libfs_avb: Disable dm-verity when AVB is permissive
When the bootloader is unlocked (i.e. AVB is permissive), enforcing
dm-verity on system partitions is meaningless because the bootloader
doesn't enforce verification on the root of the high-level verified boot
chain: the kernel. As a result, mounting system partitions with
dm-verity (hashtree verification) is futile when the code performing
verification has not been verified in the first place; users can also
disable dm-verity manually by flashing vbmeta with `fastboot flash
--disable-verity vbmeta vbmeta.img`.

For user and developer convenience, disable dm-verity automatically when
the bootloader is unlocked by checking for permissive AVB. This makes it
possible to ship enforcing vbmeta images for security-conscious users to
lock their bootloader and reap the benefits of verified boot, while
still allowing users with unlocked bootloaders to modify system
partitions.

Change-Id: Ie88362cfbda75561ef450e00fdc82ade221facb5
kdrag0n committed Jun 7, 2022
1 parent 112cbfc commit df89d06
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions fs_mgr/libfs_avb/fs_avb.cpp
Expand Up @@ -241,7 +241,8 @@ AvbUniquePtr AvbHandle::LoadAndVerifyVbmeta(
bool verification_disabled = ((AvbVBMetaImageFlags)vbmeta_header->flags &
AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED);
bool hashtree_disabled =
((AvbVBMetaImageFlags)vbmeta_header->flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED);
((AvbVBMetaImageFlags)vbmeta_header->flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED) ||
allow_verification_error;
if (verification_disabled) {
avb_handle->status_ = AvbHandleStatus::kVerificationDisabled;
} else if (hashtree_disabled) {
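Review bot: `hashtree_disabled` in LoadAndVerifyVbmeta no longer means what its name says: after `|| allow_verification_error` it is true even when the vbmeta header does not carry AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED, so the `else if (hashtree_disabled)` branch is taken for two unrelated reasons and anything reading the resulting status cannot tell an image built with the flag from a device that is merely permissive. Keep the flag test in its own bool and combine it with a second, clearly named one (for example `hashtree_disabled_by_flag || allow_verification_error`), and log which of the two caused dm-verity to be skipped so the decision is visible in boot logs. The definition of `allow_verification_error` is not in the visible lines; if it can be set for any reason other than an unlocked bootloader, this condition is broader than the commit message describes and should be narrowed.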
Expand Down Expand Up @@ -457,7 +458,8 @@ AvbUniquePtr AvbHandle::Open() {
// - vbmeta struct in all partitions are still processed, just disable
// dm-verity in the user space.
bool hashtree_disabled =
((AvbVBMetaImageFlags)vbmeta_header.flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED);
((AvbVBMetaImageFlags)vbmeta_header.flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED) ||
allow_verification_error;

if (verification_disabled) {
avb_handle->status_ = AvbHandleStatus::kVerificationDisabled;
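Review bot: the comment directly above `hashtree_disabled` in Open() ("vbmeta struct in all partitions are still processed, just disable dm-verity in the user space") still describes only the vbmeta flag case and says nothing about the new `|| allow_verification_error` term, so a reader of the code alone will not learn that a permissive AVB state now turns off hashtree verification. Extend the comment to cover the permissive case and the reasoning from the commit message. The same two-line expression is now duplicated here and in LoadAndVerifyVbmeta (only `vbmeta_header.flags` versus `vbmeta_header->flags` differs); a small helper taking the flags and `allow_verification_error` would keep the two call sites from drifting apart.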