fd41eb9a7848ad8d2ae0a80186e461741bf134f1 |
|
17-Nov-2016 |
David Zeuthen <zeuthen@google.com> |
Add way to disable dm-verity allowing rootfs to be writable.

This feature already exists in Android's current verified boot implementation and can be enabled by running 'adb disable-verity'. As it's very useful for developers (it allows replacing e.g. binaries on the root filesystem) we want AVB to have this feature as well.

First, add a 'flags' field in the VBMeta struct with a single possible flag value HASHTREE_DISABLED (we can add more flags in the future).

Second, to enable the feature we essentially need to pass

  root=PARTUUID=$(ANDROID_SYSTEM_PARTUUID)

instead of

  dm="1 vroot ... PARTUUID=$(ANDROID_SYSTEM_PARTUUID) ... " root=0xfd00

To do this cleanly and keep all the details about dm-verity setup outside the bootloader binary, introduce a flags field to the command-line descriptor allowing the bootloader to skip the command-line snippet depending on whether HASHTREE_DISABLED is set or not. With this in place, modify avbtool to generate two kernel command-line descriptors - one if HASHTREE_DISABLED is set and one if it's not.

One note is that the VBMeta flag HASHTREE_DISABLED will never be used at image build time. Instead, it's expected that 'adb disable-verity' will set the flag by writing to vbmeta_a or vbmeta_b directly. This will of course cause the image to not be verified but if the device is unlocked the bootloader will boot it anyway .. this is because of the previous CL with subject "Enable operations on unlocked devices."

I tried all this using my toy UEFI-based bootloader using libavb and here's the result. First the bootloader output when processing a freshly built image (with lots of things deleted for brevity):

  ab_result=OK,
  slot_suffix=_a,
  command-line='dm="1 vroot none ro 1,0 [...]" root=0xfd00 androidboot.slot_suffix=_a androidboot.vbmeta.device_state=unlocked [...]'

and once we've got a shell remounting rootfs rw fails:

  $ su
  # mount -orw,remount /
  '/dev/root' is read-only

It's possible however to set the new HASHTREE_DISABLED flag by writing to vbmeta_a:

  # echo -n -e \\x01 | dd bs=1 oseek=123 count=1 \
      of=/dev/block/pci/pci0000\:00/0000\:00\:01.1/by-name/vbmeta_a
  1+0 records in
  1+0 records out
  1 bytes transferred in 0.001 secs (1000 bytes/sec)

When rebooting the bootloader now outputs the following:

  ab_result=OK_WITH_VERIFICATION_ERROR,
  slot_suffix=_a,
  command-line='root=PARTUUID=c2531a08-1ff2-4c3e-9d9d-a50e5abd02c8 androidboot.slot_suffix=_a androidboot.vbmeta.device_state=unlocked [...]'

and it's now possible to remount the root filesystem and write to it:

  $ su
  # mount -orw,remount /
  # echo foo > /bar
  # cat /bar
  foo

with changes persisting across reboots.

Needless to say, disabling hashtree verification like this will ONLY work if the device is unlocked. This is because the HASHTREE_DISABLED flag is in the verified data.

Test: New unit tests and unit tests pass.
Test: Manually tested on UEFI based bootloader, see above.
Bug: 32949911
Change-Id: I9474ddd5f442be369cb0a551f03ac181cc41a265
/external/avb/libavb/avb_kernel_cmdline_descriptor.h
|
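The descriptor selection that the commit message above describes, as an added example (not code from the commit or from libavb). The macro names, bit values, struct and `build_cmdline` are hypothetical, and the two descriptor strings are constructed from the snippets quoted in the message.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names and bit values modelled on the commit message. */
#define VBMETA_FLAG_HASHTREE_DISABLED (1u << 0)
#define CMDLINE_IF_HASHTREE_ENABLED   (1u << 0)
#define CMDLINE_IF_HASHTREE_DISABLED  (1u << 1)

struct cmdline_desc { uint32_t flags; const char *snippet; };

/* Constructed sample: the two descriptors avbtool is described as emitting. */
static const struct cmdline_desc SAMPLE[] = {
    { CMDLINE_IF_HASHTREE_ENABLED, "dm=\"1 vroot none ro 1,0 [...]\" root=0xfd00" },
    { CMDLINE_IF_HASHTREE_DISABLED, "root=PARTUUID=$(ANDROID_SYSTEM_PARTUUID)" },
};

/* Returns 0 with the command line in out; -1 if boot is refused or out is too small. */
int build_cmdline(uint32_t vbmeta_flags, bool verified, bool unlocked,
                  const struct cmdline_desc *d, size_t n, char *out, size_t cap)
{
    bool disabled = (vbmeta_flags & VBMETA_FLAG_HASHTREE_DISABLED) != 0;
    size_t used = 0;

    /* The flag is in signed data: editing it on disk fails verification,
     * and only an unlocked device may continue past that failure. */
    if ((!verified && !unlocked) || cap == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if ((d[i].flags & CMDLINE_IF_HASHTREE_ENABLED) && disabled)
            continue;
        if ((d[i].flags & CMDLINE_IF_HASHTREE_DISABLED) && !disabled)
            continue;
        size_t len = strlen(d[i].snippet);
        if (used + (used != 0) + len >= cap)   /* separator + snippet + NUL */
            return -1;
        if (used)
            out[used++] = ' ';
        memcpy(out + used, d[i].snippet, len + 1);
        used += len;
    }
    return 0;
}

int main(void)
{
    char buf[128];
    if (build_cmdline(VBMETA_FLAG_HASHTREE_DISABLED, false, true,
                      SAMPLE, 2, buf, sizeof buf) == 0)
        puts(buf);   /* unlocked device, flag set: the PARTUUID root snippet */
}
```
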
c612e2e353444f6ad714e43702c2afd057516254 |
|
16-Sep-2016 |
David Zeuthen <zeuthen@google.com> |
Switch to MIT license.

BUG=31508897
TEST=Unit tests pass.
Change-Id: I790afce2889e3dfaf6a53c02ccaaec3544229a9c
/external/avb/libavb/avb_kernel_cmdline_descriptor.h
|
21e95266704e572ced1c633bbc4aea9f42afa0a5 |
|
27-Jul-2016 |
David Zeuthen <zeuthen@google.com> |
Add common verified boot tools and library.

This code is originally from the Brillo project but has been adapted for use in all of Android. It consists of a tool - avbtool - for working with images (e.g. boot.img, system.img). See the README file for how it's integrated into the Android build system and how to enable it.

The main job of avbtool is to create vbmeta.img which is the top-level object for verified boot. This image is designed to go into the vbmeta partition (or, if using A/B, the slot in question e.g. vbmeta_a or vbmeta_b) and be of minimal size (for out-of-band updates). The vbmeta image is cryptographically signed and contains verification data (e.g. cryptographic digests) for verifying boot.img, system.img, and other partitions/images.

The vbmeta image can also contain references to other partitions where verification data is stored as well as a public key indicating who should sign the verification data. This indirection provides delegation, that is, it allows a 3rd party to control content on a given partition by including the public key said 3rd party is using to sign the data with, in vbmeta.img. By design, this authority can be easily revoked by simply updating vbmeta.img with new descriptors for the partition in question.

Storing signed verification data on other images - for example boot.img and system.img - is also done with avbtool.

In addition to avbtool, a library - libavb - is provided. This library performs all verification on the device side e.g. it starts by loading the vbmeta partition, checks the signature, and then goes on to load the boot partition for verification.

The libavb library is intended to be used in both boot loaders and inside Android. It has a simple abstraction for system dependencies (see libavb/avb_sysdeps.h) as well as operations that the boot loader or OS is expected to implement (see libavb/avb_ops.h).

In addition to handling verified boot, libavb will in the future be extended to handle A/B selection in a way that can be used in the device's fastboot implementation, its boot loader, and its boot_control HAL implementation. This will be implemented in a future CL.

BUG=29414516
TEST=Unit tests for avbtool and libavb + unit tests pass.
Change-Id: I69ee86878e21fa718faccfc56eb0b1f40707d847
/external/avb/libavb/avb_kernel_cmdline_descriptor.h
|