commit 5588e4958bfda09dcbe4b441af262ebbbd48b1af
author Martijn Coenen <maco@google.com> Thu Feb 25 14:33:44 2021 +0100
committer Martijn Coenen <maco@google.com> Mon Mar 08 16:31:51 2021 +0100
tree a2b83fe9bee9558e9c3b5955fb8fe59c62e39655
parent 5142b59e8f2c54c60e137ba6f7c1e4ba94f7b4fe

Support devices without fs-verity.

On devices that don't have fs-verity, we now use so-called "full
verification": after the artifacts are generated, we compute their
digests, and store the files along with their digests in a new proto
file, along with a signature using the same (early boot) key.

Then, once we reboot, load in the same proto file, verify the signature,
and re-compute the digests to make sure they match the ones in the proto
(since those are digests we can trust).

Note that the current implementation still skips the crucial verify step,
because the current implementation is not very efficient, and we want to
avoid regressing boot time.

At the same time, this proto file is still useful even for devices that
do have fs-verity, because fs-verity itself doesn't protect against
files being moved around; so even when we do have fs-verity, make sure
the root hash of each file is the same as it was when we compiled the
artifacts the first time.

Bug: 165630556
Test: Local
Change-Id: If2b736fcc14256e183c931722f95b0f18ca17703

ondevice-signing/VerityUtils.cpp

diff --git a/ondevice-signing/VerityUtils.cpp b/ondevice-signing/VerityUtils.cpp
index b4a6a54..3d0b85a 100644
--- a/ondevice-signing/VerityUtils.cpp
+++ b/ondevice-signing/VerityUtils.cpp
@@ -30,6 +30,8 @@
 #include "CertUtils.h"
 #include "KeymasterSigningKey.h"
 
+#define FS_VERITY_MAX_DIGEST_SIZE 64
+
 using android::base::ErrnoError;
 using android::base::Error;
 using android::base::Result;
@@ -50,13 +52,21 @@
     __u8 digest[];
 };
 
+static std::string toHex(const std::vector<uint8_t>& data) {
+    std::stringstream ss;
+    for (auto it = data.begin(); it != data.end(); ++it) {
+        ss << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned>(*it);
+    }
+    return ss.str();
+}
+
 static int read_callback(void* file, void* buf, size_t count) {
     int* fd = (int*)file;
     if (TEMP_FAILURE_RETRY(read(*fd, buf, count)) < 0) return errno ? -errno : -EIO;
     return 0;
 }
 
-static Result<std::vector<uint8_t>> createDigest(const std::string& path) {
+Result<std::vector<uint8_t>> createDigest(const std::string& path) {
     struct stat filestat;
     unique_fd fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_CLOEXEC)));
 
@@ -94,7 +104,7 @@
     return std::vector<uint8_t>(signed_digest->begin(), signed_digest->end());
 }
 
-Result<void> enableFsVerity(const std::string& path, const KeymasterSigningKey& key) {
+Result<std::string> enableFsVerity(const std::string& path, const KeymasterSigningKey& key) {
     auto digest = createDigest(path);
     if (!digest.ok()) {
         return digest.error();
@@ -121,10 +131,13 @@
         return ErrnoError() << "Failed to call FS_IOC_ENABLE_VERITY on " << path;
     }
 
-    return {};
+    // Return the root hash as a hex string
+    return toHex(digest.value());
 }
 
-Result<void> addFilesToVerityRecursive(const std::string& path, const KeymasterSigningKey& key) {
+Result<std::map<std::string, std::string>>
+addFilesToVerityRecursive(const std::string& path, const KeymasterSigningKey& key) {
+    std::map<std::string, std::string> digests;
     std::error_code ec;
 
     auto it = std::filesystem::recursive_directory_iterator(path, ec);
@@ -137,14 +150,18 @@
             if (!result.ok()) {
                 return result.error();
             }
+            digests[it->path()] = *result;
         }
         ++it;
     }
+    if (ec) {
+        return Error() << "Failed to iterate " << path << ": " << ec;
+    }
 
-    return {};
+    return digests;
 }
 
-Result<bool> isFileInVerity(const std::string& path) {
+Result<std::string> isFileInVerity(const std::string& path) {
     unsigned int flags;
 
     unique_fd fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_CLOEXEC)));
@@ -156,11 +173,24 @@
     if (ret < 0) {
         return ErrnoError() << "Failed to FS_IOC_GETFLAGS for " << path;
     }
+    if (!(flags & FS_VERITY_FL)) {
+        return Error() << "File is not in fs-verity: " << path;
+    }
 
-    return (flags & FS_VERITY_FL);
+    struct fsverity_digest* d;
+    d = (struct fsverity_digest*)malloc(sizeof(*d) + FS_VERITY_MAX_DIGEST_SIZE);
+    d->digest_size = FS_VERITY_MAX_DIGEST_SIZE;
+    ret = ioctl(fd, FS_IOC_MEASURE_VERITY, d);
+    if (ret < 0) {
+        return ErrnoError() << "Failed to FS_IOC_MEASURE_VERITY for " << path;
+    }
+    std::vector<uint8_t> digest_vector(&d->digest[0], &d->digest[d->digest_size]);
+
+    return toHex(digest_vector);
 }
 
-Result<void> verifyAllFilesInVerity(const std::string& path) {
+Result<std::map<std::string, std::string>> verifyAllFilesInVerity(const std::string& path) {
+    std::map<std::string, std::string> digests;
     std::error_code ec;
 
     auto it = std::filesystem::recursive_directory_iterator(path, ec);
@@ -173,12 +203,13 @@
             if (!result.ok()) {
                 return result.error();
             }
-            if (!*result) {
-                return Error() << "File " << it->path() << " not in fs-verity";
-            }
+            digests[it->path()] = *result;
         }  // TODO reject other types besides dirs?
         ++it;
     }
+    if (ec) {
+        return Error() << "Failed to iterate " << path << ": " << ec;
+    }
 
-    return {};
+    return digests;
 }