microdroid_manager: verify APK/APEXes
Even though libapkverify doesn't do much verification for now, having it in use would make CI detect errors in the future. TODO: - zipfuse should wait until APK is verified. - boot should abort when verification fails. Bug: 190343842 Test: MicrodroidHostTestCases Change-Id: I221be1c7d9a0bfcd312593d3958f950311b67af5
This commit is contained in:
parent
5d94bfcd79
commit
19c1d6c70e
|
@ -0,0 +1,19 @@
|
||||||
|
package {
|
||||||
|
default_applicable_licenses: ["Android-Apache-2.0"],
|
||||||
|
}
|
||||||
|
|
||||||
|
rust_library {
|
||||||
|
name: "libapkverify",
|
||||||
|
host_supported: true,
|
||||||
|
crate_name: "apkverify",
|
||||||
|
srcs: ["src/lib.rs"],
|
||||||
|
prefer_rlib: true,
|
||||||
|
edition: "2018",
|
||||||
|
rustlibs: [
|
||||||
|
"libanyhow",
|
||||||
|
"libbyteorder",
|
||||||
|
"libbytes",
|
||||||
|
"liblog_rust",
|
||||||
|
"libzip",
|
||||||
|
],
|
||||||
|
}
|
|
@ -1,11 +0,0 @@
|
||||||
[package]
|
|
||||||
name = "apkverify"
|
|
||||||
version = "0.1.0"
|
|
||||||
authors = ["Jooyung Han <jooyung@google.com>"]
|
|
||||||
edition = "2018"
|
|
||||||
|
|
||||||
[dependencies]
|
|
||||||
anyhow = { path = "../../../../external/rust/crates/anyhow" }
|
|
||||||
bytes = { path = "../../../../external/rust/crates/bytes" }
|
|
||||||
byteorder = { path = "../../../../external/rust/crates/byteorder" }
|
|
||||||
zip = { version = "0.5", path = "../../../../external/rust/crates/zip" }
|
|
|
@ -128,19 +128,19 @@ fn find_signature_scheme_block(buf: Bytes, block_id: u32) -> Result<Bytes> {
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn is_supported_signature_algorithm(algorithm_id: u32) -> bool {
|
pub fn is_supported_signature_algorithm(algorithm_id: u32) -> bool {
|
||||||
match algorithm_id {
|
matches!(
|
||||||
|
algorithm_id,
|
||||||
SIGNATURE_RSA_PSS_WITH_SHA256
|
SIGNATURE_RSA_PSS_WITH_SHA256
|
||||||
| SIGNATURE_RSA_PSS_WITH_SHA512
|
| SIGNATURE_RSA_PSS_WITH_SHA512
|
||||||
| SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256
|
| SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA256
|
||||||
| SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512
|
| SIGNATURE_RSA_PKCS1_V1_5_WITH_SHA512
|
||||||
| SIGNATURE_ECDSA_WITH_SHA256
|
| SIGNATURE_ECDSA_WITH_SHA256
|
||||||
| SIGNATURE_ECDSA_WITH_SHA512
|
| SIGNATURE_ECDSA_WITH_SHA512
|
||||||
| SIGNATURE_DSA_WITH_SHA256
|
| SIGNATURE_DSA_WITH_SHA256
|
||||||
| SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256
|
| SIGNATURE_VERITY_RSA_PKCS1_V1_5_WITH_SHA256
|
||||||
| SIGNATURE_VERITY_ECDSA_WITH_SHA256
|
| SIGNATURE_VERITY_ECDSA_WITH_SHA256
|
||||||
| SIGNATURE_VERITY_DSA_WITH_SHA256 => true,
|
| SIGNATURE_VERITY_DSA_WITH_SHA256
|
||||||
_ => false,
|
)
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
fn to_content_digest_algorithm(algorithm_id: u32) -> Result<u32> {
|
fn to_content_digest_algorithm(algorithm_id: u32) -> Result<u32> {
|
||||||
|
|
|
@ -16,6 +16,9 @@
|
||||||
|
|
||||||
//! Verifies APK Signature Scheme V3
|
//! Verifies APK Signature Scheme V3
|
||||||
|
|
||||||
|
// TODO(jooyung) remove this
|
||||||
|
#![allow(dead_code)]
|
||||||
|
|
||||||
use anyhow::{anyhow, bail, Result};
|
use anyhow::{anyhow, bail, Result};
|
||||||
use bytes::Bytes;
|
use bytes::Bytes;
|
||||||
use std::fs::File;
|
use std::fs::File;
|
||||||
|
|
|
@ -10,6 +10,7 @@ rust_defaults {
|
||||||
prefer_rlib: true,
|
prefer_rlib: true,
|
||||||
rustlibs: [
|
rustlibs: [
|
||||||
"libanyhow",
|
"libanyhow",
