How the test works
==================
ApkVerityTestApp is a test helper app that is installed with an fs-verity signature
file (.fsv\_sig). In order for this CTS test to run on a release build across
vendors, the signature needs to be verified against a release certificate loaded
into the kernel.

How to modify the test helper app
=================================
Modifying the test helper app also requires signing the APK with a local debug
key. You will also need to point the test to use your local build.

How to load debug key
---------------------
On a debuggable build, the key can be loaded with:

```
adb root
adb shell 'mini-keyctl padd asymmetric fsv-play .fs-verity' < fsverity-debug.x509.der
```

On a user build, the keyring is closed and does not accept extra keys. A workaround
is to copy the .der file to /system/etc/security/fsverity. Upon reboot, the
certificate will be loaded into the kernel as usual.

How to use the app built locally
--------------------------------
You need to override the prebuilts with the debug build.

1. Build the debug artifacts with `m CtsApkVerityTestDebugFiles`. Copy the output
   to a temporary directory, e.g.

```
(cd $ANDROID_BUILD_TOP && cp `cat out/soong/.intermediates/cts/hostsidetests/appsecurity/test-apps/ApkVerityTestApp/testdata/CtsApkVerityTestDebugFiles/gen/CtsApkVerityTestDebugFiles.txt` /tmp/prebuilts/)
```

2. Copy files to create the bad app, e.g. in /tmp/prebuilts,

```
cp CtsApkVerityTestApp.apk CtsApkVerityTestApp2.apk
cp CtsApkVerityTestAppSplit.apk.fsv_sig CtsApkVerityTestApp2.apk.fsv_sig
```

3. Rename the files to match the test expectation.

```
for f in CtsApkVerityTestApp*; do echo "$f" | sed -E 's/([^.]+)\.(.+)/mv & \1Prebuilt.\2/'; done | sh
```

4. Run the test.

```
atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ApkVerityInstallTest
```

How to update the prebuilts
===========================

1. Download CtsApkVerityTestApp.apk, CtsApkVerityTestApp.apk.idsig and CtsApkVerityTestAppSplit.apk.
The current prebuilts are downloaded from the links below.

```
https://android-build.googleplex.com/builds/submitted/9178658/test_suites_arm64/latest/
https://android-build.googleplex.com/builds/submitted/9178658/test_suites_x86_64/latest/
```

2. Ask the key owner to sign the .apk files with the "fsverity-release" key
   (example: b/253983589).
3. Receive the release signature .fsv\_sig.
4. Override CtsApkVerityTestApp2 to create a bad signature.

```
cp CtsApkVerityTestApp.apk CtsApkVerityTestApp2.apk
cp CtsApkVerityTestAppSplit.apk.fsv_sig CtsApkVerityTestApp2.apk.fsv_sig
```

5. Rename to "Prebuilt".

```
for f in CtsApkVerityTestApp*; do echo "$f" | sed -E 's/([^.]+)\.(.+)/mv & \1Prebuilt.\2/'; done | sh
```

6. Duplicate arm64 prebuilts into arm and arm64, x86\_64 into x86 and x86\_64.
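
The "create bad app" and "Prebuilt" rename steps shared by both procedures above, as an added example that is not part of the AOSP README or test code. It then checks that the App2 pair really is mismatched (main APK bytes, split APK signature). The function names and the placeholder file contents are assumptions made here.

```shell
#!/bin/sh
# Added example, not AOSP code: build the mismatched App2 pair and apply the
# "Prebuilt" rename with parameter expansion instead of piping text into sh.

stage_prebuilts() {  # $1: directory holding the built or downloaded files
    (
        cd "$1" || exit 1
        [ -f CtsApkVerityTestApp.apk ] || exit 1
        [ -f CtsApkVerityTestAppSplit.apk.fsv_sig ] || exit 1
        # Bad app: a copy of the main APK carrying the split APK's signature.
        cp CtsApkVerityTestApp.apk CtsApkVerityTestApp2.apk || exit 1
        cp CtsApkVerityTestAppSplit.apk.fsv_sig CtsApkVerityTestApp2.apk.fsv_sig || exit 1
        for f in CtsApkVerityTestApp*; do
            case $f in *.*) ;; *) continue ;; esac  # skip names without an extension
            base=${f%%.*}  # name up to the first dot
            ext=${f#*.}    # everything after the first dot
            mv -- "$f" "${base}Prebuilt.${ext}" || exit 1
        done
    )
}

# Succeeds only if App2 is byte-identical to the main APK while its signature
# file is the split APK's signature and not the main APK's.
bad_pair_is_mismatched() {  # $1: staged directory
    (
        cd "$1" || exit 1
        cmp -s CtsApkVerityTestApp2Prebuilt.apk CtsApkVerityTestAppPrebuilt.apk &&
        cmp -s CtsApkVerityTestApp2Prebuilt.apk.fsv_sig \
               CtsApkVerityTestAppSplitPrebuilt.apk.fsv_sig &&
        ! cmp -s CtsApkVerityTestApp2Prebuilt.apk.fsv_sig \
                 CtsApkVerityTestAppPrebuilt.apk.fsv_sig
    )
}

# Constructed placeholder files (not real APKs or signatures) for an offline run.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'main-apk'  > "$d/CtsApkVerityTestApp.apk"
    printf 'main-sig'  > "$d/CtsApkVerityTestApp.apk.fsv_sig"
    printf 'split-apk' > "$d/CtsApkVerityTestAppSplit.apk"
    printf 'split-sig' > "$d/CtsApkVerityTestAppSplit.apk.fsv_sig"
    echo "$d"
}

demo=$(make_sample_dir) && stage_prebuilts "$demo" &&
    bad_pair_is_mismatched "$demo" && ls "$demo"
rm -rf "$demo"
```

Running `bad_pair_is_mismatched` before checking in new prebuilts catches the case where App2 was accidentally given its own valid signature, which would leave the negative test with nothing to reject.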