History log of /system/core/fs_mgr/fs_mgr_verity.cpp
Revision Date Author Comments
744361fc57f90f6dbfe11122bc9a80e661b2e2a5 11-Oct-2017 Bowgo Tsai <bowgotsai@google.com> fs_mgr: removing is_device_secure()

Previously there was no vboot 1.0 metadata for ENG builds. It relied on
is_device_secure() to query "ro.secure" and skip setting up dm-verity
if the value is 0 (meaning ENG build).

This change will be submitted together with other changes to add vboot
1.0 metadata for ENG builds with a "disable magic". The resulting
metadata will be the same as triggering an "adb disable-verity" on a
USERDEBUG image.

Bug: 63056044
Test: boot sailfish eng/userdebug builds

Change-Id: I35eef771e1b30bfc6d01b8ed76b40c942fe7b783
/system/core/fs_mgr/fs_mgr_verity.cpp
b67489419911875d8791de87996c39b61740e781 19-Jul-2017 Bowgo Tsai <bowgotsai@google.com> fs_mgr_verity: allow verification error when the device is unlocked

On an A/B device, the image combination in VTS is:
- system.img (userdebug): provided by Google (system as root)
- vendor.img (user): provided by the OEM

The generic system.img provided by Google doesn't have /verity_key.
So verified boot will fail when it tries to verify the signature of
vendor.img. This CL allows signature verification error (including
no verity_key) when the device is unlocked.

This CL also changes the return value to FS_MGR_SETUP_VERITY_SKIPPED when
signature verification failed in logging mode. Otherwise, first stage
mount will fail because it assumes verity device initialization should be
successful when receiving FS_MGR_SETUP_VERITY_SUCCESS.

Bug: 63821912
Test: boot generic system.img on an A/B device
Change-Id: I33e5ef753913ae9f0c8b02c518ae94d4c8505611
/system/core/fs_mgr/fs_mgr_verity.cpp
4ca2a30368a0ae150a97a07b997ddaaf3df88d4d 06-Jul-2017 Treehugger Robot <treehugger-gerrit@google.com> Merge "fs_mgr: Adding logs when failing to wait for a device file"
9d344969b03fd19a6f5c485ddd7c8dd22b7d3a9d 13-Jun-2017 Jinguang Dong <dongjinguang@huawei.com> fs_mgr: Adding logs when failing to wait for a device file

During mount operations, fs_mgr_wait_for_file() is invoked to
ensure the device file exists before starting to mount it. Adding
logs when the wait fails and also skip mounting as it won't be
successful. Also merge fs_mgr_test_access() and wait_for_file()
as fs_mgr_wait_for_file().

Test: Boot device and manually trigger the timeout issue
Test: Check and confirm whether timeout log info is inside kmsg.

Change-Id: Ide6d7fdca41e03e169e4400f91b7dea327985aaf
/system/core/fs_mgr/fs_mgr_verity.cpp
d1fe3bdbd6bcdc7f268f045e6b3b77de4d837a21 05-Jul-2017 Bowgo Tsai <bowgotsai@google.com> fs_mgr: allow no verity metadata when the device is unlocked.

To boot with generic system.img for project Treble, we should allow no verity
metadata when the device is unlocked. The previous fix checks system property
"ro.boot.flash.locked" but it's unavailable during first stage mount.
This CL checks "androidboot.verifiedbootstate" in kernel command line instead.

Bug: 63268209
Test: boot sailfish without metadata on /vendor

Change-Id: Ifd1dbeb2a2f09cd06903ecdd59bc94b3905a3fbd
/system/core/fs_mgr/fs_mgr_verity.cpp
cab56c0ba53bf702a7df10eb39755af0b5525088 27-Jun-2017 Mark Salyzyn <salyzyn@google.com> fs_mgr: check console-ramoops-0

On later kernels /sys/fs/pstore/console-ramoops becomes
/sys/fs/pstore/console-ramoops-0

Test: none
Bug: 63058217
Change-Id: If1422e4df09b68c44f16608b1d191aeb6378c66b
/system/core/fs_mgr/fs_mgr_verity.cpp
95366e97ddff7fcfc095481f69bbd7f699715c99 21-Jun-2017 Sandeep Patil <sspatil@google.com> fs_mgr: differentiate if fs_mgr_set_verity() was skipped or disabled

In case of non-secure builds (eng variant) fs_mgr_setup_verity() skips
verity checks regardless of fstab options. This is slightly different
than 'adb disable-verity' where it would first read the verity metadata
to check if verity is disabled.

