adb: Allow disabling verity on eng builds when using AVB.

Unlike VB1.0, if a device is using AVB then dm-verity is used on any build (userdebug, eng, etc.). Therefore, we should allow disabling verity on any build (except USER), not just userdebug. This bug was pointed out in https://android-review.googlesource.com/#/c/371372/ Bug: 34124301 Test: Manually tested on -eng build on device using AVB. Change-Id: I314550c13d7458d5d1ef68eb06f98849e11fbe15
2017-05-17 10:36:35 -04:00 · 2017-05-17 10:36:35 -04:00 · abddbc2cdf
parent b03d5a4ba6
commit abddbc2cdf
1 changed files with 23 additions and 12 deletions
--- a/adb/set_verity_enable_state_service.cpp
+++ b/adb/set_verity_enable_state_service.cpp
@ -139,25 +139,36 @@ void set_verity_enabled_state_service(int fd, void* cookie) {
    bool any_changed = false;

    bool enable = (cookie != NULL);
-    if (!kAllowDisableVerity) {
-        WriteFdFmt(fd, "%s-verity only works for userdebug builds\n",
-                   enable ? "enable" : "disable");
+
+    // Figure out if we're using VB1.0 or VB2.0 (aka AVB) - by
+    // contract, androidboot.vbmeta.digest is set by the bootloader
+    // when using AVB).
+    bool using_avb = !android::base::GetProperty("ro.boot.vbmeta.digest", "").empty();
+
+    // If using AVB, dm-verity is used on any build so we want it to
+    // be possible to disable/enable on any build (except USER). For
+    // VB1.0 dm-verity is only enabled on certain builds.
+    if (!using_avb) {
+        if (!kAllowDisableVerity) {
+            WriteFdFmt(fd, "%s-verity only works for userdebug builds\n",
+                       enable ? "enable" : "disable");
+        }
+
+        if (!android::base::GetBoolProperty("ro.secure", false)) {
+            WriteFdFmt(fd, "verity not enabled - ENG build\n");
+            return;
+        }
    }

-    if (!android::base::GetBoolProperty("ro.secure", false)) {
-        WriteFdFmt(fd, "verity not enabled - ENG build\n");
-        return;
-    }
+    // Should never be possible to disable dm-verity on a USER build
+    // regardless of using AVB or VB1.0.
    if (!__android_log_is_debuggable()) {
        WriteFdFmt(fd, "verity cannot be disabled/enabled - USER build\n");
        return;
    }

-    // Figure out if we're using VB1.0 or VB2.0 (aka AVB).
-    std::string vbmeta_hash = android::base::GetProperty("ro.boot.vbmeta.digest", "");
-    if (vbmeta_hash != "") {
-        // Yep, the system is using AVB (by contract, androidboot.vbmeta.hash is
-        // set by the bootloader when using AVB).
+    if (using_avb) {
+        // Yep, the system is using AVB.
        AvbOps* ops = avb_ops_user_new();
        if (ops == nullptr) {
            WriteFdFmt(fd, "Error getting AVB ops\n");