From: Sam Protsenko <semen.protsenko@linaro.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 8/8] doc: avb2.0: add README about AVB2.0 integration
Date: Wed, 2 May 2018 22:12:43 +0300
Message-ID: <CAKaJLVvzuss8ySkNHNHdnt9C5e31NuYDRnwcJzHz8AruF-snjg@mail.gmail.com>
In-Reply-To: <1524662285-19617-9-git-send-email-igor.opaniuk@linaro.org>

On 25 April 2018 at 16:18, Igor Opaniuk <igor.opaniuk@linaro.org> wrote:
> Contains:
> 1. Overview of Android Verified Boot 2.0
> 2. Description of avb subset of commands
> 3. Examples of errors when boot/vendor/system/vbmeta partitions
> are tampered
> 4. Examples of enabling AVB2.0 on your setup
>
> Signed-off-by: Igor Opaniuk <igor.opaniuk@linaro.org>
> ---
>  doc/README.avb2 | 100 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 100 insertions(+)
>  create mode 100644 doc/README.avb2
>
> diff --git a/doc/README.avb2 b/doc/README.avb2
> new file mode 100644
> index 0000000..40db7c5
> --- /dev/null
> +++ b/doc/README.avb2
> @@ -0,0 +1,100 @@
> +Android Verified Boot 2.0
> +
> +This file contains information about the current support of Android Verified
> +Boot 2.0 in U-boot
> +
> +1. OVERVIEW
> +---------------------------------
> +Verified Boot establishes a chain of trust from the bootloader to system images
> +* Provides integrity checking for:
> +  - Android Boot image: Linux kernel + ramdisk. RAW hashing of the whole
> +    partition is done and the hash is compared with the one stored in
> +    the VBMeta image
> +  - system/vendor partitions: verifying root hash of dm-verity hashtrees.
> +* Provides capabilities for rollback protection.
> +
> +Integrity of the bootloader (U-boot BLOB and environment) is out of scope.
> +
> +For additional details check:
> +https://android.googlesource.com/platform/external/avb/+/master/README.md
> +
> +
> +2. AVB 2.0 U-BOOT SHELL COMMANDS
> +-----------------------------------
> +Provides CLI interface to invoke AVB 2.0 verification + misc. commands for
> +different testing purposes:
> +
> +avb init <dev> - initialize avb 2.0 for <dev>
> +avb verify - run verification process using hash data from vbmeta structure
> +avb read_rb <num> - read rollback index at location <num>
> +avb write_rb <num> <rb> - write rollback index <rb> to <num>
> +avb is_unlocked - returns unlock status of the device
> +avb get_uuid <partname> - read and print uuid of partition <partname>
> +avb read_part <partname> <offset> <num> <addr> - read <num> bytes from
> +partition <partname> to buffer <addr>
> +avb write_part <partname> <offset> <num> <addr> - write <num> bytes to
> +<partname> by <offset> using data from <addr>
> +
> +
> +3. PARTITIONS TAMPERING (EXAMPLE)
> +-----------------------------------
> +Boot or system/vendor (dm-verity metadata section) is tampered:
> +=> avb init 1
> +=> avb verify
> +avb_slot_verify.c:175: ERROR: boot: Hash of data does not match digest in
> +descriptor.
> +Slot verification result: ERROR_IO
> +
> +Vbmeta partition is tampered:
> +=> avb init 1
> +=> avb verify
> +avb_vbmeta_image.c:206: ERROR: Hash does not match!
> +avb_slot_verify.c:388: ERROR: vbmeta: Error verifying vbmeta image:
> +HASH_MISMATCH
> +Slot verification result: ERROR_IO
> +
> +
> +4. ENABLE ON YOUR BOARD
> +-----------------------------------
> +The following options must be enabled:
> +CONFIG_LIBAVB=y
> +CONFIG_LIBAVB_AB=y
> +CONFIG_CMD_AVB=y
> +
> +
> +Then add `avb verify` invocation to your android boot sequence of commands,
> +e.g.:
> +
> +=> avb_verify=avb init $mmcdev; avb verify;
> +=> if run avb_verify; then                       \
> +        echo AVB verification OK. Continue boot; \
> +        set bootargs $bootargs $avb_bootargs;    \
> +   else                                          \
> +        echo AVB verification failed;            \
> +        exit;                                    \
> +   fi;                                           \
> +
> +=> emmc_android_boot=                                   \
> +       echo Trying to boot Android from eMMC ...;       \
> +       ...                                              \
> +       run avb_verify;                                  \
> +       mmc read ${fdtaddr} ${fdt_start} ${fdt_size};    \
> +       mmc read ${loadaddr} ${boot_start} ${boot_size}; \
> +       bootm $loadaddr $loadaddr $fdtaddr;              \
> +
> +
> +To switch on automatic generation of vbmeta partition in AOSP build, add these
> +lines to device configuration mk file:
> +
> +BOARD_AVB_ENABLE := true
> +BOARD_AVB_ALGORITHM := SHA512_RSA4096
> +BOARD_BOOTIMAGE_PARTITION_SIZE := <boot partition size>
> +
> +After flashing U-boot don't forget to update environment and write new
> +partition table:
> +=> env default -f -a
> +=> setenv partitions $partitions_android
> +=> env save
> +=> fas 1
> +
> +$ fastboot oem format
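
Review bot: In section 4, the emmc_android_boot example calls `run avb_verify;` without testing its result, so the `mmc read` and `bootm` lines that follow still run when verification fails. The documented sequence should fail closed, for example by placing the `if run avb_verify; then ... else ... exit; fi` form shown just above inside emmc_android_boot instead of the bare call. Separately, `avb_verify=avb init $mmcdev; avb verify;` is shown at the `=>` prompt without setenv and the `if` block ends on a dangling `\`, so it is unclear whether these lines are typed commands or environment definitions; the README should say which.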

FYI, those commands can be shrunk down to a single command:

    => gpt write mmc 1 $partitions_android

because that's exactly what "fastboot oem format" is doing. This way
you can avoid using fastboot, and thus having it as a dependency. But
your way is better w.r.t. user experience (i.e. if the environment is
already set, the user can just run the host command, and avoid tinkering
with the U-Boot shell at all). Please choose which one is better depending
on the target use case.

> --
> 2.7.4
>
