1 /*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
/*
 * This program verifies the integrity of the partitions after an A/B OTA
 * update. It gets invoked by init, and will only perform the verification if
 * it's the first boot after an A/B OTA update.
 *
 * It relies on dm-verity to capture any corruption on the partitions being
 * verified. dm-verity must be in enforcing mode, so that it will reboot the
 * device on dm-verity failures. When that happens, the bootloader should
 * mark the slot as unbootable and stop trying it. We should never see a
 * device started in dm-verity logging mode but with isSlotMarkedSuccessful
 * equal to 0.
 *
 * The current slot will be marked as having booted successfully if the
 * verifier reaches the end after the verification.
 *
 * TODO: The actual verification part will be added later after we have the
 * A/B OTA package format in place.
 */
35
36 #include <string.h>
37
38 #include <hardware/boot_control.h>
39
40 #define LOG_TAG "update_verifier"
41 #include <log/log.h>
42
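/*
 * Entry point of update_verifier.
 *
 * Loads the "bootctrl" HAL module, reads whether the currently running slot
 * is already marked as successfully booted and, if it is not, marks it.
 *
 * Returns 0 when the slot was already marked or has just been marked, and -1
 * when the HAL module cannot be loaded, when the slot state cannot be read,
 * or when marking the slot fails.
 *
 * NOTE(review): no partition verification and no dm-verity mode check is
 * implemented yet (see the TODOs below). Until they are, a slot whose flag
 * reads 0 is marked successful unconditionally once this code is reached, so
 * the only thing standing between a corrupted slot and a committed one is
 * dm-verity in enforcing mode rebooting the device beforehand, as the file
 * header describes.
 */
int main(int argc, char** argv) {
  for (int i = 1; i < argc; i++) {
    SLOGI("Started with arg %d: %s\n", i, argv[i]);
  }

  const hw_module_t* hw_module;
  if (hw_get_module("bootctrl", &hw_module) != 0) {
    SLOGE("Error getting bootctrl module.\n");
    return -1;
  }

  // hw_get_module() yields a generic, const module handle; the boot control
  // entry points are called through the same pointer viewed as
  // boot_control_module_t.
  boot_control_module_t* module = reinterpret_cast<boot_control_module_t*>(
      const_cast<hw_module_t*>(hw_module));
  module->init(module);

  unsigned current_slot = module->getCurrentSlot(module);
  int is_successful = module->isSlotMarkedSuccessful(module, current_slot);
  SLOGI("Booting slot %u: isSlotMarkedSuccessful=%d\n", current_slot, is_successful);

  if (is_successful < 0) {
    // A negative value is a HAL error, not "already successful". Without this
    // check it would skip the block below and the program would exit 0 with
    // the slot state unknown. The value is assumed to be -errno, matching how
    // markBootSuccessful() is handled below -- confirm against
    // boot_control.h.
    SLOGE("Error reading isSlotMarkedSuccessful for slot %u: %s\n", current_slot,
          strerror(-is_successful));
    return -1;
  }

  if (is_successful == 0) {
    // The current slot has not booted successfully.

    // TODO: Add the actual verification after we have the A/B OTA package
    // format in place.

    // TODO: Assert the dm-verity mode. Bootloader should never boot a newly
    // flashed slot (isSlotMarkedSuccessful == 0) with dm-verity logging mode.

    // Marking the slot is the step the verification above is meant to gate;
    // keep it last in this block when that verification is added.
    int ret = module->markBootSuccessful(module);
    if (ret != 0) {
      SLOGE("Error marking booted successfully: %s\n", strerror(-ret));
      return -1;
    }
    SLOGI("Marked slot %u as booted successfully.\n", current_slot);
  }

  SLOGI("Leaving update_verifier.\n");
  return 0;
}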
82