Skip enabling dm-verity for live GSI when needed
Currently the dm-verity for live GSI is always enabled, even if the
disable bit in the top-level /vbmeta is set. We should skip setting up
dm-verity on live system.img when adb disable-verity is ever set.
Bug: 124291583
Test: adb disable-verity, then boot live GSI
Test: fastboot flash --disable-verification vbmeta vbmeta.img,
then boot live GSI
Change-Id: Id52d20d0b2e56dfa7de8f866dcc989b82a96c879
diff --git a/init/first_stage_mount.cpp b/init/first_stage_mount.cpp
index 1b077bc..898e28e 100644
--- a/init/first_stage_mount.cpp
+++ b/init/first_stage_mount.cpp
@@ -47,6 +47,7 @@
using android::base::Split;
using android::base::Timer;
using android::fs_mgr::AvbHandle;
+using android::fs_mgr::AvbHandleStatus;
using android::fs_mgr::AvbHashtreeResult;
using android::fs_mgr::AvbUniquePtr;
using android::fs_mgr::BuildGsiSystemFstabEntry;
@@ -737,8 +738,17 @@
hashtree_result =
avb_handle_->SetUpAvbHashtree(fstab_entry, false /* wait_for_verity_dev */);
} else if (!fstab_entry->avb_key.empty()) {
- hashtree_result =
- AvbHandle::SetUpStandaloneAvbHashtree(fstab_entry, false /* wait_for_verity_dev */);
+ if (!InitAvbHandle()) return false;
+ // Checks if hashtree should be disabled from the top-level /vbmeta.
+ if (avb_handle_->status() == AvbHandleStatus::kHashtreeDisabled ||
+ avb_handle_->status() == AvbHandleStatus::kVerificationDisabled) {
+ LOG(ERROR) << "Top-level vbmeta is disabled, skip Hashtree setup for "
+ << fstab_entry->mount_point;
+ return true; // Returns true to mount the partition directly.
+ } else {
+ hashtree_result = AvbHandle::SetUpStandaloneAvbHashtree(
+ fstab_entry, false /* wait_for_verity_dev */);
+ }
} else {
return true; // No need AVB, returns true to mount the partition directly.
}
@@ -754,8 +764,6 @@
default:
return false;
}
-
- return true; // Returns true to mount the partition.
}
bool FirstStageMountVBootV2::InitAvbHandle() {