commit | bb4a98771df6583b7a39d128f4d2068fc4f3c425 |
---|---|---
author | Jiyong Park <jiyong@google.com> | Mon Sep 06 15:59:21 2021 +0900
committer | Jiyong Park <jiyong@google.com> | Wed Sep 08 00:07:12 2021 +0900
tree | 7f34593258246efe5fa05ffa59f5ccefd03bd784 |
parent | e1fd1c8888811ebf0bed1cb5ae22528e581e1b5d |
APK roothash is trusted

This CL completes the APK verification story in microdroid.

Previously, the roothash of an APK that apkdmverity uses came from the idsig file. That file (and thus the roothash in it) is untrusted because it's not signed by anyone. It is generated by virtualization service when the VM is created.

With this CL, the roothash becomes trustful. Specifically, the roothash is from the instance disk which is encrypted and signed using the per-VM secret key. When the roothash in the instance disk is none, which could happen during the initial boot of the VM, we do the full APK verification (by scanning every bit), and save the roothash in the instance disk. In the subsequent boots, we skip the full APK verification, but instead compare the roothash with the saved one. If they differ, the boot is halted.

1) The start of apkdmverity and zipfuse is controlled by microdroid_manager. This is to NOT start them before the roothash is read from the instance disk. Previously, this was impossible because they are started by init while microdroid_manager is running in background.

2) apkdmverity now uses the bootstrap bionic libraries, because it is started far before APEXd activates APEXes.

3) microdroid_manager passes the roothash (read from instance disk) to apkdmverity via a new system property `microdroid_manager.apk_roothash`. This is preferred over letting microdroid_manager directly execute apkdmverity and pass the roothash as a commandline argument. We don't want to allow microdroid_manager to fork/exec an executable other than app payload; there already is a selinux neverallow rule for it.

4) microdroid_manager waits for a new sysprop `linkerconfig.ready` to become `true` before it executes an app payload. Previously, this was implied because microdroid_manager waits for /mnt/apk which is created by zipfuse which in turn is executed after the linkerconfig is ready. Since zipfuse now is started much earlier, we no longer can rely on the implicit dependency.

Bug: 193504400
Test: atest MicrodroidHostTestCases
Test: run `adb shell /apex/com.android.virt/bin/vm run-app /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json` ... two times.

In the first run:

microdroid_manager[128]: payload verification successful. took 85.705852ms
microdroid_manager[128]: Updating APK roothash: A4BC793C78E1A...

In the second run:

microdroid_manager[128]: payload verification successful. took 56.789795ms
microdroid_manager[128]: Saved roothash is trustful. Not updating

When the same command is invoked after the apk is intentionally modified, it fails as expected:

init: Service 'microdroid_manager' (pid 128) exited with status 1 oneshot service took 0.202000 seconds in background

Bug: 193504400
Change-Id: I469116d806cf3dae66fe41c04fdfd6bdb843edab
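As an added illustration (not code from this CL or from the Android virtualization project), the boot-time decision the message describes, in Python: the first boot recomputes a roothash over every byte of the APK and records it in the instance disk, later boots only compare the idsig-supplied roothash with the saved one, and any mismatch halts. The 4 KiB SHA-256 hashtree, the HMAC under a per-VM secret standing in for the encrypted-and-signed instance disk, and all function names are assumptions, not the real idsig or instance-disk formats.

```python
import hashlib
import hmac

BLOCK = 4096  # 4 KiB blocks as dm-verity uses; the tree layout below is simplified

def hashtree_root(data: bytes) -> bytes:
    """Simplified SHA-256 Merkle root over 4 KiB blocks (assumption: not the real
    idsig hashtree layout). Stands in for the roothash apkdmverity mounts with."""
    leaves = [hashlib.sha256(data[i:i + BLOCK].ljust(BLOCK, b"\0")).digest()
              for i in range(0, max(len(data), 1), BLOCK)]
    while len(leaves) > 1:
        if len(leaves) % 2:
            leaves.append(b"\0" * 32)  # pad odd levels
        leaves = [hashlib.sha256(leaves[i] + leaves[i + 1]).digest()
                  for i in range(0, len(leaves), 2)]
    return leaves[0]

class InstanceDisk:
    """Stand-in for the instance disk. The real one is encrypted and signed with the
    per-VM secret; here an HMAC under that secret models the integrity half."""
    def __init__(self, vm_secret: bytes):
        self._key = vm_secret
        self._entry = None  # no saved roothash until the first boot

    def save(self, roothash: bytes) -> None:
        self._entry = (roothash, hmac.new(self._key, roothash, "sha256").digest())

    def load(self):
        if self._entry is None:
            return None
        roothash, tag = self._entry
        if not hmac.compare_digest(tag, hmac.new(self._key, roothash, "sha256").digest()):
            raise RuntimeError("instance disk entry failed authentication")
        return roothash

def verify_payload(apk: bytes, idsig_roothash: bytes, disk: InstanceDisk) -> str:
    """microdroid_manager-style decision: returns the path taken, raises to halt boot."""
    saved = disk.load()
    if saved is None:
        # Initial boot: nothing is trusted yet, so hash every byte of the APK and
        # check it against the (untrusted) idsig value before recording it.
        roothash = hashtree_root(apk)
        if not hmac.compare_digest(roothash, idsig_roothash):
            raise RuntimeError("idsig roothash does not match APK contents")
        disk.save(roothash)
        return "full verification; roothash saved"
    # Subsequent boots: skip the scan; the idsig value must equal the trusted one.
    if not hmac.compare_digest(saved, idsig_roothash):
        raise RuntimeError("roothash mismatch: halting boot")
    return "saved roothash trusted; full verification skipped"
```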
This repository contains userspace services related to running virtual machines on Android, especially protected virtual machines. See the getting started documentation and Microdroid README for more information.