From 5e6c4e9a91674826bf11cab604250b41a9326fd8 Mon Sep 17 00:00:00 2001 From: Tianjie Xu Date: Tue, 6 Aug 2019 12:32:05 -0700 Subject: Force package installation with FUSE unless the package stores on device The non-A/B package installation is subject to TOC/TOU flaw if the attacker can switch the package in the middle of installation. And the most pratical case is to store the package on an external device, e.g. a sdcard, and swap the device in the middle. To prevent that, we can adopt the same protection as used in sideloading a package with FUSE. Specifically, when we install the package with FUSE, we read the entire package to cryptographically verify its signature. The hash for each transfer block is recorded in the memory (TOC), and the subsequent reads (TOU) will be rejected upon dectecting a mismatch. This CL forces the package installation with FUSE when the package stays on a removable media. Bug: 136498130 Test: Run bin/recovery --update_package with various paths; and packages are installed from FUSE as expected Test: recovery_component_test - all passing Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f --- Android.bp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Android.bp') diff --git a/Android.bp b/Android.bp index 3a8e97883..bda36c2f5 100644 --- a/Android.bp +++ b/Android.bp @@ -72,6 +72,7 @@ cc_defaults { ], static_libs: [ + "libc++fs", "libinstall", "librecovery_fastboot", "libminui", @@ -95,6 +96,7 @@ cc_library_static { ], shared_libs: [ + "libfusesideload", "librecovery_ui", ], } -- cgit v1.2.3 From daaacea96ebfc55b47f44240e2082c820c8eb234 Mon Sep 17 00:00:00 2001 From: Raman Tenneti Date: Thu, 13 Feb 2020 02:50:42 +0000 Subject: Revert "Force package installation with FUSE unless the package stores on device" This reverts commit 5e6c4e9a91674826bf11cab604250b41a9326fd8. Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error. Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420 Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031 Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031 --- Android.bp | 2 -- 1 file changed, 2 deletions(-) (limited to 'Android.bp') diff --git a/Android.bp b/Android.bp index bda36c2f5..3a8e97883 100644 --- a/Android.bp +++ b/Android.bp @@ -72,7 +72,6 @@ cc_defaults { ], static_libs: [ - "libc++fs", "libinstall", "librecovery_fastboot", "libminui", @@ -96,7 +95,6 @@ cc_library_static { ], shared_libs: [ - "libfusesideload", "librecovery_ui", ], } -- cgit v1.2.3 From cd8faf7eeead6fd6ee5912ddd26dab5ab6c7dda7 Mon Sep 17 00:00:00 2001 From: Tianjie Xu Date: Tue, 6 Aug 2019 12:32:05 -0700 Subject: Force off-device package installation with FUSE The non-A/B package installation is subject to TOC/TOU flaw if the attacker can switch the package in the middle of installation. And the most pratical case is to store the package on an external device, e.g. a sdcard, and swap the device in the middle. To prevent that, we can adopt the same protection as used in sideloading a package with FUSE. Specifically, when we install the package with FUSE, we read the entire package to cryptographically verify its signature. The hash for each transfer block is recorded in the memory (TOC), and the subsequent reads (TOU) will be rejected upon dectecting a mismatch. This CL forces the package installation with FUSE when the package stays on a removable media. Bug: 136498130 Test: Run bin/recovery --update_package with various paths; and packages are installed from FUSE as expected Test: recovery_unit_test - no new failures Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5 Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031 --- Android.bp | 2 ++ 1 file changed, 2 insertions(+) (limited to 'Android.bp') diff --git a/Android.bp b/Android.bp index 4032bcc19..e7e1938b8 100644 --- a/Android.bp +++ b/Android.bp @@ -72,6 +72,7 @@ cc_defaults { ], static_libs: [ + "libc++fs", "libinstall", "librecovery_fastboot", "libminui", @@ -94,6 +95,7 @@ cc_library_static { ], shared_libs: [ + "libfusesideload", "librecovery_ui", ], } -- cgit v1.2.3