On Sat, Aug 25, 2018 at 03:43:43PM +0800, Gao Xiang wrote: > > I don't know of any plan to use fs-verity on Android's system partition or to > > replace dm-verity on the system partition. The use cases so far have been > > verifying files on /data, like APK files. > > > > So I don't think you need to support fs-verity in EROFS. > > Thanks for your information about fs-verity, that is quite useful for us > Actually, I was worrying about that these months... :) I'll be even clearer --- I can't *imagine* any situation where it would make sense to use fs-verity on the Android system partition. Remember, for OTA to work the system image has to be bit-for-bit identical to the official golden image for that release. So the system image has to be completely locked down from any modification (to data or metadata), and that means dm-verity and *NOT* fs-verity. The initial use of fs-verity (as you can see if you look at AOSP) will be to protect a small number of privileged APK's that are stored on the data partition. Previously, they were verified when they were downloaded, and never again. Part of the goal which we are trying to achieve here is that even if the kernel gets compromised by a 0-day, a successful reboot should restore the system to a known state. That is, the secure bootloader checks the signature of the kernel, and then in turn, dm-verity will verify the root Merkle hash protecting the system partition, and fs-verity will protect the privileged APK's. If malware modifies any these components in an attempt to be persistent, the modifications would be detected, and the worst it could do is to cause subsequent reboots to fail until the phone's software could be reflashed. Cheers, - Ted
