Improved error checking for fsverity_init/odsign.
When attempting to load a non-existent cert I got:
06-10 12:48:11.939 662 662 E fsverity_init: Failed to add key: Invalid argument
06-10 12:48:11.940 662 662 E fsverity_init: Failed to load key from stdin
06-10 12:48:11.941 648 648 I odsign : Added CompOs key to fs-verity keyring
The odsign log line makes it look as if everything worked when nothing did.
Added more error checks on both sides (fsverity_init and odsign).
Test: Presubmits
Test: Manual
Change-Id: Ib2b17ce75e58dafb0ad6905106e35b11b55e91d0
diff --git a/fsverity_init/fsverity_init.cpp b/fsverity_init/fsverity_init.cpp
index 7ab4097..7bc6022 100644
--- a/fsverity_init/fsverity_init.cpp
+++ b/fsverity_init/fsverity_init.cpp
@@ -37,15 +37,17 @@
return true;
}
-void LoadKeyFromStdin(key_serial_t keyring_id, const char* keyname) {
+bool LoadKeyFromStdin(key_serial_t keyring_id, const char* keyname) {
std::string content;
if (!android::base::ReadFdToString(STDIN_FILENO, &content)) {
LOG(ERROR) << "Failed to read key from stdin";
- return;
+ return false;
}
if (!LoadKeyToKeyring(keyring_id, keyname, content.c_str(), content.size())) {
LOG(ERROR) << "Failed to load key from stdin";
+ return false;
}
+ return true;
}
void LoadKeyFromFile(key_serial_t keyring_id, const char* keyname, const std::string& path) {
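Review bot: `LoadKeyFromFile`, the last context line of this hunk, still returns `void`, so its callers cannot tell whether a key read from a file actually reached the keyring. That is the same silent-failure pattern this commit removes for stdin. Its body is outside the hunk, so this is inferred from the signature alone. Consider making it `bool LoadKeyFromFile(...)` as well and declaring both loaders `[[nodiscard]]`, so that a caller dropping the result gets a compiler warning. A short comment above `LoadKeyFromStdin` such as `// Returns false if stdin could not be read or the key was rejected by the keyring.` would document the new contract.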
@@ -101,7 +103,9 @@
LOG(ERROR) << "--load-extra-key requires <key_name> argument.";
return -1;
}
- LoadKeyFromStdin(keyring_id, argv[2]);
+ if (!LoadKeyFromStdin(keyring_id, argv[2])) {
+ return -1;
+ }
} else if (command == "--lock") {
// Requires files backed by fs-verity to be verified with a key in .fs-verity
// keyring.
diff --git a/ondevice-signing/VerityUtils.cpp b/ondevice-signing/VerityUtils.cpp
index 25f949c..318345a 100644
--- a/ondevice-signing/VerityUtils.cpp
+++ b/ondevice-signing/VerityUtils.cpp
@@ -247,6 +247,9 @@
const char* const argv[] = {kFsVerityInitPath, "--load-extra-key", keyName};
int fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);
+ if (fd == -1) {
+ return ErrnoError() << "Failed to open " << path;
+ }
pid_t pid = fork();
if (pid == 0) {
dup2(fd, STDIN_FILENO);
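Review bot: The child's `dup2(fd, STDIN_FILENO)` result is still unchecked, so if it fails, the exec'd fsverity_init reads key material from whatever stdin odsign inherited rather than from `path`. Guard it with `if (dup2(fd, STDIN_FILENO) == -1) _exit(EXIT_FAILURE);` so the parent sees a non-zero exit instead of a key loaded from the wrong source. The new `fd == -1` early return is correct, but the raw `int fd` must still be closed on every later path in the parent. Holding it in `android::base::unique_fd` would make that automatic, assuming libbase's unique_fd is usable in this file. The rest of the function, including how a `fork()` result of -1 is handled, is outside the hunk.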
@@ -271,10 +274,8 @@
if (!WIFEXITED(status)) {
return Error() << kFsVerityInitPath << ": abnormal process exit";
}
- if (WEXITSTATUS(status)) {
- if (status != 0) {
- return Error() << kFsVerityInitPath << " exited with " << status;
- }
+ if (WEXITSTATUS(status) != 0) {
+ return Error() << kFsVerityInitPath << " exited with " << WEXITSTATUS(status);
}
return {};