So, this change adds a new return value of FS_MGR_SETUP_VERITY_SKIPPED
instead of piggy backing on the FS_MGR_SETUP_VERITY_DISABLED.

Bug: 62864413
Test: Boot sailfish

Change-Id: I42bf2bdce0ecb18b4c3b568e2bc96bf1590dfb35
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/core/fs_mgr/fs_mgr_verity.cpp
c3eca505cd169cfd0d5bef7ad365bad84ff8227b 08-Jun-2017 Bowgo Tsai <bowgotsai@google.com> fs_mgr_verity: support updating actual block device path in verity table

The value of PRODUCT_{SYSTEM,VENDOR}_VERITY_PARTITION will be included
in the verity metadata of an image. For example:

PRODUCT_VENDOR_VERITY_PARTITION := /dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor

This means the image cannot be shared between devices with different by-name
prefixes:
/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor
/dev/block/platform/soc.0/7824900.sdhci/by-name/vendor

This change supports using a generic PRODUCT_{SYSTEM,VENDOR}_VERITY_PARTITION to
build image and replace it with the actual path at run time:

PRODUCT_VENDOR_VERITY_PARTITION := /dev/block/bootdevice/by-name/vendor ==>
/dev/block/platform/soc.0/7824900.sdhci/by-name/vendor

Bug: 62171170
Test: Boot sailfish with PRODUCT_VENDOR_VERITY_PARTITION := /dev/block/bootdevice/by-name/vendor
Change-Id: I2789d2a025e80a628a1b4e7419818065c209fb7f
/system/core/fs_mgr/fs_mgr_verity.cpp
77cbfd6341a7a500fdb8e2f3cc4a4f721254f10e 08-May-2017 Bowgo Tsai <bowgotsai@google.com> fs_mgr_verity: fix androidboot.veritymode=enforcing doesn't work

Should set verity mode to VERITY_MODE_DEFAULT when
androidboot.veritymode=enforcing.

Bug: 38103331
Test: `adb shell getprop partition.system.verified` returns 2 when veritymode=enforcing
Test: `adb shell getprop partition.vendor.verified` returns 2 when veritymode=enforcing
Change-Id: I2f34eb6509f91989ce726e540cf2c0d353347ede
/system/core/fs_mgr/fs_mgr_verity.cpp
aaf70e77dc232fde152249bb6f66a227eab35a10 01-Mar-2017 Bowgo Tsai <bowgotsai@google.com> fs_mgr: support AVB in fs_mgr_update_verity_state()

fs_mgr_update_verity_state() is invoked by 'verity_update_state' in
init.rc. It will then set property "partition.system.verified" and
"partition.vendor.verified" to verify_mode. We should support this for
AVB as well.

Also change the order of static libs in init to fix the build error
after this change:
system/extras/ext4_utils/ext4_crypt.cpp:69: error: undefined reference to 'property_get'

Bug: 35416769
Test: Mount /system and /vendor with vboot 2.0 (AVB), check the following properties exist.
- [partition.system.verified]: [2]
- [partition.vendor.verified]: [2]
Test: Mount /system and /vendor with vboot 1.0, check the following properties exist.
- [partition.system.verified]: [0]
- [partition.vendor.verified]: [0]

Change-Id: I4328d66a8cb93f26e7960e620a0b2292d5f15900
/system/core/fs_mgr/fs_mgr_verity.cpp
e989a22553bc8a6229e379ac215a9281f9d1f846 20-Mar-2017 Mark Salyzyn <salyzyn@google.com> fs_mgr: remove private/android_filesystem_config.h

Test: compile
Bug: 33241851
Change-Id: I3807871dcdfe5c751b1eea6e57c1ff5aac15806e
/system/core/fs_mgr/fs_mgr_verity.cpp
7ad3159db9be8fcb7246fbb750884f5a9edf368f 06-Mar-2017 Bowgo Tsai <bowgotsai@google.com> fs_mgr: allow disable dm-verity when the device is unlocked without metadata

To start Treble VTS test, a single AOSP system.img will be flashed onto
the device. The size of AOSP system.img might be different than the
system partition size on device, making locating verity metadata fail
(at the last fixed size of the partition).

