diff options
Diffstat (limited to 'update_verifier')
-rw-r--r-- | update_verifier/Android.mk | 16 | ||||
-rw-r--r-- | update_verifier/update_verifier.cpp | 249 | ||||
-rw-r--r-- | update_verifier/update_verifier.rc | 11 |
3 files changed, 186 insertions, 90 deletions
diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk index 2bfd01622..1acd5eca0 100644 --- a/update_verifier/Android.mk +++ b/update_verifier/Android.mk @@ -20,8 +20,22 @@ LOCAL_CLANG := true LOCAL_SRC_FILES := update_verifier.cpp LOCAL_MODULE := update_verifier -LOCAL_SHARED_LIBRARIES := libbase libcutils libhardware liblog +LOCAL_SHARED_LIBRARIES := \ + libbase \ + libcutils \ + libhardware \ + liblog \ + libutils \ + libhidlbase \ + android.hardware.boot@1.0 +LOCAL_CFLAGS := -Werror LOCAL_C_INCLUDES += $(LOCAL_PATH)/.. +LOCAL_INIT_RC := update_verifier.rc + +ifeq ($(PRODUCTS.$(INTERNAL_PRODUCT).PRODUCT_SUPPORTS_VERITY),true) + LOCAL_CFLAGS += -DPRODUCT_SUPPORTS_VERITY=1 +endif + include $(BUILD_EXECUTABLE) diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp index 5cff8be93..350020f13 100644 --- a/update_verifier/update_verifier.cpp +++ b/update_verifier/update_verifier.cpp @@ -19,88 +19,146 @@ * update. It gets invoked by init, and will only perform the verification if * it's the first boot post an A/B OTA update. * - * It relies on dm-verity to capture any corruption on the partitions being - * verified. dm-verity must be in enforcing mode, so that it will reboot the - * device on dm-verity failures. When that happens, the bootloader should + * Update_verifier relies on dm-verity to capture any corruption on the partitions + * being verified. And its behavior varies depending on the dm-verity mode. + * Upon detection of failures: + * enforcing mode: dm-verity reboots the device + * eio mode: dm-verity fails the read and update_verifier reboots the device + * other mode: not supported and update_verifier reboots the device + * + * After a predefined number of failing boot attempts, the bootloader should * mark the slot as unbootable and stops trying. Other dm-verity modes ( * for example, veritymode=EIO) are not accepted and simply lead to a * verification failure. * * The current slot will be marked as having booted successfully if the * verifier reaches the end after the verification. - * */ +#include <dirent.h> #include <errno.h> #include <fcntl.h> #include <stdio.h> #include <string.h> +#include <unistd.h> #include <string> #include <vector> #include <android-base/file.h> +#include <android-base/logging.h> #include <android-base/parseint.h> +#include <android-base/properties.h> #include <android-base/strings.h> #include <android-base/unique_fd.h> -#include <cutils/properties.h> -#include <hardware/boot_control.h> -#define LOG_TAG "update_verifier" -#include <log/log.h> +#include <android/hardware/boot/1.0/IBootControl.h> +#include <cutils/android_reboot.h> + +using android::sp; +using android::hardware::boot::V1_0::IBootControl; +using android::hardware::boot::V1_0::BoolResult; +using android::hardware::boot::V1_0::CommandResult; constexpr auto CARE_MAP_FILE = "/data/ota_package/care_map.txt"; +constexpr auto DM_PATH_PREFIX = "/sys/block/"; +constexpr auto DM_PATH_SUFFIX = "/dm/name"; +constexpr auto DEV_PATH = "/dev/block/"; constexpr int BLOCKSIZE = 4096; -static bool read_blocks(const std::string& blk_device_prefix, const std::string& range_str) { - char slot_suffix[PROPERTY_VALUE_MAX]; - property_get("ro.boot.slot_suffix", slot_suffix, ""); - std::string blk_device = blk_device_prefix + std::string(slot_suffix); - android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(blk_device.c_str(), O_RDONLY))); - if (fd.get() == -1) { - SLOGE("Error reading partition %s: %s\n", blk_device.c_str(), strerror(errno)); - return false; - } +// Find directories in format of "/sys/block/dm-X". +static int dm_name_filter(const dirent* de) { + if (android::base::StartsWith(de->d_name, "dm-")) { + return 1; + } + return 0; +} - // For block range string, first integer 'count' equals 2 * total number of valid ranges, - // followed by 'count' number comma separated integers. Every two integers reprensent a - // block range with the first number included in range but second number not included. - // For example '4,64536,65343,74149,74150' represents: [64536,65343) and [74149,74150). - std::vector<std::string> ranges = android::base::Split(range_str, ","); - size_t range_count; - bool status = android::base::ParseUint(ranges[0].c_str(), &range_count); - if (!status || (range_count == 0) || (range_count % 2 != 0) || - (range_count != ranges.size()-1)) { - SLOGE("Error in parsing range string.\n"); - return false; +static bool read_blocks(const std::string& partition, const std::string& range_str) { + if (partition != "system" && partition != "vendor") { + LOG(ERROR) << "partition name must be system or vendor: " << partition; + return false; + } + // Iterate the content of "/sys/block/dm-X/dm/name". If it matches "system" + // (or "vendor"), then dm-X is a dm-wrapped system/vendor partition. + // Afterwards, update_verifier will read every block on the care_map_file of + // "/dev/block/dm-X" to ensure the partition's integrity. + dirent** namelist; + int n = scandir(DM_PATH_PREFIX, &namelist, dm_name_filter, alphasort); + if (n == -1) { + PLOG(ERROR) << "Failed to scan dir " << DM_PATH_PREFIX; + return false; + } + if (n == 0) { + LOG(ERROR) << "dm block device not found for " << partition; + return false; + } + + std::string dm_block_device; + while (n--) { + std::string path = DM_PATH_PREFIX + std::string(namelist[n]->d_name) + DM_PATH_SUFFIX; + std::string content; + if (!android::base::ReadFileToString(path, &content)) { + PLOG(WARNING) << "Failed to read " << path; + } else if (android::base::Trim(content) == partition) { + dm_block_device = DEV_PATH + std::string(namelist[n]->d_name); + while (n--) { + free(namelist[n]); + } + break; } + free(namelist[n]); + } + free(namelist); - size_t blk_count = 0; - for (size_t i = 1; i < ranges.size(); i += 2) { - unsigned int range_start, range_end; - bool parse_status = android::base::ParseUint(ranges[i].c_str(), &range_start); - parse_status = parse_status && android::base::ParseUint(ranges[i+1].c_str(), &range_end); - if (!parse_status || range_start >= range_end) { - SLOGE("Invalid range pair %s, %s.\n", ranges[i].c_str(), ranges[i+1].c_str()); - return false; - } + if (dm_block_device.empty()) { + LOG(ERROR) << "Failed to find dm block device for " << partition; + return false; + } + android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(dm_block_device.c_str(), O_RDONLY))); + if (fd.get() == -1) { + PLOG(ERROR) << "Error reading " << dm_block_device << " for partition " << partition; + return false; + } - if (lseek64(fd.get(), static_cast<off64_t>(range_start) * BLOCKSIZE, SEEK_SET) == -1) { - SLOGE("lseek to %u failed: %s.