On-device signing: use properties to indicate state.

We want to make parts of the on-device signing daemon asynchronous to
optimize boot time; but in order to not keep the current keystore boot
stage open for too long, odsign will be divided into 2 stages:

1. stage where the signing key is available
2. stage where the signing key is no longer available

Work done in stage 1 is:
1) Retrieving the signing key and verifying its properties
2) Inserting the public key cert in the fs-verity keyring
3) Retrieving odsign metadata and verifying its integrity
4) Generating new compilation artifacts and signing them, if needed

Work done in phase 2 is:
1) Verify existing compilation artifacts, and delete them if invalid

One consequence of this work split is that if we determine existing
artifacts are invalid in phase 2 (e.g., the signature doesn't match, or a
file is not in fs-verity), we no longer have access to the key in order
to be able to sign new files. So in those cases, we just delete the
files and boot without artifacts, and will try again on the next boot.
This shouldn't happen unless the artifacts become corrupted somehow.

Reaching stage 2 is indicated by setting the odsign.status property to
'key_use_done'.

Finally, we use the odsign.verification_success property to indicate
whether the artifacts in data were successfully verified; this is
another condition ART can use to determine whether it should use these
artifacts. This covers malicious cases where there are modified
artifacts on /data, and the odsign daemon is prevented from deleting
them. Through the prop, it can still convey that they should not be
used.

Bug: 165630556
Test: inspect properties on boot
Change-Id: Ic0c75cb90c15627a6666741acd5249ddea80c7be
1 file changed