From 997d738dda66df669837cb27b39e09ed12316e47 Mon Sep 17 00:00:00 2001 From: Nathan Huckleberry Date: Fri, 21 Oct 2022 20:55:49 +0000 Subject: [PATCH] Expose system property for dm-verity check_at_most_once Allow us to check if check_at_most_once is set for any partitions. This property should be false for any device with a reasonable amount of RAM and a modern CPU. Enabling check_at_most_once violates AVB best practices, it should only be allowed on performance limited devices. Bug: 253033920 Test: Ensure that avbHashtreeNotUsingSha1 CTS test still passes and that partition.system.verified.check_at_most_once is set. Change-Id: I8174adf81111cc0df547ea01f81b0dfaca32631f Signed-off-by: Nathan Huckleberry --- fs_mgr/fs_mgr.cpp | 28 +++++++--------------------- fs_mgr/include/fs_mgr.h | 2 ++ init/builtins.cpp | 2 ++ 3 files changed, 11 insertions(+), 21 deletions(-) diff --git a/fs_mgr/fs_mgr.cpp b/fs_mgr/fs_mgr.cpp index 27137a298..1c1ab48d4 100644 --- a/fs_mgr/fs_mgr.cpp +++ b/fs_mgr/fs_mgr.cpp 
@@ -2191,36 +2191,22 @@ std::optional fs_mgr_get_hashtree_info(const android::fs_mgr::Fsta std::vector tokens = android::base::Split(target.data, " \t\r\n"); if (tokens[0] != "0" && tokens[0] != "1") { LOG(WARNING) << "Unrecognized device mapper version in " << target.data; - return {}; } // Hashtree algorithm & root digest are the 8th & 9th token in the output. - return HashtreeInfo{.algorithm = android::base::Trim(tokens[7]), - .root_digest = android::base::Trim(tokens[8])}; + return HashtreeInfo{ + .algorithm = android::base::Trim(tokens[7]), + .root_digest = android::base::Trim(tokens[8]), + .check_at_most_once = target.data.find("check_at_most_once") != std::string::npos}; } return {}; } bool fs_mgr_verity_is_check_at_most_once(const android::fs_mgr::FstabEntry& entry) { - if (!entry.fs_mgr_flags.avb) { - return false; - } - - DeviceMapper& dm = DeviceMapper::Instance(); - std::string device = GetVerityDeviceName(entry); - - std::vector table; - if (dm.GetState(device) == DmDeviceState::INVALID || !dm.GetTableInfo(device, &table)) { - return false; - } - for (const auto& target : table) { - if (strcmp(target.spec.target_type, "verity") == 0 && - target.data.find("check_at_most_once") != std::string::npos) { - return true; - } - } - return false; + auto hashtree_info = fs_mgr_get_hashtree_info(entry); + if (!hashtree_info) return false; + return hashtree_info->check_at_most_once; } std::string fs_mgr_get_super_partition_name(int slot) { diff --git a/fs_mgr/include/fs_mgr.h b/fs_mgr/include/fs_mgr.h index 29a5e60e6..43de6d84c 100644 --- a/fs_mgr/include/fs_mgr.h +++ b/fs_mgr/include/fs_mgr.h @@ -71,6 +71,8 @@ struct HashtreeInfo { std::string algorithm; // The root digest of the merkle tree. std::string root_digest; + // If check_at_most_once is enabled. + bool check_at_most_once; }; // fs_mgr_mount_all() updates fstab entries that reference device-mapper. diff --git a/init/builtins.cpp b/init/builtins.cpp index c8cb25300..7cb8b1149 100644 
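Review bot: With `return {};` removed from the version check, an unrecognized verity table version now only logs a warning, and the code goes on to read `tokens[7]` and `tokens[8]` without any visible check that the split produced at least nine tokens. A short or differently laid-out table line would then index past the end of the vector, or publish the wrong fields as the hash algorithm and root digest that init exports as properties. I would guard the return, e.g. `if (tokens.size() < 9) { LOG(WARNING) << "Unexpected verity table: " << target.data; return {}; }`, and state in the commit message why the early return was dropped. The `check_at_most_once` test is also a substring search over all of `target.data`; comparing against the already split `tokens` would avoid matching the name inside another argument. fs_mgr_get_hashtree_info starts outside the hunk.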
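Review bot: The new `check_at_most_once` member in `HashtreeInfo` has no default, so an instance created without an initializer list leaves it indeterminate, and a security-relevant flag should not read as true by accident. `bool check_at_most_once = false;` fixes that and keeps the designated initializer in fs_mgr.cpp valid. The comment could also say what the flag means, for example `// True if the verity table has check_at_most_once, i.e. each block is verified only on its first read.` The struct begins outside the hunk.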
--- a/init/builtins.cpp +++ b/init/builtins.cpp @@ -879,6 +879,8 @@ static Result do_verity_update_state(const BuiltinArguments& args) { SetProperty("partition." + partition + ".verified.hash_alg", hashtree_info->algorithm); SetProperty("partition." + partition + ".verified.root_digest", hashtree_info->root_digest); + SetProperty("partition." + partition + ".verified.check_at_most_once", + hashtree_info->check_at_most_once ? "1" : "0"); } }
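Review bot: The new `SetProperty` call for `.verified.check_at_most_once` sits inside the block that dereferences `hashtree_info`, so on a partition where that lookup fails the property presumably stays unset rather than "0"; the enclosing condition opens outside the hunk, so this is inferred from the closing brace. A consumer that only tests for "1" would then read a failed lookup the same as a clean result. A comment above the call would make the contract explicit, e.g. `// "1": verity checks each block only on first read (against AVB best practice). Unset: hashtree info unavailable.`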