idsig: create merkle tree
The idsig crate is for creating an idsig file from an apk. It will be
used by virtualization service when a VM is first created. From the
input APK, the corresponding idsig file is generated and passed to the
VM as a partition. Inside the VM, a dm-verity block device is created
for the APK whose merkle tree is backed by the idsig file.
If it's the VM's first boot, the APK (still on top of dm-verity) is
verified using the APK signature scheme V2 or V3. This involves a full
scanning of the APK. Therefore, a successful V2/V3 verification means
that the merkle tree and the root hash in the idsig file are also
trustful, because otherwise there must have been an I/O error during the
scanning, or the V2/V3 verification must have failed.
Subsequent boots don't involve the lengthy V2/V3 verification. Instead,
we use the root hash that is stored to the instance disk during the
first boot. We don't use the root hash read from the idsig file which
might have been compromised and therefore shouldn't be used without the
V2/V3 verification.
As the first step, the idsig crate is created. It currently has routines
for the generation of merkle tree. Later, apksigv4.rs which implements
the idsig file format will be moved from apkdmverity to here. Then
finally, virtualization service will use this to actually create an
idsig file when necessary.
Bug: 193504400
Test: cargo test
Change-Id: I242dd8c6d74fd3098831ce820dd989871939e911
2021-08-11 06:58:07 +00:00
#!/bin/bash
2021-12-20 08:11:49 +00:00
sizes="512 4K 1M 10000000 272629760"
# One input file per size, plus its fs-verity Merkle tree and descriptor,
# generated with the same parameters the idsig crate uses (SHA-256,
# 6-byte salt, 4 KiB blocks).
for size in $sizes; do
  echo "$size"
  # iflag=fullblock: a single read from /dev/random may return fewer bytes
  # than requested, which would silently truncate the larger inputs;
  # fullblock keeps reading until the whole block is filled.
  dd if=/dev/random of="input.$size" bs="$size" count=1 iflag=fullblock
  fsverity digest "input.$size" \
    --hash-alg=sha256 \
    --salt=010203040506 \
    --block-size=4096 \
    --out-merkle-tree "input.$size.hash" \
    --out-descriptor "input.$size.descriptor"
done
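The commit message describes the merkle tree that backs the APK's dm-verity device, and the script above asks `fsverity digest` for exactly that tree (SHA-256, salt 010203040506, 4096-byte blocks). The following is an added example, not code from the idsig crate or from create.sh: a pure-Python construction of an fs-verity style hash tree with those parameters, plus the per-block verification a dm-verity reader performs against a trusted root hash. It assumes the fs-verity conventions of zero-padding the salt to the hash's 64-byte input block size, zero-padding the last block of every level, and serializing the tree top level first; the function names and the constructed sample inputs are this example's own.

```python
# Added example (not code from the idsig crate or from create.sh): an
# fs-verity style Merkle tree in pure Python, matching the parameters of
# `fsverity digest --hash-alg=sha256 --salt=010203040506 --block-size=4096`.
# Assumptions, labelled: the salt is zero-padded to the hash's input block
# size, and the serialized tree stores the top level first.
import hashlib
import hmac

BLOCK_SIZE = 4096                      # --block-size=4096
HASH_ALG = "sha256"                    # --hash-alg=sha256
SALT = bytes.fromhex("010203040506")   # --salt=010203040506


def padded_salt(salt: bytes, alg: str = HASH_ALG) -> bytes:
    """Zero-pad the salt to a multiple of the hash's input block size
    (64 bytes for SHA-256) before it is prepended to every hashed block."""
    if not salt:
        return b""
    unit = hashlib.new(alg).block_size
    return salt.ljust(-(-len(salt) // unit) * unit, b"\0")


def hash_block(block: bytes, salt: bytes = SALT,
               block_size: int = BLOCK_SIZE, alg: str = HASH_ALG) -> bytes:
    """Digest of one tree block: H(padded_salt || block zero-padded to
    block_size). Used for data blocks and hash blocks alike."""
    if len(block) > block_size:
        raise ValueError("block is larger than the block size")
    h = hashlib.new(alg)
    h.update(padded_salt(salt, alg))
    h.update(block.ljust(block_size, b"\0"))
    return h.digest()


def level_block_counts(num_data_blocks: int, hashes_per_block: int) -> list:
    """Hash blocks per tree level, bottom level first. A file that fits in
    one data block has no hash levels: its root hash is the block digest."""
    counts, n = [], num_data_blocks
    while n > 1:
        n = -(-n // hashes_per_block)
        counts.append(n)
    return counts


def build_hash_tree(data: bytes, salt: bytes = SALT,
                    block_size: int = BLOCK_SIZE, alg: str = HASH_ALG):
    """Return (tree, root_hash). `tree` is the serialized Merkle tree, top
    level first (what --out-merkle-tree writes and the idsig file carries);
    `root_hash` is the digest of the top-level hash block, or of the lone
    data block when there are no hash levels."""
    if not data:
        raise ValueError("empty input is not handled in this example")
    digest_size = hashlib.new(alg).digest_size
    hashes_per_block = block_size // digest_size
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    levels = []  # built bottom level first
    while len(blocks) > 1:
        digests = b"".join(hash_block(b, salt, block_size, alg) for b in blocks)
        n_hash_blocks = -(-len(blocks) // hashes_per_block)
        level = digests.ljust(n_hash_blocks * block_size, b"\0")  # pad last block
        levels.append(level)
        blocks = [level[i:i + block_size] for i in range(0, len(level), block_size)]
    root_hash = hash_block(blocks[0], salt, block_size, alg)
    return b"".join(reversed(levels)), root_hash


def verify_data_block(block: bytes, index: int, data_size: int, tree: bytes,
                      root_hash: bytes, salt: bytes = SALT,
                      block_size: int = BLOCK_SIZE, alg: str = HASH_ALG) -> bool:
    """The check dm-verity performs per read: hash data block `index`, match
    it against the stored digest, then walk the hash path up to `root_hash`.
    Only the root hash needs to be trusted (on the VM it is read back from
    the instance disk); the tree may come from the untrusted idsig file."""
    digest_size = hashlib.new(alg).digest_size
    hashes_per_block = block_size // digest_size
    counts = level_block_counts(-(-data_size // block_size), hashes_per_block)
    offsets, off = {}, 0  # byte offset of each level in the top-first layout
    for lvl in reversed(range(len(counts))):
        offsets[lvl] = off
        off += counts[lvl] * block_size
    if off != len(tree) or not 0 <= index * block_size < data_size:
        return False
    expected, pos = hash_block(block, salt, block_size, alg), index
    for lvl in range(len(counts)):
        hash_block_idx, slot = divmod(pos, hashes_per_block)
        start = offsets[lvl] + hash_block_idx * block_size
        hblock = tree[start:start + block_size]
        stored = hblock[slot * digest_size:(slot + 1) * digest_size]
        if not hmac.compare_digest(stored, expected):
            return False
        expected, pos = hash_block(hblock, salt, block_size, alg), hash_block_idx
    return hmac.compare_digest(expected, root_hash)


if __name__ == "__main__":
    # Constructed sample: 129 data blocks, enough for a two-level tree.
    sample = bytes([0x5A]) * (128 * BLOCK_SIZE + 1)
    tree, root = build_hash_tree(sample)
    print("tree bytes:", len(tree), "root:", root.hex())
    print("block 128 verifies:",
          verify_data_block(sample[128 * BLOCK_SIZE:], 128, len(sample), tree, root))
```

The split between `build_hash_tree` and `verify_data_block` mirrors the trust boundary in the commit message: the tree can be regenerated or supplied by anyone, but a reader only accepts a block whose hash path ends at the root hash it already trusts, so a tree or root hash swapped in the idsig file fails verification rather than being believed.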