DM-verity

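There are several kinds of keys, and I only use one. Our lead, for example, uses permutations and combinations of several keys (no, I can't leak the details). It feels like 6.0 had only just switched to block-based updates and now 7.0 brings the update engine, so there is an awful lot to do.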


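The earlier file-based method mounted /system and then modified it. Block-based updates no longer mount anything; they write directly to the block device of the system partition. Our system device is mmcblk0p1; you can look up your own device in fstab.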


system.img is laid out like this:

( ---- info > len: real system size ---- ) ( ------------------------ metadata ------------------------ )

1024B | super block | system   &   magic number 4B | protocol_version 4B | signature 256B | table_length 4B | table sizeof(table_length) | 204B


Overall flow:

1. releasetools builds system.img + metadata (at build time the metadata is appended to the tail of system.img, producing a system.img that carries the metadata). The salt is in

android/build/tools/releasetools/build_image.py

FIXED_SALT ="aee087a5be3b982978c923f566a94613496b417f2af592639bc80d141e34dfe7"


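2. Flash system.img. In the built zip package it is carried as system.new.dat, system.patch.dat and system.transfer.list, and the updater bundled in the package writes these three to the device. The details can be read from system.transfer.list. The block size is generally 4092, which is obvious at a glance from system.transfer.list. Note: BOARD_SYSTEMIMAGE_PARTITION_SIZE in BoardConfigCommon.mk must match the size of the mmcblk0p1 partition you allocated, or be slightly smaller; otherwise the update gets stuck in a loop halfway through, because the image does not fit in mmcblk0p1. It runs the same way as file-based updates: the recovery + updater software.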



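3. init.rc calls fs_mgr functions, which ioctl the device-mapper driver to do the verification. The core of verity really is fs_mgr. Once ro.secure=1 is set, fs_mgr verifies the signature and the metadata salt before mounting system. Also, when system.img was built, verity_key was generated under root. If fs_mgr's signature verification fails, the slideshow display is triggered. If metadata verification fails, I currently make the device reboot continuously, so system can never be mounted. The official behaviour is to reboot once and then switch to logging mode: after that one reboot system can still be mounted, but with logging mode on slideshow is run, so the warning image is shown on every boot from then on. This feature needs ramoops driver support, that is, all kernel panic logs are recorded persistently. There is also a verity partition that backs up the mode and other parameters; it is very small, a few MB is enough.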
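
The layout and step 3 above, as an added example that is not part of the original post or of AOSP: a Python parser that reads the real filesystem size from the ext4 superblock at offset 1024, then splits the metadata that follows it into the fields listed in the layout. The magic value 0xb001b001, little-endian encoding, the ext4 superblock field offsets and the dm-verity table field order are assumptions brought in from AOSP and the kernel rather than from this page; the function names and the sample image are constructed, and the signature is extracted but not verified.

```python
import struct

EXT4_SB_OFFSET = 1024      # the ext4 superblock starts 1024 bytes into the image
VERITY_MAGIC = 0xB001B001  # assumed magic number, as defined in AOSP fs_mgr
SIG_LEN = 256              # signature field size from the layout above
FIXED_SALT = "aee087a5be3b982978c923f566a94613496b417f2af592639bc80d141e34dfe7"

def ext4_fs_size(img: bytes) -> int:
    """Real filesystem length from the superblock: block count * block size."""
    sb = img[EXT4_SB_OFFSET:EXT4_SB_OFFSET + 1024]
    if len(sb) < 1024 or struct.unpack_from("<H", sb, 0x38)[0] != 0xEF53:
        raise ValueError("no ext4 superblock at offset 1024")
    blocks, = struct.unpack_from("<I", sb, 0x04)    # s_blocks_count_lo
    log_bs, = struct.unpack_from("<I", sb, 0x18)    # s_log_block_size
    return blocks * (1024 << log_bs)

def parse_verity_metadata(img: bytes) -> dict:
    """Locate the metadata right after the filesystem and split its fields."""
    off = ext4_fs_size(img)
    hdr_len = 4 + 4 + SIG_LEN + 4   # magic, version, signature, table_length
    if off + hdr_len > len(img):
        raise ValueError("image ends before the verity metadata header")
    magic, version = struct.unpack_from("<II", img, off)
    if magic != VERITY_MAGIC:
        raise ValueError(f"bad magic {magic:#x} at offset {off}")
    table_len, = struct.unpack_from("<I", img, off + 8 + SIG_LEN)
    start = off + hdr_len
    if start + table_len > len(img):
        raise ValueError("table_length runs past the end of the image")
    fields = img[start:start + table_len].decode("ascii").split()
    if len(fields) < 10:
        raise ValueError("verity table has fewer than 10 fields")
    return {"offset": off, "version": version,
            "signature": img[off + 8:off + 8 + SIG_LEN],
            "data_blocks": int(fields[5]), "algorithm": fields[7],
            "root_hash": fields[8], "salt": fields[9]}

def build_sample() -> bytes:
    """Constructed 8-block image: zeroed body with a minimal superblock."""
    body = bytearray(8 * 4096)
    struct.pack_into("<I", body, EXT4_SB_OFFSET + 0x04, 8)       # 8 blocks
    struct.pack_into("<I", body, EXT4_SB_OFFSET + 0x18, 2)       # 1024 << 2
    struct.pack_into("<H", body, EXT4_SB_OFFSET + 0x38, 0xEF53)  # ext4 magic
    table = ("1 /dev/block/mmcblk0p1 /dev/block/mmcblk0p1 4096 4096 8 16 "
             "sha256 " + "ab" * 32 + " " + FIXED_SALT).encode()
    meta = struct.pack("<II", VERITY_MAGIC, 0) + bytes(SIG_LEN)
    return bytes(body) + meta + struct.pack("<I", len(table)) + table

if __name__ == "__main__":
    info = parse_verity_metadata(build_sample())
    print(info["offset"], info["algorithm"], info["salt"] == FIXED_SALT)
```

Run against a real raw (non-sparse) system.img, the salt field shows whether the image was built with the FIXED_SALT quoted above.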



I. Enable

---a/image_file/components/packages/package5/root/default.prop  2016-11-26 07:53:21.247176960 +0800

+++b/image_file/components/packages/package5/root/default.prop    2016-11-21 03:34:24.849487137 +0800

@@ -1,10 +1,12 @@

 #

 #ADDITIONAL_DEFAULT_PROPERTIES

 #

-ro.secure=0

+ro.secure=1

 

II. Generate

Salt:

Path: android/build/tools/releasetools/build_image.py

FIXED_SALT= "aee087a5be3b982978c923f566a94613496b417f2af592639bc80d141e34dfe7"

 

Verity_key:

1. cd android/build/target/product/security

2. android/development/tools/make_key verity '/C=CN/ST=GuangDong/L=ShenZhen/O=Company/OU=Department/CN=YourName/emailAddress=YourE-mailAddress'

This generates verity.x509.pem and verity.pk8 in android/build/target/product/security.

3. android/out/host/linux-x86/bin/generate_verity_key -convert verity.x509.pem verity_key

4. mv ./verity_key.pub ./verity_key

 

Verity_key: the key used to sign system.img when it is packaged.

 '/C=CN/ST=GuangDong/L=ShenZhen/O=Company/OU=Department/CN=YourName/emailAddress=YourE-mailAddress'

 

C   ---> Country Name

ST  ---> State or Province Name

L   ---> Locality Name

O   ---> Organization Name

OU  ---> Organizational Unit Name

CN  ---> Common Name

 

Changing this parameter yields a different key.

 

 

Modify /android/device/realtek/kylin/device.mk

+++ android/device/realtek/kylin/device.mk        2016-09-2619:03:24.846122420 +0800

@@ -441,6 +441,17 @@

 #PRODUCT_LOCALES := en_US zh_TW zh_CN

 #endif

 

+# add verity dependencies

+$(call inherit-product,build/target/product/verity.mk)

+PRODUCT_SUPPORTS_BOOT_SIGNER := false

+PRODUCT_SYSTEM_VERITY_PARTITION :=/dev/block/mmcblk0p1

+

+PRODUCT_PACKAGES += \

+   slideshow \

+    verity_warning_images

+

+

+

 PRODUCT_COPY_FILES +=device/realtek/kylin/venus_IR_input.kl:system/usr/keylayout/venus_IR_input.kl

 PRODUCT_COPY_FILES +=device/realtek/kylin/venus_IR_input.kcm:system/usr/keychars/venus_IR_input.kcm
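
Review bot: PRODUCT_SYSTEM_VERITY_PARTITION hard-codes /dev/block/mmcblk0p1 in device.mk, so the value has to be kept in step with the system entry in fstab by hand; add a comment saying so, or move the value next to the board's partition definitions. PRODUCT_SUPPORTS_BOOT_SIGNER := false also needs a comment stating what verifies the boot image instead, since this setting tells the build not to sign it. The three empty added lines after verity_warning_images can be dropped.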

 

build system.bin

--- a/image_file/components/bin/runCmd.pl  2016-11-04 12:00:50.704055922 +0800

+++ b/image_file/components/bin/runCmd.pl        2016-11-18 11:21:27.564614249 +0800

@@ -26,6 +26,9 @@

 my$SIMG2IMG     ="../bin/simg2img";

 my$E2FSCK_PATH  ="../bin/e2fsck";

 my$RESIZE2FS_PATH = "../bin/resize2fs";

+my $MKSYSTEM_PATH ="build/tools/releasetools/build_image.py";

+my $SYSTEMIMG_INFO ="out/target/product/kylin32/obj/PACKAGING/systemimage_intermediates/system_image_info.txt";

+

 

 ###global variables

 my$cur_path = `pwd`;

@@ -287,6 +290,15 @@

        {

           print "\ngLinux rootfs done.\n";

        }

+       elsif($label_name eq "system")

+       {

+          chdir '../../../android' or die "can not chdir to android :$!";      

+          system("$MKSYSTEM_PATH $package_path/$partitions_by_labels{$label_name}{\"label\"}$SYSTEMIMG_INFO $tmp_path/system.img$package_path/$partitions_by_labels{$label_name}{\"label\"};sync;");

+          chdir '../image_file/components/tmp/' or die "can not chdir to tmp: $!";

+          system("$SIMG2IMG $tmp_path/system.img $tmp_path/system.bin;sync");

+          copy_binary_to_target("$tmp_path/system.bin","$tmp_path/pkgfile/$package/");

+           

+       }

        else

        {
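
Review bot: neither system() call in the new elsif branch checks its return value, so if build_image.py fails, simg2img and copy_binary_to_target still run and can package a stale or missing system.img. Test the exit status after each call and die on failure, the way the two chdir lines in the same branch already do. The build_image.py command line is also assembled by string interpolation of $package_path and $tmp_path; the list form of system() would avoid surprises if either path ever contains a space or shell metacharacter.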

 

build  rtk_kylin32-ota-eng.xxx.zip

1. cp -r android/build/tools/releasetools android/device/realtek/kylin/releasetools

 

2. Modify /android/build/core/Makefile

 

+++ android/build/core/Makefile@@ -1722,76 +1721,22 @@

 

 $(INTERNAL_OTA_PACKAGE_TARGET): KEY_CERT_PAIR:= $(DEFAULT_KEY_CERT_PAIR)

 

+

+

+

+

 $(INTERNAL_OTA_PACKAGE_TARGET):$(BUILT_TARGET_FILES_PACKAGE) $(DISTTOOLS)

        @echo "Package OTA: $@"

-#      $(hide)PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATHMKBOOTIMG=$(MKBOOTIMG) \

-#         ./build/tools/releasetools/ota_from_target_files-v \

-#         --block \

-#         -p $(HOST_OUT) \

-#         $(if $(OEM_OTA_CONFIG), -o$(OEM_OTA_CONFIG)) \

-#         $(BUILT_TARGET_FILES_PACKAGE) $@

-        if[ '$(ENABLE_SIGN)' = 'y' ]; then \

-                 echo"Enter EnableSign" && rm -rf $(signed_intermediates)/*&& mkdir -p $(signed_intermediates) && \

-                 echo`./build/tools/releasetools/sign_target_files_apks -d $(SIGN_KEYPATH)$(SIGN_EXCLUDEAPK_CMD) $(BUILT_TARGET_FILES_PACKAGE)$(BUILT_SIGNED_TARGET_FILES_PACKAGE)` && \

-                 cd$(signed_intermediates) && echo `unzip $(sign_name).zip 'SYSTEM/*'`&& cd -; \

-                 if[ -f ./$(recovery_scripts_extras)/ota_from_target_files ]; then \

-                           echo"Enter device local ota_from_target_files-".$(recovery_scripts_extras); \

-                           if[ -f ./$(recovery_scripts_extras)/extra.py ]; then \

-                                    echo`./$(recovery_scripts_extras)/ota_from_target_files -v \

-                                    -p$(HOST_OUT) -n\

-                                    -k$(KEY_CERT_PAIR) \

-                                    -e$(recovery_scripts_extras)/extra.py \

-                                    $(BUILT_SIGNED_TARGET_FILES_PACKAGE)$@`; \

-                           else\

-                                    echo`./$(recovery_scripts_extras)/ota_from_target_files -v \

-                                    -p$(HOST_OUT) -n\

-                                    -k$(KEY_CERT_PAIR) \

-                                    $(BUILT_SIGNED_TARGET_FILES_PACKAGE)$@`; \

-                           fi;\

-                 else\

-                           if[ -f ./$(recovery_scripts_extras)/extra.py ]; then \

-                                    echo`./build/tools/releasetools/ota_from_target_files -v \

-                                    -p$(HOST_OUT) -n\

-                                    -k$(KEY_CERT_PAIR) \

-                                    -e$(recovery_scripts_extras)/extra.py \

-                                    $(BUILT_SIGNED_TARGET_FILES_PACKAGE)$@`; \

-                           else\

-                                    echo`./build/tools/releasetools/ota_from_target_files -v \

-                                    -p$(HOST_OUT) -n\

-                                    -k$(KEY_CERT_PAIR) \

-                                    $(BUILT_SIGNED_TARGET_FILES_PACKAGE)$@`; \

-                           fi;\

-                 fi;\

-        else\

-        if[ -f ./$(recovery_scripts_extras)/ota_from_target_files ]; then \

-                 echo"Enter device local ota_from_target_files-".$(recovery_scripts_extras); \

-                 if[ -f ./$(recovery_scripts_extras)/extra.py ]; then \

-                           echo`./$(recovery_scripts_extras)/ota_from_target_files -v \

-                           -p$(HOST_OUT) -n\

-                           -k$(KEY_CERT_PAIR) \

-                           -e$(recovery_scripts_extras)/extra.py \

-                           $(BUILT_TARGET_FILES_PACKAGE)$@`; \

-                 else\

-                           echo`./$(recovery_scripts_extras)/ota_from_target_files -v \

-                           -p$(HOST_OUT) -n\

-                           -k$(KEY_CERT_PAIR) \

-                           $(BUILT_TARGET_FILES_PACKAGE)$@`; \

-                 fi;\

-        else\

-                 if[ -f ./$(recovery_scripts_extras)/extra.py ]; then \

-                           echo`./build/tools/releasetools/ota_from_target_files -v \

-                           -p$(HOST_OUT) -n\

-                           -k$(KEY_CERT_PAIR) \

-                           -e$(recovery_scripts_extras)/extra.py \

-                           $(BUILT_TARGET_FILES_PACKAGE)$@`; \

-                 else\

-                           echo`./build/tools/releasetools/ota_from_target_files -v \

-                           -p$(HOST_OUT) -n\

-                           -k$(KEY_CERT_PAIR) \

-                           $(BUILT_TARGET_FILES_PACKAGE)$@`; \

-                 fi;\

-        fi;\

-        fi;

+       $(hide)PATH=$(foreach p,$(INTERNAL_USERIMAGES_BINARY_PATHS),$(p):)$$PATHMKBOOTIMG=$(MKBOOTIMG) \

+         ./$(recovery_scripts_extras)/ota_from_target_files -v \

+          --block \

+          -p $(HOST_OUT) \

+          -k $(KEY_CERT_PAIR) \

+          $(if $(OEM_OTA_CONFIG), -o$(OEM_OTA_CONFIG)) \

+          $(BUILT_TARGET_FILES_PACKAGE) $@

+

+

+

 .PHONY: otapackage
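
Review bot: the removed recipe ran sign_target_files_apks when ENABLE_SIGN was 'y' and built the OTA from $(BUILT_SIGNED_TARGET_FILES_PACKAGE); the replacement always builds from $(BUILT_TARGET_FILES_PACKAGE) with -k $(KEY_CERT_PAIR), which the context line sets to $(DEFAULT_KEY_CERT_PAIR). If release builds relied on ENABLE_SIGN, keep that branch or state where signing now happens. The new recipe also calls ./$(recovery_scripts_extras)/ota_from_target_files unconditionally, where the old one tested for the file and fell back to ./build/tools/releasetools/ota_from_target_files, and it drops the -e $(recovery_scripts_extras)/extra.py handling; say whether both are intentional.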

 

3. Modify /android/device/realtek/kylin/common/BoardConfigCommon.mk

 

Note: BOARD_SYSTEMIMAGE_PARTITION_SIZE must be the same as system_size in android/out/target/product/kylin32/obj/PACKAGING/systemimage_intermediates/system_image_info.txt; otherwise the update writes out of bounds and fails.

 

+++ /android/device/realtek/kylin/common/BoardConfigCommon.mk 2016-09-2714:56:22.258392684 +0800

@@ -32,15 +32,29 @@

 

 TARGET_BOARD_PLATFORM := kylin

+

+

+BOARD_CACHEIMAGE_PARTITION_SIZE :=419430400

+BOARD_CACHEIMAGE_FILE_SYSTEM_TYPE := ext4

 BOARD_FLASH_BLOCK_SIZE := 4096

 TARGET_USERIMAGES_USE_EXT4 := true

-BOARD_SYSTEMIMAGE_PARTITION_SIZE :=1073741824

+BOARD_SYSTEMIMAGE_PARTITION_SIZE :=696246272

+

 #System

 TARGET_PRELINK_MODULE := true

 TARGET_NO_BOOTLOADER := true

-TARGET_NO_RECOVERY := true

-TARGET_NO_KERNEL := true

+TARGET_NO_RECOVERY := false

+TARGET_NO_KERNEL := false

 TARGET_NO_RADIOIMAGE := true

 USE_OPENGL_RENDERER := true

 BOARD_USES_GENERIC_AUDIO := true
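
Review bot: BOARD_SYSTEMIMAGE_PARTITION_SIZE := 696246272 is a bare constant with no comment tying it to the size of the system partition on the device; add a comment naming the partition and where the number comes from, so the next partition-table change updates it too. The same applies to BOARD_CACHEIMAGE_PARTITION_SIZE := 419430400. Flipping TARGET_NO_RECOVERY and TARGET_NO_KERNEL to false changes what the build produces well beyond verity and would read better as its own change.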

 

4. Modify /android/device/realtek/kylin/releasetools/ota_from_target_files

 

+++  android/device/realtek/kylin/releasetools/ota_from_target_files    2016-09-26 20:33:37.262142856 +0800

@@ -647,7 +659,7 @@

  common.ZipWriteStr(output_zip, "boot.img", boot_img.data)

 

  script.ShowProgress(0.05, 5)

- script.WriteRawImage("/boot", "boot.img")

+ #script.WriteRawImage("/boot", "boot.img")
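
Review bot: commenting out script.WriteRawImage("/boot", "boot.img") leaves the common.ZipWriteStr(output_zip, "boot.img", boot_img.data) call above it in place, so boot.img is still packed into the OTA but never written to the device. A package that changes the kernel or ramdisk will then install without updating them, and nothing in the hunk says why. Delete the line instead of commenting it out, add a comment explaining why /boot is skipped on this board, and decide whether boot.img should still be shipped in the zip.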

 

5. Modify /android/device/realtek/kylin/releasetools/edify_generator.py

+++   android/device/realtek/kylin/releasetools/edify_generator.py        2016-09-26 20:34:26.914143043+0800

 

@@ -12,7 +12,6 @@

  def AssertDevice(self, device):

    """Assert that the device identifier is the givenstring."""

+#   cmd = ('getprop("ro.product.device") == "%s" || '

+#          'abort("This package is for \\"%s\\" devices; '

+#          'this is a \\"" + getprop("ro.product.device") +"\\".");') % (

+#               device, device)

+#   self.script.append(cmd)
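
Review bot: with every statement of AssertDevice commented out, the generated updater script no longer checks ro.product.device, so the package installs on any device that accepts its signature. If the check fails because recovery reports a different ro.product.device, fix that property rather than removing the assertion; if it really has to go, skip it behind an explicit option in the caller instead of leaving a method that silently does nothing.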

 

 

 

 

build  rtk_kylin32-target_increment.xxx.zip

 

Note: rtk_kylin32-target_files-eng.xxx_a.zip must be the system that was installed by the previous update.

    The system fingerprints must match.

1. cd android

 

2. android/device/realtek/kylin/releasetools/ota_from_target_files --block -i android/out/target/product/kylin32/obj/PACKAGING/target_files_intermediates/rtk_kylin32-target_files-eng.xxx_a.zip android/out/target/product/kylin32/obj/PACKAGING/target_files_intermediates/rtk_kylin32-target_files-eng.xxx_b.zip rtk_kylin32-target_files-eng.xxx_c.zip

 

3. System fingerprint

Path1: android/out/target/product/kylin32/recovery/root/default.prop

Path2: android/out/target/product/kylin32/system/build.prop

 

Set the ro.build.fingerprint parameter in the Path1 file equal to the one in Path2.

 

III. Driver

1. Modify linux_kernel/drivers/md/dm-verity.c

+++  linux_kernel/drivers/md/dm-verity.c          2016-09-2620:34:26.914143043 +0800

@@ -12,7 +12,6 @@

         kobject_uevent_env(&disk_to_dev(dm_disk(md))->kobj,KOBJ_CHANGE, envp);

 

out:

         if(v->mode == DM_VERITY_MODE_LOGGING)

-                 return0;

+      kernel_restart("dm-verity device corrupted");

         if(v->mode == DM_VERITY_MODE_RESTART)

                   kernel_restart("dm-veritydevice corrupted");

 

         return1;
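
Review bot: after this change the DM_VERITY_MODE_LOGGING branch calls kernel_restart() with the same message as the DM_VERITY_MODE_RESTART branch just below it, so logging mode no longer exists as a distinct behaviour and a device with a corrupted block restarts every time the block is read. If that is the intent, remove the mode tests and restart unconditionally with a comment saying so; otherwise make it a build-time option rather than repurposing the LOGGING branch, because user space that selects logging mode will not get what it asked for.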

 

2. Modify linux-kernel/arch/arm64/boot/dts/realtek/rtd-1295-giraffe.dts

--a/linux-kernel/arch/arm64/boot/dts/realtek/rtd-1295-giraffe.dts        2016-11-26 04:46:55.507134725 +0800

+++b/linux-kernel/arch/arm64/boot/dts/realtek/rtd-1295-giraffe.dts      2016-11-11 01:55:02.354202302 +0800

@@ -76,16 +78,25 @@

                 >;

        };

    };

+   reserved-memory {

+       #address-cells = <1>;

+       #size-cells = <1>;

+       ranges;

+

+       ramoops_mem: ramoops_mem {

+           reg = <0x22000000 0x00200000>;

+           reg-names = "ramoops_mem";

+           no-map;

+       };

+   };

+

+   ramoops@10014000 {

+       compatible   ="ramoops";

+       record-size  = <00x00004000>;

+       console-size = <0 0x00100000>;

+       ftrace-size  = <00x00004000>;

+       memory-region = <&ramoops_mem>;

+   };

+

};
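
Review bot: the node is named ramoops@10014000, but the memory it uses is the reserved region at 0x22000000 referenced through memory-region, so the unit address matches nothing in the node. Name it plain ramoops, or give it a reg that matches, to avoid a misleading address. record-size, console-size and ftrace-size add up to 0x108000, which fits in the 0x00200000 region; a comment recording that budget would help whoever resizes it.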

 

3. Modify the kernel configuration linux-kernel/.config

--- a/linux-kernel/.config 2016-11-2801:52:31.903747680 +0800

+++ b/linux-kernel/.config   2016-11-21 03:04:33.517480373 +0800

@@ -1294,7 +1404,7 @@

 #CONFIG_DM_DELAY is not set

 CONFIG_DM_UEVENT=y

 #CONFIG_DM_FLAKEY is not set

-# CONFIG_DM_VERITY is not set

+CONFIG_DM_VERITY=y

@@ -3339,7 +3548,11 @@

 #CONFIG_QNX4FS_FS is not set

 #CONFIG_QNX6FS_FS is not set

 #CONFIG_ROMFS_FS is not set

-# CONFIG_PSTORE is not set

+CONFIG_PSTORE=y

+CONFIG_PSTORE_CONSOLE=y

+# CONFIG_PSTORE_PMSG is not set

+CONFIG_PSTORE_FTRACE=y

+CONFIG_PSTORE_RAM=y

 

 

4. Modify linux-kernel/drivers/soc/realtek/rtd129x/rtd129x_restart.c

Diff --gita/drivers/soc/realtek/rtd129x/rtd129x_restart.cb/drivers/soc/realtek/rtd129x/rtd129x_restart.c

index e2156de..c0b9117 100644

—a/drivers/soc/realtek/rtd129x/rtd129x_restart.c

+++b/drivers/soc/realtek/rtd129x/rtd129x_restart.c

@@ -16,9 +16,13 @@ static void __iomem *wdt_base;

#define WDT_CTL    0

#define WDT_OVERFLOW        0xC

#define WDT_NMI 8

+#define WDT_OE 0x44 //0x980076C4

+

void rtk_machine_restart(char mode, constchar *cmd)

{

+ writel(0, wdt_base + WDT_OE);

+

writel(BIT(0), wdt_base + WDT_CLR);

writel(0x00800000, wdt_base +WDT_OVERFLOW);

writel(0x000000FF, wdt_base + WDT_CTL);
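
Review bot: the added writel(0, wdt_base + WDT_OE) at the top of rtk_machine_restart() has no comment saying what clearing that register does or why the restart path needs it; the only hint is the trailing //0x980076C4 on the #define. Add a one-line comment at the write, and turn the address note into a regular /* ... */ comment that names the register.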

 

 

IV. Run

1. Modify /image_file/components/packages/package5/root/init.kylin.rc

+++ /home/yebin/1295/1295/image_file/components/packages/package5/root/init.kylin.rc         2016-09-27 13:22:22.566371390 +0800

@@ -22,6 +22,9 @@

    write /proc/sys/vm/swappiness 100

 

 oninit

+   # Load persistent dm-verity state

+   verity_load_state

+

    #loglevel 3

    start watchdogd

 

@@ -43,6 +46,17 @@

    swapon_all /fstab.kylin

    setprop persist.storage.resizefs 1

 

+   #Adjust parameters for dm-verity device

+   write /sys/block/dm-0/queue/read_ahead_kb 2048

+

+   #Update dm-verity state and set partition.*.verified properties

+   verity_update_state

+

+on verity-logging

+   exec u:r:slideshow:s0 -- /sbin/slideshow warning/verity_red_1warning/verity_red_2

+

+
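
Review bot: write /sys/block/dm-0/queue/read_ahead_kb 2048 assumes the verity device is always dm-0; if another device-mapper target is ever created first, the setting lands on the wrong device. Add a comment stating that assumption next to the write. The on verity-logging trigger passes two image paths to /sbin/slideshow, so a comment noting that it depends on the slideshow and verity_warning_images packages being installed would keep the two changes linked.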

2. Modify /image_file/components/packages/package5/root/fstab.kylin

+++/home/yebin/1295/1295/image_file/components/packages/package5/root/fstab.kylin  2016-09-26 19:11:14.750124194 +0800

@@ -3,7 +3,7 @@

 #The filesystem that contains the filesystem checker binary (typically /system)cannot

 #specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK

 

-/dev/block/mmcblk0p1  /system             ext4 ro,noatime       wait

+/dev/block/mmcblk0p1 /system             ext4 ro,noatime       wait,verify=/dev/block/mmcblk0p8

 /dev/block/mmcblk0p3 /cache               ext4 rw,noatime,nosuid,nodev,journal_checksum,errors=continue,data_err=ignore,discard         wait

 #/dev/block/mmcblk0p2        /data                  ext4         rw,noatime,nosuid,nodev,journal_checksum,errors=continue,data_err=ignore,discard      wait,forceencrypt=/cache/data-MD1

 /dev/block/mmcblk0p2 /data                  ext4 rw,noatime,nosuid,nodev,journal_checksum,errors=continue,data_err=ignore,discard         wait,encryptable=/cache/data-MD1

 

3. Modify /android/system/core/fs_mgr/fs_mgr_verity.c

+++ /home/yebin/1295/1295/android/system/core/fs_mgr/fs_mgr_verity.c 2016-10-10 15:50:16.038842554 +0800

@@ -61,7 +61,7 @@

 #define VERITY_STATE_VERSION 1

 

 #define VERITY_KMSG_RESTART "dm-veritydevice corrupted"

-#define VERITY_KMSG_BUFSIZE 1024

+#define VERITY_KMSG_BUFSIZE 16384

 

@@ -412,8 +412,13 @@

        // cannot use logging mode with these drivers, they always cause

        // an I/O error for corrupted blocks

        strcpy(verity_params, table);

-   } else if (snprintf(verity_params, bufsize, "%s %d", table,mode) < 0) {

-       return -1;

+   } else

+     {

+      char *modeStr = mode == VERITY_MODE_LOGGING ?"ignore_corruption" : "restart_on_corruption";

+       if (snprintf(verity_params, bufsize, "%s %d %s", table, 1,modeStr) < 0) {

+           return -1;

+      }

+

    }
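
Review bot: the new snprintf(verity_params, bufsize, "%s %d %s", ...) < 0 test only catches an encoding error; when table plus the mode string does not fit, snprintf returns a value of bufsize or more and a truncated table is passed on. Compare the result against bufsize as well and return -1 in that case. The literal 1 in the argument list has no explanation, so name it or comment what it counts, and declare modeStr as const char * since it points at string literals.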

 

@@ -508,13 +527,15 @@

 static int was_verity_restart()

 {

    static const char *files[] = {

-       "/sys/fs/pstore/console-ramoops",

+       "/sys/fs/pstore/console-ramoops-0",

        "/proc/last_kmsg",

        NULL

    };

    int i;
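
Review bot: replacing "/sys/fs/pstore/console-ramoops" with "/sys/fs/pstore/console-ramoops-0" in files[] makes was_verity_restart() miss the log on a kernel that still exposes the old name, so a previous verity restart would go undetected there. Keep the old entry and add the new one in front of it; the array is NULL-terminated, so an extra entry costs nothing.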

 

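The configuration above lists only part of the configuration.



To test the verification, you can swap in a different verity_key yourself. The parameters passed down to the device-mapper driver may not match, because Android's fs_mgr has been revised.


Besides, having that salt appended to the tail of system.img is not secure either. Later I ran that salt through SHA-256 to generate a key and put it in the RPMB of the eMMC, and do one more verification when LK starts. Still not feeling safe enough, kid?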

