965ec3caa8
Add optional parameter to 'avb verify' sub-command, so that user is able to specify which slot to use, in case when user's partitions are slotted. If that parameter is omitted, the behavior of 'avb verify' will be the same as before, so user API is content. Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org> Reviewed-by: Igor Opaniuk <igor.opaniuk@gmail.com> Acked-by: Igor Opaniuk <igor.opaniuk@gmail.com>
116 lines
4.0 KiB
Plaintext
116 lines
4.0 KiB
Plaintext
Android Verified Boot 2.0
|
|
|
|
This file contains information about the current support of Android Verified
|
|
Boot 2.0 in U-boot
|
|
|
|
1. OVERVIEW
|
|
---------------------------------
|
|
Verified Boot establishes a chain of trust from the bootloader to system images
|
|
* Provides integrity checking for:
|
|
- Android Boot image: Linux kernel + ramdisk. RAW hashing of the whole
|
|
partition is done and the hash is compared with the one stored in
|
|
the VBMeta image
|
|
- system/vendor partitions: verifying root hash of dm-verity hashtrees.
|
|
* Provides capabilities for rollback protection.
|
|
|
|
Integrity of the bootloader (U-boot BLOB and environment) is out of scope.
|
|
|
|
For additional details check:
|
|
https://android.googlesource.com/platform/external/avb/+/master/README.md
|
|
|
|
1.1. AVB using OP-TEE (optional)
|
|
---------------------------------
|
|
If AVB is configured to use OP-TEE (see 4. below) rollback indexes and
|
|
device lock state are stored in RPMB. The RPMB partition is managed by
|
|
OP-TEE (https://www.op-tee.org/) which is a secure OS leveraging ARM
|
|
TrustZone.
|
|
|
|
|
|
2. AVB 2.0 U-BOOT SHELL COMMANDS
|
|
-----------------------------------
|
|
Provides CLI interface to invoke AVB 2.0 verification + misc. commands for
|
|
different testing purposes:
|
|
|
|
avb init <dev> - initialize avb 2.0 for <dev>
|
|
avb verify - run verification process using hash data from vbmeta structure
|
|
avb read_rb <num> - read rollback index at location <num>
|
|
avb write_rb <num> <rb> - write rollback index <rb> to <num>
|
|
avb is_unlocked - returns unlock status of the device
|
|
avb get_uuid <partname> - read and print uuid of partition <partname>
|
|
avb read_part <partname> <offset> <num> <addr> - read <num> bytes from
|
|
partition <partname> to buffer <addr>
|
|
avb write_part <partname> <offset> <num> <addr> - write <num> bytes to
|
|
<partname> by <offset> using data from <addr>
|
|
|
|
|
|
3. PARTITIONS TAMPERING (EXAMPLE)
|
|
-----------------------------------
|
|
Boot or system/vendor (dm-verity metadata section) is tampered:
|
|
=> avb init 1
|
|
=> avb verify
|
|
avb_slot_verify.c:175: ERROR: boot: Hash of data does not match digest in
|
|
descriptor.
|
|
Slot verification result: ERROR_IO
|
|
|
|
Vbmeta partition is tampered:
|
|
=> avb init 1
|
|
=> avb verify
|
|
avb_vbmeta_image.c:206: ERROR: Hash does not match!
|
|
avb_slot_verify.c:388: ERROR: vbmeta: Error verifying vbmeta image:
|
|
HASH_MISMATCH
|
|
Slot verification result: ERROR_IO
|
|
|
|
|
|
4. ENABLE ON YOUR BOARD
|
|
-----------------------------------
|
|
The following options must be enabled:
|
|
CONFIG_LIBAVB=y
|
|
CONFIG_AVB_VERIFY=y
|
|
CONFIG_CMD_AVB=y
|
|
|
|
In addtion optionally if storing rollback indexes in RPMB with help of
|
|
OP-TEE:
|
|
CONFIG_TEE=y
|
|
CONFIG_OPTEE=y
|
|
CONFIG_OPTEE_TA_AVB=y
|
|
CONFIG_SUPPORT_EMMC_RPMB=y
|
|
|
|
Then add `avb verify` invocation to your android boot sequence of commands,
|
|
e.g.:
|
|
|
|
=> avb_verify=avb init $mmcdev; avb verify;
|
|
=> if run avb_verify; then \
|
|
echo AVB verification OK. Continue boot; \
|
|
set bootargs $bootargs $avb_bootargs; \
|
|
else \
|
|
echo AVB verification failed; \
|
|
exit; \
|
|
fi; \
|
|
|
|
=> emmc_android_boot= \
|
|
echo Trying to boot Android from eMMC ...; \
|
|
... \
|
|
run avb_verify; \
|
|
mmc read ${fdtaddr} ${fdt_start} ${fdt_size}; \
|
|
mmc read ${loadaddr} ${boot_start} ${boot_size}; \
|
|
bootm $loadaddr $loadaddr $fdtaddr; \
|
|
|
|
If partitions you want to verify are slotted (have A/B suffixes), then current
|
|
slot suffix should be passed to 'avb verify' sub-command, e.g.:
|
|
|
|
=> avb verify _a
|
|
|
|
To switch on automatic generation of vbmeta partition in AOSP build, add these
|
|
lines to device configuration mk file:
|
|
|
|
BOARD_AVB_ENABLE := true
|
|
BOARD_AVB_ALGORITHM := SHA512_RSA4096
|
|
BOARD_BOOTIMAGE_PARTITION_SIZE := <boot partition size>
|
|
|
|
After flashing U-boot don't forget to update environment and write new
|
|
partition table:
|
|
=> env default -f -a
|
|
=> setenv partitions $partitions_android
|
|
=> env save
|
|
=> gpt write mmc 1 $partitions_android
|