Merge pull request #2 from roku-senpai/twelve

Revert "libfs_avb: verifying vbmeta digest early"
ConquerOS · Dec 17, 2021 · 7e24250 · 7e24250
2 parents 18d78bb + ca68c46
commit 7e24250
Showing 1 changed file with 18 additions and 18 deletions.
diff --git a/fs_mgr/libfs_avb/fs_avb.cpp b/fs_mgr/libfs_avb/fs_avb.cpp
@@ -433,16 +433,6 @@ AvbUniquePtr AvbHandle::Open() {
     // Sets the MAJOR.MINOR for init to set it into "ro.boot.avb_version".
     avb_handle->avb_version_ = StringPrintf("%d.%d", AVB_VERSION_MAJOR, AVB_VERSION_MINOR);
 
-    // Verifies vbmeta structs against the digest passed from bootloader in kernel cmdline.
-    std::unique_ptr<AvbVerifier> avb_verifier = AvbVerifier::Create();
-    if (!avb_verifier || !avb_verifier->VerifyVbmetaImages(avb_handle->vbmeta_images_)) {
-        LERROR << "Failed to verify vbmeta digest";
-        if (!allow_verification_error) {
-            LERROR << "vbmeta digest error isn't allowed ";
-            return nullptr;
-        }
-    }
-
     // Checks whether FLAGS_VERIFICATION_DISABLED is set:
     //   - Only the top-level vbmeta struct is read.
     //   - vbmeta struct in other partitions are NOT processed, including AVB HASH descriptor(s)
@@ -453,16 +443,26 @@ AvbUniquePtr AvbHandle::Open() {
     bool verification_disabled = ((AvbVBMetaImageFlags)vbmeta_header.flags &
                                   AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED);
 
-    // Checks whether FLAGS_HASHTREE_DISABLED is set.
-    //   - vbmeta struct in all partitions are still processed, just disable
-    //     dm-verity in the user space.
-    bool hashtree_disabled =
-            ((AvbVBMetaImageFlags)vbmeta_header.flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED);
-
     if (verification_disabled) {
         avb_handle->status_ = AvbHandleStatus::kVerificationDisabled;
-    } else if (hashtree_disabled) {
-        avb_handle->status_ = AvbHandleStatus::kHashtreeDisabled;
+    } else {
+        // Verifies vbmeta structs against the digest passed from bootloader in kernel cmdline.
+        std::unique_ptr<AvbVerifier> avb_verifier = AvbVerifier::Create();
+        if (!avb_verifier) {
+            LERROR << "Failed to create AvbVerifier";
+            return nullptr;
+        }
+        if (!avb_verifier->VerifyVbmetaImages(avb_handle->vbmeta_images_)) {
+            LERROR << "VerifyVbmetaImages failed";
+            return nullptr;
+        }
+
+        // Checks whether FLAGS_HASHTREE_DISABLED is set.
+        bool hashtree_disabled = ((AvbVBMetaImageFlags)vbmeta_header.flags &
+                                  AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED);
+        if (hashtree_disabled) {
+            avb_handle->status_ = AvbHandleStatus::kHashtreeDisabled;
+        }
     }
 
     LINFO << "Returning avb_handle with status: " << avb_handle->status_;