author | Elliott Hughes | 2014-12-09 19:05:20 -0600 |
---|---|---|
committer | Gerrit Code Review | 2014-12-09 19:05:20 -0600 |
commit | 18237c77c80c34919211e5984a40d27b03992759 (patch) | |
tree | 7eda12cfa1070bd52ab977b78ebb7f9c593e739c | |
parent | b471f5249b8a8c627e8d7e96705d111cafdca50d (diff) | |
parent | 982089d83879c768eac3fd36f19665463a550b53 (diff) | |
Merge "Add adb enable-verity"
-rw-r--r-- | adb/Android.mk | 2 | ||||
-rw-r--r-- | adb/adb.h | 4 | ||||
-rw-r--r-- | adb/commandline.c | 6 | ||||
-rw-r--r-- | adb/remount_service.c | 67 | ||||
-rw-r--r-- | adb/services.c | 4 | ||||
-rw-r--r-- | adb/set_verity_enable_state_service.c (renamed from adb/disable_verity_service.c) | 52 |
6 files changed, 104 insertions, 31 deletions
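--- a/adb/Android.mk
+++ b/adb/Android.mk
@@ -110,7 +110,7 @@ LOCAL_SRC_FILES := \
 jdwp_service.c \
 framebuffer_service.c \
 remount_service.c \
-disable_verity_service.c \
+set_verity_enable_state_service.c \
 usb_linux_client.c
 
 LOCAL_CFLAGS := \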
@@ -328,8 +328,10 @@ int handle_forward_request(const char* service, transport_type ttype, char* seri | |||
328 | 328 | ||
329 | #if !ADB_HOST | 329 | #if !ADB_HOST |
330 | void framebuffer_service(int fd, void *cookie); | 330 | void framebuffer_service(int fd, void *cookie); |
331 | // Allow enable-verity to write to system and vendor block devices | ||
332 | int make_system_and_vendor_block_devices_writable(); | ||
331 | void remount_service(int fd, void *cookie); | 333 | void remount_service(int fd, void *cookie); |
332 | void disable_verity_service(int fd, void* cookie); | 334 | void set_verity_enabled_state_service(int fd, void* cookie); |
333 | #endif | 335 | #endif |
334 | 336 | ||
335 | /* packet allocator */ | 337 | /* packet allocator */ |
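Review bot: The new prototype `int make_system_and_vendor_block_devices_writable();` has empty parentheses, which in C leaves the parameters unspecified, while the definition added in adb/remount_service.c takes `int fd`. Calls made through this declaration are therefore not type-checked, and a call that omits the fd would still compile. Declare it as `int make_system_and_vendor_block_devices_writable(int fd);`. The file header for this hunk is not shown on the page; from the diffstat it appears to be adb/adb.h.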
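--- a/adb/commandline.c
+++ b/adb/commandline.c
@@ -190,10 +190,11 @@ void help()
 "\n"
 " adb restore <file> - restore device contents from the <file> backup archive\n"
 "\n"
+" adb disable-verity - disable dm-verity checking on USERDEBUG builds\n"
+" adb enable-verity - re-enable dm-verity checking on USERDEBUG builds\n"
 " adb keygen <file> - generate adb public/private key. The private key is stored in <file>,\n"
 " and the public key is stored in <file>.pub. Any existing files\n"
 " are overwritten.\n"
-" adb disable-verity - disable dm-verity checking on USERDEBUG builds\n"
 " adb help - show this help message\n"
 " adb version - show version num\n"
 "\n"
@@ -1446,7 +1447,8 @@ top:
 if(!strcmp(argv[0], "remount") || !strcmp(argv[0], "reboot")
 || !strcmp(argv[0], "reboot-bootloader")
 || !strcmp(argv[0], "tcpip") || !strcmp(argv[0], "usb")
-|| !strcmp(argv[0], "root") || !strcmp(argv[0], "disable-verity")) {
+|| !strcmp(argv[0], "root") || !strcmp(argv[0], "disable-verity")
+|| !strcmp(argv[0], "enable-verity")) {
 char command[100];
 if (!strcmp(argv[0], "reboot-bootloader"))
 snprintf(command, sizeof(command), "reboot:bootloader");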
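--- a/adb/remount_service.c
+++ b/adb/remount_service.c
@@ -79,29 +79,57 @@ static int hasVendorPartition()
 return false;
 }
 
+static int make_block_device_writable(const char* dir)
+{
+char *dev = 0;
+int fd = -1;
+int OFF = 0;
+int rc = -1;
+
+dev = find_mount(dir);
+if (!dev)
+goto errout;
+
+fd = unix_open(dev, O_RDONLY | O_CLOEXEC);
+if (fd < 0)
+goto errout;
+
+if (ioctl(fd, BLKROSET, &OFF)) {
+goto errout;
+}
+
+rc = 0;
+
+errout:
+if (fd >= 0) {
+adb_close(fd);
+}
+
+if (dev) {
+free(dev);
+}
+return rc;
+}
+
 /* Init mounts /system as read only, remount to enable writes. */
 static int remount(const char* dir, int* dir_ro)
 {
 char *dev;
-int fd;
 int OFF = 0;
 
 if (dir_ro == 0) {
 return 0;
 }
 
+if (make_block_device_writable(dir)) {
+return -1;
+}
+
 dev = find_mount(dir);
 
 if (!dev)
 return -1;
 
-fd = unix_open(dev, O_RDONLY | O_CLOEXEC);
-if (fd < 0)
-return -1;
-
-ioctl(fd, BLKROSET, &OFF);
-adb_close(fd);
-
 *dir_ro = mount(dev, dir, "none", MS_REMOUNT, NULL);
 
 free(dev);
@@ -114,6 +142,28 @@ static void write_string(int fd, const char* str)
 writex(fd, str, strlen(str));
 }
 
+int make_system_and_vendor_block_devices_writable(int fd)
+{
+char buffer[200];
+if (make_block_device_writable("/system")) {
+snprintf(buffer, sizeof(buffer),
+"Failed to make system block device writable %s\n",
+strerror(errno));
+write_string(fd, buffer);
+return -1;
+}
+
+if (hasVendorPartition() && make_block_device_writable("/vendor")) {
+snprintf(buffer, sizeof(buffer),
+"Failed to make vendor block device writable: %s\n",
+strerror(errno));
+write_string(fd, buffer);
+return -1;
+}
+
+return 0;
+}
+
 void remount_service(int fd, void *cookie)
 {
 char buffer[200];
@@ -167,4 +217,3 @@ void remount_service(int fd, void *cookie)
 
 adb_close(fd);
 }
-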
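Review bot: `make_system_and_vendor_block_devices_writable()` prints `strerror(errno)`, but `make_block_device_writable()` runs `adb_close(fd)` and `free(dev)` on its `errout` path before returning, and its `find_mount()` failure branch may not set errno at all, so the reported reason can be stale or unrelated to the real failure. Capture the value first, with `saved_errno = errno;` as the first statement under `errout:` and `errno = saved_errno;` just before `return rc;`. The system message also lacks the colon that the vendor message has (`writable %s` versus `writable: %s`). In `remount()`, `int OFF = 0;` is left behind after its only use moved into the helper, and `find_mount(dir)` now runs twice per call.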
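--- a/adb/services.c
+++ b/adb/services.c
@@ -472,7 +472,9 @@ int service_to_fd(const char *name)
 }
 }
 } else if(!strncmp(name, "disable-verity:", 15)) {
-ret = create_service_thread(disable_verity_service, NULL);
+ret = create_service_thread(set_verity_enabled_state_service, (void*)0);
+} else if(!strncmp(name, "enable-verity:", 15)) {
+ret = create_service_thread(set_verity_enabled_state_service, (void*)1);
 #endif
 }
 if (ret >= 0) {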
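Review bot: The new branch compares 15 bytes against `"enable-verity:"`, which is only 14 characters long, so `strncmp` also compares the terminating NUL and the branch matches only when `name` is exactly that string, whereas the `disable-verity:` branch above is a prefix match. The length looks copied from the disable case; use `!strncmp(name, "enable-verity:", 14)` or derive it with `strlen("enable-verity:")` so both services parse the same way. Passing the state as `(void*)0` / `(void*)1` works with the `cookie != NULL` test in the service, but deserves a short comment at the call site such as `/* cookie: non-NULL means enable */`. `service_to_fd` starts and ends outside the hunk.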
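--- a/adb/disable_verity_service.c
+++ b/adb/set_verity_enable_state_service.c
@@ -78,11 +78,13 @@ static int get_target_device_size(int fd, const char *blk_device,
 return 0;
 }
 
-static int disable_verity(int fd, const char *block_device,
-const char* mount_point)
+/* Turn verity on/off */
+static int set_verity_enabled_state(int fd, const char *block_device,
+const char* mount_point, bool enable)
 {
 uint32_t magic_number;
-const uint32_t voff = VERITY_METADATA_MAGIC_DISABLE;
+const uint32_t new_magic = enable ? VERITY_METADATA_MAGIC_NUMBER
+: VERITY_METADATA_MAGIC_DISABLE;
 uint64_t device_length;
 int device;
 int retval = -1;
@@ -114,12 +116,18 @@ static int disable_verity(int fd, const char *block_device,
 goto errout;
 }
 
-if (magic_number == VERITY_METADATA_MAGIC_DISABLE) {
+if (!enable && magic_number == VERITY_METADATA_MAGIC_DISABLE) {
 write_console(fd, "Verity already disabled on %s\n", mount_point);
 goto errout;
 }
 
-if (magic_number != VERITY_METADATA_MAGIC_NUMBER) {
+if (enable && magic_number == VERITY_METADATA_MAGIC_NUMBER) {
+write_console(fd, "Verity already enabled on %s\n", mount_point);
+goto errout;
+}
+
+if (magic_number != VERITY_METADATA_MAGIC_NUMBER
+&& magic_number != VERITY_METADATA_MAGIC_DISABLE) {
 write_console(fd,
 "Couldn't find verity metadata at offset %"PRIu64"!\n",
 device_length);
@@ -132,13 +140,17 @@ static int disable_verity(int fd, const char *block_device,
 goto errout;
 }
 
-if (adb_write(device, &voff, sizeof(voff)) != sizeof(voff)) {
-write_console(fd, "Could not set verity disabled flag on device %s\n",
-block_device);
+if (adb_write(device, &new_magic, sizeof(new_magic)) != sizeof(new_magic)) {
+write_console(fd, "Could not set verity %s flag on device %s with error %s\n",
+enable ? "enabled" : "disabled",
+block_device,
+strerror(errno));
 goto errout;
 }
 
-write_console(fd, "Verity disabled on %s\n", mount_point);
+write_console(fd, "Verity %s on %s\n",
+enable ? "enabled" : "disabled",
+mount_point);
 retval = 0;
 errout:
 if (device != -1)
@@ -146,13 +158,14 @@ errout:
 return retval;
 }
 
-void disable_verity_service(int fd, void* cookie)
+void set_verity_enabled_state_service(int fd, void* cookie)
 {
+bool enable = (cookie != NULL);
 #ifdef ALLOW_ADBD_DISABLE_VERITY
 char fstab_filename[PROPERTY_VALUE_MAX + sizeof(FSTAB_PREFIX)];
 char propbuf[PROPERTY_VALUE_MAX];
 int i;
-bool any_disabled = false;
+bool any_changed = false;
 
 property_get("ro.secure", propbuf, "0");
 if (strcmp(propbuf, "1")) {
@@ -162,7 +175,7 @@ void disable_verity_service(int fd, void* cookie)
 
 property_get("ro.debuggable", propbuf, "0");
 if (strcmp(propbuf, "1")) {
-write_console(fd, "verity cannot be disabled - USER build\n");
+write_console(fd, "verity cannot be disabled/enabled - USER build\n");
 goto errout;
 }
 
@@ -176,22 +189,27 @@ void disable_verity_service(int fd, void* cookie)
 goto errout;
 }
 
+if (enable && make_system_and_vendor_block_devices_writable(fd)) {
+goto errout;
+}
+
 /* Loop through entries looking for ones that vold manages */
 for (i = 0; i < fstab->num_entries; i++) {
 if(fs_mgr_is_verified(&fstab->recs[i])) {
-if (!disable_verity(fd, fstab->recs[i].blk_device,
-fstab->recs[i].mount_point)) {
-any_disabled = true;
+if (!set_verity_enabled_state(fd, fstab->recs[i].blk_device,
+fstab->recs[i].mount_point, enable)) {
+any_changed = true;
 }
 }
 }
 
-if (any_disabled) {
+if (any_changed) {
 write_console(fd,
 "Now reboot your device for settings to take effect\n");
 }
 #else
-write_console(fd, "disable-verity only works for userdebug builds\n");
+write_console(fd, "%s-verity only works for userdebug builds\n",
+disabling ? "disable" : "enable");
 #endif
 
 errout: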
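Review bot: In the `#else` branch the new message uses `disabling ? "disable" : "enable"`, but no `disabling` is declared in the visible hunks; the flag introduced at the top of `set_verity_enabled_state_service` is `enable`. Builds without `ALLOW_ADBD_DISABLE_VERITY` would presumably fail to compile here, and the line should read `enable ? "enable" : "disable");`. Separately, on the enable path the system and vendor block devices are switched to writable before the fstab loop, and nothing visible returns them to read-only when no partition ends up changed, so a comment stating that this state persists until reboot would help. The function body continues past `errout:` outside the hunk.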