From patchwork Wed Apr 25 13:18:05 2018
X-Patchwork-Submitter: Igor Opaniuk
X-Patchwork-Id: 134304
From: Igor Opaniuk
To: u-boot@lists.denx.de
Cc: trini@konsulko.com, praneeth@ti.com, misael.lopez@ti.com, joakim.bech@linaro.org
Date: Wed, 25 Apr 2018 16:18:05 +0300
Message-Id: <1524662285-19617-9-git-send-email-igor.opaniuk@linaro.org>
In-Reply-To: <1524662285-19617-1-git-send-email-igor.opaniuk@linaro.org>
References: <1524662285-19617-1-git-send-email-igor.opaniuk@linaro.org>
Subject: [U-Boot] [PATCH 8/8] doc: avb2.0: add README about AVB2.0 integration

Contains:
1. Overview of Android Verified Boot 2.0
2. Description of avb subset of commands
3. Examples of errors when boot/vendor/system/vbmeta partitions are tampered
4. Examples of enabling AVB2.0 on your setup

Signed-off-by: Igor Opaniuk
--- doc/README.avb2 | 100 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 doc/README.avb2 diff --git a/doc/README.avb2 b/doc/README.avb2 new file mode 100644 index 0000000..40db7c5 --- /dev/null +++ b/doc/README.avb2 
@@ -0,0 +1,100 @@ +Android Verified Boot 2.0 + +This file contains information about the current support of Android Verified +Boot 2.0 in U-boot + +1. OVERVIEW +--------------------------------- +Verified Boot establishes a chain of trust from the bootloader to system images +* Provides integrity checking for: + - Android Boot image: Linux kernel + ramdisk. RAW hashing of the whole + partition is done and the hash is compared with the one stored in + the VBMeta image + - system/vendor partitions: verifying root hash of dm-verity hashtrees. +* Provides capabilities for rollback protection. + +Integrity of the bootloader (U-boot BLOB and environment) is out of scope. + +For additional details check: +https://android.googlesource.com/platform/external/avb/+/master/README.md + + +2. AVB 2.0 U-BOOT SHELL COMMANDS +----------------------------------- +Provides CLI interface to invoke AVB 2.0 verification + misc. commands for +different testing purposes: + +avb init - initialize avb 2.0 for +avb verify - run verification process using hash data from vbmeta structure +avb read_rb - read rollback index at location +avb write_rb - write rollback index to +avb is_unlocked - returns unlock status of the device +avb get_uuid - read and print uuid of partition +avb read_part - read bytes from +partition to buffer +avb write_part - write bytes to + by using data from + + +3. PARTITIONS TAMPERING (EXAMPLE) +----------------------------------- +Boot or system/vendor (dm-verity metadata section) is tampered: +=> avb init 1 +=> avb verify +avb_slot_verify.c:175: ERROR: boot: Hash of data does not match digest in +descriptor. +Slot verification result: ERROR_IO + +Vbmeta partition is tampered: +=> avb init 1 +=> avb verify +avb_vbmeta_image.c:206: ERROR: Hash does not match! +avb_slot_verify.c:388: ERROR: vbmeta: Error verifying vbmeta image: +HASH_MISMATCH +Slot verification result: ERROR_IO + + +4. 
ENABLE ON YOUR BOARD +----------------------------------- +The following options must be enabled: +CONFIG_LIBAVB=y +CONFIG_LIBAVB_AB=y +CONFIG_CMD_AVB=y + + +Then add `avb verify` invocation to your android boot sequence of commands, +e.g.: + +=> avb_verify=avb init $mmcdev; avb verify; +=> if run avb_verify; then \ + echo AVB verification OK. Continue boot; \ + set bootargs $bootargs $avb_bootargs; \ + else \ + echo AVB verification failed; \ + exit; \ + fi; \ + +=> emmc_android_boot= \ + echo Trying to boot Android from eMMC ...; \ + ... \ + run avb_verify; \ + mmc read ${fdtaddr} ${fdt_start} ${fdt_size}; \ + mmc read ${loadaddr} ${boot_start} ${boot_size}; \ + bootm $loadaddr $loadaddr $fdtaddr; \ + + +To switch on automatic generation of vbmeta partition in AOSP build, add these +lines to device configuration mk file: + +BOARD_AVB_ENABLE := true +BOARD_AVB_ALGORITHM := SHA512_RSA4096 +BOARD_BOOTIMAGE_PARTITION_SIZE := + +After flashing U-boot don't forget to update environment and write new +partition table: +=> env default -f -a +=> setenv partitions $partitions_android +=> env save +=> fas 1 + +$ fastboot oem format
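Review bot: the `emmc_android_boot` example in section 4 fails open. `run avb_verify;` is followed unconditionally by the two `mmc read` commands and `bootm`, and a `;`-separated command list keeps going after a failing command, so a board copying this sequence would still boot an image that failed verification. The preceding `if run avb_verify; then ... else ... exit; fi` snippet is also never referenced from `emmc_android_boot`, so `$avb_bootargs` is not appended to `bootargs` on the path that actually boots. Please fold the two snippets into one sequence where the `mmc read`/`bootm` commands sit inside the success branch and the failure branch stops the boot. Since section 1 says the U-Boot environment is out of scope for integrity, it is also worth stating in section 4 that the `avb_verify` script as shown lives in that unprotected environment. Two smaller points: `=> avb_verify=avb init $mmcdev; avb verify;` is written as if typed at the prompt, but it is an environment definition and would need `setenv` or a note that it belongs in the default environment; and both tampering samples in section 3 end with `Slot verification result: ERROR_IO` although the errors above them are hash mismatches, so either the reported result should distinguish verification failures from I/O errors or the README should explain why it does not.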