-rw-r--r--core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java4
-rw-r--r--core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java4
-rw-r--r--core/java/android/util/apk/ApkSigningBlockUtils.java2
-rw-r--r--core/java/android/util/apk/VerityBuilder.java (renamed from core/java/android/util/apk/ApkVerityBuilder.java)40
-rw-r--r--services/core/java/com/android/server/pm/PackageManagerService.java5
-rw-r--r--services/core/java/com/android/server/security/VerityUtils.java8
6 files changed, 32 insertions, 31 deletions
diff --git a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
index 1203541756e8..1bbef8e9cfff 100644
--- a/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
+++ b/core/java/android/util/apk/ApkSignatureSchemeV2Verifier.java
@@ -410,7 +410,7 @@ public class ApkSignatureSchemeV2Verifier {
NoSuchAlgorithmException {
try (RandomAccessFile apk = new RandomAccessFile(apkPath, "r")) {
SignatureInfo signatureInfo = findSignature(apk);
- return ApkVerityBuilder.generateApkVerity(apkPath, bufferFactory, signatureInfo);
+ return VerityBuilder.generateApkVerity(apkPath, bufferFactory, signatureInfo);
}
}
@@ -423,7 +423,7 @@ public class ApkSignatureSchemeV2Verifier {
if (vSigner.verityRootHash == null) {
return null;
}
- return ApkVerityBuilder.generateApkVerityRootHash(
+ return VerityBuilder.generateApkVerityRootHash(
apk, ByteBuffer.wrap(vSigner.verityRootHash), signatureInfo);
}
}
diff --git a/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java b/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java
index 939522dcd57f..1471870bd7d2 100644
--- a/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java
+++ b/core/java/android/util/apk/ApkSignatureSchemeV3Verifier.java
@@ -534,7 +534,7 @@ public class ApkSignatureSchemeV3Verifier {
NoSuchAlgorithmException {
try (RandomAccessFile apk = new RandomAccessFile(apkPath, "r")) {
SignatureInfo signatureInfo = findSignature(apk);
- return ApkVerityBuilder.generateApkVerity(apkPath, bufferFactory, signatureInfo);
+ return VerityBuilder.generateApkVerity(apkPath, bufferFactory, signatureInfo);
}
}
@@ -547,7 +547,7 @@ public class ApkSignatureSchemeV3Verifier {
if (vSigner.verityRootHash == null) {
return null;
}
- return ApkVerityBuilder.generateApkVerityRootHash(
+ return VerityBuilder.generateApkVerityRootHash(
apk, ByteBuffer.wrap(vSigner.verityRootHash), signatureInfo);
}
}
diff --git a/core/java/android/util/apk/ApkSigningBlockUtils.java b/core/java/android/util/apk/ApkSigningBlockUtils.java
index 081033ae84e9..87af5364c945 100644
--- a/core/java/android/util/apk/ApkSigningBlockUtils.java
+++ b/core/java/android/util/apk/ApkSigningBlockUtils.java
@@ -332,7 +332,7 @@ final class ApkSigningBlockUtils {
try {
byte[] expectedRootHash = parseVerityDigestAndVerifySourceLength(expectedDigest,
apk.length(), signatureInfo);
- ApkVerityBuilder.ApkVerityResult verity = ApkVerityBuilder.generateApkVerityTree(apk,
+ VerityBuilder.VerityResult verity = VerityBuilder.generateApkVerityTree(apk,
signatureInfo, new ByteBufferFactory() {
@Override
public ByteBuffer create(int capacity) {
diff --git a/core/java/android/util/apk/ApkVerityBuilder.java b/core/java/android/util/apk/VerityBuilder.java
index edd09f8f73c4..443bbd8597af 100644
--- a/core/java/android/util/apk/ApkVerityBuilder.java
+++ b/core/java/android/util/apk/VerityBuilder.java
@@ -29,19 +29,18 @@ import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
/**
- * ApkVerityBuilder builds the APK verity tree and the verity header. The generated tree format can
- * be stored on disk for apk-verity setup and used by kernel. Note that since the current
- * implementation is different from the upstream, we call this implementation apk-verity instead of
- * fs-verity.
+ * VerityBuilder builds the verity Merkle tree and other metadata. The generated tree format can
+ * be stored on disk for fs-verity setup and used by kernel. The builder support standard
+ * fs-verity, and Android specific apk-verity that requires additional kernel patches.
*
- * <p>Unlike a regular Merkle tree, APK verity tree does not cover the content fully. Due to
- * the existing APK format, it has to skip APK Signing Block and also has some special treatment for
- * the "Central Directory offset" field of ZIP End of Central Directory.
+ * <p>Unlike a regular Merkle tree of fs-verity, the apk-verity tree does not cover the file content
+ * fully, and has to skip APK Signing Block with some special treatment for the "Central Directory
+ * offset" field of ZIP End of Central Directory.
*
* @hide
*/
-public abstract class ApkVerityBuilder {
- private ApkVerityBuilder() {}
+public abstract class VerityBuilder {
+ private VerityBuilder() {}
private static final int CHUNK_SIZE_BYTES = 4096; // Typical Linux block size
private static final int DIGEST_SIZE_BYTES = 32; // SHA-256 size
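Review bot: The rewritten class comment has a grammar slip in its second sentence: `The builder support standard` should read `The builder supports standard fs-verity, and the Android-specific apk-verity that requires additional kernel patches.` Since the class now serves both formats, the comment could also name the entry point for each one. Judging by the `skipSigningBlock` arguments further down, `generateFsVerityTree` hashes the file without skipping anything and `generateApkVerityTree` skips the APK Signing Block. The class body continues outside this hunk.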
@@ -52,7 +51,7 @@ public abstract class ApkVerityBuilder {
private static final byte[] DEFAULT_SALT = new byte[8];
/** Result generated by the builder. */
- public static class ApkVerityResult {
+ public static class VerityResult {
/** Raw fs-verity metadata and Merkle tree ready to be deployed on disk. */
public final ByteBuffer verityData;
@@ -62,7 +61,7 @@ public abstract class ApkVerityBuilder {
/** Root hash of the Merkle tree. */
public final byte[] rootHash;
- private ApkVerityResult(ByteBuffer verityData, int merkleTreeSize, byte[] rootHash) {
+ private VerityResult(ByteBuffer verityData, int merkleTreeSize, byte[] rootHash) {
this.verityData = verityData;
this.merkleTreeSize = merkleTreeSize;
this.rootHash = rootHash;
@@ -74,14 +73,14 @@ public abstract class ApkVerityBuilder {
* ByteBuffer} created by the {@link ByteBufferFactory}. The output is suitable to be used as
* the on-disk format for fs-verity to use.
*
- * @return ApkVerityResult containing a buffer with the generated Merkle tree stored at the
+ * @return VerityResult containing a buffer with the generated Merkle tree stored at the
* front, the tree size, and the calculated root hash.
*/
@NonNull
- public static ApkVerityResult generateFsVerityTree(@NonNull RandomAccessFile apk,
+ public static VerityResult generateFsVerityTree(@NonNull RandomAccessFile apk,
@NonNull ByteBufferFactory bufferFactory)
throws IOException, SecurityException, NoSuchAlgorithmException, DigestException {
- return generateVerityTree(apk, bufferFactory, null /* signatureInfo */,
+ return generateVerityTreeInternal(apk, bufferFactory, null /* signatureInfo */,
false /* skipSigningBlock */);
}
@@ -91,18 +90,19 @@ public abstract class ApkVerityBuilder {
* Block specificed in {@code signatureInfo}. The output is suitable to be used as the on-disk
* format for fs-verity to use (with elide and patch extensions).
*
- * @return ApkVerityResult containing a buffer with the generated Merkle tree stored at the
+ * @return VerityResult containing a buffer with the generated Merkle tree stored at the
* front, the tree size, and the calculated root hash.
*/
@NonNull
- public static ApkVerityResult generateApkVerityTree(@NonNull RandomAccessFile apk,
+ public static VerityResult generateApkVerityTree(@NonNull RandomAccessFile apk,
@Nullable SignatureInfo signatureInfo, @NonNull ByteBufferFactory bufferFactory)
throws IOException, SecurityException, NoSuchAlgorithmException, DigestException {
- return generateVerityTree(apk, bufferFactory, signatureInfo, true /* skipSigningBlock */);
+ return generateVerityTreeInternal(apk, bufferFactory, signatureInfo,
+ true /* skipSigningBlock */);
}
@NonNull
- private static ApkVerityResult generateVerityTree(@NonNull RandomAccessFile apk,
+ private static VerityResult generateVerityTreeInternal(@NonNull RandomAccessFile apk,
@NonNull ByteBufferFactory bufferFactory, @Nullable SignatureInfo signatureInfo,
boolean skipSigningBlock)
throws IOException, SecurityException, NoSuchAlgorithmException, DigestException {
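Review bot: Renaming the private helper to `generateVerityTreeInternal` gives it the same name as the existing routine that the next hunk calls as `generateVerityTreeInternal(apk, signatureInfo, salt, levelOffset, tree, skipSigningBlock)` and that returns `byte[]`. The two private overloads differ only in parameter list and return type, which is easy to misread in code that decides which bytes of the APK the Merkle tree covers. A distinct name for the wrapper that allocates the output and returns the result object would keep them apart, for example `private static VerityResult generateVerityResult(@NonNull RandomAccessFile apk,`. The helper's body starts after the last line of this hunk.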
@@ -124,7 +124,7 @@ public abstract class ApkVerityBuilder {
byte[] salt = skipSigningBlock ? DEFAULT_SALT : null;
byte[] apkRootHash = generateVerityTreeInternal(apk, signatureInfo, salt, levelOffset,
tree, skipSigningBlock);
- return new ApkVerityResult(output, merkleTreeSize, apkRootHash);
+ return new VerityResult(output, merkleTreeSize, apkRootHash);
}
static void generateApkVerityFooter(@NonNull RandomAccessFile apk,
@@ -173,7 +173,7 @@ public abstract class ApkVerityBuilder {
throws IOException, SignatureNotFoundException, SecurityException, DigestException,
NoSuchAlgorithmException {
try (RandomAccessFile apk = new RandomAccessFile(apkPath, "r")) {
- ApkVerityResult result = generateVerityTree(apk, bufferFactory, signatureInfo,
+ VerityResult result = generateVerityTreeInternal(apk, bufferFactory, signatureInfo,
true /* skipSigningBlock */);
ByteBuffer footer = slice(result.verityData, result.merkleTreeSize,
result.verityData.limit());
diff --git a/services/core/java/com/android/server/pm/PackageManagerService.java b/services/core/java/com/android/server/pm/PackageManagerService.java
index 10980b79f1f4..296d7ae349bc 100644
--- a/services/core/java/com/android/server/pm/PackageManagerService.java
+++ b/services/core/java/com/android/server/pm/PackageManagerService.java
@@ -8474,7 +8474,7 @@ public class PackageManagerService extends IPackageManager.Stub
private boolean canSkipFullApkVerification(String apkPath) {
final byte[] rootHashObserved;
try {
- rootHashObserved = VerityUtils.generateFsverityRootHash(apkPath);
+ rootHashObserved = VerityUtils.generateApkVerityRootHash(apkPath);
if (rootHashObserved == null) {
return false; // APK does not contain Merkle tree root hash.
}
@@ -16010,7 +16010,8 @@ public class PackageManagerService extends IPackageManager.Stub
if (Build.IS_DEBUGGABLE) Slog.i(TAG, "Enabling apk verity to " + apkPath);
FileDescriptor fd = result.getUnownedFileDescriptor();
try {
- final byte[] signedRootHash = VerityUtils.generateFsverityRootHash(apkPath);
+ final byte[] signedRootHash =
+ VerityUtils.generateApkVerityRootHash(apkPath);
mInstaller.installApkVerity(apkPath, fd, result.getContentSize());
mInstaller.assertFsverityRootHashMatches(apkPath, signedRootHash);
} catch (InstallerException | IOException | DigestException |
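Review bot: `signedRootHash` is passed to `mInstaller.assertFsverityRootHashMatches(apkPath, signedRootHash)` without a null check, although `canSkipFullApkVerification` in the earlier hunk of this file treats a null return from the same `VerityUtils.generateApkVerityRootHash(apkPath)` call as "APK does not contain Merkle tree root hash". If a null can never reach this path, a comment saying why would help, e.g. `// Non-null here: verity data was generated from a signature carrying a root hash`. Otherwise an explicit `if (signedRootHash == null)` guard that fails the install should come before the installer calls. Separately, the assert method still says Fsverity while the hash it checks is now named ApkVerity, so the naming on these two lines is inconsistent. The enclosing method starts and ends outside this hunk.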
diff --git a/services/core/java/com/android/server/security/VerityUtils.java b/services/core/java/com/android/server/security/VerityUtils.java
index 37966108fe64..8070f3add5c6 100644
--- a/services/core/java/com/android/server/security/VerityUtils.java
+++ b/services/core/java/com/android/server/security/VerityUtils.java
@@ -26,9 +26,9 @@ import android.system.Os;
import android.util.Pair;
import android.util.Slog;
import android.util.apk.ApkSignatureVerifier;
-import android.util.apk.ApkVerityBuilder;
import android.util.apk.ByteBufferFactory;
import android.util.apk.SignatureNotFoundException;
+import android.util.apk.VerityBuilder;
import libcore.util.HexEncoding;
@@ -115,9 +115,9 @@ abstract public class VerityUtils {
}
/**
- * {@see ApkSignatureVerifier#generateFsverityRootHash(String)}.
+ * {@see ApkSignatureVerifier#generateApkVerityRootHash(String)}.
*/
- public static byte[] generateFsverityRootHash(@NonNull String apkPath)
+ public static byte[] generateApkVerityRootHash(@NonNull String apkPath)
throws NoSuchAlgorithmException, DigestException, IOException {
return ApkSignatureVerifier.generateApkVerityRootHash(apkPath);
}
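Review bot: `{@see ...}` is not a Javadoc inline tag, so the reference in this comment will not resolve. It should be `{@link ApkSignatureVerifier#generateApkVerityRootHash(String)}`, or a block `@see` tag. The comment should also state that the result may be null, since `canSkipFullApkVerification` in PackageManagerService checks the returned array for null. A `@return` line such as `@return the apk-verity root hash, or null if the APK does not carry one` would make that contract visible to callers that compare it against an observed hash.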
@@ -146,7 +146,7 @@ abstract public class VerityUtils {
throws IOException, SignatureNotFoundException, SecurityException, DigestException,
NoSuchAlgorithmException {
try (RandomAccessFile file = new RandomAccessFile(filePath, "r")) {
- ApkVerityBuilder.ApkVerityResult result = ApkVerityBuilder.generateFsVerityTree(
+ VerityBuilder.VerityResult result = VerityBuilder.generateFsVerityTree(
file, trackedBufferFactory);
ByteBuffer buffer = result.verityData;