DM-verity

key有多种我只取一把,像我们老大就是多把key排列组合,不行,不能泄密,感觉6.0刚换block-based现在7.0又来update engine,事情多的一匹


之前file-based的方式是mount起来/system,然后modify掉,现在不用mount了 block-based 直接对system分区的device进行烧写,我们的system的device是mmcblk0p1,自己的device可以在fstab上面看


system.img会构成这个样子

(----info>len real system size-- ) ( ---------------------------------------------------------------metadata--------------------------------------------------------)

1024B supper block system & megic number 4B protocol_version 4B signature 256B table_length 4B table sizeof(table_length) 204B


大体流程:

1、releasetools  编译 system.img+metadata(就是编译的时候将metadata贴在system.img的屁股后面,生成带有metadata的system.img),salt在 

android/build/tools/releasetools/build_image.py

FIXED_SALT ="aee087a5be3b982978c923f566a94613496b417f2af592639bc80d141e34dfe7"


2、将system.img烧进去,这个东西在编译出的zip 包里面 system.new.dat,system.patch.dat  system.transfer.list ,包里面带的updater,会将这三个东西烧进去,具体的东西可以在system.transfer.list 上面看,block的大小一般是4092,看system.transfer.list可以一目了然,注意:BoardConfigCommon.mk  BOARD_SYSTEMIMAGE_PARTITION_SIZE大小一定要和自己分配的mmcblk0p1的大小一致,或者小一点也可以,不然update的时候就会卡到一半的循环,原因是mmcblk0p1装不下, 运行的方式和file-based的一样,都是recovery+updater这套软件。



3、init.rc 调用fs_mgr的function去ioctl device_mapper的驱动做验证,其实整个verity的核心就在fs_mgr,ro.secure=1设置了之后,fs_mgr在mount  system之前会去验证签名和metadata的salt,对了!之前编译system.img时,verity_key会生成在root下面,fs_mgr签名验证不过的话就会触发slideshow显示,另外,如果metadata验证不ok的话,现在我是让它不断重启的,肯定不能再mount上system,官方的话会重启一次后设置成为logging的模式,意思就是重启一次之后还是能mount上system,只不过logging模式打开了之后,slideshow就会被运行,所以之后每次系统启动都会是显示警告图片!这个功能需要ramoops驱动支持,就是一切kernel panic的Log不掉电记录,另外还有一个verirty的分区是做一下mode 或者其它参数的备份,很小的,分个几M就可以了。



一、開啟

---a/image_file/components/packages/package5/root/default.prop  2016-11-26 07:53:21.247176960 +0800

+++b/image_file/components/packages/package5/root/default.prop    2016-11-21 03:34:24.849487137 +0800

@@ -1,10 +1,12 @@

 #

 #ADDITIONAL_DEFAULT_PROPERTIES

 #

-ro.secure=0

+ro.secure=1

 

二、生成

Salt:

Paht:android/build/tools/releasetools/build_image.py

FIXED_SALT= "aee087a5be3b982978c923f566a94613496b417f2af592639bc80d141e34dfe7"

 

Verity_key:

1、cd  android/build/target/product/secuity

2android/development/tools/make_key verity '/C=CN/ST=GuangDong/L=ShenZhen/O=Company/OU=Department/CN=YourName/emailAddress=YourE-mailAddress'

在android/build/target/product/secuity生成 verity.x509.pem 和verity.pk8

3android/out/host/linux-x86/bin/generate_verity_key  -convert verity.x509.pem  verity_key

4、mv  ./verity_key.pub  ./verity_key

 

Verity_key:是打包簽名system.img的key,

 '/C=CN/ST=GuangDong/L=ShenZhen/O=Company/OU=Department/CN=YourName/emailAddress=YourE-mailAddress'

 

C   ---> Country Name

ST  ---> State or Province Name

L   ---> Locality Name

O   ---> Organization Name

OU  ---> Organizational Unit Name

CN  ---> Common Name

 

修改這個參數可以獲得不同的key。

 

 

修改/android/device/realtek/kylin/device.mk

+++ android/device/realtek/kylin/device.mk        2016-09-2619:03:24.846122420 +0800

@@ -441,6 +441,17 @@

 #PRODUCT_LOCALES := en_US zh_TW zh_CN

 #endif

 

+# add verity dependencies

+$(call inherit-product,build/target/product/verity.mk)

+PRODUCT_SUPPORTS_BOOT_SIGNER := false

+PRODUCT_SYSTEM_VERITY_PARTITION :=/dev/block/mmcblk0p1

+

+PRODUCT_PACKAGES += \

+   slideshow \

+    verity_warning_images

+

+

+

 PRODUCT_COPY_FILES +=device/realtek/kylin/venus_IR_input.kl:system/usr/keylayout/venus_IR_input.kl

