From fd99a318fe630b49ba35f9a19a1866e8b1a42b7e Mon Sep 17 00:00:00 2001
From: Yabin Cui <yabinc@google.com>
Date: Thu, 9 Jun 2016 14:09:39 -0700
Subject: Verify wipe package when wiping A/B device in recovery.

To increase the security of wiping A/B devices, let uncrypt write
wipe package in misc partition. Then recovery verifies the wipe
package before wiping the device.

Based on the original cherrypick, this CL also has additional changes to
address the LOG statements and libziparchive changes.

Bug: 29159185
Test: Build and boot into recovery.

Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168
(cherry picked from commit 6faf0265c9b58db2c15b53f6d29025629d52f882)
---
 recovery.cpp | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 71 insertions(+), 2 deletions(-)

(limited to 'recovery.cpp')

diff --git a/recovery.cpp b/recovery.cpp
index dc17c9527..683d101f5 100644
--- a/recovery.cpp
+++ b/recovery.cpp
@@ -86,6 +86,7 @@ static const struct option OPTIONS[] = {
   { "reason", required_argument, NULL, 'r' },
   { "security", no_argument, NULL, 'e'},
   { "wipe_ab", no_argument, NULL, 0 },
+  { "wipe_package_size", required_argument, NULL, 0 },
   { NULL, 0, NULL, 0 },
 };
 
@@ -902,12 +903,76 @@ static bool secure_wipe_partition(const std::string& partition) {
     return true;
 }
 
+// Check if the wipe package matches expectation:
+// 1. verify the package.
+// 2. check metadata (ota-type, pre-device and serial number if having one).
+static bool check_wipe_package(size_t wipe_package_size) {
+    if (wipe_package_size == 0) {
+        LOG(ERROR) << "wipe_package_size is zero";
+        return false;
+    }
+    std::string wipe_package;
+    std::string err_str;
+    if (!read_wipe_package(&wipe_package, wipe_package_size, &err_str)) {
+        PLOG(ERROR) << "Failed to read wipe package";
+        return false;
+    }
+    if (!verify_package(reinterpret_cast<const unsigned char*>(wipe_package.data()),
+                        wipe_package.size())) {
+        LOG(ERROR) << "Failed to verify package";
+        return false;
+    }
+
+    // Extract metadata
+    ZipArchiveHandle zip;
+    int err = OpenArchiveFromMemory(reinterpret_cast<void*>(&wipe_package[0]),
+                                    wipe_package.size(), "wipe_package", &zip);
+    if (err != 0) {
+        LOG(ERROR) << "Can't open wipe package : " << ErrorCodeString(err);
+        return false;
+    }
+    std::string metadata;
+    if (!read_metadata_from_package(&zip, &metadata)) {
+        CloseArchive(zip);
+        return false;
+    }
+    CloseArchive(zip);
+
+    // Check metadata
+    std::vector<std::string> lines = android::base::Split(metadata, "\n");
+    bool ota_type_matched = false;
+    bool device_type_matched = false;
+    bool has_serial_number = false;
+    bool serial_number_matched = false;
+    for (const auto& line : lines) {
+        if (line == "ota-type=BRICK") {
+            ota_type_matched = true;
+        } else if (android::base::StartsWith(line, "pre-device=")) {
+            std::string device_type = line.substr(strlen("pre-device="));
+            char real_device_type[PROPERTY_VALUE_MAX];
+            property_get("ro.build.product", real_device_type, "");
+            device_type_matched = (device_type == real_device_type);
+        } else if (android::base::StartsWith(line, "serialno=")) {
+            std::string serial_no = line.substr(strlen("serialno="));
+            char real_serial_no[PROPERTY_VALUE_MAX];
+            property_get("ro.serialno", real_serial_no, "");
+            has_serial_number = true;
+            serial_number_matched = (serial_no == real_serial_no);
+        }
+    }
+    return ota_type_matched && device_type_matched && (!has_serial_number || serial_number_matched);
+}
+
 // Wipe the current A/B device, with a secure wipe of all the partitions in
 // RECOVERY_WIPE.
-static bool wipe_ab_device() {
+static bool wipe_ab_device(size_t wipe_package_size) {
     ui->SetBackground(RecoveryUI::ERASING);
     ui->SetProgressType(RecoveryUI::INDETERMINATE);
 
+    if (!check_wipe_package(wipe_package_size)) {
+        LOG(ERROR) << "Failed to verify wipe package";
+        return false;
+    }
     std::string partition_list;
     if (!android::base::ReadFileToString(RECOVERY_WIPE, &partition_list)) {
         LOG(ERROR) << "failed to read \"" << RECOVERY_WIPE << "\"";
@@ -1426,6 +1491,7 @@ int main(int argc, char **argv) {
     bool should_wipe_data = false;
     bool should_wipe_cache = false;
     bool should_wipe_ab = false;
+    size_t wipe_package_size = 0;
     bool show_text = false;
     bool sideload = false;
     bool sideload_auto_reboot = false;
@@ -1462,6 +1528,9 @@ int main(int argc, char **argv) {
             if (strcmp(OPTIONS[option_index].name, "wipe_ab") == 0) {
                 should_wipe_ab = true;
                 break;
+            } else if (strcmp(OPTIONS[option_index].name, "wipe_package_size") == 0) {
+                android::base::ParseUint(optarg, &wipe_package_size);
+                break;
             }
             break;
         }
@@ -1607,7 +1676,7 @@ int main(int argc, char **argv) {
             status = INSTALL_ERROR;
         }
     } else if (should_wipe_ab) {
-        if (!wipe_ab_device()) {
+        if (!wipe_ab_device(wipe_package_size)) {
             status = INSTALL_ERROR;
         }
     } else if (sideload) {
-- 
cgit v1.2.3