.. SPDX-License-Identifier: GPL-2.0+

Android Verified Boot 2.0
=========================

This file contains information about the current support of Android Verified
Boot 2.0 in U-Boot.

Overview
--------

Verified Boot establishes a chain of trust from the bootloader to system images:

* Provides integrity checking for:

  * Android Boot image: Linux kernel + ramdisk. RAW hashing of the whole
    partition is done and the hash is compared with the one stored in
    the VBMeta image
  * ``system``/``vendor`` partitions: verifying root hash of dm-verity hashtrees

* Provides capabilities for rollback protection

Integrity of the bootloader (U-Boot BLOB and environment) is out of scope.

For additional details check [1]_.

AVB using OP-TEE (optional)
^^^^^^^^^^^^^^^^^^^^^^^^^^^

If AVB is configured to use OP-TEE (see `Enable on your board`_) rollback
indexes and device lock state are stored in RPMB. The RPMB partition is managed
by OP-TEE (see [2]_ for details) which is a secure OS leveraging ARM
TrustZone.

AVB 2.0 U-Boot shell commands
-----------------------------

Provides CLI interface to invoke AVB 2.0 verification + misc. commands for
different testing purposes::

    avb init <dev> - initialize avb 2 for <dev>
    avb read_rb <num> - read rollback index at location <num>
    avb write_rb <num> <rb> - write rollback index <rb> to <num>
    avb is_unlocked - returns unlock status of the device
    avb get_uuid <partname> - read and print uuid of partition <part>
    avb read_part <partname> <offset> <num> <addr> - read <num> bytes from
        partition <partname> to buffer <addr>
    avb read_part_hex <partname> <offset> <num> - read <num> bytes from
        partition <partname> and print to stdout
    avb write_part <partname> <offset> <num> <addr> - write <num> bytes to
        <partname> by <offset> using data from <addr>
    avb read_pvalue <name> <bytes> - read a persistent value <name>
    avb write_pvalue <name> <value> - write a persistent value <name>
    avb verify [slot_suffix] - run verification process using hash data
        from vbmeta structure
        [slot_suffix] - _a, _b, etc (if vbmeta partition is slotted)

Partitions tampering (example)
------------------------------

Boot or system/vendor (dm-verity metadata section) is tampered::

    => avb init 1
    => avb verify
    avb_slot_verify.c:175: ERROR: boot: Hash of data does not match digest in
    descriptor.
    Slot verification result: ERROR_IO

Vbmeta partition is tampered::

    => avb init 1
    => avb verify
    avb_vbmeta_image.c:206: ERROR: Hash does not match!
    avb_slot_verify.c:388: ERROR: vbmeta: Error verifying vbmeta image:
    HASH_MISMATCH
    Slot verification result: ERROR_IO

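The boot-partition check that fails above, together with the rollback
protection listed in the Overview, as an added Python example (not U-Boot or
libavb code). It assumes a salted SHA-256 hash descriptor and metadata that has
already been authenticated; the field names, result names and sample bytes are
constructed for this example.

```python
import hashlib
import hmac

# Constructed sample data standing in for a boot partition: the image
# followed by unused space up to the partition size.
SALT = bytes.fromhex("a1b2c3d4e5f60718")
BOOT_IMAGE = b"ANDROID!" + b"\x00" * 56 + b"kernel+ramdisk payload"
PARTITION = BOOT_IMAGE + b"\xff" * 32


def make_vbmeta(image, salt, rollback_index):
    """Build the simplified (hypothetical) metadata a signing step would emit."""
    return {
        "salt": salt,
        "image_size": len(image),
        "digest": hashlib.sha256(salt + image).digest(),
        "rollback_index": rollback_index,
    }


def verify_slot(partition, vbmeta, stored_rollback_index):
    """Return OK, TRUNCATED, HASH_MISMATCH or ROLLBACK (names are this example's)."""
    size = vbmeta["image_size"]
    if size > len(partition):
        return "TRUNCATED"  # cannot read as many bytes as the descriptor claims
    # Digest is taken over salt || image; bytes past image_size are not covered.
    actual = hashlib.sha256(vbmeta["salt"] + partition[:size]).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    if not hmac.compare_digest(actual, vbmeta["digest"]):
        return "HASH_MISMATCH"
    # Integrity alone would accept an old, validly hashed image; the index
    # kept in tamper-resistant storage (e.g. RPMB) rejects anything older.
    if vbmeta["rollback_index"] < stored_rollback_index:
        return "ROLLBACK"
    return "OK"


if __name__ == "__main__":
    meta = make_vbmeta(BOOT_IMAGE, SALT, rollback_index=5)
    flipped = bytearray(PARTITION)
    flipped[10] ^= 0x01  # single-bit change inside the image
    print(verify_slot(PARTITION, meta, 5))
    print(verify_slot(bytes(flipped), meta, 5))
    print(verify_slot(PARTITION, meta, 6))
```
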
Enable on your board
--------------------

The following options must be enabled::

    CONFIG_LIBAVB=y
    CONFIG_AVB_VERIFY=y
    CONFIG_CMD_AVB=y

In addition, optionally, if storing rollback indexes in RPMB with the help of
OP-TEE::

    CONFIG_TEE=y
    CONFIG_OPTEE=y
    CONFIG_OPTEE_TA_AVB=y
    CONFIG_SUPPORT_EMMC_RPMB=y

Then add an ``avb verify`` invocation to your Android boot sequence of
commands, so that a failed verification stops the boot, e.g.::

    => avb_verify=avb init $mmcdev; avb verify;
    => if run avb_verify; then \
            echo AVB verification OK. Continue boot; \
            set bootargs $bootargs $avb_bootargs; \
       else \
            echo AVB verification failed; \
            exit; \
       fi; \

    => emmc_android_boot= \
           echo Trying to boot Android from eMMC ...; \
           ... \
           run avb_verify; \
           mmc read ${fdtaddr} ${fdt_start} ${fdt_size}; \
           mmc read ${loadaddr} ${boot_start} ${boot_size}; \
           bootm $loadaddr $loadaddr $fdtaddr; \

If the partitions you want to verify are slotted (have A/B suffixes), then the
current slot suffix should be passed to the ``avb verify`` sub-command, e.g.::

    => avb verify _a

To switch on automatic generation of the vbmeta partition in an AOSP build, add
these lines to the device configuration mk file::

    BOARD_AVB_ENABLE := true
    BOARD_AVB_ALGORITHM := SHA512_RSA4096
    BOARD_BOOTIMAGE_PARTITION_SIZE := <boot partition size>

After flashing U-Boot, don't forget to update the environment and write the new
partition table::

    => env default -f -a
    => setenv partitions $partitions_android
    => env save
    => gpt write mmc 1 $partitions_android

References
----------

.. [1] https://android.googlesource.com/platform/external/avb/+/master/README.md
.. [2] https://www.op-tee.org/