fs_mgr_update_verity_state() is invoked by 'verity_update_state' in
init.rc. It will then set property "partition.system.verified" and
"partition.vendor.verified" to verify_mode. We should support this for
AVB as well.
Also change the order of static libs in init to fix the build error
after this change:
system/extras/ext4_utils/ext4_crypt.cpp:69: error: undefined reference to 'property_get'
Bug: 35416769
Test: Mount /system and /vendor with vboot 2.0 (AVB), check the following properties exist.
- [partition.system.verified]: [2]
- [partition.vendor.verified]: [2]
Test: Mount /system and /vendor with vboot 1.0, check the following properties exist.
- [partition.system.verified]: [0]
- [partition.vendor.verified]: [0]
Change-Id: I4328d66a8cb93f26e7960e620a0b2292d5f15900
Several changes in this CL:
- Moves class FsManagerAvbHandle to public API
- Adds a parameter 'wait_for_verity_dev' for FsManagerAvbHandle::SetUpAvb()
to allow not to wait for verity device gets created
- Adds FsManagerAvbHandle::AvbHashtreeDisabled() to query whether AVB is disabled
- Adds fs_mgr_is_avb() to query whether a fstab_rec has MF_AVB flag
Bug: 33254008
Test: test AVB on bullhead
Change-Id: I89c43ca574ae632db8a700fc2590a1f80212c993
Adds two classes FsManagerAvbhandle and FsManagerAvbVerifier to replace the
following functions or struct:
- fs_mgr_load_vbmeta_images() -> FsManagerAvbhandle::Open()
- fs_mgr_unload_vbmeta_images() -> deleted
- fs_mgr_setup_avb() -> FsManagerAvbhandle::SetUpAvb()
- androidboot_vbmeta -> FsManagerAvbVerifier
- load_vbmeta_prop() -> FsManagerAvbVerifier::Create()
- verify_vbmeta_images() -> FsManagerAvbVerifier::VerifyVbmetaImages()
And only invokes FsManagerAvbhandle::Open() when there is a fstab entry having
'avb' flag (need HASHTREE descriptor). fs_mgr_is_avb_used() can be
removed as it only checks system property "ro.boot.vbmeta.hash_alg" to
decide whether vbmeta needs to be loaded, which might not be accurate.
For example, there are only HASH descriptors in the verified chain but
no HASHTREE descriptors. In this case, the fs_mgr doesn't have to do
anything because it only takes care of HASHTREE descriptors.
Also adds a new class FsManagerAvbOps to provide the C++ binding
FsManagerAvbOps::AvbSlotVerify() for libavb->avb_slot_verify().
Bug: 33254008
Test: test AVB on bullhead
Change-Id: I8fe15ba01c277152630a2a5c1c5c7f25fbf34030
The function returns "_a" or "_b" based on two possible values in
kernel cmdline:
- androidboot.slot = a or b OR
- androidboot.slot_suffix = _a or _b
Bug: 33254008
Bug: 36533366
Test: boot sailfish
Change-Id: Ia0a524e4145ebf61af5821f42ecad212c95ed748
- Old tool will set it to 10 while mke2fs will set it to -1.
- For now, only tag it.
- TODO: possibly add different policy per image tool version.
bug: 32246772
Test: check dmesg after reboot
Change-Id: Ib763f8ba64957412d2b02a9d6e3fc2bfcf55851e
fs_mgr_avb_ops->read_from_partition() relies on the by-name prefix to
get the device file when reading a partition. Previously we store the
fstab struct and use fs_mgr_get_entry_for_mount_point() for every read.
It's better to do that once and store the by-name prefix for later use.
Bug: 33254008
Test: test AVB on bullhead
Change-Id: Ie999851b529f984e29ccbf39fb52a8220056fe0c
get_hashtree_descriptor() currently restricts HASHTREE descriptor to be
either in /vbmeta or in the same partition for dm-verity setup.
Also allows it to be from /boot partition because the top-level vbmeta
might be appended at /boot in legacy devices without /vbmeta.
Bug: 35880930
Test: test AVB on bullhead with top-level vbmeta being at /boot
Change-Id: I1ebd16a3c9f17bced6055146e8843b5918a737eb
Currently there is no client requires fs_mgr_read_fstab_with_dt() so
remove this API. Devices with fstab entries in device tree should use
fs_mgr_read_fstab_default() to get default fstab, or just use
fs_mgr_read_fstab_dt() to get those in device tree.
