Merge "Fix handling of user password changes."
diff --git a/fsverity_init/Android.bp b/fsverity_init/Android.bp
new file mode 100644
index 0000000..407849d
--- /dev/null
+++ b/fsverity_init/Android.bp
@@ -0,0 +1,18 @@
+cc_binary {
+ name: "fsverity_init",
+ srcs: [
+ "fsverity_init.cpp",
+ ],
+ static_libs: [
+ "libc++fs",
+ "libmini_keyctl_static",
+ ],
+ shared_libs: [
+ "libbase",
+ "libkeystore_binder",
+ "libkeyutils",
+ "liblog",
+ "liblogwrap",
+ ],
+ cflags: ["-Werror", "-Wall", "-Wextra"],
+}
diff --git a/fsverity_init/fsverity_init.cpp b/fsverity_init/fsverity_init.cpp
new file mode 100644
index 0000000..7052375
--- /dev/null
+++ b/fsverity_init/fsverity_init.cpp
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#define LOG_TAG "fsverity_init"
+
+#include <sys/types.h>
+
+#include <filesystem>
+#include <memory>
+#include <string>
+#include <vector>
+
+#include <android-base/file.h>
+#include <android-base/logging.h>
+#include <android-base/properties.h>
+#include <android-base/strings.h>
+#include <keystore/keystore_client.h>
+#include <keystore/keystore_client_impl.h>
+#include <keystore/keystore_get.h>
+#include <log/log.h>
+#include <mini_keyctl_utils.h>
+#include <private/android_filesystem_config.h>
+
+bool LoadKeyToKeyring(key_serial_t keyring_id, const char* desc, const char* data, size_t size) {
+ key_serial_t key = add_key("asymmetric", desc, data, size, keyring_id);
+ if (key < 0) {
+ PLOG(ERROR) << "Failed to add key";
+ return false;
+ }
+ return true;
+}
+
+void LoadKeyFromVerifiedPartitions(key_serial_t keyring_id) {
+ const char* dir = "/product/etc/security/fsverity";
+ if (!std::filesystem::exists(dir)) {
+ LOG(ERROR) << "no such dir: " << dir;
+ return;
+ }
+ for (const auto& entry : std::filesystem::directory_iterator(dir)) {
+ if (!android::base::EndsWithIgnoreCase(entry.path().c_str(), ".der")) continue;
+ std::string content;
+ if (!android::base::ReadFileToString(entry.path(), &content)) {
+ continue;
+ }
+ if (!LoadKeyToKeyring(keyring_id, "fsv_system", content.c_str(), content.size())) {
+ LOG(ERROR) << "Failed to load key from " << entry.path();
+ }
+ }
+}
+
+std::unique_ptr<keystore::KeystoreClient> CreateKeystoreInstance() {
+ return std::unique_ptr<keystore::KeystoreClient>(
+ static_cast<keystore::KeystoreClient*>(new keystore::KeystoreClientImpl));
+}
+
+void LoadKeysFromKeystore(key_serial_t keyring_id) {
+ auto client = CreateKeystoreInstance();
+
+ std::vector<std::string> aliases;
+ if (client == nullptr || !client->listKeysOfUid("FSV_", AID_FSVERITY_CERT, &aliases)) {
+ LOG(ERROR) << "Failed to list key";
+ return;
+ }
+
+ // Always try to load all keys even if some fails to load. The rest may still
+ // be important to have.
+ for (auto& alias : aliases) {
+ auto blob = client->getKey(alias, AID_FSVERITY_CERT);
+ if (!LoadKeyToKeyring(keyring_id, "fsv_user", reinterpret_cast<char*>(blob->data()),
+ blob->size())) {
+ LOG(ERROR) << "Failed to load key " << alias << " from keyring";
+ }
+ }
+}
+
+int main(int /*argc*/, const char** /*argv*/) {
+ key_serial_t keyring_id = android::GetKeyringId(".fs-verity");
+ if (keyring_id < 0) {
+ LOG(ERROR) << "Failed to find .fs-verity keyring id";
+ return -1;
+ }
+
+ // Requires files backed by fs-verity to be verified with a key in .fs-verity
+ // keyring.
