1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "fs_avb/fs_avb_util.h"
18 
19 #include <memory>
20 #include <string>
21 #include <vector>
22 
23 #include <android-base/strings.h>
24 #include <fstab/fstab.h>
25 #include <libavb/libavb.h>
26 #include <libdm/dm.h>
27 
28 #include "avb_util.h"
29 #include "util.h"
30 
31 namespace android {
32 namespace fs_mgr {
33 
34 // Given a FstabEntry, loads and verifies the vbmeta, to extract the Avb Hashtree descriptor.
LoadAndVerifyVbmeta(const FstabEntry & fstab_entry,const std::string & expected_public_key_blob,std::string * out_public_key_data,std::string * out_avb_partition_name,VBMetaVerifyResult * out_verify_result)35 std::unique_ptr<VBMetaData> LoadAndVerifyVbmeta(const FstabEntry& fstab_entry,
36                                                 const std::string& expected_public_key_blob,
37                                                 std::string* out_public_key_data,
38                                                 std::string* out_avb_partition_name,
39                                                 VBMetaVerifyResult* out_verify_result) {
40     // Derives partition_name from blk_device to query the corresponding AVB HASHTREE descriptor
41     // to setup dm-verity. The partition_names in AVB descriptors are without A/B suffix.
42     std::string avb_partition_name = DeriveAvbPartitionName(fstab_entry, fs_mgr_get_slot_suffix(),
43                                                             fs_mgr_get_other_slot_suffix());
44     if (out_avb_partition_name) {
45         *out_avb_partition_name = avb_partition_name;
46     }
47 
48     // Updates fstab_entry->blk_device from <partition> to /dev/block/dm-<N> if
49     // it's a logical partition.
50     std::string device_path = fstab_entry.blk_device;
51     if (fstab_entry.fs_mgr_flags.logical &&
52         !android::base::StartsWith(fstab_entry.blk_device, "/")) {
53         dm::DeviceMapper& dm = dm::DeviceMapper::Instance();
54         if (!dm.GetDmDevicePathByName(fstab_entry.blk_device, &device_path)) {
55             LERROR << "Failed to resolve logical device path for: " << fstab_entry.blk_device;
56             return nullptr;
57         }
58     }
59 
60     return LoadAndVerifyVbmetaByPath(device_path, avb_partition_name, expected_public_key_blob,
61                                      true /* allow_verification_error */,
62                                      false /* rollback_protection */, false /* is_chained_vbmeta */,
63                                      out_public_key_data, nullptr /* out_verification_disabled */,
64                                      out_verify_result);
65 }
66 
67 // Given a path, loads and verifies the vbmeta, to extract the Avb Hashtree descriptor.
GetHashtreeDescriptor(const std::string & avb_partition_name,VBMetaData && vbmeta)68 std::unique_ptr<FsAvbHashtreeDescriptor> GetHashtreeDescriptor(
69         const std::string& avb_partition_name, VBMetaData&& vbmeta) {
70     if (!vbmeta.size()) return nullptr;
71 
72     std::vector<VBMetaData> vbmeta_images;
73     vbmeta_images.emplace_back(std::move(vbmeta));
74     return GetHashtreeDescriptor(avb_partition_name, vbmeta_images);
75 }
76 
GetHashDescriptor(const std::string & partition_name,const std::vector<VBMetaData> & vbmeta_images)77 std::unique_ptr<FsAvbHashDescriptor> GetHashDescriptor(
78         const std::string& partition_name, const std::vector<VBMetaData>& vbmeta_images) {
79     bool found = false;
80     const uint8_t* desc_partition_name;
81     auto hash_desc = std::make_unique<FsAvbHashDescriptor>();
82 
83     for (const auto& vbmeta : vbmeta_images) {
84         size_t num_descriptors;
85         std::unique_ptr<const AvbDescriptor*[], decltype(&avb_free)> descriptors(
86                 avb_descriptor_get_all(vbmeta.data(), vbmeta.size(), &num_descriptors), avb_free);
87 
88         if (!descriptors || num_descriptors < 1) {
89             continue;
90         }
91 
92         for (size_t n = 0; n < num_descriptors && !found; n++) {
93             AvbDescriptor desc;
94             if (!avb_descriptor_validate_and_byteswap(descriptors[n], &desc)) {
95                 LWARNING << "Descriptor[" << n << "] is invalid";
96                 continue;
97             }
98             if (desc.tag == AVB_DESCRIPTOR_TAG_HASH) {
99                 desc_partition_name = (const uint8_t*)descriptors[n] + sizeof(AvbHashDescriptor);
100                 if (!avb_hash_descriptor_validate_and_byteswap((AvbHashDescriptor*)descriptors[n],
101                                                                hash_desc.get())) {
102                     continue;
103                 }
104                 if (hash_desc->partition_name_len != partition_name.length()) {
105                     continue;
106                 }
107                 // Notes that desc_partition_name is not NUL-terminated.
108                 std::string hash_partition_name((const char*)desc_partition_name,
109                                                 hash_desc->partition_name_len);
110                 if (hash_partition_name == partition_name) {
111                     found = true;
112                 }
113             }
114         }
115 
116         if (found) break;
117     }
118 
119     if (!found) {
120         LERROR << "Hash descriptor not found: " << partition_name;
121         return nullptr;
122     }
123 
124     hash_desc->partition_name = partition_name;
125 
126     const uint8_t* desc_salt = desc_partition_name + hash_desc->partition_name_len;
127     hash_desc->salt = BytesToHex(desc_salt, hash_desc->salt_len);
128 
129     const uint8_t* desc_digest = desc_salt + hash_desc->salt_len;
130     hash_desc->digest = BytesToHex(desc_digest, hash_desc->digest_len);
131 
132     return hash_desc;
133 }
134 
135 // Given a path, loads and verifies the vbmeta, to extract the Avb Hash descriptor.
GetHashDescriptor(const std::string & avb_partition_name,VBMetaData && vbmeta)136 std::unique_ptr<FsAvbHashDescriptor> GetHashDescriptor(const std::string& avb_partition_name,
137                                                        VBMetaData&& vbmeta) {
138     if (!vbmeta.size()) return nullptr;
139 
140     std::vector<VBMetaData> vbmeta_images;
141     vbmeta_images.emplace_back(std::move(vbmeta));
142     return GetHashDescriptor(avb_partition_name, vbmeta_images);
143 }
144 
GetAvbPropertyDescriptor(const std::string & key,const std::vector<VBMetaData> & vbmeta_images)145 std::string GetAvbPropertyDescriptor(const std::string& key,
146                                      const std::vector<VBMetaData>& vbmeta_images) {
147     size_t value_size;
148     for (const auto& vbmeta : vbmeta_images) {
149         const char* value = avb_property_lookup(vbmeta.data(), vbmeta.size(), key.data(),
150                                                 key.size(), &value_size);
151         if (value != nullptr) {
152             return {value, value_size};
153         }
154     }
155     return "";
156 }
157 
158 }  // namespace fs_mgr
159 }  // namespace android
160