This change allows disabling dm-verity on system partition when the
device is unlocked (orange device state) with invalid metadata.

BUG: 35603549

Test: Boot bullhead with a different-sized system.img, checks verity is
not enabled via:

"adb shell getprop | grep partition.system.verified"

Change-Id: Id89d023e82c78ff1902ab7a528431cf7f65e49ad
/system/core/fs_mgr/fs_mgr_verity.cpp
e7a1b3757faa3d354ad3f423fa078132a9a84dd4 27-Feb-2017 Sandeep Patil <sspatil@google.com> fs_mgr: make is_device_secure() work even in the absence of properties.

During early mount the property area is not initialized, and as a result an
'eng' build will always incorrectly be detected as a 'secure' build by the
early mount code path, resulting in a verity error and a consequent boot
loop.

The change here makes sure the is_device_secure() check works with /
without properties based on the 'eng' build based build flag so the
early mount code works fine both ways.

Bug: 35791581
Bug: 27805372

Test: Boot sailfish-{eng,userdebug} builds successfully w/ early
mount enabled

Change-Id: Icd101ccad56b669f49b60bbb3005d5be9f53b02b
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/core/fs_mgr/fs_mgr_verity.cpp
c20c0c2cdd593f6b54bf467167a5f2ed3c602ab8 24-Feb-2017 Sandeep Patil <sspatil@google.com> early_mount: fs_mgr: move all fstab logic into fs_mgr

With init parsing fstab fragments from kernel separately, the fs_mgr
would completely miss the device tree entries. That leads to things like
'adb remount' to go through without warning for verity even if /system
is verified. This happens because 'verity_update_state' completely
misses the partitions passed to android through the device tree.

The solution is to teach fs_mgr about device tree fstab entries and add 2
new public APIs.

1. fs_mgr_read_fstab_dt() - reads device tree and returns fstab
generated from it.

2. fs_mgr_read_fstab_default() - reads both device tree fstab and
/fstab.{ro.hardware} and returns the combined table.

This also reduces the hardcoded /fstab.{ro.hardware} occurrence only to
fs_mgr, and everyone who wants to read the "default" fstab must be
changed to call fs_mgr_read_fstab_default() instead. e.g. adb.

b/27805372

Test: Angler was used since it has 2 early mounted partitions instead of
one. 1 verified and 1 unverified.
- Boot angler successfully without early mount
- Boot angler successfully with /vendor early mount and test if 'adb
remount' warns us about verity
- Boot angler successfully with both /system and /vendor early mounted
and ensure 'adb remount' warns us about verity.
- check partitions.system.verified status after /system early mount to
ensure it is set to VERITY_MODE_DEFAULT.
- 'adb disable-verity' with early mounted /system doesn't work due to
missing changes in adb

TODO:
change adb to use the new fs_mgr_read_fstab_default() API

Change-Id: I82038d87c7a44488e938acce2cc1082c08f6f73a
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/core/fs_mgr/fs_mgr_verity.cpp
9de748f74558abf047045302b6fc46af7629eedb 17-Feb-2017 Sandeep Patil <sspatil@google.com> fs_mgr: add a generic fs_mgr_get_boot_config internal API

Depending on when fs_mgr is trying to read the configuration passed into
the kernel commandline, it may be able to read it successfully.
Especially in the case when init has not initialized properties.

This change adds a new fs_mgr_get_boot_config() API to be used by all
fs_mgr code in order to get filesystem parameters specified in kernel
command line or device tree. This way the fs_mgr code doesn't have to
handle the "early" cases separately anywhere.