+ if (!android::base::WriteStringToFile("1", "/proc/sys/fs/verity/require_signatures")) {
+ PLOG(ERROR) << "Failed to enforce fs-verity signature";
+ }
+
+ LoadKeyFromVerifiedPartitions(keyring_id);
+ LoadKeysFromKeystore(keyring_id);
+
+ if (!android::base::GetBoolProperty("ro.debuggable", false)) {
+ if (keyctl_restrict_keyring(keyring_id, nullptr, nullptr) < 0) {
+ PLOG(ERROR) << "Cannot restrict .fs-verity keyring";
+ }
+ }
+ return 0;
+}
diff --git a/keystore/include/keystore/keystore_client.h b/keystore/include/keystore/keystore_client.h
index d6a4807..d8e63c4 100644
--- a/keystore/include/keystore/keystore_client.h
+++ b/keystore/include/keystore/keystore_client.h
@@ -15,6 +15,8 @@
#ifndef KEYSTORE_KEYSTORE_CLIENT_H_
#define KEYSTORE_KEYSTORE_CLIENT_H_
+#include <memory>
+#include <optional>
#include <set>
#include <string>
#include <vector>
@@ -173,6 +175,13 @@
// caller's key store starting with |prefix|. Returns true on success.
virtual bool listKeys(const std::string& prefix, std::vector<std::string>* key_name_list) = 0;
+ // Provides a |key_name_list| containing all existing key names in the
+ // caller's key store starting with |prefix|. Returns true on success.
+ virtual bool listKeysOfUid(const std::string& prefix, int uid,
+ std::vector<std::string>* key_name_list) = 0;
+
+ virtual std::optional<std::vector<uint8_t>> getKey(const std::string& alias, int uid) = 0;
+
private:
DISALLOW_COPY_AND_ASSIGN(KeystoreClient);
};
diff --git a/keystore/include/keystore/keystore_client_impl.h b/keystore/include/keystore/keystore_client_impl.h
index 0bcef98..6726fe5 100644
--- a/keystore/include/keystore/keystore_client_impl.h
+++ b/keystore/include/keystore/keystore_client_impl.h
@@ -19,6 +19,7 @@
#include <future>
#include <map>
+#include <optional>
#include <string>
#include <vector>
@@ -81,6 +82,9 @@
KeyStoreNativeReturnCode abortOperation(uint64_t handle) override;
bool doesKeyExist(const std::string& key_name) override;
bool listKeys(const std::string& prefix, std::vector<std::string>* key_name_list) override;
+ bool listKeysOfUid(const std::string& prefix, int uid,
+ std::vector<std::string>* key_name_list) override;
+ std::optional<std::vector<uint8_t>> getKey(const std::string& alias, int uid) override;
private:
// Returns an available virtual operation handle.
diff --git a/keystore/keystore_client_impl.cpp b/keystore/keystore_client_impl.cpp
index b9a142e..3fca4c9 100644
--- a/keystore/keystore_client_impl.cpp
+++ b/keystore/keystore_client_impl.cpp
@@ -17,6 +17,7 @@
#include "keystore/keystore_client_impl.h"
#include <future>
+#include <optional>
#include <string>
#include <vector>
@@ -441,9 +442,14 @@
bool KeystoreClientImpl::listKeys(const std::string& prefix,
std::vector<std::string>* key_name_list) {
+ return listKeysOfUid(prefix, kDefaultUID, key_name_list);
+}
+
+bool KeystoreClientImpl::listKeysOfUid(const std::string& prefix, int uid,
+ std::vector<std::string>* key_name_list) {
String16 prefix16(prefix.data(), prefix.size());
std::vector<::android::String16> matches;
- auto binder_result = keystore_->list(prefix16, kDefaultUID, &matches);
+ auto binder_result = keystore_->list(prefix16, uid, &matches);
if (!binder_result.isOk()) return false;
for (const auto& match : matches) {
@@ -453,6 +459,14 @@
return true;
}
+std::optional<std::vector<uint8_t>> KeystoreClientImpl::getKey(const std::string& alias, int uid) {
+ String16 alias16(alias.data(), alias.size());
+ std::vector<uint8_t> output;
+ auto binder_result = keystore_->get(alias16, uid, &output);
+ if (!binder_result.isOk()) return std::nullopt;
+ return output;
+}
+
uint64_t KeystoreClientImpl::getNextVirtualHandle() {
return next_virtual_handle_++;
}