1#
2# Copyright (C) 2018 The Android Open Source Project
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8#      http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15#
16
17"""Unittests for validate_target_files.py."""
18
19import os
20import os.path
21import shutil
22import zipfile
23
24import common
25import test_utils
26from rangelib import RangeSet
27from validate_target_files import (ValidateVerifiedBootImages,
28                                   ValidateFileConsistency, CheckBuildPropDuplicity)
29from verity_utils import CreateVerityImageBuilder
30
31class ValidateTargetFilesTest(test_utils.ReleaseToolsTestCase):
32
33  def setUp(self):
34    self.testdata_dir = test_utils.get_testdata_dir()
35
36  def _generate_boot_image(self, output_file):
37    kernel = common.MakeTempFile(prefix='kernel-')
38    with open(kernel, 'wb') as kernel_fp:
39      kernel_fp.write(os.urandom(10))
40
41    cmd = ['mkbootimg', '--kernel', kernel, '-o', output_file]
42    proc = common.Run(cmd)
43    stdoutdata, _ = proc.communicate()
44    self.assertEqual(
45        0, proc.returncode,
46        "Failed to run mkbootimg: {}".format(stdoutdata))
47
48    cmd = ['boot_signer', '/boot', output_file,
49           os.path.join(self.testdata_dir, 'testkey.pk8'),
50           os.path.join(self.testdata_dir, 'testkey.x509.pem'), output_file]
51    proc = common.Run(cmd)
52    stdoutdata, _ = proc.communicate()
53    self.assertEqual(
54        0, proc.returncode,
55        "Failed to sign boot image with boot_signer: {}".format(stdoutdata))
56
57  @test_utils.SkipIfExternalToolsUnavailable()
58  def test_ValidateVerifiedBootImages_bootImage(self):
59    input_tmp = common.MakeTempDir()
60    os.mkdir(os.path.join(input_tmp, 'IMAGES'))
61    boot_image = os.path.join(input_tmp, 'IMAGES', 'boot.img')
62    self._generate_boot_image(boot_image)
63
64    info_dict = {
65        'boot_signer' : 'true',
66    }
67    options = {
68        'verity_key' : os.path.join(self.testdata_dir, 'testkey.x509.pem'),
69    }
70    ValidateVerifiedBootImages(input_tmp, info_dict, options)
71
72  @test_utils.SkipIfExternalToolsUnavailable()
73  def test_ValidateVerifiedBootImages_bootImage_wrongKey(self):
74    input_tmp = common.MakeTempDir()
75    os.mkdir(os.path.join(input_tmp, 'IMAGES'))
76    boot_image = os.path.join(input_tmp, 'IMAGES', 'boot.img')
77    self._generate_boot_image(boot_image)
78
79    info_dict = {
80        'boot_signer' : 'true',
81    }
82    options = {
83        'verity_key' : os.path.join(self.testdata_dir, 'verity.x509.pem'),
84    }
85    self.assertRaises(
86        AssertionError, ValidateVerifiedBootImages, input_tmp, info_dict,
87        options)
88
89  @test_utils.SkipIfExternalToolsUnavailable()
90  def test_ValidateVerifiedBootImages_bootImage_corrupted(self):
91    input_tmp = common.MakeTempDir()
92    os.mkdir(os.path.join(input_tmp, 'IMAGES'))
93    boot_image = os.path.join(input_tmp, 'IMAGES', 'boot.img')
94    self._generate_boot_image(boot_image)
95
96    # Corrupt the late byte of the image.
