Merge "Keystore VTS for module hash" into main
diff --git a/fsverity_init/Android.bp b/fsverity_init/Android.bp
deleted file mode 100644
index 212aac4..0000000
--- a/fsverity_init/Android.bp
+++ /dev/null
@@ -1,41 +0,0 @@
-package {
- // See: http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // all of the 'license_kinds' from "system_security_license"
- // to get the below license kinds:
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_security_license"],
-}
-
-cc_binary {
- name: "fsverity_init",
- srcs: [
- "fsverity_init.cpp",
- ],
- static_libs: [
- "aconfig_fsverity_init_c_lib",
- "libmini_keyctl_static",
- ],
- shared_libs: [
- "libbase",
- "libkeyutils",
- "liblog",
- ],
- cflags: [
- "-Werror",
- "-Wall",
- "-Wextra",
- ],
-}
-
-aconfig_declarations {
- name: "aconfig_fsverity_init",
- package: "android.security.flag",
- container: "system",
- srcs: ["flags.aconfig"],
-}
-
-cc_aconfig_library {
- name: "aconfig_fsverity_init_c_lib",
- aconfig_declarations: "aconfig_fsverity_init",
-}
diff --git a/fsverity_init/OWNERS b/fsverity_init/OWNERS
deleted file mode 100644
index f9e7b25..0000000
--- a/fsverity_init/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-alanstokes@google.com
-ebiggers@google.com
-jeffv@google.com
-jiyong@google.com
-victorhsieh@google.com
diff --git a/fsverity_init/flags.aconfig b/fsverity_init/flags.aconfig
deleted file mode 100644
index 495c71c..0000000
--- a/fsverity_init/flags.aconfig
+++ /dev/null
@@ -1,10 +0,0 @@
-package: "android.security.flag"
-container: "system"
-
-flag {
- name: "deprecate_fsverity_init"
- namespace: "hardware_backed_security"
- description: "Feature flag for deprecate fsverity_init"
- bug: "290064770"
- is_fixed_read_only: true
-}
diff --git a/fsverity_init/fsverity_init.cpp b/fsverity_init/fsverity_init.cpp
deleted file mode 100644
index 717beeb..0000000
--- a/fsverity_init/fsverity_init.cpp
+++ /dev/null
@@ -1,112 +0,0 @@
-/*
- * Copyright (C) 2019 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-//
-// fsverity_init is a tool for loading X.509 certificates into the kernel keyring used by the
-// fsverity builtin signature verification kernel feature
-// (https://www.kernel.org/doc/html/latest/filesystems/fsverity.html#built-in-signature-verification).
-// Starting in Android 14, Android has actually stopped using this feature, as it was too inflexible
-// and caused problems. It has been replaced by userspace signature verification. Also, some uses
-// of fsverity in Android are now for integrity-only use cases.
-//
-// Regardless, there may exist fsverity files on-disk that were created by Android 13 or earlier.
-// These files still have builtin signatures. If the kernel is an older kernel that still has
-// CONFIG_FS_VERITY_BUILTIN_SIGNATURES enabled, these files cannot be opened unless the
-// corresponding key is in the ".fs-verity" keyring. Therefore, this tool still has to exist and be
-// used to load keys into the kernel, even though this has no security purpose anymore.
-//
-// This tool can be removed as soon as all supported kernels are guaranteed to have
-// CONFIG_FS_VERITY_BUILTIN_SIGNATURES disabled, or alternatively as soon as support for upgrades
-// from Android 13 or earlier is no longer required.
