summaryrefslogtreecommitdiffstats
path: root/update_verifier
diff options
context:
space:
mode:
Diffstat (limited to 'update_verifier')
-rw-r--r--update_verifier/Android.mk16
-rw-r--r--update_verifier/update_verifier.cpp249
-rw-r--r--update_verifier/update_verifier.rc11
3 files changed, 186 insertions, 90 deletions
diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk
index 2bfd01622..1acd5eca0 100644
--- a/update_verifier/Android.mk
+++ b/update_verifier/Android.mk
@@ -20,8 +20,22 @@ LOCAL_CLANG := true
LOCAL_SRC_FILES := update_verifier.cpp
LOCAL_MODULE := update_verifier
-LOCAL_SHARED_LIBRARIES := libbase libcutils libhardware liblog
+LOCAL_SHARED_LIBRARIES := \
+ libbase \
+ libcutils \
+ libhardware \
+ liblog \
+ libutils \
+ libhidlbase \
+ android.hardware.boot@1.0
+LOCAL_CFLAGS := -Werror
LOCAL_C_INCLUDES += $(LOCAL_PATH)/..
+LOCAL_INIT_RC := update_verifier.rc
+
+ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true)
+ LOCAL_CFLAGS += -DPRODUCT_SUPPORTS_VERITY=1
+endif
+
include $(BUILD_EXECUTABLE)
diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp
index 5cff8be93..350020f13 100644
--- a/update_verifier/update_verifier.cpp
+++ b/update_verifier/update_verifier.cpp
@@ -19,88 +19,146 @@
* update. It gets invoked by init, and will only perform the verification if
* it's the first boot post an A/B OTA update.
*
- * It relies on dm-verity to capture any corruption on the partitions being
- * verified. dm-verity must be in enforcing mode, so that it will reboot the
- * device on dm-verity failures. When that happens, the bootloader should
+ * Update_verifier relies on dm-verity to capture any corruption on the partitions
+ * being verified. And its behavior varies depending on the dm-verity mode.
+ * Upon detection of failures:
+ * enforcing mode: dm-verity reboots the device
+ * eio mode: dm-verity fails the read and update_verifier reboots the device
+ * other mode: not supported and update_verifier reboots the device
+ *
+ * After a predefined number of failing boot attempts, the bootloader should
* mark the slot as unbootable and stops trying. Other dm-verity modes (
* for example, veritymode=EIO) are not accepted and simply lead to a
* verification failure.
*
* The current slot will be marked as having booted successfully if the
* verifier reaches the end after the verification.
- *
*/
+#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
+#include <unistd.h>
#include <string>
#include <vector>
#include <android-base/file.h>
+#include <android-base/logging.h>
#include <android-base/parseint.h>
+#include <android-base/properties.h>
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
-#include <cutils/properties.h>
-#include <hardware/boot_control.h>
-#define LOG_TAG "update_verifier"
-#include <log/log.h>
+#include <android/hardware/boot/1.0/IBootControl.h>
+#include <cutils/android_reboot.h>
+
+using android::sp;
+using android::hardware::boot::V1_0::IBootControl;
+using android::hardware::boot::V1_0::BoolResult;
+using android::hardware::boot::V1_0::CommandResult;
constexpr auto CARE_MAP_FILE = "/data/ota_package/care_map.txt";
+constexpr auto DM_PATH_PREFIX = "/sys/block/";
+constexpr auto DM_PATH_SUFFIX = "/dm/name";
+constexpr auto DEV_PATH = "/dev/block/";
constexpr int BLOCKSIZE = 4096;
-static bool read_blocks(const std::string& blk_device_prefix, const std::string& range_str) {
- char slot_suffix[PROPERTY_VALUE_MAX];
- property_get("ro.boot.slot_suffix", slot_suffix, "");
- std::string blk_device = blk_device_prefix + std::string(slot_suffix);
- android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(blk_device.c_str(), O_RDONLY)));
- if (fd.get() == -1) {
- SLOGE("Error reading partition %s: %s\n", blk_device.c_str(), strerror(errno));
- return false;
- }
+// Find directories in format of "/sys/block/dm-X".
