity mode: " << verity_mode << ", expecting enforcing."; return reboot_device(); } @@ -296,9 +290,6 @@ int update_verifier(int argc, char** argv) { return reboot_device(); } } -#else - LOG(WARNING) << "dm-verity not enabled; marking without verification."; -#endif CommandResult cr; module->markBootSuccessful([&cr](CommandResult result) { cr = result; }); |