* [PATCH v2 0/2] bootstd: android: Allow booting with AVB failures when unlocked
@ 2025-01-08 14:38 Mattijs Korpershoek
2025-01-08 14:38 ` [PATCH v2 1/2] bootstd: android: Add missing NULL in the avb partition list Mattijs Korpershoek
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Mattijs Korpershoek @ 2025-01-08 14:38 UTC (permalink / raw)
To: Simon Glass, Tom Rini, Julien Masson, Guillaume La Roque
Cc: u-boot, Mattijs Korpershoek
Android Verified Boot (AVB) [1] protects Android systems by providing a
root of trust in the vbmeta partition.
On unlocked devices, system developers might want to disable the root
of trust to reflash only some partitions.
This is officially supported in the Android bootflow [2] but is not
properly implemented in the Android bootmeth.
For development purposes
Add support for this in bootmeth_android.
This has been tested on AM62Px SK EVM with TI's Android 15 release [3]
[1] https://source.android.com/docs/security/features/verifiedboot/avb
[2] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices
[3] https://software-dl.ti.com/processor-sdk-android/esd/AM62PX/10_01_00/docs/devices/AM62PX/android/Release_Specific_Release_Notes.html
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
Changes in v2:
- Re-did patch 2/2 a bit: fixed booting without AVB failures
- Link to v1: https://lore.kernel.org/r/20250108-avb-disable-verif-v1-0-009c35710ef4@baylibre.com
---
Mattijs Korpershoek (2):
bootstd: android: Add missing NULL in the avb partition list
bootstd: android: Allow boot with AVB failures when unlocked
boot/bootmeth_android.c | 39 +++++++++++++++++++++++++--------------
1 file changed, 25 insertions(+), 14 deletions(-)
---
base-commit: 6d41f0a39d6423c8e57e92ebbe9f8c0333a63f72
change-id: 20250108-avb-disable-verif-997f820c0c00
Best regards,
--
Mattijs Korpershoek <mkorpershoek@baylibre.com>
* [PATCH v2 1/2] bootstd: android: Add missing NULL in the avb partition list
From: Mattijs Korpershoek @ 2025-01-08 14:38 UTC (permalink / raw)
To: Simon Glass, Tom Rini, Julien Masson, Guillaume La Roque
Cc: u-boot, Mattijs Korpershoek
When booting an Android build with AVB enabled, it's still possible to
deactivate the check for development purposes if the bootloader state is
UNLOCKED.
This is very useful for development and can be done at flashing time via:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
However, with bootmeth_android, we cannot boot this way:
Scanning bootdev 'mmc@fa10000.bootdev':
0 android ready mmc 0 mmc@fa10000.bootdev.whole
** Booting bootflow 'mmc@fa10000.bootdev.whole' with android
avb_vbmeta_image.c:188: ERROR: Hash does not match!
avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH
get_partition: can't find partition '_a'
avb_slot_verify.c:496: ERROR: _a: Error determining partition size.
Verification failed, reason: I/O error occurred while trying to load data
Boot failed (err=-5)
No more bootdevs
From the logs we can see that avb tries to read a partition named '_a'.
It's doing so because the last element of requested_partitions implicitly is
'\0', but the doc explicitly requests it to be NULL instead.
Add NULL as last element to requested_partitions to avoid this problem.
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
boot/bootmeth_android.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
index 19b1f2c377b9a51ff1683259085e1d636c939413..2cd167f80280801618a317a65e93a10e70a0d9ee 100644
--- a/boot/bootmeth_android.c
+++ b/boot/bootmeth_android.c
@@ -380,7 +380,7 @@ static int run_avb_verification(struct bootflow *bflow)
{
struct blk_desc *desc = dev_get_uclass_plat(bflow->blk);
struct android_priv *priv = bflow->bootmeth_priv;
- const char * const requested_partitions[] = {"boot", "vendor_boot"};
+ const char * const requested_partitions[] = {"boot", "vendor_boot", NULL};
struct AvbOps *avb_ops;
AvbSlotVerifyResult result;
AvbSlotVerifyData *out_data;
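Review bot: The requested_partitions declaration now depends on its trailing NULL, but nothing at the declaration says so; a one-line comment above it stating that the list must stay NULL-terminated for AVB would keep a later edit that adds a partition from bringing back the '_a' lookup shown in the log. The commit message's "implicitly is '\0'" is also worth rewording: the removed line declares a two-element array with no third element at all, so a consumer that walks the list until NULL was reading past its end.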
--
2.47.1
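A simplified model of the failure described in the commit message above, as an added example that is not part of the patch and is not libavb code. The function build_slot_names(), its cap parameter and the constructed "unterminated" array (an empty string standing in for whatever memory follows the real two-element array) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 8
#define NAME_LEN  32

/*
 * Hypothetical consumer that walks a partition list until it meets NULL and
 * appends the slot suffix to each entry. `cap` bounds the walk so the model
 * itself never reads out of bounds.
 * Returns the number of names built, or -1 if no NULL was found within cap.
 */
static int build_slot_names(const char *const *list, size_t cap,
			    const char *suffix, char out[][NAME_LEN])
{
	size_t n;

	for (n = 0; n < cap && n < MAX_NAMES; n++) {
		if (!list[n])
			return (int)n;
		snprintf(out[n], NAME_LEN, "%s%s", list[n], suffix);
	}
	return -1;
}

/* Constructed input: the slot after "vendor_boot" holds an empty string,
 * modelling the memory that follows an unterminated array. */
static const char *const unterminated[] = {"boot", "vendor_boot", ""};
/* The list as declared after the fix. */
static const char *const terminated[] = {"boot", "vendor_boot", NULL};

int main(void)
{
	char names[MAX_NAMES][NAME_LEN];
	int n;

	n = build_slot_names(terminated, 3, "_a", names);
	printf("terminated: %d names, last '%s'\n", n, names[n - 1]);

	n = build_slot_names(unterminated, 3, "_a", names);
	printf("unterminated: %d, third name '%s'\n", n, names[2]);
	return 0;
}
```

With the terminator the walk stops after boot_a and vendor_boot_a; without it, the empty entry plus the slot suffix yields the '_a' partition name seen in the boot log.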
* [PATCH v2 2/2] bootstd: android: Allow boot with AVB failures when unlocked
From: Mattijs Korpershoek @ 2025-01-08 14:38 UTC (permalink / raw)
To: Simon Glass, Tom Rini, Julien Masson, Guillaume La Roque
Cc: u-boot, Mattijs Korpershoek
When the bootloader is UNLOCKED, it should be possible to boot Android
even if AVB reports verification errors [1].
This allows developers to flash modified partitions on
userdebug/engineering builds.
Developers can do so on unlocked devices with:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
In such a case, bootmeth_android refuses to boot.
Allow the boot to continue when the device is UNLOCKED and AVB reports
verification errors.
[1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
boot/bootmeth_android.c | 37 ++++++++++++++++++++++++-------------
1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
index 2cd167f80280801618a317a65e93a10e70a0d9ee..dc9aad1633bb7a6d577013bfa0f939343f2e066b 100644
--- a/boot/bootmeth_android.c
+++ b/boot/bootmeth_android.c
@@ -407,17 +407,26 @@ static int run_avb_verification(struct bootflow *bflow)
AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
&out_data);
- if (result != AVB_SLOT_VERIFY_RESULT_OK) {
- printf("Verification failed, reason: %s\n",
- str_avb_slot_error(result));
- avb_slot_verify_data_free(out_data);
- return log_msg_ret("avb verify", -EIO);
- }
-
- if (unlocked)
- boot_state = AVB_ORANGE;
- else
+ if (!unlocked) {
+ /* When device is locked, we only accept AVB_SLOT_VERIFY_RESULT_OK */
+ if (result != AVB_SLOT_VERIFY_RESULT_OK) {
+ printf("Verification failed, reason: %s\n",
+ str_avb_slot_error(result));
+ avb_slot_verify_data_free(out_data);
+ return log_msg_ret("avb verify", -EIO);
+ }
boot_state = AVB_GREEN;
+ } else {
+ /* When device is unlocked, we also accept verification errors */
+ if (result != AVB_SLOT_VERIFY_RESULT_OK &&
+ result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION) {
+ printf("Unlocked verification failed, reason: %s\n",
+ str_avb_slot_error(result));
+ avb_slot_verify_data_free(out_data);
+ return log_msg_ret("avb verify unlocked", -EIO);
+ }
+ boot_state = AVB_ORANGE;
+ }
extra_args = avb_set_state(avb_ops, boot_state);
if (extra_args) {
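Review bot: In the unlocked branch, a result of AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION falls through to boot_state = AVB_ORANGE without printing anything, so the console gives no sign that verification failed and was tolerated. Suggest a printf() on that path that includes str_avb_slot_error(result), as the two rejection paths already do, so that a developer who did not intend to boot a modified image sees it.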
@@ -427,9 +436,11 @@ static int run_avb_verification(struct bootflow *bflow)
goto free_out_data;
}
- ret = avb_append_commandline(bflow, out_data->cmdline);
- if (ret < 0)
- goto free_out_data;
+ if (result == AVB_SLOT_VERIFY_RESULT_OK) {
+ ret = avb_append_commandline(bflow, out_data->cmdline);
+ if (ret < 0)
+ goto free_out_data;
+ }
return 0;
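Review bot: The new "if (result == AVB_SLOT_VERIFY_RESULT_OK)" guard around avb_append_commandline() has no comment saying why out_data->cmdline is dropped on the tolerated-error path. A short comment stating the reason, and that the boot then proceeds without the arguments from out_data->cmdline, would let a reader tell this is intentional rather than an oversight.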
--
2.47.1
* Re: [PATCH v2 1/2] bootstd: android: Add missing NULL in the avb partition list
From: Julien Masson @ 2025-01-23 13:39 UTC (permalink / raw)
To: Mattijs Korpershoek, Simon Glass, Tom Rini, Guillaume La Roque
Cc: u-boot, Mattijs Korpershoek
On Thu 23 Jan 2025 at 14:38, Mattijs Korpershoek <mkorpershoek@baylibre.com> wrote:
> When booting an Android build with AVB enabled, it's still possible to
> deactivate the check for development purposes if the bootloader state is
> UNLOCKED.
>
> This is very useful for development and can be done at flashing time via:
> $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
>
> However, with bootmeth_android, we cannot boot this way:
>
> Scanning bootdev 'mmc@fa10000.bootdev':
> 0 android ready mmc 0 mmc@fa10000.bootdev.whole
> ** Booting bootflow 'mmc@fa10000.bootdev.whole' with android
> avb_vbmeta_image.c:188: ERROR: Hash does not match!
> avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH
> get_partition: can't find partition '_a'
> avb_slot_verify.c:496: ERROR: _a: Error determining partition size.
> Verification failed, reason: I/O error occurred while trying to load data
> Boot failed (err=-5)
> No more bootdevs
>
> From the logs we can see that avb tries to read a partition named '_a'.
> It's doing so because the last element of requested_partitions implicitly is
> '\0', but the doc explicitly requests it to be NULL instead.
>
> Add NULL as last element to requested_partitions to avoid this problem.
>
> Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
> Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
> ---
> boot/bootmeth_android.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
> index 19b1f2c377b9a51ff1683259085e1d636c939413..2cd167f80280801618a317a65e93a10e70a0d9ee 100644
> --- a/boot/bootmeth_android.c
> +++ b/boot/bootmeth_android.c
> @@ -380,7 +380,7 @@ static int run_avb_verification(struct bootflow *bflow)
> {
> struct blk_desc *desc = dev_get_uclass_plat(bflow->blk);
> struct android_priv *priv = bflow->bootmeth_priv;
> - const char * const requested_partitions[] = {"boot", "vendor_boot"};
> + const char * const requested_partitions[] = {"boot", "vendor_boot", NULL};
> struct AvbOps *avb_ops;
> AvbSlotVerifyResult result;
> AvbSlotVerifyData *out_data;
>
> --
> 2.47.1
>
Reviewed-by: Julien Masson <jmasson@baylibre.com>
* Re: [PATCH v2 2/2] bootstd: android: Allow boot with AVB failures when unlocked
From: Julien Masson @ 2025-01-23 13:40 UTC (permalink / raw)
To: Mattijs Korpershoek, Simon Glass, Tom Rini, Guillaume La Roque
Cc: u-boot, Mattijs Korpershoek
On Thu 23 Jan 2025 at 14:40, Mattijs Korpershoek <mkorpershoek@baylibre.com> wrote:
> When the bootloader is UNLOCKED, it should be possible to boot Android
> even if AVB reports verification errors [1].
>
> This allows developers to flash modified partitions on
> userdebug/engineering builds.
>
> Developers can do so on unlocked devices with:
> $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
>
> In such a case, bootmeth_android refuses to boot.
>
> Allow the boot to continue when the device is UNLOCKED and AVB reports
> verification errors.
>
> [1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices
> Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
> Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
> ---
> boot/bootmeth_android.c | 37 ++++++++++++++++++++++++-------------
> 1 file changed, 24 insertions(+), 13 deletions(-)
>
> diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
> index 2cd167f80280801618a317a65e93a10e70a0d9ee..dc9aad1633bb7a6d577013bfa0f939343f2e066b 100644
> --- a/boot/bootmeth_android.c
> +++ b/boot/bootmeth_android.c
> @@ -407,17 +407,26 @@ static int run_avb_verification(struct bootflow *bflow)
> AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
> &out_data);
>
> - if (result != AVB_SLOT_VERIFY_RESULT_OK) {
> - printf("Verification failed, reason: %s\n",
> - str_avb_slot_error(result));
> - avb_slot_verify_data_free(out_data);
> - return log_msg_ret("avb verify", -EIO);
> - }
> -
> - if (unlocked)
> - boot_state = AVB_ORANGE;
> - else
> + if (!unlocked) {
> + /* When device is locked, we only accept AVB_SLOT_VERIFY_RESULT_OK */
> + if (result != AVB_SLOT_VERIFY_RESULT_OK) {
> + printf("Verification failed, reason: %s\n",
> + str_avb_slot_error(result));
> + avb_slot_verify_data_free(out_data);
> + return log_msg_ret("avb verify", -EIO);
> + }
> boot_state = AVB_GREEN;
> + } else {
> + /* When device is unlocked, we also accept verification errors */
> + if (result != AVB_SLOT_VERIFY_RESULT_OK &&
> + result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION) {
> + printf("Unlocked verification failed, reason: %s\n",
> + str_avb_slot_error(result));
> + avb_slot_verify_data_free(out_data);
> + return log_msg_ret("avb verify unlocked", -EIO);
> + }
> + boot_state = AVB_ORANGE;
> + }
>
> extra_args = avb_set_state(avb_ops, boot_state);
> if (extra_args) {
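Review bot: The failure path is duplicated in the locked and unlocked branches: each has its own printf(), avb_slot_verify_data_free(out_data) and return of -EIO, differing only in the message text and the log_msg_ret() tag. Computing the acceptance test once (result is OK, or unlocked and result is ERROR_VERIFICATION) and keeping a single failure path would leave one place to maintain the cleanup, with boot_state then chosen from unlocked.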
> @@ -427,9 +436,11 @@ static int run_avb_verification(struct bootflow *bflow)
> goto free_out_data;
> }
>
> - ret = avb_append_commandline(bflow, out_data->cmdline);
> - if (ret < 0)
> - goto free_out_data;
> + if (result == AVB_SLOT_VERIFY_RESULT_OK) {
> + ret = avb_append_commandline(bflow, out_data->cmdline);
> + if (ret < 0)
> + goto free_out_data;
> + }
>
> return 0;
>
>
> --
> 2.47.1
>
Reviewed-by: Julien Masson <jmasson@baylibre.com>
* Re: [PATCH v2 0/2] bootstd: android: Allow booting with AVB failures when unlocked
From: Mattijs Korpershoek @ 2025-01-23 14:23 UTC (permalink / raw)
To: Simon Glass, Tom Rini, Julien Masson, Guillaume La Roque,
Mattijs Korpershoek
Cc: u-boot
Hi,
On Wed, 08 Jan 2025 15:38:40 +0100, Mattijs Korpershoek wrote:
> Android Verified Boot (AVB) [1] protects Android systems by providing a
> root of trust in the vbmeta partition.
>
> On unlocked devices, system developers might want to disable the root
> of trust to reflash only some partitions.
>
> This is officially supported in the Android bootflow [2] but is not
> properly implemented in the Android bootmeth.
> For development purposes
>
> [...]
Thanks, Applied to https://source.denx.de/u-boot/custodians/u-boot-dfu (u-boot-dfu)
[1/2] bootstd: android: Add missing NULL in the avb partition list
https://source.denx.de/u-boot/custodians/u-boot-dfu/-/commit/ae58cd7b39207175c8696d7bf38321b1a4c9957a
[2/2] bootstd: android: Allow boot with AVB failures when unlocked
https://source.denx.de/u-boot/custodians/u-boot-dfu/-/commit/6745cbed6edc06fae7fbc4b360e39c3963d57b13
--
Mattijs