TrebleDroid · danielzhang130 · Mar 25, 2024
diff --git a/fs_mgr/Android.bp b/fs_mgr/Android.bp
@@ -68,6 +68,7 @@ cc_defaults {
         "file_wait.cpp",
         "fs_mgr.cpp",
         "fs_mgr_format.cpp",
+        "fs_mgr_verity.cpp",
         "fs_mgr_dm_linear.cpp",
         "fs_mgr_roots.cpp",
         "fs_mgr_overlayfs_control.cpp",

diff --git a/fs_mgr/fs_mgr.cpp b/fs_mgr/fs_mgr.cpp
@@ -1514,6 +1514,14 @@ MountAllResult fs_mgr_mount_all(Fstab* fstab, int mount_mode) {
                 // Skips mounting the device.
                 continue;
             }
+        } else if ((current_entry.fs_mgr_flags.verify)) {
+            int rc = fs_mgr_setup_verity(&current_entry, true);
+            if (rc == FS_MGR_SETUP_VERITY_DISABLED || rc == FS_MGR_SETUP_VERITY_SKIPPED) {
+                LINFO << "Verity disabled";
+            } else if (rc != FS_MGR_SETUP_VERITY_SUCCESS) {
+                LERROR << "Could not set up verified partition, skipping!";
+                continue;
+            }
         }
 
         int last_idx_inspected;
@@ -1677,6 +1685,13 @@ int fs_mgr_umount_all(android::fs_mgr::Fstab* fstab) {
                 ret |= FsMgrUmountStatus::ERROR_VERITY;
                 continue;
             }
+        } else if ((current_entry.fs_mgr_flags.verify)) {
+            if (!fs_mgr_teardown_verity(&current_entry)) {
+                LERROR << "Failed to tear down verified partition on mount point: "
+                       << current_entry.mount_point;
+                ret |= FsMgrUmountStatus::ERROR_VERITY;
+                continue;
+            }
         }
     }
     return ret;
@@ -1966,6 +1981,14 @@ int fs_mgr_do_mount(Fstab* fstab, const std::string& n_name, const std::string&
                 // Skips mounting the device.
                 continue;
             }
+        } else if (fstab_entry.fs_mgr_flags.verify) {
+            int rc = fs_mgr_setup_verity(&fstab_entry, true);
+            if (rc == FS_MGR_SETUP_VERITY_DISABLED || rc == FS_MGR_SETUP_VERITY_SKIPPED) {
+                LINFO << "Verity disabled";
+            } else if (rc != FS_MGR_SETUP_VERITY_SUCCESS) {
+                LERROR << "Could not set up verified partition, skipping!";
+                continue;
+            }
         }
 
         int retry_count = 2;
@@ -2156,7 +2179,7 @@ bool fs_mgr_swapon_all(const Fstab& fstab) {
 }
 
 bool fs_mgr_is_verity_enabled(const FstabEntry& entry) {
-    if (!entry.fs_mgr_flags.avb) {
+    if (!entry.fs_mgr_flags.verify && !entry.fs_mgr_flags.avb) {
         return false;
     }
 
@@ -2167,12 +2190,17 @@ bool fs_mgr_is_verity_enabled(const FstabEntry& entry) {
         return false;
     }
 
+    const char* status;
     std::vector<DeviceMapper::TargetInfo> table;
     if (!dm.GetTableStatus(mount_point, &table) || table.empty() || table[0].data.empty()) {
-        return false;
+        if (!entry.fs_mgr_flags.verify_at_boot) {
+            return false;
+        }
+        status = "V";
+    } else {
+        status = table[0].data.c_str();
     }
 
-    auto status = table[0].data.c_str();
     if (*status == 'C' || *status == 'V') {
         return true;
     }
@@ -2181,7 +2209,7 @@ bool fs_mgr_is_verity_enabled(const FstabEntry& entry) {
 }
 
 std::optional<HashtreeInfo> fs_mgr_get_hashtree_info(const android::fs_mgr::FstabEntry& entry) {
-    if (!entry.fs_mgr_flags.avb) {
+    if (!entry.fs_mgr_flags.verify && !entry.fs_mgr_flags.avb) {
         return {};
     }
     DeviceMapper& dm = DeviceMapper::Instance();
@@ -2340,25 +2368,6 @@ bool fs_mgr_mount_overlayfs_fstab_entry(const FstabEntry& entry) {
     return true;
 }
 
-bool fs_mgr_load_verity_state(int* mode) {
-    // unless otherwise specified, use EIO mode.
-    *mode = VERITY_MODE_EIO;
-
-    // The bootloader communicates verity mode via the kernel commandline
-    std::string verity_mode;
-    if (!fs_mgr_get_boot_config("veritymode", &verity_mode)) {
-        return false;
-    }
-
-    if (verity_mode == "enforcing") {
-        *mode = VERITY_MODE_DEFAULT;
-    } else if (verity_mode == "logging") {
-        *mode = VERITY_MODE_LOGGING;
-    }
-
-    return true;
-}
-
 bool fs_mgr_filesystem_available(const std::string& filesystem) {
     std::string filesystems;
     if (!android::base::ReadFileToString("/proc/filesystems", &filesystems)) return false;

diff --git a/fs_mgr/fs_mgr_priv.h b/fs_mgr/fs_mgr_priv.h
@@ -89,6 +89,8 @@ bool fs_mgr_is_f2fs(const std::string& blk_device);
 bool fs_mgr_filesystem_available(const std::string& filesystem);
 std::string fs_mgr_get_context(const std::string& mount_point);
 
+bool fs_mgr_teardown_verity(android::fs_mgr::FstabEntry* fstab);
+
 namespace android {
 namespace fs_mgr {