commit 97d3fc9c98f69171118cc0ed67b95721402c2646
author Bowgo Tsai <bowgotsai@google.com> Mon Jan 28 21:50:06 2019 +0800
committer Bowgo Tsai <bowgotsai@google.com> Thu Jan 31 07:06:14 2019 +0800
tree b7a43f60c73f26219dba98f93515479f8bce6add
parent 14adfd6b7bdfb851b359d46f698d7c5798c2cfde

Enable AVB for dynamic GSI (f.k.a. Live Image)

Bug: 117960205
Test: Use the dynamic Android to start GSI, checks verity is enabled.
Change-Id: I93b321808ba278b162fec5e231bff7229cac3937

fs_mgr/fs_mgr_fstab.cpp

diff --git a/fs_mgr/fs_mgr_fstab.cpp b/fs_mgr/fs_mgr_fstab.cpp
index 146e82f..de3aac1 100644
--- a/fs_mgr/fs_mgr_fstab.cpp
+++ b/fs_mgr/fs_mgr_fstab.cpp
@@ -979,12 +979,15 @@
 }
 
 FstabEntry BuildGsiSystemFstabEntry() {
+    // .logical_partition_name is required to look up AVB Hashtree descriptors.
     FstabEntry system = {
             .blk_device = "system_gsi",
             .mount_point = "/system",
             .fs_type = "ext4",
             .flags = MS_RDONLY,
             .fs_options = "barrier=1",
+            .avb_key = "/gsi.avbpubkey",
+            .logical_partition_name = "system"
     };
     system.fs_mgr_flags.wait = true;
     system.fs_mgr_flags.logical = true;

fs_mgr/libfs_avb/fs_avb.cpp

diff --git a/fs_mgr/libfs_avb/fs_avb.cpp b/fs_mgr/libfs_avb/fs_avb.cpp
index 773baf4..a1ae4e7 100644
--- a/fs_mgr/libfs_avb/fs_avb.cpp
+++ b/fs_mgr/libfs_avb/fs_avb.cpp
@@ -383,7 +383,8 @@
     return avb_handle;
 }
 
-AvbHashtreeResult AvbHandle::SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry) {
+AvbHashtreeResult AvbHandle::SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry,
+                                                        bool wait_for_verity_dev) {
     if (fstab_entry->avb_key.empty()) {
         LERROR << "avb_key=/path/to/key is missing for " << fstab_entry->mount_point;
         return AvbHashtreeResult::kFail;
@@ -400,7 +401,7 @@
                    << " for mount point: " << fstab_entry->mount_point;
             return AvbHashtreeResult::kFail;
         }
-        // Use empty key blob, which means no expectation, if allow verification error.
+        LWARNING << "Allowing no expected key blob when verification error is permitted";
         expected_key_blob.clear();
     }
 
@@ -423,7 +424,7 @@
     // Puts the vbmeta into a vector, for LoadAvbHashtreeToEnableVerity() to use.
     std::vector<VBMetaData> vbmeta_images;
     vbmeta_images.emplace_back(std::move(*vbmeta));
-    if (!LoadAvbHashtreeToEnableVerity(fstab_entry, true /* wait_for_verity_dev */, vbmeta_images,
+    if (!LoadAvbHashtreeToEnableVerity(fstab_entry, wait_for_verity_dev, vbmeta_images,
                                        fs_mgr_get_slot_suffix(), fs_mgr_get_other_slot_suffix())) {
         return AvbHashtreeResult::kFail;
     }

fs_mgr/libfs_avb/include/fs_avb/fs_avb.h

diff --git a/fs_mgr/libfs_avb/include/fs_avb/fs_avb.h b/fs_mgr/libfs_avb/include/fs_avb/fs_avb.h
index 55a320e..d4e3a6e 100644
--- a/fs_mgr/libfs_avb/include/fs_avb/fs_avb.h
+++ b/fs_mgr/libfs_avb/include/fs_avb/fs_avb.h
@@ -169,7 +169,8 @@
     AvbHashtreeResult SetUpAvbHashtree(FstabEntry* fstab_entry, bool wait_for_verity_dev);
 
     // Similar to above, but loads the offline vbmeta from the end of fstab_entry->blk_device.
-    static AvbHashtreeResult SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry);
+    static AvbHashtreeResult SetUpStandaloneAvbHashtree(FstabEntry* fstab_entry,
+                                                        bool wait_for_verity_dev = true);
 
     const std::string& avb_version() const { return avb_version_; }
     const VBMetaInfo& vbmeta_info() const { return vbmeta_info_; }

init/first_stage_mount.cpp

diff --git a/init/first_stage_mount.cpp b/init/first_stage_mount.cpp
index 153b857..3a4dc6a 100644
--- a/init/first_stage_mount.cpp
+++ b/init/first_stage_mount.cpp
@@ -683,22 +683,31 @@
 }
 
 bool FirstStageMountVBootV2::SetUpDmVerity(FstabEntry* fstab_entry) {
+    AvbHashtreeResult hashtree_result;
+
     if (fstab_entry->fs_mgr_flags.avb) {
         if (!InitAvbHandle()) return false;
-        AvbHashtreeResult hashtree_result =
+        hashtree_result =
                 avb_handle_->SetUpAvbHashtree(fstab_entry, false /* wait_for_verity_dev */);
-        switch (hashtree_result) {
-            case AvbHashtreeResult::kDisabled:
-                return true;  // Returns true to mount the partition.
-            case AvbHashtreeResult::kSuccess:
-                // The exact block device name (fstab_rec->blk_device) is changed to
-                // "/dev/block/dm-XX". Needs to create it because ueventd isn't started in init
-                // first stage.
-                return InitMappedDevice(fstab_entry->blk_device);
-            default:
-                return false;
-        }
+    } else if (!fstab_entry->avb_key.empty()) {
+        hashtree_result =
+                AvbHandle::SetUpStandaloneAvbHashtree(fstab_entry, false /* wait_for_verity_dev */);
+    } else {
+        return true;  // No need AVB, returns true to mount the partition directly.
     }
+
+    switch (hashtree_result) {
+        case AvbHashtreeResult::kDisabled:
+            return true;  // Returns true to mount the partition.
+        case AvbHashtreeResult::kSuccess:
+            // The exact block device name (fstab_rec->blk_device) is changed to
+            // "/dev/block/dm-XX". Needs to create it because ueventd isn't started in init
+            // first stage.
+            return InitMappedDevice(fstab_entry->blk_device);
+        default:
+            return false;
+    }
+
     return true;  // Returns true to mount the partition.
 }