History log of /external/avb/test/fake_avb_ops.cc
Revision Date Author Comments
01ca9962bd0d18d0a958b289fe481cdab7c072ca 23-May-2017 David Zeuthen <zeuthen@google.com> libavb: Only load and verify hash partition if requested.

Currently avb_slot_verify() will load _and_ verify all hash partitions
mentioned in vbmeta structs even if a partition isn't in the
|requested_partitions| parameter.

The current behavior is not useful because verification of a hash
partition only works if you keep the loaded data around. If you don't
keep it around, you set yourself up for a time-of-check-to-time-of-use
(TOCTTOU) attack insofar that an attacker can change the partition
contents in the window between when it was checked and when you load it
again.

This should save ~400ms (the cost of sha256'ing ~32 MiB of data) in
fs_mgr / early-mount. This is because fs_mgr requests no partitions to
be loaded since it is only interested in the vbmeta structs.

Bug: None
Test: New unit test + all unit tests pass.
Test: Manually tested on UEFI-based boot loader.
Change-Id: I3e60d6c01e431c43ee2c629ed84318cbeac44347
/external/avb/test/fake_avb_ops.cc
27a291fcc1948ca8309b307c34d3eb229c5d208d 28-Apr-2017 David Zeuthen <zeuthen@google.com> libavb: Load entire partition if |allow_verification_error| is true.

This is needed to make the common workflow of

$ fastboot flash boot /path/to/boot.img

work. To do this we need to introduce a new AvbOps operation to get
the partition size. Note that libavb integrators had already had to do
this to implement read_from_partition() when a negative offset is
passed... so this shouldn't be a lot of extra work.

Also note that since libavb has no stable API this is not a breaking
change so there is no need to bump any version numbers (version
numbers are mostly for on-disk formats) ... in other words, libavb
integrators are expected to re-integrate and re-test their bootloader
code every time they uprev to a newer libavb. In this case they need
to implement a new AvbOps operation.

Add some extra docs to AvbOps to spell out that the struct should be
zeroed before being populated with function pointers. This is to
ensure unimplemented operations are always set to NULL.

For now handle the case where the new operation is NULL (e.g. not
implemented) and just warn using avb_error() that it should be
implemented.

Add pre-condition checks to avb_slot_verify() to check that all
required operations at least are set.

Add a new unit test for this and also implement it in the
examples/uefi boot loader and libavb_user.

Bug: 37709309
Test: New unit test + all unit tests pass.
Test: Manually tested on UEFI-based bootloader.
Change-Id: Id225af91add2e52167994e80b5b3a788c6909c15
/external/avb/test/fake_avb_ops.cc
a5fd3a4b5617b75ce5666e1bfd38be578e865e1f 27-Feb-2017 David Zeuthen <zeuthen@google.com> Allow top-level vbmeta struct to be in 'boot' partition.

If there is no 'vbmeta' partition try to load the top-level vbmeta
struct from the end of 'boot' via a footer.

Two use-cases come to mind

- bring-up when the partition table doesn't yet mention vbmeta; and
- upgrades where it's not feasible to change the partition table

Bug: None
Test: New unit tests and all unit tests pass.
Change-Id: Id0c6c0f95ce157ffbeb0692d3c9547f49ab58640
/external/avb/test/fake_avb_ops.cc
147b08db62f068c4fa76c3629f83d4282b614039 21-Dec-2016 Darren Krahn <dkrahn@google.com> Implement AVB Android Things eXtension (ATX)

Android Things requires specific public key metadata and verification
logic to correctly verify vbmeta public keys. This CL includes the
verification logic, tools to create metadata, and documentation.

Bug: 33553097
Test: unit tests
Change-Id: I98955d3616f4c3ca1b893eb3941041e5e735fc7e
(cherry picked from commit f89ed80e7d6c1a1526a032cefca80ab146ec1753)
/external/avb/test/fake_avb_ops.cc
574ed9991715ef621b38a4d8417e1707653105d3 05-Jan-2017 David Zeuthen <zeuthen@google.com> Rework interactions between AvbOps and AvbABOps.