Bug: 35811655
Test: normal boot sailfish
Test: run factory data reset in sailfish
Test: recovery boot sailfish
Test: adb sideload in sailfish
Change-Id: I1579d81cea7366cf3867cfe5ad56feb36cbb7246
fs_mgr might try to get a non-existing config through fs_mgr_get_boot_config()
on a device (e.g., for backward compatibility). Lower the log level to INFO
so it won't appear on the recovery screen.
Bug: 35811655
Test: recovery boot sailfish
Change-Id: I81497259aff3691740170abeef932d363b52be35
recovery boot: /etc/recovery.fstab
normal boot: use the first one found by the order:
/odm/etc/fstab.{hardware} ->
/vendor/etc/fstab.{hardware} ->
/fstab.{hardware}
Bug: 35811655
Bug: 36637553
Test: Sideload OTA installation in sailfish
Change-Id: I3e260e077afa5a37fb65246246c824e9379e68c8
fs_mgr_get_boot_config() returns true/false but the return value check
in current fs_mgr_avb is for 0/1. This was introduced during a refactoring.
Check true/false for the return value.
Bug: 33254008
Test: manual test AVB on bullhead
Change-Id: I72c366627214df4a99c4d9cf1eb577e94f7afb31
avb_ops->read_from_partition() should return
AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION if the requested partition does
not exist. Then libavb will try to load top-level vbmeta from /boot partition.
Two related changes in external/avb:
https://android-review.googlesource.com/#/c/344907/https://android-review.googlesource.com/#/c/348731/
Bug: 35880930
Test: test AVB on bullhead with top-level vbmeta being at /boot
Change-Id: I80355ba5ae4d29a6f102714cd2f7c2550b238f27
androidboot.slot_suffix is being deprecated for a androidboot.slot.
Bootloader must pass slot used to boot into the androidboot.slot which
does not include the '_' character
Test: boot android
Bug: 36533366
Change-Id: I6137bd08418f67a88120c8609eda10b2ada4607d
Signed-off-by: Fernando Lugo <flugo@google.com>
Right now all platforms supporting A/B have not fixed
androidboot.slot_suffix kernel command line parameter. To avoid breaking
all those platform allow using legacy support bootloaders get fixed.
Bug: 36533366
Test: boot
Change-Id: I0ad349f262d0b7f4897f3e184cb053b1440b2d5b
Signed-off-by: Fernando Lugo <flugo@google.com>
In the new A/B partition support suffixes don't have "_". So, fix fs_mgr
code that assumes it has "_"
Bug: 36533366
Test: boot
Change-Id: I0f528cf1e8fecacb1b4ae34f6dc42e18ebe777bb
Signed-off-by: Fernando Lugo <flugo@google.com>
Devices having no early mount enabled won't have fstab in device tree.
Lower the log level to INFO when fstab is absent there.
Bug: 35811655
Test: boot into recovery mode in a device without fstab in dt
Change-Id: I4b1e0e6554f50b8118770d00aa8f54be86aca858
mount_with_alternatives should set errno to match the 1st mount failure.
Bug: N/A
Test: run `fs_mgr -a <fake_fstab>` and check dmesg log
Change-Id: If4148d327f75c659b843e95f85568ea49c5d0180
Signed-off-by: NIEJuhu <niejuhu@xiaomi.com>
fstab contains device- and soc- specific content that should reside in
/odm or /vendor partition. This change searches the fstab.${ro.hardware}
file from /odm/etc, /vendor/etc and /, then use the first one found.
Bug: 35811655
Test: boot sailfish
Change-Id: I82f89b41a849faedb64072a7cfc52d7424e1aaa1
With the early mount support in init, fstab entries of verified partitions
(e.g., /system, /vendor) will be moved into device tree in kernel image.
Those early mount fstab entries will be removed from the fstab file to
prevent duplicated and/or inconsistent settings.
This change adds a new function: fs_mgr_read_fstab_with_dt(), to return
the combined results from both places. It also removes
fs_mgr_read_fstab_file() from the public APIs and makes it as an
internal function.
Bug: 35811655
Test: early mount /vendor with dm-verity on sailfish
Change-Id: I2fba3614685bf9f852a789cda6f53013e2164e60
- This is to collect data to understand if e2fsck -f option
can be dropped wholly based on information from fs.
