/*
* Copyright (C) 2018 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.android.server.security;
import static android.system.OsConstants.PROT_READ;
import static android.system.OsConstants.PROT_WRITE;
import android.annotation.NonNull;
import android.os.SharedMemory;
import android.system.ErrnoException;
import android.system.Os;
import android.util.apk.ApkSignatureVerifier;
import android.util.apk.ByteBufferFactory;
import android.util.apk.SignatureNotFoundException;
import android.util.Pair;
import android.util.Slog;
import java.io.FileDescriptor;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.DigestException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
/** Provides fsverity related operations. */
abstract public class VerityUtils {
private static final String TAG = "VerityUtils";
private static final boolean DEBUG = false;
/**
* Generates Merkle tree and fsverity metadata.
*
* @return {@code SetupResult} that contains the {@code EsetupResultCode}, and when success, the
* {@code FileDescriptor} to read all the data from.
*/
public static SetupResult generateApkVeritySetupData(@NonNull String apkPath) {
if (DEBUG) Slog.d(TAG, "Trying to install apk verity to " + apkPath);
SharedMemory shm = null;
try {
byte[] signedRootHash = ApkSignatureVerifier.getVerityRootHash(apkPath);
if (signedRootHash == null) {
if (DEBUG) {
Slog.d(TAG, "Skip verity tree generation since there is no root hash");
}
return SetupResult.skipped();
}
Pair<SharedMemory, Integer> result = generateApkVerityIntoSharedMemory(apkPath,
signedRootHash);
shm = result.first;
int contentSize = result.second;
FileDescriptor rfd = shm.getFileDescriptor();
if (rfd == null || !rfd.valid()) {
return SetupResult.failed();
}
return SetupResult.ok(Os.dup(rfd), contentSize);
} catch (IOException | SecurityException | DigestException | NoSuchAlgorithmException |
SignatureNotFoundException | ErrnoException e) {
Slog.e(TAG, "Failed to set up apk verity: ", e);
return SetupResult.failed();
} finally {
if (shm != null) {
shm.close();
}
}
}
/**
* {@see ApkSignatureVerifier#generateFsverityRootHash(String)}.
*/
public static byte[] generateFsverityRootHash(@NonNull String apkPath)
throws NoSuchAlgorithmException, DigestException, IOException {
return ApkSignatureVerifier.generateFsverityRootHash(apkPath);
}
/**
* {@see ApkSignatureVerifier#getVerityRootHash(String)}.
*/
public static byte[] getVerityRootHash(@NonNull String apkPath)
throws IOException, SignatureNotFoundException, SecurityException {
return ApkSignatureVerifier.getVerityRootHash(apkPath);
}
/**
* Returns a pair of {@code SharedMemory} and {@code Integer}. The {@code SharedMemory} contains
* Merkle tree and fsverity headers for the given apk, in the form that can immediately be used
* for fsverity setup. The data is aligned to the beginning of {@code SharedMemory}, and has
* length equals to the returned {@code Integer}.
*/
private static Pair<SharedMemory, Integer> generateApkVerityIntoSharedMemory(
String apkPath, byte[] expectedRootHash)
throws IOException, SecurityException, DigestException, NoSuchAlgorithmException,
SignatureNotFoundException {
TrackedShmBufferFactory shmBufferFactory = new TrackedShmBufferFactory();
byte[] generatedRootHash = ApkSignatureVerifier.generateApkVerity(apkPath,
shmBufferFactory);
// We only generate Merkle tree once here, so it's important to make sure the root hash
// matches the signed one in the apk.
if (!Arrays.equals(expectedRootHash, generatedRootHash)) {
throw new SecurityException("Locally generated verity root hash does not match");
}
int contentSize = shmBufferFactory.getBufferLimit();
SharedMemory shm = shmBufferFactory.releaseSharedMemory();
if (shm == null) {
throw new IllegalStateException("Failed to generate verity tree into shared memory");
}
if (!shm.setProtect(PROT_READ)) {
throw new SecurityException("Failed to set up shared memory correctly");
}
return Pair.create(shm, contentSize);
}
public static class SetupResult {
/** Result code if verity is set up correctly. */
private static final int RESULT_OK = 1;
/** Result code if the apk does not contain a verity root hash. */
private static final int RESULT_SKIPPED = 2;
/** Result code if the setup failed. */
private static final int RESULT_FAILED = 3;
private final int mCode;
private final FileDescriptor mFileDescriptor;
private final int mContentSize;
public static SetupResult ok(@NonNull FileDescriptor fileDescriptor, int contentSize) {
return new SetupResult(RESULT_OK, fileDescriptor, contentSize);
}
public static SetupResult skipped() {
return new SetupResult(RESULT_SKIPPED, null, -1);
}
public static SetupResult failed() {
return new SetupResult(RESULT_FAILED, null, -1);
}
private SetupResult(int code, FileDescriptor fileDescriptor, int contentSize) {
this.mCode = code;
this.mFileDescriptor = fileDescriptor;
this.mContentSize = contentSize;
}
public boolean isFailed() {
return mCode == RESULT_FAILED;
}
public boolean isOk() {
return mCode == RESULT_OK;
}
public @NonNull FileDescriptor getUnownedFileDescriptor() {
return mFileDescriptor;
}
public int getContentSize() {
return mContentSize;
}
}
/** A {@code ByteBufferFactory} that creates a shared memory backed {@code ByteBuffer}. */
private static class TrackedShmBufferFactory implements ByteBufferFactory {
private SharedMemory mShm;
private ByteBuffer mBuffer;
@Override
public ByteBuffer create(int capacity) throws SecurityException {
try {
if (DEBUG) Slog.d(TAG, "Creating shared memory for apk verity");
// NB: This method is supposed to be called once according to the contract with
// ApkSignatureSchemeV2Verifier.
if (mBuffer != null) {
throw new IllegalStateException("Multiple instantiation from this factory");
}
mShm = SharedMemory.create("apkverity", capacity);
if (!mShm.setProtect(PROT_READ | PROT_WRITE)) {
throw new SecurityException("Failed to set protection");
}
mBuffer = mShm.mapReadWrite();
return mBuffer;
} catch (ErrnoException e) {
throw new SecurityException("Failed to set protection", e);
}
}
public SharedMemory releaseSharedMemory() {
if (mBuffer != null) {
SharedMemory.unmap(mBuffer);
mBuffer = null;
}
SharedMemory tmp = mShm;
mShm = null;
return tmp;
}
public int getBufferLimit() {
return mBuffer == null ? -1 : mBuffer.limit();
}
}
}