Hi Ted,

Sorry for the late reply...

On 2018/8/26 1:06, Theodore Y. Ts'o wrote:
> On Sat, Aug 25, 2018 at 03:43:43PM +0800, Gao Xiang wrote:
>>> I don't know of any plan to use fs-verity on Android's system partition or to
>>> replace dm-verity on the system partition. The use cases so far have been
>>> verifying files on /data, like APK files.
>>>
>>> So I don't think you need to support fs-verity in EROFS.
>>
>> Thanks for your information about fs-verity, that is quite useful for us.
>> Actually, I was worrying about that these months... :)
>
> I'll be even clearer --- I can't *imagine* any situation where it
> would make sense to use fs-verity on the Android system partition.
> Remember, for OTA to work the system image has to be bit-for-bit
> identical to the official golden image for that release. So the
> system image has to be completely locked down from any modification
> (to data or metadata), and that means dm-verity and *NOT* fs-verity.

I think so mainly because of the security reason you said above.

In addition, I think it is mandatory that the Android system partition should
also _never_ suffer from filesystem corruption by design (except for storage
device corruption or malware); therefore I think the bit-for-bit read-only,
identical-verity requirement is quite strong for Android, which will make the
Android system steady and as solid as rocks.

But I need to make sure of my personal thoughts on this topic. :)

>
> The initial use of fs-verity (as you can see if you look at AOSP) will
> be to protect a small number of privileged APK's that are stored on
> the data partition. Previously, they were verified when they were
> downloaded, and never again.
>
> Part of the goal which we are trying to achieve here is that even if
> the kernel gets compromised by a 0-day, a successful reboot should
> restore the system to a known state. That is, the secure bootloader
> checks the signature of the kernel, and then in turn, dm-verity will
> verify the root Merkle hash protecting the system partition, and
> fs-verity will protect the privileged APK's. If malware modifies any
> of these components in an attempt to be persistent, the modifications
> would be detected, and the worst it could do is to cause subsequent
> reboots to fail until the phone's software could be reflashed.
>

Yeah, I have seen the fs-verity presentation and materials from Android
bootcamp and other official channels before.

Thanks for your kind and detailed explanation. :)

Best regards,
Gao Xiang

> Cheers,
>
> - Ted
>
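The detection property Ted describes above (a trusted root Merkle hash anchoring a block-by-block hash tree, so any modification of the partition fails verification on read), as an added example that is not code from this thread, from dm-verity or from EROFS. It is a simplified hash tree over a constructed sample image; the 16-byte block size, the odd-node padding rule and the tree layout are assumptions and do not match dm-verity's on-disk format.

```python
import hashlib

BLOCK_SIZE = 16  # constructed: tiny block so the sample fits; real dm-verity uses 4096-byte blocks

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _pad(level: list) -> list:
    # Odd node count: duplicate the last node (an assumed padding rule, not dm-verity's).
    return level + [level[-1]] if len(level) % 2 else level

def build_tree(image: bytes) -> list:
    # Hash each data block, then hash pairs upward; levels[-1][0] is the root Merkle hash.
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    levels = [[_h(b.ljust(BLOCK_SIZE, b"\0")) for b in blocks]]
    while len(levels[-1]) > 1:
        lvl = _pad(levels[-1])
        levels.append([_h(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels

def proof_for(levels: list, index: int) -> list:
    # Sibling hashes from leaf to root: the tree nodes a reader fetches from untrusted storage.
    proof = []
    for level in levels[:-1]:
        proof.append(_pad(level)[index ^ 1])
        index //= 2
    return proof

def verify_block(block: bytes, index: int, proof: list, trusted_root: bytes) -> bool:
    # Recompute the path to the root; the only trusted input is trusted_root (in the chain
    # described above it is anchored in the signed kernel / bootloader, not in the image).
    node = _h(block.ljust(BLOCK_SIZE, b"\0"))
    for sibling in proof:
        node = _h(node + sibling) if index % 2 == 0 else _h(sibling + node)
        index //= 2
    return node == trusted_root

def read_block(image: bytes, index: int, trusted_root: bytes) -> bool:
    # Model of a verified read: block and hash tree both come from the (untrusted) image.
    blk = image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
    return verify_block(blk, index, proof_for(build_tree(image), index), trusted_root)

def tamper(image: bytes, index: int) -> bytes:
    # Flip one byte of block `index`, modelling a modification that tries to persist on disk.
    pos = index * BLOCK_SIZE
    return image[:pos] + bytes([image[pos] ^ 0x01]) + image[pos + 1:]

# Constructed sample "system image": five 16-byte blocks; ROOT plays the signed golden root.
IMAGE = b"".join(f"block-{i:02d}-system!".encode() for i in range(5))
ROOT = build_tree(IMAGE)[-1][0]
```

Every block of the untouched image verifies against ROOT, while a single flipped byte anywhere makes that block (and, since the rebuilt tree no longer reaches ROOT, every other block) fail verification.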