Merge "Remove per-file CompOS signature support"
diff --git a/ondevice-signing/Android.bp b/ondevice-signing/Android.bp
index 42d3074..bdc94b7 100644
--- a/ondevice-signing/Android.bp
+++ b/ondevice-signing/Android.bp
@@ -87,7 +87,6 @@
static_libs: [
"libc++fs",
- "lib_compos_proto",
],
shared_libs: [
@@ -121,7 +120,6 @@
"libc++fs",
"libsigningutils",
"lib_odsign_proto",
- "lib_compos_proto",
],
shared_libs: [
"android.system.keystore2-V1-cpp",
diff --git a/ondevice-signing/CertUtils.cpp b/ondevice-signing/CertUtils.cpp
index d67bea6..8fe0816 100644
--- a/ondevice-signing/CertUtils.cpp
+++ b/ondevice-signing/CertUtils.cpp
@@ -352,7 +352,7 @@
return extractPublicKey(X509_get_pubkey(cert.value().get()));
}
-Result<std::vector<uint8_t>> extractRsaPublicKey(EVP_PKEY* pkey) {
+static Result<std::vector<uint8_t>> extractRsaPublicKey(EVP_PKEY* pkey) {
RSA* rsa = EVP_PKEY_get0_RSA(pkey);
if (rsa == nullptr) {
return Error() << "The public key is not an RSA key";
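Review bot: Internal linkage is expressed two different ways in this change: `extractRsaPublicKey` here, and `createDigest`, both `enableFsVerity` overloads and both `isFileInVerity` overloads in VerityUtils.cpp, gain a `static` keyword, while odsign_main.cpp drops `static` in favour of `namespace { … }`. Using the unnamed namespace in all three files would keep the helpers consistent and avoid repeating the keyword on every definition. Any declaration of these functions still present in CertUtils.h or VerityUtils.h would now conflict with the definitions; no header change is visible on this page, so that is worth confirming. The body of `extractRsaPublicKey` continues outside the hunk.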
diff --git a/ondevice-signing/VerityUtils.cpp b/ondevice-signing/VerityUtils.cpp
index 54490bd..b3b7520 100644
--- a/ondevice-signing/VerityUtils.cpp
+++ b/ondevice-signing/VerityUtils.cpp
@@ -75,7 +75,7 @@
return 0;
}
-Result<std::vector<uint8_t>> createDigest(int fd) {
+static Result<std::vector<uint8_t>> createDigest(int fd) {
struct stat filestat;
int ret = fstat(fd, &filestat);
if (ret < 0) {
@@ -148,7 +148,7 @@
return std::vector<uint8_t>(signed_digest->begin(), signed_digest->end());
}
-Result<void> enableFsVerity(int fd, std::span<uint8_t> pkcs7) {
+static Result<void> enableFsVerity(int fd, std::span<uint8_t> pkcs7) {
struct fsverity_enable_arg arg = {.version = 1};
arg.sig_ptr = reinterpret_cast<uint64_t>(pkcs7.data());
@@ -165,7 +165,7 @@
return {};
}
-Result<std::string> enableFsVerity(int fd, const SigningKey& key) {
+static Result<std::string> enableFsVerity(int fd, const SigningKey& key) {
auto digest = createDigest(fd);
if (!digest.ok()) {
return Error() << digest.error();
@@ -190,20 +190,7 @@
return toHex(digest.value());
}
-Result<std::string> enableFsVerity(const std::string& path, const SigningKey& key) {
- unique_fd fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_CLOEXEC)));
- if (!fd.ok()) {
- return ErrnoError() << "Failed to open " << path;
- }
-
- auto enableStatus = enableFsVerity(fd.get(), key);
- if (!enableStatus.ok()) {
- return Error() << path << ": " << enableStatus.error();
- }
- return enableStatus;
-}
-
-Result<std::string> isFileInVerity(int fd) {
+static Result<std::string> isFileInVerity(int fd) {
auto d = makeUniqueWithTrailingData<fsverity_digest>(FS_VERITY_MAX_DIGEST_SIZE);
d->digest_size = FS_VERITY_MAX_DIGEST_SIZE;
auto ret = ioctl(fd, FS_IOC_MEASURE_VERITY, d.get());
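Review bot: `isFileInVerity(int fd)` reads like a predicate but returns `Result<std::string>`. The return visible at the top of the next hunk is `toHex(...)` over `d->digest`, so the value is the measured digest in hex. Now that the function is file-local and has no header comment to lean on, a one-line comment above it would state the contract, for example `// Returns the hex-encoded digest reported by FS_IOC_MEASURE_VERITY for fd, or an error.` The handling of `ret` lies outside this hunk, so the wording of the error case should be checked against it.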
@@ -217,7 +204,7 @@
return toHex({&d->digest[0], &d->digest[d->digest_size]});
}
-Result<std::string> isFileInVerity(const std::string& path) {
+static Result<std::string> isFileInVerity(const std::string& path) {
unique_fd fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_CLOEXEC)));
if (!fd.ok()) {
return ErrnoError() << "Failed to open " << path;
diff --git a/ondevice-signing/odsign_main.cpp b/ondevice-signing/odsign_main.cpp
index ec4a997..2885176 100644
--- a/ondevice-signing/odsign_main.cpp
+++ b/ondevice-signing/odsign_main.cpp
@@ -85,13 +85,15 @@
enum class CompOsInstance { kCurrent, kPending };
-static std::vector<uint8_t> readBytesFromFile(const std::string& path) {
+namespace {
+
+std::vector<uint8_t> readBytesFromFile(const std::string& path) {
std::string str;
android::base::ReadFileToString(path, &str);
return std::vector<uint8_t>(str.begin(), str.end());
}
-static bool rename(const std::string& from, const std::string& to) {
+bool rename(const std::string& from, const std::string& to) {
std::error_code ec;
std::filesystem::rename(from, to, ec);
if (ec) {
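Review bot: `readBytesFromFile` discards the return value of `android::base::ReadFileToString`, so a missing or unreadable file yields an empty vector that callers cannot tell apart from an empty file. If the bytes feed a verification step (the callers are not visible here), that failure should be surfaced rather than passed on as empty data. The surrounding code already uses `Result<>`, so returning `Result<std::vector<uint8_t>>` would fit, with `if (!android::base::ReadFileToString(path, &str)) return ErrnoError() << "Failed to read " << path;`. That changes the signature, so the call sites outside this hunk would need updating as well.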
@@ -101,7 +103,7 @@
return true;
}
-static int removeDirectory(const std::string& directory) {
+int removeDirectory(const std::string& directory) {
std::error_code ec;
auto num_removed = std::filesystem::remove_all(directory, ec);
if (ec) {
@@ -115,7 +117,7 @@
}
}
-static bool directoryHasContent(const std::string& directory) {
+bool directoryHasContent(const std::string& directory) {
std::error_code ec;
return std::filesystem::is_directory(directory, ec) &&
!std::filesystem::is_empty(directory, ec);
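Review bot: `directoryHasContent` passes `ec` to both `is_directory` and `is_empty` but never inspects it. The non-throwing `is_empty` overload returns false on error, so a directory that cannot be read is reported as having content. If that is the intended conservative answer, say so with a comment such as `// On error is_empty() returns false, so an unreadable directory counts as non-empty.`; otherwise check `ec` after each call. The function's closing brace is outside the hunk.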
@@ -135,7 +137,7 @@
return static_cast<art::odrefresh::ExitCode>(exit_code);
}
-static std::string toHex(const std::vector<uint8_t>& digest) {
+std::string toHex(const std::vector<uint8_t>& digest) {
std::stringstream ss;
for (auto it = digest.begin(); it != digest.end(); ++it) {
ss << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned>(*it);
@@ -412,7 +414,7 @@
return {};
}
-static Result<void> verifyArtifacts(const SigningKey& key, bool supportsFsVerity) {
+Result<void> verifyArtifacts(const SigningKey& key, bool supportsFsVerity) {
auto signInfo = getOdsignInfo(key);
// Tell init we're done with the key; this is a boot time optimization
// in particular for the no fs-verity case, where we need to do a
@@ -566,6 +568,7 @@
removeDirectory(kArtArtifactsDir);
return art::odrefresh::ExitCode::kCompilationRequired;
}
+} // namespace
int main(int /* argc */, char** argv) {
android::base::InitLogging(argv, android::base::LogdLogger(android::base::SYSTEM));
diff --git a/ondevice-signing/proto/Android.bp b/ondevice-signing/proto/Android.bp
index d6e3354..356e661 100644
--- a/ondevice-signing/proto/Android.bp
+++ b/ondevice-signing/proto/Android.bp
@@ -42,18 +42,3 @@
"com.android.compos",
],
}
-
-cc_library_static {
- name: "lib_compos_proto",
- host_supported: true,
- proto: {
- export_proto_headers: true,
- type: "lite",
- },
- srcs: ["compos_signature.proto"],
- apex_available: [
- "//apex_available:platform",
- "com.android.compos",
- ],
- recovery_available: true,
-}
diff --git a/ondevice-signing/proto/compos_signature.proto b/ondevice-signing/proto/compos_signature.proto
deleted file mode 100644
index 2f7d09f..0000000
--- a/ondevice-signing/proto/compos_signature.proto
+++ /dev/null
@@ -1,30 +0,0 @@
-/*
- * Copyright (C) 2021 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-syntax = "proto3";
-
-package compos.proto;
-
-// Data provided by CompOS to allow validation of a file it generated.
-message Signature {
- // The fs-verity digest (which is derived from the root hash of
- // the Merkle tree) of the file contents.
- bytes digest = 1;
-
- // Signature of a fsverity_formatted_digest structure containing
- // the digest, signed using CompOS's private key.
- bytes signature = 2;
-}