文章内容是来自:https://blog.csdn.net/weixin_40419181/article/details/123795690
前言
Android Verified Boot上有两个阶段,bootloader和init,每个阶段校验的内容都是不一样的。当然这个也不是绝对的,我觉得这个AVB的校验逻辑是可以用在很多的方面的,根据自己的启动方案可以设置很多的校验逻辑,这里就不展开了,说多了就不安全了。
这里暂时分为两个阶段:bootloader和init
第一阶段
在bootloader中,需要校验分区的函数变量:
// Library/avb/VerifiedBoot.c
static CHAR8 *avb_verify_partition_name[] = {
"boot",
"dtbo",
"vbmeta",
"recovery",
"vendor_boot"
};
从上面的变量可以知道,在bootloader中,可能需要校验上面的5个分区。
为什么说是可能?因为最终的校验是需要根据vbmeta分区来决定的。
解析vbmeta镜像:
avbtool info_image --image vbmeta.img > vbmeta.img.info
vbmeta.img.info 内容
Minimum libavb version: 1.0
Header Block: 256 bytes
Authentication Block: 576 bytes
Auxiliary Block: 4032 bytes
Public key (sha1): 2e22ae4a46cf9db9c24ab74cee91fa005ccb30e4
Algorithm: SHA256_RSA4096
Rollback Index: 0
Flags: 0
Release String: 'avbtool 1.1.0'
Descriptors:
Chain Partition descriptor:
Partition Name: vbmeta_system
Rollback Index Location: 2
Public key (sha1): fc92d9cba0628858d846fb9a18a7af72b05d7dc8
...
Hash descriptor:
Image Size: 59932672 bytes
Hash Algorithm: sha256
Partition Name: boot
Salt: e691366c1c43ee5e23b342d65555ad8cfbadf77118dceb77e240c8e7d3e63ea6
Digest: 239648eb41f5a491c7c4d6b51b52a533bd9da98ba8800f58a0957f7341dd1686
Flags: 0
Hash descriptor:
Image Size: 740733 bytes
Hash Algorithm: sha256
Partition Name: dtbo
Salt: d445a36d8154a774589dd51c49029ee388ecaac28212c8c6899f45dc5a51dbcf
Digest: cac0bd59091464292bc83d6f1193afb1520c12a3849f2673ad3160bb951acf6d
Flags: 0
Hash descriptor:
Image Size: 1916928 bytes
Hash Algorithm: sha256
Partition Name: vendor_boot
Salt: 5f7b7c3592142d4f3645d7e675fb7865915e52e8b361ba330fccf00aeb1c4028
Digest: cf153ab9df9a5c34024417ea2b0b4dfd716d01ba9cd2d5bcf964fe7e25cdd802
Flags: 0
Hashtree descriptor:
Version of dm-verity: 1
Image Size: 864256 bytes
Tree Offset: 864256
Tree Size: 12288 bytes
Data Block Size: 4096 bytes
Hash Block Size: 4096 bytes
FEC num roots: 2
FEC offset: 876544
FEC size: 8192 bytes
Hash Algorithm: sha1
Partition Name: odm
Salt: b6e1f57ae6939659355e83ad7fa57feb6b5eb15a3d16b96752f43cdc14918708
Root Digest: da99875b16661e72eec81d05d58dffdf09fe228d
Flags: 0
Hashtree descriptor:
Version of dm-verity: 1
Image Size: 1002233856 bytes
Tree Offset: 1002233856
Tree Size: 7897088 bytes
Data Block Size: 4096 bytes
Hash Block Size: 4096 bytes
FEC num roots: 2
FEC offset: 1010130944
FEC size: 7987200 bytes
Hash Algorithm: sha1
Partition Name: vendor
Salt: b6e1f57ae6939659355e83ad7fa57feb6b5eb15a3d16b96752f43cdc14918708
Root Digest: 336bd4885da274ae0de38b32b899f7b6169e676f
Flags: 0
通过vbmeta.img.info可以知道,bootloader中需要校验 vbmeta、boot 、dtbo、vendor_boot四个分区。
第二阶段
init阶段的avb校验,可以通过dts和fstab确定需要校验的分区。
1、dts
android {
compatible = "android,firmware";
vbmeta {
compatible = "android,vbmeta";
parts = "vbmeta,boot,system,vendor,dtbo";
};
fstab {
compatible = "android,fstab";
vendor {
compatible = "android,vendor";
dev = "/dev/block/platform/soc/1d84000.ufshc/by-name/vendor";
type = "ext4";
mnt_flags = "ro,barrier=1,discard";