 PRODUCT_COPY_FILES +=device/realtek/kylin/venus_IR_input.kcm:system/usr/keychars/venus_IR_input.kcm

 

build sytem.bin

--- a/image_file/components/bin/runCmd.pl  2016-11-04 12:00:50.704055922 +0800

+++ b/image_file/components/bin/runCmd.pl        2016-11-18 11:21:27.564614249 +0800

@@ -26,6 +26,9 @@

 my$SIMG2IMG     ="../bin/simg2img";

 my$E2FSCK_PATH  ="../bin/e2fsck";

 my$RESIZE2FS_PATH = "../bin/resize2fs";

+my $MKSYSTEM_PATH ="build/tools/releasetools/build_image.py";

+my $SYSTEMIMG_INFO ="out/target/product/kylin32/obj/PACKAGING/systemimage_intermediates/system_image_info.txt";

+

 

 ###global variables

 my$cur_path = `pwd`;

@@ -287,6 +290,15 @@

        {

           print "\ngLinux rootfs done.\n";

        }

+       elsif($label_name eq "system")

+       {

+          chdir '../../../android' or die "can not chdir to android :$!";      

+          system("$MKSYSTEM_PATH $package_path/$partitions_by_labels{$label_name}{\"label\"}$SYSTEMIMG_INFO $tmp_path/system.img$package_path/$partitions_by_labels{$label_name}{\"label\"};sync;");

+          chdir '../image_file/components/tmp/' or die "can not chdir to tmp: $!";

+          system("$SIMG2IMG $tmp_path/system.img $tmp_path/system.bin;sync");

+          copy_binary_to_target("$tmp_path/system.bin","$tmp_path/pkgfile/$package/");

+           

+       }

        else

        {

 

build  rtk_kylin32-ota-eng.xxx.zip

1  cp -r android/build/tools/releasetools android/device/realtek/kylin/releasetools

 

2、修改/android/build/core/Makefile

 

+++ android/build/core/Makefile@@ -1722,76 +1721,22 @@

 

 $(INTERNAL_OTA_PACKAGE_TARGET): KEY_CERT_PAIR:= $(DEFAULT_KEY_CERT_PAIR)

 

+

+

+

+

 $(INTERNAL_OTA_PACKAGE_TARGET):$(BUILT_TARGET_FILES_PACKAGE) $(DISTTOOLS)

        @echo "Package OTA: $@"

-#      $(hide)PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATHMKBOOTIMG=$(MKBOOTIMG) \

-#         ./build/tools/releasetools/ota_from_target_files-v \

-#         --block \

-#         -p $(HOST_OUT) \

-#         $(if $(OEM_OTA_CONFIG), -o$(OEM_OTA_CONFIG)) \

-#         $(BUILT_TARGET_FILES_PACKAGE) $@

-        if[ '$(ENABLE_SIGN)' = 'y' ]; then \

-                 echo"Enter EnableSign" && rm -rf $(signed_intermediates)/*&& mkdir -p $(signed_intermediates) && \

-                 echo`./build/tools/releasetools/sign_target_files_apks -d $(SIGN_KEYPATH)$(SIGN_EXCLUDEAPK_CMD) $(BUILT_TARGET_FILES_PACKAGE)$(BUILT_SIGNED_TARGET_FILES_PACKAGE)` && \

-                 cd$(signed_intermediates) && echo `unzip $(sign_name).zip 'SYSTEM/*'`&& cd -; \

-                 if[ -f ./$(recovery_scripts_extras)/ota_from_target_files ]; then \

-                           echo"Enter device local ota_from_target_files-".$(recovery_scripts_extras); \

-                           if[ -f ./$(recovery_scripts_extras)/extra.py ]; then \

-                                    echo`./$(recovery_scripts_extras)/ota_from_target_files -v \

-                                    -p$(HOST_OUT) -n\

-                                    -k$(KEY_CERT_PAIR) \

-                                    -e$(recovery_scripts_extras)/extra.py \

-                                    $(BUILT_SIGNED_TARGET_FILES_PACKAGE)$@`; \

-                           else\

-                                    echo`./$(recovery_scripts_extras)/ota_from_target_files -v \

-                                    -p$(HOST_OUT) -n\

-                                    -k$(KEY_CERT_PAIR) \

-                                    $(BUILT_SIGNED_TARGET_FILES_PACKAGE)$@`; \

-                           fi;\

-                 else\

-                           if[ -f ./$(recovery_scripts_extras)/extra.py ]; then \

