[PATCH 0/2] bootstd: android: Allow booting with AVB failures when unlocked

[PATCH 0/2] bootstd: android: Allow booting with AVB failures when unlocked

[Mattijs Korpershoek]

Android Verified Boot (AVB) [1] protects Android systems by providing a
root of trust in the vbmeta partition.

On unlocked devices, system developers might want to disable the root
of trust to reflash only some partitions.

This is officially supported in the Android bootflow [2] but is not
properly implemented in the Android bootmeth.
For development purposes

Add support for this in bootmeth_android.

This has been tested on AM62Px SK EVM with TI's Android 15 release [3]

[1] https://source.android.com/docs/security/features/verifiedboot/avb
[2] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices
[3] https://software-dl.ti.com/processor-sdk-android/esd/AM62PX/10_01_00/docs/devices/AM62PX/android/Release_Specific_Release_Notes.html

Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
Mattijs Korpershoek (2):
      bootstd: android: Add missing NULL in the avb partition list
      bootstd: android: Allow boot with AVB failures when unlocked

 boot/bootmeth_android.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
---
base-commit: 6d41f0a39d6423c8e57e92ebbe9f8c0333a63f72
change-id: 20250108-avb-disable-verif-997f820c0c00

Best regards,
-- 
Mattijs Korpershoek <mkorpershoek@baylibre.com>

[PATCH 1/2] bootstd: android: Add missing NULL in the avb partition list

[Mattijs Korpershoek]

When booting an Android build with AVB enabled, it's still possible to
deactivate the check for development purposes if the bootloader state is
UNLOCKED.

This is very useful for development and can be done at flashing time via:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

However, with bootmeth_android, we cannot boot this way:

    Scanning bootdev 'mmc@fa10000.bootdev':
      0  android      ready   mmc          0  mmc@fa10000.bootdev.whole
    ** Booting bootflow 'mmc@fa10000.bootdev.whole' with android
    avb_vbmeta_image.c:188: ERROR: Hash does not match!
    avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH
    get_partition: can't find partition '_a'
    avb_slot_verify.c:496: ERROR: _a: Error determining partition size.
    Verification failed, reason: I/O error occurred while trying to load data
    Boot failed (err=-5)
    No more bootdevs

From the logs we can see that avb tries to read a partition named '_a'.
It's doing so because the last element of requested_partitions implicitly is
'\0', but the doc explicitly request it to be NULL instead.

Add NULL as last element to requested_partitions to avoid this problem.

Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
 boot/bootmeth_android.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
index 19b1f2c377b9a51ff1683259085e1d636c939413..2cd167f80280801618a317a65e93a10e70a0d9ee 100644
--- a/boot/bootmeth_android.c
+++ b/boot/bootmeth_android.c
@@ -380,7 +380,7 @@ static int run_avb_verification(struct bootflow *bflow)
 {
 	struct blk_desc *desc = dev_get_uclass_plat(bflow->blk);
 	struct android_priv *priv = bflow->bootmeth_priv;
-	const char * const requested_partitions[] = {"boot", "vendor_boot"};
+	const char * const requested_partitions[] = {"boot", "vendor_boot", NULL};
 	struct AvbOps *avb_ops;
 	AvbSlotVerifyResult result;
 	AvbSlotVerifyData *out_data;

-- 
2.47.1

[PATCH 2/2] bootstd: android: Allow boot with AVB failures when unlocked

[Mattijs Korpershoek]

When the bootloader is UNLOCKED, it should be possible to boot Android
even if AVB reports verification errors [1].

This allows developers to flash modified partitions on
userdebug/engineering builds.

Developers can do so on unlocked devices with:
$ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img

In such case, bootmeth_android refuses to boot.

Allow the boot to continue when the device is UNLOCKED and AVB reports
verification errors.

