From fd99a318fe630b49ba35f9a19a1866e8b1a42b7e Mon Sep 17 00:00:00 2001 From: Yabin Cui Date: Thu, 9 Jun 2016 14:09:39 -0700 Subject: Verify wipe package when wiping A/B device in recovery. To increase the security of wiping A/B devices, let uncrypt write wipe package in misc partition. Then recovery verifies the wipe package before wiping the device. Based on the original cherrypick, this CL also has additional changes to address the LOG statements and libziparchive changes. Bug: 29159185 Test: Build and boot into recovery. Change-Id: I186691bab1928d3dc036bc5542abd64a81bc2168 (cherry picked from commit 6faf0265c9b58db2c15b53f6d29025629d52f882) --- bootloader.cpp | 134 ---------------------------- install.cpp | 66 ++++++++------ install.h | 17 ++-- recovery.cpp | 73 ++++++++++++++- uncrypt/include/bootloader_message_writer.h | 35 -------- uncrypt/uncrypt.cpp | 19 +++- 6 files changed, 140 insertions(+), 204 deletions(-) delete mode 100644 bootloader.cpp delete mode 100644 uncrypt/include/bootloader_message_writer.h diff --git a/bootloader.cpp b/bootloader.cpp deleted file mode 100644 index dad0bab30..000000000 --- a/bootloader.cpp +++ /dev/null @@ -1,134 +0,0 @@ -/* - * Copyright (C) 2008 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#include -#include - -#include "bootloader.h" -#include "roots.h" - -static int get_bootloader_message_block(bootloader_message* out, const Volume* v); -static int set_bootloader_message_block(const bootloader_message* in, const Volume* v); - -int get_bootloader_message(bootloader_message* out) { - Volume* v = volume_for_path("/misc"); - if (v == nullptr) { - LOG(ERROR) << "Cannot load volume /misc!"; - return -1; - } - if (strcmp(v->fs_type, "emmc") == 0) { - return get_bootloader_message_block(out, v); - } - LOG(ERROR) << "unknown misc partition fs_type \"" << v->fs_type << "\""; - return -1; -} - -int set_bootloader_message(const bootloader_message* in) { - Volume* v = volume_for_path("/misc"); - if (v == nullptr) { - LOG(ERROR) << "Cannot load volume /misc!"; - return -1; - } - if (strcmp(v->fs_type, "emmc") == 0) { - return set_bootloader_message_block(in, v); - } - LOG(ERROR) << "unknown misc partition fs_type \"" << v->fs_type << "\""; - return -1; -} - -// ------------------------------------ -// for misc partitions on block devices -// ------------------------------------ - -static void wait_for_device(const char* fn) { - int tries = 0; - int ret; - do { - ++tries; - struct stat buf; - ret = stat(fn, &buf); - if (ret == -1) { - printf("failed to stat \"%s\" try %d: %s\n", fn, tries, strerror(errno)); - sleep(1); - } - } while (ret && tries < 10); - - if (ret) { - printf("failed to stat \"%s\"\n", fn); - } -} - -static int get_bootloader_message_block(bootloader_message* out, - const Volume* v) { - wait_for_device(v->blk_device); - FILE* f = fopen(v->blk_device, "rb"); - if (f == nullptr) { - PLOG(ERROR) << "failed to open \"" << v->blk_device << "\""; - return -1; - } - bootloader_message temp; - int count = fread(&temp, sizeof(temp), 1, f); - if (count != 1) { - PLOG(ERROR) << "failed to read \"" << v->blk_device << "\""; - return -1; - } - if (fclose(f) != 0) { - PLOG(ERROR) << "failed to close \"" << v->blk_device << "\""; - return -1; - } - memcpy(out, &temp, sizeof(temp)); - return 0; -} - -static int set_bootloader_message_block(const bootloader_message* in, - const Volume* v) { - wait_for_device(v->blk_device); - android::base::unique_fd fd(open(v->blk_device, O_WRONLY | O_SYNC)); - if (fd == -1) { - PLOG(ERROR) << "failed to open \"" << v->blk_device << "\""; - return -1; - } - - size_t written = 0; - const uint8_t* start = reinterpret_cast(in); - size_t total = sizeof(*in); - while (written < total) { - ssize_t wrote = TEMP_FAILURE_RETRY(write(fd, start + written, total - written)); - if (wrote == -1) { - PLOG(ERROR) << "failed to write " << total << " bytes, " << written - << " bytes written"; - return -1; - } - written += wrote; - } - - if (fsync(fd) == -1) { - PLOG(ERROR) << "failed to fsync \"" << v->blk_device << "\""; - return -1; - } - return 0; -} diff --git a/install.cpp b/install.cpp index c98715231..0f9088a7a 100644 --- a/install.cpp +++ b/install.cpp @@ -71,22 +71,33 @@ static int parse_build_number(const std::string& str) { return -1; } -// Read the build.version.incremental of src/tgt from the metadata and log it to last_install. -static void read_source_target_build(ZipArchiveHandle zip, std::vector& log_buffer) { +bool read_metadata_from_package(ZipArchiveHandle zip, std::string* meta_data) { ZipString metadata_path(METADATA_PATH); ZipEntry meta_entry; + if (meta_data == nullptr) { + LOG(ERROR) << "string* meta_data can't be nullptr"; + return false; + } if (FindEntry(zip, metadata_path, &meta_entry) != 0) { LOG(ERROR) << "Failed to find " << METADATA_PATH << " in update package"; - return; + return false; } - std::string meta_data(meta_entry.uncompressed_length, '\0'); - if (ExtractToMemory(zip, &meta_entry, reinterpret_cast(&meta_data[0]), + meta_data->resize(meta_entry.uncompressed_length, '\0'); + if (ExtractToMemory(zip, &meta_entry, reinterpret_cast(&(*meta_data)[0]), meta_entry.uncompressed_length) != 0) { LOG(ERROR) << "Failed to read metadata in update package"; - return; + return false; } + return true; +} +// Read the build.version.incremental of src/tgt from the metadata and log it to last_install. +static void read_source_target_build(ZipArchiveHandle zip, std::vector& log_buffer) { + std::string meta_data; + if (!read_metadata_from_package(zip, &meta_data)) { + return; + } // Examples of the pre-build and post-build strings in metadata: // pre-build-incremental=2943039 // post-build-incremental=2951741 @@ -301,33 +312,16 @@ really_install_package(const char *path, bool* wipe_cache, bool needs_mount, return INSTALL_CORRUPT; } - // Load keys. - std::vector loadedKeys; - if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) { - LOG(ERROR) << "Failed to load keys"; - sysReleaseMap(&map); - return INSTALL_CORRUPT; - } - LOG(INFO) << loadedKeys.size() << " key(s) loaded from " << PUBLIC_KEYS_FILE; - // Verify package. - ui->Print("Verifying update package...\n"); - - auto t0 = std::chrono::system_clock::now(); - int err = verify_file(map.addr, map.length, loadedKeys); - std::chrono::duration duration = std::chrono::system_clock::now() - t0; - ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err); - if (err != VERIFY_SUCCESS) { - LOG(ERROR) << "signature verification failed"; + if (!verify_package(map.addr, map.length)) { log_buffer.push_back(android::base::StringPrintf("error: %d", kZipVerificationFailure)); - sysReleaseMap(&map); return INSTALL_CORRUPT; } // Try to open the package. ZipArchiveHandle zip; - err = OpenArchiveFromMemory(map.addr, map.length, path, &zip); + int err = OpenArchiveFromMemory(map.addr, map.length, path, &zip); if (err != 0) { LOG(ERROR) << "Can't open " << path << " : " << ErrorCodeString(err); log_buffer.push_back(android::base::StringPrintf("error: %d", kZipOpenFailure)); @@ -403,3 +397,25 @@ install_package(const char* path, bool* wipe_cache, const char* install_file, return result; } + +bool verify_package(const unsigned char* package_data, size_t package_size) { + std::vector loadedKeys; + if (!load_keys(PUBLIC_KEYS_FILE, loadedKeys)) { + LOG(ERROR) << "Failed to load keys"; + return false; + } + LOG(INFO) << loadedKeys.size() << " key(s) loaded from " << PUBLIC_KEYS_FILE; + + // Verify package. + ui->Print("Verifying update package...