authorTreehugger Robot <treehugger-gerrit@google.com>2019-05-07 17:27:22 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2019-05-07 17:27:22 +0000
commiteabbfb9e81d865631f437413fad2888ddb8ae8ea (patch)
tree45f3fb89626e43fea624608b3bba33d49c27044c
parent799ddc9c199d7c0d3b9ca0231f1bde6780af62bd (diff)
parent705fd7f52cae7a82faeee6a8de429d746a512f77 (diff)
downloadcore-eabbfb9e81d865631f437413fad2888ddb8ae8ea.tar.gz
Merge "Support booting a chained boot-debug.img"android-o-mr1-iot-release-1.0.12oreo-mr1-iot-release
-rw-r--r--fs_mgr/libfs_avb/fs_avb.cpp28
1 files changed, 16 insertions, 12 deletions
diff --git a/fs_mgr/libfs_avb/fs_avb.cpp b/fs_mgr/libfs_avb/fs_avb.cpp
index 04776edc5..c4d75110f 100644
--- a/fs_mgr/libfs_avb/fs_avb.cpp
+++ b/fs_mgr/libfs_avb/fs_avb.cpp
@@ -338,6 +338,7 @@ AvbUniquePtr AvbHandle::LoadAndVerifyVbmeta() {
nullptr /* custom_device_path */);
}
+// TODO(b/128807537): removes this function.
AvbUniquePtr AvbHandle::Open() {
bool is_device_unlocked = IsDeviceUnlocked();
@@ -353,25 +354,28 @@ AvbUniquePtr AvbHandle::Open() {
AvbSlotVerifyResult verify_result =
avb_ops.AvbSlotVerify(fs_mgr_get_slot_suffix(), flags, &avb_handle->vbmeta_images_);
- // Only allow two verify results:
+ // Only allow the following verify results:
// - AVB_SLOT_VERIFY_RESULT_OK.
- // - AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION (for UNLOCKED state).
- // If the device is UNLOCKED, i.e., |allow_verification_error| is true for
- // AvbSlotVerify(), then the following return values are all non-fatal:
- // * AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION
- // * AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED
- // * AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX
- // The latter two results were checked by bootloader prior to start fs_mgr so
- // we just need to handle the first result here. See *dummy* operations in
- // FsManagerAvbOps and the comments in external/avb/libavb/avb_slot_verify.h
- // for more details.
+ // - AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION (UNLOCKED only).
+ // Might occur in either the top-level vbmeta or a chained vbmeta.
+ // - AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED (UNLOCKED only).
+ // Could only occur in a chained vbmeta. Because we have *dummy* operations in
+ // FsManagerAvbOps such that avb_ops->validate_vbmeta_public_key() used to validate
+ // the public key of the top-level vbmeta always pass in userspace here.
+ //
+ // The following verify result won't happen, because the *dummy* operation
+ // avb_ops->read_rollback_index() always returns the minimum value zero. So rollbacked
+ // vbmeta images, which should be caught in the bootloader stage, won't be detected here.
+ // - AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX
switch (verify_result) {
case AVB_SLOT_VERIFY_RESULT_OK:
avb_handle->status_ = AvbHandleStatus::kSuccess;
break;
case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION:
+ case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED:
if (!is_device_unlocked) {
- LERROR << "ERROR_VERIFICATION isn't allowed when the device is LOCKED";
+ LERROR << "ERROR_VERIFICATION / PUBLIC_KEY_REJECTED isn't allowed "
+ << "if the device is LOCKED";
return nullptr;
}
avb_handle->status_ = AvbHandleStatus::kVerificationError;
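Review bot: The LOCKED-state message in the shared `case` branch names both results at once, so a boot log cannot tell a hash or signature mismatch from a chained vbmeta whose public key was rejected. Logging the actual value keeps that distinction for triage, e.g. `LERROR << avb_slot_verify_result_to_string(verify_result) << " isn't allowed if the device is LOCKED";`. The same merging happens on the UNLOCKED path, where both results set `AvbHandleStatus::kVerificationError`. If callers branch on `status_` (not visible in this hunk), a one-line comment at that assignment should say that an untrusted-key chained image is deliberately reported as a plain verification error. `AvbHandle::Open()` and the `switch` both start or continue outside the hunk, so the default case could not be checked.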