| fd0ba0d49101461dbb493cfb28c3a0a2158559b9 |
|
02-Feb-2018 |
Darren Krahn <dkrahn@google.com> |
Implement support for on-device persistent digests.
This feature allows digests from on-device persistent storage to be used
in place of digests embedded in descriptors. This allows verification of
partitions which hold per-device configuration data set during a factory
or provisioning stage and expected to remain unchanged from that point
forward.
Support is added for both 'hash' and 'hashtree' descriptors. In the case
of hashtree descriptors, the verity root digest needs to be added to the
kernel command line so this can be configured later without access to
AVB persistent storage. This is accomplished by supporting substitutions
of the form $(AVB_<part_name>_ROOT_DIGEST) where <part_name> is the
uppercase partition name. For example, if the partition name was
'factory' the kernel command line descriptor would hold:
"androidboot.vbmeta.root_digest.factory=$(AVB_FACTORY_ROOT_DIGEST)"
The persistent value ops are designed to be reusable. Persistent values
are expected to be tamper-proof, similar to rollback indexes, and are
not expected to be available outside of the boot code running AVB.
Using persistent digests also requires that the partition not use A/B.
A new flag has been added to avbtool to support this as well as a
'flags' field in hash and hashtree descriptors.
This CL bumps the AVB version to 1.1 and any use of persistent digests
(or the --do_not_use_ab flag) will set the minimum libavb version in
vbmeta to 1.1. If these features are not used, the minimum remains 1.0.
Bug: 73020477
Test: Unit
Change-Id: Iffef31b232492bc8700ab8496c5da2ccfb49be44
/external/avb/libavb/avb_util.c
|
| 36e5c43f58d2565dd1d432633b27115a073bd9d2 |
|
27-Oct-2017 |
Zach Riggle <riggle@google.com> |
Fix incorrect variable names in avb_replace
Test: All unit tests pass.
Change-Id: Ic6beda299b59af6ca1ea0f74526bffbcb5f81b15
/external/avb/libavb/avb_util.c
|
| f1bdec37f0f97c0640667178b2ac152c54442dfc |
|
10-Mar-2017 |
David Zeuthen <zeuthen@google.com> |
libavb: Only print basename of file in avb_debug() and friends.
In some setups where libavb is used, the macro __FILE__ evaluates to a
really long strings such as
/some_mount_point/path/to/something/and/then/libavb/avb_slot_verify.c
/foo/bar/baz/foo/XyzComponent/../../libavb/avb_slot_verify.c
meaning that debug output is cluttered to the point that it's not
useful. Unfortunately there's no __FILENAME__ macro in C so instead
figure out the basename at runtime.
Bug: None
Test: New unit tests and unit tests pass.
Test: Tested on various boot loaders.
Change-Id: Icb7d407bc0960d50ac069d3426a48531775dcf89
/external/avb/libavb/avb_util.c
|
| bc41cead048a90f63e3dd4335097c5588ec09345 |
|
16-Feb-2017 |
David Zeuthen <zeuthen@google.com> |
libavb: Include androidboot.vbmeta.version in the generated command-line.
This version number represents the version of the libavb embedded in
the bootloader. This can be used at run-time to reject updates that
would write a vbmeta partition with a newer version than what the
bootloader supports.
(Also include some fixes for the previous CL which didn't make the cut
before Treehugger merged it.)
Bug: 35416772
Test: New unit tests and all unit tests pass.
Test: Manually tested on UEFI based bootloader.
Change-Id: Ie6aea68d0d5154be64cb1fff0699d16a0b123d39
/external/avb/libavb/avb_util.c
|
| 19c38437eb77101ac30b29135cca58fbc684eace |
|
16-Feb-2017 |
David Zeuthen <zeuthen@google.com> |
libavb: Don't pass androidboot.slot_suffix in generated kernel command-line.
It's not appropriate to do this since the boot loader's A/B stack will
likely do this. Also add new avb_strdupv() utility function so it's
easy to do this yourself and update UEFI example bootloader to use
this.
Bug: None
Test: New unit tests + all unit tests pass.
Test: Manually tested on UEFI based bootloader.
Change-Id: I9f9596b1f273330e80a38d857233167fefcce01b
/external/avb/libavb/avb_util.c
|
| 4b6a634e48353da1e119ebe0287299f7b919d778 |
|
03-Jan-2017 |
David Zeuthen <zeuthen@google.com> |
Fix-up coding style and add PREUPLOAD.cfg file.
Previous commits broke the style specified our .clang-format file -
fixed this by running it through clang-format(1). During this process
discovered that I've been invoking clang-format(1) without the
--style=file option meaning that our .clang-format file actually
hadn't been used at all. So there's a rather big amount of formatting
changes in this CL.
Also replaced the .clang-format symlink target to
../../build/tools/brillo-clang-format with our own file since the
brillo one may go away in the future or not exist at all.