fsmgr_flags = "wait,slotselect,avb";
status = "ok";
};
};
};
fsmgr_flags = "wait,slotselect,avb"知道,根据fstab中分区的挂载参数,来确定需要进行校验的分区。
2. fstab.qcom
我们只需要关注fstab中的 wait,slotselect,avb= 挂载参数。
system /system ext4 ro,barrier=1,discard wait,slotselect,avb=vbmeta_system,logical,first_stage_mount,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey
system_ext /system_ext ext4 ro,barrier=1,discard wait,slotselect,avb=vbmeta_system,logical,first_stage_mount
product /product ext4 ro,barrier=1,discard wait,slotselect,avb=vbmeta_system,logical,first_stage_mount
vendor /vendor ext4 ro,barrier=1,discard wait,slotselect,avb,logical,first_stage_mount
odm /odm ext4 ro,barrier=1,discard wait,slotselect,avb,logical,first_stage_mount
其中 wait,slotselect,avb=vbmeta_system涉及的system、system_ext、product三个分区需要跟vbmeta_system分区进行校验。
而wait,slotselect,avb没有vbmeta_system参数的,则跟vbmeta分区进行校验,可以参考上面解析的vbmeta.img.info。
解析 vbmeta_system镜像以求证wait,slotselect,avb=vbmeta_system涉及的三个分区:
avbtool info_image --image vbmeta_system.img > vbmeta_system.img.info
vbmeta_system.img.info内容
Minimum libavb version: 1.0
Header Block: 256 bytes
Authentication Block: 320 bytes
Auxiliary Block: 2368 bytes
Public key (sha1): fc92d9cba0628858d846fb9a18a7af72b05d7dc8
Algorithm: SHA256_RSA2048
Rollback Index: 1598918400
Flags: 0
Release String: 'avbtool 1.1.0'
Descriptors:
...
Hashtree descriptor:
Version of dm-verity: 1
Image Size: 141250560 bytes
Tree Offset: 141250560
Tree Size: 1122304 bytes
Data Block Size: 4096 bytes
Hash Block Size: 4096 bytes
FEC num roots: 2
FEC offset: 142372864
FEC size: 1130496 bytes
Hash Algorithm: sha1
Partition Name: product
Salt: b6e1f57ae6939659355e83ad7fa57feb6b5eb15a3d16b96752f43cdc14918708
Root Digest: 8747dcab121c9cf740b106dc4b5545d685ee148f
Flags: 0
Hashtree descriptor:
Version of dm-verity: 1
Image Size: 2592661504 bytes
Tree Offset: 2592661504
Tree Size: 20422656 bytes
Data Block Size: 4096 bytes
Hash Block Size: 4096 bytes
FEC num roots: 2
FEC offset: 2613084160
FEC size: 20660224 bytes
Hash Algorithm: sha1
Partition Name: system
Salt: b6e1f57ae6939659355e83ad7fa57feb6b5eb15a3d16b96752f43cdc14918708
Root Digest: 489a406f49dd15c6c4ab3f86ae8c490837602f81
Flags: 0
Hashtree descriptor:
Version of dm-verity: 1
Image Size: 418029568 bytes
Tree Offset: 418029568
Tree Size: 3301376 bytes
Data Block Size: 4096 bytes
Hash Block Size: 4096 bytes
FEC num roots: 2
FEC offset: 421330944
FEC size: 3334144 bytes
Hash Algorithm: sha1
Partition Name: system_ext
Salt: b6e1f57ae6939659355e83ad7fa57feb6b5eb15a3d16b96752f43cdc14918708
Root Digest: 3eabb06d98d7e4639fbca3fd21806ef36332f1d3
Flags: 0
可以看到vbmeta_system.img.info中包含product system system_ext三个分区校验信息。
总结
AVB校验 分成两个阶段
- bootloader 阶段 AVB 校验以下镜像
vbmeta.img、boot.img 、dtbo.img、vendor_boot.img
- init 阶段 AVB 校验以下镜像
vbmeta_system.img vbmeta.img vendor.img product.img odm.img system_ext.img
这里具体的校验方法前面也说了,以及哪些分区在那个步骤被校验也是可以自定义的,但是google这个框架推荐的区别,呗大多数使用。
最后感谢这前辈分享的blog
后面有时间再把这个两个阶段的代码层梳理一下。