odsign: Only try to insert certificate in keyring once.
If this fails, we previously tried to generate a new key, and tried to
insert the cert again. But since we already verified the cert is
well-formed, trying with a new key makes little sense, and in fact
increases boot time on devices that don't support fs-verity.
Bug: 180880942
Test: inspect logs
Change-Id: I6d164489f9a840928ce669e0e38a86148a69c973
diff --git a/ondevice-signing/odsign_main.cpp b/ondevice-signing/odsign_main.cpp
index 2ef9511..b019bb9 100644
--- a/ondevice-signing/odsign_main.cpp
+++ b/ondevice-signing/odsign_main.cpp
@@ -91,7 +91,7 @@
return KeymasterSigningKey::loadFromBlobAndVerify(kSigningKeyBlob);
}
-Result<void> verifyAndLoadExistingCert(const KeymasterSigningKey& key) {
+Result<void> verifyExistingCert(const KeymasterSigningKey& key) {
if (access(kSigningKeyCert.c_str(), F_OK) < 0) {
return ErrnoError() << "Key certificate not found: " << kSigningKeyCert;
}
@@ -109,11 +109,6 @@
<< " does not match signing public key.";
}
- auto cert_add_result = addCertToFsVerityKeyring(kSigningKeyCert);
- if (!cert_add_result.ok()) {
- return cert_add_result.error();
- }
-
// At this point, we know the cert matches
return {};
}
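Review bot: With the keyring insertion removed, verifyExistingCert now only checks the cert, but nothing at the function records that the insertion became the caller's job, and the remaining comment `// At this point, we know the cert matches` can be read as "the cert is trusted". Suggest extending that comment to `// At this point, we know the cert matches the signing key. Verification only: the caller is responsible for adding the cert to the fs-verity keyring.`. The function's signature and the rest of its body are outside this hunk.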
@@ -174,7 +169,7 @@
LOG(INFO) << "Found and verified existing key: " << kSigningKeyBlob;
}
- auto existing_cert = verifyAndLoadExistingCert(key.value());
+ auto existing_cert = verifyExistingCert(key.value());
if (!existing_cert.ok()) {
LOG(WARNING) << existing_cert.error().message();
@@ -185,15 +180,15 @@
// TODO apparently the key become invalid - delete the blob / cert
return -1;
}
- auto cert_add_result = addCertToFsVerityKeyring(kSigningKeyCert);
- if (!cert_add_result.ok()) {
- LOG(ERROR) << "Failed to add certificate to fs-verity keyring: "
- << cert_add_result.error().message();
- return -1;
- }
} else {
LOG(INFO) << "Found and verified existing public key certificate: " << kSigningKeyCert;
}
+ auto cert_add_result = addCertToFsVerityKeyring(kSigningKeyCert);
+ if (!cert_add_result.ok()) {
+ LOG(ERROR) << "Failed to add certificate to fs-verity keyring: "
+ << cert_add_result.error().message();
+ return -1;
+ }
auto verityStatus = verifyAllFilesInVerity(kArtArtifactsDir);
if (!verityStatus.ok()) {
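Review bot: The added LOG(ERROR) does not name the certificate that failed to be inserted, and since the failure now ends the run with `return -1` before verifyAllFilesInVerity is reached, a reader of the logs cannot tell a rejected certificate from the fs-verity-unsupported case the description mentions, if that is indeed where the insert fails. Suggest `LOG(ERROR) << "Failed to add certificate " << kSigningKeyCert << " to fs-verity keyring: "` so the message identifies the file. A short comment above the call would also preserve the reasoning from the description: `// Insert the cert into the keyring exactly once; the cert is already known to be well-formed, so retrying with a fresh key would not help.`. The enclosing function begins and, from the `verityStatus` check onward, continues outside the hunk.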