Commit graph

219 commits

Author SHA1 Message Date
Sami Tolvanen
907ec7daa7 Merge "fs_mgr: support upstream dm-verity without error correction" 2015-12-10 20:13:02 +00:00
Sami Tolvanen
0d1214c68e Merge "Set up dm-verity in EIO mode instead of logging mode" 2015-12-10 20:12:49 +00:00
Sami Tolvanen
ff980d22d1 fs_mgr: support upstream dm-verity without error correction
Set up dm-verity even if kernel configuration doesn't have
CONFIG_DM_VERITY_FEC set. Fall back to the always safe EIO
mode if dm-verity doesn't support feature arguments.

Bug: 21893453
Change-Id: I4812bd74801c0abc8da479230f48b752858f9cd8
2015-12-10 01:01:29 +00:00
Elliott Hughes
4f71319df0 Track rename of base/ to android-base/.
Change-Id: Idf9444fece4aa89c93e15640de59a91f6e758ccf
2015-12-04 22:00:26 -08:00
Sami Tolvanen
90f52df257 Set up dm-verity in EIO mode instead of logging mode
If the device is corrupted, set up dm-verity in EIO mode instead of
logging mode. This prevents corrupted blocks from being returned to
user space. Note that restart mode is used by default and a warning
will be displayed to the user after corruption is first detected.

Bug: 19277516
Change-Id: I38966d73eb814836bc34b4bad1192583e5010b36
2015-12-02 14:38:01 +00:00
Sami Tolvanen
25b230c62c fs_mgr: set partition.*.verified property even without state
Set properties on verity_update_state even if verity state management
is not used.

Bug: 24865045
Change-Id: Ic68a9e1a230c959eeb2a769260ff7d8e100cb1e1
(cherry picked from 0eb0516665678aec7712d88b51c96aaf8b312060)
2015-10-30 13:14:38 +00:00
Sami Tolvanen
99e3a927e8 Error correction: Use libfec in fs_mgr
Use libfec to read and parse verity metadata to protect against data
corruption.

Bug: 21893453
Change-Id: I3a3543e0d999316707302b3be8735a7133d22946
2015-10-14 22:12:04 +01:00
Sami Tolvanen
0923453462 Revert "Error correction: Use libfec in fs_mgr"
This reverts commit 3de3a0f351.

Change-Id: I1f121cbc4431b8d8ff146eab29832a8dda1eb8ba
2015-10-14 19:46:16 +00:00
Sami Tolvanen
3de3a0f351 Error correction: Use libfec in fs_mgr
Use libfec to read and parse verity metadata to protect against data
corruption.

Bug: 21893453
Change-Id: Ieee6a1441e2f68148ba635235216e36c69b13db1
2015-10-13 15:53:25 +01:00
Johan Redestig
67b3cad9a0 Switch to android::base::ReadFully
The if (read(...size) != size) pattern is unreliable, switch
to the android base ReadFully which wraps read in a loop.

Change-Id: I2324e4c45da3c9b53b18df6eb09ce69a6604b5d1
2015-10-13 14:49:38 +00:00
Elliott Hughes
246c18caf5 Switch fs_mgr_verity.c to C++.
This is the minimal change just to keep it building, and doesn't
attempt to clean up any of the code.

Change-Id: I975710322ae33d8946497df25bf85b2fe28976a4
2015-10-09 11:52:00 -07:00
Sami Tolvanen
049399e570 am ad2a5a89: Merge "fs_mgr: trigger dm-verity error handling for invalid signatures"
* commit 'ad2a5a89a680804b927fc123e952c5bb5e75b9c8':
  fs_mgr: trigger dm-verity error handling for invalid signatures
2015-09-30 20:04:51 +00:00
Sami Tolvanen
1ada14904d fs_mgr: trigger dm-verity error handling for invalid signatures
Currently, the device doesn't mount verified partitions if the
verity table signature is invalid, which usually means it fails to
boot. This change instead sets up dm-verity with an invalid root
hash and triggers device-specific error handling to recover from
the corruption.

