anestisb / android-prepare-vendor

Set of scripts to automate AOSP compatible vendor blobs generation from factory images

no longer need to override Pixel fstab #89

Closed thestinger closed 7 years ago

thestinger commented 7 years ago

Google removed the vendor partition from fstab and put it in the device tree as part of Treble, where it has verity enabled:

https://android.googlesource.com/kernel/msm.git/+/31dc3c7d67fa22330856a982b2cd1e6b97feda21

They also moved fstab from root to vendor, so this is installing it to the old location.

Nexus devices still need this hack.

anestisb commented 7 years ago

Awesome, one less thing to worry about. Do you have any automated method to verify at build (post-build) that verity is properly enforced? Or are you checking it manually prior to public release?

thestinger commented 7 years ago

@anestisb https://github.com/CopperheadOS/platform_packages_apps_Settings/commit/3c3e409bb5d54613fbe73fd046598ac2c4d8735a doesn't really verify it but it checks what the operating system says via properties. It sets a property if vendor verified boot is enforced.

thestinger commented 7 years ago

getprop partition.vendor.verified should be enough to check though, it should be 2.

anestisb commented 7 years ago

I mostly had in mind if there is some quick test to check verity status prior to flashing on an actual device. In your case, since you always build the kernel from scratch, you can fully control it. However, I'm not sure to what extent the prebuilt Pixel kernels have the expected setup and no small changes slip across future updates.

thestinger commented 7 years ago

You could extract the device tree and use dtc -I dtb -O dts fdt.extracted to decompile it, and check for that vendor entry with verity.
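The device-tree check suggested above, as an added example that is not part of the original thread or of either project's code: it parses `dtc -I dtb -O dts` output and reports whether the vendor fstab node carries the `verify` fs_mgr flag. The sample DTS, its node layout and the function names are constructed assumptions.

```python
import re

# Constructed sample of decompiled device tree text. The node layout and
# property values are assumptions for illustration, not taken from a device.
SAMPLE_DTS = """
/dts-v1/;
/ {
    firmware {
        android {
            compatible = "android,firmware";
            fstab {
                compatible = "android,fstab";
                vendor {
                    compatible = "android,vendor";
                    type = "ext4";
                    mnt_flags = "ro,barrier=1,discard";
                    fsmgr_flags = "wait,slotselect,verify";
                };
            };
        };
    };
};
"""

NODE_OPEN = re.compile(r'^\s*(?:[\w-]+:\s*)?([\w,.+@/-]+)\s*\{\s*$')
PROP = re.compile(r'^\s*([\w,.+#-]+)\s*=\s*"([^"]*)"\s*;\s*$')

def parse_nodes(dts_text):
    """Map each node path (tuple of names) to its string-valued properties."""
    stack, nodes = [], {}
    for line in dts_text.splitlines():
        m = NODE_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            nodes[tuple(stack)] = {}
        elif line.strip() == "};":
            del stack[-1:]          # close the current node; safe if empty
        elif stack and (p := PROP.match(line)):
            nodes[tuple(stack)][p.group(1)] = p.group(2)
    return nodes

def vendor_verity(dts_text):
    """Return (entry_found, verity_enabled, fsmgr_flags) for the vendor fstab node."""
    nodes = parse_nodes(dts_text)
    for path, props in nodes.items():
        if path[-1] == "vendor" and nodes.get(path[:-1], {}).get("compatible") == "android,fstab":
            flags = props.get("fsmgr_flags", "").split(",")
            return True, "verify" in flags, flags
    return False, False, []
```

To use it as a post-build gate, pass the text produced by the `dtc` command above to `vendor_verity()` and fail the build unless the first two fields are both `True`.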

thestinger commented 7 years ago

Also worth noting that the signing keys for the verity keyring are built into the kernel these days and don't get replaced by the build signing step. They have built-in public keys for sailfish and marlin, and a shared internal development key and the shared AOSP test key. It's actually mandatory to build a kernel in order to sign builds with a different key now.

thestinger commented 7 years ago

https://github.com/CopperheadOS/kernel_google_marlin/commit/f1d09ddfb7465a9b68ed6517fefea3952c86cf34 is where I add our keys. The build signing scripts only replace keyid on the kernel cmdline which selects the proper key used to sign the verity trees for vendor/system. If the kernel isn't rebuilt and AOSP test keys are replaced, it fails to boot since the keyid isn't found. Extremely annoying change... on Nexus you can sign a build while using the prebuilt kernel with no issue.

Documented that here: https://copperhead.co/android/docs/building#generating-release-signing-keys. Google doesn't document that stuff anywhere AFAIK.