[v2,0/8] Initial integration of AVB2.0

Message ID 1528052203-29689-1-git-send-email-igor.opaniuk@linaro.org

Igor Opaniuk June 3, 2018, 6:56 p.m. UTC
This series of patches introduces support of Android Verified Boot 2.0,
which provides integrity checking of Android partitions on MMC.

It integrates libavb into U-Boot, provides an implementation of
AvbOps and a subset of `avb` commands to run the verification chain (and for
debugging purposes), and enables AVB2.0 verification on AM57xx HS SoC by default.

Currently, there is still no support for verification of A/B boot slots
and no rollback protection (for storing rollback indexes
there are plans to use eMMC RPMB).

Libavb will deviate from AOSP upstream in the future,
that's why a minimal amount of changes was introduced into the lib sources,
so checkpatch may fail.

For additional details check [1] AVB 2.0 README and doc/README.avb2, which
is a part of this patchset.

[1] https://android.googlesource.com/platform/external/avb/+/master/README.md

Changes for v2:
- Updated libavb from the AOSP upstream
- Removed libavb_ab as it's marked as deprecated
- Added default n to Kconfigs for this feature (both for CONFIG_LIBAVB and
  CONFIG_CMD_AVB)
- Minor fixes in avb_find_dm_args
- Replaced "reinvented the wheel" str macro with existing __stringify()
- Updated documentation
- Updated avb_slot_verify invocation, supplying it with the new
  AvbHashtreeErrorMode param
- Fixed array boundary exceeded error when handling bootargs in
  avb_find_dm_args

Igor Opaniuk (8):
  avb2.0: add Android Verified Boot 2.0 library
  avb2.0: integrate avb 2.0 into the build system
  avb2.0: implement AVB ops
  cmd: avb2.0: avb command for performing verification
  avb2.0: add boot states and dm-verity support
  am57xx_hs: avb2.0: add support of AVB 2.0
  test/py: avb2.0: add tests for avb commands
  doc: avb2.0: add README about AVB2.0 integration

 cmd/Kconfig                                 |   16 +
 cmd/Makefile                                |    3 +
 cmd/avb.c                                   |  372 ++++++++
 common/Makefile                             |    2 +
 common/avb_verify.c                         |  741 +++++++++++++++
 doc/README.avb2                             |   97 ++
 include/avb_verify.h                        |   96 ++
 include/configs/am57xx_evm.h                |   11 +
 include/environment/ti/boot.h               |   15 +
 lib/Kconfig                                 |   14 +
 lib/Makefile                                |    1 +
 lib/libavb/Makefile                         |   15 +
 lib/libavb/avb_chain_partition_descriptor.c |   46 +
 lib/libavb/avb_chain_partition_descriptor.h |   54 ++
 lib/libavb/avb_cmdline.c                    |  422 +++++++++
 lib/libavb/avb_cmdline.h                    |   72 ++
 lib/libavb/avb_crypto.c                     |  354 +++++++
 lib/libavb/avb_crypto.h                     |  156 +++
 lib/libavb/avb_descriptor.c                 |  142 +++
 lib/libavb/avb_descriptor.h                 |  113 +++
 lib/libavb/avb_footer.c                     |   36 +
 lib/libavb/avb_footer.h                     |   68 ++
 lib/libavb/avb_hash_descriptor.c            |   44 +
 lib/libavb/avb_hash_descriptor.h            |   70 ++
 lib/libavb/avb_hashtree_descriptor.c        |   52 +
 lib/libavb/avb_hashtree_descriptor.h        |   80 ++
 lib/libavb/avb_kernel_cmdline_descriptor.c  |   40 +
 lib/libavb/avb_kernel_cmdline_descriptor.h  |   63 ++
 lib/libavb/avb_ops.h                        |  293 ++++++
 lib/libavb/avb_property_descriptor.c        |  167 ++++
 lib/libavb/avb_property_descriptor.h        |   89 ++
 lib/libavb/avb_rsa.c                        |  276 ++++++
 lib/libavb/avb_rsa.h                        |   55 ++
 lib/libavb/avb_sha.h                        |   72 ++
 lib/libavb/avb_sha256.c                     |  364 +++++++
 lib/libavb/avb_sha512.c                     |  362 +++++++
 lib/libavb/avb_slot_verify.c                | 1367 +++++++++++++++++++++++++++
 lib/libavb/avb_slot_verify.h                |  341 +++++++
 lib/libavb/avb_sysdeps.h                    |  101 ++
 lib/libavb/avb_sysdeps_posix.c              |   63 ++
 lib/libavb/avb_util.c                       |  412 ++++++++
 lib/libavb/avb_util.h                       |  269 ++++++
 lib/libavb/avb_vbmeta_image.c               |  290 ++++++
 lib/libavb/avb_vbmeta_image.h               |  276 ++++++
 lib/libavb/avb_version.c                    |   16 +
 lib/libavb/avb_version.h                    |   41 +
 lib/libavb/libavb.h                         |   32 +
 test/py/tests/test_avb.py                   |  111 +++
 48 files changed, 8192 insertions(+)
 create mode 100644 cmd/avb.c
 create mode 100644 common/avb_verify.c
 create mode 100644 doc/README.avb2
 create mode 100644 include/avb_verify.h
 create mode 100644 lib/libavb/Makefile
 create mode 100644 lib/libavb/avb_chain_partition_descriptor.c
 create mode 100644 lib/libavb/avb_chain_partition_descriptor.h
 create mode 100644 lib/libavb/avb_cmdline.c
 create mode 100644 lib/libavb/avb_cmdline.h
 create mode 100644 lib/libavb/avb_crypto.c
 create mode 100644 lib/libavb/avb_crypto.h
 create mode 100644 lib/libavb/avb_descriptor.c
 create mode 100644 lib/libavb/avb_descriptor.h
 create mode 100644 lib/libavb/avb_footer.c
 create mode 100644 lib/libavb/avb_footer.h
 create mode 100644 lib/libavb/avb_hash_descriptor.c
 create mode 100644 lib/libavb/avb_hash_descriptor.h
 create mode 100644 lib/libavb/avb_hashtree_descriptor.c
 create mode 100644 lib/libavb/avb_hashtree_descriptor.h
 create mode 100644 lib/libavb/avb_kernel_cmdline_descriptor.c
 create mode 100644 lib/libavb/avb_kernel_cmdline_descriptor.h
 create mode 100644 lib/libavb/avb_ops.h
 create mode 100644 lib/libavb/avb_property_descriptor.c
 create mode 100644 lib/libavb/avb_property_descriptor.h
 create mode 100644 lib/libavb/avb_rsa.c
 create mode 100644 lib/libavb/avb_rsa.h
 create mode 100644 lib/libavb/avb_sha.h
 create mode 100644 lib/libavb/avb_sha256.c
 create mode 100644 lib/libavb/avb_sha512.c
 create mode 100644 lib/libavb/avb_slot_verify.c
 create mode 100644 lib/libavb/avb_slot_verify.h
 create mode 100644 lib/libavb/avb_sysdeps.h
 create mode 100644 lib/libavb/avb_sysdeps_posix.c
 create mode 100644 lib/libavb/avb_util.c
 create mode 100644 lib/libavb/avb_util.h
 create mode 100644 lib/libavb/avb_vbmeta_image.c
 create mode 100644 lib/libavb/avb_vbmeta_image.h
 create mode 100644 lib/libavb/avb_version.c
 create mode 100644 lib/libavb/avb_version.h
 create mode 100644 lib/libavb/libavb.h
 create mode 100644 test/py/tests/test_avb.py