Remove the old interface that runs compiler with flags
Bug: 210998077
Test: atest ComposHostTestCases
Change-Id: I50bb4cb96e0eb4033c531d47f6620ba8ede78553
diff --git a/compos/src/compilation.rs b/compos/src/compilation.rs
index 9a23bf5..6db31b6 100644
--- a/compos/src/compilation.rs
+++ b/compos/src/compilation.rs
@@ -14,31 +14,27 @@
* limitations under the License.
*/
-use anyhow::{anyhow, bail, Context, Result};
-use log::{debug, error, info, warn};
+use anyhow::{bail, Context, Result};
+use log::{debug, info, warn};
use minijail::{self, Minijail};
use regex::Regex;
use std::env;
use std::ffi::OsString;
-use std::fs::{read_dir, File};
-use std::os::unix::io::{AsRawFd, RawFd};
+use std::fs::read_dir;
+use std::os::unix::io::AsRawFd;
use std::path::{self, Path, PathBuf};
use std::process::Command;
use crate::artifact_signer::ArtifactSigner;
use crate::compos_key_service::Signer;
-use crate::fsverity;
use authfs_aidl_interface::aidl::com::android::virt::fs::{
AuthFsConfig::{
AuthFsConfig, InputDirFdAnnotation::InputDirFdAnnotation,
- InputFdAnnotation::InputFdAnnotation, OutputDirFdAnnotation::OutputDirFdAnnotation,
- OutputFdAnnotation::OutputFdAnnotation,
+ OutputDirFdAnnotation::OutputDirFdAnnotation,
},
- IAuthFs::IAuthFs,
IAuthFsService::IAuthFsService,
};
use authfs_aidl_interface::binder::{ParcelFileDescriptor, Strong};
-use compos_aidl_interface::aidl::com::android::compos::FdAnnotation::FdAnnotation;
use compos_common::odrefresh::ExitCode;
const FD_SERVER_PORT: i32 = 3264; // TODO: support dynamic port
@@ -47,23 +43,6 @@
/// meaningless in the current process.
pub type PseudoRawFd = i32;
-pub enum CompilerOutput {
- /// Fs-verity digests of output files, if the compiler finishes successfully.
- Digests {
- oat: fsverity::Sha256Digest,
- vdex: fsverity::Sha256Digest,
- image: fsverity::Sha256Digest,
- },
- /// Exit code returned by the compiler, if not 0.
- ExitCode(i8),
-}
-
-struct CompilerOutputParcelFds {
- oat: ParcelFileDescriptor,
- vdex: ParcelFileDescriptor,
- image: ParcelFileDescriptor,
-}
-
pub struct OdrefreshContext<'a> {
system_dir_fd: i32,
output_dir_fd: i32,
@@ -259,131 +238,6 @@
Ok(())
}
-/// Runs the compiler with given flags with file descriptors described in `fd_annotation` retrieved
-/// via `authfs_service`. Returns exit code of the compiler process.
-pub fn compile_cmd(
- compiler_path: &Path,
- compiler_args: &[String],
- authfs_service: Strong<dyn IAuthFsService>,
- fd_annotation: &FdAnnotation,
-) -> Result<CompilerOutput> {
- // Mount authfs (via authfs_service). The authfs instance unmounts once the `authfs` variable
- // is out of scope.
- let authfs_config = build_authfs_config(fd_annotation);
- let authfs = authfs_service.mount(&authfs_config)?;
-
- // The task expects to receive FD numbers that match its flags (e.g. --zip-fd=42) prepared
- // on the host side. Since the local FD opened from authfs (e.g. /authfs/42) may not match
- // the task's expectation, prepare a FD mapping and let minijail prepare the correct FD
- // setup.
