author | Eric Biggers <ebiggers@google.com> | 2023-07-06 17:10:28 +0000 |
---|---|---|
committer | Eric Biggers <ebiggers@google.com> | 2023-07-06 18:35:30 +0000 |
commit | 31b4751a4d5ab89657a56989c74d80aef580790e (patch) | |
tree | fe9ea219e75c8afe79b14c6afa134bc45a243971 /fsverity_init | |
parent | 5024ce5b46f4b80f9a184e158f25446bef5686f2 (diff) | |
download | security-31b4751a4d5ab89657a56989c74d80aef580790e.tar.gz |
fsverity_init: cleanly support kernels without builtin sig support
Since Android no longer uses fsverity builtin signatures, it's planned
to start configuring the kernel without
CONFIG_FS_VERITY_BUILTIN_SIGNATURES. Therefore, make fsverity_init
cleanly handle the case of CONFIG_FS_VERITY_BUILTIN_SIGNATURES being
disabled. Also document why fsverity_init still has to exist at all.
Bug: 290064770
Test: Booted Cuttlefish with android-mainline kernel with
CONFIG_FS_VERITY_BUILTIN_SIGNATURES disabled. Checked logcat for
message indicating that 'fsverity_init --load-verified-keys'
exited with status 0.
Change-Id: I0e232c9f4fb80f790ccafb03c10bb5dd5f24fe24
Diffstat (limited to 'fsverity_init')
-rw-r--r-- | fsverity_init/fsverity_init.cpp | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/fsverity_init/fsverity_init.cpp b/fsverity_init/fsverity_init.cpp index acae9729..4761b533 100644 --- a/fsverity_init/fsverity_init.cpp +++ b/fsverity_init/fsverity_init.cpp @@ -14,6 +14,25 @@ * limitations under the License. */ +// +// fsverity_init is a tool for loading X.509 certificates into the kernel keyring used by the +// fsverity builtin signature verification kernel feature +// (https://www.kernel.org/doc/html/latest/filesystems/fsverity.html#built-in-signature-verification). +// Starting in Android 14, Android has actually stopped using this feature, as it was too inflexible +// and caused problems. It has been replaced by userspace signature verification. Also, some uses +// of fsverity in Android are now for integrity-only use cases. +// +// Regardless, there may exist fsverity files on-disk that were created by Android 13 or earlier. +// These files still have builtin signatures. If the kernel is an older kernel that still has +// CONFIG_FS_VERITY_BUILTIN_SIGNATURES enabled, these files cannot be opened unless the +// corresponding key is in the ".fs-verity" keyring. Therefore, this tool still has to exist and be +// used to load keys into the kernel, even though this has no security purpose anymore. +// +// This tool can be removed as soon as all supported kernels are guaranteed to have +// CONFIG_FS_VERITY_BUILTIN_SIGNATURES disabled, or alternatively as soon as support for upgrades +// from Android 13 or earlier is no longer required. +// + #define LOG_TAG "fsverity_init" #include <sys/types.h> @@ -90,8 +109,9 @@ int main(int argc, const char** argv) { key_serial_t keyring_id = android::GetKeyringId(".fs-verity"); if (keyring_id < 0) { - LOG(ERROR) << "Failed to find .fs-verity keyring id"; - return -1; + // This is expected on newer kernels. See comment at the beginning of this file. + LOG(DEBUG) << "no initialization required"; + return 0; } const std::string_view command = argv[1]; |
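Review bot: the new header comment explains why the tool still exists but does not say what it does when the ".fs-verity" keyring is absent, which is exactly the case this change introduces: on a kernel built without CONFIG_FS_VERITY_BUILTIN_SIGNATURES the keyring does not exist and the tool now exits 0 without loading anything. A closing sentence such as `// On kernels without the ".fs-verity" keyring, this tool is a no-op and exits successfully.` would make the comment self-contained for the next reader. Minor style: "Starting in Android 14, Android has actually stopped using this feature" reads better without "actually".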
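Review bot: the `keyring_id < 0` branch now treats every GetKeyringId failure as "no initialization required", but a negative result can presumably also come from a keyctl permission or transient error rather than from the keyring not existing. On an older kernel that still has CONFIG_FS_VERITY_BUILTIN_SIGNATURES enabled, such a failure would now be logged only at DEBUG and exit 0, so Android 13-era files would be unopenable with nothing in logcat above debug level. If GetKeyringId preserves errno, consider returning 0 only when the cause is the keyring being absent (for example errno == ENOKEY) and keeping `LOG(ERROR)` with the existing `return -1` for everything else; at minimum, including the errno value in the log line would keep the silent path diagnosable.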