[1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices
Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
---
 boot/bootmeth_android.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
index 2cd167f80280801618a317a65e93a10e70a0d9ee..564d21784feb0667bf9bed2a59be0a232601a7dd 100644
--- a/boot/bootmeth_android.c
+++ b/boot/bootmeth_android.c
@@ -407,11 +407,16 @@ static int run_avb_verification(struct bootflow *bflow)
 				 AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
 				 &out_data);
 
-	if (result != AVB_SLOT_VERIFY_RESULT_OK) {
+	if (result != AVB_SLOT_VERIFY_RESULT_OK && !unlocked) {
 		printf("Verification failed, reason: %s\n",
 		       str_avb_slot_error(result));
 		avb_slot_verify_data_free(out_data);
 		return log_msg_ret("avb verify", -EIO);
+	} else if (result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION && unlocked) {
+		printf("Unlocked verification failed, reason: %s\n",
+		       str_avb_slot_error(result));
+		avb_slot_verify_data_free(out_data);
+		return log_msg_ret("avb verify unlocked", -EIO);
 	}
 
 	if (unlocked)
@@ -427,9 +432,11 @@ static int run_avb_verification(struct bootflow *bflow)
 			goto free_out_data;
 	}
 
-	ret = avb_append_commandline(bflow, out_data->cmdline);
-	if (ret < 0)
-		goto free_out_data;
+	if (result == AVB_SLOT_VERIFY_RESULT_OK) {
+		ret = avb_append_commandline(bflow, out_data->cmdline);
+		if (ret < 0)
+			goto free_out_data;
+	}
 
 	return 0;
 

-- 
2.47.1

Re: [PATCH 2/2] bootstd: android: Allow boot with AVB failures when unlocked

[Mattijs Korpershoek]

Hi,

Please ignore this patch, I've send this a bit too fast and did not test
all the cases.

Sorry for the noise.

Mattijs

On mer., janv. 08, 2025 at 14:43, Mattijs Korpershoek <mkorpershoek@baylibre.com> wrote:

> When the bootloader is UNLOCKED, it should be possible to boot Android
> even if AVB reports verification errors [1].
>
> This allows developers to flash modified partitions on
> userdebug/engineering builds.
>
> Developers can do so on unlocked devices with:
> $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img
>
> In such case, bootmeth_android refuses to boot.
>
> Allow the boot to continue when the device is UNLOCKED and AVB reports
> verification errors.
>
> [1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices
> Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android")
> Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
> ---
>  boot/bootmeth_android.c | 15 +++++++++++----
>  1 file changed, 11 insertions(+), 4 deletions(-)
>
> diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c
> index 2cd167f80280801618a317a65e93a10e70a0d9ee..564d21784feb0667bf9bed2a59be0a232601a7dd 100644
> --- a/boot/bootmeth_android.c
> +++ b/boot/bootmeth_android.c
> @@ -407,11 +407,16 @@ static int run_avb_verification(struct bootflow *bflow)
>  				 AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
>  				 &out_data);
>  
> -	if (result != AVB_SLOT_VERIFY_RESULT_OK) {
> +	if (result != AVB_SLOT_VERIFY_RESULT_OK && !unlocked) {
>  		printf("Verification failed, reason: %s\n",
>  		       str_avb_slot_error(result));
>  		avb_slot_verify_data_free(out_data);
>  		return log_msg_ret("avb verify", -EIO);
> +	} else if (result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION && unlocked) {
> +		printf("Unlocked verification failed, reason: %s\n",
> +		       str_avb_slot_error(result));
> +		avb_slot_verify_data_free(out_data);
> +		return log_msg_ret("avb verify unlocked", -EIO);
>  	}
>  
>  	if (unlocked)
> @@ -427,9 +432,11 @@ static int run_avb_verification(struct bootflow *bflow)
>  			goto free_out_data;
>  	}
>  
> -	ret = avb_append_commandline(bflow, out_data->cmdline);
> -	if (ret < 0)
> -		goto free_out_data;
> +	if (result == AVB_SLOT_VERIFY_RESULT_OK) {
> +		ret = avb_append_commandline(bflow, out_data->cmdline);
> +		if (ret < 0)
> +			goto free_out_data;
> +	}
>  
>  	return 0;
>  
>
> -- 
> 2.47.1