Test:
Tested angler boot with both /system and /vendor mounted in init
first stage.
Tested sailfish to make sure /vendor can be continued to be
mounted early without verity

Change-Id: I9a44cdfc32681f714c5d73ae55c3deda95c02545
/system/core/fs_mgr/fs_mgr_verity.cpp
4129f20aafe07431a5950271cf7b9014bee53550 16-Feb-2017 Sandeep Patil <sspatil@google.com> fs_mgr: make fs_mgr_setup_verity public API

Consequently this removes the 'early' version of the exact same API.
This is to be used by early mount code where we need to do
1. setup verity
2. create verity device
3. mount partition
as separate steps since that happens during init first stage.

b/27805372

Test: Boot sailfish successfully

Change-Id: I01abecfdfa210d3e240a291ddcb3d2e9ed39ede6
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/core/fs_mgr/fs_mgr_verity.cpp
d2462570b8dffd2e83dfb9c6e60f8f39697659b5 15-Feb-2017 Sandeep Patil <sspatil@google.com> fs_mgr: fix the fs_mgr_setup_verity param name

The 'verify_dev' parameter for fs_mgr_setup_verity is confusing, since
it doesn't necessarily control the "verification" part of the function.
Instead, it merely allows the caller to skip the
wait_for_dm_verity_device part of the function. So, rename that
parameter for what it is.

b/27805372

Test: Boot sailfish

Change-Id: I024e02fd728f5cd5bb333d9c3b512861731fa215
Signed-off-by: Sandeep Patil <sspatil@google.com>
/system/core/fs_mgr/fs_mgr_verity.cpp
183ca56ce22fa59d8b1a1372051b28984d1ab91c 28-Jan-2017 Treehugger Robot <treehugger-gerrit@google.com> Merge "fs_mgr: Switch to LOG()/PLOG() defined in <android-base/logging.h>"
47878de7d12c7e438fcc584183b44893e91b4a28 23-Jan-2017 bowgotsai <bowgotsai@google.com> fs_mgr: Switch to LOG()/PLOG() defined in <android-base/logging.h>

This is the minimal change just to replace KLOG_{INFO, WARNING, ERROR}
defined in <cutils/klog.h> to LOG()/PLOG() defined in
<android-base/logging.h>.

The logging.h uses program invocation name as the tag when logging.
e.g., init logs will have "init: ..." at the beginning in each line.
To facilitate debugging, this commit adds [libfs_mgr] after the tag,
and the resulting output will look like this:

[ 11.278002] init: [libfs_mgr]Enabling dm-verity for system (mode 2)
[ 11.283309] init: [libfs_mgr]loading verity table: '1 /dev/block/platform/soc.0/f9824900.sdhci/by-name/system ...'
[ 11.337884] init: [libfs_mgr]Not running /system/bin/tune2fs on /dev/block/dm-0 (executable not in system image)
[ 11.362281] init: [libfs_mgr]__mount(source=/dev/block/dm-0,target=/system,type=ext4)=0
[ 11.376331] init: [libfs_mgr]Requested quota status is match on /dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor
[ 11.398237] init: [libfs_mgr]__mount(source=/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor,target=/vendor,type=ext4)=0
[ 11.410735] init: [libfs_mgr]Requested quota status is match on /dev/block/platform/soc.0/f9824900.sdhci/by-name/userdata
[ 11.426783] init: [libfs_mgr]check_fs(): mount(/dev/block/platform/soc.0/f9824900.sdhci/by-name/userdata,/data,ext4)=-1: Invalid argument
[ 11.439154] init: [libfs_mgr]Running /system/bin/e2fsck on /dev/block/platform/soc.0/f9824900.sdhci/by-name/userdata

Bug: 34336098
Test: check device can boot

Change-Id: Idcbaca1050e2d8eabe1e4510a0af03aa0312d03a
/system/core/fs_mgr/fs_mgr_verity.cpp
ce25baf06fe8ba80b0a4c7ff65fba9e1b1b7a67f 25-Jan-2017 bowgotsai <bowgotsai@google.com> fs_mgr_verity: correct dm_target_spec->next

dm_target_spec->next should be set to the next multiple of 8.
It didn't matter before because dm_ioctl->target_count is set to 1 so
only the first dm_target_spec will be processed.

