From patchwork Sun Jun 3 18:56:43 2018
X-Patchwork-Submitter: Igor Opaniuk
X-Patchwork-Id: 137610
From: Igor Opaniuk
To: u-boot@lists.denx.de
Date: Sun, 3 Jun 2018 21:56:43 +0300
Message-Id: <1528052203-29689-9-git-send-email-igor.opaniuk@linaro.org>
In-Reply-To: <1528052203-29689-1-git-send-email-igor.opaniuk@linaro.org>
References: <1528052203-29689-1-git-send-email-igor.opaniuk@linaro.org>
Cc: trini@konsulko.com, praneeth@ti.com, misael.lopez@ti.com, erosca@de.adit-jv.com, joakim.bech@linaro.org
Subject: [U-Boot] [PATCH v2 8/8] doc: avb2.0: add README about AVB2.0 integration

Contains:
1. Overview of Android Verified Boot 2.0
2. Description of avb subset of commands
3. Examples of errors when boot/vendor/system/vbmeta partitions are tampered
4. Examples of enabling AVB2.0 on your setup

Signed-off-by: Igor Opaniuk
--- doc/README.avb2 | 97 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 doc/README.avb2 diff --git a/doc/README.avb2 b/doc/README.avb2 new file mode 100644 index 0000000..67784b5 --- /dev/null +++ b/doc/README.avb2 
@@ -0,0 +1,97 @@ +Android Verified Boot 2.0 + +This file contains information about the current support of Android Verified +Boot 2.0 in U-boot + +1. OVERVIEW +--------------------------------- +Verified Boot establishes a chain of trust from the bootloader to system images +* Provides integrity checking for: + - Android Boot image: Linux kernel + ramdisk. RAW hashing of the whole + partition is done and the hash is compared with the one stored in + the VBMeta image + - system/vendor partitions: verifying root hash of dm-verity hashtrees. +* Provides capabilities for rollback protection. + +Integrity of the bootloader (U-boot BLOB and environment) is out of scope. + +For additional details check: +https://android.googlesource.com/platform/external/avb/+/master/README.md + + +2. AVB 2.0 U-BOOT SHELL COMMANDS +----------------------------------- +Provides CLI interface to invoke AVB 2.0 verification + misc. commands for +different testing purposes: + +avb init - initialize avb 2.0 for +avb verify - run verification process using hash data from vbmeta structure +avb read_rb - read rollback index at location +avb write_rb - write rollback index to +avb is_unlocked - returns unlock status of the device +avb get_uuid - read and print uuid of partition +avb read_part - read bytes from +partition to buffer +avb write_part - write bytes to + by using data from + + +3. PARTITIONS TAMPERING (EXAMPLE) +----------------------------------- +Boot or system/vendor (dm-verity metadata section) is tampered: +=> avb init 1 +=> avb verify +avb_slot_verify.c:175: ERROR: boot: Hash of data does not match digest in +descriptor. +Slot verification result: ERROR_IO + +Vbmeta partition is tampered: +=> avb init 1 +=> avb verify +avb_vbmeta_image.c:206: ERROR: Hash does not match! +avb_slot_verify.c:388: ERROR: vbmeta: Error verifying vbmeta image: +HASH_MISMATCH +Slot verification result: ERROR_IO + + +4. 
ENABLE ON YOUR BOARD +----------------------------------- +The following options must be enabled: +CONFIG_LIBAVB=y +CONFIG_CMD_AVB=y + + +Then add `avb verify` invocation to your android boot sequence of commands, +e.g.: + +=> avb_verify=avb init $mmcdev; avb verify; +=> if run avb_verify; then \ + echo AVB verification OK. Continue boot; \ + set bootargs $bootargs $avb_bootargs; \ + else \ + echo AVB verification failed; \ + exit; \ + fi; \ + +=> emmc_android_boot= \ + echo Trying to boot Android from eMMC ...; \ + ... \ + run avb_verify; \ + mmc read ${fdtaddr} ${fdt_start} ${fdt_size}; \ + mmc read ${loadaddr} ${boot_start} ${boot_size}; \ + bootm $loadaddr $loadaddr $fdtaddr; \ + + +To switch on automatic generation of vbmeta partition in AOSP build, add these +lines to device configuration mk file: + +BOARD_AVB_ENABLE := true +BOARD_AVB_ALGORITHM := SHA512_RSA4096 +BOARD_BOOTIMAGE_PARTITION_SIZE := + +After flashing U-boot don't forget to update environment and write new +partition table: +=> env default -f -a +=> setenv partitions $partitions_android +=> env save +=> gpt write mmc 1 $partitions_android
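Review bot: In section 4, the `emmc_android_boot` example calls `run avb_verify;` and then continues to `mmc read` and `bootm` whatever the result, so as documented a failed verification does not stop the boot, and `$avb_bootargs` is only appended in the separate `if run avb_verify; then ...` snippet that the boot sequence never uses. Suggest merging the two so the example is fail-closed: put the `mmc read` and `bootm` steps inside the `then` branch of `if run avb_verify`, after `set bootargs $bootargs $avb_bootargs;`, and drop the bare `run avb_verify;` line. It would also help to state next to this example that the check itself lives in the environment, which section 1 declares out of scope for integrity, and to explain in section 3 why a hash mismatch is reported as `Slot verification result: ERROR_IO`.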