
This series of patches introduces support for Android Verified Boot 2.0, which provides integrity checking of Android partitions on MMC.
It integrates libavb into U-Boot, provides an implementation of AvbOps and a subset of `avb` commands to run the verification chain (and for debugging purposes), and enables AVB2.0 verification on the AM57xx HS SoC by default.
Currently, there is still no support for verification of A/B boot slots and no rollback protection (for storing rollback indexes there are plans to use eMMC RPMB).
Libavb will deviate from AOSP upstream in the future; that's why a minimal amount of changes was introduced into the lib sources, so checkpatch may fail.
For additional details check [1] AVB 2.0 README and doc/README.avb2, which is a part of this patchset.
[1] https://android.googlesource.com/platform/external/avb/+/master/README.md

Changes for v2:
- Updated libavb from the AOSP upstream
- Removed libavb_ab as it's marked as deprecated
- Added default n to Kconfigs for this feature (both for CONFIG_LIBAVB and CONFIG_CMD_AVB)
- Minor fixes in avb_find_dm_args
- Replaced "reinvented the wheel" str macro with existing __stringify()
- Updated documentation
- Updated avb_slot_verify invocation, supplying it with the new AvbHashtreeErrorMode param
- Fixed array boundary exceeded error when handling bootargs in avb_find_dm_args

Igor Opaniuk (8):
  avb2.0: add Android Verified Boot 2.0 library
  avb2.0: integrate avb 2.0 into the build system
  avb2.0: implement AVB ops
  cmd: avb2.0: avb command for performing verification
  avb2.0: add boot states and dm-verity support
  am57xx_hs: avb2.0: add support of AVB 2.0
  test/py: avb2.0: add tests for avb commands
  doc: avb2.0: add README about AVB2.0 integration

 cmd/Kconfig | 16 +
 cmd/Makefile | 3 +
 cmd/avb.c | 372 ++++++++
 common/Makefile | 2 +
 common/avb_verify.c | 741 +++++++++++++++
 doc/README.avb2 | 97 ++
 include/avb_verify.h | 96 ++
 include/configs/am57xx_evm.h | 11 +
 include/environment/ti/boot.h | 15 +
 lib/Kconfig | 14 +
 lib/Makefile | 1 +
 lib/libavb/Makefile | 15 +
 lib/libavb/avb_chain_partition_descriptor.c | 46 +
 lib/libavb/avb_chain_partition_descriptor.h | 54 ++
 lib/libavb/avb_cmdline.c | 422 +++++++++
 lib/libavb/avb_cmdline.h | 72 ++
 lib/libavb/avb_crypto.c | 354 +++++++
 lib/libavb/avb_crypto.h | 156 +++
 lib/libavb/avb_descriptor.c | 142 +++
 lib/libavb/avb_descriptor.h | 113 +++
 lib/libavb/avb_footer.c | 36 +
 lib/libavb/avb_footer.h | 68 ++
 lib/libavb/avb_hash_descriptor.c | 44 +
 lib/libavb/avb_hash_descriptor.h | 70 ++
 lib/libavb/avb_hashtree_descriptor.c | 52 +
 lib/libavb/avb_hashtree_descriptor.h | 80 ++
 lib/libavb/avb_kernel_cmdline_descriptor.c | 40 +
 lib/libavb/avb_kernel_cmdline_descriptor.h | 63 ++
 lib/libavb/avb_ops.h | 293 ++++++
 lib/libavb/avb_property_descriptor.c | 167 ++++
 lib/libavb/avb_property_descriptor.h | 89 ++
 lib/libavb/avb_rsa.c | 276 ++++++
 lib/libavb/avb_rsa.h | 55 ++
 lib/libavb/avb_sha.h | 72 ++
 lib/libavb/avb_sha256.c | 364 +++++++
 lib/libavb/avb_sha512.c | 362 +++++++
 lib/libavb/avb_slot_verify.c | 1367 +++++++++++++++++++++++++++
 lib/libavb/avb_slot_verify.h | 341 +++++++
 lib/libavb/avb_sysdeps.h | 101 ++
 lib/libavb/avb_sysdeps_posix.c | 63 ++
 lib/libavb/avb_util.c | 412 ++++++++
 lib/libavb/avb_util.h | 269 ++++++
 lib/libavb/avb_vbmeta_image.c | 290 ++++++
 lib/libavb/avb_vbmeta_image.h | 276 ++++++
 lib/libavb/avb_version.c | 16 +
 lib/libavb/avb_version.h | 41 +
 lib/libavb/libavb.h | 32 +
 test/py/tests/test_avb.py | 111 +++
 48 files changed, 8192 insertions(+)
 create mode 100644 cmd/avb.c
 create mode 100644 common/avb_verify.c
 create mode 100644 doc/README.avb2
 create mode 100644 include/avb_verify.h
 create mode 100644 lib/libavb/Makefile
 create mode 100644 lib/libavb/avb_chain_partition_descriptor.c
 create mode 100644 lib/libavb/avb_chain_partition_descriptor.h
 create mode 100644 lib/libavb/avb_cmdline.c
 create mode 100644 lib/libavb/avb_cmdline.h
 create mode 100644 lib/libavb/avb_crypto.c
 create mode 100644 lib/libavb/avb_crypto.h
 create mode 100644 lib/libavb/avb_descriptor.c
 create mode 100644 lib/libavb/avb_descriptor.h
 create mode 100644 lib/libavb/avb_footer.c
 create mode 100644 lib/libavb/avb_footer.h
 create mode 100644 lib/libavb/avb_hash_descriptor.c
 create mode 100644 lib/libavb/avb_hash_descriptor.h
 create mode 100644 lib/libavb/avb_hashtree_descriptor.c
 create mode 100644 lib/libavb/avb_hashtree_descriptor.h
 create mode 100644 lib/libavb/avb_kernel_cmdline_descriptor.c
 create mode 100644 lib/libavb/avb_kernel_cmdline_descriptor.h
 create mode 100644 lib/libavb/avb_ops.h
 create mode 100644 lib/libavb/avb_property_descriptor.c
 create mode 100644 lib/libavb/avb_property_descriptor.h
 create mode 100644 lib/libavb/avb_rsa.c
 create mode 100644 lib/libavb/avb_rsa.h
 create mode 100644 lib/libavb/avb_sha.h
 create mode 100644 lib/libavb/avb_sha256.c
 create mode 100644 lib/libavb/avb_sha512.c
 create mode 100644 lib/libavb/avb_slot_verify.c
 create mode 100644 lib/libavb/avb_slot_verify.h
 create mode 100644 lib/libavb/avb_sysdeps.h
 create mode 100644 lib/libavb/avb_sysdeps_posix.c
 create mode 100644 lib/libavb/avb_util.c
 create mode 100644 lib/libavb/avb_util.h
 create mode 100644 lib/libavb/avb_vbmeta_image.c
 create mode 100644 lib/libavb/avb_vbmeta_image.h
 create mode 100644 lib/libavb/avb_version.c
 create mode 100644 lib/libavb/avb_version.h
 create mode 100644 lib/libavb/libavb.h
 create mode 100644 test/py/tests/test_avb.py