Bug: None
Test: check device can boot with dm-verity
Change-Id: I96b9b0307a40b05640db06d1c614c16d8144bb47
/system/core/fs_mgr/fs_mgr_verity.cpp
47aa2a75201b9cb53c6464304b82db492073d622 09-Jan-2017 bowgotsai <bowgotsai@google.com> fs_mgr: use std::string for function parameters in fs_mgr_dm_ioctl.cpp

Make the code more C++-ish by replacing char* or char** with
std::string&.

Bug: 31264231
Test: check device can boot with dm-verity
Change-Id: Ie3ca3f449b52959d1a7b2887d722eb5ce366c4f9
/system/core/fs_mgr/fs_mgr_verity.cpp
3de625d109f47e04bf7bf9d0db3cfc9f2718964d 11-Nov-2016 bowgotsai <bowgotsai@google.com> fs_mgr: moves common functions out of fs_mgr_verity.cpp

This commit moves some common functions out of fs_mgr_verity.cpp to be
reused by other verified boot flows. It includes:
- Move common functions into fs_mgr.c
- Move dm_ioctl related functions to a new file: fs_mgr_dm_ioctl.cpp

Bug: 31264231
Test: check device can boot with dm-verity

Change-Id: Iaa0d8031efbaae12aa28f872f62d3fc3d3763b51
/system/core/fs_mgr/fs_mgr_verity.cpp
17f248d2e4847943ccc52bd2eb01b49310e68701 12-Nov-2016 Prashant Malani <pmalani@google.com> fs_mgr: Fix disable-verity for verifyatboot partitions

This allows a remount to be performed on partitions which have been
verified at boot, without causing the verity service to complain of
"corrupted" blocks that could have been modified as a result of a
remount (while the verity checksum remained unchanged).

(cherry picked from commit dd78ae75ff91f19106a4c3944fe3170602ac2334)

Bug: 32638755
Test: Compile
Change-Id: I77cf7dd20ee5c5f5dac80f73f292e32583fe5906
/system/core/fs_mgr/fs_mgr_verity.cpp
2cdc67eed50da046b1e78728f2563fc3db6f8927 28-Oct-2016 Prashant Malani <pmalani@google.com> fs_mgr: Add support for at-boot verification

Running dm-verity on heavily accessed partitions leads to performance
slowdowns, especially on low-RAM and slow-CPU devices.

This patch introduces a flag to allow an entire verified partition to be
read once at boot, to check for corruptions. If the reads are
successful, we can mount the partition as raw & read-only, and if not,
we can revert to mounting it as a verity partition, just like before.

Usage of this flag will entail a slowdown of time-to-boot, but should
lead to improvements in runtime performance.

(cherry picked from commit 34543c03e6319d102bc0b1e3ca54808ff398e676)

Bug: 32433608
Test: Compile
Change-Id: I97717683a00ad6fa347e63b72b1a9bf1d2946315
/system/core/fs_mgr/fs_mgr_verity.cpp
ecfce13ce2e9e2dfdadf51bb0948b9e5dce6e5e2 16-Dec-2016 Hung-ying Tyan <tyanh@google.com> fs_mgr: add verify_dev flag to fs_mgr_setup_verity()

Bug: 33682519
Test: Tested on bullhead with https://android-review.googlesource.com/#/c/315463.
Change-Id: Ie12230c6f77a2834c179e44b59817292d58726f7
/system/core/fs_mgr/fs_mgr_verity.cpp
496e667966906f63bf09040d339cd5b717e2e7f0 27-Oct-2016 Wei Wang <wvw@google.com> Merge "Make sure wait for the dm device"
am: d70a5feb60

Change-Id: If1e188c32548995413e49c1f7edece8d2c526bb2
dba750e0e0d0cc996c70d7699cd35e34226565de 26-Oct-2016 Wei Wang <wvw@google.com> Make sure wait for the dm device

Bug: 32408249
Test: on m/s
Change-Id: I65fa4fec94c82ef51d2c8d0aabf9e90b8448f27f
/system/core/fs_mgr/fs_mgr_verity.cpp
1263097328ef8c21fbbed22b006430e507502ffd 18-Aug-2016 Hung-ying Tyan <tyanh@google.com> Merge "Mount /vendor and /odm early" am: 35569e9d68 am: 46bfc918d0
am: d1f49a43fd

