diff options
| author | Victor Hsieh <victorhsieh@google.com> | 2020-02-26 12:39:15 -0800 |
|---|---|---|
| committer | Victor Hsieh <victorhsieh@google.com> | 2020-03-09 12:43:52 -0700 |
| commit | d8f95847b3a078c31a9acfa25ee8f43bccc4f96b (patch) | |
| tree | 276b3a4a1c3da690a1de1e2630c4dd34513f1b8d | |
| parent | 9851ffaa2e5da9bbb344ccfaa95c58b961fae729 (diff) | |
| download | security-d8f95847b3a078c31a9acfa25ee8f43bccc4f96b.tar.gz | |
Stop reading fs-verity certificate from keystore
We punting support for extra certificate to S.
Test: boot
Bug: 112038744
Change-Id: I3bc342a7df0c47c02494ef6fdae24e7ad00a8507
Merged-In: I3bc342a7df0c47c02494ef6fdae24e7ad00a8507
| -rw-r--r-- | fsverity_init/Android.bp | 1 | ||||
| -rw-r--r-- | fsverity_init/fsverity_init.cpp | 32 | ||||
| -rw-r--r-- | keystore/permissions.cpp | 2 |
3 files changed, 0 insertions, 35 deletions
diff --git a/fsverity_init/Android.bp b/fsverity_init/Android.bp index 407849d5..3c9ade00 100644 --- a/fsverity_init/Android.bp +++ b/fsverity_init/Android.bp @@ -9,7 +9,6 @@ cc_binary { ], shared_libs: [ "libbase", - "libkeystore_binder", "libkeyutils", "liblog", "liblogwrap", diff --git a/fsverity_init/fsverity_init.cpp b/fsverity_init/fsverity_init.cpp index 70523756..e2a8bf70 100644 --- a/fsverity_init/fsverity_init.cpp +++ b/fsverity_init/fsverity_init.cpp @@ -19,20 +19,14 @@ #include <sys/types.h> #include <filesystem> -#include <memory> #include <string> -#include <vector> #include <android-base/file.h> #include <android-base/logging.h> #include <android-base/properties.h> #include <android-base/strings.h> -#include <keystore/keystore_client.h> -#include <keystore/keystore_client_impl.h> -#include <keystore/keystore_get.h> #include <log/log.h> #include <mini_keyctl_utils.h> -#include <private/android_filesystem_config.h> bool LoadKeyToKeyring(key_serial_t keyring_id, const char* desc, const char* data, size_t size) { key_serial_t key = add_key("asymmetric", desc, data, size, keyring_id); @@ -61,31 +55,6 @@ void LoadKeyFromVerifiedPartitions(key_serial_t keyring_id) { } } -std::unique_ptr<keystore::KeystoreClient> CreateKeystoreInstance() { - return std::unique_ptr<keystore::KeystoreClient>( - static_cast<keystore::KeystoreClient*>(new keystore::KeystoreClientImpl)); -} - -void LoadKeysFromKeystore(key_serial_t keyring_id) { - auto client = CreateKeystoreInstance(); - - std::vector<std::string> aliases; - if (client == nullptr || !client->listKeysOfUid("FSV_", AID_FSVERITY_CERT, &aliases)) { - LOG(ERROR) << "Failed to list key"; - return; - } - - // Always try to load all keys even if some fails to load. The rest may still - // be important to have. - for (auto& alias : aliases) { - auto blob = client->getKey(alias, AID_FSVERITY_CERT); - if (!LoadKeyToKeyring(keyring_id, "fsv_user", reinterpret_cast<char*>(blob->data()), - blob->size())) { - LOG(ERROR) << "Failed to load key " << alias << " from keyring"; - } - } -} - int main(int /*argc*/, const char** /*argv*/) { key_serial_t keyring_id = android::GetKeyringId(".fs-verity"); if (keyring_id < 0) { @@ -100,7 +69,6 @@ int main(int /*argc*/, const char** /*argv*/) { } LoadKeyFromVerifiedPartitions(keyring_id); - LoadKeysFromKeystore(keyring_id); if (!android::base::GetBoolProperty("ro.debuggable", false)) { if (keyctl_restrict_keyring(keyring_id, nullptr, nullptr) < 0) { diff --git a/keystore/permissions.cpp b/keystore/permissions.cpp index 8b9e28da..2cd42cf2 100644 --- a/keystore/permissions.cpp +++ b/keystore/permissions.cpp @@ -57,8 +57,6 @@ struct user_euid { user_euid user_euids[] = {{AID_VPN, AID_SYSTEM}, {AID_WIFI, AID_SYSTEM}, {AID_ROOT, AID_SYSTEM}, - {AID_FSVERITY_CERT, AID_ROOT}, - {AID_FSVERITY_CERT, AID_SYSTEM}, #ifdef GRANT_ROOT_ALL_PERMISSIONS // Allow VTS tests to act on behalf of the wifi user |