From ee0449129027a1775f04d71f8170a0d29969bb05 Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Thu, 2 Feb 2023 02:33:33 -0500 Subject: [PATCH] fs-verity enforced at boot for system app updates --- static/releases.html | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/static/releases.html b/static/releases.html index e8d81123..1887f67c 100644 --- a/static/releases.html +++ b/static/releases.html @@ -678,14 +678,13 @@ enhanced the downgrade protection check for system updates to require a greater version rather than equal or greater due to most Android OS components not having their versionCode consistently increased when they're changed, and - this is now integrated into our new verification. At the moment, we enforce - verification for APK-based components at boot. We already provide fs-verity - metadata for continuous verification of all the out-of-band updates we ship - and we require it to be provided for system update installation, but we need - to phase in enforcing it at boot time in a way that won't cause system app - updates to be rolled back for users upgrading from older OS releases where - they updated to newer system app versions than the ones bundled in the new OS - update.

+ this is now integrated into our new verification. Fully verifying signatures + of system app updates at boot isn't enough to fully extend the verified boot + guarantees to them, so we're shipping signed fs-verity metadata for all our + system app updates through our app repository and we're enforcing having valid + fs-verity metadata for system app updates at install time and boot time. This + provides continuous verification of the data provided by out-of-band package + updates.

Since fs-verity is now fully enforced for installing system app updates, they can only be installed from our app repository providing the fs-verity @@ -712,7 +711,7 @@

  • fix upstream Android bug causing out-of-band updates to system components using original-package to be rolled back after reboot if they're still using the old package name, which will allow us to ship Vanadium updates out-of-band without the browser package updates being rolled back for users with an older install where it's still org.chromium.chrome instead of app.vanadium.browser
  • SELinux policy: drop base OS apk_data_file restrictions to avoid blocking out-of-band updates to APK-based system components (this was a minor security feature that's being replaced with our recent and ongoing improvements to package manager and verified boot security to close major weaknesses in the standard Android verified boot security model)
  • disable package parser cache since it provides a verified boot bypass for system component updates for regular boots while not saving more than around a second of boot time
  • -
  • perform additional boot-time checks on system package updates in order to extend verified boot to out-of-band system package updates
  • +
  • perform additional boot-time checks on system package updates in order to extend verified boot to out-of-band system package updates including enforcing having valid signed fs-verity metadata for continuous verification (Android does not even provide working boot-time verification for out-of-band APK updates for non-APEX components)
  • reimplement requiring fs-verity when installing system package updates in a better way
  • remove unnecessary warning for failed virtual A/B sideloaded updates since it's atomic just like A/B updates
  • drop our extension to the install available apps feature making it work for apps not installed in Owner since this is risky in a situation where there are actually separate people using secondary users and while we want to provide this feature, we'd need to come up with a way to address this to add it back
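Review bot: The rewritten paragraph in the first hunk (@@ -678,14 +678,13 @@) drops the migration concern the old text raised, that enforcing fs-verity at boot could roll back system app updates for users upgrading from older OS releases where they had installed newer system app versions than the ones bundled in the new OS, without saying how that case is now handled. Since the new text states enforcement is in place at both install time and boot time, add one sentence on what happens to such installs (whether those updates already carry valid fs-verity metadata and so pass, or get rolled back to the bundled version). Minor wording: "Fully verifying signatures of system app updates at boot isn't enough to fully extend" uses "fully" twice in one sentence; "Verifying signatures of system app updates at boot isn't enough to extend the verified boot guarantees to them" reads cleaner, and "enforcing having valid fs-verity metadata" could be "requiring valid fs-verity metadata".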
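Review bot: The replacement changelog bullet in the second hunk (@@ -712,7 +711,7 @@) makes an unqualified claim in its parenthetical, "Android does not even provide working boot-time verification for out-of-band APK updates for non-APEX components", without saying what makes it non-working. The only concrete weakness visible in this hunk is the package parser cache bypass in the neighbouring bullet ("since it provides a verified boot bypass for system component updates for regular boots"); if that is what the parenthetical refers to, say so, otherwise state which check is missing upstream. The new bullet also overlaps with the later entry "reimplement requiring fs-verity when installing system package updates in a better way", so keep this bullet scoped to the boot-time enforcement and leave install-time to that entry. Wording: "enforcing having valid signed fs-verity metadata" reads better as "requiring valid signed fs-verity metadata".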