From 1171d3a12b13ca3f1d4301985cf068076e55ae26 Mon Sep 17 00:00:00 2001 From: Tao Bao Date: Sat, 5 Dec 2015 21:21:27 -0800 Subject: Add update_verifier for A/B OTA update. update_verifier checks the integrity of the updated system and vendor partitions on the first boot post an A/B OTA update. It marks the current slot as having booted successfully if it passes the verification. This CL doesn't perform any actual verification work which will be addressed in follow-up CLs. Bug: 26039641 Change-Id: Ia5504ed25b799b48b5886c2fc68073a360127f42 --- Android.mk | 1 + update_verifier/Android.mk | 24 +++++++++++ update_verifier/update_verifier.cpp | 84 +++++++++++++++++++++++++++++++++++++ 3 files changed, 109 insertions(+) create mode 100644 update_verifier/Android.mk create mode 100644 update_verifier/update_verifier.cpp diff --git a/Android.mk b/Android.mk index e43d55f66..c2896f3fc 100644 --- a/Android.mk +++ b/Android.mk @@ -134,4 +134,5 @@ include $(LOCAL_PATH)/minui/Android.mk \ $(LOCAL_PATH)/edify/Android.mk \ $(LOCAL_PATH)/uncrypt/Android.mk \ $(LOCAL_PATH)/updater/Android.mk \ + $(LOCAL_PATH)/update_verifier/Android.mk \ $(LOCAL_PATH)/applypatch/Android.mk diff --git a/update_verifier/Android.mk b/update_verifier/Android.mk new file mode 100644 index 000000000..0bb054777 --- /dev/null +++ b/update_verifier/Android.mk @@ -0,0 +1,24 @@ +# Copyright (C) 2015 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +LOCAL_PATH := $(call my-dir) + +include $(CLEAR_VARS) + +LOCAL_CLANG := true +LOCAL_SRC_FILES := update_verifier.cpp +LOCAL_MODULE := update_verifier +LOCAL_SHARED_LIBRARIES := libcutils libhardware + +include $(BUILD_EXECUTABLE) diff --git a/update_verifier/update_verifier.cpp b/update_verifier/update_verifier.cpp new file mode 100644 index 000000000..9ba792b86 --- /dev/null +++ b/update_verifier/update_verifier.cpp @@ -0,0 +1,84 @@ +/* + * Copyright (C) 2015 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/* + * This program verifies the integrity of the partitions after an A/B OTA + * update. It gets invoked by init, and will only perform the verification if + * it's the first boot post an A/B OTA update. + * + * It relies on dm-verity to capture any corruption on the partitions being + * verified. dm-verity must be in enforcing mode, so that it will reboot the + * device on dm-verity failures. When that happens, the bootloader should + * mark the slot as unbootable and stops trying. We should never see a device + * started in dm-verity logging mode but with isSlotBootable equals to 0. + * + * The current slot will be marked as having booted successfully if the + * verifier reaches the end after the verification. + * + * TODO: The actual verification part will be added later after we have the + * A/B OTA package format in place. + */ + +#include +#include + +#include + +#define LOG_TAG "update_verifier" +#define INFO(x...) KLOG_INFO(LOG_TAG, x) +#define ERROR(x...) KLOG_ERROR(LOG_TAG, x) + +int main(int argc, char** argv) { + klog_init(); + klog_set_level(6); + for (int i = 1; i < argc; i++) { + INFO("Started with arg %d: %s\n", i, argv[i]); + } + + const hw_module_t* hw_module; + if (hw_get_module("bootctrl", &hw_module) != 0) { + ERROR("Error getting bootctrl module.\n"); + return -1; + } + + boot_control_module_t* module = reinterpret_cast( + const_cast(hw_module)); + module->init(module); + + unsigned current_slot = module->getCurrentSlot(module); + int bootable = module->isSlotBootable(module, current_slot); + INFO("Booting slot %u: isSlotBootable=%d\n", current_slot, bootable); + + if (bootable == 0) { + // The current slot has not booted successfully. + + // TODO: Add the actual verification after we have the A/B OTA package + // format in place. + + // TODO: Assert the dm-verity mode. Bootloader should never boot a newly + // flashed slot (isSlotBootable == 0) with dm-verity logging mode. + + int ret = module->markBootSuccessful(module); + if (ret != 0) { + ERROR("Error marking booted successfully: %s\n", strerror(-ret)); + return -1; + } + INFO("Marked slot %u as booted successfully.\n", current_slot); + } + + INFO("Leaving update_verifier.\n"); + return 0; +} -- cgit v1.2.3