stm32mp157
/
uboot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
uboot/u-boot-stm32mp-2020.01/doc/android/avb2.txt

116 lines
4.0 KiB
Plaintext
Raw Permalink Blame History

Android Verified Boot 2.0
This file contains information about the current support of Android Verified
Boot 2.0 in U-boot
1. OVERVIEW
---------------------------------
Verified Boot establishes a chain of trust from the bootloader to system images
* Provides integrity checking for:
- Android Boot image: Linux kernel + ramdisk. RAW hashing of the whole
partition is done and the hash is compared with the one stored in
the VBMeta image
- system/vendor partitions: verifying root hash of dm-verity hashtrees.
* Provides capabilities for rollback protection.
Integrity of the bootloader (U-boot BLOB and environment) is out of scope.
For additional details check:
https://android.googlesource.com/platform/external/avb/+/master/README.md
1.1. AVB using OP-TEE (optional)
---------------------------------
If AVB is configured to use OP-TEE (see 4. below) rollback indexes and
device lock state are stored in RPMB. The RPMB partition is managed by
OP-TEE (https://www.op-tee.org/) which is a secure OS leveraging ARM
TrustZone.
2. AVB 2.0 U-BOOT SHELL COMMANDS
-----------------------------------
Provides CLI interface to invoke AVB 2.0 verification + misc. commands for
different testing purposes:
avb init <dev> - initialize avb 2.0 for <dev>
avb verify - run verification process using hash data from vbmeta structure
avb read_rb <num> - read rollback index at location <num>
avb write_rb <num> <rb> - write rollback index <rb> to <num>
avb is_unlocked - returns unlock status of the device
avb get_uuid <partname> - read and print uuid of partition <partname>
avb read_part <partname> <offset> <num> <addr> - read <num> bytes from
partition <partname> to buffer <addr>
avb write_part <partname> <offset> <num> <addr> - write <num> bytes to
<partname> by <offset> using data from <addr>
3. PARTITIONS TAMPERING (EXAMPLE)
-----------------------------------
Boot or system/vendor (dm-verity metadata section) is tampered:
=> avb init 1
=> avb verify
avb_slot_verify.c:175: ERROR: boot: Hash of data does not match digest in
descriptor.
Slot verification result: ERROR_IO
Vbmeta partition is tampered:
=> avb init 1
=> avb verify
avb_vbmeta_image.c:206: ERROR: Hash does not match!
avb_slot_verify.c:388: ERROR: vbmeta: Error verifying vbmeta image:
HASH_MISMATCH
Slot verification result: ERROR_IO
4. ENABLE ON YOUR BOARD
-----------------------------------
The following options must be enabled:
CONFIG_LIBAVB=y
CONFIG_AVB_VERIFY=y
CONFIG_CMD_AVB=y
In addtion optionally if storing rollback indexes in RPMB with help of
OP-TEE:
CONFIG_TEE=y
CONFIG_OPTEE=y
CONFIG_OPTEE_TA_AVB=y
CONFIG_SUPPORT_EMMC_RPMB=y
Then add `avb verify` invocation to your android boot sequence of commands,
e.g.:
=> avb_verify=avb init $mmcdev; avb verify;
=> if run avb_verify; then \
echo AVB verification OK. Continue boot; \
set bootargs $bootargs $avb_bootargs; \
else \
echo AVB verification failed; \
exit; \
fi; \
=> emmc_android_boot= \
echo Trying to boot Android from eMMC ...; \
... \
run avb_verify; \
mmc read ${fdtaddr} ${fdt_start} ${fdt_size}; \
mmc read ${loadaddr} ${boot_start} ${boot_size}; \
bootm $loadaddr $loadaddr $fdtaddr; \
If partitions you want to verify are slotted (have A/B suffixes), then current
slot suffix should be passed to 'avb verify' sub-command, e.g.:
=> avb verify _a
To switch on automatic generation of vbmeta partition in AOSP build, add these
lines to device configuration mk file:
BOARD_AVB_ENABLE := true
BOARD_AVB_ALGORITHM := SHA512_RSA4096
BOARD_BOOTIMAGE_PARTITION_SIZE := <boot partition size>
After flashing U-boot don't forget to update environment and write new
partition table:
=> env default -f -a
=> setenv partitions $partitions_android
=> env save
=> gpt write mmc 1 $partitions_android
Reference in New Issue View Git Blame Copy Permalink