Change-Id: I6dc53f60771ad0e660e248efdc1b13734fba3061
99c4a8a6b3852c33828b03cbd0aef0c625957a39 01-Feb-2016 Hung-ying Tyan <tyanh@google.com> Mount /vendor and /odm early

Right now these two partitions are mounted in the fs stage of the init
process. As a result, many vendor/ODM files needed earlier in the boot
process (e.g., init.<hardware>.rc, fstab.<hardware>.rc,
uevent.<hardware>.rc, SELinux policy files etc) can only live on the root
partition.

To prevent vendors/ODMs from polluting the root partition, this patch makes
it possible to mount the vendor and ODM partitions in the first stage of the
init process. The fstab info of both partitions to be mounted early is
composed from new kernel cmdline arguments android.early.prefix and
android.early.fstab.

For example, with:
android.early.prefix=/sys/devices/1010000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0/
android.early.fstab=mmcblk0p10+/odm+ext4+ro+verify\nmmcblk0p09+/vendor+ext4+ro+verify

the final fstab string will be:
/sys/devices/1010000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0/mmcblk0p10 /odm ext4 ro verify
/sys/devices/1010000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0/mmcblk0p09 /vendor ext4 ro verify

The android.early.prefix is optional. When it is missing, the final fstab
string will be directly converted from android.early.fstab.

This patch also makes sure that the early mounted partitions are dm-verity
enabled so that they are trustworthy to store system files.

BUG=27805372

Change-Id: I3cf32482a5ec65445ba3aedab2164c7ba8f12694
/system/core/fs_mgr/fs_mgr_verity.cpp
3afa5a9afa68ea87b65f98bbf3ea7b4e876d718f 28-Jul-2016 Chih-Hung Hsieh <chh@google.com> Merge "Fix clang-tidy performance warnings in fs_mgr." am: 44c909d467 am: be25035ddb
am: aa0628ec50

Change-Id: I28c0f3cf75c1e225b3d24b77934d055dd9edf854
73da05d35403a0c3909edcf5744e99b8f786a61f 28-Jul-2016 Chih-Hung Hsieh <chh@google.com> Fix clang-tidy performance warnings in fs_mgr.

* Use const reference type for for-loop index variables
to avoid unnecessary copy.

Bug: 30413223
Change-Id: I5514384ef3af77c00aa3e8417acd8d70981e0afb
Test: build with WITH_TIDY=1
/system/core/fs_mgr/fs_mgr_verity.cpp
6de58ac5d70253f307604d28e7c21bcf8889e295 20-Jun-2016 Sami Tolvanen <samitolvanen@google.com> fs_mgr_verity: fix verity_update_state for A/B devices
am: 9af867e7bd

Change-Id: I676d0ece31d3cc23701923e5cda2be2155d0c00e
9af867e7bd0b7ea6c01666ee32188d9e09f94d26 18-Jun-2016 Sami Tolvanen <samitolvanen@google.com> fs_mgr_verity: fix verity_update_state for A/B devices

Use the correct device name when system is mounted as root, and
validate dm-verity status to avoid confusing it with dm-linear.

Bug: 29277442
Change-Id: I36e115189f9a9430bad4bf89f26a376bcb8e8168
/system/core/fs_mgr/fs_mgr_verity.cpp
98f1ea00e5c14083f4524de5c571aa7f6721ebc1 03-Jun-2016 Sami Tolvanen <samitolvanen@google.com> fs_mgr: validate corrected signatures

If signature verification fails and we have an error corrected
signature available, attempt to verify that instead.