97    with open(boot_image, 'r+b') as boot_fp:
98      boot_fp.seek(-1, os.SEEK_END)
99      last_byte = boot_fp.read(1)
100      last_byte = bytes([255 - ord(last_byte)])
101      boot_fp.seek(-1, os.SEEK_END)
102      boot_fp.write(last_byte)
103
104    info_dict = {
105        'boot_signer' : 'true',
106    }
107    options = {
108        'verity_key' : os.path.join(self.testdata_dir, 'testkey.x509.pem'),
109    }
110    self.assertRaises(
111        AssertionError, ValidateVerifiedBootImages, input_tmp, info_dict,
112        options)
113
114  def _generate_system_image(self, output_file, system_root=None,
115                             file_map=None):
116    prop_dict = {
117        'partition_size': str(1024 * 1024),
118        'verity': 'true',
119        'verity_block_device': '/dev/block/system',
120        'verity_key' : os.path.join(self.testdata_dir, 'testkey'),
121        'verity_fec': "true",
122        'verity_signer_cmd': 'verity_signer',
123    }
124    verity_image_builder = CreateVerityImageBuilder(prop_dict)
125    image_size = verity_image_builder.CalculateMaxImageSize()
126
127    # Use an empty root directory.
128    if not system_root:
129      system_root = common.MakeTempDir()
130    cmd = ['mkuserimg_mke2fs', '-s', system_root, output_file, 'ext4',
131           '/system', str(image_size), '-j', '0']
132    if file_map:
133      cmd.extend(['-B', file_map])
134    proc = common.Run(cmd)
135    stdoutdata, _ = proc.communicate()
136    self.assertEqual(
137        0, proc.returncode,
138        "Failed to create system image with mkuserimg_mke2fs: {}".format(
139            stdoutdata))
140
141    # Append the verity metadata.
142    verity_image_builder.Build(output_file)
143
144  @test_utils.SkipIfExternalToolsUnavailable()
145  def test_ValidateVerifiedBootImages_systemRootImage(self):
146    input_tmp = common.MakeTempDir()
147    os.mkdir(os.path.join(input_tmp, 'IMAGES'))
148    system_image = os.path.join(input_tmp, 'IMAGES', 'system.img')
149    self._generate_system_image(system_image)
150
151    # Pack the verity key.
152    verity_key_mincrypt = os.path.join(input_tmp, 'ROOT', 'verity_key')
153    os.makedirs(os.path.dirname(verity_key_mincrypt))
154    shutil.copyfile(
155        os.path.join(self.testdata_dir, 'testkey_mincrypt'),
156        verity_key_mincrypt)
157
158    info_dict = {
159        'system_root_image' : 'true',
160        'verity' : 'true',
161    }
162    options = {
163        'verity_key' : os.path.join(self.testdata_dir, 'testkey.x509.pem'),
164        'verity_key_mincrypt' : verity_key_mincrypt,
165    }
166    ValidateVerifiedBootImages(input_tmp, info_dict, options)
167
168  @test_utils.SkipIfExternalToolsUnavailable()
169  def test_ValidateVerifiedBootImages_nonSystemRootImage(self):
170    input_tmp = common.MakeTempDir()
171    os.mkdir(os.path.join(input_tmp, 'IMAGES'))
172    system_image = os.path.join(input_tmp, 'IMAGES', 'system.img')
173    self._generate_system_image(system_image)
174
175    # Pack the verity key into the root dir in system.img.
176    verity_key_mincrypt = os.path.join(input_tmp, 'ROOT', 'verity_key')
177    os.makedirs(os.path.dirname(verity_key_mincrypt))
178    shutil.copyfile(
179        os.path.join(self.testdata_dir, 'testkey_mincrypt'),
180        verity_key_mincrypt)
181
182    # And a copy in ramdisk.
183    verity_key_ramdisk = os.path.join(
184        input_tmp, 'BOOT', 'RAMDISK', 'verity_key')
185    os.makedirs(os.path.dirname(verity_key_ramdisk))
186    shutil.copyfile(
187        os.path.join(self.testdata_dir, 'testkey_mincrypt'),
188        verity_key_ramdisk)
189
190    info_dict = {
191        'verity' : 'true',
192    }
193    options = {
194        'verity_key' : os.path.join(self.testdata_dir, 'testkey.x509.pem'),
195        'verity_key_mincrypt' : verity_key_mincrypt,
196    }
197    ValidateVerifiedBootImages(input_tmp, info_dict, options)
198
199  @test_utils.SkipIfExternalToolsUnavailable()
200  def test_ValidateVerifiedBootImages_nonSystemRootImage_mismatchingKeys(self):
201    input_tmp = common.MakeTempDir()
202    os.mkdir(os.path.join(input_tmp, 'IMAGES'))
203    system_image = os.path.join(input_tmp, 'IMAGES', 'system.img')
204    self._generate_system_image(system_image)
205
206    # Pack the verity key into the root dir in system.img.
