Merge changes from topic "revert-1665499-revert-1660531-max-boot-level-crypto-KFMCEDKSIV-WPIHELCRFI"

* changes:
  Revert^2 "Set earlyBootEnded before apex starts"
  Revert^2 "Expose AID_KEYSTORE"
This commit is contained in:
Paul Crowley 2021-04-16 15:51:27 +00:00 committed by Gerrit Code Review
commit 61abbef4e4
2 changed files with 29 additions and 17 deletions


@ -363,8 +363,9 @@ rust_bindgen {
local_include_dirs: ["include"], local_include_dirs: ["include"],
bindgen_flags: [ bindgen_flags: [
"--whitelist-function", "multiuser_get_app_id", "--whitelist-function", "multiuser_get_app_id",
"--whitelist-function", "multiuser_get_user_id",
"--whitelist-function", "multiuser_get_uid", "--whitelist-function", "multiuser_get_uid",
"--whitelist-function", "multiuser_get_user_id",
"--whitelist-var", "AID_KEYSTORE",
"--whitelist-var", "AID_USER_OFFSET", "--whitelist-var", "AID_USER_OFFSET",
], ],
} }
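Review bot: The hunk relocates the `"--whitelist-function", "multiuser_get_user_id",` entry relative to `multiuser_get_uid` (one of the two identical lines around the `multiuser_get_uid` entry is removed, the other added) in the same change whose subject is adding `"--whitelist-var", "AID_KEYSTORE",`. The reorder has no effect on the generated bindings, so keeping the existing order would leave this hunk as the single-line addition and make the Revert^2 easier to compare against the change it re-lands. Which of the two identical lines is the old one cannot be read from the rendered view; the direction of the move is inferred from the hunk counts (8 old, 9 new) only. The rust_bindgen block these flags belong to starts outside the hunk.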


@ -471,9 +471,6 @@ on init
chmod 0664 /sys/module/lowmemorykiller/parameters/minfree chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
start lmkd start lmkd
# Set an initial boot level - start at 10 in case we need to add earlier ones.
setprop keystore.boot_level 10
# Start essential services. # Start essential services.
start servicemanager start servicemanager
start hwservicemanager start hwservicemanager
@ -630,8 +627,6 @@ on late-fs
write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1 write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1
on post-fs-data on post-fs-data
# Boot level 30 - at this point daemons like apexd and odsign run
setprop keystore.boot_level 30
mark_post_data mark_post_data
@ -652,6 +647,9 @@ on post-fs-data
mkdir /data/bootchart 0755 shell shell encryption=Require mkdir /data/bootchart 0755 shell shell encryption=Require
bootchart start bootchart start
# Avoid predictable entropy pool. Carry over entropy from previous boot.
copy /data/system/entropy.dat /dev/urandom
mkdir /data/vendor 0771 root root encryption=Require mkdir /data/vendor 0771 root root encryption=Require
mkdir /data/vendor_ce 0771 root root encryption=None mkdir /data/vendor_ce 0771 root root encryption=None
mkdir /data/vendor_de 0771 root root encryption=None mkdir /data/vendor_de 0771 root root encryption=None
@ -667,6 +665,25 @@ on post-fs-data
# Make sure that apexd is started in the default namespace # Make sure that apexd is started in the default namespace
enter_default_mount_ns enter_default_mount_ns
# set up keystore directory structure first so that we can end early boot
# and start apexd
mkdir /data/misc 01771 system misc encryption=Require
mkdir /data/misc/keystore 0700 keystore keystore
# work around b/183668221
restorecon /data/misc /data/misc/keystore
# Boot level 30
# odsign signing keys have MAX_BOOT_LEVEL=30
# This is currently the earliest boot level, but we start at 30
# to leave room for earlier levels.
setprop keystore.boot_level 30
# Now that /data is mounted and we have created /data/misc/keystore,
# we can tell keystore to stop allowing use of early-boot keys,
# and access its database for the first time to support creation and
# use of MAX_BOOT_LEVEL keys.
exec - system system -- /system/bin/vdc keymaster earlyBootEnded
# /data/apex is now available. Start apexd to scan and activate APEXes. # /data/apex is now available. Start apexd to scan and activate APEXes.
mkdir /data/apex 0755 root system encryption=None mkdir /data/apex 0755 root system encryption=None
mkdir /data/apex/active 0755 root system mkdir /data/apex/active 0755 root system
@ -678,11 +695,7 @@ on post-fs-data
mkdir /data/apex/ota_reserved 0700 root system encryption=Require mkdir /data/apex/ota_reserved 0700 root system encryption=Require
start apexd start apexd
# Avoid predictable entropy pool. Carry over entropy from previous boot. # create rest of basic filesystem structure
copy /data/system/entropy.dat /dev/urandom
# create basic filesystem structure
mkdir /data/misc 01771 system misc encryption=Require
mkdir /data/misc/recovery 0770 system log mkdir /data/misc/recovery 0770 system log
copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1 copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1
chmod 0440 /data/misc/recovery/ro.build.fingerprint.1 chmod 0440 /data/misc/recovery/ro.build.fingerprint.1
@ -706,7 +719,6 @@ on post-fs-data
mkdir /data/misc/nfc 0770 nfc nfc mkdir /data/misc/nfc 0770 nfc nfc
mkdir /data/misc/nfc/logs 0770 nfc nfc mkdir /data/misc/nfc/logs 0770 nfc nfc
mkdir /data/misc/credstore 0700 credstore credstore mkdir /data/misc/credstore 0700 credstore credstore
mkdir /data/misc/keystore 0700 keystore keystore
mkdir /data/misc/gatekeeper 0700 system system mkdir /data/misc/gatekeeper 0700 system system
mkdir /data/misc/keychain 0771 system system mkdir /data/misc/keychain 0771 system system
mkdir /data/misc/net 0750 root shell mkdir /data/misc/net 0750 root shell
@ -916,14 +928,13 @@ on post-fs-data
# odsign to be done with the key # odsign to be done with the key
wait_for_prop odsign.key.done 1 wait_for_prop odsign.key.done 1
# After apexes are mounted, tell keymaster early boot has ended, so it will
# stop allowing use of early-boot keys
exec - system system -- /system/bin/vdc keymaster earlyBootEnded
# Lock the fs-verity keyring, so no more keys can be added # Lock the fs-verity keyring, so no more keys can be added
exec -- /system/bin/fsverity_init --lock exec -- /system/bin/fsverity_init --lock
setprop keystore.boot_level 40 # Bump the boot level to 1000000000; this prevents further on-device signing.
# This is a special value that shuts down the thread which listens for
# further updates.
setprop keystore.boot_level 1000000000
# Allow apexd to snapshot and restore device encrypted apex data in the case # Allow apexd to snapshot and restore device encrypted apex data in the case
# of a rollback. This should be done immediately after DE_user data keys # of a rollback. This should be done immediately after DE_user data keys