\n", range_start, strerror(errno)); - return false; - } + // For block range string, first integer 'count' equals 2 * total number of valid ranges, + // followed by 'count' number comma separated integers. Every two integers reprensent a + // block range with the first number included in range but second number not included. + // For example '4,64536,65343,74149,74150' represents: [64536,65343) and [74149,74150). + std::vector<std::string> ranges = android::base::Split(range_str, ","); + size_t range_count; + bool status = android::base::ParseUint(ranges[0], &range_count); + if (!status || (range_count == 0) || (range_count % 2 != 0) || + (range_count != ranges.size() - 1)) { + LOG(ERROR) << "Error in parsing range string."; + return false; + } - size_t size = (range_end - range_start) * BLOCKSIZE; - std::vector<uint8_t> buf(size); - if (!android::base::ReadFully(fd.get(), buf.data(), size)) { - SLOGE("Failed to read blocks %u to %u: %s.\n", range_start, range_end, - strerror(errno)); - return false; - } - blk_count += (range_end - range_start); + size_t blk_count = 0; + for (size_t i = 1; i < ranges.size(); i += 2) { + unsigned int range_start, range_end; + bool parse_status = android::base::ParseUint(ranges[i], &range_start); + parse_status = parse_status && android::base::ParseUint(ranges[i + 1], &range_end); + if (!parse_status || range_start >= range_end) { + LOG(ERROR) << "Invalid range pair " << ranges[i] << ", " << ranges[i + 1]; + return false; } - SLOGI("Finished reading %zu blocks on %s.\n", blk_count, blk_device.c_str()); - return true; + if (lseek64(fd.get(), static_cast<off64_t>(range_start) * BLOCKSIZE, SEEK_SET) == -1) { + PLOG(ERROR) << "lseek to " << range_start << " failed"; + return false; + } + + size_t size = (range_end - range_start) * BLOCKSIZE; + std::vector<uint8_t> buf(size); + if (!android::base::ReadFully(fd.get(), buf.data(), size)) { + PLOG(ERROR) << "Failed to read blocks " << range_start << " to " << range_end; + return false; + } + blk_count += (range_end - range_start); + } + + LOG(INFO) << "Finished reading " << blk_count << " blocks on " << dm_block_device; + return true; } static bool verify_image(const std::string& care_map_name) { @@ -109,24 +167,24 @@ static bool verify_image(const std::string& care_map_name) { // in /data/ota_package. To allow the device to continue booting in this situation, // we should print a warning and skip the block verification. if (care_map_fd.get() == -1) { - SLOGI("Warning: care map %s not found.\n", care_map_name.c_str()); + PLOG(WARNING) << "Failed to open " << care_map_name; return true; } // Care map file has four lines (two lines if vendor partition is not present): - // First line has the block device name, e.g./dev/block/.../by-name/system. + // First line has the block partition name (system/vendor). // Second line holds all ranges of blocks to verify. // The next two lines have the same format but for vendor partition. std::string file_content; if (!android::base::ReadFdToString(care_map_fd.get(), &file_content)) { - SLOGE("Error reading care map contents to string.\n"); + LOG(ERROR) << "Error reading care map contents to string."; return false; } std::vector<std::string> lines; lines = android::base::Split(android::base::Trim(file_content), "\n"); if (lines.size() != 2 && lines.size() != 4) { - SLOGE("Invalid lines in care_map: found %zu lines, expecting 2 or 4 lines.\n", - lines.size()); + LOG(ERROR) << "Invalid lines in care_map: found " << lines.size() + << " lines, expecting 2 or 4 lines."; return false; } @@ -139,51 +197,64 @@ static bool verify_image(const std::string& care_map_name) { return true; } +static int reboot_device() { + if (android_reboot(ANDROID_RB_RESTART2, 0, nullptr) == -1) { + LOG(ERROR) << "Failed to reboot."; + return -1; + } + while (true) pause(); +} + int main(int argc, char** argv) { for (int i = 1; i < argc; i++) { - SLOGI("Started with arg %d: %s\n", i, argv[i]); + LOG(INFO) << "Started with arg " << i << ": " << argv[i]; } - const hw_module_t* hw_module; - if (hw_get_module("bootctrl", &hw_module) != 0) { - SLOGE("Error getting bootctrl module.