- Ideally e2fsck should not fix fs if it was clean shutdown
or if it is not enabling quota.
- The log is added to /dev/fscklogs/log and other system components
can collect it later.
TODO: add mechanism to distinguish old vs new fs generation tool.
bug: 32246772
Test: reboot and check saved logs under different shutdown conditions (clean, non-clean)
Change-Id: Id00fad4c5f8ebbb9f9908164a1026e415df06721
To start Treble VTS test, a single AOSP system.img will be flashed onto
the device. The size of AOSP system.img might be different than the
system partition size on device, making locating verity metadata fail
(at the last fixed size of the partition).
This change allows disabling dm-verity on system partition when the
device is unlocked (orange device state) with invalid metadata.
BUG: 35603549
Test: Boot bullhead with a different-sized system.img, checks verity is
not enabled via:
"adb shell getprop | grep partition.system.verified"
Change-Id: Id89d023e82c78ff1902ab7a528431cf7f65e49ad
During early mount property area is not initialized, and as a result an
'eng' build will always incorrectly be detected as a 'secure' build by
early mount code path resulting into verity error and consequent boot
loop.
The change here makes sure the is_device_secure() check works with /
without properties based on the 'eng' build based build flag so the
early mount code works fine both ways.
Bug: 35791581
Bug: 27805372
Test: Boot sailfish-{eng,userdebug} builds successfully w/ early
mount enabled
Change-Id: Icd101ccad56b669f49b60bbb3005d5be9f53b02b
Signed-off-by: Sandeep Patil <sspatil@google.com>
If Device tree values are read for comparison, they produce false
negatives with std::strings due to trailing '\0'. This change
consolidates the triming of trailing null into a single helper function
to be used everywhere fs_mgr reads DT values for comparison or other
reasons where it wishes to have the trailing null trimmed.
b/27805372
Test: Boot sailfish w/ early mount /vendor
Change-Id: If71efc830dc440323df764c7461867e71ed6515b
Signed-off-by: Sandeep Patil <sspatil@google.com>
Fixes the compatible check in fs_mgr_boot_config by consolidating the
check in a single privately exported function within fs_mgr (i.e.
is_dt_compatible()).
b/27805372
Test: Boot sailfish w/ early mount
Change-Id: Ie2d1646b81cf9eba8d16828ca8cf2c75156c294c
Signed-off-by: Sandeep Patil <sspatil@google.com>
With init parsing fstab fragments from kernel separately, the fs_mgr
would completely miss the device tree entries. That leads to things like
'adb remount' to go through without warning for verity even if /system
is verified. This happens because 'verity_update_state' completely
misses the partitions passed to android through the device tree.
solution is to teach fs_mgr about device tree fstab entries and add 2
new public APIs.
1. fs_mgr_read_fstab_dt() - reads device tree and returns fstab
generated from it.
2. fs_mgr_read_fstab_default() - reads both device tree fstab and
/fstab.{ro.hardware} and returns the combined table.
This also reduces the hardcoded /fstab.{ro.hardware} occurence only to
fs_mgr and for eveyone who wants to read the "default" fstab must be
changed to call fs_mgr_read_fstab_default() instead. e.g. adb.
b/27805372
Test: Angler was used since it has 2 early mounted partitions instead of
one. 1 verified and 1 unverified.
- Boot angler successfully without early mount
- Boot angler successfully with /vendor early mount and test if 'adb
remount' warns us about verity
- Boot angler successfully with both /system and /vendor early mounted
and ensure 'adb remount' warns us about verity.
- check partitions.system.verified status after /system early mount ot
ensure it is set to VERITY_MODE_DEFAULT.
- 'adb disable-verity' with early mounted /system doesn't work due to
missing changes in adb
TODO:
change adb to use the new fs_mgr_read_fstab_default() API
Change-Id: I82038d87c7a44488e938acce2cc1082c08f6f73a
Signed-off-by: Sandeep Patil <sspatil@google.com>
depending on when fs_mgr is trying to read the configuration passed into
the kernel commandline, it may be able to read it successfully.
Specially in the case when init has not initialized properties.
