01ca9962bd0d18d0a958b289fe481cdab7c072ca
23-May-2017
David Zeuthen <zeuthen@google.com>

libavb: Only load and verify hash partition if requested.

Currently avb_slot_verify() will load _and_ verify all hash partitions mentioned in vbmeta structs even if a partition isn't in the |requested_partitions| parameter.

The current behavior is not useful because verification of a hash partition only works if you keep the loaded data around. If you don't keep it around, you set yourself up for a time-of-check-to-time-of-use (TOCTTOU) attack insofar that an attacker can change the partition contents in the window between when it was checked and when you load it again.

This should save ~400ms (the cost of sha256'ing ~32 MiB of data) in fs_mgr / early-mount. This is because fs_mgr requests no partitions to be loaded since it is only interested in the vbmeta structs.

Bug: None
Test: New unit test + all unit tests pass.
Test: Manually tested on UEFI-based boot loader.
Change-Id: I3e60d6c01e431c43ee2c629ed84318cbeac44347

/external/avb/test/fake_avb_ops.cc

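The verify-then-reload window described in the commit message above, as an added example that is not libavb code: a flash partition is simulated by an in-memory array, and the digest is FNV-1a 64 (an assumed stand-in for SHA-256 so the example has no dependencies). The function names setup_partition, verify_then_reload and verify_and_keep are constructed for this illustration. The first pattern verifies a temporary copy and reads the partition again for use, so a change to storage after the check goes unnoticed; the second verifies the buffer that will actually be used and keeps it, which is the only arrangement in which the check means something.

```c
/* Added example, not libavb code: shows why verifying a hash partition is
 * only meaningful if the verified bytes are the bytes later used. Storage
 * is simulated by an in-memory array; the digest is FNV-1a 64 (an assumed
 * stand-in for SHA-256 so the example has no dependencies). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PART_SIZE 64

/* Constructed backing store standing in for a flash partition. */
static uint8_t g_partition[PART_SIZE];

static uint64_t fnv1a64(const uint8_t *data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Fill the simulated partition with known content; returns its digest,
 * playing the role of the expected digest carried in the vbmeta struct. */
static uint64_t setup_partition(void) {
    for (size_t i = 0; i < PART_SIZE; i++) g_partition[i] = (uint8_t)i;
    return fnv1a64(g_partition, PART_SIZE);
}

/* Copy the partition into a caller buffer (role of read_from_partition). */
static void read_partition(uint8_t *out) {
    memcpy(out, g_partition, PART_SIZE);
}

/* Stands in for any writer that changes storage after the check. */
static void modify_storage(void) {
    g_partition[0] ^= 0xFF;
}

/* Racy pattern: verify a temporary copy, discard it, read again for use.
 * The check passes, but the digest of what is actually used may differ. */
static uint64_t verify_then_reload(uint64_t expected, bool modified_between,
                                   bool *check_passed) {
    uint8_t tmp[PART_SIZE];
    read_partition(tmp);
    *check_passed = (fnv1a64(tmp, PART_SIZE) == expected);
    if (modified_between) modify_storage();
    uint8_t used[PART_SIZE];
    read_partition(used);          /* second read is not what was checked */
    return fnv1a64(used, PART_SIZE);
}

/* Safe pattern: verify the buffer that will be used and keep using it.
 * Later changes to storage cannot affect the already-verified bytes. */
static uint64_t verify_and_keep(uint64_t expected, bool modified_between,
                                bool *check_passed, uint8_t *used) {
    read_partition(used);
    *check_passed = (fnv1a64(used, PART_SIZE) == expected);
    if (modified_between) modify_storage();
    return fnv1a64(used, PART_SIZE); /* same bytes that were checked */
}

int main(void) {
    uint64_t expected = setup_partition();
    bool ok;
    uint64_t h = verify_then_reload(expected, true, &ok);
    printf("verify-then-reload: check %s, used data %s\n",
           ok ? "passed" : "failed", h == expected ? "matches" : "DIFFERS");
    setup_partition();
    uint8_t buf[PART_SIZE];
    h = verify_and_keep(expected, true, &ok, buf);
    printf("verify-and-keep:    check %s, used data %s\n",
           ok ? "passed" : "failed", h == expected ? "matches" : "DIFFERS");
    return 0;
}
```

This is also why the commit's change saves work: if a caller such as fs_mgr does not keep the loaded hash partition, hashing it during avb_slot_verify() costs time without buying any assurance, so it is only done for the partitions the caller asks for and will hold on to.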
27a291fcc1948ca8309b307c34d3eb229c5d208d
28-Apr-2017
David Zeuthen <zeuthen@google.com>

libavb: Load entire partition if |allow_verification_error| is true.

This is needed to make the common workflow of

  $ fastboot flash boot /path/to/boot.img

work. To do this we need to introduce a new AvbOps operation to get the partition size. Note that libavb integrators had already had to do this to implement read_from_partition() when a negative offset is passed... so this shouldn't be a lot of extra work.

Also note that since libavb has no stable API this is not a breaking change so there is no need to bump any version numbers (version numbers are mostly for on-disk formats) ... in other words, libavb integrators are expected to re-integrate and re-test their bootloader code every time they uprev to a newer libavb. In this case they need to implement a new AvbOps operation.

Add some extra docs to AvbOps to spell out that the struct should be zeroed before being populated with function pointers. This is to ensure unimplemented operations are always set to NULL. For now handle the case where the new operation is NULL (e.g. not implemented) and just warn using avb_error() that it should be implemented. Add pre-condition checks to avb_slot_verify() to check that all required operations at least are set.

Add a new unit test for this and also implement it in the examples/uefi boot loader and libavb_user.

Bug: 37709309
Test: New unit test + all unit tests pass.
Test: Manually tested on UEFI-based bootloader.
Change-Id: Id225af91add2e52167994e80b5b3a788c6909c15

/external/avb/test/fake_avb_ops.cc

a5fd3a4b5617b75ce5666e1bfd38be578e865e1f
27-Feb-2017
David Zeuthen <zeuthen@google.com>

Allow top-level vbmeta struct to be in 'boot' partition.

If there is no 'vbmeta' partition try to load the top-level vbmeta struct from the end of 'boot' via a footer. Two use-cases come to mind

- bring-up when the partition table doesn't yet mention vbmeta; and
- upgrades where it's not feasible to change the partition table

Bug: None
Test: New unit tests and all unit tests pass.
Change-Id: Id0c6c0f95ce157ffbeb0692d3c9547f49ab58640

/external/avb/test/fake_avb_ops.cc

147b08db62f068c4fa76c3629f83d4282b614039
21-Dec-2016
Darren Krahn <dkrahn@google.com>

Implement AVB Android Things eXtension (ATX)

Android Things requires specific public key metadata and verification logic to correctly verify vbmeta public keys. This CL includes the verification logic, tools to create metadata, and documentation.

Bug: 33553097
Test: unit tests
Change-Id: I98955d3616f4c3ca1b893eb3941041e5e735fc7e
(cherry picked from commit f89ed80e7d6c1a1526a032cefca80ab146ec1753)

/external/avb/test/fake_avb_ops.cc

574ed9991715ef621b38a4d8417e1707653105d3
05-Jan-2017
David Zeuthen <zeuthen@google.com>

Rework interactions between AvbOps and AvbABOps.

Use pointers instead of aggregation and introduce a |user_data| field that can be used for platform-specific resources. This makes it easier for bootloader vendors since they don't have to "subclass" AvbOps or AvbABOps - instead they can just point to their platform-specific data using the |user_data| member in AvbOps.

Additionally, this change makes it possible to add other libraries on top (such as libavb_atx) whilst still using both libavb and libavb_ab.

Bug: None
Test: Unit tests pass.
Test: Manually tested on UEFI based bootloader.
Change-Id: I72963cde94fdc922060e3cc42d7f360f6da01bb0

/external/avb/test/fake_avb_ops.cc

4b6a634e48353da1e119ebe0287299f7b919d778
03-Jan-2017
David Zeuthen <zeuthen@google.com>

Fix-up coding style and add PREUPLOAD.cfg file.

Previous commits broke the style specified in our .clang-format file - fixed this by running it through clang-format(1). During this process discovered that I've been invoking clang-format(1) without the --style=file option meaning that our .clang-format file actually hadn't been used at all. So there's a rather big amount of formatting changes in this CL.

Also replaced the .clang-format symlink target to ../../build/tools/brillo-clang-format with our own file since the brillo one may go away in the future or not exist at all.

Finally, added a PREUPLOAD.cfg file to do this on every commit. See https://android.googlesource.com/platform/tools/repohooks/ for more information about how this works.

Bug: None
Test: Manually tested.
Test: All unit tests pass.
Change-Id: I6461478a62efd81689bc4316c22f758e7f98f59f

/external/avb/test/fake_avb_ops.cc

72d5790de1e0e6ee5e8b185e59d102cbb46a986a
13-Dec-2016
Darren Krahn <dkrahn@google.com>

test: Add abstract delegate and better rollback indexes to FakeAvbOps

The abstract delegate allows tests to override and set their own delegate, effectively customizing the fake behavior with minimal fuss. A test could even use gmock to implement a delegate.

Rollback indexes will not necessarily be contiguous (0, 1, 2, ...) going forward so handling them via an index-to-value map is better than a strict vector.

Also, this CL moves C++ code, including tests, into a namespace.

Bug: 33553097
Test: unit
Change-Id: Ib53637c8b9320d9847b079aad79ce4fbd8ffc701

/external/avb/test/fake_avb_ops.cc

40ee1da883c634ce94bb69e97a52598f8fbc151d
23-Nov-2016
David Zeuthen <zeuthen@google.com>

Rename "rollback index slot" to "rollback index location".

This is because the word slot is already used in the context of A/B. Less confusing this way.

Bug: 33100927
Test: New unit tests and all unit tests pass.
Test: Manually tested on UEFI based bootloader.
Change-Id: Ic611b02dc18e7dd9f14c2c87b247be3cd8f4aaf2

/external/avb/test/fake_avb_ops.cc

18666abc5d8276a743111e6c3608e66f6c85fb51
15-Nov-2016
David Zeuthen <zeuthen@google.com>

Make it possible to include public key metadata.

A new option --public_key_metadata can be used at image build time to include a "public key metadata" blob in the vbmeta struct and this data is passed to the validate_vbmeta_public_key() AvbOps operation along with the public key.

The use-case for this option is a device where the root-of-trust embedded in the device is different from the key used to sign AVB metadata. Specifically, the public key metadata blob can be data signed by the device root-of-trust and the data could assert the trust chain between this root-of-trust and the AVB public key used to sign the AVB metadata.

(This change breaks the on-disk image format but that's OK because we're still pre-1.0 with respect to image format stability guarantees.)

Bug: 32736356
Test: New unit tests and all unit tests pass.
Test: Tested in UEFI-based bootloader in qemu.
Change-Id: I7b9c3bf2f9326b5bb5659b2a431a59a5c9016aff

/external/avb/test/fake_avb_ops.cc

baf59e232e48d0111e4b38f74c60c89e6f8f0b14
14-Nov-2016
David Zeuthen <zeuthen@google.com>

libavb: Move all A/B functionality into separate libavb_ab/ directory.

This new libavb_ab "library" depends on libavb "library" insofar that it's using the same abstractions (system dependencies and operations). For easy integration the newly introduced AvbABOps struct extends the AvbOps struct so users can build just a single struct and use that for both.

Also emphasize in README that libavb_ab usage is optional and that it's possible to integrate libavb with another A/B stack.

(The quotes in use for "library" above are because these are not really libraries from a system-integration perspective. That is, 3rd parties are expected to integrate this source-code with their own build-system and toolchain.)

Since we now have multiple libraries - at least from the point of view of how it's used in unit tests - change Android.mk such that library users need to use libavb/libavb.h and libavb_ab/libavb_ab.h instead of just e.g. libavb.h.

Test: Unit tests pass
Test: Tested in UEFI-based bootloader in qemu.
Test: Tested boot_control.avb.so in same UEFI-based system.
Bug: None
Change-Id: I19ea8f6bd1e63b2617b0e9fa9fc3b2a68ac4a92e

/external/avb/test/fake_avb_ops.cc

4cc9652142693767098d5d96fccc822cefaf63de
28-Oct-2016
David Zeuthen <zeuthen@google.com>

libavb: Make it possible to store A/B metadata somewhere else than 'misc'.

For multi-stage bootloaders it might be desirable for the early stage to store A/B metadata in e.g. NVRAM rather than on disk. Allow this by introducing read_ab_metadata() and write_ab_metadata() operations in AvbOps and use these instead of avb_ab_data_read() and avb_ab_data_write(). Make a note in the AvbOps docs that avb_ab_data_read() and avb_ab_data_write() can be used directly.

Bug: None
Test: New unit tests and unit tests pass.
Test: Tested in UEFI-based bootloader in qemu.
Change-Id: I0e32e387de8f9239de1c035e1c0db03e43a66115

/external/avb/test/fake_avb_ops.cc

507752b2b5eed4340288d805b61e04d39ed4f618
29-Sep-2016
David Zeuthen <zeuthen@google.com>

libavb: Allow AvbOps functions to fail with OOM.

To do this we have to slightly change some public library API so we can bubble up OOM failures. Also fix up the boot_control implementation since it's using some of this API.

Also fix two warnings found by compiling with gcc instead of clang.

Bug: None
Change-Id: I241ee10e10cef5d7f7ec8db418b279a2a2543c9e
Test: All unit tests pass.

/external/avb/test/fake_avb_ops.cc

8b6973be7468f5c0db42ff8fcd91f8e97a345a27
20-Sep-2016
David Zeuthen <zeuthen@google.com>

Add A/B implementation.

This CL adds routines for working with A/B metadata, including A/B selection and managing rollback indexes. A/B metadata is stored in the 'misc' partition in the |slot_suffix| field using a format private to libavb - see bootable/recovery/bootloader.h for more details. A new set_ab_metadata sub-command has been added to avbtool for initializing A/B metadata at build time.

A/B metadata integrity is provided by a simple magic marker and a CRC-32 checksum. If invalid A/B metadata is detected, the behavior is to reset the A/B metadata to a known state where both slots are given seven boot tries.

An implementation of the boot_control HAL using AVB-specific A/B metadata is also provided.

Also factored out the test-side AvbOps into a FakeAvbOps class and put it in its own file.

Saw a couple of references to things like "Brillo Boot Image" and the like. Fixed these up.

This CL is based on work done by Kevin Chavez - see b/29072323 - during his internship at Google.

BUG=31264229
TEST=New unit tests + all unit tests pass.
TEST=Manual testing of boot_control HAL using the bootctl command.
Change-Id: I594ea4173a051ecb72636058440372ff1ca5855b

/external/avb/test/fake_avb_ops.cc

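The integrity rule the commit above describes (magic marker plus CRC-32, with a reset to a known state where both slots get seven boot tries whenever the record fails validation), as an added example that is not libavb code. The record layout ab_data_t, the magic value AB_MAGIC and the priority value AB_DEFAULT_PRIO are constructed for this illustration and are not libavb's on-disk format; the CRC-32 is the standard reflected variant. The point shown is that a load path must never act on metadata whose marker or checksum does not match: a stale write that skipped the CRC update is treated the same as a flipped byte, and both fall back to the known state.

```c
/* Added example, not libavb code: the integrity rule the commit describes
 * (magic marker + CRC-32, reset to a known state on corruption) applied to
 * an assumed, simplified record layout. The layout, magic value and
 * priority value are constructed for illustration and are not libavb's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AB_MAGIC          0x42412B41u /* constructed placeholder magic */
#define AB_DEFAULT_TRIES  7           /* boot tries given to each slot on reset */
#define AB_DEFAULT_PRIO   15          /* assumed "bootable" priority value */

/* Assumed record layout (12 bytes of fields, then the CRC over those bytes). */
typedef struct {
    uint32_t magic;
    uint8_t  priority[2];
    uint8_t  tries_remaining[2];
    uint8_t  successful_boot[2];
    uint8_t  reserved[2];
    uint32_t crc32;  /* CRC-32 of every byte before this field */
} ab_data_t;

/* Standard reflected CRC-32 (polynomial 0xEDB88320), bitwise, no table. */
static uint32_t crc32_compute(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t ab_crc(const ab_data_t *d) {
    return crc32_compute((const uint8_t *)d, offsetof(ab_data_t, crc32));
}

/* Known state: both slots bootable with the default number of tries. */
static void ab_reset(ab_data_t *d) {
    memset(d, 0, sizeof *d);
    d->magic = AB_MAGIC;
    for (int s = 0; s < 2; s++) {
        d->priority[s] = AB_DEFAULT_PRIO;
        d->tries_remaining[s] = AB_DEFAULT_TRIES;
    }
    d->crc32 = ab_crc(d);
}

/* Valid only if the marker matches and the CRC covers the current bytes. */
static bool ab_valid(const ab_data_t *d) {
    return d->magic == AB_MAGIC && d->crc32 == ab_crc(d);
}

/* Load path: any corruption (bad magic, stale or flipped bytes) falls back
 * to the known state instead of acting on untrusted contents.
 * Returns true if a reset was performed. */
static bool ab_load(ab_data_t *d) {
    if (ab_valid(d)) return false;
    ab_reset(d);
    return true;
}

int main(void) {
    ab_data_t d;
    ab_reset(&d);
    d.tries_remaining[0] = 2;        /* stale write that skipped the CRC update */
    printf("valid before load: %d\n", (int)ab_valid(&d));
    printf("reset on load: %d, tries now %d/%d\n", (int)ab_load(&d),
           (int)d.tries_remaining[0], (int)d.tries_remaining[1]);
    return 0;
}
```

A CRC-32 detects accidental corruption only; it is not a cryptographic integrity check, which is consistent with the commit describing it as a "simple" marker and checksum for A/B state rather than a security boundary. The rollback indexes and vbmeta signatures handled elsewhere in libavb are what protect against deliberate tampering.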