[PATCH v2 0/2] bootstd: android: Allow booting with AVB failures when unlocked

[PATCH v2 0/2] bootstd: android: Allow booting with AVB failures when unlocked

[Mattijs Korpershoek]

Android Verified Boot (AVB) [1] protects Android systems by providing a
root of trust in the vbmeta partition.

On unlocked devices, system developers might want to disable the root
of trust to reflash only some partitions.

This is officially supported in the Android bootflow [2] but is not
properly implemented in the Android bootmeth.
For development purposes

Add support for this in bootmeth_android.

This has been tested on AM62Px SK EVM with TI's Android 15 release [3]

[1] https://source.android.com/docs/security/features/verifiedboot/avb
[2] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices
[3] https://software-dl.ti.com/processor-sdk-android/esd/AM62PX/10_01_00/docs/devices/AM62PX/android/Release_Specific_Release_Notes.html

Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
Changes in v2:
- Re-did patch 2/2 a bit: fixed booting without AVB failures
- Link to v1: https://lore.kernel.org/r/20250108-avb-disable-verif-v1-0-009c35710ef4@baylibre.com

---
Mattijs Korpershoek (2):
      bootstd: android: Add missing NULL in the avb partition list
      bootstd: android: Allow boot with AVB failures when unlocked

 boot/bootmeth_android.c | 39 +++++++++++++++++++++++++--------------
 1 file changed, 25 insertions(+), 14 deletions(-)
---
base-commit: 6d41f0a39d6423c8e57e92ebbe9f8c0333a63f72
change-id: 20250108-avb-disable-verif-997f820c0c00

Best regards,
-- 
Mattijs Korpershoek <mkorpershoek@baylibre.com>

[PATCH v2 1/2] bootstd: android: Add missing NULL in the avb partition list

[Mattijs Korpershoek]

When booting an Android build with AVB enabled, it's still possible to
deactivate the check for development purposes if the bootloader state is
UNLOCKED.

This is very useful for development and can be done at flashing time via:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

However, with bootmeth_android, we cannot boot this way:

    Scanning bootdev 'mmc@fa10000.bootdev':
      0  android      ready   mmc          0  mmc@fa10000.bootdev.whole
    ** Booting bootflow 'mmc@fa10000.bootdev.whole' with android
    avb_vbmeta_image.c:188: ERROR: Hash does not match!
    avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH
    get_partition: can't find partition '_a'
    avb_slot_verify.c:496: ERROR: _a: Error determining partition size.
    Verification failed, reason: I/O error occurred while trying to load data
    Boot failed (err=-5)
    No more bootdevs

From the logs we can see that avb tries to read a partition named '_a'.
It's doing so because the last element of requested_partitions implicitly is
'\0', but the doc explicitly request it to be NULL instead.

Add NULL as last element to requested_partitions to avoid this problem.

Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
 boot/bootmeth_android.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
index 19b1f2c377b9a51ff1683259085e1d636c939413..2cd167f80280801618a317a65e93a10e70a0d9ee 100644
--- a/boot/bootmeth_android.c
+++ b/boot/bootmeth_android.c
@@ -380,7 +380,7 @@ static int run_avb_verification(struct bootflow *bflow)
 {
 	struct blk_desc *desc = dev_get_uclass_plat(bflow->blk);
 	struct android_priv *priv = bflow->bootmeth_priv;
-	const char * const requested_partitions[] = {"boot", "vendor_boot"};
+	const char * const requested_partitions[] = {"boot", "vendor_boot", NULL};
 	struct AvbOps *avb_ops;
 	AvbSlotVerifyResult result;
 	AvbSlotVerifyData *out_data;

-- 
2.47.1

Re: [PATCH v2 1/2] bootstd: android: Add missing NULL in the avb partition list

[Julien Masson]

On Thu 23 Jan 2025 at 14:38, Mattijs Korpershoek <mkorpershoek@baylibre.com> wrote:

