tree 5e48be3f7cef2bd69eeb0e525fb49c492b09a760
parent dc678e8d3c2a13e2be3802739d0e678185577d7b
author David Zeuthen <zeuthen@google.com> 1494282641 -0400
committer David Zeuthen <zeuthen@google.com> 1494526830 -0400

libavb: Allow specifying dm-verity error handling.

Currently AVB only supports one error mode for handling dm-verity
errors which is to invalidate the slot in question and restart the
device. On the next reboot the bootloader is expected to boot the
other slot or enter some kind of repair state.

While this may be suitable for some devices / form-factors it doesn't
allow for the workflow described in "Recovering from dm-verity errors"
as described in

 https://source.android.com/security/verifiedboot/verified-boot

This CL adds support for specifying the error mode by allowing passing
through the verity error handling mode to avb_slot_verify(). Initially
four error handling modes are supported:

 * AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE means that the HLOS
   will invalidate the current slot and restart (current behavior).

 * AVB_HASHTREE_ERROR_MODE_RESTART means that the OS will restart
   (without the current slot being invalidated).

 * AVB_HASHTREE_ERROR_MODE_EIO means that an EIO error will be
   returned to the application.

 * AVB_HASHTREE_ERROR_MODE_LOGGING means that errors will be logged
   and corrupt data may be returned to applications. This mode should
   be used ONLY for diagnostics and debugging. It cannot be used
   unless verification errors are also allowed (e.g. only in UNLOCKED mode).

The passed-in value combined with whether dm-verity is disabled in the
top-level vbmeta maps to androidboot.veritymode being either
'enforcing', 'eio', or 'logging' and
androidboot.vbmeta.invalidate_on_error possibly being set to 'yes'.

In a nutshell this CL simply sets androidboot.veritymode and
androidboot.vbmeta.invalidate_on_error based on whatever hashtree
error mode is passed by the caller of avb_slot_verify().

This CL also introduces $(ANDROID_VERITY_MODE) which is now used by
avbtool in the dm="..." string and libavb will replace this with
'restart_on_corruption', 'ignore_corruption', etc. depending on the
error handling mode passed to avb_slot_verify().

A related CL for drivers/md/dm-verity-avb.c will support
androidboot.vbmeta.invalidate_on_error to only invalidate if this is
set to 'yes'.

The README.md file has been updated with a section to discuss
dm-verity error handling and what it entails.

Since we're changing avb_slot_verify() with this CL also use this
opportunity to change the |allow_verification_mode| boolean parameter
into a flag. This will make it easier to add features to libavb in the
future without breaking API again.

Also update the toy UEFI bootloader in examples/uefi to use this new
API and make it use AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE.

Bug: 38157502
Test: New unit tests and all unit tests pass.
Test: Manually tested all dm-verity error modes on UEFI-based bootloader.
Change-Id: I0e6639839ce696e815ac6e8fad8dfb2212390ddd
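The mapping the commit message describes, as an added illustration in C that is not libavb's own code: each hashtree error mode resolves to an androidboot.veritymode value, to whether androidboot.vbmeta.invalidate_on_error=yes is emitted, and to the dm-verity option substituted for $(ANDROID_VERITY_MODE) in the avbtool dm="..." template. The token chosen for the EIO case (dm-verity defaults to EIO when no corruption option is given, so a harmless duplicate keeps the option count intact) is an assumption, and the hashtree-disabled vbmeta flag is not modelled.

```c
/* Added illustration of the mode -> kernel cmdline mapping; the enum is
 * redeclared here so the snippet builds without libavb headers. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

enum avb_hashtree_error_mode {
  AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
  AVB_HASHTREE_ERROR_MODE_RESTART,
  AVB_HASHTREE_ERROR_MODE_EIO,
  AVB_HASHTREE_ERROR_MODE_LOGGING
};

struct verity_cmdline {
  const char *veritymode;    /* androidboot.veritymode=... */
  bool invalidate_on_error;  /* emit androidboot.vbmeta.invalidate_on_error=yes */
  const char *dm_mode;       /* replaces $(ANDROID_VERITY_MODE) */
};

/* Returns false when the mode is not permitted: LOGGING is only valid
 * when verification errors are also allowed (e.g. device UNLOCKED). */
bool resolve_verity_mode(enum avb_hashtree_error_mode mode,
                         bool allow_verification_error,
                         struct verity_cmdline *out) {
  switch (mode) {
    case AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE:
      *out = (struct verity_cmdline){"enforcing", true, "restart_on_corruption"};
      return true;
    case AVB_HASHTREE_ERROR_MODE_RESTART:
      *out = (struct verity_cmdline){"enforcing", false, "restart_on_corruption"};
      return true;
    case AVB_HASHTREE_ERROR_MODE_EIO:
      /* Assumed token: dm-verity falls back to EIO with no corruption option. */
      *out = (struct verity_cmdline){"eio", false, "ignore_zero_blocks"};
      return true;
    case AVB_HASHTREE_ERROR_MODE_LOGGING:
      if (!allow_verification_error) return false;
      *out = (struct verity_cmdline){"logging", false, "ignore_corruption"};
      return true;
  }
  return false;
}

/* Replace every $(ANDROID_VERITY_MODE) in an avbtool dm="..." template.
 * Returns the number of substitutions, or -1 if dst cannot hold the result. */
int substitute_verity_mode(const char *tmpl, const char *dm_mode,
                           char *dst, size_t dst_len) {
  static const char token[] = "$(ANDROID_VERITY_MODE)";
  const size_t tlen = sizeof(token) - 1, mlen = strlen(dm_mode);
  size_t used = 0;
  int count = 0;
  for (const char *p = tmpl; *p;) {
    bool hit = strncmp(p, token, tlen) == 0;
    size_t n = hit ? mlen : 1;
    if (used + n >= dst_len) return -1;       /* leave room for the NUL */
    memcpy(dst + used, hit ? dm_mode : p, n);
    used += n;
    p += hit ? tlen : 1;
    count += hit;
  }
  dst[used] = '\0';
  return count;
}
```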