-                                    echo`./build/tools/releasetools/ota_from_target_files -v \

-                                    -p$(HOST_OUT) -n\

-                                    -k$(KEY_CERT_PAIR) \

-                                    -e$(recovery_scripts_extras)/extra.py \

-                                    $(BUILT_SIGNED_TARGET_FILES_PACKAGE)$@`; \

-                           else\

-                                    echo`./build/tools/releasetools/ota_from_target_files -v \

-                                    -p$(HOST_OUT) -n\

-                                    -k$(KEY_CERT_PAIR) \

-                                    $(BUILT_SIGNED_TARGET_FILES_PACKAGE)$@`; \

-                           fi;\

-                 fi;\

-        else\

-        if[ -f ./$(recovery_scripts_extras)/ota_from_target_files ]; then \

-                 echo"Enter device local ota_from_target_files-".$(recovery_scripts_extras); \

-                 if[ -f ./$(recovery_scripts_extras)/extra.py ]; then \

-                           echo`./$(recovery_scripts_extras)/ota_from_target_files -v \

-                           -p$(HOST_OUT) -n\

-                           -k$(KEY_CERT_PAIR) \

-                           -e$(recovery_scripts_extras)/extra.py \

-                           $(BUILT_TARGET_FILES_PACKAGE)$@`; \

-                 else\

-                           echo`./$(recovery_scripts_extras)/ota_from_target_files -v \

-                           -p$(HOST_OUT) -n\

-                           -k$(KEY_CERT_PAIR) \

-                           $(BUILT_TARGET_FILES_PACKAGE)$@`; \

-                 fi;\

-        else\

-                 if[ -f ./$(recovery_scripts_extras)/extra.py ]; then \

-                           echo`./build/tools/releasetools/ota_from_target_files -v \

-                           -p$(HOST_OUT) -n\

-                           -k$(KEY_CERT_PAIR) \

-                           -e$(recovery_scripts_extras)/extra.py \

-                           $(BUILT_TARGET_FILES_PACKAGE)$@`; \

-                 else\

-                           echo`./build/tools/releasetools/ota_from_target_files -v \

-                           -p$(HOST_OUT) -n\

-                           -k$(KEY_CERT_PAIR) \

-                           $(BUILT_TARGET_FILES_PACKAGE)$@`; \

-                 fi;\

-        fi;\

-        fi;

+       $(hide)PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATHMKBOOTIMG=$(MKBOOTIMG) \

+         ./$(recovery_scripts_extras)/ota_from_target_files -v \

+          --block \

+          -p $(HOST_OUT) \

+          -k $(KEY_CERT_PAIR) \

+          $(if $(OEM_OTA_CONFIG), -o$(OEM_OTA_CONFIG)) \

+          $(BUILT_TARGET_FILES_PACKAGE) $@

+

+

+

 .PHONY: otapackage

 

3、修改/android/device/realtek/kylin/common/BoardConfigCommon.mk

 

注意:BOARD_SYSTEMIMAGE_PARTITION_SIZE需要在

android/out/target/product/kylin32/obj/PACKAGING/systemimage_intermediates/system_image_info.txt里面的system_size大小相同,否则update会越界出错。

 

+++ /android/device/realtek/kylin/common/BoardConfigCommon.mk 2016-09-2714:56:22.258392684 +0800

@@ -32,15 +32,29 @@

 

 TARGET_BOARD_PLATFORM := kylin

+

+

+BOARD_CACHEIMAGE_PARTITION_SIZE :=419430400

+BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4

 BOARD_FLASH_BLOCK_SIZE := 4096

 TARGET_USERIMAGES_USE_EXT4 := true

-BOARD_SYSTEMIMAGE_PARTITION_SIZE :=1073741824

+BOARD_SYSTEMIMAGE_PARTITION_SIZE :=696246272

+

 #System

 TARGET_PRELINK_MODULE := true

 TARGET_NO_BOOTLOADER := true

-TARGET_NO_RECOVERY := true

-TARGET_NO_KERNEL := true

+TARGET_NO_RECOVERY := false

+TARGET_NO_KERNEL := false

 TARGET_NO_RADIOIMAGE := true

 USE_OPENGL_RENDERER := true

 BOARD_USES_GENERIC_AUDIO := true

 

4、修改/android/device/realtek/kylin/releasetools/ota_from_target_files

 

+++  android/device/realtek/kylin/releasetools/ota_from_target_files    2016-09-26 20:33:37.262142856 +0800

@@ -647,7 +659,7 @@

  common.ZipWriteStr(output_zip, "boot.img", boot_img.data)

 

  script.ShowProgress(0.05, 5)

- script.WriteRawImage("/boot", "boot.img")

+ #script.WriteRawImage("/boot", "boot.img")

 

5、修改/android/device/realtek/kylin/releasetools/edify_generator.py

+++   android/device/realtek/kylin/releasetools/edify_generator.py        2016-09-26 20:34:26.914143043+0800

 

@@ -12,7 +12,6 @@

  def AssertDevice(self, device):

    """Assert that the device identifier is the givenstring."""

