1 /* 2 * Copyright (C) 2013 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include <inttypes.h> 18 #include <stdio.h> 19 #include <stdlib.h> 20 #include <string.h> 21 #include <unistd.h> 22 #include <fcntl.h> 23 #include <ctype.h> 24 #include <sys/mount.h> 25 #include <sys/stat.h> 26 #include <errno.h> 27 #include <sys/types.h> 28 #include <sys/wait.h> 29 #include <libgen.h> 30 #include <time.h> 31 32 #include <private/android_filesystem_config.h> 33 #include <cutils/properties.h> 34 #include <logwrap/logwrap.h> 35 36 #include "mincrypt/rsa.h" 37 #include "mincrypt/sha.h" 38 #include "mincrypt/sha256.h" 39 40 #include "ext4_sb.h" 41 #include "squashfs_utils.h" 42 43 #include "fs_mgr_priv.h" 44 #include "fs_mgr_priv_verity.h" 45 46 #define FSTAB_PREFIX "/fstab." 47 48 #define VERITY_METADATA_SIZE 32768 49 #define VERITY_TABLE_RSA_KEY "/verity_key" 50 51 #define METADATA_MAGIC 0x01564c54 52 #define METADATA_TAG_MAX_LENGTH 63 53 #define METADATA_EOD "eod" 54 55 #define VERITY_LASTSIG_TAG "verity_lastsig" 56 57 #define VERITY_STATE_TAG "verity_state" 58 #define VERITY_STATE_HEADER 0x83c0ae9d 59 #define VERITY_STATE_VERSION 1 60 61 #define VERITY_KMSG_RESTART "dm-verity device corrupted" 62 #define VERITY_KMSG_BUFSIZE 1024 63 64 #define __STRINGIFY(x) #x 65 #define STRINGIFY(x) __STRINGIFY(x) 66 67 struct verity_state { 68 uint32_t header; 69 uint32_t version; 70 int32_t mode; 71 }; 72 73 extern struct fs_info info; 74 75 static RSAPublicKey *load_key(char *path) 76 { 77 FILE *f; 78 RSAPublicKey *key; 79 80 key = malloc(sizeof(RSAPublicKey)); 81 if (!key) { 82 ERROR("Can't malloc key\n"); 83 return NULL; 84 } 85 86 f = fopen(path, "r"); 87 if (!f) { 88 ERROR("Can't open '%s'\n", path); 89 free(key); 90 return NULL; 91 } 92 93 if (!fread(key, sizeof(*key), 1, f)) { 94 ERROR("Could not read key!"); 95 fclose(f); 96 free(key); 97 return NULL; 98 } 99 100 if (key->len != RSANUMWORDS) { 101 ERROR("Invalid key length %d\n", key->len); 102 fclose(f); 103 free(key); 104 return NULL; 105 } 106 107 fclose(f); 108 return key; 109 } 110 111 static int verify_table(char *signature, char *table, int table_length) 112 { 113 RSAPublicKey *key; 114 uint8_t hash_buf[SHA256_DIGEST_SIZE]; 115 int retval = -1; 116 117 // Hash the table 118 SHA256_hash((uint8_t*)table, table_length, hash_buf); 119 120 // Now get the public key from the keyfile 121 key = load_key(VERITY_TABLE_RSA_KEY); 122 if (!key) { 123 ERROR("Couldn't load verity keys"); 124 goto out; 125 } 126 127 // verify the result 128 if (!RSA_verify(key, 129 (uint8_t*) signature, 130 RSANUMBYTES, 131 (uint8_t*) hash_buf, 132 SHA256_DIGEST_SIZE)) { 133 ERROR("Couldn't verify table."); 134 goto out; 135 } 136 137 retval = 0; 138 139 out: 140 free(key); 141 return retval; 142 } 143 144 static int squashfs_get_target_device_size(char *blk_device, uint64_t *device_size) 145 { 146 struct squashfs_info sq_info; 147 148 if (squashfs_parse_sb(blk_device, &sq_info) >= 0) { 149 *device_size = sq_info.bytes_used_4K_padded; 150 return 0; 151 } else { 152 return -1; 153 } 154 } 155 156 static int ext4_get_target_device_size(char *blk_device, uint64_t *device_size) 157 { 158 int data_device; 159 struct ext4_super_block sb; 160 struct fs_info info; 161 162 info.len = 0; /* Only len is set to 0 to ask the device