Needed here to enable submitting the equivalent fix in AOSP.
Generalize keystorekey for non odsign use cases
Allow passing in variables like key location, alias, namespace,
and bootlevel.
Bug: 199914227
Ignore-AOSP-First: Cherry-pick to fix merge conflict with security fix.
Test: Boot device, verify that key is created, and artifacts are signed
by odsign. Reboot verify that the key is validated and artifacts are not
resigned.
(cherry picked from commit 2bc6196960e467467321267357e3e8f3a5feb6d8)
Merged-In:I4da6c732e93e1b5a43ade89291d544b8bf92121b
Change-Id: I3915f04d15b4d32ca7d6ecebbd5cd7754960b894
diff --git a/ondevice-signing/KeystoreHmacKey.cpp b/ondevice-signing/KeystoreHmacKey.cpp
index 09677d7..916cbbc 100644
--- a/ondevice-signing/KeystoreHmacKey.cpp
+++ b/ondevice-signing/KeystoreHmacKey.cpp
@@ -49,17 +49,14 @@
using android::base::unique_fd;
-// Keystore boot level that the odsign key uses
-static const int kOdsignBootLevel = 30;
-
-static KeyDescriptor getHmacKeyDescriptor() {
+static KeyDescriptor getHmacKeyDescriptor(const android::String16& keyAlias, int64_t keyNspace) {
// AIDL parcelable objects don't have constructor
static KeyDescriptor descriptor;
static std::once_flag flag;
std::call_once(flag, [&]() {
descriptor.domain = Domain::SELINUX;
- descriptor.alias = String16("ondevice-signing-hmac");
- descriptor.nspace = 101; // odsign_key
+ descriptor.alias = keyAlias + android::String16("-hmac");
+ descriptor.nspace = keyNspace;
});
return descriptor;
@@ -106,7 +103,7 @@
KeyParameter boot_level;
boot_level.tag = Tag::MAX_BOOT_LEVEL;
- boot_level.value = KeyParameterValue::make<KeyParameterValue::integer>(kOdsignBootLevel);
+ boot_level.value = KeyParameterValue::make<KeyParameterValue::integer>(mKeyBootLevel);
params.push_back(boot_level);
KeyMetadata metadata;
@@ -133,7 +130,7 @@
// Make sure this is an early boot key
for (const auto& auth : keyEntryResponse.metadata.authorizations) {
if (auth.keyParameter.tag == Tag::MAX_BOOT_LEVEL) {
- if (auth.keyParameter.value.get<KeyParameterValue::integer>() == kOdsignBootLevel) {
+ if (auth.keyParameter.value.get<KeyParameterValue::integer>() == mKeyBootLevel) {
keyValid = true;
break;
}
@@ -152,9 +149,9 @@
}
}
-KeystoreHmacKey::KeystoreHmacKey() {
- mDescriptor = getHmacKeyDescriptor();
-}
+KeystoreHmacKey::KeystoreHmacKey(const android::String16& keyAlias, int64_t keyNspace,
+ int keyBootLevel)
+ : mDescriptor(getHmacKeyDescriptor(keyAlias, keyNspace)), mKeyBootLevel(keyBootLevel) {}
static std::vector<KeyParameter> getVerifyOpParameters() {
std::vector<KeyParameter> opParameters;
diff --git a/ondevice-signing/KeystoreHmacKey.h b/ondevice-signing/KeystoreHmacKey.h
index 782969a..1a815a3 100644
--- a/ondevice-signing/KeystoreHmacKey.h
+++ b/ondevice-signing/KeystoreHmacKey.h
@@ -31,7 +31,7 @@
using KeyDescriptor = ::android::system::keystore2::KeyDescriptor;
public:
- KeystoreHmacKey();
+ KeystoreHmacKey(const android::String16& keyAlias, int64_t keyNspace, int keyBootLevel);
android::base::Result<void> initialize(android::sp<IKeystoreService> service,
android::sp<IKeystoreSecurityLevel> securityLevel);
android::base::Result<std::string> sign(const std::string& message) const;
@@ -44,4 +44,6 @@
KeyDescriptor mDescriptor;
android::sp<IKeystoreService> mService;
android::sp<IKeystoreSecurityLevel> mSecurityLevel;
+
+ int mKeyBootLevel;
};
diff --git a/ondevice-signing/KeystoreKey.cpp b/ondevice-signing/KeystoreKey.cpp
index 03bb6d5..6ce65d6 100644
--- a/ondevice-signing/KeystoreKey.cpp
+++ b/ondevice-signing/KeystoreKey.cpp
@@ -50,27 +50,24 @@
using android::base::Error;
using android::base::Result;
