xref: /aosp_15_r20/system/security/fsverity_init/fsverity_init.cpp (revision e1997b9af69e3155ead6e072d106a0077849ffba) 
1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 //
18 // fsverity_init is a tool for loading X.509 certificates into the kernel keyring used by the
19 // fsverity builtin signature verification kernel feature
20 // (https://www.kernel.org/doc/html/latest/filesystems/fsverity.html#built-in-signature-verification).
21 // Starting in Android 14, Android has actually stopped using this feature, as it was too inflexible
22 // and caused problems.  It has been replaced by userspace signature verification.  Also, some uses
23 // of fsverity in Android are now for integrity-only use cases.
24 //
25 // Regardless, there may exist fsverity files on-disk that were created by Android 13 or earlier.
26 // These files still have builtin signatures.  If the kernel is an older kernel that still has
27 // CONFIG_FS_VERITY_BUILTIN_SIGNATURES enabled, these files cannot be opened unless the
28 // corresponding key is in the ".fs-verity" keyring.  Therefore, this tool still has to exist and be
29 // used to load keys into the kernel, even though this has no security purpose anymore.
30 //
31 // This tool can be removed as soon as all supported kernels are guaranteed to have
32 // CONFIG_FS_VERITY_BUILTIN_SIGNATURES disabled, or alternatively as soon as support for upgrades
33 // from Android 13 or earlier is no longer required.
34 //
35 
36 #define LOG_TAG "fsverity_init"
37 
38 #include <sys/types.h>
39 
40 #include <filesystem>
41 #include <string>
42 
43 #include <android-base/file.h>
44 #include <android-base/logging.h>
45 #include <android-base/strings.h>
46 #include <android_security_flag.h>
47 #include <log/log.h>
48 #include <mini_keyctl_utils.h>
49 
LoadKeyFromFile(key_serial_t keyring_id,const char * keyname,const std::string & path)50 void LoadKeyFromFile(key_serial_t keyring_id, const char* keyname, const std::string& path) {
51     LOG(INFO) << "LoadKeyFromFile path=" << path << " keyname=" << keyname;
52     std::string content;
53     if (!android::base::ReadFileToString(path, &content)) {
54         LOG(ERROR) << "Failed to read key from " << path;
55         return;
56     }
57     if (add_key("asymmetric", keyname, content.c_str(), content.size(), keyring_id) < 0) {
58         PLOG(ERROR) << "Failed to add key from " << path;
59     }
60 }
61 
LoadKeyFromDirectory(key_serial_t keyring_id,const char * keyname_prefix,const char * dir)62 void LoadKeyFromDirectory(key_serial_t keyring_id, const char* keyname_prefix, const char* dir) {
63     if (!std::filesystem::exists(dir)) {
64         return;
65     }
66     int counter = 0;
67     for (const auto& entry : std::filesystem::directory_iterator(dir)) {
68         if (!android::base::EndsWithIgnoreCase(entry.path().c_str(), ".der")) continue;
69         std::string keyname = keyname_prefix + std::to_string(counter);
70         counter++;
71         LoadKeyFromFile(keyring_id, keyname.c_str(), entry.path());
72     }
73 }
74 
LoadKeyFromVerifiedPartitions(key_serial_t keyring_id)75 void LoadKeyFromVerifiedPartitions(key_serial_t keyring_id) {
76     // NB: Directories need to be synced with FileIntegrityService.java in
77     // frameworks/base.
78     LoadKeyFromDirectory(keyring_id, "fsv_system_", "/system/etc/security/fsverity");
79     LoadKeyFromDirectory(keyring_id, "fsv_product_", "/product/etc/security/fsverity");
80 }
81 
main(int argc,const char ** argv)82 int main(int argc, const char** argv) {
83     if (android::security::flag::deprecate_fsverity_init()) {
84         // Don't load keys to the built-in fs-verity keyring in kernel. This will make existing
85         // files not readable. We expect to only enable the flag when there are no such files or
86         // when failure is ok (e.g. with a fallback).
87         return 0;
88     }
89 
90     if (argc < 2) {
91         LOG(ERROR) << "Not enough arguments";
92         return -1;
93     }
94 
95     key_serial_t keyring_id = android::GetKeyringId(".fs-verity");
96     if (keyring_id < 0) {
97         // This is expected on newer kernels.  See comment at the beginning of this file.
98         LOG(DEBUG) << "no initialization required";
99         return 0;
100     }
101 
102     const std::string_view command = argv[1];
103 
104     if (command == "--load-verified-keys") {
105         LoadKeyFromVerifiedPartitions(keyring_id);
106     } else {
107         LOG(ERROR) << "Unknown argument(s).";
108         return -1;
109     }
110 
111     return 0;
112 }
113