for real size. */ 163 164 data_device = TEMP_FAILURE_RETRY(open(blk_device, O_RDONLY | O_CLOEXEC)); 165 if (data_device == -1) { 166 ERROR("Error opening block device (%s)", strerror(errno)); 167 return -1; 168 } 169 170 if (TEMP_FAILURE_RETRY(lseek64(data_device, 1024, SEEK_SET)) < 0) { 171 ERROR("Error seeking to superblock"); 172 close(data_device); 173 return -1; 174 } 175 176 if (TEMP_FAILURE_RETRY(read(data_device, &sb, sizeof(sb))) != sizeof(sb)) { 177 ERROR("Error reading superblock"); 178 close(data_device); 179 return -1; 180 } 181 182 ext4_parse_sb(&sb, &info); 183 *device_size = info.len; 184 185 close(data_device); 186 return 0; 187 } 188 189 static int get_fs_size(char *fs_type, char *blk_device, uint64_t *device_size) { 190 if (!strcmp(fs_type, "ext4")) { 191 if (ext4_get_target_device_size(blk_device, device_size) < 0) { 192 ERROR("Failed to get ext4 fs size on %s.", blk_device); 193 return -1; 194 } 195 } else if (!strcmp(fs_type, "squashfs")) { 196 if (squashfs_get_target_device_size(blk_device, device_size) < 0) { 197 ERROR("Failed to get squashfs fs size on %s.", blk_device); 198 return -1; 199 } 200 } else { 201 ERROR("%s: Unsupported filesystem for verity.", fs_type); 202 return -1; 203 } 204 return 0; 205 } 206 207 static int read_verity_metadata(uint64_t device_size, char *block_device, char **signature, 208 char **table) 209 { 210 unsigned magic_number; 211 unsigned table_length; 212 int protocol_version; 213 int device; 214 int retval = FS_MGR_SETUP_VERITY_FAIL; 215 216 *signature = NULL; 217 218 if (table) { 219 *table = NULL; 220 } 221 222 device = TEMP_FAILURE_RETRY(open(block_device, O_RDONLY | O_CLOEXEC)); 223 if (device == -1) { 224 ERROR("Could not open block device %s (%s).\n", block_device, strerror(errno)); 225 goto out; 226 } 227 228 if (TEMP_FAILURE_RETRY(lseek64(device, device_size, SEEK_SET)) < 0) { 229 ERROR("Could not seek to start of verity metadata block.\n"); 230 goto out; 231 } 232 233 // check the magic number 234 if (TEMP_FAILURE_RETRY(read(device, &magic_number, sizeof(magic_number))) != 235 sizeof(magic_number)) { 236 ERROR("Couldn't read magic number!\n"); 237 goto out; 238 } 239 240 #ifdef ALLOW_ADBD_DISABLE_VERITY 241 if (magic_number == VERITY_METADATA_MAGIC_DISABLE) { 242 retval = FS_MGR_SETUP_VERITY_DISABLED; 243 INFO("Attempt to cleanly disable verity - only works in USERDEBUG"); 244 goto out; 245 } 246 #endif 247 248 if (magic_number != VERITY_METADATA_MAGIC_NUMBER) { 249 ERROR("Couldn't find verity metadata at offset %"PRIu64"!\n", device_size); 250 goto out; 251 } 252 253 // check the protocol version 254 if (TEMP_FAILURE_RETRY(read(device, &protocol_version, 255 sizeof(protocol_version))) != sizeof(protocol_version)) { 256 ERROR("Couldn't read verity metadata protocol version!\n"); 257 goto out; 258 } 259 if (protocol_version != 0) { 260 ERROR("Got unknown verity metadata protocol version %d!\n", protocol_version); 261 goto out; 262 } 263 264 // get the signature 265 *signature = (char*) malloc(RSANUMBYTES); 266 if (!*signature) { 267 ERROR("Couldn't allocate memory for signature!\n"); 268 goto out; 269 } 270 if (TEMP_FAILURE_RETRY(read(device, *signature, RSANUMBYTES)) != RSANUMBYTES) { 271 ERROR("Couldn't read signature from verity metadata!