#!/system/bin/sh

# Copyright (C) 2019 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

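# ART pre-boot integrity check for boot artifacts under /data/dalvik-cache.
#
# Exit status:
#   0 - every candidate file passed, or the fsverity tool is missing (the
#       candidate files are deleted in that case)
#   1 - fs-verity could neither be measured nor enabled on a file
#   2 - reading a file back failed
# On status 1 and 2 all candidate files are deleted before exiting.

# Log helpers: both write to the Android log under the art_apex tag, with
# priorities "i" and "f".
alias log_info="log -t art_apex -p i"
alias log_error="log -t art_apex -p f"

log_info "=== ART pre-boot integrity checks ==="

# The file list below is expanded unquoted on purpose (one word per path).
# Split on newlines only and turn off globbing, so that a file name holding
# blanks or wildcard characters cannot turn into extra arguments for rm.
# Names containing a newline are still split; the list format cannot carry
# them.
IFS='
'
set -f

# Measure (and enable) fsverity to see if things are installed. Enable is not
# idempotent, and we'd need to parse the error string to see whether it says
# data was installed. Rather do a two-step.
#
# The two -name tests are grouped so that -type f applies to both patterns.
# The second test must be spelled -name: a bare "name" is not a valid find
# expression, which would presumably make find fail, leave the list empty and
# let the script finish without checking anything.
FILES=$(find /data/dalvik-cache -type f \
  \( -name 'system@framework@boot*' -o -name 'system@framework@*jar*' \))

# Without the fsverity tool nothing can be verified: drop the candidate files
# rather than leave unverified artifacts in place.
if [ ! -f "/system/bin/fsverity" ] ; then
  log_error "Device is not fsverity-enabled."
  rm -f -- $FILES
  exit 0
fi

for FILE in $FILES ; do
  if [ ! -f "$FILE" ] ; then
    continue # May have deleted already.
  fi

  # Check for fsverity protection: a file that cannot be measured gets one
  # attempt at enabling it.
  if ! fsverity measure "$FILE" ; then
    if ! ENABLE_MSG=$(fsverity enable "$FILE" 2>&1) ; then
      # No installed data, can't enable - clean up.
      # Note: to avoid side effects, only delete the tested files. To avoid
      # understanding arches here, delete all, even if that may delete
      # too aggressively.
      log_error "Enable failed: $ENABLE_MSG"
      rm -f -- $FILES
      exit 1
    fi
  fi

  # Check for integrity: read the whole file once and treat any read error as
  # a failed check.
  if ! INTEGRITY_MSG=$(dd if="$FILE" of=/dev/null bs=4k 2>&1) ; then
    log_error "Integrity failed: $INTEGRITY_MSG"
    rm -f -- $FILES
    exit 2
  fi
done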