-// Keystore boot level that the odsign key uses
-static const int kOdsignBootLevel = 30;
-
-const std::string kPublicKeySignature = "/data/misc/odsign/publickey.signature";
-
-static KeyDescriptor getKeyDescriptor() {
+static KeyDescriptor getKeyDescriptor(const android::String16& keyAlias, int64_t keyNspace) {
// AIDL parcelable objects don't have constructor
static KeyDescriptor descriptor;
static std::once_flag flag;
std::call_once(flag, [&]() {
descriptor.domain = Domain::SELINUX;
- descriptor.alias = String16("ondevice-signing");
- descriptor.nspace = 101; // odsign_key
+ descriptor.alias = keyAlias;
+ descriptor.nspace = keyNspace;
});
return descriptor;
}
-KeystoreKey::KeystoreKey() {
- mDescriptor = getKeyDescriptor();
-}
+KeystoreKey::KeystoreKey(std::string signedPubKeyPath, const android::String16& keyAlias,
+ int64_t keyNspace, int keyBootLevel)
+ : mDescriptor(getKeyDescriptor(keyAlias, keyNspace)),
+ mHmacKey(keyAlias, keyNspace, keyBootLevel), mSignedPubKeyPath(std::move(signedPubKeyPath)),
+ mKeyBootLevel(keyBootLevel) {}
Result<std::vector<uint8_t>> KeystoreKey::createKey() {
std::vector<KeyParameter> params;
@@ -113,7 +110,7 @@
KeyParameter boot_level;
boot_level.tag = Tag::MAX_BOOT_LEVEL;
- boot_level.value = KeyParameterValue::make<KeyParameterValue::integer>(kOdsignBootLevel);
+ boot_level.value = KeyParameterValue::make<KeyParameterValue::integer>(mKeyBootLevel);
params.push_back(boot_level);
KeyMetadata metadata;
@@ -137,7 +134,7 @@
return Error() << "Failed to sign public key.";
}
- if (!android::base::WriteStringToFile(*signature, kPublicKeySignature)) {
+ if (!android::base::WriteStringToFile(*signature, mSignedPubKeyPath)) {
return Error() << "Can't write public key signature.";
}
@@ -206,7 +203,7 @@
bool foundBootLevel = false;
for (const auto& auth : keyEntryResponse.metadata.authorizations) {
if (auth.keyParameter.tag == Tag::MAX_BOOT_LEVEL) {
- if (auth.keyParameter.value.get<KeyParameterValue::integer>() == kOdsignBootLevel) {
+ if (auth.keyParameter.value.get<KeyParameterValue::integer>() == mKeyBootLevel) {
foundBootLevel = true;
break;
}
@@ -232,7 +229,7 @@
std::string publicKeyString = {publicKey->begin(), publicKey->end()};
std::string signature;
- if (!android::base::ReadFileToString(kPublicKeySignature, &signature)) {
+ if (!android::base::ReadFileToString(mSignedPubKeyPath, &signature)) {
return Error() << "Can't find signature for public key.";
}
@@ -256,13 +253,15 @@
return *existingKey;
}
-Result<SigningKey*> KeystoreKey::getInstance() {
- static KeystoreKey keystoreKey;
+Result<SigningKey*> KeystoreKey::getInstance(const std::string& signedPubKeyPath,
+ const android::String16& keyAlias, int64_t keyNspace,
+ int keyBootLevel) {
+ auto keystoreKey = new KeystoreKey(signedPubKeyPath, keyAlias, keyNspace, keyBootLevel);
- if (!keystoreKey.initialize()) {
+ if (!keystoreKey->initialize()) {
return Error() << "Failed to initialize keystore key.";
} else {
- return &keystoreKey;
+ return keystoreKey;
}
}
diff --git a/ondevice-signing/KeystoreKey.h b/ondevice-signing/KeystoreKey.h
index f2fbb70..3c9a0ab 100644
--- a/ondevice-signing/KeystoreKey.h
+++ b/ondevice-signing/KeystoreKey.h
@@ -36,13 +36,16 @@
public:
virtual ~KeystoreKey(){};
- static android::base::Result<SigningKey*> getInstance();
+ static android::base::Result<SigningKey*> getInstance(const std::string& signedPubKeyPath,
+ const android::String16& keyAlias,
+ int64_t KeyNspace, int keyBootLevel);
virtual android::base::Result<std::string> sign(const std::string& message) const;
virtual android::base::Result<std::vector<uint8_t>> getPublicKey() const;