Bug: 24256506
Change-Id: I6d693306fa0e7459c5500b028e433df61ecea6fb
(cherry picked from commit 47caa5c386)
2015-09-25 15:01:33 +01:00
David Zeuthen
77557e9091 am d906b297: Merge "fs_mgr: Error out if unable to determine slot_suffix"
* commit 'd906b2973b9f708b34d4df90a2496753f83199ec':
  fs_mgr: Error out if unable to determine slot_suffix
2015-09-14 15:39:49 +00:00
David Zeuthen
d906b2973b Merge "fs_mgr: Error out if unable to determine slot_suffix" 2015-09-14 15:33:35 +00:00
David Zeuthen
bd0231c96b fs_mgr: Error out if unable to determine slot_suffix
Instead of falling back to suffix _a, we now error out if neither the
kernel commandline nor the misc partition specifies the suffix. It's
cleaner this way.

Change-Id: I3f58928a664433504ebdf8d0ee05a319be5097cf
2015-09-11 12:53:18 -04:00
David Zeuthen
80364b94bc am 6ca11db7: Merge "fs_mgr: Fix ENOMEM behavior when dealing with slotselect."
* commit '6ca11db7b7dc5e141c767b38328c3838a3b90b60':
  fs_mgr: Fix ENOMEM behavior when dealing with slotselect.
2015-09-09 22:52:32 +00:00
David Zeuthen
744a8f87d9 fs_mgr: Fix ENOMEM behavior when dealing with slotselect.
Change-Id: I5460a8d31baa0d4817ff5fcbd9aac272071937f4
2015-09-09 18:03:13 -04:00
David Zeuthen
1c7060e055 resolved conflicts for d8eed7ff to stage-aosp-master
Change-Id: I7fb3ddc07d798f0f98075b9fab0bb88c88249455
2015-09-09 12:40:16 -04:00
David Zeuthen
227ef3c5d2 fs_mgr: Use slot_suffix field from bootloader_message.
This will make fs_mgr look in the misc partition for the A/B suffix to
use if one or more fstab entries is using the slotselect option and the
bootloader doesn't specify the suffix.

Change-Id: I24233195f60dd352bf8e7ac32b0d95dcd3323156
2015-09-08 15:54:32 -04:00
Daniel Rosenberg
eb65ce0a24 resolved conflicts for merge of 7c4ed6af to stage-aosp-master
Change-Id: I52d0f66a6ad329daf19267be817c5a6d7118e7c4
2015-09-01 12:47:48 -07:00
Daniel Rosenberg
7c4ed6af79 Merge "fs_mgr: Add support for A/B partitions" 2015-09-01 19:24:09 +00:00
Daniel Rosenberg
8bb2f36abd fs_mgr: Add support for A/B partitions
Allow partitions to be marked as A/B partitions
using the slotselect flag in fstab. The partitions
can be identified by appending the correct suffix
to the block device listed in the fstab. The suffix
is provided by the bootloader through a command line
parameter or the device tree, and can be found in
ro.boot.slot_suffix or read from the boot_control HAL.

Change-Id: I6846d80e857f95bfb8f282f4ab81167394613bbe
Signed-off-by: Daniel Rosenberg <drosen@google.com>
2015-08-31 15:18:05 -07:00
Yusuke Sato
2ef82cffad am d1b11a04: am e656be33: Merge "Add |opts| argument to android_fork_execvp_ext"
* commit 'd1b11a04903be74ba6a47307d8c3ef2731e3f4ab':
  Add |opts| argument to android_fork_execvp_ext
2015-08-19 22:31:08 +00:00
Yusuke Sato
d81c3c6c45 Add |opts| argument to android_fork_execvp_ext
to allow the caller to send data to the child's stdin.

Bug: 21725996
Change-Id: I818f5cf61045286c8d64a91b6d50f05740329be1
2015-08-19 11:00:37 -07:00
Daniel Rosenberg
88f82b6650 am 39087653: am 13d62278: Merge "Skip mounting /, just mark block device as ro if needed."
* commit '390876539ec12115268710762d86d8c4c5738c25':
  Skip mounting /, just mark block device as ro if needed.
2015-08-04 01:07:07 +00:00
Daniel Rosenberg
31a4fafc15 Skip mounting /, just mark block device as ro if needed.
Change-Id: I7fbb636d296abc1caab6c7bf88017684c9df7759
2015-08-04 00:47:04 +00:00
Yusuke Sato
7c842b57fe am ab64465d: am 0e3ce82b: Merge "Use fsck.f2fs -a instead of -f for faster boot"
* commit 'ab64465d1f16f414c0bde5e3c4707c32b8220bbc':
  Use fsck.f2fs -a instead of -f for faster boot
2015-07-21 18:25:57 +00:00
Yusuke Sato
0e3ce82b94 Merge "Use fsck.f2fs -a instead of -f for faster boot" 2015-07-21 16:06:40 +00:00
Sami Tolvanen
5f2b3b4be8 am 6c3b205c: am 759717ee: Merge "Update partition.*.verified even with ro.boot.veritymode set"
* commit '6c3b205c408f92101ddfa053cb134371e951a9a7':
  Update partition.*.verified even with ro.boot.veritymode set
2015-07-15 21:27:38 +00:00
Yusuke Sato
0df08271fb Use fsck.f2fs -a instead of -f for faster boot
and run fsck with -f on clean shutdown instead.