+static int dm_name_filter(const dirent* de) {
+ if (android::base::StartsWith(de->d_name, "dm-")) {
+ return 1;
+ }
+ return 0;
+}
- // For block range string, first integer 'count' equals 2 * total number of valid ranges,
- // followed by 'count' number comma separated integers. Every two integers reprensent a
- // block range with the first number included in range but second number not included.
- // For example '4,64536,65343,74149,74150' represents: [64536,65343) and [74149,74150).
- std::vector<std::string> ranges = android::base::Split(range_str, ",");
- size_t range_count;
- bool status = android::base::ParseUint(ranges[0].c_str(), &range_count);
- if (!status || (range_count == 0) || (range_count % 2 != 0) ||
- (range_count != ranges.size()-1)) {
- SLOGE("Error in parsing range string.\n");
- return false;
+static bool read_blocks(const std::string& partition, const std::string& range_str) {
+ if (partition != "system" && partition != "vendor") {
+ LOG(ERROR) << "partition name must be system or vendor: " << partition;
+ return false;
+ }
+ // Iterate the content of "/sys/block/dm-X/dm/name". If it matches "system"
+ // (or "vendor"), then dm-X is a dm-wrapped system/vendor partition.
+ // Afterwards, update_verifier will read every block on the care_map_file of
+ // "/dev/block/dm-X" to ensure the partition's integrity.
+ dirent** namelist;
+ int n = scandir(DM_PATH_PREFIX, &namelist, dm_name_filter, alphasort);
+ if (n == -1) {
+ PLOG(ERROR) << "Failed to scan dir " << DM_PATH_PREFIX;
+ return false;
+ }
+ if (n == 0) {
+ LOG(ERROR) << "dm block device not found for " << partition;
+ return false;
+ }
+
+ std::string dm_block_device;
+ while (n--) {
+ std::string path = DM_PATH_PREFIX + std::string(namelist[n]->d_name) + DM_PATH_SUFFIX;
+ std::string content;
+ if (!android::base::ReadFileToString(path, &content)) {
+ PLOG(WARNING) << "Failed to read " << path;
+ } else if (android::base::Trim(content) == partition) {
+ dm_block_device = DEV_PATH + std::string(namelist[n]->d_name);
+ while (n--) {
+ free(namelist[n]);
+ }
+ break;
}
+ free(namelist[n]);
+ }
+ free(namelist);
- size_t blk_count = 0;
- for (size_t i = 1; i < ranges.size(); i += 2) {
- unsigned int range_start, range_end;
- bool parse_status = android::base::ParseUint(ranges[i].c_str(), &range_start);
- parse_status = parse_status && android::base::ParseUint(ranges[i+1].c_str(), &range_end);
- if (!parse_status || range_start >= range_end) {
- SLOGE("Invalid range pair %s, %s.\n", ranges[i].c_str(), ranges[i+1].c_str());
- return false;
- }
+ if (dm_block_device.empty()) {
+ LOG(ERROR) << "Failed to find dm block device for " << partition;
+ return false;
+ }
+ android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(dm_block_device.c_str(), O_RDONLY)));
+ if (fd.get() == -1) {
+ PLOG(ERROR) << "Error reading " << dm_block_device << " for partition " << partition;
+ return false;
+ }
- if (lseek64(fd.get(), static_cast<off64_t>(range_start) * BLOCKSIZE, SEEK_SET) == -1) {
- SLOGE("lseek to %u failed: %s.\n", range_start, strerror(errno));
- return false;
- }
+ // For block range string, first integer 'count' equals 2 * total number of valid ranges,
+ // followed by 'count' number comma separated integers. Every two integers reprensent a
+ // block range with the first number included in range but second number not included.
+ // For example '4,64536,65343,74149,74150' represents: [64536,65343) and [74149,74150).