Needs changes from
Ie913c21ba1d07d6df4c6feeb7226b2ec963f4d19

Bug: 28943429
Change-Id: I7d48701916fe430b17aa05acb120f22a1802733d
(cherry picked from commit 830126637ae4e5198df075fba57c1e498624dab6)
/system/core/fs_mgr/fs_mgr_verity.cpp
725ca56851b9a54c4baa07e22ac42587124af085 07-Jun-2016 Mattias Nissler <mnissler@google.com> Merge "fs_mgr: Remove incorrect free() on error paths in load_key()" am: 35d84096e9
am: 6f29ec0197

* commit '6f29ec0197a1b146d302b3e158c258bfef4566f7':
fs_mgr: Remove incorrect free() on error paths in load_key()

Change-Id: Ic01cbaf499e494f4edcc3e4261139d2b365d3a59
31404e58e99e833a13ed282bf331df037d2714a8 07-Jun-2016 Mattias Nissler <mnissler@google.com> fs_mgr: Remove incorrect free() on error paths in load_key()

This fixes a bug introduced by
https://android-review.googlesource.com/#/c/212781/ which would make
fs_mgr crash when hitting one of the error paths.

Bug: 28585197
Change-Id: I40e6612e2eb3e6f584e70c608afc6d4378d73c4f
/system/core/fs_mgr/fs_mgr_verity.cpp
4171b2b72423d0f6555ee4638dbfb7d95b023996 07-Jun-2016 Sami Tolvanen <samitolvanen@google.com> resolve merge conflicts of eacbb82 to nyc-dev-plus-aosp

Change-Id: Ia3077f826c1d422932b62684ae0d53935abfe807
d6f5af35d5a006e7ccc561c51b80403bb1c4db42 07-Jun-2016 Sami Tolvanen <samitolvanen@google.com> Merge "fs_mgr: validate corrected signatures" into nyc-dev
am: eacbb824c9

* commit 'eacbb824c9ee2ccec9e1de641d03e7370888eabc':
fs_mgr: validate corrected signatures

Change-Id: I3986a59d498a22769611216f5ed475f31332b2c9
830126637ae4e5198df075fba57c1e498624dab6 03-Jun-2016 Sami Tolvanen <samitolvanen@google.com> fs_mgr: validate corrected signatures

If signature verification fails and we have an error corrected
signature available, attempt to verify that instead.

Needs changes from
Ie913c21ba1d07d6df4c6feeb7226b2ec963f4d19

Bug: 28943429
Change-Id: I7d48701916fe430b17aa05acb120f22a1802733d
/system/core/fs_mgr/fs_mgr_verity.cpp
32cabf25aae4166f5fc08a75be41a2e4b4160ee4 26-Apr-2016 Jeremy Compostella <jeremy.compostella@intel.com> fs_mgr: update block device reference in verity metadata

The dm-verity metadata contains the block device path that is given to
the dm-android-verity driver. If the device is using slot A/B, this
path is missing the slot suffix.

This patch makes fs_mgr replace all the block device path references
with the one including the active slot suffix.

Change-Id: Ib624d0d18b12a8a287cac7f15605a2e0fb7c97c6
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>

Bug: 28845874
/system/core/fs_mgr/fs_mgr_verity.cpp
dfd2478bd172c3e6242cee5e0a7dcea2c4ee3056 26-Apr-2016 Jeremy Compostella <jeremy.compostella@intel.com> fs_mgr: update block device reference in verity metadata

The dm-verity metadata contains the block device path that is given to
the dm-android-verity driver. If the device is using slot A/B, this
path is missing the slot suffix.

This patch makes fs_mgr replace all the block device path references
with the one including the active slot suffix.

Change-Id: Ib624d0d18b12a8a287cac7f15605a2e0fb7c97c6
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
/system/core/fs_mgr/fs_mgr_verity.cpp
097b6bbc76231f4148c9dd28b6ea0c1189d40fc3 31-Mar-2016 Mattias Nissler <mnissler@google.com> Switch fs_mgr and adb to libcrypto_utils.

Update code and dependencies to use BoringSSL + libcrypto_utils
instead of mincrypt.

Change-Id: Ic75164bd50c84b81b6310e27a67d4b3c174984f9
/system/core/fs_mgr/fs_mgr_verity.cpp
907ec7daa761624012476e540d8fe473b67b94bf 10-Dec-2015 Sami Tolvanen <samitolvanen@google.com> Merge "fs_mgr: support upstream dm-verity without error correction"
0d1214c68ea95543468b09f7ae27bd65c8c8d7c0 10-Dec-2015 Sami Tolvanen <samitolvanen@google.com> Merge "Set up dm-verity in EIO mode instead of logging mode"
ff980d22d1c322173bed6289fd9448d8b5e58144 10-Dec-2015 Sami Tolvanen <samitolvanen@google.com> fs_mgr: support upstream dm-verity without error correction

Set up dm-verity even if kernel configuration doesn't have
CONFIG_DM_VERITY_FEC set. Fall back to the always safe EIO
mode if dm-verity doesn't support feature arguments.

