DO NOT MERGE Start update_verifier early in late-fs.
We used to start update_verifier after mounting userdata (post-fs-data), as part of zygote-start. This leads to issues in practice for security updates, where an A/B device falls back into the old slot (for any reason, unrelated to this change) but fails to boot due to the upgraded key blob. It essentially breaks the fallback capability offered by A/B OTA.

This CL mitigates the issue by starting update_verifier early, before mounting userdata. This prevents the device from falling back to the old slot with an already-upgraded key blob. update_verifier loses the opportunity to verify _all_ the updated blocks based on the info that's stored in userdata. Instead it will only trigger the minimal read to finish the work of marking a successful boot. This is a trade-off in P to avoid putting the device in a bad state after fallback, which will be improved in Q by better handling the fallback path in vold.

Bug: 131176531
Test: Flash and boot crosshatch. Check the start of update_verifier and that it marks a successful boot.
Change-Id: I3f4c4333ff38772a9a93c9d027d497db11de1d63
This commit is contained in:
parent 6f2198b33c
commit 79cfc7d5a8
1 changed file with 4 additions and 10 deletions
@ -381,6 +381,10 @@ on late-fs
# HALs required before storage encryption can get unlocked (FBE/FDE)
class_start early_hal
# Check and mark a successful boot, before mounting userdata with mount_all.
# No-op for non-A/B device.
exec_start update_verifier_nonencrypted
on post-fs-data
# We chown/chmod /data again so because mount is run as root + defaults
chown system system /data
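Review bot: `exec_start update_verifier_nonencrypted` in `on late-fs` is a blocking call, so init will not reach `mount_all` for userdata until the verifier exits, and because it now runs immediately after `class_start early_hal` it also depends on the boot-control HAL being in class `early_hal` (or otherwise already running), which this hunk does not show. Both points are worth confirming, and the added comment should state that at this stage the verifier only performs the minimal read needed to mark the slot (the care map in /data is not mounted yet), with a pointer to bug 131176531 for the planned Q follow-up, so a later reader does not assume full block verification still happens here.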
@ -558,22 +562,16 @@ on post-fs-data
# It is recommended to put unnecessary data/ initialization from post-fs-data
# to start-zygote in device's init.rc to unblock zygote start.
on zygote-start && property:ro.crypto.state=unencrypted
# A/B update verifier that marks a successful boot.
exec_start update_verifier_nonencrypted
start netd
start zygote
start zygote_secondary
on zygote-start && property:ro.crypto.state=unsupported
# A/B update verifier that marks a successful boot.
exec_start update_verifier_nonencrypted
start netd
start zygote
start zygote_secondary
on zygote-start && property:ro.crypto.state=encrypted && property:ro.crypto.type=file
# A/B update verifier that marks a successful boot.
exec_start update_verifier_nonencrypted
start netd
start zygote
start zygote_secondary
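Review bot: dropping `exec_start update_verifier_nonencrypted` from all three `on zygote-start && property:ro.crypto.state=...` stanzas leaves their bodies identical (`start netd`, `start zygote`, `start zygote_secondary`), so a follow-up could collapse them into one; more importantly, the `unsupported` and `encrypted && ro.crypto.type=file` paths now rely entirely on the single call in `late-fs`, so the test line should cover an FBE device as well, not only the crosshatch boot mentioned in the message.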
@ -700,15 +698,11 @@ on property:vold.decrypt=trigger_post_fs_data
trigger zygote-start
on property:vold.decrypt=trigger_restart_min_framework
# A/B update verifier that marks a successful boot.
exec_start update_verifier
class_start main
on property:vold.decrypt=trigger_restart_framework
stop surfaceflinger
start surfaceflinger
# A/B update verifier that marks a successful boot.
exec_start update_verifier
class_start main
class_start late_start
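Review bot: with `exec_start update_verifier` removed from both `vold.decrypt=trigger_restart_min_framework` and `vold.decrypt=trigger_restart_framework`, nothing in this file starts the `update_verifier` service (as opposed to `update_verifier_nonencrypted`) any more; if its service definition still exists elsewhere it becomes dead config, so either retire it in the same change or say why it stays. It also means that on an FDE device the successful-boot mark now happens in `late-fs`, before the user has unlocked /data, which is exactly the reduced check the message describes and deserves a comment near the `late-fs` call so the FDE behaviour is not lost on readers of this section.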