Use pointers instead of aggregation and introduce a |user_data| field
that can be used for platform-specific resources. This makes it easier
for bootloader vendors since they don't have to "subclass" AvbOps or
AvbABOps - instead they can just point to their platform-specific data
using the |user_data| member in AvbOps. Additionally, this change
makes it possible to add other libraries on top (such as libavb_atx)
whilst still using both libavb and libavb_ab.

Bug: None
Test: Unit tests pass.
Test: Manually tested on UEFI based bootloader.

Change-Id: I72963cde94fdc922060e3cc42d7f360f6da01bb0
/external/avb/test/fake_avb_ops.cc
4b6a634e48353da1e119ebe0287299f7b919d778 03-Jan-2017 David Zeuthen <zeuthen@google.com> Fix-up coding style and add PREUPLOAD.cfg file.

Previous commits broke the style specified in our .clang-format file -
fixed this by running it through clang-format(1). During this process
discovered that I've been invoking clang-format(1) without the
--style=file option meaning that our .clang-format file actually
hadn't been used at all. So there's a rather big amount of formatting
changes in this CL.

Also replaced the .clang-format symlink target to
../../build/tools/brillo-clang-format with our own file since the
brillo one may go away in the future or not exist at all.

Finally, added a PREUPLOAD.cfg file to do this on every commit. See

https://android.googlesource.com/platform/tools/repohooks/

for more information about how this works.

Bug: None
Test: Manually tested.
Test: All unit tests pass.
Change-Id: I6461478a62efd81689bc4316c22f758e7f98f59f
/external/avb/test/fake_avb_ops.cc
72d5790de1e0e6ee5e8b185e59d102cbb46a986a 13-Dec-2016 Darren Krahn <dkrahn@google.com> test: Add abstract delegate and better rollback indexes to FakeAvbOps

The abstract delegate allows tests to override and set their own
delegate, effectively customizing the fake behavior with minimal fuss. A
test could even use gmock to implement a delegate.

Rollback indexes will not necessarily be contiguous (0, 1, 2, ...) going
forward so handling them via an index-to-value map is better than a
strict vector.

Also, this CL moves C++ code, including tests, into a namespace.

Bug: 33553097
Test: unit

Change-Id: Ib53637c8b9320d9847b079aad79ce4fbd8ffc701
/external/avb/test/fake_avb_ops.cc
40ee1da883c634ce94bb69e97a52598f8fbc151d 23-Nov-2016 David Zeuthen <zeuthen@google.com> Rename "rollback index slot" to "rollback index location".

This is because the word slot is already used in the context of
A/B. Less confusing this way.

Bug: 33100927
Test: New unit tests and all unit tests pass.
Test: Manually tested on UEFI based bootloader.

Change-Id: Ic611b02dc18e7dd9f14c2c87b247be3cd8f4aaf2
/external/avb/test/fake_avb_ops.cc
18666abc5d8276a743111e6c3608e66f6c85fb51 15-Nov-2016 David Zeuthen <zeuthen@google.com> Make it possible to include public key metadata.

A new option --public_key_metadata can be used at image build time to
include a "public key metadata" blob in the vbmeta struct and this
data is passed to the validate_vbmeta_public_key() AvbOps operation
along with the public key.

The use-case for this option is a device where the root-of-trust
embedded in the device is different from the key used to sign AVB
metadata. Specifically, the public key metadata blob can be data
signed by the device root-of-trust and the data could assert the trust
chain between this root-of-trust and the AVB public key used to sign
the AVB metadata.

(This change breaks the on-disk image format but that's OK because
we're still pre-1.0 with respect to image format stability
guarantees.)

Bug: 32736356
Test: New unit tests and all unit tests pass.
Test: Tested in UEFI-based bootloader in qemu.

