Validate artifacts before calling odrefresh --compile.

Odrefresh supports partial compilation, by only re-generating the files
that are needed. This means that we need to verify already existing
artifacts before calling odrefresh, because otherwise we won't know
whether files that aren't in fs-verity have been generated by odrefresh,
or by an attacker that managed to compromise the filesystem on a
previous boot cycle.

To make this change without adding additional boot time, we need to
switch back to calling odrefresh in two phases again: first, we call
`odrefresh --check` to determine whether odrefresh needs to generate new
artifacts. In either case we will need to verify existing artifacts, but
if `odrefresh --check` said that it won't need to generate any new ones,
we can say we're done with the key after retrieving the digests, which
allows boot to continue in parallel with verification.

Test: atest odsign_e2e_tests
Ignore-AOSP-First: Security fix
(cherry picked from commit 7bf6e0a053307a0918965da9be6560e77d6cfe59)

1 file changed