\n"); 272 goto out; 273 } 274 275 if (!table) { 276 retval = FS_MGR_SETUP_VERITY_SUCCESS; 277 goto out; 278 } 279 280 // get the size of the table 281 if (TEMP_FAILURE_RETRY(read(device, &table_length, sizeof(table_length))) != 282 sizeof(table_length)) { 283 ERROR("Couldn't get the size of the verity table from metadata!\n"); 284 goto out; 285 } 286 287 // get the table + null terminator 288 *table = malloc(table_length + 1); 289 if (!*table) { 290 ERROR("Couldn't allocate memory for verity table!\n"); 291 goto out; 292 } 293 if (TEMP_FAILURE_RETRY(read(device, *table, table_length)) != 294 (ssize_t)table_length) { 295 ERROR("Couldn't read the verity table from metadata!\n"); 296 goto out; 297 } 298 299 (*table)[table_length] = 0; 300 retval = FS_MGR_SETUP_VERITY_SUCCESS; 301 302 out: 303 if (device != -1) 304 close(device); 305 306 if (retval != FS_MGR_SETUP_VERITY_SUCCESS) { 307 free(*signature); 308 *signature = NULL; 309 310 if (table) { 311 free(*table); 312 *table = NULL; 313 } 314 } 315 316 return retval; 317 } 318 319 static void verity_ioctl_init(struct dm_ioctl *io, char *name, unsigned flags) 320 { 321 memset(io, 0, DM_BUF_SIZE); 322 io->data_size = DM_BUF_SIZE; 323 io->data_start = sizeof(struct dm_ioctl); 324 io->version[0] = 4; 325 io->version[1] = 0; 326 io->version[2] = 0; 327 io->flags = flags | DM_READONLY_FLAG; 328 if (name) { 329 strlcpy(io->name, name, sizeof(io->name)); 330 } 331 } 332 333 static int create_verity_device(struct dm_ioctl *io, char *name, int fd) 334 { 335 verity_ioctl_init(io, name, 1); 336 if (ioctl(fd, DM_DEV_CREATE, io)) { 337 ERROR("Error creating device mapping (%s)", strerror(errno)); 338 return -1; 339 } 340 return 0; 341 } 342 343 static int get_verity_device_name(struct dm_ioctl *io, char *name, int fd, char **dev_name) 344 { 345 verity_ioctl_init(io, name, 0); 346 if (ioctl(fd, DM_DEV_STATUS, io)) { 347 ERROR("Error fetching verity device number (%s)", strerror(errno)); 348 return -1; 349 } 350 int dev_num = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 351 if (asprintf(dev_name, "/dev/block/dm-%u", dev_num) < 0) { 352 ERROR("Error getting verity block device name (%s)", strerror(errno)); 353 return -1; 354 } 355 return 0; 356 } 357 358 static int load_verity_table(struct dm_ioctl *io, char *name, uint64_t device_size, int fd, char *table, 359 int mode) 360 { 361 char *verity_params; 362 char *buffer = (char*) io; 363 size_t bufsize; 364 365 verity_ioctl_init(io, name, DM_STATUS_TABLE_FLAG); 366 367 struct dm_target_spec *tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 368 369 // set tgt arguments here 370 io->target_count = 1; 371 tgt->status=0; 372 tgt->sector_start=0; 373 tgt->length=device_size/512; 374 strcpy(tgt->target_type, "verity"); 375 376 // build the verity params here 377 verity_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 378 bufsize = DM_BUF_SIZE - (verity_params - buffer); 379 380 if (mode == VERITY_MODE_EIO) { 381 // allow operation with older dm-verity drivers that are unaware 382 // of the mode parameter by omitting it; this also means that we 383 // cannot use logging mode with these drivers, they always cause 384 // an I/O error for corrupted blocks 385 strcpy(verity_params, table); 386 } else if (snprintf(verity_params, bufsize, "%s %d", table, mode) < 0) { 387 return -1; 