Gitiles
Code Review Sign In
review.blissroms.org / platform_system_core / 206c5bf4a9d7727523b8b1b98239491a54963d1e
commit206c5bf4a9d7727523b8b1b98239491a54963d1e[log] [tgz]
authorDanny Lin <danny@kdrag0n.dev>Tue Oct 05 19:06:04 2021 -0700
committerAyan Mukherjee <mukherjeeayan725@gmail.com>Fri Dec 17 00:24:42 2021 -0500
treed0b73c4bb62c74008e18fb93a3d789aec7e774e8
parent47c213c4ae4d045b577c2f198cbecae4e5680a24 [diff]
libfs_avb: Disable dm-verity when AVB is permissive

When the bootloader is unlocked (i.e. AVB is permissive), enforcing
dm-verity on system partitions is meaningless because the bootloader
doesn't enforce verification on the root of the high-level verified boot
chain: the kernel. As a result, mounting system partitions with
dm-verity (hashtree verification) is futile when the code performing
verification has not been verified in the first place; users can also
disable dm-verity manually by flashing vbmeta with `fastboot flash
--disable-verity vbmeta vbmeta.img`.

For user and developer convenience, disable dm-verity automatically when
the bootloader is unlocked by checking for permissive AVB. This makes it
possible to ship enforcing vbmeta images for security-conscious users to
lock their bootloader and reap the benefits of verified boot, while
still allowing users with unlocked bootloaders to modify system
partitions.

Change-Id: Ie88362cfbda75561ef450e00fdc82ade221facb5
Signed-off-by: rezaadi0105 <rezaadipangestu5@gmail.com>
1 file changed
tree: d0b73c4bb62c74008e18fb93a3d789aec7e774e8
  1. bootstat/
  2. cli-test/
  3. code_coverage/
  4. debuggerd/
  5. diagnose_usb/
  6. fastboot/
  7. fs_mgr/
  8. gatekeeperd/
  9. healthd/
  10. include/
  11. init/
  12. janitors/
  13. libappfuse/
  14. libasyncio/
  15. libbinderwrapper/
  16. libcrypto_utils/
  17. libcutils/
  18. libdiskconfig/
  19. libgrallocusage/
  20. libkeyutils/
  21. libmodprobe/
  22. libnetutils/
  23. libpackagelistparser/
  24. libprocessgroup/
  25. libqtaguid/
  26. libsparse/
  27. libstats/
  28. libsuspend/
  29. libsync/
  30. libsystem/
  31. libsysutils/
  32. libusbhost/
  33. libutils/
  34. libvndksupport/
  35. llkd/
  36. mini_keyctl/
  37. mkbootfs/
  38. property_service/
  39. reboot/
  40. rootdir/
  41. run-as/
  42. sdcard/
  43. set-verity-state/
  44. shell_and_utilities/
  45. storaged/
  46. toolbox/
  47. trusty/
  48. usbd/
  49. watchdogd/
  50. .clang-format.clang-format-4
  51. .clang-format-2 ⇨ ../../build/soong/scripts/system-clang-format-2
  52. .clang-format-4 ⇨ ../../build/soong/scripts/system-clang-format
  53. .gitignore
  54. CleanSpec.mk
  55. METADATA
  56. MODULE_LICENSE_APACHE2
  57. OWNERS
  58. PREUPLOAD.cfg
  59. TEST_MAPPING