blob: 67784b529e4713e8fa92782412e3061c492a444c [file] [log] [blame]
Igor Opaniuk523788b2018-06-03 21:56:43 +03001Android Verified Boot 2.0
2
3This file contains information about the current support of Android Verified
4Boot 2.0 in U-boot
5
61. OVERVIEW
7---------------------------------
8Verified Boot establishes a chain of trust from the bootloader to system images
9* Provides integrity checking for:
10 - Android Boot image: Linux kernel + ramdisk. RAW hashing of the whole
11 partition is done and the hash is compared with the one stored in
12 the VBMeta image
13 - system/vendor partitions: verifying root hash of dm-verity hashtrees.
14* Provides capabilities for rollback protection.
15
16Integrity of the bootloader (U-boot BLOB and environment) is out of scope.
17
18For additional details check:
19https://android.googlesource.com/platform/external/avb/+/master/README.md
20
21
222. AVB 2.0 U-BOOT SHELL COMMANDS
23-----------------------------------
24Provides CLI interface to invoke AVB 2.0 verification + misc. commands for
25different testing purposes:
26
27avb init <dev> - initialize avb 2.0 for <dev>
28avb verify - run verification process using hash data from vbmeta structure
29avb read_rb <num> - read rollback index at location <num>
30avb write_rb <num> <rb> - write rollback index <rb> to <num>
31avb is_unlocked - returns unlock status of the device
32avb get_uuid <partname> - read and print uuid of partition <partname>
33avb read_part <partname> <offset> <num> <addr> - read <num> bytes from
34partition <partname> to buffer <addr>
35avb write_part <partname> <offset> <num> <addr> - write <num> bytes to
36<partname> by <offset> using data from <addr>
37
38
393. PARTITIONS TAMPERING (EXAMPLE)
40-----------------------------------
41Boot or system/vendor (dm-verity metadata section) is tampered:
42=> avb init 1
43=> avb verify
44avb_slot_verify.c:175: ERROR: boot: Hash of data does not match digest in
45descriptor.
46Slot verification result: ERROR_IO
47
48Vbmeta partition is tampered:
49=> avb init 1
50=> avb verify
51avb_vbmeta_image.c:206: ERROR: Hash does not match!
52avb_slot_verify.c:388: ERROR: vbmeta: Error verifying vbmeta image:
53HASH_MISMATCH
54Slot verification result: ERROR_IO
55
56
574. ENABLE ON YOUR BOARD
58-----------------------------------
59The following options must be enabled:
60CONFIG_LIBAVB=y
61CONFIG_CMD_AVB=y
62
63
64Then add `avb verify` invocation to your android boot sequence of commands,
65e.g.:
66
67=> avb_verify=avb init $mmcdev; avb verify;
68=> if run avb_verify; then \
69 echo AVB verification OK. Continue boot; \
70 set bootargs $bootargs $avb_bootargs; \
71 else \
72 echo AVB verification failed; \
73 exit; \
74 fi; \
75
76=> emmc_android_boot= \
77 echo Trying to boot Android from eMMC ...; \
78 ... \
79 run avb_verify; \
80 mmc read ${fdtaddr} ${fdt_start} ${fdt_size}; \
81 mmc read ${loadaddr} ${boot_start} ${boot_size}; \
82 bootm $loadaddr $loadaddr $fdtaddr; \
83
84
85To switch on automatic generation of vbmeta partition in AOSP build, add these
86lines to device configuration mk file:
87
88BOARD_AVB_ENABLE := true
89BOARD_AVB_ALGORITHM := SHA512_RSA4096
90BOARD_BOOTIMAGE_PARTITION_SIZE := <boot partition size>
91
92After flashing U-boot don't forget to update environment and write new
93partition table:
94=> env default -f -a
95=> setenv partitions $partitions_android
96=> env save
97=> gpt write mmc 1 $partitions_android