From ca68c46f7d302e765e4894d3a215f1c796ffde32 Mon Sep 17 00:00:00 2001
From: Arian <arian.kulmer@web.de>
Date: Fri, 17 Dec 2021 08:22:39 +0000
Subject: [PATCH] Revert "libfs_avb: verifying vbmeta digest early"

This reverts commit ec10d3cf6e328da90dd4a388761d2d26543fce8f.
---
 fs_mgr/libfs_avb/fs_avb.cpp | 36 ++++++++++++++++++------------------
 1 file changed, 18 insertions(+), 18 deletions(-)

diff --git a/fs_mgr/libfs_avb/fs_avb.cpp b/fs_mgr/libfs_avb/fs_avb.cpp
index 1da71176c8..49333a13b2 100644
--- a/fs_mgr/libfs_avb/fs_avb.cpp
+++ b/fs_mgr/libfs_avb/fs_avb.cpp
@@ -433,16 +433,6 @@ AvbUniquePtr AvbHandle::Open() {
     // Sets the MAJOR.MINOR for init to set it into "ro.boot.avb_version".
     avb_handle->avb_version_ = StringPrintf("%d.%d", AVB_VERSION_MAJOR, AVB_VERSION_MINOR);
 
-    // Verifies vbmeta structs against the digest passed from bootloader in kernel cmdline.
-    std::unique_ptr<AvbVerifier> avb_verifier = AvbVerifier::Create();
-    if (!avb_verifier || !avb_verifier->VerifyVbmetaImages(avb_handle->vbmeta_images_)) {
-        LERROR << "Failed to verify vbmeta digest";
-        if (!allow_verification_error) {
-            LERROR << "vbmeta digest error isn't allowed ";
-            return nullptr;
-        }
-    }
-
     // Checks whether FLAGS_VERIFICATION_DISABLED is set:
     //   - Only the top-level vbmeta struct is read.
     //   - vbmeta struct in other partitions are NOT processed, including AVB HASH descriptor(s)
@@ -453,16 +443,26 @@ AvbUniquePtr AvbHandle::Open() {
     bool verification_disabled = ((AvbVBMetaImageFlags)vbmeta_header.flags &
                                   AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED);
 
-    // Checks whether FLAGS_HASHTREE_DISABLED is set.
-    //   - vbmeta struct in all partitions are still processed, just disable
-    //     dm-verity in the user space.
-    bool hashtree_disabled =
-            ((AvbVBMetaImageFlags)vbmeta_header.flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED);
-
     if (verification_disabled) {
         avb_handle->status_ = AvbHandleStatus::kVerificationDisabled;
-    } else if (hashtree_disabled) {
-        avb_handle->status_ = AvbHandleStatus::kHashtreeDisabled;
+    } else {
+        // Verifies vbmeta structs against the digest passed from bootloader in kernel cmdline.
+        std::unique_ptr<AvbVerifier> avb_verifier = AvbVerifier::Create();
+        if (!avb_verifier) {
+            LERROR << "Failed to create AvbVerifier";
+            return nullptr;
+        }
+        if (!avb_verifier->VerifyVbmetaImages(avb_handle->vbmeta_images_)) {
+            LERROR << "VerifyVbmetaImages failed";
+            return nullptr;
+        }
+
+        // Checks whether FLAGS_HASHTREE_DISABLED is set.
+        bool hashtree_disabled = ((AvbVBMetaImageFlags)vbmeta_header.flags &
+                                  AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED);
+        if (hashtree_disabled) {
+            avb_handle->status_ = AvbHandleStatus::kHashtreeDisabled;
+        }
     }
 
     LINFO << "Returning avb_handle with status: " << avb_handle->status_;