/*
 * Copyright (C) 2019 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
16 
17 #pragma once
18 
#include <functional>
#include <memory>
#include <ostream>
#include <string>
#include <vector>

#include <fstab/fstab.h>
#include <libavb/libavb.h>
#include <libdm/dm.h>

#include "fs_avb/types.h"
28 
29 namespace android {
30 namespace fs_mgr {
31 
// Name and public key blob of one chain partition, as returned by GetChainPartitionInfo().
// NOTE(review): public_key_blob is presumably the key the chained partition's own vbmeta is
// expected to be signed with -- confirm against the GetChainPartitionInfo() implementation.
struct ChainInfo {
    std::string partition_name;
    std::string public_key_blob;

    // Stores a copy of each argument in the member of the matching name.
    ChainInfo(const std::string& chain_partition_name, const std::string& chain_public_key_blob)
        : partition_name{chain_partition_name},
          public_key_blob{chain_public_key_blob} {}
};
39 
// Returns a string for |key|, taken from |vbmeta_images|.
// NOTE(review): presumably this is the value of the AVB property descriptor named |key|.
// The std::string return cannot by itself tell "property absent" from "property empty";
// confirm what the implementation returns when the key is not found.
// NOTE(review): the value is only as trustworthy as |vbmeta_images|; presumably callers pass
// images that have already been verified -- confirm at the call sites.
std::string GetAvbPropertyDescriptor(const std::string& key,
                                     const std::vector<VBMetaData>& vbmeta_images);

// Returns the hash descriptor for |partition_name| found in |vbmeta_images|.
// NOTE(review): presumably returns nullptr when no matching descriptor exists, so callers
// should null-check the result before using it -- confirm against the implementation.
std::unique_ptr<FsAvbHashDescriptor> GetHashDescriptor(
        const std::string& partition_name, const std::vector<VBMetaData>& vbmeta_images);
45 
// Helpers that go from an AvbHashtreeDescriptor to a dm-verity table setup.
// NOTE(review): presumably returns nullptr when |vbmeta_images| holds no hashtree descriptor
// for |partition_name|; callers should null-check the result -- confirm.
std::unique_ptr<FsAvbHashtreeDescriptor> GetHashtreeDescriptor(
        const std::string& partition_name, const std::vector<VBMetaData>& vbmeta_images);

// Writes into |table|, using |hashtree_desc| and the block device path |blk_device|.
// NOTE(review): presumably a false return means |table| is incomplete and must not be
// loaded -- confirm against the implementation.
bool ConstructVerityTable(const FsAvbHashtreeDescriptor& hashtree_desc,
                          const std::string& blk_device, android::dm::DmTable* table);

// NOTE(review): |fstab_entry| is passed by non-const pointer, so the entry may be modified
// (presumably to point at the created dm-verity device) -- confirm. |wait_for_verity_dev|
// presumably makes the call wait until that device is available.
// NOTE(review): a false return presumably means the partition is NOT protected by dm-verity;
// callers should treat that as a failure rather than continue with the raw block device.
bool HashtreeDmVeritySetup(FstabEntry* fstab_entry, const FsAvbHashtreeDescriptor& hashtree_desc,
                           bool wait_for_verity_dev);

// Searches for an AVB hashtree descriptor in vbmeta_images for fstab_entry, to enable dm-verity.
// NOTE(review): |ab_suffix| and |ab_other_suffix| are presumably the A/B slot suffixes used to
// match the fstab entry to a descriptor name -- confirm. As above, a false return presumably
// means dm-verity was not enabled for the entry.
bool LoadAvbHashtreeToEnableVerity(FstabEntry* fstab_entry, bool wait_for_verity_dev,
                                   const std::vector<VBMetaData>& vbmeta_images,
                                   const std::string& ab_suffix, const std::string& ab_other_suffix);
60 
// Converts an AVB partition name to a device partition name.
// NOTE(review): |ab_suffix| and |ab_other_suffix| are presumably the A/B slot suffixes for
// the current slot and the other slot -- confirm which partitions receive which suffix.
// NOTE(review): the identifier is spelled "Patition". It is the declared public name, so it
// is left unchanged here; a rename would have to cover the definition and every caller.
std::string AvbPartitionToDevicePatition(const std::string& avb_partition_name,
                                         const std::string& ab_suffix,
                                         const std::string& ab_other_suffix);

// Converts a by-name symlink to an AVB partition name.
// NOTE(review): the symlink is presumably taken from |fstab_entry|'s block device path, with
// the slot suffix handled via |ab_suffix| / |ab_other_suffix| -- confirm.
std::string DeriveAvbPartitionName(const FstabEntry& fstab_entry, const std::string& ab_suffix,
                                   const std::string& ab_other_suffix);
69 
// AvbFooter and AvbMetaImage manipulations.
// NOTE(review): presumably returns the total size of the file or block device behind |fd|;
// the signed off64_t return suggests a negative value on failure -- confirm.
off64_t GetTotalSize(int fd);

