Expose system property for dm-verity check_at_most_once
Allow us to check if check_at_most_once is set for any partitions.
This property should be false for any device with a reasonable amount of
RAM and a modern CPU. Enabling check_at_most_once violates AVB best
practices, it should only be allowed on performance limited devices.
Bug: 253033920
Test: Ensure that avbHashtreeNotUsingSha1 CTS test still passes
and that partition.system.verified.check_at_most_once is set.
Change-Id: I8174adf81111cc0df547ea01f81b0dfaca32631f
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
diff --git a/fs_mgr/fs_mgr.cpp b/fs_mgr/fs_mgr.cpp
index 27137a2..1c1ab48 100644
--- a/fs_mgr/fs_mgr.cpp
+++ b/fs_mgr/fs_mgr.cpp
@@ -2191,36 +2191,22 @@
std::vector<std::string> tokens = android::base::Split(target.data, " \t\r\n");
if (tokens[0] != "0" && tokens[0] != "1") {
LOG(WARNING) << "Unrecognized device mapper version in " << target.data;
- return {};
}
// Hashtree algorithm & root digest are the 8th & 9th token in the output.
- return HashtreeInfo{.algorithm = android::base::Trim(tokens[7]),
- .root_digest = android::base::Trim(tokens[8])};
+ return HashtreeInfo{
+ .algorithm = android::base::Trim(tokens[7]),
+ .root_digest = android::base::Trim(tokens[8]),
+ .check_at_most_once = target.data.find("check_at_most_once") != std::string::npos};
}
return {};
}
bool fs_mgr_verity_is_check_at_most_once(const android::fs_mgr::FstabEntry& entry) {
- if (!entry.fs_mgr_flags.avb) {
- return false;
- }
-
- DeviceMapper& dm = DeviceMapper::Instance();
- std::string device = GetVerityDeviceName(entry);
-
- std::vector<DeviceMapper::TargetInfo> table;
- if (dm.GetState(device) == DmDeviceState::INVALID || !dm.GetTableInfo(device, &table)) {
- return false;
- }
- for (const auto& target : table) {
- if (strcmp(target.spec.target_type, "verity") == 0 &&
- target.data.find("check_at_most_once") != std::string::npos) {
- return true;
- }
- }
- return false;
+ auto hashtree_info = fs_mgr_get_hashtree_info(entry);
+ if (!hashtree_info) return false;
+ return hashtree_info->check_at_most_once;
}
std::string fs_mgr_get_super_partition_name(int slot) {
diff --git a/fs_mgr/include/fs_mgr.h b/fs_mgr/include/fs_mgr.h
index 29a5e60..43de6d8 100644
--- a/fs_mgr/include/fs_mgr.h
+++ b/fs_mgr/include/fs_mgr.h
@@ -71,6 +71,8 @@
std::string algorithm;
// The root digest of the merkle tree.
std::string root_digest;
+ // If check_at_most_once is enabled.
+ bool check_at_most_once;
};
// fs_mgr_mount_all() updates fstab entries that reference device-mapper.
diff --git a/init/builtins.cpp b/init/builtins.cpp
index c8cb253..7cb8b11 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -879,6 +879,8 @@
SetProperty("partition." + partition + ".verified.hash_alg", hashtree_info->algorithm);
SetProperty("partition." + partition + ".verified.root_digest",
hashtree_info->root_digest);
+ SetProperty("partition." + partition + ".verified.check_at_most_once",
+ hashtree_info->check_at_most_once ? "1" : "0");
}
}