|
||||||
|
"libapkverify",
|
||||||
"libkernlog",
|
"libkernlog",
|
||||||
"liblibc",
|
"liblibc",
|
||||||
"liblog_rust",
|
"liblog_rust",
|
||||||
|
|
|
@ -17,7 +17,8 @@
|
||||||
mod ioutil;
|
mod ioutil;
|
||||||
mod metadata;
|
mod metadata;
|
||||||
|
|
||||||
use anyhow::{anyhow, bail, Result};
|
use anyhow::{anyhow, bail, Context, Result};
|
||||||
|
use apkverify::verify;
|
||||||
use log::{error, info, warn};
|
use log::{error, info, warn};
|
||||||
use microdroid_payload_config::{Task, TaskType, VmPayloadConfig};
|
use microdroid_payload_config::{Task, TaskType, VmPayloadConfig};
|
||||||
use rustutils::system_properties::PropertyWatcher;
|
use rustutils::system_properties::PropertyWatcher;
|
||||||
|
@ -30,12 +31,19 @@ use std::time::Duration;
|
||||||
use vsock::VsockStream;
|
use vsock::VsockStream;
|
||||||
|
|
||||||
const WAIT_TIMEOUT: Duration = Duration::from_secs(10);
|
const WAIT_TIMEOUT: Duration = Duration::from_secs(10);
|
||||||
|
const DM_MOUNTED_APK_PATH: &str = "/dev/block/mapper/microdroid-apk";
|
||||||
|
|
||||||
fn main() -> Result<()> {
|
fn main() -> Result<()> {
|
||||||
kernlog::init()?;
|
kernlog::init()?;
|
||||||
info!("started.");
|
info!("started.");
|
||||||
|
|
||||||
let metadata = metadata::load()?;
|
let metadata = metadata::load()?;
|
||||||
|
|
||||||
|
if let Err(err) = verify_payloads() {
|
||||||
|
error!("failed to verify payload: {}", err);
|
||||||
|
// TODO(jooyung): should stop the boot process if verification fails
|
||||||
|
}
|
||||||
|
|
||||||
if !metadata.payload_config_path.is_empty() {
|
if !metadata.payload_config_path.is_empty() {
|
||||||
let config = load_config(Path::new(&metadata.payload_config_path))?;
|
let config = load_config(Path::new(&metadata.payload_config_path))?;
|
||||||
|
|
||||||
|
@ -56,6 +64,19 @@ fn main() -> Result<()> {
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO(jooyung): v2/v3 full verification can be slow. Consider multithreading.
|
||||||
|
fn verify_payloads() -> Result<()> {
|
||||||
|
// We don't verify APEXes since apexd does.
|
||||||
|
|
||||||
|
// should wait APK to be dm-verity mounted by apkdmverity
|
||||||
|
ioutil::wait_for_file(DM_MOUNTED_APK_PATH, WAIT_TIMEOUT)?;
|
||||||
|
verify(DM_MOUNTED_APK_PATH).context(format!("failed to verify {}", DM_MOUNTED_APK_PATH))?;
|
||||||
|
|
||||||
|
info!("payload verification succeeded.");
|
||||||
|
// TODO(jooyung): collect public keys and store them in instance.img
|
||||||
|
Ok(())
|
||||||
|
}
|
||||||
|
|
||||||
fn load_config(path: &Path) -> Result<VmPayloadConfig> {
|
fn load_config(path: &Path) -> Result<VmPayloadConfig> {
|
||||||
info!("loading config from {:?}...", path);
|
info!("loading config from {:?}...", path);
|
||||||
let file = ioutil::wait_for_file(path, WAIT_TIMEOUT)?;
|
let file = ioutil::wait_for_file(path, WAIT_TIMEOUT)?;
|
||||||
|
|
|
@ -85,7 +85,12 @@ fn make_metadata_file(
|
||||||
version: 1,
|
version: 1,
|
||||||
apexes: apexes
|
apexes: apexes
|
||||||
.iter()
|
.iter()
|
||||||
.map(|apex| ApexPayload { name: apex.name.clone(), ..Default::default() })
|
.enumerate()
|
||||||
|
.map(|(i, apex)| ApexPayload {
|
||||||
|
name: apex.name.clone(),
|
||||||
|
partition_name: format!("microdroid-apex-{}", i),
|
||||||
|
..Default::default()
|
||||||
|
})
|
||||||
.collect(),
|
.collect(),
|
||||||
apk: Some(ApkPayload {
|
apk: Some(ApkPayload {
|
||||||
name: "apk".to_owned(),
|
name: "apk".to_owned(),
|
||||||
|
|
Loading…
Reference in New Issue