- let fd_mapping =
- open_authfs_files_for_fd_mapping(&authfs, &authfs_config).context("Open on authfs")?;
-
- let jail =
- spawn_jailed_task(compiler_path, compiler_args, fd_mapping).context("Spawn dex2oat")?;
- let jail_result = jail.wait();
-
- let parcel_fds = parse_compiler_args(&authfs, compiler_args)?;
- let oat_file: &File = parcel_fds.oat.as_ref();
- let vdex_file: &File = parcel_fds.vdex.as_ref();
- let image_file: &File = parcel_fds.image.as_ref();
-
- match jail_result {
- Ok(()) => Ok(CompilerOutput::Digests {
- oat: fsverity::measure(oat_file.as_raw_fd())?,
- vdex: fsverity::measure(vdex_file.as_raw_fd())?,
- image: fsverity::measure(image_file.as_raw_fd())?,
- }),
- Err(minijail::Error::ReturnCode(exit_code)) => {
- error!("dex2oat failed with exit code {}", exit_code);
- Ok(CompilerOutput::ExitCode(exit_code as i8))
- }
- Err(e) => {
- bail!("Unexpected minijail error: {}", e)
- }
- }
-}
-
-fn parse_compiler_args(
- authfs: &Strong<dyn IAuthFs>,
- args: &[String],
-) -> Result<CompilerOutputParcelFds> {
- const OAT_FD_PREFIX: &str = "--oat-fd=";
- const VDEX_FD_PREFIX: &str = "--output-vdex-fd=";
- const IMAGE_FD_PREFIX: &str = "--image-fd=";
- const APP_IMAGE_FD_PREFIX: &str = "--app-image-fd=";
-
- let mut oat = None;
- let mut vdex = None;
- let mut image = None;
-
- for arg in args {
- if let Some(value) = arg.strip_prefix(OAT_FD_PREFIX) {
- let fd = value.parse::<RawFd>().context("Invalid --oat-fd flag")?;
- debug_assert!(oat.is_none());
- oat = Some(authfs.openFile(fd, false)?);
- } else if let Some(value) = arg.strip_prefix(VDEX_FD_PREFIX) {
- let fd = value.parse::<RawFd>().context("Invalid --output-vdex-fd flag")?;
- debug_assert!(vdex.is_none());
- vdex = Some(authfs.openFile(fd, false)?);
- } else if let Some(value) = arg.strip_prefix(IMAGE_FD_PREFIX) {
- let fd = value.parse::<RawFd>().context("Invalid --image-fd flag")?;
- debug_assert!(image.is_none());
- image = Some(authfs.openFile(fd, false)?);
- } else if let Some(value) = arg.strip_prefix(APP_IMAGE_FD_PREFIX) {
- let fd = value.parse::<RawFd>().context("Invalid --app-image-fd flag")?;
- debug_assert!(image.is_none());
- image = Some(authfs.openFile(fd, false)?);
- }
- }
-
- Ok(CompilerOutputParcelFds {
- oat: oat.ok_or_else(|| anyhow!("Missing --oat-fd"))?,
- vdex: vdex.ok_or_else(|| anyhow!("Missing --vdex-fd"))?,
- image: image.ok_or_else(|| anyhow!("Missing --image-fd or --app-image-fd"))?,
- })
-}
-
-fn build_authfs_config(fd_annotation: &FdAnnotation) -> AuthFsConfig {
- AuthFsConfig {
- port: FD_SERVER_PORT,
- inputFdAnnotations: fd_annotation
- .input_fds
- .iter()
- .map(|fd| InputFdAnnotation { fd: *fd })
- .collect(),
- outputFdAnnotations: fd_annotation
- .output_fds
- .iter()
- .map(|fd| OutputFdAnnotation { fd: *fd })
- .collect(),
- ..Default::default()
- }
-}
-
-fn open_authfs_files_for_fd_mapping(
- authfs: &Strong<dyn IAuthFs>,
- config: &AuthFsConfig,
-) -> Result<Vec<(ParcelFileDescriptor, PseudoRawFd)>> {
- let mut fd_mapping = Vec::new();
-
- let results: Result<Vec<_>> = config
- .inputFdAnnotations
- .iter()
- .map(|annotation| Ok((authfs.openFile(annotation.fd, false)?, annotation.fd)))
- .collect();
- fd_mapping.append(&mut results?);
-
- let results: Result<Vec<_>> = config
- .outputFdAnnotations
- .iter()
- .map(|annotation| Ok((authfs.openFile(annotation.fd, true)?, annotation.fd)))
- .collect();
- fd_mapping.append(&mut results?);
-
- Ok(fd_mapping)
-}
-
fn spawn_jailed_task(
executable: &Path,
args: &[String],
diff --git a/compos/src/compsvc.rs b/compos/src/compsvc.rs
index 28bf5d9..356cc7e 100644
--- a/compos/src/compsvc.rs
+++ b/compos/src/compsvc.rs
@@ -26,14 +26,12 @@
use std::path::PathBuf;
use std::sync::RwLock;
-use crate::compilation::{compile_cmd, odrefresh, CompilerOutput, OdrefreshContext};
+use crate::compilation::{odrefresh, OdrefreshContext};
use crate::compos_key_service::{CompOsKeyService, Signer};
use crate::dice::Dice;
-use crate::fsverity;
use authfs_aidl_interface::aidl::com::android::virt::fs::IAuthFsService::IAuthFsService;
use compos_aidl_interface::aidl::com::android::compos::{
CompOsKeyData::CompOsKeyData,
- CompilationResult::CompilationResult,
FdAnnotation::FdAnnotation,
ICompOsService::{BnCompOsService, ICompOsService},
};
@@ -43,12 +41,10 @@
use compos_common::odrefresh::ODREFRESH_PATH;
const AUTHFS_SERVICE_NAME: &str = "authfs_service";
-const DEX2OAT_PATH: &str = "/apex/com.android.art/bin/dex2oat64";
/// Constructs a binder object that implements ICompOsService.
