fs_mgr_avb: allow verification error when the device is unlocked
Current AVB flow in fs_mgr doesn't allow verification error even if the
device is unlocked. This makes first stage mount fail when the device
is flashed with a different-sized boot.img because there is verification
error (HASH_MISMATCH) for the boot partition.
Fix this by allowing verification error only when the device is
unlocked. Whether to enable dm-verity for HASHTREE partitions is still
controlled by the HASHTREE_DISABLED flag in the top-level vbmeta.
Bug: 37985430
Test: First stage mount /vendor with AVB on a device.
Check dm-verity is enabled on /vendor.
Test: Unlock device, flash a different-sized boot.img. Boot device and check
dm-verity is still enabled on /vendor.
Test: First stage mount /vendor with AVB on a device where HASHTREE_DISABLED
is set on the top-level vbmeta; check dm-verity is not enabled on /vendor.
Change-Id: I709431bc1c37e4f86133d171cee8e90621cdb857
Merged-In: I709431bc1c37e4f86133d171cee8e90621cdb857
(cherry picked from commit 11409548776bbbbd77c5a02f93394e43c140559c)
diff --git a/fs_mgr/fs_mgr_avb.cpp b/fs_mgr/fs_mgr_avb.cpp
index 83bf8a7..d4dd76a 100644
--- a/fs_mgr/fs_mgr_avb.cpp
+++ b/fs_mgr/fs_mgr_avb.cpp
@@ -483,13 +483,34 @@
// Only allow two verify results:
// - AVB_SLOT_VERIFY_RESULT_OK.
// - AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION (for UNLOCKED state).
- if (verify_result == AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION) {
- if (!avb_verifier->IsDeviceUnlocked()) {
- LERROR << "ERROR_VERIFICATION isn't allowed";
+ // If the device is UNLOCKED, i.e., |allow_verification_error| is true for
+ // AvbSlotVerify(), then the following return values are all non-fatal:
+ // * AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION
+ // * AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED
+ // * AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX
+ // The latter two results were checked by bootloader prior to start fs_mgr so
+ // we just need to handle the first result here. See *dummy* operations in
+ // FsManagerAvbOps and the comments in external/avb/libavb/avb_slot_verify.h
+ // for more details.
+ switch (verify_result) {
+ case AVB_SLOT_VERIFY_RESULT_OK:
+ avb_handle->status_ = kFsManagerAvbHandleSuccess;
+ break;
+ case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION:
+ if (!avb_verifier->IsDeviceUnlocked()) {
+ LERROR << "ERROR_VERIFICATION isn't allowed when the device is LOCKED";
+ return nullptr;
+ }
+ avb_handle->status_ = kFsManagerAvbHandleErrorVerification;
+ break;
+ default:
+ LERROR << "avb_slot_verify failed, result: " << verify_result;
return nullptr;
- }
- } else if (verify_result != AVB_SLOT_VERIFY_RESULT_OK) {
- LERROR << "avb_slot_verify failed, result: " << verify_result;
+ }
+
+ // Verifies vbmeta images against the digest passed from bootloader.
+ if (!avb_verifier->VerifyVbmetaImages(*avb_handle->avb_slot_data_)) {
+ LERROR << "VerifyVbmetaImages failed";
return nullptr;
}
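Review bot: The comment above the new `switch` says the PUBLIC_KEY_REJECTED and ROLLBACK_INDEX results "were checked by bootloader" and that only the first result needs handling here, yet the code (correctly) still rejects both through `default:`; the comment should say so, e.g. `// Any other result, including the two above, is rejected here regardless of lock state.`, so a later reader does not add them as tolerated cases on the strength of the comment alone. As a point of style, the `default:` branch logs `verify_result` as a raw integer, which forces whoever reads the boot log to decode the enum from the header; libavb's avb_slot_verify.h, which the comment already references, declares `avb_slot_verify_result_to_string()`, so `LERROR << "avb_slot_verify failed, result: " << avb_slot_verify_result_to_string(verify_result);` is a cheap readability win if the copy in external/avb provides it. The enclosing function starts before this hunk.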
@@ -497,30 +518,20 @@
avb_handle->avb_version_ =
android::base::StringPrintf("%d.%d", AVB_VERSION_MAJOR, AVB_VERSION_MINOR);
- // Verifies vbmeta images against the digest passed from bootloader.
- if (!avb_verifier->VerifyVbmetaImages(*avb_handle->avb_slot_data_)) {
- LERROR << "VerifyVbmetaImages failed";
- return nullptr;
- } else {
- // Checks whether FLAGS_HASHTREE_DISABLED is set.
- AvbVBMetaImageHeader vbmeta_header;
- avb_vbmeta_image_header_to_host_byte_order(
- (AvbVBMetaImageHeader*)avb_handle->avb_slot_data_->vbmeta_images[0].vbmeta_data,
- &vbmeta_header);
+ // Checks whether FLAGS_HASHTREE_DISABLED is set.
+ AvbVBMetaImageHeader vbmeta_header;
+ avb_vbmeta_image_header_to_host_byte_order(
+ (AvbVBMetaImageHeader*)avb_handle->avb_slot_data_->vbmeta_images[0].vbmeta_data,
+ &vbmeta_header);
- bool hashtree_disabled =
- ((AvbVBMetaImageFlags)vbmeta_header.flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED);
- if (hashtree_disabled) {
- avb_handle->status_ = kFsManagerAvbHandleHashtreeDisabled;
- return avb_handle;
- }
+ bool hashtree_disabled =
+ ((AvbVBMetaImageFlags)vbmeta_header.flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED);
+ if (hashtree_disabled) {
+ avb_handle->status_ = kFsManagerAvbHandleHashtreeDisabled;
}
- if (verify_result == AVB_SLOT_VERIFY_RESULT_OK) {
- avb_handle->status_ = kFsManagerAvbHandleSuccess;
- return avb_handle;
- }
- return nullptr;
+ LINFO << "Returning avb_handle with status: " << avb_handle->status_;
+ return avb_handle;
}
bool FsManagerAvbHandle::SetUpAvb(struct fstab_rec* fstab_entry, bool wait_for_verity_dev) {
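Review bot: The `if (hashtree_disabled)` block overwrites `avb_handle->status_`, so a handle tagged kFsManagerAvbHandleErrorVerification on an unlocked device comes back as kFsManagerAvbHandleHashtreeDisabled and the fact that vbmeta verification failed is no longer recoverable from the handle or from the final LINFO. That precedence matches the commit description (HASHTREE_DISABLED governs dm-verity independently of lock state), but it is not stated anywhere in the code; add above the block `// HASHTREE_DISABLED takes precedence over any earlier status (Success or ErrorVerification).` and log the prior status inside it, e.g. `LINFO << "HASHTREE_DISABLED set, previous status: " << avb_handle->status_;`, so the verification result survives in the boot log. The final LINFO also prints the enum as a bare integer, which is worth a short comment naming the header that defines the values.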
@@ -528,11 +539,12 @@
if (!avb_slot_data_ || avb_slot_data_->num_vbmeta_images < 1) {
return false;
}
+
+ if (status_ == kFsManagerAvbHandleUninitialized) return false;
if (status_ == kFsManagerAvbHandleHashtreeDisabled) {
LINFO << "AVB HASHTREE disabled on:" << fstab_entry->mount_point;
return true;
}
- if (status_ != kFsManagerAvbHandleSuccess) return false;
std::string partition_name(basename(fstab_entry->mount_point));
if (!avb_validate_utf8((const uint8_t*)partition_name.c_str(), partition_name.length())) {
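Review bot: The removed `if (status_ != kFsManagerAvbHandleSuccess) return false;` made SetUpAvb fail closed on any status it did not explicitly accept; the replacement `if (status_ == kFsManagerAvbHandleUninitialized) return false;` inverts that, so any status other than Uninitialized and HashtreeDisabled now proceeds to dm-verity setup, and a value added to FsManagerAvbHandleStatus later would be accepted silently. Keep the allow-list explicit, e.g. `if (status_ != kFsManagerAvbHandleSuccess && status_ != kFsManagerAvbHandleErrorVerification) {` / `    LERROR << "Unexpected AVB handle status: " << status_;` / `    return false; }`, which also gives the Uninitialized path the log line the other early returns have. SetUpAvb's body continues past the end of this hunk.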
diff --git a/fs_mgr/include/fs_mgr_avb.h b/fs_mgr/include/fs_mgr_avb.h
index a66ff42..65ff9941 100644
--- a/fs_mgr/include/fs_mgr_avb.h
+++ b/fs_mgr/include/fs_mgr_avb.h
@@ -25,9 +25,10 @@
#include "fs_mgr.h"
enum FsManagerAvbHandleStatus {
+ kFsManagerAvbHandleUninitialized = -1,
kFsManagerAvbHandleSuccess = 0,
kFsManagerAvbHandleHashtreeDisabled = 1,
- kFsManagerAvbHandleFail = 2,
+ kFsManagerAvbHandleErrorVerification = 2,
};
class FsManagerAvbHandle;
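Review bot: The enumerators of FsManagerAvbHandleStatus carry no documentation, and the new kFsManagerAvbHandleErrorVerification in particular has non-obvious semantics: it is only reachable when the device is UNLOCKED, and the handle still sets up dm-verity for it unless HASHTREE_DISABLED is set. Add a one-line comment per enumerator, e.g. `// Default before Open() completes; SetUpAvb() rejects this state.` on kFsManagerAvbHandleUninitialized and `// vbmeta verification failed but the device is UNLOCKED; dm-verity is still set up unless HASHTREE_DISABLED is set.` on kFsManagerAvbHandleErrorVerification, with a similar line for the other two. The rename reuses value 2 from the old kFsManagerAvbHandleFail, so any out-of-tree code that compared against that name now compiles against a value with different meaning; a short note in the commit description or a comment here would flag that, if such users exist.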
@@ -88,7 +89,7 @@
};
protected:
- FsManagerAvbHandle() : avb_slot_data_(nullptr), status_(kFsManagerAvbHandleFail) {}
+ FsManagerAvbHandle() : avb_slot_data_(nullptr), status_(kFsManagerAvbHandleUninitialized) {}
private:
AvbSlotVerifyData* avb_slot_data_;