388 } 389 390 // set next target boundary 391 verity_params += strlen(verity_params) + 1; 392 verity_params = (char*) (((unsigned long)verity_params + 7) & ~8); 393 tgt->next = verity_params - buffer; 394 395 // send the ioctl to load the verity table 396 if (ioctl(fd, DM_TABLE_LOAD, io)) { 397 ERROR("Error loading verity table (%s)", strerror(errno)); 398 return -1; 399 } 400 401 return 0; 402 } 403 404 static int resume_verity_table(struct dm_ioctl *io, char *name, int fd) 405 { 406 verity_ioctl_init(io, name, 0); 407 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 408 ERROR("Error activating verity device (%s)", strerror(errno)); 409 return -1; 410 } 411 return 0; 412 } 413 414 static int test_access(char *device) { 415 int tries = 25; 416 while (tries--) { 417 if (!access(device, F_OK) || errno != ENOENT) { 418 return 0; 419 } 420 usleep(40 * 1000); 421 } 422 return -1; 423 } 424 425 static int check_verity_restart(const char *fname) 426 { 427 char buffer[VERITY_KMSG_BUFSIZE + 1]; 428 int fd; 429 int rc = 0; 430 ssize_t size; 431 struct stat s; 432 433 fd = TEMP_FAILURE_RETRY(open(fname, O_RDONLY | O_CLOEXEC)); 434 435 if (fd == -1) { 436 if (errno != ENOENT) { 437 ERROR("Failed to open %s (%s)\n", fname, strerror(errno)); 438 } 439 goto out; 440 } 441 442 if (fstat(fd, &s) == -1) { 443 ERROR("Failed to fstat %s (%s)\n", fname, strerror(errno)); 444 goto out; 445 } 446 447 size = VERITY_KMSG_BUFSIZE; 448 449 if (size > s.st_size) { 450 size = s.st_size; 451 } 452 453 if (lseek(fd, s.st_size - size, SEEK_SET) == -1) { 454 ERROR("Failed to lseek %jd %s (%s)\n", (intmax_t)(s.st_size - size), fname, 455 strerror(errno)); 456 goto out; 457 } 458 459 if (TEMP_FAILURE_RETRY(read(fd, buffer, size)) != size) { 460 ERROR("Failed to read %zd bytes from %s (%s)\n", size, fname, 461 strerror(errno)); 462 goto out; 463 } 464 465 buffer[size] = '\0'; 466 467 if (strstr(buffer, VERITY_KMSG_RESTART) != NULL) { 468 rc = 1; 469 } 470 471 out: 472 if (fd != -1) { 473 close(fd); 474 } 475 476 return rc; 477 } 478 479 static int was_verity_restart() 480 { 481 static const char *files[] = { 482 "/sys/fs/pstore/console-ramoops", 483 "/proc/last_kmsg", 484 NULL 485 }; 486 int i; 487 488 for (i = 0; files[i]; ++i) { 489 if (check_verity_restart(files[i])) { 490 return 1; 491 } 492 } 493 494 return 0; 495 } 496 497 static int metadata_add(FILE *fp, long start, const char *tag, 498 unsigned int length, off64_t *offset) 499 { 500 if (fseek(fp, start, SEEK_SET) < 0 || 501 fprintf(fp, "%s %u\n", tag, length) < 0) { 502 return -1; 503 } 504 505 *offset = ftell(fp); 506 507 if (fseek(fp, length, SEEK_CUR) < 0 || 508 fprintf(fp, METADATA_EOD " 0\n") < 0) { 509 return -1; 510 } 511 512 return 0; 513 } 514 515 static int metadata_find(const char *fname, const char *stag, 516 unsigned int slength, off64_t *offset) 517 { 518 FILE *fp = NULL; 519 char tag[METADATA_TAG_MAX_LENGTH + 1]; 520 int rc = -1; 521 int n; 522 long start = 0x4000; /* skip cryptfs metadata area */ 523 uint32_t magic; 524 unsigned int length = 0; 525 526 if (!fname) { 527 return -1; 528 } 529 530 fp = fopen(fname, "r+"); 531 532 if (!fp) { 533 ERROR("Failed to open %s (%s)\n", fname, strerror(errno)); 534 goto out; 535 } 536 537 /* check magic */ 538 if (fseek(fp, start, SEEK_SET) < 0 || 539 