Remove old key management
Delete a load of no longer needed code.
We no longer support persisting keys in the host. CompOS no longer
accesses DICE directly (compos_key_helper handles that).
We retain the instance image files, but rename pending to current
(it's created before reboot with the staged APEXes and used after
reboot with the current APEXes, but there's no point renaming it).
Remove the attempt to start an existing instance when running
compilation - it is slow, and vanishingly unlikely to work.
Sadly this also deletes all the CompOS unit tests. (But there are some
new ones in compos_key_tests.)
Bug: 218494522
Test: Manual; atest ComposTestCase; atest CompOsSigningHostTest
Change-Id: I0175270341d5dcad614106432b7d2650229cf8a6
diff --git a/compos/src/compsvc.rs b/compos/src/compsvc.rs
index df36ed9..3a794ee 100644
--- a/compos/src/compsvc.rs
+++ b/compos/src/compsvc.rs
@@ -19,60 +19,35 @@
//! actual compiler.
use anyhow::{bail, Context, Result};
-use binder_common::new_binder_exception;
-use compos_common::binder::to_binder_result;
-use log::warn;
use std::default::Default;
use std::fs::read_dir;
use std::path::{Path, PathBuf};
-use std::sync::RwLock;
use crate::artifact_signer::ArtifactSigner;
use crate::compilation::{odrefresh, OdrefreshContext};
use crate::compos_key;
-use crate::dice::Dice;
-use crate::signing_key::DiceSigningKey;
-use authfs_aidl_interface::aidl::com::android::virt::fs::IAuthFsService::IAuthFsService;
-use compos_aidl_interface::aidl::com::android::compos::{
- CompOsKeyData::CompOsKeyData,
- ICompOsService::{BnCompOsService, CompilationMode::CompilationMode, ICompOsService},
+use compos_aidl_interface::aidl::com::android::compos::ICompOsService::{
+ BnCompOsService, CompilationMode::CompilationMode, ICompOsService,
};
-use compos_aidl_interface::binder::{
- BinderFeatures, ExceptionCode, Interface, Result as BinderResult, Strong,
-};
+use compos_aidl_interface::binder::{BinderFeatures, Interface, Result as BinderResult, Strong};
+use compos_common::binder::to_binder_result;
use compos_common::odrefresh::ODREFRESH_PATH;
const AUTHFS_SERVICE_NAME: &str = "authfs_service";
/// Constructs a binder object that implements ICompOsService.
pub fn new_binder() -> Result<Strong<dyn ICompOsService>> {
- let service = CompOsService {
- odrefresh_path: PathBuf::from(ODREFRESH_PATH),
- signing_key: DiceSigningKey::new(Dice::new()?),
- key_blob: RwLock::new(Vec::new()),
- };
+ let service = CompOsService { odrefresh_path: PathBuf::from(ODREFRESH_PATH) };
Ok(BnCompOsService::new_binder(service, BinderFeatures::default()))
}
struct CompOsService {
odrefresh_path: PathBuf,
- signing_key: DiceSigningKey,
- key_blob: RwLock<Vec<u8>>,
}
impl Interface for CompOsService {}
impl ICompOsService for CompOsService {
- fn initializeSigningKey(&self, key_blob: &[u8]) -> BinderResult<()> {
- let mut w = self.key_blob.write().unwrap();
- if w.is_empty() {
- *w = Vec::from(key_blob);
- Ok(())
- } else {
- Err(new_binder_exception(ExceptionCode::ILLEGAL_STATE, "Cannot re-initialize the key"))
- }
- }
-
fn odrefresh(
&self,
compilation_mode: CompilationMode,
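Review bot: `CompOsService` now holds only `odrefresh_path`, and nothing in the new code records where key handling lives now that `initializeSigningKey`, `signing_key` and `key_blob` are gone. The old code rejected re-initialisation here and, in the `@@ -83,14 +58,6 @@` hunk, refused `odrefresh` without a key. The only key access still visible is `compos_key::get_public_key()`, so a doc comment on the struct would help, e.g. `/// Stateless: holds no key material; key access goes through the compos_key module.` Separately, `new_binder` no longer makes a fallible call, so its `Result` return is presumably kept only for existing callers, which is worth a one-line comment. The `odrefresh` signature that closes this hunk continues outside it.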
@@ -83,14 +58,6 @@
zygote_arch: &str,
system_server_compiler_filter: &str,
) -> BinderResult<i8> {
- let key = &*self.key_blob.read().unwrap();
- if key.is_empty() {
- return Err(new_binder_exception(
- ExceptionCode::ILLEGAL_STATE,
- "Key is not initialized",
- ));
- }
-
let context = to_binder_result(OdrefreshContext::new(
compilation_mode,
system_dir_fd,
@@ -101,7 +68,7 @@
system_server_compiler_filter,
))?;
- let authfs_service = get_authfs_service()?;
+ let authfs_service = authfs_aidl_interface::binder::get_interface(AUTHFS_SERVICE_NAME)?;
let exit_code = to_binder_result(
odrefresh(&self.odrefresh_path, context, authfs_service, |output_dir| {
// authfs only shows us the files we created, so it's ok to just sign everything
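Review bot: On the new `let authfs_service = authfs_aidl_interface::binder::get_interface(AUTHFS_SERVICE_NAME)?;` line the binding's type is left to inference now that the `IAuthFsService` import is removed. A reader has to look at `odrefresh`'s signature in `compilation` to see which interface is fetched. A failed lookup is also propagated by `?` as a binder status, presumably with nothing that names the missing service. A short comment above the line would cover both, e.g. `// Strong<dyn IAuthFsService>; a failed lookup returns before odrefresh is started.` The closure passed to `odrefresh` continues outside the hunk.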
@@ -116,28 +83,11 @@
Ok(exit_code as i8)
}
- fn generateSigningKey(&self) -> BinderResult<CompOsKeyData> {
- to_binder_result(self.signing_key.generate())
- }
-
- fn verifySigningKey(&self, key_blob: &[u8], public_key: &[u8]) -> BinderResult<bool> {
- Ok(if let Err(e) = self.signing_key.verify(key_blob, public_key) {
- warn!("Signing key verification failed: {:?}", e);
- false
- } else {
- true
- })
- }
-
fn getPublicKey(&self) -> BinderResult<Vec<u8>> {
to_binder_result(compos_key::get_public_key())
}
}
-fn get_authfs_service() -> BinderResult<Strong<dyn IAuthFsService>> {
- Ok(authfs_aidl_interface::binder::get_interface(AUTHFS_SERVICE_NAME)?)
-}
-
fn add_artifacts(target_dir: &Path, artifact_signer: &mut ArtifactSigner) -> Result<()> {
for entry in
read_dir(&target_dir).with_context(|| format!("Traversing {}", target_dir.display()))?