From 6d0043a6230d9003beb90ef6366bfea8c5e654bd Mon Sep 17 00:00:00 2001 From: Igor Opaniuk Date: Sun, 3 Jun 2018 21:56:43 +0300 Subject: [PATCH] doc: avb2.0: add README about AVB2.0 integration Contains: 1. Overview of Android Verified Boot 2.0 2. Description of avb subset of commands 3. Examples of errors when boot/vendor/system/vbmeta partitions are tampered 4. Examples of enabling AVB2.0 on your setup Signed-off-by: Igor Opaniuk --- doc/README.avb2 | 97 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 doc/README.avb2 diff --git a/doc/README.avb2 b/doc/README.avb2 new file mode 100644 index 0000000000..67784b529e --- /dev/null +++ b/doc/README.avb2 @@ -0,0 +1,97 @@ +Android Verified Boot 2.0 + +This file contains information about the current support of Android Verified +Boot 2.0 in U-boot + +1. OVERVIEW +--------------------------------- +Verified Boot establishes a chain of trust from the bootloader to system images +* Provides integrity checking for: + - Android Boot image: Linux kernel + ramdisk. RAW hashing of the whole + partition is done and the hash is compared with the one stored in + the VBMeta image + - system/vendor partitions: verifying root hash of dm-verity hashtrees. +* Provides capabilities for rollback protection. + +Integrity of the bootloader (U-boot BLOB and environment) is out of scope. + +For additional details check: +https://android.googlesource.com/platform/external/avb/+/master/README.md + + +2. AVB 2.0 U-BOOT SHELL COMMANDS +----------------------------------- +Provides CLI interface to invoke AVB 2.0 verification + misc. commands for +different testing purposes: + +avb init - initialize avb 2.0 for +avb verify - run verification process using hash data from vbmeta structure +avb read_rb - read rollback index at location +avb write_rb - write rollback index to +avb is_unlocked - returns unlock status of the device +avb get_uuid - read and print uuid of partition +avb read_part - read bytes from +partition to buffer +avb write_part - write bytes to + by using data from + + +3. PARTITIONS TAMPERING (EXAMPLE) +----------------------------------- +Boot or system/vendor (dm-verity metadata section) is tampered: +=> avb init 1 +=> avb verify +avb_slot_verify.c:175: ERROR: boot: Hash of data does not match digest in +descriptor. +Slot verification result: ERROR_IO + +Vbmeta partition is tampered: +=> avb init 1 +=> avb verify +avb_vbmeta_image.c:206: ERROR: Hash does not match! +avb_slot_verify.c:388: ERROR: vbmeta: Error verifying vbmeta image: +HASH_MISMATCH +Slot verification result: ERROR_IO + + +4. ENABLE ON YOUR BOARD +----------------------------------- +The following options must be enabled: +CONFIG_LIBAVB=y +CONFIG_CMD_AVB=y + + +Then add `avb verify` invocation to your android boot sequence of commands, +e.g.: + +=> avb_verify=avb init $mmcdev; avb verify; +=> if run avb_verify; then \ + echo AVB verification OK. Continue boot; \ + set bootargs $bootargs $avb_bootargs; \ + else \ + echo AVB verification failed; \ + exit; \ + fi; \ + +=> emmc_android_boot= \ + echo Trying to boot Android from eMMC ...; \ + ... \ + run avb_verify; \ + mmc read ${fdtaddr} ${fdt_start} ${fdt_size}; \ + mmc read ${loadaddr} ${boot_start} ${boot_size}; \ + bootm $loadaddr $loadaddr $fdtaddr; \ + + +To switch on automatic generation of vbmeta partition in AOSP build, add these +lines to device configuration mk file: + +BOARD_AVB_ENABLE := true +BOARD_AVB_ALGORITHM := SHA512_RSA4096 +BOARD_BOOTIMAGE_PARTITION_SIZE := + +After flashing U-boot don't forget to update environment and write new +partition table: +=> env default -f -a +=> setenv partitions $partitions_android +=> env save +=> gpt write mmc 1 $partitions_android -- 2.39.5