+ std::vector<std::string> ranges = android::base::Split(range_str, ",");
+ size_t range_count;
+ bool status = android::base::ParseUint(ranges[0], &range_count);
+ if (!status || (range_count == 0) || (range_count % 2 != 0) ||
+ (range_count != ranges.size() - 1)) {
+ LOG(ERROR) << "Error in parsing range string.";
+ return false;
+ }
- size_t size = (range_end - range_start) * BLOCKSIZE;
- std::vector<uint8_t> buf(size);
- if (!android::base::ReadFully(fd.get(), buf.data(), size)) {
- SLOGE("Failed to read blocks %u to %u: %s.\n", range_start, range_end,
- strerror(errno));
- return false;
- }
- blk_count += (range_end - range_start);
+ size_t blk_count = 0;
+ for (size_t i = 1; i < ranges.size(); i += 2) {
+ unsigned int range_start, range_end;
+ bool parse_status = android::base::ParseUint(ranges[i], &range_start);
+ parse_status = parse_status && android::base::ParseUint(ranges[i + 1], &range_end);
+ if (!parse_status || range_start >= range_end) {
+ LOG(ERROR) << "Invalid range pair " << ranges[i] << ", " << ranges[i + 1];
+ return false;
}
- SLOGI("Finished reading %zu blocks on %s.\n", blk_count, blk_device.c_str());
- return true;
+ if (lseek64(fd.get(), static_cast<off64_t>(range_start) * BLOCKSIZE, SEEK_SET) == -1) {
+ PLOG(ERROR) << "lseek to " << range_start << " failed";
+ return false;
+ }
+
+ size_t size = (range_end - range_start) * BLOCKSIZE;
+ std::vector<uint8_t> buf(size);
+ if (!android::base::ReadFully(fd.get(), buf.data(), size)) {
+ PLOG(ERROR) << "Failed to read blocks " << range_start << " to " << range_end;
+ return false;
+ }
+ blk_count += (range_end - range_start);
+ }
+
+ LOG(INFO) << "Finished reading " << blk_count << " blocks on " << dm_block_device;
+ return true;
}
static bool verify_image(const std::string& care_map_name) {
@@ -109,24 +167,24 @@ static bool verify_image(const std::string& care_map_name) {
// in /data/ota_package. To allow the device to continue booting in this situation,
// we should print a warning and skip the block verification.
if (care_map_fd.get() == -1) {
- SLOGI("Warning: care map %s not found.\n", care_map_name.c_str());
+ PLOG(WARNING) << "Failed to open " << care_map_name;
return true;
}
// Care map file has four lines (two lines if vendor partition is not present):
- // First line has the block device name, e.g./dev/block/.../by-name/system.
+ // First line has the block partition name (system/vendor).
// Second line holds all ranges of blocks to verify.
// The next two lines have the same format but for vendor partition.
std::string file_content;
if (!android::base::ReadFdToString(care_map_fd.get(), &file_content)) {
- SLOGE("Error reading care map contents to string.\n");
+ LOG(ERROR) << "Error reading care map contents to string.";
return false;
}
std::vector<std::string> lines;
lines = android::base::Split(android::base::Trim(file_content), "\n");
if (lines.size() != 2 && lines.size() != 4) {
- SLOGE("Invalid lines in care_map: found %zu lines, expecting 2 or 4 lines.\n",
- lines.size());
+ LOG(ERROR) << "Invalid lines in care_map: found " << lines.size()
+ << " lines, expecting 2 or 4 lines.";
return false;
}
@@ -139,51 +197,64 @@ static bool verify_image(const std::string& care_map_name) {
return true;
}
+static int reboot_device() {
+ if (android_reboot(ANDROID_RB_RESTART2, 0, nullptr) == -1) {
+ LOG(ERROR) << "Failed to reboot.";
+ return -1;
+ }
+ while (true) pause();
+}
+
int main(int argc, char** argv) {
for (int i = 1; i < argc; i++) {
- SLOGI("Started with arg %d: %s\n", i, argv[i]);
+ LOG(INFO) << "Started with arg " << i << ": " << argv[i];
}
- const hw_module_t* hw_module;
- if (hw_get_module("bootctrl", &hw_module) != 0) {
- SLOGE("Error getting bootctrl module.\n");
- return -1;
+ sp<IBootControl> module = IBootControl::getService();
+ if (module == nullptr) {
+ LOG(ERROR) << "Error getting bootctrl module.";
+ return reboot_device();
}
- boot_control_module_t* module = reinterpret_cast<boot_control_module_t*>(
- const_cast<hw_module_t*>(hw_module));
- module->init(module);
+ uint32_t current_slot = module->getCurrentSlot();
+ BoolResult is_successful = module->isSlotMarkedSuccessful(current_slot);
+ LOG(INFO) << "Booting slot " << current_slot << ": isSlotMarkedSuccessful="
+ << static_cast<int32_t>(is_successful);
- unsigned current_slot = module->getCurrentSlot(module);
- int is_successful= module->isSlotMarkedSuccessful(module, current_slot);
- SLOGI("Booting slot %u: isSlotMarkedSuccessful=%d\n", current_slot, is_successful);
- if (is_successful == 0) {
+ if (is_successful == BoolResult::FALSE) {
// The current slot has not booted successfully.