207    verity_key_mincrypt = os.path.join(input_tmp, 'ROOT', 'verity_key')
208    os.makedirs(os.path.dirname(verity_key_mincrypt))
209    shutil.copyfile(
210        os.path.join(self.testdata_dir, 'testkey_mincrypt'),
211        verity_key_mincrypt)
212
213    # And an invalid copy in ramdisk.
214    verity_key_ramdisk = os.path.join(
215        input_tmp, 'BOOT', 'RAMDISK', 'verity_key')
216    os.makedirs(os.path.dirname(verity_key_ramdisk))
217    shutil.copyfile(
218        os.path.join(self.testdata_dir, 'verity_mincrypt'),
219        verity_key_ramdisk)
220
221    info_dict = {
222        'verity' : 'true',
223    }
224    options = {
225        'verity_key' : os.path.join(self.testdata_dir, 'testkey.x509.pem'),
226        'verity_key_mincrypt' : verity_key_mincrypt,
227    }
228    self.assertRaises(
229        AssertionError, ValidateVerifiedBootImages, input_tmp, info_dict,
230        options)
231
232  @test_utils.SkipIfExternalToolsUnavailable()
233  def test_ValidateFileConsistency_incompleteRange(self):
234    input_tmp = common.MakeTempDir()
235    os.mkdir(os.path.join(input_tmp, 'IMAGES'))
236    system_image = os.path.join(input_tmp, 'IMAGES', 'system.img')
237    system_root = os.path.join(input_tmp, "SYSTEM")
238    os.mkdir(system_root)
239
240    # Write test files that contain multiple blocks of zeros, and these zero
241    # blocks will be omitted by kernel. Each test file will occupy one block in
242    # the final system image.
243    with open(os.path.join(system_root, 'a'), 'w') as f:
244      f.write('aaa')
245      f.write('\0' * 4096 * 3)
246    with open(os.path.join(system_root, 'b'), 'w') as f:
247      f.write('bbb')
248      f.write('\0' * 4096 * 3)
249
250    raw_file_map = os.path.join(input_tmp, 'IMAGES', 'raw_system.map')
251    self._generate_system_image(system_image, system_root, raw_file_map)
252
253    # Parse the generated file map and update the block ranges for each file.
254    file_map_list = {}
255    image_ranges = RangeSet()
256    with open(raw_file_map) as f:
257      for line in f.readlines():
258        info = line.split()
259        self.assertEqual(2, len(info))
260        image_ranges = image_ranges.union(RangeSet(info[1]))
261        file_map_list[info[0]] = RangeSet(info[1])
262
263    # Add one unoccupied block as the shared block for all test files.
264    mock_shared_block = RangeSet("10-20").subtract(image_ranges).first(1)
265    with open(os.path.join(input_tmp, 'IMAGES', 'system.map'), 'w') as f:
266      for key in sorted(file_map_list.keys()):
267        line = '{} {}\n'.format(
268            key, file_map_list[key].union(mock_shared_block))
269        f.write(line)
270
271    # Prepare for the target zip file
272    input_file = common.MakeTempFile()
273    all_entries = ['SYSTEM/', 'SYSTEM/b', 'SYSTEM/a', 'IMAGES/',
274                   'IMAGES/system.map', 'IMAGES/system.img']
275    with zipfile.ZipFile(input_file, 'w', allowZip64=True) as input_zip:
276      for name in all_entries:
277        input_zip.write(os.path.join(input_tmp, name), arcname=name)
278
279    # Expect the validation to pass and both files are skipped due to
280    # 'incomplete' block range.
