fs_mgr_verity: allow verification error when the device is unlocked

On an A/B device, the image combination in VTS is:
- system.img (userdebug): provided by Google (system as root)
- vendor.img (user): provided by the OEM

The generic system.img provided by Google doesn't have /verity_key.
So verified boot will fail when it tries to verify the signature of
vendor.img. This CL allows signature verification error (including
no verity_key) when the device is unlocked.

This CL also changes the return value to FS_MGR_SETUP_VERITY_SKIPPED when
signature verification failed in logging mode. Otherwise, first stage
mount will fail because it assumes verity device initialization should be
successful when receiving FS_MGR_SETUP_VERITY_SUCCESS.

Bug: 63821912
Test: boot generic system.img on an A/B device
Change-Id: I33e5ef753913ae9f0c8b02c518ae94d4c8505611
diff --git a/fs_mgr/fs_mgr_verity.cpp b/fs_mgr/fs_mgr_verity.cpp
index 5de0903..7f8e1e2 100644
--- a/fs_mgr/fs_mgr_verity.cpp
+++ b/fs_mgr/fs_mgr_verity.cpp
@@ -841,9 +841,15 @@
// verify the signature on the table
if (verify_verity_signature(verity) < 0) {
+ // Allow signature verification error when the device is unlocked
+ if (fs_mgr_is_device_unlocked()) {
+ retval = FS_MGR_SETUP_VERITY_SKIPPED;
+ LWARNING << "Allow signature verification error when the device is unlocked";
+ goto out;
+ }
if (params.mode == VERITY_MODE_LOGGING) {
// the user has been warned, allow mounting without dm-verity
- retval = FS_MGR_SETUP_VERITY_SUCCESS;
+ retval = FS_MGR_SETUP_VERITY_SKIPPED;
goto out;
}
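Review bot: The new fs_mgr_is_device_unlocked() branch at the top of the verify_verity_signature() failure path returns FS_MGR_SETUP_VERITY_SKIPPED for every kind of signature failure, not only the missing /verity_key case the commit message describes, and the only trace is a generic LWARNING that does not say which partition was affected. Consider naming the partition in that warning so the skip is attributable in boot logs, and extend the comment to state that this branch intentionally takes precedence over the params.mode == VERITY_MODE_LOGGING check below it. The change from FS_MGR_SETUP_VERITY_SUCCESS to FS_MGR_SETUP_VERITY_SKIPPED in the logging-mode branch alters the result seen by every caller, so it is worth confirming that callers other than first stage mount handle SKIPPED as intended; that branch also still exits without logging anything, which makes the two skip paths hard to tell apart afterwards.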