This change adds a new fs_mgr_get_boot_config() API to be used by all
fs_mgr code in order to get filesystem parameters specified in kernel
command line or device tree. This way the fs_mgr code doesn't have to
handle the "early" cases separately anywhere.
Test:
Tested angler boot with both /system and /vendor mounted in init
first stage.
Tested sailfish to make sure /vendor can be continued to be
mounted early without verity
Change-Id: I9a44cdfc32681f714c5d73ae55c3deda95c02545
While technically possible, the verification at boot basically will
block init for as long as the entire partition is read while nothing
else is running. Disallow that as this is not going to be used anywhere.
Bug: 27805372
Test: boot angler with verifyatboot fs_mgr option for early mounted
vendor partition. That resulted in a panic() as expected.
Change-Id: I9da5caa163cae8bce6dbfb630f0ed5605ea044a0
Signed-off-by: Sandeep Patil <sspatil@google.com>
Consequently this removes the 'early' version of the exact same API.
This is to be used by early mount code where we need to do
1. setup verity
2. create verity device
3. mount partition
as separate steps since that happens during init first stage.
b/27805372
Test: Boot sailfish successfully
Change-Id: I01abecfdfa210d3e240a291ddcb3d2e9ed39ede6
Signed-off-by: Sandeep Patil <sspatil@google.com>
The 'verify_dev' parameter for fs_mgr_setup_verity is confusing, since
it doesn't necessarily control the "verification" part of the function.
Instead, it merely allows the caller to skip the
wait_for_dm_verity_device part of the function. So, rename that
parameter for what it is.
b/27805372
Test: Boot sailfish
Change-Id: I024e02fd728f5cd5bb333d9c3b512861731fa215
Signed-off-by: Sandeep Patil <sspatil@google.com>
This is to be used in early mount case where we will have a fully
prepared fstab_rec. fs_mgr_do_mount() does a lot more checks and
spends time preparing verity / avb devices before it does the actual
mount.
b/33254008
Test: Boot sailfish
Change-Id: I4481b5af8d900c8b7e3355b7513c325d8f2ecff2
Signed-off-by: Sandeep Patil <sspatil@google.com>
The .clang-format is a symlink to ../init/.clang-format, which is merged
recently. As init is the major user of fs_mgr, it's better to keep the
style consistent.
Only recent newly-added files written by me are formatted. For other
files, let's format them gradually to keep 'git blame' intact.
Bug: None
Test: Device can boot with AVB
Change-Id: I5c72f23b38534d5bcef3e4f9f0f477fa40496433
'slot_suffix' for A/B devices *must* be provided in kernel command line
or in device tree. The removed code was unnecessarily looking it up in
the 'misc' partition.
b/33254008
Test: Boot sailfish
Change-Id: I329af2d9a98c34a941596779eb78d14337b864e5
Signed-off-by: Sandeep Patil <sspatil@google.com>
This reverts commit 22e8199175.
- revert for now. will collect more data to check safety.
bug: 32246772
Test: reboots
Change-Id: Ibbb39005c64b26e9990c271b0b949feafae17773
* changes:
init: fstab: add support to read fstab entries from device tree
init: early_mount: add support to mount non-verity partitions early
init: remove the existing early_mount code
init: refactor: add support for doing early coldboot
ueventd: make selinux labeling optional for device creation
This is done by parsing 'androidboot.fstab=<fstab>' kernel cmdline
option to get the fstab file that *only* specifies partitions to be
mounted early (i.e. in init's first stage).
Note that, the same fstab file may not be used as an argument to
mount_all later in the boot as that will cause fs_mgr to fail with
EBUSY.
TODO:
- Possibly add a new mount_mode so the same fstab can be used for
early_mount, 'mount_all --early/--late' etc.
- Add support for dm-verity enabled partitions to mount early.
- Add support for getting fstab arguments through DT instead of kernel
cmdline.
Bug: 27805372
Test:
Boot angler by passing a seperate fstab file using the kernel
cmdline option to mount vendor partition early, remove the vendor
partition entry from the main fstab file for the test.
Boot sailfish by passing a seperate fstab entry via device tree
to mount vendor partition early. Remove vendor partition entry from
the main fstab file for the test
Change-Id: I18785b893c54c8cee960ab44d5e8f83e5d624aa8
Signed-off-by: Sandeep Patil <sspatil@google.com>
Remove polling_vbmeta_blk_device() as it tries to get /vbmeta entry
from fstab. Also move the polling of a partition inside read_from_partition()
in fs_mgr_avb_ops.cpp as it's where the reads happen.