281    with zipfile.ZipFile(input_file) as input_zip:
282      info_dict = {'extfs_sparse_flag': '-s'}
283      ValidateFileConsistency(input_zip, input_tmp, info_dict)
284
285  @test_utils.SkipIfExternalToolsUnavailable()
286  def test_ValidateFileConsistency_nonMonotonicRanges(self):
287    input_tmp = common.MakeTempDir()
288    os.mkdir(os.path.join(input_tmp, 'IMAGES'))
289    system_image = os.path.join(input_tmp, 'IMAGES', 'system.img')
290    system_root = os.path.join(input_tmp, "SYSTEM")
291    os.mkdir(system_root)
292
293    # Write the test file that contain three blocks of 'a', 'b', 'c'.
294    with open(os.path.join(system_root, 'abc'), 'w') as f:
295      f.write('a' * 4096 + 'b' * 4096 + 'c' * 4096)
296    raw_file_map = os.path.join(input_tmp, 'IMAGES', 'raw_system.map')
297    self._generate_system_image(system_image, system_root, raw_file_map)
298
299    # Parse the generated file map and manipulate the block ranges of 'abc' to
300    # be 'cba'.
301    file_map_list = {}
302    with open(raw_file_map) as f:
303      for line in f.readlines():
304        info = line.split()
305        self.assertEqual(2, len(info))
306        ranges = RangeSet(info[1])
307        self.assertTrue(ranges.monotonic)
308        blocks = reversed(list(ranges.next_item()))
309        file_map_list[info[0]] = ' '.join([str(block) for block in blocks])
310
311    # Update the contents of 'abc' to be 'cba'.
312    with open(os.path.join(system_root, 'abc'), 'w') as f:
313      f.write('c' * 4096 + 'b' * 4096 + 'a' * 4096)
314
315    # Update the system.map.
316    with open(os.path.join(input_tmp, 'IMAGES', 'system.map'), 'w') as f:
317      for key in sorted(file_map_list.keys()):
318        f.write('{} {}\n'.format(key, file_map_list[key]))
319
320    # Get the target zip file.
321    input_file = common.MakeTempFile()
322    all_entries = ['SYSTEM/', 'SYSTEM/abc', 'IMAGES/',
323                   'IMAGES/system.map', 'IMAGES/system.img']
324    with zipfile.ZipFile(input_file, 'w', allowZip64=True) as input_zip:
325      for name in all_entries:
326        input_zip.write(os.path.join(input_tmp, name), arcname=name)
327
328    with zipfile.ZipFile(input_file) as input_zip:
329      info_dict = {'extfs_sparse_flag': '-s'}
330      ValidateFileConsistency(input_zip, input_tmp, info_dict)
331
332  @staticmethod
333  def make_build_prop(build_prop):
334    input_tmp = common.MakeTempDir()
335    system_dir = os.path.join(input_tmp, 'SYSTEM')
336    os.makedirs(system_dir)
337    prop_file = os.path.join(system_dir, 'build.prop')
338    with open(prop_file, 'w') as output_file:
339      output_file.write("\n".join(build_prop))
340    return input_tmp
341
342  def test_checkDuplicateProps_noDuplicate(self):
343    build_prop = [
344        'ro.odm.build.date.utc=1578430045',
345        'ro.odm.build.fingerprint='
346        'google/coral/coral:10/RP1A.200325.001/6337676:user/dev-keys',
347        'ro.product.odm.device=coral',
348    ]
349    input_tmp = ValidateTargetFilesTest.make_build_prop(build_prop)
350    CheckBuildPropDuplicity(input_tmp)
351
352  def test_checkDuplicateProps_withDuplicate(self):
353    build_prop = [
354        'ro.odm.build.date.utc=1578430045',
355        'ro.odm.build.date.utc=1578430049',
356        'ro.odm.build.fingerprint='
357        'google/coral/coral:10/RP1A.200325.001/6337676:user/dev-keys',
358        'ro.product.odm.device=coral',
359    ]
360    input_tmp = ValidateTargetFilesTest.make_build_prop(build_prop)
361
362    self.assertRaises(ValueError, CheckBuildPropDuplicity, input_tmp)
363