tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Support booting a chained boot-debug.img

Browse source 
boot-debug.img is introduced to allow 'adb root' if the device is
unlocked, and it cannot be release signed. If /boot partition is chained
in AVB signing and boot-debug.img is used, avb_slot_verify() in
userspace will return AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED
and fs_mgr will refuse to boot. This CL treats the public key rejection
as non-fatal for chained vbmeta to continue booting, if the device is
unlocked.

Bug: 129508966
Test: can root with user load which /boot chained in AVB signing
Change-Id: Idfa8caffbb96f33702b1749afd2e2a59616ddba7
This commit is contained in:
Iris Chang 2019-05-06 15:20:16 +08:00 committed by Bowgo Tsai
parent fc78be2935
commit 705fd7f52c
1 changed files with 16 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
fs_mgr/libfs_avb/fs_avb.cpp
View file

@ -338,6 +338,7 @@ AvbUniquePtr AvbHandle::LoadAndVerifyVbmeta() {
nullptr /* custom_device_path */);
}
// TODO(b/128807537): removes this function.
AvbUniquePtr AvbHandle::Open() {
bool is_device_unlocked = IsDeviceUnlocked();
@ -353,25 +354,28 @@ AvbUniquePtr AvbHandle::Open() {
AvbSlotVerifyResult verify_result =
avb_ops.AvbSlotVerify(fs_mgr_get_slot_suffix(), flags, &avb_handle->vbmeta_images_);
// Only allow two verify results:
// Only allow the following verify results:
// - AVB_SLOT_VERIFY_RESULT_OK.
// - AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION (for UNLOCKED state).
// If the device is UNLOCKED, i.e., |allow_verification_error| is true for
// AvbSlotVerify(), then the following return values are all non-fatal:
// * AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION
// * AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED
// * AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX
// The latter two results were checked by bootloader prior to start fs_mgr so
// we just need to handle the first result here. See *dummy* operations in
// FsManagerAvbOps and the comments in external/avb/libavb/avb_slot_verify.h
// for more details.
// - AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION (UNLOCKED only).
// Might occur in either the top-level vbmeta or a chained vbmeta.
// - AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED (UNLOCKED only).
// Could only occur in a chained vbmeta. Because we have *dummy* operations in
// FsManagerAvbOps such that avb_ops->validate_vbmeta_public_key() used to validate
// the public key of the top-level vbmeta always pass in userspace here.
//
// The following verify result won't happen, because the *dummy* operation
// avb_ops->read_rollback_index() always returns the minimum value zero. So rollbacked
// vbmeta images, which should be caught in the bootloader stage, won't be detected here.
// - AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX
switch (verify_result) {
case AVB_SLOT_VERIFY_RESULT_OK:
avb_handle->status_ = AvbHandleStatus::kSuccess;
break;
case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION:
case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED:
if (!is_device_unlocked) {
LERROR << "ERROR_VERIFICATION isn't allowed when the device is LOCKED";
LERROR << "ERROR_VERIFICATION / PUBLIC_KEY_REJECTED isn't allowed "
<< "if the device is LOCKED";
return nullptr;
}
avb_handle->status_ = AvbHandleStatus::kVerificationError;