- char verity_mode[PROPERTY_VALUE_MAX];
- if (property_get("ro.boot.veritymode", verity_mode, "") == -1) {
- SLOGE("Failed to get dm-verity mode");
- return -1;
- } else if (strcasecmp(verity_mode, "eio") == 0) {
- // We shouldn't see verity in EIO mode if the current slot hasn't booted
- // successfully before. Therefore, fail the verification when veritymode=eio.
- SLOGE("Found dm-verity in EIO mode, skip verification.");
- return -1;
- } else if (strcmp(verity_mode, "enforcing") != 0) {
- SLOGE("Unexpected dm-verity mode : %s, expecting enforcing.", verity_mode);
- return -1;
- } else if (!verify_image(CARE_MAP_FILE)) {
- SLOGE("Failed to verify all blocks in care map file.\n");
- return -1;
+
+#ifdef PRODUCT_SUPPORTS_VERITY
+ std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", "");
+ if (verity_mode.empty()) {
+ LOG(ERROR) << "Failed to get dm-verity mode.";
+ return reboot_device();
+ } else if (android::base::EqualsIgnoreCase(verity_mode, "eio")) {
+ // We shouldn't see verity in EIO mode if the current slot hasn't booted successfully before.
+ // Continue the verification until we fail to read some blocks.
+ LOG(WARNING) << "Found dm-verity in EIO mode.";
+ } else if (verity_mode != "enforcing") {
+ LOG(ERROR) << "Unexpected dm-verity mode : " << verity_mode << ", expecting enforcing.";
+ return reboot_device();
+ }
+
+ if (!verify_image(CARE_MAP_FILE)) {
+ LOG(ERROR) << "Failed to verify all blocks in care map file.";
+ return reboot_device();
}
+#else
+ LOG(WARNING) << "dm-verity not enabled; marking without verification.";
+#endif
- int ret = module->markBootSuccessful(module);
- if (ret != 0) {
- SLOGE("Error marking booted successfully: %s\n", strerror(-ret));
- return -1;
+ CommandResult cr;
+ module->markBootSuccessful([&cr](CommandResult result) { cr = result; });
+ if (!cr.success) {
+ LOG(ERROR) << "Error marking booted successfully: " << cr.errMsg;
+ return reboot_device();
}
- SLOGI("Marked slot %u as booted successfully.\n", current_slot);
+ LOG(INFO) << "Marked slot " << current_slot << " as booted successfully.";
}
- SLOGI("Leaving update_verifier.\n");
+ LOG(INFO) << "Leaving update_verifier.";
return 0;
}
diff --git a/update_verifier/update_verifier.rc b/update_verifier/update_verifier.rc
new file mode 100644
index 000000000..862b06257
--- /dev/null
+++ b/update_verifier/update_verifier.rc
@@ -0,0 +1,11 @@
+service update_verifier_nonencrypted /system/bin/update_verifier nonencrypted
+ user root
+ group cache system
+ priority -20
+ ioprio rt 0
+
+service update_verifier /system/bin/update_verifier ${vold.decrypt}
+ user root
+ group cache system
+ priority -20
+ ioprio rt 0