fread(&magic, sizeof(magic), 1, fp) != 1) { 540 ERROR("Failed to read magic from %s (%s)\n", fname, strerror(errno)); 541 goto out; 542 } 543 544 if (magic != METADATA_MAGIC) { 545 magic = METADATA_MAGIC; 546 547 if (fseek(fp, start, SEEK_SET) < 0 || 548 fwrite(&magic, sizeof(magic), 1, fp) != 1) { 549 ERROR("Failed to write magic to %s (%s)\n", fname, strerror(errno)); 550 goto out; 551 } 552 553 rc = metadata_add(fp, start + sizeof(magic), stag, slength, offset); 554 if (rc < 0) { 555 ERROR("Failed to add metadata to %s: %s\n", fname, strerror(errno)); 556 } 557 558 goto out; 559 } 560 561 start += sizeof(magic); 562 563 while (1) { 564 n = fscanf(fp, "%" STRINGIFY(METADATA_TAG_MAX_LENGTH) "s %u\n", 565 tag, &length); 566 567 if (n == 2 && strcmp(tag, METADATA_EOD)) { 568 /* found a tag */ 569 start = ftell(fp); 570 571 if (!strcmp(tag, stag) && length == slength) { 572 *offset = start; 573 rc = 0; 574 goto out; 575 } 576 577 start += length; 578 579 if (fseek(fp, length, SEEK_CUR) < 0) { 580 ERROR("Failed to seek %s (%s)\n", fname, strerror(errno)); 581 goto out; 582 } 583 } else { 584 rc = metadata_add(fp, start, stag, slength, offset); 585 if (rc < 0) { 586 ERROR("Failed to write metadata to %s: %s\n", fname, 587 strerror(errno)); 588 } 589 goto out; 590 } 591 } 592 593 out: 594 if (fp) { 595 fflush(fp); 596 fclose(fp); 597 } 598 599 return rc; 600 } 601 602 static int write_verity_state(const char *fname, off64_t offset, int32_t mode) 603 { 604 int fd; 605 int rc = -1; 606 struct verity_state s = { VERITY_STATE_HEADER, VERITY_STATE_VERSION, mode }; 607 608 fd = TEMP_FAILURE_RETRY(open(fname, O_WRONLY | O_SYNC | O_CLOEXEC)); 609 610 if (fd == -1) { 611 ERROR("Failed to open %s (%s)\n", fname, strerror(errno)); 612 goto out; 613 } 614 615 if (TEMP_FAILURE_RETRY(pwrite64(fd, &s, sizeof(s), offset)) != sizeof(s)) { 616 ERROR("Failed to write %zu bytes to %s to offset %" PRIu64 " (%s)\n", 617 sizeof(s), fname, offset, strerror(errno)); 618 goto out; 619 } 620 621 rc = 0; 622 623 out: 624 if (fd != -1) { 625 close(fd); 626 } 627 628 return rc; 629 } 630 631 static int read_verity_state(const char *fname, off64_t offset, int *mode) 632 { 633 int fd = -1; 634 int rc = -1; 635 struct verity_state s; 636 637 fd = TEMP_FAILURE_RETRY(open(fname, O_RDONLY | O_CLOEXEC)); 638 639 if (fd == -1) { 640 ERROR("Failed to open %s (%s)\n", fname, strerror(errno)); 641 goto out; 642 } 643 644 if (TEMP_FAILURE_RETRY(pread64(fd, &s, sizeof(s), offset)) != sizeof(s)) { 645 ERROR("Failed to read %zu bytes from %s offset %" PRIu64 " (%s)\n", 646 sizeof(s), fname, offset, strerror(errno)); 647 goto out; 648 } 649 650 if (s.header != VERITY_STATE_HEADER) { 651 /* space allocated, but no state written. write default state */ 652 *mode = VERITY_MODE_DEFAULT; 653 rc = write_verity_state(fname, offset, *mode); 654 goto out; 655 } 656 657 if (s.version != VERITY_STATE_VERSION) { 658 ERROR("Unsupported verity state version (%u)\n", s.version); 659 goto out; 660 } 661 662 if (s.mode < VERITY_MODE_EIO || 663 s.mode > VERITY_MODE_LAST) { 664 ERROR("Unsupported verity mode (%u)\n", s.mode); 665 goto out; 666 } 667 668 *mode = s.mode; 669 rc = 0; 670 671 out: 672 if (fd != -1) { 673 close(fd); 674 } 675 676 return rc; 677 } 678 679 static int compare_last_signature(struct