Remove the old CompOS key management
We no long persist keys on behalf of CompOS, so a lot of code is
redundant and can be removed.
Bug: 218494522
Test: Run staged-compile, reboot & watch odsign
Ignore-AOSP-First: Avoiding merge conflicts
Merged-In: Ia649165630048a3b625e6c7aa84e8b5d18d2a8da
Change-Id: Ia649165630048a3b625e6c7aa84e8b5d18d2a8da
diff --git a/ondevice-signing/odsign_main.cpp b/ondevice-signing/odsign_main.cpp
index 8cf398e..fc55846 100644
--- a/ondevice-signing/odsign_main.cpp
+++ b/ondevice-signing/odsign_main.cpp
@@ -57,18 +57,11 @@
const std::string kArtArtifactsDir = "/data/misc/apexdata/com.android.art/dalvik-cache";
constexpr const char* kOdrefreshPath = "/apex/com.android.art/bin/odrefresh";
-constexpr const char* kCompOsVerifyPath = "/apex/com.android.compos/bin/compos_verify_key";
+constexpr const char* kCompOsVerifyPath = "/apex/com.android.compos/bin/compos_verify";
constexpr bool kForceCompilation = false;
constexpr bool kUseCompOs = true;
-constexpr const char* kNewCompOsVerifyPath = "/apex/com.android.compos/bin/compos_verify";
-const std::string kCompOsCert = "/data/misc/odsign/compos_key.cert";
-
-const std::string kCompOsCurrentPublicKey =
- "/data/misc/apexdata/com.android.compos/current/key.pubkey";
-const std::string kCompOsPendingPublicKey =
- "/data/misc/apexdata/com.android.compos/pending/key.pubkey";
const std::string kCompOsPendingArtifactsDir = "/data/misc/apexdata/com.android.art/compos-pending";
const std::string kCompOsInfo = kArtArtifactsDir + "/compos.info";
const std::string kCompOsInfoSignature = kCompOsInfo + ".signature";
@@ -145,7 +138,7 @@
bool compOsPresent() {
// We must have the CompOS APEX
- return access(kNewCompOsVerifyPath, X_OK) == 0;
+ return access(kCompOsVerifyPath, X_OK) == 0;
}
Result<void> verifyExistingRootCert(const SigningKey& key) {
@@ -344,13 +337,8 @@
return {};
}
-Result<std::vector<uint8_t>> addCompOsCertToFsVerityKeyring(const SigningKey& /*signingKey*/) {
- // TODO(b/218494522): Remove this and usages of compos_key.
- return {};
-}
-
-Result<OdsignInfo> getComposInfo(const std::vector<uint8_t>& /*compos_key*/) {
- const char* const argv[] = {kNewCompOsVerifyPath, "--instance", "current"};
+Result<OdsignInfo> getComposInfo() {
+ const char* const argv[] = {kCompOsVerifyPath, "--instance", "current"};
int result =
logwrap_fork_execvp(arraysize(argv), argv, nullptr, false, LOG_ALOG, false, nullptr);
if (result != 0) {
@@ -377,8 +365,7 @@
return compos_info;
}
-art::odrefresh::ExitCode checkCompOsPendingArtifacts(const std::vector<uint8_t>& compos_key,
- const SigningKey& signing_key,
+art::odrefresh::ExitCode checkCompOsPendingArtifacts(const SigningKey& signing_key,
bool* digests_verified) {
if (!directoryHasContent(kCompOsPendingArtifactsDir)) {
// No pending CompOS artifacts, all that matters is the current ones.
@@ -414,7 +401,7 @@
// Make sure the artifacts we have are genuinely produced by the current
// instance of CompOS.
- auto compos_info = getComposInfo(compos_key);
+ auto compos_info = getComposInfo();
if (!compos_info.ok()) {
LOG(WARNING) << compos_info.error();
} else {
@@ -527,21 +514,9 @@
}
}
- art::odrefresh::ExitCode odrefresh_status = art::odrefresh::ExitCode::kCompilationRequired;
bool digests_verified = false;
-
- if (useCompOs) {
- auto compos_key = addCompOsCertToFsVerityKeyring(*key);
- if (!compos_key.ok()) {
- LOG(WARNING) << compos_key.error();
- odrefresh_status = checkArtifacts();
- } else {
- odrefresh_status =
- checkCompOsPendingArtifacts(compos_key.value(), *key, &digests_verified);
- }
- } else {
- odrefresh_status = checkArtifacts();
- }
+ art::odrefresh::ExitCode odrefresh_status =
+ useCompOs ? checkCompOsPendingArtifacts(*key, &digests_verified) : checkArtifacts();
// The artifacts dir doesn't necessarily need to exist; if the existing
// artifacts on the system partition are valid, those can be used.