+#   cmd = ('getprop("ro.product.device") == "%s" || '

+#          'abort("This package is for \\"%s\\" devices; '

+#          'this is a \\"" + getprop("ro.product.device") +"\\".");') % (

+#               device, device)

+#   self.script.append(cmd)

 

 

 

 

build  rtk_kylin32-target_increment.xxx.zip

 

注:rtk_kylin32-target_files-eng.xxx_a.zip必須是上一次update進去的system

    系統指紋需要一致

1、cd  android

 

2android/device/realtek/kylin/releasetools/ota_from_target_files --block -iandroid/out/target/product/kylin32/obj/PACKAGING/target_files_intermediates/rtk_kylin32-target_files-eng.xxx_a.zipandroid/out/target/product/kylin32/obj/PACKAGING/target_files_intermediates/rtk_kylin32-target_files-eng.xxx_b.zip  rtk_kylin32-target_files-eng.xxx_c.zip

 

3、系統指紋

Path1:android/out/target/product/kylin32/recovery/root/default.prop

Path2:android/out/target/product/kylin32/system/build.prop

 

修改Path1文件裡面的ro.build.fingerprint參數等於path2

 

三、驅動

1、修改linux_kernel/drivers/md/dm-verity.c

+++  linux_kernel/drivers/md/dm-verity.c          2016-09-2620:34:26.914143043 +0800

@@ -12,7 +12,6 @@

         kobject_uevent_env(&disk_to_dev(dm_disk(md))->kobj,KOBJ_CHANGE, envp);

 

out:

         if(v->mode == DM_VERITY_MODE_LOGGING)

-                 return0;

+      kernel_restart("dm-verity device corrupted");

         if(v->mode == DM_VERITY_MODE_RESTART)

                   kernel_restart("dm-veritydevice corrupted");

 

         return1;

 

2、修改linux-kernel/arch/arm64/boot/dts/realtek/rtd-1295-giraffe.dts

--a/linux-kernel/arch/arm64/boot/dts/realtek/rtd-1295-giraffe.dts        2016-11-26 04:46:55.507134725 +0800

+++b/linux-kernel/arch/arm64/boot/dts/realtek/rtd-1295-giraffe.dts      2016-11-11 01:55:02.354202302 +0800

@@ -76,16 +78,25 @@

                 >;

        };

    };

+   reserved-memory {

+       #address-cells = <1>;

+       #size-cells = <1>;

+       ranges;

+

+       ramoops_mem: ramoops_mem {

+           reg = <0x22000000 0x00200000>;

+           reg-names = "ramoops_mem";

+           no-map;

+       };

+   };

+

+   ramoops@10014000 {

+       compatible   ="ramoops";

+       record-size  = <00x00004000>;

+       console-size = <0 0x00100000>;

+       ftrace-size  = <00x00004000>;

+       memory-region = <&ramoops_mem>;

+   };

+

};

 

3、修改內核配置linux-kernel/.config

--- a/linux-kernel/.config 2016-11-2801:52:31.903747680 +0800

+++ b/linux-kernel/.config   2016-11-21 03:04:33.517480373 +0800

@@ -1294,7 +1404,7 @@

 #CONFIG_DM_DELAY is not set

 CONFIG_DM_UEVENT=y

 #CONFIG_DM_FLAKEY is not set

-# CONFIG_DM_VERITY is not set

+CONFIG_DM_VERITY=y

@@ -3339,7 +3548,11 @@

 #CONFIG_QNX4FS_FS is not set

 #CONFIG_QNX6FS_FS is not set

 #CONFIG_ROMFS_FS is not set

-# CONFIG_PSTORE is not set

+CONFIG_PSTORE=y

+CONFIG_PSTORE_CONSOLE=y

+# CONFIG_PSTORE_PMSG is not set

+CONFIG_PSTORE_FTRACE=y

+CONFIG_PSTORE_RAM=y

 

 

4、修改linux-kernel/drivers/soc/realtek/rtd129x/rtd129x_restart.c

Diff --gita/drivers/soc/realtek/rtd129x/rtd129x_restart.cb/drivers/soc/realtek/rtd129x/rtd129x_restart.c

index e2156de..c0b9117 100644

—a/drivers/soc/realtek/rtd129x/rtd129x_restart.c

+++b/drivers/soc/realtek/rtd129x/rtd129x_restart.c

@@ -16,9 +16,13 @@ static void __iomem *wdt_base;

