diff options
| author | 2022-11-09 15:34:01 -0800 | |
|---|---|---|
| committer | 2022-11-21 11:48:31 -0800 | |
| commit | 4bdb6e5ef09eb8e060359eab3c824cc036d2c105 (patch) | |
| tree | e0b49728606b941a8a3ae86b121c98d9375cc738 /libs/hwui/Readback.cpp | |
| parent | cc6f6e08ccbe14b2bc2e937ae7fdfca3c92564b1 (diff) | |
Move fs-verity signature check from kernel to install
This unblocks the deprecation of fs-verity kernel keyring.
With an APK is installed with .fsv_sig, the signature was installed to
the filesystem to be verified with a kernel keyring. Due to the current
threat model of root or system server, checking the signature in kernel
is not superior since the attacker can simply strip fs-verity protection
from the file. The userspace check should be done anyway if the keyring
contains multiple keys.
Without regressing any security guarantee, this change moves the
signature check to (only) install time. FileIntegrityService already
holds the certificates and facilitates the signature check.
In order to keep the test passing, FileIntegrityService now supports
(debug only) cmd for adding and removing a debug cert.
Bug: 258708453
Test: ApkVerityTest
Test: CtsAppSecurityHostTestCases:android.appsecurity.cts.ApkVerityInstallTest
Test: ChecksumsTest
Change-Id: I737f058229928f1b242612631a13c62709b06d33
Diffstat (limited to 'libs/hwui/Readback.cpp')
0 files changed, 0 insertions, 0 deletions