> When booting an Android build with AVB enabled, it's still possible to
> deactivate the check for development purposes if the bootloader state is
> UNLOCKED.
> 
> This is very useful for development and can be done at flashing time via:
> $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
> 
> However, with bootmeth_android, we cannot boot this way:
> 
>     Scanning bootdev 'mmc@fa10000.bootdev':
>       0  android      ready   mmc          0  mmc@fa10000.bootdev.whole
>     ** Booting bootflow 'mmc@fa10000.bootdev.whole' with android
>     avb_vbmeta_image.c:188: ERROR: Hash does not match!
>     avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH
>     get_partition: can't find partition '_a'
>     avb_slot_verify.c:496: ERROR: _a: Error determining partition size.
>     Verification failed, reason: I/O error occurred while trying to load data
>     Boot failed (err=-5)
>     No more bootdevs
> 
> From the logs we can see that avb tries to read a partition named '_a'.
> It's doing so because the last element of requested_partitions implicitly is
> '\0', but the doc explicitly request it to be NULL instead.
> 
> Add NULL as last element to requested_partitions to avoid this problem.
> 
> Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
> Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
> ---
>  boot/bootmeth_android.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
> index 19b1f2c377b9a51ff1683259085e1d636c939413..2cd167f80280801618a317a65e93a10e70a0d9ee 100644
> --- a/boot/bootmeth_android.c
> +++ b/boot/bootmeth_android.c
> @@ -380,7 +380,7 @@ static int run_avb_verification(struct bootflow *bflow)
>  {
>  	struct blk_desc *desc = dev_get_uclass_plat(bflow->blk);
>  	struct android_priv *priv = bflow->bootmeth_priv;
> -	const char * const requested_partitions[] = {"boot", "vendor_boot"};
> +	const char * const requested_partitions[] = {"boot", "vendor_boot", NULL};
>  	struct AvbOps *avb_ops;
>  	AvbSlotVerifyResult result;
>  	AvbSlotVerifyData *out_data;
> 
> -- 
> 2.47.1
> 

Reviewed-by: Julien Masson <jmasson@baylibre.com>

[PATCH v2 2/2] bootstd: android: Allow boot with AVB failures when unlocked

[Mattijs Korpershoek]

When the bootloader is UNLOCKED, it should be possible to boot Android
even if AVB reports verification errors [1].

This allows developers to flash modified partitions on
userdebug/engineering builds.

Developers can do so on unlocked devices with:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

In such case, bootmeth_android refuses to boot.

Allow the boot to continue when the device is UNLOCKED and AVB reports
verification errors.

[1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
 boot/bootmeth_android.c | 37 ++++++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
index 2cd167f80280801618a317a65e93a10e70a0d9ee..dc9aad1633bb7a6d577013bfa0f939343f2e066b 100644
--- a/boot/bootmeth_android.c
+++ b/boot/bootmeth_android.c
@@ -407,17 +407,26 @@ static int run_avb_verification(struct bootflow *bflow)
 				 AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
 				 &out_data);
 
-	if (result != AVB_SLOT_VERIFY_RESULT_OK) {
-		printf("Verification failed, reason: %s\n",
-		       str_avb_slot_error(result));
-		avb_slot_verify_data_free(out_data);
-		return log_msg_ret("avb verify", -EIO);
-	}
-
-	if (unlocked)
-		boot_state = AVB_ORANGE;
-	else
+	if (!unlocked) {
+		/* When device is locked, we only accept AVB_SLOT_VERIFY_RESULT_OK */
+		if (result != AVB_SLOT_VERIFY_RESULT_OK) {
+			printf("Verification failed, reason: %s\n",
+			       str_avb_slot_error(result));
+			avb_slot_verify_data_free(out_data);
+			return log_msg_ret("avb verify", -EIO);
+		}
 		boot_state = AVB_GREEN;
+	} else {
+		/* When device is unlocked, we also accept verification errors */
+		if (result != AVB_SLOT_VERIFY_RESULT_OK &&
+		    result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION) {
+			printf("Unlocked verification failed, reason: %s\n",
+			       str_avb_slot_error(result));
+			avb_slot_verify_data_free(out_data);
+			return log_msg_ret("avb verify unlocked", -EIO);
+		}
+		boot_state = AVB_ORANGE;
+	}
 
 	extra_args = avb_set_state(avb_ops, boot_state);
 	if (extra_args) {
@@ -427,9 +436,11 @@ static int run_avb_verification(struct bootflow *bflow)
 			goto free_out_data;
 	}
 
-	ret = avb_append_commandline(bflow, out_data->cmdline);
-	if (ret < 0)
-		goto free_out_data;
+	if (result == AVB_SLOT_VERIFY_RESULT_OK) {
+		ret = avb_append_commandline(bflow, out_data->cmdline);
+		if (ret < 0)
+			goto free_out_data;
+	}
 
 	return 0;
 

-- 
2.47.1

Re: [PATCH v2 2/2] bootstd: android: Allow boot with AVB failures when unlocked

[Julien Masson]