Finally, added a PREULOAD.cfg file to do this on every commit. See
https://android.googlesource.com/platform/tools/repohooks/
for more information about how this works.
Bug: None
Test: Manually tested.
Test: All unit tests pass.
Change-Id: I6461478a62efd81689bc4316c22f758e7f98f59f
/external/avb/libavb/avb_util.c
|
| a8bb9a0e8635e3562367ebfe89b1870b4e2cc8e2 |
|
28-Oct-2016 |
David Zeuthen <zeuthen@google.com> |
libavb: Make it possible to load other partitions than 'boot'.
Boot loaders may need to load other partitions than just 'boot'. For
example in a setup where both the Secure OS and Android is managed and
updated under the same A/B regime, the boot loader needs to load and
verify both of these and start both of them.
Concretely, make avb_slot_verify() and avb_ab_flow() take a list of
partition name to load and extend AvbSlotVerifyData to contain an array
of the partitions that were loaded.
Bug: None
Test: New unit tests and unit tests pass.
Test: Tested in UEFI-based bootloader and qemu.
Change-Id: I5c369faebf707f87df41418223ce94506d86058e
/external/avb/libavb/avb_util.c
|
| 8b6973be7468f5c0db42ff8fcd91f8e97a345a27 |
|
20-Sep-2016 |
David Zeuthen <zeuthen@google.com> |
Add A/B implementation.
This CL add routines for working with A/B metadata, including A/B
selection and managing rollback indexes.
A/B metadata is stored in the 'misc' partition in the |slot_suffix|
field using a format private to libavb - see bootable/recovery/bootloader.h
for more details. A new set_ab_metadata sub-command has been added to
avbtool for initializing A/B metadata at build time.
A/B metadata integrity is provided by a simple magic marker and a CRC-32
checksum. If invalid A/B metadata is detected, the behavior is to reset
the A/B metadata to a known state where both slots are given seven boot
tries.
An implementation of the boot_control HAL using AVB-specific A/B
metadata is also provided.
Also factored out the test-side AvbOps into a FakeAvbOps class and put
it in its own file.
Saw a couple of references to things like "Brillo Boot Image" and the
like. Fixed these up.
This CL is based on work done by Kevin Chavez - see b/29072323 - during
his internship at Google.
BUG=31264229
TEST=New unit tests + all unit tests pass.
TEST=Manual testing of boot_control HAL using the bootctl command.
Change-Id: I594ea4173a051ecb72636058440372ff1ca5855b
/external/avb/libavb/avb_util.c
|
| c612e2e353444f6ad714e43702c2afd057516254 |
|
16-Sep-2016 |
David Zeuthen <zeuthen@google.com> |
Switch to MIT license.
BUG=31508897
TEST=Unit tests pass.
Change-Id: I790afce2889e3dfaf6a53c02ccaaec3544229a9c
/external/avb/libavb/avb_util.c
|
| 21e95266704e572ced1c633bbc4aea9f42afa0a5 |
|
27-Jul-2016 |
David Zeuthen <zeuthen@google.com> |
Add common verified boot tools and library.
This code is originally from the Brillo project but has been adapted for
use in all of Android. It consists of a tool - avbtool - for working
with images (e.g. boot.img, system.img). See the README file for how
it's integrated into the Android build system and how to enable it.
The main job of avbtool is to create vbmeta.img which is the
top-level object for verified boot. This image is designed to go into
the vbmeta partition (or, if using A/B, the slot in question
e.g. vbmeta_a or vbmeta_b) and be of minimal size (for out-of-band
updates). The vbmeta image is cryptographically signed and contains
verification data (e.g. cryptographic digests) for verifying boot.img,
system.img, and other partitions/images.
The vbmeta image can also contain references to other partitions where
verification data is stored as well as a public key indicating who
should sign the verification data. This indirection provides
delegation, that is, it allows a 3rd party to control content on a given
partition by including the public key said 3rd party is using to sign
the data with, in vbmeta.img. By design, this authority can be easily
revoked by simply updating vbmeta.img with new descriptors for the
partition in question.
Storing signed verification data on other images - for example
boot.img and system.img - is also done with avbtool.
In addition to avbtool, a library - libavb - is provided. This library
performs all verification on the device side e.g. it starts by loading
the vbmeta partition, checks the signature, and then goes on to load
the boot partition for verification.
The libavb library is intended to be used in both boot loaders and
inside Android. It has a simple abstraction for system dependencies
(see libavb/avb_sysdeps.h) as well as operations that the boot loader
or OS is expected to implement (see libavb/avb_ops.h).
In addition to handling verified boot, libavb will in the future be
extended to handle A/B selection in a way that can be used in the
device's fastboot implementation, its boot loader, and its
boot_control HAL implementation. This will be implemented in a future
CL.
BUG=29414516
TEST=Unit tests for avbtool and libavb + unit tests pass.
Change-Id: I69ee86878e21fa718faccfc56eb0b1f40707d847
/external/avb/libavb/avb_util.c
|