Init: Run boringssl self test via separate binaries.

Instead of init.cpp knowing about the boringssl self
test, use init.rc to exec dedicated self test executables.

Advantages:
 - The self test is run not only on the copy of libcrypto
   in /system but also on the one in /apex/com.android.conscrypt.
 - The self test is run not only for the primary (e.g. 64bit)
   ABI but also for a secondary (e.g. 32bit) ABI.
 - The dependency on libcrypto is kept to the self test binary.
 - The self test binary abstracts the exact native API for
   running the self test (this will change soon because the
   self test will be run when the library is loaded).

Bug: 137267623
Test: Check that logcat shows both binaries being started as root,
      and finishing with exit code 0.

Change-Id: I1e716749ee2133993f0f7b2836483391fd1a62f0
diff --git a/init/Android.bp b/init/Android.bp
index 57555f6..52cd1ca 100644
--- a/init/Android.bp
+++ b/init/Android.bp
@@ -109,7 +109,6 @@
         "action.cpp",
         "action_manager.cpp",
         "action_parser.cpp",
-        "boringssl_self_test.cpp",
         "bootchart.cpp",
         "builtins.cpp",
         "capabilities.cpp",
diff --git a/init/boringssl_self_test.cpp b/init/boringssl_self_test.cpp
deleted file mode 100644
index 759eb43..0000000
--- a/init/boringssl_self_test.cpp
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "boringssl_self_test.h"
-
-#include <android-base/logging.h>
-#include <cutils/android_reboot.h>
-#include <openssl/crypto.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-namespace android {
-namespace init {
-
-Result<void> StartBoringSslSelfTest(const BuiltinArguments&) {
-    pid_t id = fork();
-
-    if (id == 0) {
-        if (BORINGSSL_self_test() != 1) {
-            LOG(INFO) << "BoringSSL crypto self tests failed";
-
-            // This check has failed, so the device should refuse
-            // to boot. Rebooting to bootloader to wait for
-            // further action from the user.
-
-            int result = android_reboot(ANDROID_RB_RESTART2, 0,
-                                        "bootloader,boringssl-self-check-failed");
-            if (result != 0) {
-                LOG(ERROR) << "Failed to reboot into bootloader";
-            }
-        }
-
-        _exit(0);
-    } else if (id == -1) {
-        // Failed to fork, so cannot run the test. Refuse to continue.
-        PLOG(FATAL) << "Failed to fork for BoringSSL self test";
-    }
-
-    return {};
-}
-
-}  // namespace init
-}  // namespace android
diff --git a/init/boringssl_self_test.h b/init/boringssl_self_test.h
deleted file mode 100644
index 9e717d0..0000000
--- a/init/boringssl_self_test.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#pragma once
-
-#include "builtin_arguments.h"
-#include "result.h"
-
-namespace android {
-namespace init {
-
-Result<void> StartBoringSslSelfTest(const BuiltinArguments&);
-
-}  // namespace init
-}  // namespace android
diff --git a/init/init.cpp b/init/init.cpp
index d4cbb5f..1f74ab6 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -51,7 +51,6 @@
 #include <selinux/android.h>
 
 #include "action_parser.h"
-#include "boringssl_self_test.h"
 #include "builtins.h"
 #include "epoll.h"
 #include "first_stage_init.h"
@@ -739,9 +738,6 @@
     // Trigger all the boot actions to get us started.
     am.QueueEventTrigger("init");
 
-    // Starting the BoringSSL self test, for NIAP certification compliance.
-    am.QueueBuiltinAction(StartBoringSslSelfTest, "StartBoringSslSelfTest");
-
     // Repeat mix_hwrng_into_linux_rng in case /dev/hw_random or /dev/random
     // wasn't ready immediately after wait_for_coldboot_done
     am.QueueBuiltinAction(MixHwrngIntoLinuxRngAction, "MixHwrngIntoLinuxRng");
diff --git a/rootdir/init.rc b/rootdir/init.rc
index bb36139..d6a32c3 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -127,7 +127,7 @@
     mkdir /mnt/expand 0771 system system
     mkdir /mnt/appfuse 0711 root root
 
-    # tmpfs place for BORINGSSL_self_test() to remember whether it has run
+    # These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run.
     mkdir /dev/boringssl 0755 root root
     mkdir /dev/boringssl/selftest 0755 root root
 
@@ -315,6 +315,16 @@
     start hwservicemanager
     start vndservicemanager
 
+# Run boringssl self test for each ABI so that later processes can skip it. http://b/139348610
+on init && property:ro.product.cpu.abilist32=*:
+    exec_reboot_on_failure boringssl-self-check-failed /system/bin/boringssl_self_test32
+on init && property:ro.product.cpu.abilist64=*
+    exec_reboot_on_failure boringssl-self-check-failed /system/bin/boringssl_self_test64
+on property:apexd.status=ready && property:ro.product.cpu.abilist64=*
+    exec_reboot_on_failure boringssl-self-check-failed /apex/com.android.conscrypt/bin/boringssl_self_test64
+on property:apexd.status=ready && property:ro.product.cpu.abilist32=*
+    exec_reboot_on_failure boringssl-self-check-failed /apex/com.android.conscrypt/bin/boringssl_self_test32
+
 # Healthd can trigger a full boot from charger mode by signaling this
 # property when the power button is held.
 on property:sys.boot_from_charger_mode=1
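Review bot: The first added trigger, `on init && property:ro.product.cpu.abilist32=*:`, ends with a colon that the other three triggers do not have. If init's property-trigger parser takes everything after `=` as the value, this becomes the literal `*:` rather than the `*` wildcard, so the /system 32-bit self test would likely never fire and the check would fail open for that ABI with nothing in the log. Drop the colon: `on init && property:ro.product.cpu.abilist32=*`. Since the commit's Test: line only mentions "both binaries", it is worth confirming on a device with a 32-bit ABI that every expected `boringssl_self_test32`/`boringssl_self_test64` run shows up in logcat with exit code 0.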