[PATCH 0/2] bootstd: android: Allow booting with AVB failures when unlocked

Android Verified Boot (AVB) [1] protects Android systems by providing a root of trust in the vbmeta partition.
On unlocked devices, system developers might want to disable the root of trust to reflash only some partitions.
This is officially supported in the Android bootflow [2] but is not properly implemented in the Android bootmeth. For development purposes
Add support for this in bootmeth_android.
This has been tested on AM62Px SK EVM with TI's Android 15 release [3]
[1] https://source.android.com/docs/security/features/verifiedboot/avb
[2] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unl...
[3] https://software-dl.ti.com/processor-sdk-android/esd/AM62PX/10_01_00/docs/de...
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
Mattijs Korpershoek (2):
      bootstd: android: Add missing NULL in the avb partition list
      bootstd: android: Allow boot with AVB failures when unlocked

 boot/bootmeth_android.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
---
base-commit: 6d41f0a39d6423c8e57e92ebbe9f8c0333a63f72
change-id: 20250108-avb-disable-verif-997f820c0c00
Best regards,

When booting an Android build with AVB enabled, it's still possible to deactivate the check for development purposes if the bootloader state is UNLOCKED.
This is very useful for development and can be done at flashing time via:
  $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
However, with bootmeth_android, we cannot boot this way:
  Scanning bootdev 'mmc@fa10000.bootdev':
  0 android ready mmc 0 mmc@fa10000.bootdev.whole
  ** Booting bootflow 'mmc@fa10000.bootdev.whole' with android
  avb_vbmeta_image.c:188: ERROR: Hash does not match!
  avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH
  get_partition: can't find partition '_a'
  avb_slot_verify.c:496: ERROR: _a: Error determining partition size.
  Verification failed, reason: I/O error occurred while trying to load data
  Boot failed (err=-5)
  No more bootdevs
From the logs we can see that avb tries to read a partition named '_a'.
It's doing so because the last element of requested_partitions implicitly is '\0', but the doc explicitly requests it to be NULL instead.
Add NULL as last element to requested_partitions to avoid this problem.
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
 boot/bootmeth_android.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c index 19b1f2c377b9a51ff1683259085e1d636c939413..2cd167f80280801618a317a65e93a10e70a0d9ee 100644 --- a/boot/bootmeth_android.c +++ b/boot/bootmeth_android.c @@ -380,7 +380,7 @@ static int run_avb_verification(struct bootflow *bflow) { struct blk_desc *desc = dev_get_uclass_plat(bflow->blk); struct android_priv *priv = bflow->bootmeth_priv; - const char * const requested_partitions[] = {"boot", "vendor_boot"}; + const char * const requested_partitions[] = {"boot", "vendor_boot", NULL}; struct AvbOps *avb_ops; AvbSlotVerifyResult result; AvbSlotVerifyData *out_data;
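Review bot: nothing at the declaration of requested_partitions in run_avb_verification() says that the list must end in NULL, which is how the terminator went missing in the first place; add a short comment above the array stating that avb_slot_verify() expects a NULL-terminated list. The commit message's "implicitly is '\0'" is also worth rewording: the old initializer held only "boot" and "vendor_boot", so there was no third element at all and the '_a' lookup in the log came from reading past the end of the array.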

When the bootloader is UNLOCKED, it should be possible to boot Android even if AVB reports verification errors [1].
This allows developers to flash modified partitions on userdebug/engineering builds.
Developers can do so on unlocked devices with:
  $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
In such case, bootmeth_android refuses to boot.
Allow the boot to continue when the device is UNLOCKED and AVB reports verification errors.
[1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unl...
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
 boot/bootmeth_android.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c index 2cd167f80280801618a317a65e93a10e70a0d9ee..564d21784feb0667bf9bed2a59be0a232601a7dd 100644 --- a/boot/bootmeth_android.c +++ b/boot/bootmeth_android.c @@ -407,11 +407,16 @@ static int run_avb_verification(struct bootflow *bflow) AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE, &out_data);
- if (result != AVB_SLOT_VERIFY_RESULT_OK) { + if (result != AVB_SLOT_VERIFY_RESULT_OK && !unlocked) { printf("Verification failed, reason: %s\n", str_avb_slot_error(result)); avb_slot_verify_data_free(out_data); return log_msg_ret("avb verify", -EIO); + } else if (result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION && unlocked) { + printf("Unlocked verification failed, reason: %s\n", + str_avb_slot_error(result)); + avb_slot_verify_data_free(out_data); + return log_msg_ret("avb verify unlocked", -EIO); }
if (unlocked) @@ -427,9 +432,11 @@ static int run_avb_verification(struct bootflow *bflow) goto free_out_data; }
- ret = avb_append_commandline(bflow, out_data->cmdline); - if (ret < 0) - goto free_out_data; + if (result == AVB_SLOT_VERIFY_RESULT_OK) { + ret = avb_append_commandline(bflow, out_data->cmdline); + if (ret < 0) + goto free_out_data; + }
return 0;
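Review bot: the new `else if (result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION && unlocked)` branch in the first hunk is also taken when result is AVB_SLOT_VERIFY_RESULT_OK, because OK is not equal to ERROR_VERIFICATION. An unlocked device with a correctly verified image therefore prints "Unlocked verification failed", frees out_data and returns -EIO, so the only result that still boots while unlocked is ERROR_VERIFICATION. The unlocked condition should exclude the success case as well, for example `result != AVB_SLOT_VERIFY_RESULT_OK && result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION && unlocked`, and both the locked and unlocked paths should be tested with valid and modified images.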

Hi,
Please ignore this patch, I've sent this a bit too fast and did not test all the cases.
Sorry for the noise.
Mattijs
On Wed, Jan 08, 2025 at 14:43, Mattijs Korpershoek <mkorpershoek@baylibre.com> wrote:
When the bootloader is UNLOCKED, it should be possible to boot Android even if AVB reports verification errors [1].
This allows developers to flash modified partitions on userdebug/engineering builds.
Developers can do so on unlocked devices with:
  $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
In such case, bootmeth_android refuses to boot.
Allow the boot to continue when the device is UNLOCKED and AVB reports verification errors.
[1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unl...
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
 boot/bootmeth_android.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c index 2cd167f80280801618a317a65e93a10e70a0d9ee..564d21784feb0667bf9bed2a59be0a232601a7dd 100644 --- a/boot/bootmeth_android.c +++ b/boot/bootmeth_android.c @@ -407,11 +407,16 @@ static int run_avb_verification(struct bootflow *bflow) AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE, &out_data);
- if (result != AVB_SLOT_VERIFY_RESULT_OK) {
if (result != AVB_SLOT_VERIFY_RESULT_OK && !unlocked) { printf("Verification failed, reason: %s\n", str_avb_slot_error(result)); avb_slot_verify_data_free(out_data); return log_msg_ret("avb verify", -EIO);
} else if (result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION && unlocked) {
printf("Unlocked verification failed, reason: %s\n",
str_avb_slot_error(result));
avb_slot_verify_data_free(out_data);
return log_msg_ret("avb verify unlocked", -EIO);
}
if (unlocked)
@@ -427,9 +432,11 @@ static int run_avb_verification(struct bootflow *bflow) goto free_out_data; }
- ret = avb_append_commandline(bflow, out_data->cmdline);
- if (ret < 0)
goto free_out_data;
if (result == AVB_SLOT_VERIFY_RESULT_OK) {
ret = avb_append_commandline(bflow, out_data->cmdline);
if (ret < 0)
goto free_out_data;
}
return 0;
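Review bot: the second hunk skips avb_append_commandline() whenever result is not AVB_SLOT_VERIFY_RESULT_OK, so the unlocked path boots without anything from out_data->cmdline, and neither the code nor the commit message says that this is intended. Add a one-line comment above `if (result == AVB_SLOT_VERIFY_RESULT_OK)` explaining why the AVB-provided arguments are dropped when verification errors are tolerated, and mention the behaviour in the commit message so that a missing kernel argument on an unlocked device can be traced back to this change.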
-- 2.47.1