fd0ba0d49101461dbb493cfb28c3a0a2158559b9 |
|
02-Feb-2018 |
Darren Krahn <dkrahn@google.com> |
Implement support for on-device persistent digests. This feature allows digests from on-device persistent storage to be used in place of digests embedded in descriptors. This allows verification of partitions which hold per-device configuration data set during a factory or provisioning stage and expected to remain unchanged from that point forward. Support is added for both 'hash' and 'hashtree' descriptors. In the case of hashtree descriptors, the verity root digest needs to be added to the kernel command line so this can be configured later without access to AVB persistent storage. This is accomplished by supporting substitutions of the form $(AVB_<part_name>_ROOT_DIGEST) where <part_name> is the uppercase partition name. For example, if the partition name was 'factory' the kernel command line descriptor would hold: "androidboot.vbmeta.root_digest.factory=$(AVB_FACTORY_ROOT_DIGEST)" The persistent value ops are designed to be reusable. Persistent values are expected to be tamper-proof, similar to rollback indexes, and are not expected to be available outside of the boot code running AVB. Using persistent digests also requires that the partition not use A/B. A new flag has been added to avbtool to support this as well as a 'flags' field in hash and hashtree descriptors. This CL bumps the AVB version to 1.1 and any use of persistent digests (or the --do_not_use_ab flag) will set the minimum libavb version in vbmeta to 1.1. If these features are not used, the minimum remains 1.0. Bug: 73020477 Test: Unit Change-Id: Iffef31b232492bc8700ab8496c5da2ccfb49be44
/external/avb/libavb/avb_hashtree_descriptor.h
|
5cb2db99e2bd7ea889a91f22d3c104118ff199b7 |
|
27-Oct-2016 |
David Zeuthen <zeuthen@google.com> |
Add room for expansion in descriptors. As seen in the previous CL adding FEC data to the Hashtree descriptor, it's not inconceivable that we'll need additional fields in the future. Therefore add a reserved field of 64 bytes for each descriptor type. This way we can add fields in the future without breaking forwards or backwards compatibility. Don't do this for Property or KernelCmdline descriptors since these are already free-form data. Bug: None Test: Unit tests pass. Change-Id: I4a277546fd48e83f861ab5484f7e18524b7b0117
/external/avb/libavb/avb_hashtree_descriptor.h
|
0b7f1d3aadf8fcc79fff914480c7efcc3cfa4008 |
|
25-Oct-2016 |
David Zeuthen <zeuthen@google.com> |
Add support for FEC in hashtrees. This change adds support for 'avbtool add_hashtree_footer' options --generate_fec and --fec_num_roots. If used, this generates FEC data on the given image. If used on the root filesystem, the kernel command-line will be set up to use it. For more information about FEC, see https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity By default this feature is not turned on. It can be enabled for the root filesystem by adding this line BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS := --generate_fec to the build system files. Note that this change extends the AvbHashtreeDescriptor struct to carry FEC-related metadata. This change would normally be a no-no (since we're changing metadata stored on disk!) but since AVB isn't yet used in device firmware - or even undergone a release (see Issue 32414650) - this change is considered to be OK. Test: New unit tests + unit tests pass. Test: Manually tested in qemu using a UEFI-based bootloader. Bug: 31263832 Change-Id: I271956112c0fe52f57e3a66c0d0658e6b5266239
/external/avb/libavb/avb_hashtree_descriptor.h
|
c612e2e353444f6ad714e43702c2afd057516254 |
|
16-Sep-2016 |
David Zeuthen <zeuthen@google.com> |
Switch to MIT license. BUG=31508897 TEST=Unit tests pass. Change-Id: I790afce2889e3dfaf6a53c02ccaaec3544229a9c
/external/avb/libavb/avb_hashtree_descriptor.h
|
21e95266704e572ced1c633bbc4aea9f42afa0a5 |
|
27-Jul-2016 |
David Zeuthen <zeuthen@google.com> |
Add common verified boot tools and library. This code is originally from the Brillo project but has been adapted for use in all of Android. It consists of a tool - avbtool - for working with images (e.g. boot.img, system.img). See the README file for how it's integrated into the Android build system and how to enable it. The main job of avbtool is to create vbmeta.img which is the top-level object for verified boot. This image is designed to go into the vbmeta partition (or, if using A/B, the slot in question e.g. vbmeta_a or vbmeta_b) and be of minimal size (for out-of-band updates). The vbmeta image is cryptographically signed and contains verification data (e.g. cryptographic digests) for verifying boot.img, system.img, and other partitions/images. The vbmeta image can also contain references to other partitions where verification data is stored as well as a public key indicating who should sign the verification data. This indirection provides delegation, that is, it allows a 3rd party to control content on a given partition by including the public key said 3rd party is using to sign the data with, in vbmeta.img. By design, this authority can be easily revoked by simply updating vbmeta.img with new descriptors for the partition in question. Storing signed verification data on other images - for example boot.img and system.img - is also done with avbtool. In addition to avbtool, a library - libavb - is provided. This library performs all verification on the device side e.g. it starts by loading the vbmeta partition, checks the signature, and then goes on to load the boot partition for verification. The libavb library is intended to be used in both boot loaders and inside Android. It has a simple abstraction for system dependencies (see libavb/avb_sysdeps.h) as well as operations that the boot loader or OS is expected to implement (see libavb/avb_ops.h). 
In addition to handling verified boot, libavb will in the future be extended to handle A/B selection in a way that can be used in the device's fastboot implementation, its boot loader, and its boot_control HAL implementation. This will be implemented in a future CL. BUG=29414516 TEST=Unit tests for avbtool and libavb + unit tests pass. Change-Id: I69ee86878e21fa718faccfc56eb0b1f40707d847
/external/avb/libavb/avb_hashtree_descriptor.h
|