fstab_rec *fstab, int *match) 680 { 681 char tag[METADATA_TAG_MAX_LENGTH + 1]; 682 char *signature = NULL; 683 int fd = -1; 684 int rc = -1; 685 uint8_t curr[SHA256_DIGEST_SIZE]; 686 uint8_t prev[SHA256_DIGEST_SIZE]; 687 off64_t offset = 0; 688 uint64_t device_size; 689 690 *match = 1; 691 692 // get verity filesystem size 693 if (get_fs_size(fstab->fs_type, fstab->blk_device, &device_size) < 0) { 694 ERROR("Failed to get filesystem size\n"); 695 goto out; 696 } 697 698 if (read_verity_metadata(device_size, fstab->blk_device, &signature, NULL) < 0) { 699 ERROR("Failed to read verity signature from %s\n", fstab->mount_point); 700 goto out; 701 } 702 703 SHA256_hash(signature, RSANUMBYTES, curr); 704 705 if (snprintf(tag, sizeof(tag), VERITY_LASTSIG_TAG "_%s", 706 basename(fstab->mount_point)) >= (int)sizeof(tag)) { 707 ERROR("Metadata tag name too long for %s\n", fstab->mount_point); 708 goto out; 709 } 710 711 if (metadata_find(fstab->verity_loc, tag, SHA256_DIGEST_SIZE, 712 &offset) < 0) { 713 goto out; 714 } 715 716 fd = TEMP_FAILURE_RETRY(open(fstab->verity_loc, O_RDWR | O_SYNC | O_CLOEXEC)); 717 718 if (fd == -1) { 719 ERROR("Failed to open %s: %s\n", fstab->verity_loc, strerror(errno)); 720 goto out; 721 } 722 723 if (TEMP_FAILURE_RETRY(pread64(fd, prev, sizeof(prev), 724 offset)) != sizeof(prev)) { 725 ERROR("Failed to read %zu bytes from %s offset %" PRIu64 " (%s)\n", 726 sizeof(prev), fstab->verity_loc, offset, strerror(errno)); 727 goto out; 728 } 729 730 *match = !memcmp(curr, prev, SHA256_DIGEST_SIZE); 731 732 if (!*match) { 733 /* update current signature hash */ 734 if (TEMP_FAILURE_RETRY(pwrite64(fd, curr, sizeof(curr), 735 offset)) != sizeof(curr)) { 736 ERROR("Failed to write %zu bytes to %s offset %" PRIu64 " (%s)\n", 737 sizeof(curr), fstab->verity_loc, offset, strerror(errno)); 738 goto out; 739 } 740 } 741 742 rc = 0; 743 744 out: 745 free(signature); 746 747 if (fd != -1) { 748 close(fd); 749 } 750 751 return rc; 752 } 753 754 static int get_verity_state_offset(struct fstab_rec *fstab, off64_t *offset) 755 { 756 char tag[METADATA_TAG_MAX_LENGTH + 1]; 757 758 if (snprintf(tag, sizeof(tag), VERITY_STATE_TAG "_%s", 759 basename(fstab->mount_point)) >= (int)sizeof(tag)) { 760 ERROR("Metadata tag name too long for %s\n", fstab->mount_point); 761 return -1; 762 } 763 764 return metadata_find(fstab->verity_loc, tag, sizeof(struct verity_state), 765 offset); 766 } 767 768 static int load_verity_state(struct fstab_rec *fstab, int *mode) 769 { 770 char propbuf[PROPERTY_VALUE_MAX]; 771 int match = 0; 772 off64_t offset = 0; 773 774 /* use the kernel parameter if set */ 775 property_get("ro.boot.veritymode", propbuf, ""); 776 777 if (*propbuf != '\0') { 778 if (!strcmp(propbuf, "enforcing")) { 779 *mode = VERITY_MODE_DEFAULT; 780 return 0; 781 } else if (!strcmp(propbuf, "logging")) { 782 *mode = VERITY_MODE_LOGGING; 783 return 0; 784 } else { 785 INFO("Unknown value %s for veritymode; ignoring", propbuf); 786 } 787 } 788 789 if (get_verity_state_offset(fstab, &offset) < 0) { 790 /* fall back to stateless behavior */ 791 *mode = VERITY_MODE_EIO; 792 return 0; 793 } 794 795 if (was_verity_restart()) { 796 /* device was restarted after dm-verity detected a corrupted 797 * block, so switch to logging mode */ 798 *mode = VERITY_MODE_LOGGING; 799 return write_verity_state(fstab->verity_loc, offset, *mode); 800 } 801 802 if (!compare_last_signature(fstab, &match) && !match) { 803 /* partition has been reflashed, reset dm-verity state */ 804 *mode = VERITY_MODE_DEFAULT; 805 return write_verity_state(fstab->verity_loc, offset, *mode); 806 } 807 808 return read_verity_state(fstab->verity_loc, offset, mode); 809 } 810 811 int fs_mgr_load_verity_state(int *mode) 812 { 813 char fstab_filename[PROPERTY_VALUE_MAX + sizeof(FSTAB_PREFIX)]; 814 char propbuf[PROPERTY_VALUE_MAX]; 815 int rc = -1; 816 int i; 817 int current; 818 struct fstab *fstab = NULL; 819 820 /* return the default mode, unless any of the verified partitions are in 821 * logging mode, in which case return that */ 822 *mode = VERITY_MODE_DEFAULT; 823 824 property_get("ro.hardware", propbuf, ""); 825 snprintf(fstab_filename, sizeof(fstab_filename), FSTAB_PREFIX"%s", propbuf); 826 827 fstab = fs_mgr_read_fstab(fstab_filename); 828 829 if (!fstab) { 830 ERROR("Failed to read %s\n", fstab_filename); 831 goto out; 832 } 833 834 for (i = 0; i < fstab->num_entries; i++) { 835 if (!fs_mgr_is_verified(&fstab->recs[i])) { 836 continue; 837 } 838 839 rc = load_verity_state(&fstab->recs[i], ¤t); 840 if (rc < 0) { 841 continue; 842 } 843 844 if (current == VERITY_MODE_LOGGING) { 845 *mode = current; 846 } 847 } 848 849 rc = 0; 850 851 out: 852 if (fstab) { 853 fs_mgr_free_fstab(fstab); 854 } 855 856 return rc; 857 } 858 859 int fs_mgr_update_verity_state(fs_mgr_verity_state_callback callback) 860 { 861 _Alignas(struct dm_ioctl) char buffer[DM_BUF_SIZE]; 862 char fstab_filename[PROPERTY_VALUE_MAX + sizeof(FSTAB_PREFIX)]; 863 char *mount_point; 864 char propbuf[PROPERTY_VALUE_MAX]; 865 char *status; 866 int fd = -1; 867 int i; 868 int mode; 869 int rc = -1; 870 off64_t offset = 0; 871 struct dm_ioctl *io = (struct dm_ioctl *) buffer; 872 struct fstab *fstab = NULL; 873 874 /* check if we need to store the state */ 875 property_get("ro.boot.veritymode", propbuf, ""); 876 877 if (*propbuf != '\0') { 878 return 0; /* state is kept by the bootloader */ 879 } 880 881 fd = TEMP_FAILURE_RETRY(open("/dev/device-mapper", O_RDWR | O_CLOEXEC)); 882 883 if (fd == -1) { 884 ERROR("Error opening device mapper (%s)\n", strerror(errno)); 885 goto out; 886 } 887 888 property_get("ro.hardware", propbuf, ""); 889 snprintf(fstab_filename, sizeof(fstab_filename), FSTAB_PREFIX"%s", propbuf); 890 891 fstab = fs_mgr_read_fstab(fstab_filename); 892 893 if (!fstab) { 894 ERROR("Failed to read %s\n", fstab_filename); 895 goto out; 896 } 897 898 for (i = 0; i < fstab->num_entries; i++) { 899 if (!fs_mgr_is_verified(&fstab->recs[i])) { 900 continue; 901 } 902 903 if (get_verity_state_offset(&fstab->recs[i], &offset) < 0 || 904 read_verity_state(fstab->recs[i].verity_loc, offset, &mode) < 0) { 905 continue; 906 } 907 908 mount_point = basename(fstab->recs[i].mount_point); 909 verity_ioctl_init(io, mount_point, 0); 910 911 if (ioctl(fd, DM_TABLE_STATUS, io)) { 912 ERROR("Failed to query DM_TABLE_STATUS for %s (%s)\n", mount_point, 913 strerror(errno)); 914 continue; 915 } 916 917 status = &buffer[io->data_start + sizeof(struct dm_target_spec)]; 918 919 if (*status == 'C') { 920 if (write_verity_state(fstab->recs[i].verity_loc, offset, 921 