// NOTE(review): presumably reads the AvbFooter from |fd| and returns nullptr when none can be
// read or validated. The footer comes from partition contents, so its offset and size fields
// should be treated as untrusted until bounds-checked -- confirm the implementation does so.
std::unique_ptr<AvbFooter> GetAvbFooter(int fd);

// Returns the vbmeta for |partition_name| read from |fd|; |out_public_key_data| and
// |out_verify_result| are output parameters.
// NOTE(review): presumably a non-null return does not by itself mean verification succeeded;
// callers should inspect |*out_verify_result| -- confirm.
// NOTE(review): confirm how an empty |expected_public_key_blob| is treated, since that
// decides whether a caller can skip the key check by passing an empty string.
std::unique_ptr<VBMetaData> VerifyVBMetaData(int fd, const std::string& partition_name,
                                             const std::string& expected_public_key_blob,
                                             std::string* out_public_key_data,
                                             VBMetaVerifyResult* out_verify_result);

// Returns a VBMetaVerifyResult for |vbmeta|, checked against |expected_public_key_blob|.
// |out_public_key_data| is an output parameter.
// NOTE(review): presumably |out_public_key_data| receives the key found in |vbmeta|; that
// key should not be treated as trusted unless the returned result indicates success -- confirm.
VBMetaVerifyResult VerifyVBMetaSignature(const VBMetaData& vbmeta,
                                         const std::string& expected_public_key_blob,
                                         std::string* out_public_key_data);
83 
// Checks the key given as |key| / |length| against |expected_key_blob|.
// NOTE(review): confirm how an empty |expected_key_blob| is handled. If it is accepted as
// "no expectation", callers that intend to pin a key must never pass an empty blob.
bool ValidatePublicKeyBlob(const uint8_t* key, size_t length, const std::string& expected_key_blob);

// Overload that checks |key_blob_to_validate| against a list of |expected_key_paths|.
// NOTE(review): presumably each path names a file holding an acceptable public key, and the
// blob is accepted if it matches any of them -- confirm. Those files are part of the trust
// decision, so they need to come from a location that is itself integrity-protected.
bool ValidatePublicKeyBlob(const std::string& key_blob_to_validate,
                           const std::vector<std::string>& expected_key_paths);
88 
// Detects whether a partition contains a rollback image.
// NOTE(review): presumably compares |rollback_index| with a stored minimum for
// |partition_name|; where that minimum is kept is not visible in this header -- confirm.
bool RollbackDetected(const std::string& partition_name, uint64_t rollback_index);

// Extracts chain partition info from |vbmeta|. |fatal_error| is an output parameter.
// NOTE(review): an empty result can presumably mean either "no chain partitions" or a
// failure, so callers should check |*fatal_error| before using the vector -- confirm.
std::vector<ChainInfo> GetChainPartitionInfo(const VBMetaData& vbmeta, bool* fatal_error);
94 
// Loads the single vbmeta from a given path.
// |out_public_key_data|, |out_verification_disabled| and |out_verify_result| are output
// parameters.
// NOTE(review): with |allow_verification_error| set, a vbmeta image is presumably still
// returned when verification fails; callers should then decide based on |*out_verify_result|
// and |*out_verification_disabled| rather than on a non-null return -- confirm.
// NOTE(review): |rollback_protection| presumably enables the rollback-index check, and
// |is_chained_vbmeta| marks an image reached through a chain partition -- confirm.
std::unique_ptr<VBMetaData> LoadAndVerifyVbmetaByPath(
        const std::string& image_path, const std::string& partition_name,
        const std::string& expected_public_key_blob, bool allow_verification_error,
        bool rollback_protection, bool is_chained_vbmeta, std::string* out_public_key_data,
        bool* out_verification_disabled, VBMetaVerifyResult* out_verify_result);

// Loads the top-level vbmeta and all its chained vbmeta images.
// The actual device path is constructed at runtime by:
// partition_name, ab_suffix, ab_other_suffix, and device_path_constructor.
// |device_path_constructor| maps a string to a string; presumably partition name to device
// path -- confirm. |out_vbmeta_images| is an output parameter.
// NOTE(review): |out_vbmeta_images| may presumably hold images even when the returned result
// reports an error (for example when |allow_verification_error| is set); callers should check
// the return value before trusting the images -- confirm.
VBMetaVerifyResult LoadAndVerifyVbmetaByPartition(
    const std::string& partition_name, const std::string& ab_suffix,
    const std::string& ab_other_suffix, const std::string& expected_public_key_blob,
    bool allow_verification_error, bool load_chained_vbmeta, bool rollback_protection,
    std::function<std::string(const std::string&)> device_path_constructor, bool is_chained_vbmeta,
    std::vector<VBMetaData>* out_vbmeta_images);
111 
112 }  // namespace fs_mgr
113 }  // namespace android
114