Bug: 31264231
Test: Device can boot with AVB
Change-Id: Id717e160b085eca42eb9bc5eb2fa7e658bea3ad6
This is the minimal change just to replace KLOG_{INFO, WARNING, ERROR}
defined in <cutils/klog.h> to LOG()/PLOG() defined in
<android-base/logging.h>.
The logging.h uses program invocation name as the tag when logging.
e.g., init logs will have "init: ..." at the beginning in each line.
To facilitate debugging, this commit adds [libfs_mgr] after the tag,
and the resulting output will like this:
[ 11.278002] init: [libfs_mgr]Enabling dm-verity for system (mode 2)
[ 11.283309] init: [libfs_mgr]loading verity table: '1 /dev/block/platform/soc.0/f9824900.sdhci/by-name/system ...'
[ 11.337884] init: [libfs_mgr]Not running /system/bin/tune2fs on /dev/block/dm-0 (executable not in system image)
[ 11.362281] init: [libfs_mgr]__mount(source=/dev/block/dm-0,target=/system,type=ext4)=0
[ 11.376331] init: [libfs_mgr]Requested quota status is match on /dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor
[ 11.398237] init: [libfs_mgr]__mount(source=/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor,target=/vendor,type=ext4)=0
[ 11.410735] init: [libfs_mgr]Requested quota status is match on /dev/block/platform/soc.0/f9824900.sdhci/by-name/userdata
[ 11.426783] init: [libfs_mgr]check_fs(): mount(/dev/block/platform/soc.0/f9824900.sdhci/by-name/userdata,/data,ext4)=-1: Invalid argument
[ 11.439154] init: [libfs_mgr]Running /system/bin/e2fsck on /dev/block/platform/soc.0/f9824900.sdhci/by-name/userdata
Bug: 34336098
Test: check device can boot
Change-Id: Idcbaca1050e2d8eabe1e4510a0af03aa0312d03a
dm_target_spec->next should be set to the next multiple of 8.
It doesn't matter before because dm_ioctl->target_count is set to 1 so
only the first dm_target_spec will be processed.
Bug: None
Test: check device can boot with dm-verity
Change-Id: I96b9b0307a40b05640db06d1c614c16d8144bb47
This is the minimal change just to keep it building, and doesn't
attempt to clean up the code.
Bug: 34336098
Test: check device can boot
Change-Id: I5ff897874f1f14a9a5d1f14fedf1b0749e86dbb3
external/avb/libavb provides the new Android Verified Boot (AVB) flow.
It has different verity metadata format than previous formats in
fs_mgr_verity.cpp fs_mgr should support using libavb to read the metadata
(a.k.a. HASHTREE descriptor in AVB) to enable dm-verity in kernel.
Two important files in this commit:
- fs_mgr_avb_ops.c: an implementation of struct AvbOps* for libavb to do
platform dependent I/O operations, e.g., read_from_partition.
- fs_mgr_avb.cpp: it reads the metadata (a.k.a. vbmeta images in AVB) from
all partitions, verifies its integrity against the values of
androidboot.vbmeta.{hash_alg, size, digest} passed from bootloader in
kernel command line. Then enable dm-verity for partitions having the
corresponding HASHTREE descriptor and with an 'avb' fstab flag.
Bug: 31264231
Test: Enable dm-verity on /system partition
Test: Enable dm-verity with FEC on /system partition
Change-Id: I4652806984fe5a30c61be0839135b5ca78323d38
When doing a factory reset in recovery, flash erase & logical block
sizes are needed for tuning the parameters of the new userdata image.
Add flags to allow this information to be stored in recovery.fstab
Test: Factory reset marlin & confirm userdata is rebuilt correctly
Bug: 33243520
Change-Id: I6c4414d4e9026be4a3646523656ac151e93015e7
Signed-off-by: Connor O'Brien <connoro@google.com>
Pointer from strdup is lost hence triggers mem leak warning from
clang, since ptr returned from basename may not point to start of
duplicated string any more.
Switch to use gnu version of basename which doesn't modify input
string so that strdup is no longer necessary.
Bug: 27126348
Test: compile
Change-Id: I937a68c01c223230932c932bffdd35da6503c3c4