fs_mgr: validate corrected signatures
If signature verification fails and we have an error corrected
signature available, attempt to verify that instead.
Needs changes from
Ie913c21ba1d07d6df4c6feeb7226b2ec963f4d19
Bug: 28943429
Change-Id: I7d48701916fe430b17aa05acb120f22a1802733d
(cherry picked from commit 830126637ae4e5198df075fba57c1e498624dab6)
diff --git a/fs_mgr/fs_mgr_verity.cpp b/fs_mgr/fs_mgr_verity.cpp
index aa32600..25b023e 100644
--- a/fs_mgr/fs_mgr_verity.cpp
+++ b/fs_mgr/fs_mgr_verity.cpp
@@ -142,6 +142,18 @@
return retval;
}
+static int verify_verity_signature(const struct fec_verity_metadata& verity)
+{
+ if (verify_table(verity.signature, sizeof(verity.signature),
+ verity.table, verity.table_length) == 0 ||
+ verify_table(verity.ecc_signature, sizeof(verity.ecc_signature),
+ verity.table, verity.table_length) == 0) {
+ return 0;
+ }
+
+ return -1;
+}
+
static int invalidate_table(char *table, size_t table_length)
{
size_t n = 0;
@@ -947,8 +959,7 @@
}
// verify the signature on the table
- if (verify_table(verity.signature, sizeof(verity.signature), params.table,
- verity.table_length) < 0) {
+ if (verify_verity_signature(verity) < 0) {
if (params.mode == VERITY_MODE_LOGGING) {
// the user has been warned, allow mounting without dm-verity
retval = FS_MGR_SETUP_VERITY_SUCCESS;