diff options
| author | 2019-01-05 00:27:56 +0000 | |
|---|---|---|
| committer | 2019-01-05 00:27:56 +0000 | |
| commit | c4085a8f72b6515354564cd1c4c29ae9f79e20ca (patch) | |
| tree | d1f15aadd6cdf82051b37e4da5e1d442f48237d1 | |
| parent | 2cf41e4fbfeca5b58714589c9c3505d281cd33de (diff) | |
| parent | d33cafed376b5bb5d44822b3e0801630f09ba954 (diff) | |
Merge "Skip forced package verification if fs-verity exists"
| -rw-r--r-- | services/core/java/com/android/server/pm/PackageManagerService.java | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java index 5c4c1bac2419..fe89be6f73c4 100644 --- a/services/core/java/com/android/server/pm/PackageManagerService.java +++ b/services/core/java/com/android/server/pm/PackageManagerService.java @@ -8549,16 +8549,16 @@ public class PackageManagerService extends IPackageManager.Stub } /** - * Returns if full apk verification can be skipped for the whole package, including the splits. + * Returns if forced apk verification can be skipped for the whole package, including splits. */ - private boolean canSkipFullPackageVerification(PackageParser.Package pkg) { - if (!canSkipFullApkVerification(pkg.baseCodePath)) { + private boolean canSkipForcedPackageVerification(PackageParser.Package pkg) { + if (!canSkipForcedApkVerification(pkg.baseCodePath)) { return false; } // TODO: Allow base and splits to be verified individually. if (!ArrayUtils.isEmpty(pkg.splitCodePaths)) { for (int i = 0; i < pkg.splitCodePaths.length; i++) { - if (!canSkipFullApkVerification(pkg.splitCodePaths[i])) { + if (!canSkipForcedApkVerification(pkg.splitCodePaths[i])) { return false; } } @@ -8567,14 +8567,17 @@ public class PackageManagerService extends IPackageManager.Stub } /** - * Returns if full apk verification can be skipped, depending on current FSVerity setup and + * Returns if forced apk verification can be skipped, depending on current FSVerity setup and * whether the apk contains signed root hash. Note that the signer's certificate still needs to * match one in a trusted source, and should be done separately. */ - private boolean canSkipFullApkVerification(String apkPath) { - final byte[] rootHashObserved; + private boolean canSkipForcedApkVerification(String apkPath) { + if (!PackageManagerServiceUtils.isLegacyApkVerityMode()) { + return VerityUtils.hasFsverity(apkPath); + } + try { - rootHashObserved = VerityUtils.generateApkVerityRootHash(apkPath); + final byte[] rootHashObserved = VerityUtils.generateApkVerityRootHash(apkPath); if (rootHashObserved == null) { return false; // APK does not contain Merkle tree root hash. } @@ -8746,7 +8749,7 @@ public class PackageManagerService extends IPackageManager.Stub // in verified partition, or can be verified on access (when apk verity is enabled). In both // cases, only data in Signing Block is verified instead of the whole file. final boolean skipVerify = scanSystemPartition - || (forceCollect && canSkipFullPackageVerification(pkg)); + || (forceCollect && canSkipForcedPackageVerification(pkg)); collectCertificatesLI(pkgSetting, pkg, forceCollect, skipVerify); // Reset profile if the application version is changed |