With -f, fsck.f2fs always performs a full scan of the /data
partition regardless of whether the partition is clean or not.
The full scan takes more than 2 seconds on volantis-userdebug
and delays the OS boot.

With -a, the command does almost nothing when the partition
is clean and finishes within 20-30ms on volantis-userdebug.
When the partition has an error or its check point has
CP_FSCK_FLAG (aka "need_fsck"), the command does exactly the
same full scan as -f to fix it.

Bug: 21853106
Change-Id: I126263caf34c0f5bb8f5e6794454d4e72526ce38
2015-07-15 10:13:51 -07:00
Sami Tolvanen
2f42554f18 Update partition.*.verified even with ro.boot.veritymode set
We need to have partition.*.verified properties even when bootloader
is managing dm-verity mode, because we may have failed to set up the
verified partition and need a property to indicate this.

This means we still need to run fs_mgr_update_verity_state and walk
through all the partitions to verify the device mapper status, just
without updating verity mode.

Bug: 22489805
Change-Id: Iaf28185adb8b80e5452447e54e1f4e4417a34168
2015-07-15 09:11:13 +00:00
Thierry Strudel
a0fbb90885 am 8703bea1: Merge "fs_config: replace getenv('OUT') by new fs_config parameter" into mnc-dev
* commit '8703bea1807326fef9835bc474e7a7288c725925':
  fs_config: replace getenv('OUT') by new fs_config parameter
  fs_mgr: Use ro.boot.veritymode
2015-07-10 18:44:51 +00:00
Thierry Strudel
df33ffadd2 fs_config: replace getenv('OUT') by new fs_config parameter
Using a getenv('OUT') in such a deep down function is a wrong design
choice. Replacing with explicit parameter that may be NULL in case
device specific files can be accessed from /.
Since TARGET_COPY_OUT_SYSTEM may be defined to something different than
system we also ensure that we use a path relative to TARGET_OUT to
compute path to fs_config_* files.

Bug: 21989305
Bug: 22048934
Change-Id: Id91bc183b29beac7379d1117ad83bd3346e6897b
Signed-off-by: Thierry Strudel <tstrudel@google.com>
2015-07-09 21:47:07 -07:00
Sami Tolvanen
3fd58ae7e5 fs_mgr: Use ro.boot.veritymode
If verity state is managed by bootloader, it will pass the verity
mode to the kernel in the androidboot.veritymode command line
parameter. Init copies the value to the ro.boot.veritymode property.

Check for ro.boot.veritymode in fs_mgr and use the value to set
dm-verity mode. If this property is not set, store verity state in
metadata as before, if a storage location is specified in fstab.

Bug: 21605676
Change-Id: Ife3c978c133248432c302583d3b70e179605fe42
(cherry picked from commit ac5c1224cf)
2015-07-08 07:54:24 +00:00
Elliott Hughes
182e561932 am 450a24a5: am c604ccfa: Merge "Only pass nomblk_io_submit option when mounting ext4"
* commit '450a24a598b816b71dddde121460dc4fd3fdd3fd':
  Only pass nomblk_io_submit option when mounting ext4
2015-06-11 02:31:53 +00:00
Elliott Hughes
c604ccfadd Merge "Only pass nomblk_io_submit option when mounting ext4" 2015-06-11 01:22:57 +00:00
Sami Tolvanen
62481cf7d1 am ecad7587: am 4e359e1d: Merge "fs_mgr: Use ro.boot.veritymode"
* commit 'ecad7587ace0bb702b33fdc278d6705ff968aac8':
  fs_mgr: Use ro.boot.veritymode
2015-06-10 20:36:31 +00:00
Sami Tolvanen
ac5c1224cf fs_mgr: Use ro.boot.veritymode
If verity state is managed by bootloader, it will pass the verity
mode to the kernel in the androidboot.veritymode command line
parameter. Init copies the value to the ro.boot.veritymode property.

