Ensure signature for allowlisted system app update on boot
With v4 signature and fs-verity, verifying an APK's integrity is O(1)
time. This allows us to enforce the signature and detect persistent attacks
(via tampering with an APK) across a reboot for updated system apps.
For the first step, we don't implement a policy (e.g. all priv apps)
and only protect the packages in an allowlist specified by a resource
property. This is due to the ecosystem complexity, where some OEMs may
preload apps from another developer, since the developer's v4 signature may
need extra plumbing depending on how they are installed.
Some implementation details:
After a system package is updated, during boot we still want to
retrieve the SigningDetails from the APK in the dm-verity protected
partition. This is to harden and protect the allowlisted apps from a
tampered record in an attack scenario. The SigningDetails of the
disabled package is then used during the reconcile phase, to ensure
the updated package has a consistent signature with the original version.
Originally, canSkipForcedPackageVerification checks splits explicitly.
This is not necessary because ParsingPackageUtils.getSigningDetails can
only succeed (e.g. during collectCertificatesLI, when forced) if the
splits are consistent with the base.
Delete some dead code, e.g. in the skipVerify condition.
Bug: 277344944
Test: 1. locally add com.android.egg to the allowlist
2. build EasterEgg with v4 signature; and EasterEgg2 with a
different signing key
3. adb install-multiple --no-incr EasterEgg.apk EasterEgg.apk.idsig
4. with root, replace base.apk and base.apk.idsig with EasterEgg2,
chown and enable fsverity
5. adb shell stop/start
6. verify from logcat that the APK is recovered by expected check
* With some code changes to force the condition.
Change-Id: I0b62b73208c7d4e6b8613f1ae3aa726de8d8fa65
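The boot-time policy the commit message describes (read the allowlist, take the original SigningDetails from the APK on the dm-verity partition rather than from the package settings record, and reconcile the update against it), as an added illustration that is not code from AOSP or from this change. The `<require-strict-signature package="..."/>` format matches the sysconfig file added below; `SigningDetails`, the certificate bytes, the package names and the rule that an update is "consistent" when it keeps the same signers or rotates from them via its lineage are all constructed simplifications, not the framework's real types or capability checks. The `trust_cached_record` switch contrasts the pre-change behaviour (cached record trusted) with the hardened one:

```python
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed allowlist in the sysconfig format introduced by this change.
ALLOWLIST_XML = """<?xml version="1.0" encoding="utf-8"?>
<config>
    <require-strict-signature package="com.android.egg"/>
    <require-strict-signature package="com.example.oemapp"/>
</config>
"""


def parse_strict_signature_allowlist(xml_text):
    """Collect package names from <require-strict-signature package="..."/> entries."""
    root = ET.fromstring(xml_text)
    if root.tag != "config":
        raise ValueError("expected <config> root, got <%s>" % root.tag)
    packages = set()
    for node in root.iter("require-strict-signature"):
        pkg = node.get("package")
        if not pkg:
            raise ValueError("<require-strict-signature> needs a package attribute")
        packages.add(pkg)
    return frozenset(packages)


@dataclass(frozen=True)
class SigningDetails:
    """Hypothetical stand-in for Android's SigningDetails: digests of the
    current signer certificates plus the rotation lineage (older signers)."""
    signers: frozenset
    lineage: tuple = ()

    @staticmethod
    def of(certs, lineage=()):
        digest = lambda c: hashlib.sha256(c).hexdigest()
        return SigningDetails(frozenset(digest(c) for c in certs),
                              tuple(digest(c) for c in lineage))

    def consistent_with(self, original):
        """Simplified rule: same signers, or every original signer is in our lineage."""
        if self.signers == original.signers:
            return True
        return original.signers <= set(self.lineage)


def reconcile_updates(allowlist, preinstalled_sig, updated_sig, cached_sig,
                      trust_cached_record=False):
    """Decide, per updated package, whether the /data update survives boot.

    preinstalled_sig: SigningDetails read from the APK on the dm-verity
                      protected partition (trusted source).
    updated_sig:      SigningDetails read from the updated APK in /data.
    cached_sig:       SigningDetails from the package settings record; an
                      attacker who can write /data may have tampered with it.
    trust_cached_record=True models the old path that used the record.
    Returns {package: "keep" | "rollback" | "cached"}.
    """
    decisions = {}
    for pkg, updated in updated_sig.items():
        if pkg not in allowlist:
            decisions[pkg] = "cached"      # existing behaviour, unchanged
            continue
        source = cached_sig if trust_cached_record else preinstalled_sig
        original = source.get(pkg)
        if original is None:
            raise KeyError("allowlisted %s has no original copy" % pkg)
        decisions[pkg] = "keep" if updated.consistent_with(original) else "rollback"
    return decisions


def demo(trust_cached_record=False):
    """Replays the test plan: com.android.egg re-signed with another key on /data."""
    allowlist = parse_strict_signature_allowlist(ALLOWLIST_XML)
    oem_key = b"constructed-cert-OEM"           # constructed certificate bytes
    oem_key_v2 = b"constructed-cert-OEM-v2"
    attacker_key = b"constructed-cert-attacker"
    preinstalled = {
        "com.android.egg": SigningDetails.of([oem_key]),
        "com.example.oemapp": SigningDetails.of([oem_key]),
        "com.other.app": SigningDetails.of([oem_key]),
    }
    updated = {
        "com.android.egg": SigningDetails.of([attacker_key]),              # tampered
        "com.example.oemapp": SigningDetails.of([oem_key_v2], [oem_key]),  # rotated
        "com.other.app": SigningDetails.of([attacker_key]),               # not listed
    }
    # A tampered settings record claims the attacker key was the original.
    cached = {pkg: SigningDetails.of([attacker_key]) for pkg in updated}
    return reconcile_updates(allowlist, preinstalled, updated, cached,
                             trust_cached_record)


if __name__ == "__main__":
    print("hardened:", demo())
    print("cached record trusted:", demo(trust_cached_record=True))
```

With the cached record trusted, the tampered `com.android.egg` update passes because the attacker also rewrote the record; reading the original SigningDetails from the dm-verity protected APK is what turns that into a rollback, while a legitimate key rotation still passes and non-allowlisted packages are untouched.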
diff --git a/data/etc/Android.bp b/data/etc/Android.bp
index 6a1f3f9..ade20d2 100644
--- a/data/etc/Android.bp
+++ b/data/etc/Android.bp
@@ -60,6 +60,12 @@
src: "preinstalled-packages-asl-files.xml",
}
+prebuilt_etc {
+ name: "preinstalled-packages-strict-signature.xml",
+ sub_dir: "sysconfig",
+ src: "preinstalled-packages-strict-signature.xml",
+}
+
// Privapp permission whitelist files
prebuilt_etc {
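Review bot: the `preinstalled-packages-strict-signature.xml` module is declared here but nothing in this change installs it; unless a product config adds it to PRODUCT_PACKAGES (or the other preinstalled-packages-*.xml modules are pulled in by a mechanism not shown in the diff), the allowlist never lands in /system/etc/sysconfig and the boot-time check has nothing to protect. State where it gets picked up, or add it next to the existing sysconfig entries in the same product makefile.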
diff --git a/data/etc/preinstalled-packages-strict-signature.xml b/data/etc/preinstalled-packages-strict-signature.xml
new file mode 100644
index 0000000..3cbfa8c
--- /dev/null
+++ b/data/etc/preinstalled-packages-strict-signature.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+ ~ Copyright (C) 2023 The Android Open Source Project
+ ~
+ ~ Licensed under the Apache License, Version 2.0 (the "License");
+ ~ you may not use this file except in compliance with the License.
+ ~ You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing, software
+ ~ distributed under the License is distributed on an "AS IS" BASIS,
+ ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ ~ See the License for the specific language governing permissions and
+ ~ limitations under the License.
+ -->
+
+<!--
+This XML file declares which preinstalled apps, after updated, need to have strict signature check
+in boot time and avoid the cached results. This is to ensure the updated version still verifies
+against the preinstalled version.
+
+Example usage:
+ <require-strict-signature package="com.foo.bar"/>
+-->
+
+<config></config>
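Review bot: the commit message says the allowlist is "specified by a resource property", but this hunk ships it as a sysconfig XML under /etc/sysconfig; align the message with the mechanism actually introduced. The header comment should also say what happens on a mismatch (per the test plan, the update is dropped and the preinstalled APK is recovered) and that listed packages are expected to be installed with a v4 signature and `.idsig`, since the cheap boot-time check relies on fs-verity; "after updated" should read "after being updated".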