xref: /aosp_15_r20/system/core/fs_mgr/libfs_avb/fs_avb_util.cpp (revision 00c7fec1bb09f3284aad6a6f96d2f63dfc3650ad)
1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "fs_avb/fs_avb_util.h"
18 
19 #include <memory>
20 #include <string>
21 #include <vector>
22 
23 #include <android-base/logging.h>
24 #include <android-base/strings.h>
25 #include <fstab/fstab.h>
26 #include <libavb/libavb.h>
27 #include <libdm/dm.h>
28 
29 #include "avb_util.h"
30 #include "util.h"
31 
32 namespace android {
33 namespace fs_mgr {
34 
// Loads and verifies the vbmeta for the partition described by |fstab_entry|, so that callers
// can extract AVB descriptors (e.g. the hashtree descriptor) from it.
//
// |expected_public_key_blob|, |out_public_key_data| and |out_verify_result| are forwarded
// unchanged to LoadAndVerifyVbmetaByPath(). If |out_avb_partition_name| is non-null it receives
// the AVB partition name derived from the fstab entry; AVB descriptor partition names carry no
// A/B slot suffix.
//
// Returns nullptr when a logical partition name cannot be resolved to a device-mapper path;
// otherwise returns whatever LoadAndVerifyVbmetaByPath() returns.
//
// NOTE(review): the load is requested with allow_verification_error = true and
// rollback_protection = false, and the verification-disabled flag is not reported
// (out_verification_disabled is nullptr). Presumably a non-null return therefore does not by
// itself mean verification succeeded; callers making a trust decision should pass
// |out_verify_result| and inspect it. Confirm against LoadAndVerifyVbmetaByPath().
std::unique_ptr<VBMetaData> LoadAndVerifyVbmeta(const FstabEntry& fstab_entry,
                                                const std::string& expected_public_key_blob,
                                                std::string* out_public_key_data,
                                                std::string* out_avb_partition_name,
                                                VBMetaVerifyResult* out_verify_result) {
    // The name used to look up descriptors is derived from blk_device and the slot suffixes.
    const std::string partition_name = DeriveAvbPartitionName(
            fstab_entry, fs_mgr_get_slot_suffix(), fs_mgr_get_other_slot_suffix());
    if (out_avb_partition_name != nullptr) {
        *out_avb_partition_name = partition_name;
    }

    // A logical partition whose blk_device is a bare name (no leading '/') has to be mapped to
    // its device-mapper path first; anything else is used as given.
    std::string resolved_path = fstab_entry.blk_device;
    const bool needs_dm_lookup = fstab_entry.fs_mgr_flags.logical &&
                                 !android::base::StartsWith(fstab_entry.blk_device, "/");
    if (needs_dm_lookup) {
        dm::DeviceMapper& mapper = dm::DeviceMapper::Instance();
        const bool resolved =
                mapper.GetDmDevicePathByName(fstab_entry.blk_device, &resolved_path);
        if (!resolved) {
            LERROR << "Failed to resolve logical device path for: " << fstab_entry.blk_device;
            return nullptr;
        }
    }

    return LoadAndVerifyVbmetaByPath(resolved_path, partition_name, expected_public_key_blob,
                                     true /* allow_verification_error */,
                                     false /* rollback_protection */,
                                     false /* is_chained_vbmeta */, out_public_key_data,
                                     nullptr /* out_verification_disabled */, out_verify_result);
}
67 
// Convenience overload: extracts the AVB hashtree descriptor for |avb_partition_name| from a
// single, already-loaded |vbmeta| image. The image is moved into a one-element vector and the
// lookup is delegated to the vector overload of GetHashtreeDescriptor().
//
// Returns nullptr without searching when |vbmeta| is empty (size() == 0). No verification is
// performed here; the caller is responsible for how |vbmeta| was loaded and checked.
std::unique_ptr<FsAvbHashtreeDescriptor> GetHashtreeDescriptor(
        const std::string& avb_partition_name, VBMetaData&& vbmeta) {
    if (vbmeta.size() == 0) {
        return nullptr;
    }

    std::vector<VBMetaData> single_image;
    single_image.emplace_back(std::move(vbmeta));
    return GetHashtreeDescriptor(avb_partition_name, single_image);
}
77 
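// Searches |vbmeta_images| for the AVB hash descriptor whose partition name equals
// |partition_name| and returns a copy of it with the salt and digest hex-encoded.
//
// Images are scanned in order and the first matching descriptor wins. Returns nullptr (after
// logging an error) when no image carries a matching descriptor.
//
// NOTE(review): nothing in this function checks signatures. Whether |vbmeta_images| has been
// verified is up to the caller, so the descriptor contents should be treated as untrusted
// unless the caller has confirmed a successful verification result.
std::unique_ptr<FsAvbHashDescriptor> GetHashDescriptor(
        const std::string& partition_name, const std::vector<VBMetaData>& vbmeta_images) {
    // Size of the fixed hash-descriptor fields that follow the generic AvbDescriptor header.
    constexpr size_t kHashHeaderPayload = sizeof(AvbHashDescriptor) - sizeof(AvbDescriptor);

    bool found = false;
    // Points at the variable-length payload of the matching descriptor; only meaningful once
    // |found| is true. Initialized so it can never be read indeterminate.
    const uint8_t* desc_partition_name = nullptr;
    // Reused as scratch for every candidate; holds the matching descriptor once |found| is set.
    auto hash_desc = std::make_unique<FsAvbHashDescriptor>();

    for (const auto& vbmeta : vbmeta_images) {
        size_t num_descriptors = 0;
        // The returned array is released with avb_free when it goes out of scope. The salt and
        // digest are read through |desc_partition_name| after that, which assumes the entries
        // point into |vbmeta|'s own buffer rather than into the array — TODO confirm.
        std::unique_ptr<const AvbDescriptor*[], decltype(&avb_free)> descriptors(
                avb_descriptor_get_all(vbmeta.data(), vbmeta.size(), &num_descriptors), avb_free);

        if (!descriptors || num_descriptors < 1) {
            continue;
        }

        for (size_t n = 0; n < num_descriptors && !found; n++) {
            AvbDescriptor desc;
            if (!avb_descriptor_validate_and_byteswap(descriptors[n], &desc)) {
                LWARNING << "Descriptor[" << n << "] is invalid";
                continue;
            }
            if (desc.tag != AVB_DESCRIPTOR_TAG_HASH) {
                continue;
            }
            // Defense in depth: make sure the descriptor declares enough payload to hold the
            // fixed AvbHashDescriptor fields before it is reinterpreted as one. Descriptors that
            // fail this could not be valid hash descriptors anyway.
            if (desc.num_bytes_following < kHashHeaderPayload) {
                LWARNING << "Descriptor[" << n << "] is too short for a hash descriptor";
                continue;
            }

            const auto* raw_hash_desc =
                    reinterpret_cast<const AvbHashDescriptor*>(descriptors[n]);
            if (!avb_hash_descriptor_validate_and_byteswap(raw_hash_desc, hash_desc.get())) {
                continue;
            }
            // Cheap reject before building a string from descriptor-supplied bytes.
            if (hash_desc->partition_name_len != partition_name.length()) {
                continue;
            }

            // The variable-length payload starts right after the fixed header. The name is not
            // NUL-terminated, so it is copied with an explicit length.
            const uint8_t* payload =
                    reinterpret_cast<const uint8_t*>(descriptors[n]) + sizeof(AvbHashDescriptor);
            const std::string hash_partition_name(reinterpret_cast<const char*>(payload),
                                                  hash_desc->partition_name_len);
            if (hash_partition_name == partition_name) {
                desc_partition_name = payload;
                found = true;
            }
        }

        if (found) break;
    }

    if (!found) {
        LERROR << "Hash descriptor not found: " << partition_name;
        return nullptr;
    }

    hash_desc->partition_name = partition_name;

    // Payload order assumed by these offsets: partition name, then salt, then digest.
    // NOTE(review): the lengths come from the descriptor itself; this relies on
    // avb_hash_descriptor_validate_and_byteswap() having accepted them — presumably it checks
    // that name + salt + digest fit inside the descriptor. Confirm against libavb.
    const uint8_t* desc_salt = desc_partition_name + hash_desc->partition_name_len;
    hash_desc->salt = BytesToHex(desc_salt, hash_desc->salt_len);

    const uint8_t* desc_digest = desc_salt + hash_desc->salt_len;
    hash_desc->digest = BytesToHex(desc_digest, hash_desc->digest_len);

    return hash_desc;
}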
135 
// Convenience overload: extracts the AVB hash descriptor for |avb_partition_name| from a
// single, already-loaded |vbmeta| image. The image is moved into a one-element vector and the
// lookup is delegated to the vector overload of GetHashDescriptor().
//
// Returns nullptr without searching when |vbmeta| is empty (size() == 0). No verification is
// performed here; the caller is responsible for how |vbmeta| was loaded and checked.
std::unique_ptr<FsAvbHashDescriptor> GetHashDescriptor(const std::string& avb_partition_name,
                                                       VBMetaData&& vbmeta) {
    if (vbmeta.size() == 0) {
        return nullptr;
    }

    std::vector<VBMetaData> single_image;
    single_image.emplace_back(std::move(vbmeta));
    return GetHashDescriptor(avb_partition_name, single_image);
}
145 
// Looks up the AVB property |key| in each of |vbmeta_images|, in order, and returns the value
// from the first image for which avb_property_lookup() yields a non-null pointer.
//
// Returns an empty string when no image has the property, so callers cannot tell a missing
// property from one whose value is empty. No verification is performed here; the value is
// only as trustworthy as the images the caller passes in.
std::string GetAvbPropertyDescriptor(const std::string& key,
                                     const std::vector<VBMetaData>& vbmeta_images) {
    size_t length;  // written by avb_property_lookup()
    for (const auto& image : vbmeta_images) {
        const char* found =
                avb_property_lookup(image.data(), image.size(), key.data(), key.size(), &length);
        if (found == nullptr) {
            continue;
        }
        // The value is copied with its explicit length rather than as a C string.
        return std::string(found, length);
    }
    return std::string();
}
158 
159 }  // namespace fs_mgr
160 }  // namespace android
161