Google is committed to advancing racial equity for Black communities. See how.

fs-verity Integration

fs-verity is a Linux kernel feature that allows the system to continuously verify APK files with trusted digital certificates. When the platform provides this on-access verification mechanism, with a trusted certificate from a supported store like Play, the store can install APK files with a fs-verity signature for continuous verification. Files protected by fs-verity are immutable and read requests only succeed if the content verifies.

Once fs-verity is supported in the kernel, partners can put the new type of certificate from their trusted stores in the product partition /product/etc/security/fsverity, the certificates are loaded to kernel keyring during boot time. On a device supporting this feature, the trusted store can install an APK with their corresponding fs-verity signature.

Implementation

Devices launching with Android R

fs-verity is a Linux kernel feature upstreamed since 5.4, and has been backported to Android common kernel 4.14 and higher. New devices using common kernel 4.14 or higher and using ext4 or f2fs for userdata partitions don't need to take any action as they already support fs-verity through the Linux kernel.

Devices upgrading to Android R

fs-verity patches need to be backported to the device kernel. For ext4, add fsverity to the fs_mgr flag in fstab. Then the feature can be enabled with the following setting:

ro.apk_verity.mode=2

API

A new public API has been introduced to query the device's support state and to determine if a certificate is trusted on a device.

  public final class FileIntegrityManager {
    public boolean isApkVeritySupported();
    @RequiresPermission(anyOf={
        android.Manifest.permission.INSTALL_PACKAGES,
        android.Manifest.permission.REQUEST_INSTALL_PACKAGES})
    public boolean isAppSourceCertificateTrusted(@NonNull java.security.cert.X509Certificate)
            throws java.security.cert.CertificateEncodingException;
  }

Validation

Run the following VTS, CTS, and GTS tests to validate the implementation.

  • [VTS] ApkVerityTest
  • [CTS] CtsAppSecurityHostTestCases:android.appsecurity.cts.ApkVerityInstallTest
  • [CTS] CtsSecurityHostTestCases#android.security.cts.KernelConfigTest
  • [GTS] GtsPlayFsiTestCases & GtsPlayFsiHostTestCases