1. Enabling Verified Boot 1.0
1.1 Build configuration
(1) In kernel/msm-4.4/arch/arm64/configs/$project_defconfig, enable dm-verity in the kernel:
```
CONFIG_DM_VERITY=y
```
(2) In device/qcom/common/base.mk, enable system/vendor signing. The block is guarded on AVB being off, because a device uses either Verified Boot 1.0 or AVB 2.0, never both:
```
ifneq ($(BOARD_AVB_ENABLE), true)
```
(3) In device/$manufacturer/$project/$project.mk, set PRODUCT_SUPPORTS_VERITY inside the same guard:
```
ifneq ($(BOARD_AVB_ENABLE), true)
```
(4) In device/$manufacturer/$project/fstab.qti, add the verify flag to the system and vendor entries (the fs_mgr flags are the fifth field; without verify, fs_mgr mounts the partition without a dm-verity target):
```
/dev/block/bootdevice/by-name/system / ext4 ro,barrier=1,discard wait,verify
```
(5) In kernel/msm-4.4/arch/arm64/boot/dts/qcom/$platform.dtsi, add the verify flag to the system/vendor entries of the early-mount fstab under the firmware node:
```
firmware: firmware {
```
1.2 Generating the verity key
(1) Generate an RSA-2048 key pair:
```
openssl genrsa -out prvk.pem 2048
```
(2) Convert the private key to PKCS#8 DER (verity.pk8). -nocrypt means the file holds the signing key in the clear, so it belongs on the signing host only:
```
openssl pkcs8 -topk8 -inform PEM -outform DER -in prvk.pem -out verity.pk8 -nocrypt
```
(3) Generate the self-signed certificate verity.x509.pem (and its DER form verity.x509). The digest option is -sha256:
```
openssl req -new -x509 -key prvk.pem -out verity.x509.pem -sha256
```
(4) Build the generate_verity_key host tool; it is produced in out/host/linux-x86/bin:
```
make generate_verity_key
```
(5) Use generate_verity_key to convert verity.x509.pem into the verity_key format the bootloader reads:
```
./out/host/linux-x86/bin/generate_verity_key -convert verity.x509.pem verity_key
```
(6) Copy the three files into the build's security directory, replacing the AOSP test keys:
```
cp verity.pk8 verity.x509.pem verity_key build/target/product/security/
```
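The whole key-generation procedure above as one script, with a consistency check before anything is copied into the tree. This is an added example, not code from the original page or from AOSP. It assumes openssl on PATH and an Android tree in the current directory for the optional generate_verity_key step; the certificate subject is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original page: generate the Verified Boot 1.0
# verity signing material end to end. Assumes openssl on PATH; the
# generate_verity_key step runs only if the AOSP host tool has been built in ./out.
set -eu

# gen_verity_keys OUTDIR [SUBJECT]: writes prvk.pem, verity.pk8, verity.x509.pem,
# verity.x509 (and verity_key when the host tool exists) into OUTDIR.
gen_verity_keys() {
  dir=$1
  # Placeholder subject (assumption): put your own organisation here.
  subj=${2:-"/C=US/ST=California/O=Example/OU=Android/CN=Example Verity Key"}
  mkdir -p "$dir"
  # (1) RSA-2048 private key, the size VB 1.0 verity expects.
  openssl genrsa -out "$dir/prvk.pem" 2048 2>/dev/null
  # (2) Unencrypted PKCS#8 DER: the build's signing step reads this directly,
  #     so the file is the raw signing secret; restrict who can read it.
  openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
    -in "$dir/prvk.pem" -out "$dir/verity.pk8"
  # (3) Self-signed certificate with SHA-256 (the option is -sha256, not -ha256).
  openssl req -new -x509 -sha256 -days 10000 -subj "$subj" \
    -key "$dir/prvk.pem" -out "$dir/verity.x509.pem"
  #     DER copy of the same certificate, the verity.x509 the heading refers to.
  openssl x509 -in "$dir/verity.x509.pem" -outform DER -out "$dir/verity.x509"
  # (5) Bootloader-format key, only when `make generate_verity_key` has run.
  if [ -x out/host/linux-x86/bin/generate_verity_key ]; then
    ./out/host/linux-x86/bin/generate_verity_key -convert \
      "$dir/verity.x509.pem" "$dir/verity_key"
  fi
}

# verity_key_matches PRVK_PEM CERT_PEM: exits 0 when the certificate carries the
# public key of the given private key. Run this before copying anything into
# build/target/product/security/ so the build does not sign with one key and
# ship a certificate for another.
verity_key_matches() {
  from_priv=$(openssl rsa -in "$1" -pubout 2>/dev/null)
  from_cert=$(openssl x509 -in "$2" -pubkey -noout)
  [ "$from_priv" = "$from_cert" ]
}

# verity_pk8_is_unencrypted PK8: exits 0 when the DER PKCS#8 file loads with no
# passphrase, i.e. it is in the form the build's signing step expects.
verity_pk8_is_unencrypted() {
  openssl pkcs8 -inform DER -nocrypt -in "$1" -out /dev/null 2>/dev/null
}
```

Run `gen_verity_keys keys/` from the root of the tree, then `verity_key_matches keys/prvk.pem keys/verity.x509.pem` before step (6); a mismatch there means images will be signed with a key the device does not trust, which fails only at first boot.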
1.3 Verifying that dm-verity is active
(1) List the mounted partitions; if the system (or /) entry is backed by a /dev/block/dm-N device, dm-verity is in use for it:
```
adb shell mount | grep system
```
(2) Pull the fstab from /vendor/etc on the device and check that the system/vendor entries carry the verify flag:
```
#qualcomm
```
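The two checks above applied to device output, as an added example that is not part of the original page. The parsers work on text so they can be run against captured files; the sample mount output and fstab below are constructed, and the device fstab path /vendor/etc/fstab.qti and the --adb wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: apply the two checks above to
# saved device output. The parsers take text so they can be run on captured files;
# check_device (assumption: an adb-connected device whose fstab is /vendor/etc/fstab.qti)
# feeds them live data.
set -eu

# Constructed sample of `adb shell mount` on a system-as-root device.
SAMPLE_MOUNT='/dev/block/dm-0 on / type ext4 (ro,seclabel,relatime)
/dev/block/dm-1 on /vendor type ext4 (ro,seclabel,relatime)
/dev/block/bootdevice/by-name/userdata on /data type ext4 (rw,seclabel,nosuid,nodev)'

# Constructed sample fstab with the verify flag on system and vendor.
SAMPLE_FSTAB='#qualcomm fstab (constructed sample)
/dev/block/bootdevice/by-name/system   /        ext4  ro,barrier=1,discard   wait,verify
/dev/block/bootdevice/by-name/vendor   /vendor  ext4  ro,barrier=1,discard   wait,verify
/dev/block/bootdevice/by-name/userdata /data    ext4  nosuid,nodev,barrier=1 wait,check,encryptable=footer'

# verity_mounts MOUNT_OUTPUT: prints "<mountpoint> <device>" for each mount backed
# by a device-mapper node (/dev/block/dm-N), which is what dm-verity produces.
# Exits 1 when none of /, /system or /vendor is on such a node.
verity_mounts() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^\/dev\/block\/dm-[0-9]+$/ {
      print $3, $1
      if ($3 == "/" || $3 == "/system" || $3 == "/vendor") found = 1
    }
    END { exit found ? 0 : 1 }'
}

# fstab_verify_flags FSTAB_TEXT: prints "<mountpoint> verify|avb|none" for the
# system and vendor entries. fs_mgr flags are the fifth, comma-separated field;
# "verify" is VB 1.0, "avb" means the entry is covered by AVB 2.0 instead.
fstab_verify_flags() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*#/ || NF < 5 { next }
    $2 == "/" || $2 == "/system" || $2 == "/vendor" {
      f = "none"
      n = split($5, flags, ",")
      for (i = 1; i <= n; i++) {
        if (flags[i] == "verify") f = "verify"
        if (flags[i] ~ /^avb/) f = "avb"
      }
      print $2, f
    }'
}

# check_device [FSTAB_PATH]: live version of the two checks plus the verity mode
# the bootloader reported (ro.boot.veritymode should read "enforcing").
check_device() {
  fstab=${1:-/vendor/etc/fstab.qti}
  verity_mounts "$(adb shell mount)"
  fstab_verify_flags "$(adb shell cat "$fstab")"
  echo "veritymode $(adb shell getprop ro.boot.veritymode)"
}

if [ "${1:-}" = "--adb" ]; then
  check_device "${2:-}"
fi
```

A dm-N device under /system only proves a device-mapper target is in place; combine it with the fstab flag and ro.boot.veritymode, since a partition mounted with verity in logging mode still shows up on dm-N but no longer rejects corrupted blocks.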
2. Enabling AVB 2.0
Note: on a platform whose kernel is 4.9 or newer and that runs Android P, AVB 2.0 must be enabled.
2.1 Build configuration
(1) In device/$manufacturer/$project/$project.mk, turn on BOARD_AVB_ENABLE and add the related settings:
```
BOARD_AVB_ENABLE := true
```
(2) The following variables can be set as needed; each carries avbtool options that are passed to the corresponding make_vbmeta_image, add_hash_footer or add_hashtree_footer call. --set_hashtree_disabled_flag marks vbmeta so the kernel does not set up dm-verity on hashtree partitions at all; it is a debugging aid and must not be present in a production vbmeta. --do_not_generate_fec drops forward error correction, so a single corrupted block then fails the read instead of being repaired.
Variable | avbtool options |
---|---|
BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS | --set_hashtree_disabled_flag |
BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS | --hash_algorithm --salt |
BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS | --hash_algorithm --salt --block_size --do_not_generate_fec |
BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS | --hash_algorithm --salt --block_size --do_not_generate_fec |
BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS | --hash_algorithm --salt |
2.2 Where each partition's signature is checked
partition | metadata verified by | verifying key | dm-verity set up by | mounted by |
---|---|---|---|---|
vbmeta | bootloader | oem_pubk | N/A | fs_mgr |
boot | bootloader | boot_pubk | N/A | fs_mgr |
dtbo | bootloader | dtbo_pubk | N/A | fs_mgr |
system | bootloader | system_pubk | kernel | kernel |
vendor | bootloader and fs_mgr | vendor_pubk | fs_mgr | fs_mgr |
2.3 vbmeta information on the kernel command line
The bootloader passes the result of vbmeta verification to the kernel as androidboot.vbmeta.* parameters, starting with the partition it read vbmeta from:
```
androidboot.vbmeta.device=PARTUUID=9c1520f3-c2c5-4b89-8284-fe4c61208a9e
```
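An added example, not part of the original page, that parses the androidboot.vbmeta.* parameters libavb appends to the command line and decides whether the boot is actually enforcing. The parameter names are the ones libavb emits; the sample command line is constructed (the PARTUUID is the one shown above, the digest is a zero placeholder).

```shell
#!/bin/sh
# Added example, not code from the original page: read the androidboot.vbmeta.*
# parameters libavb appends to the kernel command line and decide whether the
# boot is actually enforcing. Names are the ones libavb emits; the sample line is
# constructed (the PARTUUID is the one from the page, the digest is a zero placeholder).
set -eu

SAMPLE_CMDLINE='console=ttyMSM0,115200n8 androidboot.hardware=qcom '\
'androidboot.vbmeta.device=PARTUUID=9c1520f3-c2c5-4b89-8284-fe4c61208a9e '\
'androidboot.vbmeta.avb_version=1.0 androidboot.vbmeta.device_state=locked '\
'androidboot.vbmeta.hash_alg=sha256 androidboot.vbmeta.size=5184 '\
'androidboot.vbmeta.digest=0000000000000000000000000000000000000000000000000000000000000000 '\
'androidboot.vbmeta.invalidate_on_error=yes androidboot.veritymode=enforcing'

# vbmeta_param CMDLINE NAME: prints the value of androidboot.vbmeta.NAME
# (androidboot.veritymode for NAME=veritymode); empty when absent.
vbmeta_param() {
  case $2 in
    veritymode) key="androidboot.$2" ;;
    *)          key="androidboot.vbmeta.$2" ;;
  esac
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$key=//p" | head -n 1
}

# vbmeta_enforcing CMDLINE: exits 0 only when the device is locked, the kernel
# was told to enforce dm-verity, and a full vbmeta digest is present (i.e. the
# bootloader verified vbmeta rather than skipping it). Prints the reason otherwise.
vbmeta_enforcing() {
  state=$(vbmeta_param "$1" device_state)
  mode=$(vbmeta_param "$1" veritymode)
  alg=$(vbmeta_param "$1" hash_alg)
  digest=$(vbmeta_param "$1" digest)
  if [ "$state" != locked ]; then
    echo "device_state=$state: bootloader is unlocked, verification failures are not fatal"
    return 1
  fi
  if [ "$mode" != enforcing ]; then
    echo "veritymode=$mode: kernel will not reject corrupted blocks"
    return 1
  fi
  case $alg in
    sha256) want=64 ;;
    sha512) want=128 ;;
    *) echo "hash_alg=$alg: unknown or missing vbmeta digest algorithm"; return 1 ;;
  esac
  if [ ${#digest} -ne "$want" ]; then
    echo "vbmeta digest missing or truncated (${#digest} hex chars, expected $want)"
    return 1
  fi
  echo "AVB enforcing: vbmeta $(vbmeta_param "$1" size) bytes, $alg digest $digest"
}
```

On a device, feed it `adb shell cat /proc/cmdline` (root may be needed on Android P); the same values are also exposed as ro.boot.vbmeta.* and ro.boot.veritymode properties via getprop.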
2.4 Using a custom key
By default the algorithm SHA256_RSA4096 is used together with the test key in external/avb/test/data. Override this with the BOARD_AVB_ALGORITHM and BOARD_AVB_KEY_PATH variables, for example to use a 4096-bit RSA key with SHA-512:
```
BOARD_AVB_ALGORITHM := SHA512_RSA4096
```
The public part of this key must be available to the device's bootloader so it can verify the images. Use avbtool extract_public_key to extract it in the format the bootloader expects (an avbpubkey blob).
(1) Generate oem.key (RSA-4096 with public exponent F4 = 65537):
```
openssl genrsa -out oem.key -f4 4096
```
(2) Replace external/avb/test/data/testkey_rsa4096.pem with oem.key (or point BOARD_AVB_KEY_PATH at oem.key instead of overwriting the test key). The test key is published with AOSP, so a bootloader still carrying its public half accepts images anyone can sign.
(3) Store the key in bootable/bootloader/edk2/QcomModulePkg/Include/Library/DeviceInfo.h:
```
typedef struct device_info {
```
(4) Store the public key in bootable/bootloader/edk2/QcomModulePkg/Library/avb/OEMPublicKey.h or bootable/bootloader/lk/platform/msm_shared/avb/OEMPublicKey.h:
```
/**
```
The following command converts a PKCS#8 DER private key to PEM. Despite the placeholder name, its output is still the private key in PEM form, not a public key; run avbtool extract_public_key on that PEM to obtain the public key for the bootloader:
```
openssl pkcs8 -inform DER -nocrypt -in <PRODUCT_VERITY_SIGNING_KEY> -out <RSA_PUBLIC_KEY_PEM>
```
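Steps (1) and (4) as one script, an added example that is not the page's or Qualcomm's code: generate oem.key, extract the libavb public-key blob with avbtool extract_public_key, and emit it as a C byte array for a header such as OEMPublicKey.h. The array name OEM_KEY is an assumption (the real header's symbol may differ), and avbtool (external/avb/avbtool) is invoked only when it is on PATH.

```shell
#!/bin/sh
# Added example, not the page's or Qualcomm's code: generate oem.key, pull the
# libavb public-key blob out of it with avbtool extract_public_key, and emit that
# blob as a C array for a header such as OEMPublicKey.h. The array name OEM_KEY
# is an assumption; avbtool (external/avb/avbtool) is used only when on PATH.
set -eu

# gen_oem_key OUT.key: RSA-4096 with public exponent 65537 (-f4), as the page does.
gen_oem_key() {
  openssl genrsa -out "$1" -f4 4096 2>/dev/null
}

# extract_avb_pubkey OEM.key OUT.bin: libavb's binary public key
# (AvbRSAPublicKeyHeader = key_num_bits, n0inv; then the modulus n and rr, big-endian).
extract_avb_pubkey() {
  avbtool extract_public_key --key "$1" --output "$2"
}

# bin_to_c_array IN.bin NAME: prints "const unsigned char NAME[] = { ... };" with
# 12 bytes per line and a NAME_len constant, ready to paste into the header.
bin_to_c_array() {
  printf 'const unsigned char %s[] = {' "$2"
  od -An -v -tu1 "$1" | tr -s ' \n' '\n' | sed '/^$/d' | awk '
    { printf("%s0x%02x,", (NR - 1) % 12 == 0 ? "\n    " : " ", $1) }
    END { print "" }'
  printf '};\nconst unsigned int %s_len = %s;\n' "$2" "$(wc -c < "$1" | tr -d ' ')"
}

# oem_pubkey_header OEM.key OUT.h: the whole flow; returns 2 if avbtool is missing.
oem_pubkey_header() {
  command -v avbtool >/dev/null 2>&1 || { echo "avbtool not on PATH" >&2; return 2; }
  extract_avb_pubkey "$1" "$1.pub.bin"
  bin_to_c_array "$1.pub.bin" OEM_KEY > "$2"
  echo "wrote $2 ($(wc -c < "$1.pub.bin" | tr -d ' ') bytes of public key)"
}
```

The blob from extract_public_key is what libavb compares against the key embedded in vbmeta, so the bytes in the header must be exactly that blob and not the PEM or DER SubjectPublicKeyInfo; a bootloader built with a stale array still boots only images signed with the old key.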