[PATCH v2 0/2] bootstd: android: Allow booting with AVB failures when unlocked

Android Verified Boot (AVB) [1] protects Android systems by providing a root of trust in the vbmeta partition.
On unlocked devices, system developers might want to disable the root of trust to reflash only some partitions.
This is officially supported in the Android bootflow [2] but is not properly implemented in the Android bootmeth. For development purposes
Add support for this in bootmeth_android.
This has been tested on AM62Px SK EVM with TI's Android 15 release [3]
[1] https://source.android.com/docs/security/features/verifiedboot/avb
[2] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unl...
[3] https://software-dl.ti.com/processor-sdk-android/esd/AM62PX/10_01_00/docs/de...

Signed-off-by: Mattijs Korpershoek mkorpershoek@baylibre.com
---
Changes in v2:
- Re-did patch 2/2 a bit: fixed booting without AVB failures
- Link to v1: https://lore.kernel.org/r/20250108-avb-disable-verif-v1-0-009c35710ef4@bayli...

---
Mattijs Korpershoek (2):
      bootstd: android: Add missing NULL in the avb partition list
      bootstd: android: Allow boot with AVB failures when unlocked

 boot/bootmeth_android.c | 39 +++++++++++++++++++++++++--------------
 1 file changed, 25 insertions(+), 14 deletions(-)
---
base-commit: 6d41f0a39d6423c8e57e92ebbe9f8c0333a63f72
change-id: 20250108-avb-disable-verif-997f820c0c00
Best regards,

When booting an Android build with AVB enabled, it's still possible to deactivate the check for development purposes if the bootloader state is UNLOCKED.
This is very useful for development and can be done at flashing time via:
  $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

However, with bootmeth_android, we cannot boot this way:

  Scanning bootdev 'mmc@fa10000.bootdev':
  0 android ready mmc 0 mmc@fa10000.bootdev.whole
  ** Booting bootflow 'mmc@fa10000.bootdev.whole' with android
  avb_vbmeta_image.c:188: ERROR: Hash does not match!
  avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH
  get_partition: can't find partition '_a'
  avb_slot_verify.c:496: ERROR: _a: Error determining partition size.
  Verification failed, reason: I/O error occurred while trying to load data
  Boot failed (err=-5)
  No more bootdevs
From the logs we can see that avb tries to read a partition named '_a'.
It's doing so because the last element of requested_partitions implicitly is '\0', but the doc explicitly requests it to be NULL instead.
Add NULL as last element to requested_partitions to avoid this problem.
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek mkorpershoek@baylibre.com
---
 boot/bootmeth_android.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c index 19b1f2c377b9a51ff1683259085e1d636c939413..2cd167f80280801618a317a65e93a10e70a0d9ee 100644 --- a/boot/bootmeth_android.c +++ b/boot/bootmeth_android.c @@ -380,7 +380,7 @@ static int run_avb_verification(struct bootflow *bflow) { struct blk_desc *desc = dev_get_uclass_plat(bflow->blk); struct android_priv *priv = bflow->bootmeth_priv; - const char * const requested_partitions[] = {"boot", "vendor_boot"}; + const char * const requested_partitions[] = {"boot", "vendor_boot", NULL}; struct AvbOps *avb_ops; AvbSlotVerifyResult result; AvbSlotVerifyData *out_data;
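Review bot: Nothing at the requested_partitions declaration says why the trailing NULL is there, so a later cleanup could drop it again; a one-line comment stating that the AVB API expects a NULL-terminated list would prevent that. The commit message could also be more precise: the original two-element initializer had no third element at all, so the '_a' lookup in the log comes from reading past the end of the array rather than from an implicit '\0' entry.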

On Thu 23 Jan 2025 at 14:38, Mattijs Korpershoek mkorpershoek@baylibre.com wrote:
When booting an Android build with AVB enabled, it's still possible to deactivate the check for development purposes if the bootloader state is UNLOCKED.
This is very useful for development and can be done at flashing time via:
  $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

However, with bootmeth_android, we cannot boot this way:

  Scanning bootdev 'mmc@fa10000.bootdev':
  0 android ready mmc 0 mmc@fa10000.bootdev.whole
  ** Booting bootflow 'mmc@fa10000.bootdev.whole' with android
  avb_vbmeta_image.c:188: ERROR: Hash does not match!
  avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH
  get_partition: can't find partition '_a'
  avb_slot_verify.c:496: ERROR: _a: Error determining partition size.
  Verification failed, reason: I/O error occurred while trying to load data
  Boot failed (err=-5)
  No more bootdevs
From the logs we can see that avb tries to read a partition named '_a'. It's doing so because the last element of requested_partitions implicitly is '\0', but the doc explicitly requests it to be NULL instead.
Add NULL as last element to requested_partitions to avoid this problem.
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek mkorpershoek@baylibre.com

 boot/bootmeth_android.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c index 19b1f2c377b9a51ff1683259085e1d636c939413..2cd167f80280801618a317a65e93a10e70a0d9ee 100644 --- a/boot/bootmeth_android.c +++ b/boot/bootmeth_android.c @@ -380,7 +380,7 @@ static int run_avb_verification(struct bootflow *bflow) { struct blk_desc *desc = dev_get_uclass_plat(bflow->blk); struct android_priv *priv = bflow->bootmeth_priv;
- const char * const requested_partitions[] = {"boot", "vendor_boot"};
- const char * const requested_partitions[] = {"boot", "vendor_boot", NULL}; struct AvbOps *avb_ops; AvbSlotVerifyResult result; AvbSlotVerifyData *out_data;
-- 2.47.1
Reviewed-by: Julien Masson jmasson@baylibre.com
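
The failure mode described in the commit message above, as an added example that is not part of the patch, U-Boot or libavb: a bounded walk over a NULL-terminated partition list that refuses an unterminated array and an empty name before the slot suffix is appended. The function names, NAME_LEN and the three sample lists are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define NAME_LEN 32 /* assumed buffer size for this example */

/* Constructed lists: the pre-fix array, the fixed one, and one with an
 * empty entry like the one that produced the '_a' lookup in the log. */
static const char *const unterminated[] = {"boot", "vendor_boot"};
static const char *const fixed[] = {"boot", "vendor_boot", NULL};
static const char *const stray[] = {"boot", "vendor_boot", "", NULL};
static char names[4][NAME_LEN];

/* Count entries before the NULL sentinel without reading past max slots. */
static int count_requested(const char *const *list, size_t max)
{
	for (size_t n = 0; n < max; n++)
		if (list[n] == NULL)
			return (int)n;
	return -1; /* no sentinel inside the array: refuse the list */
}

/* Build "<name><suffix>"; an empty name would become just the suffix. */
static int slot_partition_name(const char *name, const char *suffix,
			       char *out, size_t outlen)
{
	if (name[0] == '\0')
		return -1;
	int len = snprintf(out, outlen, "%s%s", name, suffix);
	return (len < 0 || (size_t)len >= outlen) ? -1 : 0;
}

/* Resolve the whole list; returns the entry count or -1 on a bad list. */
static int resolve_all(const char *const *list, size_t max, const char *suffix)
{
	int n = count_requested(list, max);
	for (int i = 0; i < n; i++)
		if (slot_partition_name(list[i], suffix, names[i], NAME_LEN))
			return -1;
	return n; /* -1 propagates when the sentinel is missing */
}

int main(void)
{
	printf("unterminated: %d\n", resolve_all(unterminated, ARRAY_SIZE(unterminated), "_a"));
	printf("fixed:        %d\n", resolve_all(fixed, ARRAY_SIZE(fixed), "_a"));
	printf("stray entry:  %d\n", resolve_all(stray, ARRAY_SIZE(stray), "_a"));
	return 0;
}
```

Passing the array's own element count as the bound is what lets the walker report a missing sentinel instead of reading adjacent memory.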

When the bootloader is UNLOCKED, it should be possible to boot Android even if AVB reports verification errors [1].
This allows developers to flash modified partitions on userdebug/engineering builds.
Developers can do so on unlocked devices with:
  $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

In such a case, bootmeth_android refuses to boot.
Allow the boot to continue when the device is UNLOCKED and AVB reports verification errors.
[1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unl...

Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek mkorpershoek@baylibre.com
---
 boot/bootmeth_android.c | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c index 2cd167f80280801618a317a65e93a10e70a0d9ee..dc9aad1633bb7a6d577013bfa0f939343f2e066b 100644 --- a/boot/bootmeth_android.c +++ b/boot/bootmeth_android.c @@ -407,17 +407,26 @@ static int run_avb_verification(struct bootflow *bflow) AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE, &out_data);
- if (result != AVB_SLOT_VERIFY_RESULT_OK) { - printf("Verification failed, reason: %s\n", - str_avb_slot_error(result)); - avb_slot_verify_data_free(out_data); - return log_msg_ret("avb verify", -EIO); - } - - if (unlocked) - boot_state = AVB_ORANGE; - else + if (!unlocked) { + /* When device is locked, we only accept AVB_SLOT_VERIFY_RESULT_OK */ + if (result != AVB_SLOT_VERIFY_RESULT_OK) { + printf("Verification failed, reason: %s\n", + str_avb_slot_error(result)); + avb_slot_verify_data_free(out_data); + return log_msg_ret("avb verify", -EIO); + } boot_state = AVB_GREEN; + } else { + /* When device is unlocked, we also accept verification errors */ + if (result != AVB_SLOT_VERIFY_RESULT_OK && + result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION) { + printf("Unlocked verification failed, reason: %s\n", + str_avb_slot_error(result)); + avb_slot_verify_data_free(out_data); + return log_msg_ret("avb verify unlocked", -EIO); + } + boot_state = AVB_ORANGE; + }
extra_args = avb_set_state(avb_ops, boot_state); if (extra_args) { @@ -427,9 +436,11 @@ static int run_avb_verification(struct bootflow *bflow) goto free_out_data; }
- ret = avb_append_commandline(bflow, out_data->cmdline); - if (ret < 0) - goto free_out_data; + if (result == AVB_SLOT_VERIFY_RESULT_OK) { + ret = avb_append_commandline(bflow, out_data->cmdline); + if (ret < 0) + goto free_out_data; + }
return 0;

On Thu 23 Jan 2025 at 14:40, Mattijs Korpershoek mkorpershoek@baylibre.com wrote:
When the bootloader is UNLOCKED, it should be possible to boot Android even if AVB reports verification errors [1].
This allows developers to flash modified partitions on userdebug/engineering builds.
Developers can do so on unlocked devices with:
  $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

In such a case, bootmeth_android refuses to boot.
Allow the boot to continue when the device is UNLOCKED and AVB reports verification errors.
[1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unl...

Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek mkorpershoek@baylibre.com

 boot/bootmeth_android.c | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c index 2cd167f80280801618a317a65e93a10e70a0d9ee..dc9aad1633bb7a6d577013bfa0f939343f2e066b 100644 --- a/boot/bootmeth_android.c +++ b/boot/bootmeth_android.c @@ -407,17 +407,26 @@ static int run_avb_verification(struct bootflow *bflow) AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE, &out_data);
- if (result != AVB_SLOT_VERIFY_RESULT_OK) {
printf("Verification failed, reason: %s\n",
str_avb_slot_error(result));
avb_slot_verify_data_free(out_data);
return log_msg_ret("avb verify", -EIO);
- }
- if (unlocked)
boot_state = AVB_ORANGE;
- else
if (!unlocked) {
/* When device is locked, we only accept AVB_SLOT_VERIFY_RESULT_OK */
if (result != AVB_SLOT_VERIFY_RESULT_OK) {
printf("Verification failed, reason: %s\n",
str_avb_slot_error(result));
avb_slot_verify_data_free(out_data);
return log_msg_ret("avb verify", -EIO);
}
boot_state = AVB_GREEN;
} else {
/* When device is unlocked, we also accept verification errors */
if (result != AVB_SLOT_VERIFY_RESULT_OK &&
result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION) {
printf("Unlocked verification failed, reason: %s\n",
str_avb_slot_error(result));
avb_slot_verify_data_free(out_data);
return log_msg_ret("avb verify unlocked", -EIO);
}
boot_state = AVB_ORANGE;
}
extra_args = avb_set_state(avb_ops, boot_state); if (extra_args) {
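Review bot: In the unlocked branch, a result of AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION falls through to boot_state = AVB_ORANGE without printing anything, so the console log carries no record that an image which failed verification was booted. Consider printing the reason with str_avb_slot_error(result) on that path too. Separately, the locked and unlocked error paths repeat the same printf / avb_slot_verify_data_free / return sequence and could share a single exit.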
@@ -427,9 +436,11 @@ static int run_avb_verification(struct bootflow *bflow) goto free_out_data; }
- ret = avb_append_commandline(bflow, out_data->cmdline);
- if (ret < 0)
goto free_out_data;
if (result == AVB_SLOT_VERIFY_RESULT_OK) {
ret = avb_append_commandline(bflow, out_data->cmdline);
if (ret < 0)
goto free_out_data;
}
return 0;
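Review bot: The new result == AVB_SLOT_VERIFY_RESULT_OK guard around avb_append_commandline() has no comment explaining why out_data->cmdline is skipped on the unlocked verification-error path, and the 'goto free_out_data' in the extra_args block just above it is still reachable with that result. If out_data can be unset or partial when verification fails, the cleanup under free_out_data needs to tolerate that as well; a short comment stating what out_data holds in that case would settle the question for the next reader.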
-- 2.47.1
Reviewed-by: Julien Masson jmasson@baylibre.com

Hi,
On Wed, 08 Jan 2025 15:38:40 +0100, Mattijs Korpershoek wrote:
Android Verified Boot (AVB) [1] protects Android systems by providing a root of trust in the vbmeta partition.
On unlocked devices, system developers might want to disable the root of trust to reflash only some partitions.
This is officially supported in the Android bootflow [2] but is not properly implemented in the Android bootmeth. For development purposes
[...]
Thanks, Applied to https://source.denx.de/u-boot/custodians/u-boot-dfu (u-boot-dfu)
[1/2] bootstd: android: Add missing NULL in the avb partition list
      https://source.denx.de/u-boot/custodians/u-boot-dfu/-/commit/ae58cd7b3920717...
[2/2] bootstd: android: Allow boot with AVB failures when unlocked
      https://source.denx.de/u-boot/custodians/u-boot-dfu/-/commit/6745cbed6edc06f...
-- Mattijs