-//
-
-#define LOG_TAG "fsverity_init"
-
-#include <sys/types.h>
-
-#include <filesystem>
-#include <string>
-
-#include <android-base/file.h>
-#include <android-base/logging.h>
-#include <android-base/strings.h>
-#include <android_security_flag.h>
-#include <log/log.h>
-#include <mini_keyctl_utils.h>
-
-void LoadKeyFromFile(key_serial_t keyring_id, const char* keyname, const std::string& path) {
- LOG(INFO) << "LoadKeyFromFile path=" << path << " keyname=" << keyname;
- std::string content;
- if (!android::base::ReadFileToString(path, &content)) {
- LOG(ERROR) << "Failed to read key from " << path;
- return;
- }
- if (add_key("asymmetric", keyname, content.c_str(), content.size(), keyring_id) < 0) {
- PLOG(ERROR) << "Failed to add key from " << path;
- }
-}
-
-void LoadKeyFromDirectory(key_serial_t keyring_id, const char* keyname_prefix, const char* dir) {
- if (!std::filesystem::exists(dir)) {
- return;
- }
- int counter = 0;
- for (const auto& entry : std::filesystem::directory_iterator(dir)) {
- if (!android::base::EndsWithIgnoreCase(entry.path().c_str(), ".der")) continue;
- std::string keyname = keyname_prefix + std::to_string(counter);
- counter++;
- LoadKeyFromFile(keyring_id, keyname.c_str(), entry.path());
- }
-}
-
-void LoadKeyFromVerifiedPartitions(key_serial_t keyring_id) {
- // NB: Directories need to be synced with FileIntegrityService.java in
- // frameworks/base.
- LoadKeyFromDirectory(keyring_id, "fsv_system_", "/system/etc/security/fsverity");
- LoadKeyFromDirectory(keyring_id, "fsv_product_", "/product/etc/security/fsverity");
-}
-
-int main(int argc, const char** argv) {
- if (android::security::flag::deprecate_fsverity_init()) {
- // Don't load keys to the built-in fs-verity keyring in kernel. This will make existing
- // files not readable. We expect to only enable the flag when there are no such files or
- // when failure is ok (e.g. with a fallback).
- return 0;
- }
-
- if (argc < 2) {
- LOG(ERROR) << "Not enough arguments";
- return -1;
- }
-
- key_serial_t keyring_id = android::GetKeyringId(".fs-verity");
- if (keyring_id < 0) {
- // This is expected on newer kernels. See comment at the beginning of this file.
- LOG(DEBUG) << "no initialization required";
- return 0;
- }
-
- const std::string_view command = argv[1];
-
- if (command == "--load-verified-keys") {
- LoadKeyFromVerifiedPartitions(keyring_id);
- } else {
- LOG(ERROR) << "Unknown argument(s).";
- return -1;
- }
-
- return 0;
-}
diff --git a/keystore2/selinux/src/lib.rs b/keystore2/selinux/src/lib.rs
index d57a99a..1f1e692 100644
--- a/keystore2/selinux/src/lib.rs
+++ b/keystore2/selinux/src/lib.rs
@@ -247,34 +247,6 @@
}
}
-/// Safe wrapper around libselinux `getpidcon`. It initializes the `Context::Raw` variant of the
-/// returned `Context`.
-///
-/// ## Return
-/// * Ok(Context::Raw()) if successful.
-/// * Err(Error::sys()) if getpidcon succeeded but returned a NULL pointer.
-/// * Err(io::Error::last_os_error()) if getpidcon failed.
-pub fn getpidcon(pid: selinux::pid_t) -> Result<Context> {
- init_logger_once();
- let _lock = LIB_SELINUX_LOCK.lock().unwrap();
-
- let mut con: *mut c_char = ptr::null_mut();
- match unsafe { selinux::getpidcon(pid, &mut con) } {
- 0 => {
- if !con.is_null() {
- Ok(Context::Raw(con))
- } else {
- Err(anyhow!(Error::sys(format!(
- "getpidcon returned a NULL context for pid {}",
- pid
- ))))
- }
- }
- _ => Err(anyhow!(io::Error::last_os_error()))
- .context(format!("getpidcon failed for pid {}", pid)),
- }
-}
-
/// Safe wrapper around selinux_check_access.
///
/// ## Return
@@ -796,12 +768,4 @@
check_keystore_perm!(reset);
check_keystore_perm!(unlock);
}
-
- #[test]
- fn test_getpidcon() {
- // Check that `getpidcon` of our pid is equal to what `getcon` returns.
- // And by using `unwrap` we make sure that both also have to return successfully
- // fully to pass the test.