On Thu 23 Jan 2025 at 14:40, Mattijs Korpershoek <mkorpershoek@baylibre.com> wrote:

> When the bootloader is UNLOCKED, it should be possible to boot Android
> even if AVB reports verification errors [1].
> 
> This allows developers to flash modified partitions on
> userdebug/engineering builds.
> 
> Developers can do so on unlocked devices with:
> $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
> 
> In such case, bootmeth_android refuses to boot.
> 
> Allow the boot to continue when the device is UNLOCKED and AVB reports
> verification errors.
> 
> [1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices
> Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
> Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
> ---
>  boot/bootmeth_android.c | 37 ++++++++++++++++++++++++-------------
>  1 file changed, 24 insertions(+), 13 deletions(-)
> 
> diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
> index 2cd167f80280801618a317a65e93a10e70a0d9ee..dc9aad1633bb7a6d577013bfa0f939343f2e066b 100644
> --- a/boot/bootmeth_android.c
> +++ b/boot/bootmeth_android.c
> @@ -407,17 +407,26 @@ static int run_avb_verification(struct bootflow *bflow)
>  				 AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
>  				 &out_data);
>  
> -	if (result != AVB_SLOT_VERIFY_RESULT_OK) {
> -		printf("Verification failed, reason: %s\n",
> -		       str_avb_slot_error(result));
> -		avb_slot_verify_data_free(out_data);
> -		return log_msg_ret("avb verify", -EIO);
> -	}
> -
> -	if (unlocked)
> -		boot_state = AVB_ORANGE;
> -	else
> +	if (!unlocked) {
> +		/* When device is locked, we only accept AVB_SLOT_VERIFY_RESULT_OK */
> +		if (result != AVB_SLOT_VERIFY_RESULT_OK) {
> +			printf("Verification failed, reason: %s\n",
> +			       str_avb_slot_error(result));
> +			avb_slot_verify_data_free(out_data);
> +			return log_msg_ret("avb verify", -EIO);
> +		}
>  		boot_state = AVB_GREEN;
> +	} else {
> +		/* When device is unlocked, we also accept verification errors */
> +		if (result != AVB_SLOT_VERIFY_RESULT_OK &&
> +		    result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION) {
> +			printf("Unlocked verification failed, reason: %s\n",
> +			       str_avb_slot_error(result));
> +			avb_slot_verify_data_free(out_data);
> +			return log_msg_ret("avb verify unlocked", -EIO);
> +		}
> +		boot_state = AVB_ORANGE;
> +	}
>  
>  	extra_args = avb_set_state(avb_ops, boot_state);
>  	if (extra_args) {
> @@ -427,9 +436,11 @@ static int run_avb_verification(struct bootflow *bflow)
>  			goto free_out_data;
>  	}
>  
> -	ret = avb_append_commandline(bflow, out_data->cmdline);
> -	if (ret < 0)
> -		goto free_out_data;
> +	if (result == AVB_SLOT_VERIFY_RESULT_OK) {
> +		ret = avb_append_commandline(bflow, out_data->cmdline);
> +		if (ret < 0)
> +			goto free_out_data;
> +	}
>  
>  	return 0;
>  
> 
> -- 
> 2.47.1
> 

Reviewed-by: Julien Masson <jmasson@baylibre.com>

Re: [PATCH v2 0/2] bootstd: android: Allow booting with AVB failures when unlocked

[Mattijs Korpershoek]

Hi,

On Wed, 08 Jan 2025 15:38:40 +0100, Mattijs Korpershoek wrote:
> Android Verified Boot (AVB) [1] protects Android systems by providing a
> root of trust in the vbmeta partition.
> 
> On unlocked devices, system developers might want to disable the root
> of trust to reflash only some partitions.
> 
> This is officially supported in the Android bootflow [2] but is not
> properly implemented in the Android bootmeth.
> For development purposes
> 
> [...]

Thanks, Applied to https://source.denx.de/u-boot/custodians/u-boot-dfu (u-boot-dfu)

[1/2] bootstd: android: Add missing NULL in the avb partition list
      https://source.denx.de/u-boot/custodians/u-boot-dfu/-/commit/ae58cd7b39207175c8696d7bf38321b1a4c9957a
[2/2] bootstd: android: Allow boot with AVB failures when unlocked
      https://source.denx.de/u-boot/custodians/u-boot-dfu/-/commit/6745cbed6edc06fae7fbc4b360e39c3963d57b13

--
Mattijs