private:
- KeystoreKey();
+ KeystoreKey(std::string signedPubKeyPath, const android::String16& keyAlias, int64_t keyNspace,
+ int keyBootLevel);
bool initialize();
android::base::Result<std::vector<uint8_t>> verifyExistingKey();
android::base::Result<std::vector<uint8_t>> createKey();
@@ -53,4 +56,7 @@
android::sp<IKeystoreService> mService;
android::sp<IKeystoreSecurityLevel> mSecurityLevel;
std::vector<uint8_t> mPublicKey;
+
+ std::string mSignedPubKeyPath;
+ int mKeyBootLevel;
};
diff --git a/ondevice-signing/VerityUtils.cpp b/ondevice-signing/VerityUtils.cpp
index 24a46b9..8ea0727 100644
--- a/ondevice-signing/VerityUtils.cpp
+++ b/ondevice-signing/VerityUtils.cpp
@@ -43,6 +43,11 @@
using android::base::unique_fd;
static const char* kFsVerityInitPath = "/system/bin/fsverity_init";
+static const char* kFsVerityProcPath = "/proc/sys/fs/verity";
+
+bool SupportsFsVerity() {
+ return access(kFsVerityProcPath, F_OK) == 0;
+}
static std::string toHex(std::span<const uint8_t> data) {
std::stringstream ss;
@@ -165,7 +170,7 @@
return {};
}
-static Result<std::string> enableFsVerity(int fd, const SigningKey& key) {
+Result<std::string> enableFsVerity(int fd, const SigningKey& key) {
auto digest = createDigest(fd);
if (!digest.ok()) {
return Error() << digest.error();
diff --git a/ondevice-signing/include/VerityUtils.h b/ondevice-signing/include/VerityUtils.h
index 0559c35..0650563 100644
--- a/ondevice-signing/include/VerityUtils.h
+++ b/ondevice-signing/include/VerityUtils.h
@@ -26,6 +26,8 @@
android::base::Result<void> addCertToFsVerityKeyring(const std::string& path, const char* keyName);
android::base::Result<std::vector<uint8_t>> createDigest(const std::string& path);
+android::base::Result<std::string> enableFsVerity(int fd, const SigningKey& key);
+bool SupportsFsVerity();
android::base::Result<std::map<std::string, std::string>>
verifyAllFilesInVerity(const std::string& path);
diff --git a/ondevice-signing/odsign_main.cpp b/ondevice-signing/odsign_main.cpp
index 99653fa..e50388e 100644
--- a/ondevice-signing/odsign_main.cpp
+++ b/ondevice-signing/odsign_main.cpp
@@ -44,6 +44,12 @@
using OdsignInfo = ::odsign::proto::OdsignInfo;
+// Keystore boot level that the odsign key uses
+const int kKeyBootLevel = 30;
+const std::string kPublicKeySignature = "/data/misc/odsign/publickey.signature";
+const android::String16 kKeyAlias{"ondevice-signing"};
+constexpr int kKeyNspace = 101; // odsign_key
+
const std::string kSigningKeyCert = "/data/misc/odsign/key.cert";
const std::string kOdsignInfo = "/data/misc/odsign/odsign.info";
const std::string kOdsignInfoSignature = "/data/misc/odsign/odsign.info.signature";
@@ -52,7 +58,6 @@
constexpr const char* kOdrefreshPath = "/apex/com.android.art/bin/odrefresh";
constexpr const char* kCompOsVerifyPath = "/apex/com.android.compos/bin/compos_verify_key";
-constexpr const char* kFsVerityProcPath = "/proc/sys/fs/verity";
constexpr bool kForceCompilation = false;
constexpr bool kUseCompOs = true;
@@ -483,15 +488,15 @@
LOG(INFO) << "Device doesn't support updatable APEX, exiting.";
return 0;
}
-
- auto keystoreResult = KeystoreKey::getInstance();
+ auto keystoreResult =
+ KeystoreKey::getInstance(kPublicKeySignature, kKeyAlias, kKeyNspace, kKeyBootLevel);
if (!keystoreResult.ok()) {
LOG(ERROR) << "Could not create keystore key: " << keystoreResult.error();
return -1;
}
SigningKey* key = keystoreResult.value();
- bool supportsFsVerity = access(kFsVerityProcPath, F_OK) == 0;
+ bool supportsFsVerity = SupportsFsVerity();
if (!supportsFsVerity) {
LOG(INFO) << "Device doesn't support fsverity. Falling back to full verification.";
}