Check for ro.boot.veritymode in fs_mgr and use the value to set
dm-verity mode. If this property is not set, store verity state in
metadata as before, if a storage location is specified in fstab.

Change-Id: Ife3c978c133248432c302583d3b70e179605fe42
2015-06-10 17:40:29 +01:00
Oreste Salerno
6ed84c986f Only pass nomblk_io_submit option when mounting ext4
This option only exists for ext4 filesystems, so it shouldn't be
used when mounting ext2/ext3.
This bug would cause the mount system call in check_fs to always fail
with ext2/ext3 filesystems.

Change-Id: I3c8938029357a4a4170355118b6757f61ff4b227
2015-06-09 16:38:35 +00:00
Paul Lawrence
0a423d994a DO NOT MERGE Securely encrypt the master key
(cherry-picked from commit 806d10be23)

Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I6a8a18f43ae837e330e2785bd26c2c306ae1816b
2015-05-29 17:39:16 +00:00
Elliott Hughes
af02e2403a am 9fc83437: Don't use TEMP_FAILURE_RETRY on close in system/core.
* commit '9fc834377297cb2dcc418e4ce7e38e89dd09812b':
  Don't use TEMP_FAILURE_RETRY on close in system/core.
2015-05-27 20:51:25 +00:00
Elliott Hughes
9fc8343772 Don't use TEMP_FAILURE_RETRY on close in system/core.
Bug: http://b/20501816
Change-Id: I1839b48ee4f891b8431ecb809e37a4566a5b3e50
(cherry picked from commit 47b0134ec2)
2015-05-27 13:27:06 -07:00
Elliott Hughes
47b0134ec2 Don't use TEMP_FAILURE_RETRY on close in system/core.
Bug: http://b/20501816
Change-Id: I1839b48ee4f891b8431ecb809e37a4566a5b3e50
2015-05-15 19:16:40 -07:00
Iliyan Malchev
355bd1fd98 am b33118ac: am 2557cd21: am 8b448629: am 16092b7a: Merge "fs_mgr: allow for zramsize to be specified as percentage of total memory" into lmp-mr1-dev
* commit 'b33118ac7603b459d690f524e0c64161f8ab5c0d':
  fs_mgr: allow for zramsize to be specified as percentage of total memory
2015-05-13 17:29:05 +00:00
Iliyan Malchev
b33118ac76 am 2557cd21: am 8b448629: am 16092b7a: Merge "fs_mgr: allow for zramsize to be specified as percentage of total memory" into lmp-mr1-dev
* commit '2557cd21f0af31d6dafee24d649f83314d2896d4':
  fs_mgr: allow for zramsize to be specified as percentage of total memory
2015-05-13 17:07:53 +00:00
Iliyan Malchev
2557cd21f0 am 8b448629: am 16092b7a: Merge "fs_mgr: allow for zramsize to be specified as percentage of total memory" into lmp-mr1-dev
* commit '8b4486294053ea96ac50d8c07d4fc23729ef7c52':
  fs_mgr: allow for zramsize to be specified as percentage of total memory
2015-05-12 23:55:40 +00:00
Iliyan Malchev
16092b7a48 Merge "fs_mgr: allow for zramsize to be specified as percentage of total memory" into lmp-mr1-dev 2015-05-12 23:25:51 +00:00
Elliott Hughes
0b3a8a7493 am 8b41a4a3: am 9680eaa1: Merge "fs_mgr: remove some dead code"
* commit '8b41a4a3ca0e6d1001e5dd92b09282d8ef03c307':
  fs_mgr: remove some dead code
2015-05-07 20:33:57 +00:00
Oleksiy Avramchenko
093dd317ec fs_mgr: remove some dead code
Using logical op on uninitialized memory is a bad thing. Good thing
is that this bug is dead because the structure is completely
cleared later via create_verity_device() -> verity_ioctl_init().

Change-Id: Idf5515a888bc6216eda0e23885a789f9b0320bac
2015-05-07 10:18:33 +02:00