author | Yo Chiang <yochiang@google.com> | 2020-02-19 16:40:46 +0800 |
---|---|---|
committer | Yo Chiang <yochiang@google.com> | 2020-02-19 11:11:29 +0000 |
commit | be20495f0bce4509c32bce2cdeaac3e3aea0754d (patch) | |
tree | 5024d9295b3c394beb24bdc043f9881d46bd2450 | |
parent | 3bdf29c1f6db23255ca6686d2c4805a11189b705 (diff) |
Key revocation check is permissive when device is unlocked
imageValidationThrowOrWarning() logs the error as a warning if the device
bootloader is unlocked; otherwise it re-throws the error.
Device lock state is queried via PersistentDataBlockManager service.
Bug: 128892201
Test: adb shell am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity \
-a android.os.image.action.START_INSTALL \
--el KEY_USERDATA_SIZE 8192 \
-d file:///storage/emulated/0/Download/aosp_arm64-dsu_test.zip \
--es ${IMAGE_KEY}
Test: Observe the logcat
Change-Id: I895e70d90624afda2bf7cd3b34ea8d21a1702163
3 files changed, 16 insertions, 5 deletions
diff --git a/data/etc/privapp-permissions-platform.xml b/data/etc/privapp-permissions-platform.xml
index 821909da2490..e3700d429277 100644
--- a/data/etc/privapp-permissions-platform.xml
+++ b/data/etc/privapp-permissions-platform.xml
@@ -377,6 +377,7 @@ applications that come with the platform
 <privapp-permissions package="com.android.dynsystem">
 <permission name="android.permission.REBOOT"/>
 <permission name="android.permission.MANAGE_DYNAMIC_SYSTEM"/>
+ <permission name="android.permission.READ_OEM_UNLOCK_STATE"/>
 </privapp-permissions>
 <privapp-permissions package="com.android.settings">
diff --git a/packages/DynamicSystemInstallationService/AndroidManifest.xml b/packages/DynamicSystemInstallationService/AndroidManifest.xml
index d718eae9293c..b4d520d7d71a 100644
--- a/packages/DynamicSystemInstallationService/AndroidManifest.xml
+++ b/packages/DynamicSystemInstallationService/AndroidManifest.xml
@@ -7,6 +7,7 @@
 <uses-permission android:name="android.permission.MANAGE_DYNAMIC_SYSTEM" />
 <uses-permission android:name="android.permission.REBOOT" />
 <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
+ <uses-permission android:name="android.permission.READ_OEM_UNLOCK_STATE" />
 <application android:allowBackup="false"
diff --git a/packages/DynamicSystemInstallationService/src/com/android/dynsystem/InstallationAsyncTask.java b/packages/DynamicSystemInstallationService/src/com/android/dynsystem/InstallationAsyncTask.java
index 7093914aa847..f8952ace3cb3 100644
--- a/packages/DynamicSystemInstallationService/src/com/android/dynsystem/InstallationAsyncTask.java
+++ b/packages/DynamicSystemInstallationService/src/com/android/dynsystem/InstallationAsyncTask.java
@@ -23,6 +23,7 @@ import android.os.AsyncTask;
 import android.os.MemoryFile;
 import android.os.ParcelFileDescriptor;
 import android.os.image.DynamicSystemManager;
+import android.service.persistentdata.PersistentDataBlockManager;
 import android.util.Log;
 import android.webkit.URLUtil;
@@ -133,6 +134,7 @@ class InstallationAsyncTask extends AsyncTask<String, InstallationAsyncTask.Prog
 private final DynamicSystemManager mDynSystem;
 private final ProgressListener mListener;
 private final boolean mIsNetworkUrl;
+ private final boolean mIsDeviceBootloaderUnlocked;
 private DynamicSystemManager.Session mInstallationSession;
 private KeyRevocationList mKeyRevocationList;
@@ -160,6 +162,13 @@ class InstallationAsyncTask extends AsyncTask<String, InstallationAsyncTask.Prog
 mDynSystem = dynSystem;
 mListener = listener;
 mIsNetworkUrl = URLUtil.isNetworkUrl(mUrl);
+ PersistentDataBlockManager pdbManager =
+ (PersistentDataBlockManager)
+ mContext.getSystemService(Context.PERSISTENT_DATA_BLOCK_SERVICE);
+ mIsDeviceBootloaderUnlocked =
+ (pdbManager != null)
+ && (pdbManager.getFlashLockState()
+ == PersistentDataBlockManager.FLASH_LOCK_UNLOCKED);
 }
 @Override
@@ -272,7 +281,6 @@ class InstallationAsyncTask extends AsyncTask<String, InstallationAsyncTask.Prog
 String.format(Locale.US, "Unsupported URL: %s", mUrl));
 }
- // TODO(yochiang): Bypass this check if device is unlocked
 try {
 String listUrl = mContext.getString(R.string.key_revocation_list_url);
 mKeyRevocationList = KeyRevocationList.fromUrl(new URL(listUrl));
@@ -287,11 +295,12 @@ class InstallationAsyncTask extends AsyncTask<String, InstallationAsyncTask.Prog
 private void imageValidationThrowOrWarning(ImageValidationException e) throws ImageValidationException {
- if (mIsNetworkUrl) {
- throw e;
- } else {
- // If DSU is being installed from a local file URI, then be permissive
+ if (mIsDeviceBootloaderUnlocked || !mIsNetworkUrl) {
+ // If device is OEM unlocked or DSU is being installed from a local file URI,
+ // then be permissive.
 Log.w(TAG, e.toString());
+ } else {
+ throw e;
 }
 } |
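Review bot: The lock-state lookup added to the constructor fails closed, but nothing in the code says that this is deliberate: a null `PersistentDataBlockManager` or any result other than `FLASH_LOCK_UNLOCKED` (including `FLASH_LOCK_UNKNOWN`) leaves `mIsDeviceBootloaderUnlocked` false and the check enforced. A later edit could change the comparison to `!= FLASH_LOCK_LOCKED` without noticing that it relaxes enforcement, so a comment above the assignment would pin it: `// Fail closed: a missing service or FLASH_LOCK_UNKNOWN is treated as locked.` The value is also read once and kept in a final field for the lifetime of the task, which is worth a word in the field's comment. The constructor begins outside this hunk.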
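Review bot: On the permissive branch of imageValidationThrowOrWarning() the only trace that a validation failure was ignored is `Log.w(TAG, e.toString())`, which drops the stack trace and does not say that installation continued; with the new condition that branch is also reached for network downloads on an unlocked device. `Log.w(TAG, "Image validation failed, continuing (bootloader unlocked or local file)", e);` would make the decision visible in logcat. The condition also keeps the `!mIsNetworkUrl` exemption when the bootloader is locked, so a local-file install on a locked device still skips enforcement; if that is intended the comment should say why, and if not, the exemption could be tied to the lock state now that it is known. The callers are outside the hunk, so whether validation errors other than revocation failures pass through this helper cannot be checked from here.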