adb: Allow disabling verity on eng builds when using AVB.
Unlike VB1.0, if a device is using AVB then dm-verity is used on any
build (userdebug, eng, etc.). Therefore, we should allow disabling
verity on any build (except USER), not just userdebug. This bug was
pointed out in https://android-review.googlesource.com/#/c/371372/
Bug: 34124301
Test: Manually tested on -eng build on device using AVB.
Change-Id: I314550c13d7458d5d1ef68eb06f98849e11fbe15
diff --git a/adb/set_verity_enable_state_service.cpp b/adb/set_verity_enable_state_service.cpp
index b2b1c18..253d14a 100644
--- a/adb/set_verity_enable_state_service.cpp
+++ b/adb/set_verity_enable_state_service.cpp
@@ -139,25 +139,36 @@
bool any_changed = false;
bool enable = (cookie != NULL);
- if (!kAllowDisableVerity) {
- WriteFdFmt(fd, "%s-verity only works for userdebug builds\n",
- enable ? "enable" : "disable");
+
+ // Figure out if we're using VB1.0 or VB2.0 (aka AVB) - by
+ // contract, androidboot.vbmeta.digest is set by the bootloader
+ // when using AVB).
+ bool using_avb = !android::base::GetProperty("ro.boot.vbmeta.digest", "").empty();
+
+ // If using AVB, dm-verity is used on any build so we want it to
+ // be possible to disable/enable on any build (except USER). For
+ // VB1.0 dm-verity is only enabled on certain builds.
+ if (!using_avb) {
+ if (!kAllowDisableVerity) {
+ WriteFdFmt(fd, "%s-verity only works for userdebug builds\n",
+ enable ? "enable" : "disable");
+ }
+
+ if (!android::base::GetBoolProperty("ro.secure", false)) {
+ WriteFdFmt(fd, "verity not enabled - ENG build\n");
+ return;
+ }
}
- if (!android::base::GetBoolProperty("ro.secure", false)) {
- WriteFdFmt(fd, "verity not enabled - ENG build\n");
- return;
- }
+ // Should never be possible to disable dm-verity on a USER build
+ // regardless of using AVB or VB1.0.
if (!__android_log_is_debuggable()) {
WriteFdFmt(fd, "verity cannot be disabled/enabled - USER build\n");
return;
}
- // Figure out if we're using VB1.0 or VB2.0 (aka AVB).
- std::string vbmeta_hash = android::base::GetProperty("ro.boot.vbmeta.digest", "");
- if (vbmeta_hash != "") {
- // Yep, the system is using AVB (by contract, androidboot.vbmeta.hash is
- // set by the bootloader when using AVB).
+ if (using_avb) {
+ // Yep, the system is using AVB.
AvbOps* ops = avb_ops_user_new();
if (ops == nullptr) {
WriteFdFmt(fd, "Error getting AVB ops\n");
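Review bot: The nested `if (!kAllowDisableVerity)` branch inside `if (!using_avb)` writes "only works for userdebug builds" and then falls through, so on VB1.0 that message refuses nothing and the real gates are the later `ro.secure` and `__android_log_is_debuggable()` checks. If the message is meant as a refusal, add `return;` after that `WriteFdFmt` call; otherwise add a comment saying it is advisory, so nobody reads it as an access check. With `using_avb` true the build-time constant is never consulted, so `__android_log_is_debuggable()` appears to be the only barrier left on USER builds, and the comment above it could say so: `// Sole gate when using_avb is true: kAllowDisableVerity and ro.secure are not checked on that path.` The new comment block also has an unmatched `)` after "when using AVB". The enclosing function starts and ends outside the hunk, so any earlier checks are not visible here.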