pub fn new_binder() -> Result<Strong<dyn ICompOsService>> {
let service = CompOsService {
- dex2oat_path: PathBuf::from(DEX2OAT_PATH),
odrefresh_path: PathBuf::from(ODREFRESH_PATH),
key_service: CompOsKeyService::new()?,
key_blob: RwLock::new(Vec::new()),
@@ -57,21 +53,12 @@
}
struct CompOsService {
- dex2oat_path: PathBuf,
odrefresh_path: PathBuf,
key_service: CompOsKeyService,
key_blob: RwLock<Vec<u8>>,
}
impl CompOsService {
- fn generate_raw_fsverity_signature(
- &self,
- fsverity_digest: &fsverity::Sha256Digest,
- ) -> BinderResult<Vec<u8>> {
- let formatted_digest = fsverity::to_formatted_digest(fsverity_digest);
- to_binder_result(self.new_signer()?.sign(&formatted_digest[..]))
- }
-
fn new_signer(&self) -> BinderResult<Signer> {
let key = &*self.key_blob.read().unwrap();
if key.is_empty() {
@@ -126,34 +113,6 @@
Ok(exit_code as i8)
}
- fn compile_cmd(
- &self,
- args: &[String],
- fd_annotation: &FdAnnotation,
- ) -> BinderResult<CompilationResult> {
- let authfs_service = get_authfs_service()?;
- let output = to_binder_result(
- compile_cmd(&self.dex2oat_path, args, authfs_service, fd_annotation)
- .context("Compilation failed"),
- )?;
- match output {
- CompilerOutput::Digests { oat, vdex, image } => {
- let oat_signature = self.generate_raw_fsverity_signature(&oat)?;
- let vdex_signature = self.generate_raw_fsverity_signature(&vdex)?;
- let image_signature = self.generate_raw_fsverity_signature(&image)?;
- Ok(CompilationResult {
- exitCode: 0,
- oatSignature: oat_signature,
- vdexSignature: vdex_signature,
- imageSignature: image_signature,
- })
- }
- CompilerOutput::ExitCode(exit_code) => {
- Ok(CompilationResult { exitCode: exit_code, ..Default::default() })
- }
- }
- }
-
fn compile(&self, _marshaled: &[u8], _fd_annotation: &FdAnnotation) -> BinderResult<i8> {
Err(new_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION, "Not yet implemented"))
}
diff --git a/compos/src/fsverity.rs b/compos/src/fsverity.rs
index a1e2314..f5df5f7 100644
--- a/compos/src/fsverity.rs
+++ b/compos/src/fsverity.rs
@@ -20,20 +20,8 @@
use std::io;
use std::os::unix::io::RawFd;
-/// Magic used in fs-verity digest
-const FS_VERITY_MAGIC: &[u8; 8] = b"FSVerity";
-
-/// Hash algorithm to use from linux/fsverity.h
-const FS_VERITY_HASH_ALG_SHA256: u8 = 1;
-
const SHA256_HASH_SIZE: usize = 32;
-/// Size of `struct fsverity_formatted_digest` with SHA-256 in bytes.
-const FORMATTED_SHA256_DIGEST_SIZE: usize = 12 + SHA256_HASH_SIZE;
-
-/// Bytes of `struct fsverity_formatted_digest` in Linux with SHA-256.
-pub type FormattedSha256Digest = [u8; FORMATTED_SHA256_DIGEST_SIZE];
-
/// Bytes of SHA256 digest
pub type Sha256Digest = [u8; SHA256_HASH_SIZE];
@@ -56,12 +44,3 @@
Ok(buf)
}
}
-
-pub fn to_formatted_digest(digest: &Sha256Digest) -> FormattedSha256Digest {
- let mut formatted_digest: FormattedSha256Digest = [0; FORMATTED_SHA256_DIGEST_SIZE];
- formatted_digest[0..8].copy_from_slice(FS_VERITY_MAGIC);
- formatted_digest[8..10].copy_from_slice(&(FS_VERITY_HASH_ALG_SHA256 as u16).to_le_bytes());
- formatted_digest[10..12].copy_from_slice(&(SHA256_HASH_SIZE as u16).to_le_bytes());
- formatted_digest[12..].copy_from_slice(digest);
- formatted_digest
-}