1 /*
2  * Copyright (C) 2019 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <ostream>
20 #include <string>
21 #include <vector>
22 
23 #include <fstab/fstab.h>
24 #include <libavb/libavb.h>
25 #include <libdm/dm.h>
26 
27 #include "fs_avb/types.h"
28 
29 namespace android {
30 namespace fs_mgr {
31 
32 struct ChainInfo {
33     std::string partition_name;
34     std::string public_key_blob;
35 
ChainInfoChainInfo36     ChainInfo(const std::string& chain_partition_name, const std::string& chain_public_key_blob)
37         : partition_name(chain_partition_name), public_key_blob(chain_public_key_blob) {}
38 };
39 
40 // AvbHashtreeDescriptor to dm-verity table setup.
41 std::unique_ptr<FsAvbHashtreeDescriptor> GetHashtreeDescriptor(
42         const std::string& partition_name, const std::vector<VBMetaData>& vbmeta_images);
43 
44 bool ConstructVerityTable(const FsAvbHashtreeDescriptor& hashtree_desc,
45                           const std::string& blk_device, android::dm::DmTable* table);
46 
47 bool HashtreeDmVeritySetup(FstabEntry* fstab_entry, const FsAvbHashtreeDescriptor& hashtree_desc,
48                            bool wait_for_verity_dev);
49 
50 // Searches a Avb hashtree descriptor in vbmeta_images for fstab_entry, to enable dm-verity.
51 bool LoadAvbHashtreeToEnableVerity(FstabEntry* fstab_entry, bool wait_for_verity_dev,
52                                    const std::vector<VBMetaData>& vbmeta_images,
53                                    const std::string& ab_suffix, const std::string& ab_other_suffix);
54 
55 // Converts AVB partition name to a device partition name.
56 std::string AvbPartitionToDevicePatition(const std::string& avb_partition_name,
57                                          const std::string& ab_suffix,
58                                          const std::string& ab_other_suffix);
59 
60 // Converts by-name symlink to AVB partition name.
61 std::string DeriveAvbPartitionName(const FstabEntry& fstab_entry, const std::string& ab_suffix,
62                                    const std::string& ab_other_suffix);
63 
64 // AvbFooter and AvbMetaImage maninpulations.
65 off64_t GetTotalSize(int fd);
66 
67 std::unique_ptr<AvbFooter> GetAvbFooter(int fd);
68 
69 std::unique_ptr<VBMetaData> VerifyVBMetaData(int fd, const std::string& partition_name,
70                                              const std::string& expected_public_key_blob,
71                                              std::string* out_public_key_data,
72                                              VBMetaVerifyResult* out_verify_result);
73 
74 VBMetaVerifyResult VerifyVBMetaSignature(const VBMetaData& vbmeta,
75                                          const std::string& expected_public_key_blob,
76                                          std::string* out_public_key_data);
77 
78 bool ValidatePublicKeyBlob(const uint8_t* key, size_t length, const std::string& expected_key_blob);
79 
80 bool ValidatePublicKeyBlob(const std::string& key_blob_to_validate,
81                            const std::vector<std::string>& expected_key_paths);
82 
83 // Detects if whether a partition contains a rollback image.
84 bool RollbackDetected(const std::string& partition_name, uint64_t rollback_index);
85 
86 // Extracts chain partition info.
87 std::vector<ChainInfo> GetChainPartitionInfo(const VBMetaData& vbmeta, bool* fatal_error);
88 
89 // Loads the single vbmeta from a given path.
90 std::unique_ptr<VBMetaData> LoadAndVerifyVbmetaByPath(
91         const std::string& image_path, const std::string& partition_name,
92         const std::string& expected_public_key_blob, bool allow_verification_error,
93         bool rollback_protection, bool is_chained_vbmeta, std::string* out_public_key_data,
94         bool* out_verification_disabled, VBMetaVerifyResult* out_verify_result);
95 
96 // Loads the top-level vbmeta and all its chained vbmeta images.
97 // The actual device path is constructed at runtime by:
98 // partition_name, ab_suffix, ab_other_suffix, and device_path_constructor.
99 VBMetaVerifyResult LoadAndVerifyVbmetaByPartition(
100     const std::string& partition_name, const std::string& ab_suffix,
101     const std::string& ab_other_suffix, const std::string& expected_public_key_blob,
102     bool allow_verification_error, bool load_chained_vbmeta, bool rollback_protection,
103     std::function<std::string(const std::string&)> device_path_constructor, bool is_chained_vbmeta,
104     std::vector<VBMetaData>* out_vbmeta_images);
105 
106 }  // namespace fs_mgr
107 }  // namespace android
108