/**
 * avb_set_enforce_verity() - build a command line that selects the dm-verity
 *                            restart option and the "enforcing" verity mode
 * @cmdline: space-separated kernel command line. avb_set_enforce_option()
 *           tokenises this buffer in place with strtok() despite the const
 *           qualifier, so the caller's copy is modified.
 *
 * Asks avb_set_enforce_option() to put VERITY_TABLE_OPT_RESTART into the
 * command line and, when that succeeds, appends
 * "androidboot.veritymode=enforcing" through append_cmd_line().
 *
 * Return: whatever append_cmd_line() returns for the rewritten line, or NULL
 *         when avb_set_enforce_option() could not rewrite @cmdline. Callers
 *         have to check for NULL before using the result.
 */
char *avb_set_enforce_verity(const char *cmdline)
{
	char *updated = avb_set_enforce_option(cmdline,
					       VERITY_TABLE_OPT_RESTART);

	/* Nothing to extend if the verity option could not be replaced. */
	if (!updated)
		return NULL;

	return append_cmd_line(updated, "androidboot.veritymode=enforcing");
}
/**
 * avb_set_ignore_corruption() - build a command line that selects the
 *                               dm-verity logging option and the "eio" mode
 * @cmdline: space-separated kernel command line. avb_set_enforce_option()
 *           tokenises this buffer in place with strtok() despite the const
 *           qualifier, so the caller's copy is modified.
 *
 * Asks avb_set_enforce_option() to put VERITY_TABLE_OPT_LOGGING into the
 * command line and, when that succeeds, appends "androidboot.veritymode=eio"
 * through append_cmd_line().
 *
 * Return: whatever append_cmd_line() returns for the rewritten line, or NULL
 *         when avb_set_enforce_option() could not rewrite @cmdline. Callers
 *         have to check for NULL before using the result.
 */
char *avb_set_ignore_corruption(const char *cmdline)
{
	char *updated = avb_set_enforce_option(cmdline,
					       VERITY_TABLE_OPT_LOGGING);

	/* Nothing to extend if the verity option could not be replaced. */
	if (!updated)
		return NULL;

	return append_cmd_line(updated, "androidboot.veritymode=eio");
}
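/**
 * avb_set_enforce_option() - replace the dm-verity error-handling option in a
 *                            kernel command line
 * @cmdline: space-separated kernel command line; tokenised IN PLACE (see the
 *           note in the body)
 * @option:  option string stored in place of the one that was found
 *
 * Splits @cmdline on spaces into at most AVB_MAX_ARGS tokens, looks up the
 * token index reported by avb_find_dm_args() for VERITY_TABLE_OPT_LOGGING and,
 * if that is not found, for VERITY_TABLE_OPT_RESTART, overwrites that token
 * with @option and rebuilds the line token by token with append_cmd_line().
 *
 * Return: the rebuilt command line, or NULL when an argument is NULL, the
 *         line has too many tokens, or neither verity option is present.
 *         On the NULL paths after tokenising, @cmdline has already been cut
 *         at its spaces, so the caller must not fall back to reusing it as a
 *         complete command line.
 */
static char *avb_set_enforce_option(const char *cmdline, const char *option)
{
	char *cmdarg[AVB_MAX_ARGS];
	char *newargs = NULL;
	int i = 0;
	int total_args;

	/*
	 * strtok(NULL, ...) would resume an unrelated earlier tokenisation,
	 * and a NULL option would silently drop the verity token from the
	 * rebuilt line, so refuse both up front.
	 */
	if (!cmdline || !option)
		return NULL;

	memset(cmdarg, 0, sizeof(cmdarg));

	/*
	 * NOTE(review): strtok() writes NUL bytes into the buffer behind the
	 * const-qualified @cmdline. The cast is kept because the tokens must
	 * stay valid until append_cmd_line() has consumed them; confirm that
	 * every caller passes a writable buffer it no longer needs intact.
	 */
	cmdarg[i++] = strtok((char *)cmdline, " ");

	for (;;) {
		cmdarg[i] = strtok(NULL, " ");
		if (!cmdarg[i])
			break;

		/* Keep one slot free so the next store stays in bounds. */
		if (++i >= AVB_MAX_ARGS) {
			printf("%s: Can't handle more then %d args\n",
			       __func__, i);
			return NULL;
		}
	}

	total_args = i;

	/* Prefer the logging option; fall back to the restart option. */
	i = avb_find_dm_args(&cmdarg[0], VERITY_TABLE_OPT_LOGGING);
	if (i < 0)
		i = avb_find_dm_args(&cmdarg[0], VERITY_TABLE_OPT_RESTART);
	if (i < 0) {
		printf("%s: No verity options found\n", __func__);
		return NULL;
	}

	cmdarg[i] = (char *)option;

	/*
	 * Stop before cmdarg[total_args], which is the NULL that ended the
	 * tokenising loop, so append_cmd_line() is never handed a NULL token.
	 */
	for (i = 0; i < total_args; i++)
		newargs = append_cmd_line(newargs, cmdarg[i]);

	return newargs;
}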
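/**
 * do_avb_verify_part() - command handler that verifies the requested
 *                        partitions and exports the resulting boot arguments
 * @cmdtp: command table entry (not used here)
 * @flag:  command flags (not used here)
 * @argc:  argument count; anything other than 1 is a usage error
 * @argv:  argument vector (not used here)
 *
 * Requires avb_ops to be set up, reads the device lock state, runs
 * avb_slot_verify() and, on AVB_SLOT_VERIFY_RESULT_OK, stores the verified
 * command line (plus the arguments returned by avb_set_state()) in the
 * AVB_BOOTARGS environment variable.
 *
 * Return: CMD_RET_SUCCESS only when verification succeeded and AVB_BOOTARGS
 *         was written; CMD_RET_USAGE on a wrong argument count;
 *         CMD_RET_FAILURE in every other case.
 */
int do_avb_verify_part(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[])
{
	AvbSlotVerifyResult slot_result;
	AvbSlotVerifyData *out_data;
	char *cmdline;
	char *extra_args;
	bool unlocked = false;
	int res = CMD_RET_FAILURE;

	if (!avb_ops) {
		printf("AVB 2.0 is not initialized, run 'avb init' first\n");
		return CMD_RET_FAILURE;
	}

	if (argc != 1)
		return CMD_RET_USAGE;

	printf("## Android Verified Boot 2.0 version %s\n",
	       avb_version_string());

	/* Fail closed: without a known lock state nothing is verified. */
	if (avb_ops->read_is_device_unlocked(avb_ops, &unlocked) !=
	    AVB_IO_RESULT_OK) {
		printf("Can't determine device lock state.\n");
		return CMD_RET_FAILURE;
	}

	/* The lock state is handed to avb_slot_verify() as its 4th argument. */
	slot_result = avb_slot_verify(avb_ops, requested_partitions, "",
				      unlocked,
				      AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
				      &out_data);

	switch (slot_result) {
	case AVB_SLOT_VERIFY_RESULT_OK:
		/*
		 * Changing the unlock state is not supported yet, so the
		 * device is assumed to be locked by default. Booting is
		 * therefore only allowed when verification succeeds, and the
		 * GREEN boot state is supplied on the command line.
		 *
		 * NOTE(review): AVB_GREEN is reported here whatever value
		 * `unlocked` holds; confirm that is intended for a device
		 * that reports itself as unlocked.
		 */
		printf("Verification passed successfully\n");

		/* export additional bootargs to AVB_BOOTARGS env var */
		extra_args = avb_set_state(avb_ops, AVB_GREEN);
		if (extra_args)
			cmdline = append_cmd_line(out_data->cmdline,
						  extra_args);
		else
			cmdline = out_data->cmdline;

		/*
		 * Only report success once the verified arguments really are
		 * in the environment; otherwise a later boot step could run
		 * without the dm-verity parameters produced above.
		 */
		if (!cmdline) {
			printf("Can't build verified boot arguments\n");
			break;
		}

		if (env_set(AVB_BOOTARGS, cmdline)) {
			printf("Can't export verified boot arguments\n");
			break;
		}

		/*
		 * NOTE(review): out_data is not released anywhere in this
		 * function; confirm who owns it once AVB_BOOTARGS is set.
		 */
		res = CMD_RET_SUCCESS;
		break;
	case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION:
		printf("Verification failed\n");
		break;
	case AVB_SLOT_VERIFY_RESULT_ERROR_IO:
		printf("I/O error occurred during verification\n");
		break;
	case AVB_SLOT_VERIFY_RESULT_ERROR_OOM:
		printf("OOM error occurred during verification\n");
		break;
	case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA:
		printf("Corrupted dm-verity metadata detected\n");
		break;
	case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION:
		printf("Unsupported version avbtool was used\n");
		break;
	case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX:
		printf("Checking rollback index failed\n");
		break;
	case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED:
		printf("Public key was rejected\n");
		break;
	default:
		/* Any result not listed above is treated as a failure. */
		printf("Unknown error occurred\n");
	}

	return res;
}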