Change-Id: I7b9c3bf2f9326b5bb5659b2a431a59a5c9016aff
/external/avb/test/fake_avb_ops.cc
baf59e232e48d0111e4b38f74c60c89e6f8f0b14 14-Nov-2016 David Zeuthen <zeuthen@google.com> libavb: Move all A/B functionality into separate libavb_ab/ directory.

This new libavb_ab "library" depends on libavb "library" insofar that
it's using the same abstractions (system dependencies and
operations). For easy integration the newly introduced AvbABOps struct
extends the AvbOps struct so users can build just a single struct and
use that for both.

Also emphasize in README that libavb_ab usage is optional and that
it's possible to integrate libavb with another A/B stack.

(The quotes in use for "library" above are because these are not really
libraries from a system-integration perspective. That is, a 3rd party is
expected to integrate this source-code with their own build-system and
toolchain.)

Since we now have multiple libraries - at least from the point of view
of how it's used in unit tests - change Android.mk such that library
users need to use libavb/libavb.h and libavb_ab/libavb_ab.h instead of
just e.g. libavb.h.

Test: Unit tests pass
Test: Tested in UEFI-based bootloader in qemu.
Test: Tested boot_control.avb.so in same UEFI-based system.
Bug: None

Change-Id: I19ea8f6bd1e63b2617b0e9fa9fc3b2a68ac4a92e
/external/avb/test/fake_avb_ops.cc
4cc9652142693767098d5d96fccc822cefaf63de 28-Oct-2016 David Zeuthen <zeuthen@google.com> libavb: Make it possible to store A/B metadata somewhere else than 'misc'.

For multi-stage bootloaders it might be desirable for the early stage to
store A/B metadata in e.g. NVRAM rather than on disk.

Allow this by introducing read_ab_metadata() and write_ab_metadata()
operations in AvbOps and use these instead of avb_ab_data_read() and
avb_ab_data_write().

Make a note in the AvbOps docs that avb_ab_data_read() and
avb_ab_data_write() can be used directly.

Bug: None
Test: New unit tests and unit tests pass.
Test: Tested in UEFI-based bootloader in qemu.
Change-Id: I0e32e387de8f9239de1c035e1c0db03e43a66115
/external/avb/test/fake_avb_ops.cc
507752b2b5eed4340288d805b61e04d39ed4f618 29-Sep-2016 David Zeuthen <zeuthen@google.com> libavb: Allow AvbOps functions to fail with OOM.

To do this we have to slightly change some public library API so we can
bubble up OOM failures. Also fix up the boot_control implementation
since it's using some of this API.

Also fix two warnings found by compiling with gcc instead of clang.

Bug: None
Change-Id: I241ee10e10cef5d7f7ec8db418b279a2a2543c9e
Test: All unit tests pass.
/external/avb/test/fake_avb_ops.cc
8b6973be7468f5c0db42ff8fcd91f8e97a345a27 20-Sep-2016 David Zeuthen <zeuthen@google.com> Add A/B implementation.

This CL adds routines for working with A/B metadata, including A/B
selection and managing rollback indexes.

A/B metadata is stored in the 'misc' partition in the |slot_suffix|
field using a format private to libavb - see bootable/recovery/bootloader.h
for more details. A new set_ab_metadata sub-command has been added to
avbtool for initializing A/B metadata at build time.

A/B metadata integrity is provided by a simple magic marker and a CRC-32
checksum. If invalid A/B metadata is detected, the behavior is to reset
the A/B metadata to a known state where both slots are given seven boot
tries.

An implementation of the boot_control HAL using AVB-specific A/B
metadata is also provided.

Also factored out the test-side AvbOps into a FakeAvbOps class and put
it in its own file.

Saw a couple of references to things like "Brillo Boot Image" and the
like. Fixed these up.

This CL is based on work done by Kevin Chavez - see b/29072323 - during
his internship at Google.

BUG=31264229
TEST=New unit tests + all unit tests pass.
TEST=Manual testing of boot_control HAL using the bootctl command.

Change-Id: I594ea4173a051ecb72636058440372ff1ca5855b
/external/avb/test/fake_avb_ops.cc