VERITY_MODE_LOGGING) < 0) { 922 continue; 923 } 924 } 925 926 if (callback) { 927 callback(&fstab->recs[i], mount_point, mode, *status); 928 } 929 } 930 931 rc = 0; 932 933 out: 934 if (fstab) { 935 fs_mgr_free_fstab(fstab); 936 } 937 938 if (fd) { 939 close(fd); 940 } 941 942 return rc; 943 } 944 945 int fs_mgr_setup_verity(struct fstab_rec *fstab) { 946 947 int retval = FS_MGR_SETUP_VERITY_FAIL; 948 int fd = -1; 949 int mode; 950 951 char *verity_blk_name = 0; 952 char *verity_table = 0; 953 char *verity_table_signature = 0; 954 uint64_t device_size = 0; 955 956 _Alignas(struct dm_ioctl) char buffer[DM_BUF_SIZE]; 957 struct dm_ioctl *io = (struct dm_ioctl *) buffer; 958 char *mount_point = basename(fstab->mount_point); 959 960 // set the dm_ioctl flags 961 io->flags |= 1; 962 io->target_count = 1; 963 964 // get verity filesystem size 965 if (get_fs_size(fstab->fs_type, fstab->blk_device, &device_size) < 0) { 966 return retval; 967 } 968 969 // read the verity block at the end of the block device 970 // send error code up the chain so we can detect attempts to disable verity 971 retval = read_verity_metadata(device_size, 972 fstab->blk_device, 973 &verity_table_signature, 974 &verity_table); 975 if (retval < 0) { 976 goto out; 977 } 978 979 retval = FS_MGR_SETUP_VERITY_FAIL; 980 981 // get the device mapper fd 982 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0) { 983 ERROR("Error opening device mapper (%s)", strerror(errno)); 984 goto out; 985 } 986 987 // create the device 988 if (create_verity_device(io, mount_point, fd) < 0) { 989 ERROR("Couldn't create verity device!"); 990 goto out; 991 } 992 993 // get the name of the device file 994 if (get_verity_device_name(io, mount_point, fd, &verity_blk_name) < 0) { 995 ERROR("Couldn't get verity device number!"); 996 goto out; 997 } 998 999 // verify the signature on the table 1000 if (verify_table(verity_table_signature, 1001 verity_table, 1002 strlen(verity_table)) < 0) { 1003 goto out; 1004 } 1005 1006 if (load_verity_state(fstab, &mode) < 0) { 1007 /* if accessing or updating the state failed, switch to the default 1008 * safe mode. This makes sure the device won't end up in an endless 1009 * restart loop, and no corrupted data will be exposed to userspace 1010 * without a warning. */ 1011 mode = VERITY_MODE_EIO; 1012 } 1013 1014 INFO("Enabling dm-verity for %s (mode %d)\n", mount_point, mode); 1015 1016 // load the verity mapping table 1017 if (load_verity_table(io, mount_point, device_size, fd, verity_table, 1018 mode) < 0) { 1019 goto out; 1020 } 1021 1022 // activate the device 1023 if (resume_verity_table(io, mount_point, fd) < 0) { 1024 goto out; 1025 } 1026 1027 // mark the underlying block device as read-only 1028 fs_mgr_set_blk_ro(fstab->blk_device); 1029 1030 // assign the new verity block device as the block device 1031 free(fstab->blk_device); 1032 fstab->blk_device = verity_blk_name; 1033 verity_blk_name = 0; 1034 1035 // make sure we've set everything up properly 1036 if (test_access(fstab->blk_device) < 0) { 1037 goto out; 1038 } 1039 1040 retval = FS_MGR_SETUP_VERITY_SUCCESS; 1041 1042 out: 1043 if (fd != -1) { 1044 close(fd); 1045 } 1046 1047 free(verity_table); 1048 free(verity_table_signature); 1049 free(verity_blk_name); 1050 1051 return retval; 1052 } 1053
