From 19cc0c71fec422e9af37d5f0ba800e40aa066154 Mon Sep 17 00:00:00 2001 From: yeyuning Date: Fri, 16 Aug 2024 17:00:07 +0800 Subject: [PATCH] move profile to el1 public Signed-off-by: yeyuning Change-Id: Ib095cbda61a3e61ee06d508b828f0d2afb182fc2 --- .../key_enable/cfg/disable_xpm/key_enable.cfg | 6 +- .../cfg/enable_xpm/level1/key_enable.cfg | 6 +- .../cfg/enable_xpm/level2/key_enable.cfg | 6 +- .../cfg/enable_xpm/level3/key_enable.cfg | 6 +- .../cfg/enable_xpm/level4/key_enable.cfg | 6 +- .../cfg/enable_xpm/level5/key_enable.cfg | 6 +- services/key_enable/src/key_enable.rs | 6 +- services/key_enable/src/profile_utils.rs | 69 ++++++++++++------- 8 files changed, 67 insertions(+), 44 deletions(-) diff --git a/services/key_enable/cfg/disable_xpm/key_enable.cfg b/services/key_enable/cfg/disable_xpm/key_enable.cfg index 72286b9..32a8fb3 100644 --- a/services/key_enable/cfg/disable_xpm/key_enable.cfg +++ b/services/key_enable/cfg/disable_xpm/key_enable.cfg @@ -3,9 +3,9 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { "name" : "init", diff --git a/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg index acc92ff..c96ac7c 100644 --- a/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg +++ b/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg @@ -3,9 +3,9 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { "name" : "init", diff --git a/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg index 5d62baa..68da39f 100644 --- a/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg +++ b/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg @@ -3,9 +3,9 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { "name" : "init", diff --git a/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg index def9b8a..4d5fb6f 100644 --- a/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg +++ b/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg @@ -3,9 +3,9 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { "name" : "init", diff --git a/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg index 76624f0..86babbf 100644 --- a/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg +++ b/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg @@ -3,9 +3,9 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { "name" : "init", diff --git a/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg index eba37f2..6eb075e 100644 --- a/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg +++ b/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg @@ -3,9 +3,9 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { "name" : "init", diff --git a/services/key_enable/src/key_enable.rs b/services/key_enable/src/key_enable.rs index 7cb350f..dfae091 100644 --- a/services/key_enable/src/key_enable.rs +++ b/services/key_enable/src/key_enable.rs @@ -41,8 +41,8 @@ const KEYRING_TYPE: &str = "keyring"; const FSVERITY_KEYRING_NAME: &str = ".fs-verity"; const LOCAL_KEY_NAME: &str = "local_key"; const CODE_SIGN_KEY_NAME_PREFIX: &str = "fs_verity_key"; -const PROFILE_STORE_EL1: &str = "/data/service/el1/profiles"; -const PROFILE_SEARCH_SLEEP_TIME: u64 = 1; +const PROFILE_STORE_EL1: &str = "/data/service/el1/public/profiles"; +const PROFILE_SEARCH_SLEEP_TIME: u64 = 200; const PROFILE_SEARCH_SLEEP_OUT_TIME: u64 = 600; const SUCCESS: i32 = 0; @@ -197,7 +197,7 @@ fn add_profile_cert_path_thread( error!(LOG_LABEL, "Timeout while waiting for PROFILE_STORE_EL1."); break; } else { - thread::sleep(Duration::from_secs(PROFILE_SEARCH_SLEEP_TIME)); + thread::sleep(Duration::from_millis(PROFILE_SEARCH_SLEEP_TIME)); } } }) diff --git a/services/key_enable/src/profile_utils.rs b/services/key_enable/src/profile_utils.rs index 5a970b8..2053d46 100644 --- a/services/key_enable/src/profile_utils.rs +++ b/services/key_enable/src/profile_utils.rs @@ -43,8 +43,10 @@ const LOG_LABEL: HiLogLabel = HiLogLabel { }; const PROFILE_STORE_EL0_PREFIX: &str = "/data/service/el0/profiles/developer"; const PROFILE_STORE_EL1_PREFIX: &str = "/data/service/el1/profiles/release"; +const PROFILE_STORE_EL1_PUBLIC_PREFIX: &str = "/data/service/el1/public/profiles/release"; const DEBUG_PROFILE_STORE_EL0_PREFIX: &str = "/data/service/el0/profiles/debug"; const DEBUG_PROFILE_STORE_EL1_PREFIX: &str = "/data/service/el1/profiles/debug"; +const DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX: &str = "/data/service/el1/public/profiles/debug"; const PROFILE_STORE_TAIL: &str = "profile.p7b"; const PROFILE_TYPE_KEY: &str = "type"; const PROFILE_DEVICE_ID_TYPE_KEY: &str = "device-id-type"; @@ -276,8 +278,8 @@ fn format_x509_fabricate_name(name: &X509NameRef) -> String { fn get_profile_paths(is_debug: bool) -> Vec { let mut paths = Vec::new(); let profile_prefixes = match is_debug { - false => vec![PROFILE_STORE_EL0_PREFIX, PROFILE_STORE_EL1_PREFIX], - true => vec![DEBUG_PROFILE_STORE_EL0_PREFIX, DEBUG_PROFILE_STORE_EL1_PREFIX], + false => vec![PROFILE_STORE_EL0_PREFIX, PROFILE_STORE_EL1_PREFIX, PROFILE_STORE_EL1_PUBLIC_PREFIX], + true => vec![DEBUG_PROFILE_STORE_EL0_PREFIX, DEBUG_PROFILE_STORE_EL1_PREFIX, DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX], }; for profile_prefix in profile_prefixes { paths.extend(get_paths_from_prefix(profile_prefix)); @@ -432,10 +434,10 @@ fn process_data(profile_data: &[u8]) -> Result<(String, String, u32), ()> { fn create_bundle_path(bundle_name: &str, profile_type: u32) -> Result { let bundle_path = match profile_type { value if value == DebugCertPathType::Developer as u32 => { - fmt_store_path(DEBUG_PROFILE_STORE_EL1_PREFIX, bundle_name) + fmt_store_path(DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX, bundle_name) } value if value == ReleaseCertPathType::Developer as u32 => { - fmt_store_path(PROFILE_STORE_EL1_PREFIX, bundle_name) + fmt_store_path(PROFILE_STORE_EL1_PUBLIC_PREFIX, bundle_name) } _ => { error!(LOG_LABEL, "invalid profile type"); @@ -479,24 +481,16 @@ fn enable_key_in_profile_internal( Ok(()) } -fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()> { - let _bundle_name = c_char_to_string(bundle_name); - if _bundle_name.is_empty() { - error!(LOG_LABEL, "Invalid bundle name"); +fn process_remove_bundle( + prefix: &str, + bundle_name: &str, +) -> Result<(), ()> { + let bundle_path = fmt_store_path(prefix, bundle_name); + + if !file_exists(&bundle_path) { return Err(()); } - let debug_bundle_path = fmt_store_path(DEBUG_PROFILE_STORE_EL1_PREFIX, &_bundle_name); - let release_bundle_path = fmt_store_path(PROFILE_STORE_EL1_PREFIX, &_bundle_name); - - let bundle_path = if file_exists(&debug_bundle_path) { - debug_bundle_path - } else if file_exists(&release_bundle_path) { - release_bundle_path - } else { - error!(LOG_LABEL, "bundle path does not exists!"); - return Err(()); - }; let filename = fmt_store_path(&bundle_path, PROFILE_STORE_TAIL); let mut profile_data = Vec::new(); if load_bytes_from_file(&filename, &mut profile_data).is_err() { @@ -509,19 +503,48 @@ fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()> error!(LOG_LABEL, "remove profile data error!"); return Err(()); } + info!(LOG_LABEL, "remove bundle_path path {}!", @public(bundle_path)); - if unsafe { !IsDeveloperModeOn() } && profile_type == DebugCertPathType::Developer as u32 { - info!(LOG_LABEL, "not remove profile_type:{} when development off", @public(profile_type)); - return Ok(()); - } + if remove_cert_path_info(subject, issuer, profile_type, DEFAULT_MAX_CERT_PATH_LEN).is_err() { error!(LOG_LABEL, "remove profile data error!"); return Err(()); } + info!(LOG_LABEL, "finish remove cert path in ioctl!"); Ok(()) } +fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()> { + let _bundle_name = c_char_to_string(bundle_name); + if _bundle_name.is_empty() { + error!(LOG_LABEL, "Invalid bundle name"); + return Err(()); + } + + let profile_prefix = vec![ + DEBUG_PROFILE_STORE_EL0_PREFIX, + PROFILE_STORE_EL0_PREFIX, + DEBUG_PROFILE_STORE_EL1_PREFIX, + PROFILE_STORE_EL1_PREFIX, + DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX, + PROFILE_STORE_EL1_PUBLIC_PREFIX, + ]; + + let mut rm_succ = false; + for prefix in profile_prefix { + if process_remove_bundle(prefix, &_bundle_name).is_ok() { + rm_succ = true; + } + } + if rm_succ { + Ok(()) + } else { + error!(LOG_LABEL, "Failed to remove bundle profile info, bundleName: {}.", @public(_bundle_name)); + Err(()) + } +} + fn c_char_to_string(c_str: *const c_char) -> String { unsafe { if c_str.is_null() { -- Gitee