\n"); + auto t0 = std::chrono::system_clock::now(); + int err = verify_file(const_cast(package_data), package_size, loadedKeys); + std::chrono::duration duration = std::chrono::system_clock::now() - t0; + ui->Print("Update package verification took %.1f s (result %d).\n", duration.count(), err); + if (err != VERIFY_SUCCESS) { + LOG(ERROR) << "Signature verification failed"; + LOG(ERROR) << "error: " << kZipVerificationFailure; + return false; + } + return true; +} diff --git a/install.h b/install.h index 66764f542..7f66a51ca 100644 --- a/install.h +++ b/install.h @@ -17,11 +17,10 @@ #ifndef RECOVERY_INSTALL_H_ #define RECOVERY_INSTALL_H_ -#include "common.h" +#include +#include -#ifdef __cplusplus -extern "C" { -#endif +#include "common.h" enum { INSTALL_SUCCESS, INSTALL_ERROR, INSTALL_CORRUPT, INSTALL_NONE, INSTALL_SKIPPED, INSTALL_RETRY }; @@ -31,8 +30,12 @@ enum { INSTALL_SUCCESS, INSTALL_ERROR, INSTALL_CORRUPT, INSTALL_NONE, INSTALL_SK int install_package(const char* root_path, bool* wipe_cache, const char* install_file, bool needs_mount, int retry_count); -#ifdef __cplusplus -} -#endif +// Verify the package by ota keys. Return true if the package is verified successfully, +// otherwise return false. +bool verify_package(const unsigned char* package_data, size_t package_size); + +// Read meta data file of the package, write its content in the string pointed by meta_data. +// Return true if succeed, otherwise return false. +bool read_metadata_from_package(ZipArchiveHandle zip, std::string* meta_data); #endif // RECOVERY_INSTALL_H_ diff --git a/recovery.cpp b/recovery.cpp index dc17c9527..683d101f5 100644 --- a/recovery.cpp +++ b/recovery.cpp @@ -86,6 +86,7 @@ static const struct option OPTIONS[] = { { "reason", required_argument, NULL, 'r' }, { "security", no_argument, NULL, 'e'}, { "wipe_ab", no_argument, NULL, 0 }, + { "wipe_package_size", required_argument, NULL, 0 }, { NULL, 0, NULL, 0 }, }; @@ -902,12 +903,76 @@ static bool secure_wipe_partition(const std::string& partition) { return true; } +// Check if the wipe package matches expectation: +// 1. verify the package. +// 2. check metadata (ota-type, pre-device and serial number if having one). +static bool check_wipe_package(size_t wipe_package_size) { + if (wipe_package_size == 0) { + LOG(ERROR) << "wipe_package_size is zero"; + return false; + } + std::string wipe_package; + std::string err_str; + if (!read_wipe_package(&wipe_package, wipe_package_size, &err_str)) { + PLOG(ERROR) << "Failed to read wipe package"; + return false; + } + if (!verify_package(reinterpret_cast(wipe_package.data()), + wipe_package.size())) { + LOG(ERROR) << "Failed to verify package"; + return false; + } + + // Extract metadata + ZipArchiveHandle zip; + int err = OpenArchiveFromMemory(reinterpret_cast(&wipe_package[0]), + wipe_package.size(), "wipe_package", &zip); + if (err != 0) { + LOG(ERROR) << "Can't open wipe package : " << ErrorCodeString(err); + return false; + } + std::string metadata; + if (!read_metadata_from_package(&zip, &metadata)) { + CloseArchive(zip); + return false; + } + CloseArchive(zip); + + // Check metadata + std::vector lines = android::base::Split(metadata, "\n"); + bool ota_type_matched = false; + bool device_type_matched = false; + bool has_serial_number = false; + bool serial_number_matched = false; + for (const auto& line : lines) { + if (line == "ota-type=BRICK") { + ota_type_matched = true; + } else if (android::base::StartsWith(line, "pre-device=")) { + std::string device_type = line.substr(strlen("pre-device=")); + char real_device_type[PROPERTY_VALUE_MAX]; + property_get("ro.build.product", real_device_type, ""); + device_type_matched = (device_type == real_device_type); + } else if (android::base::StartsWith(line, "serialno=")) { + std::string serial_no = line.substr(strlen("serialno=")); + char real_serial_no[PROPERTY_VALUE_MAX]; + property_get("ro.serialno", real_serial_no, ""); + has_serial_number = true; + serial_number_matched = (serial_no == real_serial_no); + } + } + return ota_type_matched && device_type_matched && (!has_serial_number || serial_number_matched); +} + // Wipe the current A/B device, with a secure wipe of all the partitions in // RECOVERY_WIPE. -static bool wipe_ab_device() { +static bool wipe_ab_device(size_t wipe_package_size) { ui->SetBackground(RecoveryUI::ERASING); ui->SetProgressType(RecoveryUI::INDETERMINATE); + if (!check_wipe_package(wipe_package_size)) { + LOG(ERROR) << "Failed to verify wipe package"; + return false; + } std::string partition_list; if (!android::base::ReadFileToString(RECOVERY_WIPE, &partition_list)) { LOG(ERROR) << "failed to read \"" << RECOVERY_WIPE << "\""; @@ -1426,6 +1491,7 @@ int main(int argc, char **argv) { bool should_wipe_data = false; bool should_wipe_cache = false; bool should_wipe_ab = false; + size_t wipe_package_size = 0; bool show_text = false; bool sideload = false; bool sideload_auto_reboot = false; @@ -1462,6 +1528,9 @@ int main(int argc, char **argv) { if (strcmp(OPTIONS[option_index].name, "wipe_ab") == 0) { should_wipe_ab = true; break; + } else if (strcmp(OPTIONS[option_index].name, "wipe_package_size") == 0) { + android::base::ParseUint(optarg, &wipe_package_size); + break; } break; } @@ -1607,7 +1676,7 @@ int main(int argc, char **argv) { status = INSTALL_ERROR; } } else if (should_wipe_ab) { - if (!wipe_ab_device()) { + if (!wipe_ab_device(wipe_package_size)) { status = INSTALL_ERROR; } } else if (sideload) { diff --git a/uncrypt/include/bootloader_message_writer.h b/uncrypt/include/bootloader_message_writer.h deleted file mode 100644 index e0ca3f44a..000000000 --- a/uncrypt/include/bootloader_message_writer.h +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright (C) 2016 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef BOOTLOADER_MESSAGE_WRITER_H -#define BOOTLOADER_MESSAGE_WRITER_H - -#ifdef __cplusplus -#include -#include - -bool clear_bootloader_message(std::string* err); - -bool write_bootloader_message(const std::vector& options, std::string* err); - -#else -#include - -// C Interface. -bool write_bootloader_message(const char* options); -#endif - -#endif // BOOTLOADER_MESSAGE_WRITER_H diff --git a/uncrypt/uncrypt.cpp b/uncrypt/uncrypt.cpp index 8b4d8ef8c..a5d692bbb 100644 --- a/uncrypt/uncrypt.cpp +++ b/uncrypt/uncrypt.cpp @@ -528,14 +528,31 @@ static bool setup_bcb(const int socket) { return false; } LOG(INFO) << " received command: [" << content << "] (" << content.size() << ")"; + std::vector options = android::base::Split(content, "\n"); + std::string wipe_package; + for (auto& option : options) { + if (android::base::StartsWith(option, "--wipe_package=")) { + std::string path = option.substr(strlen("--wipe_package=")); + if (!android::base::ReadFileToString(path, &wipe_package)) { + PLOG(ERROR) << "failed to read " << path; + return false; + } + option = android::base::StringPrintf("--wipe_package_size=%zu", wipe_package.size()); + } + } // c8. setup the bcb command std::string err; - if (!write_bootloader_message({content}, &err)) { + if (!write_bootloader_message(options, &err)) { LOG(ERROR) << "failed to set bootloader message: " << err; write_status_to_socket(-1, socket); return false; } + if (!wipe_package.empty() && !write_wipe_package(wipe_package, &err)) { + PLOG(ERROR) << "failed to set wipe package: " << err; + write_status_to_socket(-1, socket); + return false; + } // c10. send "100" status write_status_to_socket(100, socket); return true; -- cgit v1.2.3