\n"); - return -1; + sp<IBootControl> module = IBootControl::getService(); + if (module == nullptr) { + LOG(ERROR) << "Error getting bootctrl module."; + return reboot_device(); } - boot_control_module_t* module = reinterpret_cast<boot_control_module_t*>( - const_cast<hw_module_t*>(hw_module)); - module->init(module); + uint32_t current_slot = module->getCurrentSlot(); + BoolResult is_successful = module->isSlotMarkedSuccessful(current_slot); + LOG(INFO) << "Booting slot " << current_slot << ": isSlotMarkedSuccessful=" + << static_cast<int32_t>(is_successful); - unsigned current_slot = module->getCurrentSlot(module); - int is_successful= module->isSlotMarkedSuccessful(module, current_slot); - SLOGI("Booting slot %u: isSlotMarkedSuccessful=%d\n", current_slot, is_successful); - if (is_successful == 0) { + if (is_successful == BoolResult::FALSE) { // The current slot has not booted successfully. - char verity_mode[PROPERTY_VALUE_MAX]; - if (property_get("ro.boot.veritymode", verity_mode, "") == -1) { - SLOGE("Failed to get dm-verity mode"); - return -1; - } else if (strcasecmp(verity_mode, "eio") == 0) { - // We shouldn't see verity in EIO mode if the current slot hasn't booted - // successfully before. Therefore, fail the verification when veritymode=eio. - SLOGE("Found dm-verity in EIO mode, skip verification."); - return -1; - } else if (strcmp(verity_mode, "enforcing") != 0) { - SLOGE("Unexpected dm-verity mode : %s, expecting enforcing.", verity_mode); - return -1; - } else if (!verify_image(CARE_MAP_FILE)) { - SLOGE("Failed to verify all blocks in care map file.\n"); - return -1; + +#ifdef PRODUCT_SUPPORTS_VERITY + std::string verity_mode = android::base::GetProperty("ro.boot.veritymode", ""); + if (verity_mode.empty()) { + LOG(ERROR) << "Failed to get dm-verity mode."; + return reboot_device(); + } else if (android::base::EqualsIgnoreCase(verity_mode, "eio")) { + // We shouldn't see verity in EIO mode if the current slot hasn't booted successfully before. + // Continue the verification until we fail to read some blocks. + LOG(WARNING) << "Found dm-verity in EIO mode."; + } else if (verity_mode != "enforcing") { + LOG(ERROR) << "Unexpected dm-verity mode : " << verity_mode << ", expecting enforcing."; + return reboot_device(); + } + + if (!verify_image(CARE_MAP_FILE)) { + LOG(ERROR) << "Failed to verify all blocks in care map file."; + return reboot_device(); } +#else + LOG(WARNING) << "dm-verity not enabled; marking without verification."; +#endif - int ret = module->markBootSuccessful(module); - if (ret != 0) { - SLOGE("Error marking booted successfully: %s\n", strerror(-ret)); - return -1; + CommandResult cr; + module->markBootSuccessful([&cr](CommandResult result) { cr = result; }); + if (!cr.success) { + LOG(ERROR) << "Error marking booted successfully: " << cr.errMsg; + return reboot_device(); } - SLOGI("Marked slot %u as booted successfully.\n", current_slot); + LOG(INFO) << "Marked slot " << current_slot << " as booted successfully."; } - SLOGI("Leaving update_verifier.\n"); + LOG(INFO) << "Leaving update_verifier."; return 0; } diff --git a/update_verifier/update_verifier.rc b/update_verifier/update_verifier.rc new file mode 100644 index 000000000..862b06257 --- /dev/null +++ b/update_verifier/update_verifier.rc @@ -0,0 +1,11 @@ +service update_verifier_nonencrypted /system/bin/update_verifier nonencrypted + user root + group cache system + priority -20 + ioprio rt 0 + +service update_verifier /system/bin/update_verifier ${vold.decrypt} + user root + group cache system + priority -20 + ioprio rt 0 |