1#!/system/bin/sh
2
3# Copyright (C) 2019 The Android Open Source Project
4#
5# Licensed under the Apache License, Version 2.0 (the "License");
6# you may not use this file except in compliance with the License.
7# You may obtain a copy of the License at
8#
9#      http://www.apache.org/licenses/LICENSE-2.0
10#
11# Unless required by applicable law or agreed to in writing, software
12# distributed under the License is distributed on an "AS IS" BASIS,
13# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14# See the License for the specific language governing permissions and
15# limitations under the License.
16#
17
18alias log_info="log -t art_apex -p i"
19alias log_error="log -t art_apex -p f"
20
21log_info "=== ART pre-boot integrity checks ==="
22
23# Measure (and enable) fsverity to see if things are installed. Enable is not
24# idempotent, and we'd need to parse the error string to see whether it says
25# data was installed. Rather do a two-step.
26FILES=`find /data/dalvik-cache -type f -a -name 'system@framework@boot*' -o name 'system@framework@*jar*'`
27
28if [ ! -f "/system/bin/fsverity" ] ; then
29  log_error "Device is not fsverity-enabled."
30  rm -f $FILES
31  exit 0
32fi
33
34for FILE in $FILES ; do
35  if [ ! -f "$FILE" ] ; then
36    continue # May have deleted already.
37  fi
38
39  # Check for fsverity protection.
40  fsverity measure $FILE || \
41    ENABLE_MSG=`fsverity enable $FILE 2>&1` || \
42      {
43        # No installed data, can't enable - clean up.
44        # Note: to avoid side effects, only delete the tested files. To avoid
45        #       understanding arches here, delete all, even if that may delete
46        #       too aggressively.
47        log_error "Enable failed: $ENABLE_MSG" ;
48        rm -f $FILES ;
49        exit 1 ;
50      }
51
52  # Check for integrity.
53  INTEGRITY_MSG=`dd if=$FILE of=/dev/null bs=4k 2>&1` || \
54    { log_error "Integrity failed: $INTEGRITY_MSG" ; rm -f $FILES ; exit 2 ; }
55done
56