1 From fabdd30b4cf9ee341dabbbd51b2a1e3335d7d4cd Mon Sep 17 00:00:00 2001 2 
From: David Zeuthen <zeuthen (a] google.com> 3 Date: Tue, 24 Jan 2017 13:17:01 -0500 4 Subject: [PATCH 2/2] ANDROID: AVB error handler to invalidate vbmeta 5 partition. 6 7 If androidboot.vbmeta.device is set and points to a device with vbmeta 8 magic, this header will be overwritten upon an irrecoverable dm-verity 9 error. The side-effect of this is that the slot will fail to verify on 10 next reboot, effectively triggering the boot loader to fall back to 11 another slot. This works both if the vbmeta struct is at the start of a 12 partition or if there's an AVB footer at the end. 13 14 This code is based on drivers/md/dm-verity-chromeos.c from ChromiumOS. 15 16 Example: 17 18 [ 0.000000] Kernel command line: rootfstype=ext4 init=/init console=ttyS0,115200 androidboot.console=ttyS0 androidboot.hardware=uefi_x86_64 enforcing=0 androidboot.selinux=permissive androidboot.debuggable=1 buildvariant=eng dm="1 vroot none ro 1,0 2080496 verity 1 PARTUUID=6779df46-78f6-4c69-bf53-59bb1fbf126b PARTUUID=6779df46-78f6-4c69-bf53-59bb1fbf126b 4096 4096 260062 260062 sha1 4f76354c86e430e27426d584a726f2fbffecae32 7e4085342d634065269631ac9a199e1a43f4632c 1 ignore_zero_blocks" root=0xfd00 androidboot.vbmeta.device=PARTUUID=b865935d-38fb-4c4e-b8b4-70dc67321552 androidboot.slot_suffix=_a androidboot.vbmeta.device_state=unlocked androidboot.vbmeta.hash_alg=sha256 androidboot.vbmeta.size=3200 androidboot.vbmeta.digest=14fe41c2b3696c31b7ad5eae7877d7d188995e1ab122c604aaaf4785850b91f7 skip_initramfs 19 [...] 20 [ 0.612802] device-mapper: verity-avb: AVB error handler initialized with vbmeta device: PARTUUID=b865935d-38fb-4c4e-b8b4-70dc67321552 21 [...] 22 [ 1.213804] device-mapper: init: attempting early device configuration. 
23 [ 1.214752] device-mapper: init: adding target '0 2080496 verity 1 PARTUUID=6779df46-78f6-4c69-bf53-59bb1fbf126b PARTUUID=6779df46-78f6-4c69-bf53-59bb1fbf126b 4096 4096 260062 260062 sha1 4f76354c86e430e27426d584a726f2fbffecae32 7e4085342d634065269631ac9a199e1a43f4632c 1 ignore_zero_blocks' 24 [ 1.217643] device-mapper: init: dm-0 is ready 25 [ 1.226694] device-mapper: verity: 8:6: data block 0 is corrupted 26 [ 1.227666] device-mapper: verity-avb: AVB error handler called for PARTUUID=b865935d-38fb-4c4e-b8b4-70dc67321552 27 [ 1.234308] device-mapper: verity-avb: invalidate_vbmeta: found vbmeta partition 28 [ 1.235848] device-mapper: verity-avb: invalidate_vbmeta: completed. 29 [...] 30 31 Bug: 31622239 32 Test: Manually tested (other arch). 33 Change-Id: Idf6be32d6a3d28e15de9302aa26ad6a516d663aa 34 Signed-off-by: David Zeuthen <zeuthen (a] google.com> 35 --- 36 drivers/md/Kconfig | 11 ++ 37 drivers/md/Makefile | 4 + 38 drivers/md/dm-verity-avb.c | 229 ++++++++++++++++++++++++++++++++++++++++++ 39 drivers/md/dm-verity-target.c | 6 +- 40 drivers/md/dm-verity.h | 1 + 41 5 files changed, 250 insertions(+), 1 deletion(-) 42 create mode 100644 drivers/md/dm-verity-avb.c 43 44 diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig 45 index 9eb08a43cd27..6f2fde5d98e7 100644 46 --- a/drivers/md/Kconfig 47 +++ b/drivers/md/Kconfig 48 @@ -515,6 +515,17 @@ config DM_LOG_WRITES 49 50 If unsure, say N. 51 52 +config DM_VERITY_AVB 53 + tristate "Support AVB specific verity error behavior" 54 + depends on DM_VERITY 55 + ---help--- 56 + Enables Android Verified Boot platform-specific error 57 + behavior. In particular, it will modify the vbmeta partition 58 + specified on the kernel command-line when non-transient error 59 + occurs (followed by a panic). 60 + 61 + If unsure, say N. 62 + 63 config DM_ANDROID_VERITY 64 bool "Android verity target support" 65 depends on DM_VERITY=y 66 
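Review bot: `tristate` on DM_VERITY_AVB does not match how the option is consumed: the Makefile hunk only adds dm-verity-avb.o under `ifeq ($(CONFIG_DM_VERITY_AVB),y)` and the dm-verity-target.c hunk tests `#ifdef CONFIG_DM_VERITY_AVB`, so a `=m` selection builds nothing and the error hook is silently absent. Since the code is linked into dm-verity-objs rather than built as a module of its own, `bool "Support AVB specific verity error behavior"` describes the only configuration that works. The help text also says the error is "followed by a panic", whereas the target change calls `kernel_restart()`; `(followed by a restart)` would match the code.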
diff --git a/drivers/md/Makefile b/drivers/md/Makefile 67 index 32b5d0a90d60..c22cc74c9fa8 100644 68 --- a/drivers/md/Makefile 69 +++ b/drivers/md/Makefile 70 @@ -69,3 +69,7 @@ endif 71 ifeq ($(CONFIG_DM_VERITY_FEC),y) 72 dm-verity-objs += dm-verity-fec.o 73 endif 74 + 75 +ifeq ($(CONFIG_DM_VERITY_AVB),y) 76 +dm-verity-objs += dm-verity-avb.o 77 +endif 78 diff --git a/drivers/md/dm-verity-avb.c b/drivers/md/dm-verity-avb.c 79 new file mode 100644 80 index 000000000000..727aacbb1480 81 --- /dev/null 82 +++ b/drivers/md/dm-verity-avb.c 83 
@@ -0,0 +1,229 @@ 84 +/* 85 + * Copyright (C) 2017 Google. 86 + * 87 + * This file is released under the GPLv2. 88 + * 89 + * Based on drivers/md/dm-verity-chromeos.c 90 + */ 91 + 92 +#include <linux/device-mapper.h> 93 +#include <linux/module.h> 94 +#include <linux/mount.h> 95 + 96 +#define DM_MSG_PREFIX "verity-avb" 97 + 98 +/* Set via module parameters. */ 99 +static char avb_vbmeta_device[64]; 100 +static char avb_invalidate_on_error[4]; 101 + 102 +static void invalidate_vbmeta_endio(struct bio *bio) 103 +{ 104 + if (bio->bi_error) 105 + DMERR("invalidate_vbmeta_endio: error %d", bio->bi_error); 106 + complete(bio->bi_private); 107 +} 108 + 109 +static int invalidate_vbmeta_submit(struct bio *bio, 110 + struct block_device *bdev, 111 + int rw, int access_last_sector, 112 + struct page *page) 113 +{ 114 + DECLARE_COMPLETION_ONSTACK(wait); 115 + 116 + bio->bi_private = &wait; 117 + bio->bi_end_io = invalidate_vbmeta_endio; 118 + bio->bi_bdev = bdev; 119 + bio->bi_rw = rw; 120 + 121 + bio->bi_iter.bi_sector = 0; 122 + if (access_last_sector) { 123 + sector_t last_sector; 124 + 125 + last_sector = (i_size_read(bdev->bd_inode)>>SECTOR_SHIFT) - 1; 126 + bio->bi_iter.bi_sector = last_sector; 127 + } 128 + if (!bio_add_page(bio, page, PAGE_SIZE, 0)) { 129 + DMERR("invalidate_vbmeta_submit: bio_add_page error"); 130 + return -EIO; 131 + } 132 + 133 + submit_bio(rw, bio); 134 + /* Wait up to 2 seconds for completion or fail. */ 135 + if (!wait_for_completion_timeout(&wait, msecs_to_jiffies(2000))) 136 + return -EIO; 137 + return 0; 138 +} 139 + 140 +static int invalidate_vbmeta(dev_t vbmeta_devt) 141 +{ 142 + int ret = 0; 143 + struct block_device *bdev; 144 + struct bio *bio; 145 + struct page *page; 146 + fmode_t dev_mode; 147 + /* Ensure we do synchronous unblocked I/O. We may also need 148 + * sync_bdev() on completion, but it really shouldn't. 
149 + */ 150 + int rw = REQ_SYNC | REQ_SOFTBARRIER | REQ_NOIDLE; 151 + int access_last_sector = 0; 152 + 153 + DMINFO("invalidate_vbmeta: acting on device %d:%d", 154 + MAJOR(vbmeta_devt), MINOR(vbmeta_devt)); 155 + 156 + /* First we open the device for reading. */ 157 + dev_mode = FMODE_READ | FMODE_EXCL; 158 + bdev = blkdev_get_by_dev(vbmeta_devt, dev_mode, 159 + invalidate_vbmeta); 160 + if (IS_ERR(bdev)) { 161 + DMERR("invalidate_kernel: could not open device for reading"); 162 + dev_mode = 0; 163 + ret = -ENOENT; 164 + goto failed_to_read; 165 + } 166 + 167 + bio = bio_alloc(GFP_NOIO, 1); 168 + if (!bio) { 169 + ret = -ENOMEM; 170 + goto failed_bio_alloc; 171 + } 172 + 173 + page = alloc_page(GFP_NOIO); 174 + if (!page) { 175 + ret = -ENOMEM; 176 + goto failed_to_alloc_page; 177 + } 178 + 179 + access_last_sector = 0; 180 + ret = invalidate_vbmeta_submit(bio, bdev, rw, access_last_sector, page); 181 + if (ret) { 182 + DMERR("invalidate_vbmeta: error reading"); 183 + goto failed_to_submit_read; 184 + } 185 + 186 + /* We have a page. Let's make sure it looks right. */ 187 + if (memcmp("AVB0", page_address(page), 4) == 0) { 188 + /* Stamp it. */ 189 + memcpy(page_address(page), "AVE0", 4); 190 + DMINFO("invalidate_vbmeta: found vbmeta partition"); 191 + } else { 192 + /* Could be this is on a AVB footer, check. Also, since the 193 + * AVB footer is in the last 64 bytes, adjust for the fact that 194 + * we're dealing with 512-byte sectors. 195 + */ 196 + size_t offset = (1<<SECTOR_SHIFT) - 64; 197 + 198 + access_last_sector = 1; 199 + ret = invalidate_vbmeta_submit(bio, bdev, rw, 200 + access_last_sector, page); 201 + if (ret) { 202 + DMERR("invalidate_vbmeta: error reading"); 203 + goto failed_to_submit_read; 204 + } 205 + if (memcmp("AVBf", page_address(page) + offset, 4) != 0) { 206 + DMERR("invalidate_vbmeta on non-vbmeta partition"); 207 + ret = -EINVAL; 208 + goto invalid_header; 209 + } 210 + /* Stamp it. 
*/ 211 + memcpy(page_address(page) + offset, "AVE0", 4); 212 + DMINFO("invalidate_vbmeta: found vbmeta footer partition"); 213 + } 214 + 215 + /* Now rewrite the changed page - the block dev was being 216 + * changed on read. Let's reopen here. 217 + */ 218 + blkdev_put(bdev, dev_mode); 219 + dev_mode = FMODE_WRITE | FMODE_EXCL; 220 + bdev = blkdev_get_by_dev(vbmeta_devt, dev_mode, 221 + invalidate_vbmeta); 222 + if (IS_ERR(bdev)) { 223 + DMERR("invalidate_vbmeta: could not open device for writing"); 224 + dev_mode = 0; 225 + ret = -ENOENT; 226 + goto failed_to_write; 227 + } 228 + 229 + /* We re-use the same bio to do the write after the read. Need to reset 230 + * it to initialize bio->bi_remaining. 231 + */ 232 + bio_reset(bio); 233 + 234 + rw |= REQ_WRITE; 235 + ret = invalidate_vbmeta_submit(bio, bdev, rw, access_last_sector, page); 236 + if (ret) { 237 + DMERR("invalidate_vbmeta: error writing"); 238 + goto failed_to_submit_write; 239 + } 240 + 241 + DMERR("invalidate_vbmeta: completed."); 242 + ret = 0; 243 +failed_to_submit_write: 244 +failed_to_write: 245 +invalid_header: 246 + __free_page(page); 247 +failed_to_submit_read: 248 + /* Technically, we'll leak a page with the pending bio, but 249 + * we're about to reboot anyway. 
250 + */ 251 +failed_to_alloc_page: 252 + bio_put(bio); 253 +failed_bio_alloc: 254 + if (dev_mode) 255 + blkdev_put(bdev, dev_mode); 256 +failed_to_read: 257 + return ret; 258 +} 259 + 260 +void dm_verity_avb_error_handler(void) 261 +{ 262 + dev_t dev; 263 + 264 + DMINFO("AVB error handler called for %s", avb_vbmeta_device); 265 + 266 + if (strcmp(avb_invalidate_on_error, "yes") != 0) { 267 + DMINFO("Not configured to invalidate"); 268 + return; 269 + } 270 + 271 + if (avb_vbmeta_device[0] == '\0') { 272 + DMERR("avb_vbmeta_device parameter not set"); 273 + goto fail_no_dev; 274 + } 275 + 276 + dev = name_to_dev_t(avb_vbmeta_device); 277 + if (!dev) { 278 + DMERR("No matching partition for device: %s", 279 + avb_vbmeta_device); 280 + goto fail_no_dev; 281 + } 282 + 283 + invalidate_vbmeta(dev); 284 + 285 +fail_no_dev: 286 + ; 287 +} 288 + 289 +static int __init dm_verity_avb_init(void) 290 +{ 291 + DMINFO("AVB error handler initialized with vbmeta device: %s", 292 + avb_vbmeta_device); 293 + return 0; 294 +} 295 + 296 +static void __exit dm_verity_avb_exit(void) 297 +{ 298 +} 299 + 300 +module_init(dm_verity_avb_init); 301 +module_exit(dm_verity_avb_exit); 302 + 303 +MODULE_AUTHOR("David Zeuthen <zeuthen (a] google.com>"); 304 +MODULE_DESCRIPTION("AVB-specific error handler for dm-verity"); 305 +MODULE_LICENSE("GPL"); 306 + 307 +/* Declare parameter with no module prefix */ 308 +#undef MODULE_PARAM_PREFIX 309 +#define MODULE_PARAM_PREFIX "androidboot.vbmeta." 310 +module_param_string(device, avb_vbmeta_device, sizeof(avb_vbmeta_device), 0); 311 +module_param_string(invalidate_on_error, avb_invalidate_on_error, 312 + sizeof(avb_invalidate_on_error), 0); 313 diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c 314 index c7e97cf6e7fb..e34cf53bd068 100644 315 --- a/drivers/md/dm-verity-target.c 316 +++ b/drivers/md/dm-verity-target.c 317 
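Review bot: The footer read in invalidate_vbmeta_submit looks out of bounds: with access_last_sector set, bi_sector is the last 512-byte sector but bio_add_page still asks for PAGE_SIZE bytes, so on any page size above 512 the request extends past the end of the device and I would expect the block layer to fail it with EIO before the `AVBf` check in invalidate_vbmeta is reached (the commit's test log only exercises the vbmeta-at-start path). Starting the read one page before the end, `last_sector = (i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) - (PAGE_SIZE >> SECTOR_SHIFT);`, with `size_t offset = PAGE_SIZE - 64;` in the caller, keeps it in bounds for page-aligned partitions; a device shorter than a page also needs an explicit check, since the subtraction otherwise wraps. On the wait_for_completion_timeout path the bio is still in flight with `bi_private` pointing at the on-stack completion, yet the cleanup labels still run `bio_put(bio)` on it, so a late completion would call invalidate_vbmeta_endio on freed memory; the comment at failed_to_submit_read already accepts leaking the page, and skipping the `bio_put()` on that path too is the safe way to honour it. Two message nits: `DMERR("invalidate_kernel: could not open device for reading")` is a leftover from the ChromeOS file and should say `invalidate_vbmeta`, and the success line `DMERR("invalidate_vbmeta: completed.")` logs at error severity where DMINFO matches the surrounding messages.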
@@ -233,8 +233,12 @@ out: 318 if (v->mode == DM_VERITY_MODE_LOGGING) 319 return 0; 320 321 - if (v->mode == DM_VERITY_MODE_RESTART) 322 + if (v->mode == DM_VERITY_MODE_RESTART) { 323 +#ifdef CONFIG_DM_VERITY_AVB 324 + dm_verity_avb_error_handler(); 325 +#endif 326 kernel_restart("dm-verity device corrupted"); 327 + } 328 329 return 1; 330 } 331 diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h 332 index 75effca400a3..a90d1d416107 100644 333 --- a/drivers/md/dm-verity.h 334 +++ b/drivers/md/dm-verity.h 335 @@ -136,4 +136,5 @@ extern void verity_io_hints(struct dm_target *ti, struct queue_limits *limits); 336 extern void verity_dtr(struct dm_target *ti); 337 extern int verity_ctr(struct dm_target *ti, unsigned argc, char **argv); 338 extern int verity_map(struct dm_target *ti, struct bio *bio); 339 +extern void dm_verity_avb_error_handler(void); 340 #endif /* DM_VERITY_H */ 341 -- 342 2.14.1.581.gf28d330327-goog 343 344
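Review bot: The new call site gives no hint that dm_verity_avb_error_handler() blocks: it opens the vbmeta block device exclusively and waits up to two seconds per synchronous I/O, so the branch is only safe if verity_handle_err is never reached from atomic context (which I believe holds for the worker path but cannot confirm from the hunk). A comment such as `/* May sleep: opens the vbmeta device and rewrites its header before restart. */` above the call would record that constraint for whoever moves this code next. The `#ifdef` in the middle of the branch could also be avoided by giving dm-verity.h a `static inline` no-op stub when CONFIG_DM_VERITY_AVB is unset, keeping the call unconditional here. verity_handle_err starts outside the hunk.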