ART: Add fsverity to ART preinstall
Add a pass that installs fsverity signatures into boot
classpath components.
Bug: 125474642
Test: m
Test: manual
Change-Id: I68c78deefd5a168e4f6f785f424e5e795d128f7e
diff --git a/build/apex/art_preinstall_hook_boot.sh b/build/apex/art_preinstall_hook_boot.sh
index 9656cc9..c462603 100644
--- a/build/apex/art_preinstall_hook_boot.sh
+++ b/build/apex/art_preinstall_hook_boot.sh
@@ -73,3 +73,8 @@
--no-inline-from=core-oj.jar \
--abort-on-hard-verifier-error \
--force-determinism || { log_error "Dex2oat failed" ; exit 102 ; }
+
+FILES=`find /data/dalvik-cache/$DEX2OAT_TARGET_ARCH -type f`
+for FILE in $FILES ; do
+ setup_fsverity $FILE || exit 103
+done
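Review bot: The new loop at `for FILE in $FILES` fails open. If `find` errors out or matches nothing (for example because the `$DEX2OAT_TARGET_ARCH` directory is missing), the body never runs and the hook carries on with no file under fs-verity. The status of the backtick assignment is not checked, and no errexit setting is visible in this hunk. I would treat both cases as errors, e.g. `FILES=$(find "/data/dalvik-cache/$DEX2OAT_TARGET_ARCH" -type f) || exit 103` followed by `[ -n "$FILES" ] || { log_error "No dalvik-cache files found for fsverity" ; exit 103 ; }`. Separately, the unquoted `$FILES` and `$FILE` are word-split and glob-expanded, so `setup_fsverity "$FILE"` is the safer call even if cache file names normally contain no whitespace.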
diff --git a/build/apex/art_prepostinstall_utils.sh b/build/apex/art_prepostinstall_utils.sh
index b52b45e..bc21b76 100644
--- a/build/apex/art_prepostinstall_utils.sh
+++ b/build/apex/art_prepostinstall_utils.sh
@@ -47,3 +47,20 @@
ARCHES=`echo $ARCHES | uniq`
return 0
}
+
+function setup_fsverity {
+ local file=$1
+ local signature_file="/apex/com.android.runtime.signatures/etc/$file.sig"
+ # Setup.
+ log -t art_apex "fsverity setup for $file"
+ SETUP_MSG=`fsverity setup $file --signature=$signature_file --hash=sha256 2>&1` || \
+ { log_error "Setup failed: $SETUP_MSG" ; return 300 ; }
+ # Enable.
+ log -t art_apex "fsverity enable for $file"
+ ENABLE_MSG=`fsverity enable $file 2>&1` || \
+ { log_error "Enable failed: $ENABLE_MSG" ; return 301 ; }
+ # Test integrity.
+ INTEGRITY_MSG=`dd if=$file of=/dev/null bs=4k 2>&1` || \
+ { log_error "Integrity failed: $INTEGRITY_MSG" ; return 302 ; }
+ return 0
+}
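Review bot: The `return 300`, `return 301` and `return 302` statuses in `setup_fsverity` are outside the 0–255 range that a shell status can normally carry. Bash reduces them modulo 256, so 300 would be seen as 44; the shell that runs this hook may behave differently. Either way the per-stage codes are not reliable for telling setup, enable and integrity failures apart, and the caller collapses them to 103. Small distinct values such as `return 1`, `return 2` and `return 3` would survive. The expansions of `$file` and `$signature_file` are also unquoted in the `fsverity setup`, `fsverity enable` and `dd` commands, so I would write `fsverity enable "$file"` and `dd if="$file" of=/dev/null bs=4k`. `SETUP_MSG`, `ENABLE_MSG` and `INTEGRITY_MSG` should be declared `local` like `file` and `signature_file`, so they do not leak into the sourcing script.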