Bug: 21893453
Change-Id: I4812bd74801c0abc8da479230f48b752858f9cd8
/system/core/fs_mgr/fs_mgr_verity.cpp
4f71319df011d796a60a43fc1bc68e16fbf7d321 05-Dec-2015 Elliott Hughes <enh@google.com> Track rename of base/ to android-base/.

Change-Id: Idf9444fece4aa89c93e15640de59a91f6e758ccf
/system/core/fs_mgr/fs_mgr_verity.cpp
90f52df257ab020934558a811bad2ba0bae33c5a 02-Dec-2015 Sami Tolvanen <samitolvanen@google.com> Set up dm-verity in EIO mode instead of logging mode

If the device is corrupted, set up dm-verity in EIO mode instead of
logging mode. This prevents corrupted blocks from being returned to
user space. Note that restart mode is used by default and a warning
will be displayed to the user after corruption is first detected.

Bug: 19277516
Change-Id: I38966d73eb814836bc34b4bad1192583e5010b36
/system/core/fs_mgr/fs_mgr_verity.cpp
25b230c62c8e2f67b16c618382827471f305b3c8 30-Oct-2015 Sami Tolvanen <samitolvanen@google.com> fs_mgr: set partition.*.verified property even without state

Set properties on verity_update_state even if verity state management
is not used.

Bug: 24865045
Change-Id: Ic68a9e1a230c959eeb2a769260ff7d8e100cb1e1
(cherry picked from 0eb0516665678aec7712d88b51c96aaf8b312060)
/system/core/fs_mgr/fs_mgr_verity.cpp
99e3a927e89bd0fa67a13511071260fa02d13fa1 22-May-2015 Sami Tolvanen <samitolvanen@google.com> Error correction: Use libfec in fs_mgr

Use libfec to read and parse verity metadata to protect against data
corruption.

Bug: 21893453
Change-Id: I3a3543e0d999316707302b3be8735a7133d22946
/system/core/fs_mgr/fs_mgr_verity.cpp
092345346212f329010b453f4b1d2cb5292f7876 14-Oct-2015 Sami Tolvanen <samitolvanen@google.com> Revert "Error correction: Use libfec in fs_mgr"

This reverts commit 3de3a0f351ee07cbd31db56d49cef3fbeb7e633b.

Change-Id: I1f121cbc4431b8d8ff146eab29832a8dda1eb8ba
/system/core/fs_mgr/fs_mgr_verity.cpp
3de3a0f351ee07cbd31db56d49cef3fbeb7e633b 22-May-2015 Sami Tolvanen <samitolvanen@google.com> Error correction: Use libfec in fs_mgr

Use libfec to read and parse verity metadata to protect against data
corruption.

Bug: 21893453
Change-Id: Ieee6a1441e2f68148ba635235216e36c69b13db1
/system/core/fs_mgr/fs_mgr_verity.cpp
67b3cad9a0de47f0afd5aaf9471661383acd2531 08-Oct-2015 Johan Redestig <johan.redestig@sonymobile.com> Switch to android::base::ReadFully

The if (read(...size) != size) pattern is unreliable, switch
to the android base ReadFully which wraps read in a loop.

Change-Id: I2324e4c45da3c9b53b18df6eb09ce69a6604b5d1
/system/core/fs_mgr/fs_mgr_verity.cpp
246c18caf5193e2243dfcbf434e6340039b64f8c 09-Oct-2015 Elliott Hughes <enh@google.com> Switch fs_mgr_verity.c to C++.

This is the minimal change just to keep it building, and doesn't
attempt to clean up any of the code.

Change-Id: I975710322ae33d8946497df25bf85b2fe28976a4
/system/core/fs_mgr/fs_mgr_verity.cpp