- assert_eq!(getpidcon(std::process::id() as i32).unwrap(), getcon().unwrap());
- }
}
diff --git a/keystore2/src/fuzzers/keystore2_unsafe_fuzzer.rs b/keystore2/src/fuzzers/keystore2_unsafe_fuzzer.rs
index fb4c9ad..62167fb 100644
--- a/keystore2/src/fuzzers/keystore2_unsafe_fuzzer.rs
+++ b/keystore2/src/fuzzers/keystore2_unsafe_fuzzer.rs
@@ -26,7 +26,7 @@
hmac_sha256, parse_subject_from_certificate, Password, ZVec,
};
use keystore2_hal_names::get_hidl_instances;
-use keystore2_selinux::{check_access, getpidcon, setcon, Backend, Context, KeystoreKeyBackend};
+use keystore2_selinux::{check_access, setcon, Backend, Context, KeystoreKeyBackend};
use libfuzzer_sys::{arbitrary::Arbitrary, fuzz_target};
use std::{ffi::CString, sync::Arc};
@@ -108,9 +108,6 @@
Backend {
namespace: &'a str,
},
- GetPidCon {
- pid: i32,
- },
CheckAccess {
source: &'a [u8],
target: &'a [u8],
@@ -216,9 +213,6 @@
let _res = backend.lookup(namespace);
}
}
- FuzzCommand::GetPidCon { pid } => {
- let _res = getpidcon(pid);
- }
FuzzCommand::CheckAccess { source, target, tclass, perm } => {
let source = get_valid_cstring_data(source);
let target = get_valid_cstring_data(target);
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index acca942..7b6ea68 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -221,7 +221,8 @@
&& e.downcast_ref::<Error>()
== Some(&Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE))
{
- log::info!("Call to {} failed for StrongBox as it is not available", name,)
+ log::info!("Call to {} failed for StrongBox as it is not available", name);
+ return Ok(());
} else {
log::error!(
"Call to {} failed for security level {}: {}.",
@@ -252,6 +253,9 @@
Self::watch_apex_info()
.unwrap_or_else(|e| log::error!("watch_apex_info failed: {e:?}"));
});
+ } else {
+ rustutils::system_properties::write("keystore.module_hash.sent", "true")
+ .context(ks_err!("failed to set keystore.module_hash.sent to true"))?;
}
Maintenance::call_on_all_security_levels("earlyBootEnded", |dev| dev.earlyBootEnded(), None)
}
@@ -261,33 +265,24 @@
///
/// Blocks waiting for system property changes, so must be run in its own thread.
fn watch_apex_info() -> Result<()> {
- let prop = "apexd.status";
- log::info!("start monitoring '{prop}' property");
- let mut w = PropertyWatcher::new(prop).context(ks_err!("PropertyWatcher::new failed"))?;
+ let apex_prop = "apexd.status";
+ log::info!("start monitoring '{apex_prop}' property");
+ let mut w =
+ PropertyWatcher::new(apex_prop).context(ks_err!("PropertyWatcher::new failed"))?;
loop {
let value = w.read(|_name, value| Ok(value.to_string()));
- // The status for apexd moves from "starting" to "activated" to "ready"; the apex
- // info file should be populated for either of the latter two states, so cope with
- // both in case we miss a state change.
- log::info!("property '{prop}' is now '{value:?}'");
- if matches!(value.as_deref(), Ok("activated") | Ok("ready")) {
- match Self::read_apex_info() {
- Ok(modules) => {
- Self::set_module_info(modules)
- .context(ks_err!("failed to set module info"))?;
- break;
- }
- Err(e) => {
- log::error!(
- "failed to read apex info, try again on next state change: {e:?}"
- );
- }
- }
+ log::info!("property '{apex_prop}' is now '{value:?}'");
+ if matches!(value.as_deref(), Ok("activated")) {
+ let modules =
+ Self::read_apex_info().context(ks_err!("failed to read apex info"))?;
+ Self::set_module_info(modules).context(ks_err!("failed to set module info"))?;
+ rustutils::system_properties::write("keystore.module_hash.sent", "true")
+ .context(ks_err!("failed to set keystore.module_hash.sent to true"))?;
+ break;
}
-
- log::info!("await a change to '{prop}'...");
+ log::info!("await a change to '{apex_prop}'...");
w.wait(None).context(ks_err!("property wait failed"))?;
- log::info!("await a change to '{prop}'...notified");
+ log::info!("await a change to '{apex_prop}'...notified");
}
Ok(())
}