#define WDT_CTL    0

#define WDT_OVERFLOW        0xC

#define WDT_NMI 8

+#define WDT_OE 0x44 //0x980076C4

+

void rtk_machine_restart(char mode, constchar *cmd)

{

+ writel(0, wdt_base + WDT_OE);

+

writel(BIT(0), wdt_base + WDT_CLR);

writel(0x00800000, wdt_base +WDT_OVERFLOW);

writel(0x000000FF, wdt_base + WDT_CTL);

 

 

四、運行

1、修改/image_file/components/packages/package5/root/init.kylin.rc

+++ /home/yebin/1295/1295/image_file/components/packages/package5/root/init.kylin.rc         2016-09-27 13:22:22.566371390 +0800

@@ -22,6 +22,9 @@

    write /proc/sys/vm/swappiness 100

 

 oninit

+   # Load persistent dm-verity state

+   verity_load_state

+

    #loglevel 3

    start watchdogd

 

@@ -43,6 +46,17 @@

    swapon_all /fstab.kylin

    setprop persist.storage.resizefs 1

 

+   #Adjust parameters for dm-verity device

+   write /sys/block/dm-0/queue/read_ahead_kb 2048

+

+   #Update dm-verity state and set partition.*.verified properties

+   verity_update_state

+

+on verity-logging

+   exec u:r:slideshow:s0 -- /sbin/slideshow warning/verity_red_1warning/verity_red_2

+

+

2、修改/image_file/components/packages/package5/root/fstab.kylin

+++/home/yebin/1295/1295/image_file/components/packages/package5/root/fstab.kylin  2016-09-26 19:11:14.750124194 +0800

@@ -3,7 +3,7 @@

 #The filesystem that contains the filesystem checker binary (typically /system)cannot

 #specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK

 

-/dev/block/mmcblk0p1  /system             ext4 ro,noatime       wait

+/dev/block/mmcblk0p1 /system             ext4 ro,noatime       wait,verify=/dev/block/mmcblk0p8

 /dev/block/mmcblk0p3 /cache               ext4 rw,noatime,nosuid,nodev,journal_checksum,errors=continue,data_err=ignore,discard         wait

 #/dev/block/mmcblk0p2        /data                  ext4         rw,noatime,nosuid,nodev,journal_checksum,errors=continue,data_err=ignore,discard      wait,forceencrypt=/cache/data-MD1

 /dev/block/mmcblk0p2 /data                  ext4 rw,noatime,nosuid,nodev,journal_checksum,errors=continue,data_err=ignore,discard         wait,encryptable=/cache/data-MD1

 

3、修改/android/system/core/fs_mgr/fs_mgr_verity.c

+++ /home/yebin/1295/1295/android/system/core/fs_mgr/fs_mgr_verity.c 2016-10-10 15:50:16.038842554 +0800

@@ -61,7 +61,7 @@

 #define VERITY_STATE_VERSION 1

 

 #define VERITY_KMSG_RESTART "dm-veritydevice corrupted"

-#define VERITY_KMSG_BUFSIZE 1024

+#define VERITY_KMSG_BUFSIZE 16384

 

@@ -412,8 +412,13 @@

        // cannot use logging mode with these drivers, they always cause

        // an I/O error for corrupted blocks

        strcpy(verity_params, table);

-   } else if (snprintf(verity_params, bufsize, "%s %d", table,mode) < 0) {

-       return -1;

+   } else

+     {

+      char *modeStr = mode == VERITY_MODE_LOGGING ?"ignore_corruption" : "restart_on_corruption";

+       if (snprintf(verity_params, bufsize, "%s %d %s", table, 1,modeStr) < 0) {

+           return -1;

+      }

+

    }

 

@@ -508,13 +527,15 @@

 static int was_verity_restart()

 {

    static const char *files[] = {

-       "/sys/fs/pstore/console-ramoops",

+       "/sys/fs/pstore/console-ramoops-0",

        "/proc/last_kmsg",

        NULL

    };

    int i;

 

上面配置只是列举了配置的一部分



要验证的话可以自己更换不同的verity_key,device mapper 驱动可能因为androdi的fs_mgr改版传下去的参数不一致


而且那个salt贴在system.img屁股后面也是不安全的,后面我又将那salt 做了sha256生成一把key放在  emmc 的rpmb 上面,启动LK时再去做一次验证,少年是不是还是感觉不够放心


评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值