Commit 5dfb4e99 authored by David Zeuthen's avatar David Zeuthen
Browse files

avbtool: verify_image: Verify hash-, hashtree, and chain-descriptors.

Up until now 'avbtool verify_image' only checks that the vbmeta struct
is signed with the embedded public key. While this is useful it would
be more useful if we also checked that the digests in the hash- and
hashtree descriptors are correct.

The complication with this is that we need to load other image files
and we don't really know what file to look for - all we have is a
partition name. The way we solve this is to look in the same directory
as the given image and also use the file extension of the given
image. E.g. if you use --image /path/to/vbmeta.img and we process a
hash descriptor for 'boot' it will make us look for /path/to/boot.img.

Here's an example of a garden-vanilla setup where all integrity-data
is stored in vbmeta.img:

 $ ./avbtool verify_image --image ${ANDROID_PRODUCT_OUT}/vbmeta.img
 Verifying image /ssd/android/aosp/out/target/product/uefi_x86_64/vbmeta.img using embedded public key
 vbmeta: Successfully verified SHA256_RSA4096 vbmeta struct in /ssd/android/aosp/out/target/product/uefi_x86_64/vbmeta.img
 boot: Successfully verified sha256 hash of /ssd/android/aosp/out/target/product/uefi_x86_64/boot.img for image of 10543104 bytes
 system: Successfully verified sha1 hashtree of /ssd/android/aosp/out/target/product/uefi_x86_64/system.img for image of 1065213952 bytes
 vendor: Successfully verified sha1 hashtree of /ssd/android/aosp/out/target/product/uefi_x86_64/vendor.img for image of 264114176 bytes
 $ echo $?
 0

Here's an example where we want to ensure vbmeta.img is signed with a
given key. It fails because it's signed by the default test key which
is test/data/testkey_rsa4096.pem

 $ ./avbtool verify_image --image ${ANDROID_PRODUCT_OUT}/vbmeta.img --key test/data/testkey_rsa2048.pem
 Verifying image /ssd/android/aosp/out/target/product/uefi_x86_64/vbmeta.img using key at test/data/testkey_rsa2048.pem
 ./avbtool: Embedded public key does not match given key.
 $ echo $?
 1

If we pass that key verification succeeds

 $ ./avbtool verify_image --image ${ANDROID_PRODUCT_OUT}/vbmeta.img --key test/data/testkey_rsa4096.pem
 Verifying image /ssd/android/aosp/out/target/product/uefi_x86_64/vbmeta.img using key at test/data/testkey_rsa4096.pem
 vbmeta: Successfully verified SHA256_RSA4096 vbmeta struct in /ssd/android/aosp/out/target/product/uefi_x86_64/vbmeta.img
 boot: Successfully verified sha256 hash of /ssd/android/aosp/out/target/product/uefi_x86_64/boot.img for image of 10543104 bytes
 system: Successfully verified sha1 hashtree of /ssd/android/aosp/out/target/product/uefi_x86_64/system.img for image of 1065213952 bytes
 vendor: Successfully verified sha1 hashtree of /ssd/android/aosp/out/target/product/uefi_x86_64/vendor.img for image of 264114176 bytes
 $ echo $?
 0

Also, verification still work for chained partitions and provided the
filename matches the partition name (modulo extension) then
hash/hashtree verification machinery also kicks in:

 $ ./avbtool verify_image --image ${ANDROID_PRODUCT_OUT}/system.img
 Verifying image /ssd/android/aosp/out/target/product/uefi_x86_64/system.img using embedded public key
 vbmeta: Successfully verified footer and SHA256_RSA4096 vbmeta struct in /ssd/android/aosp/out/target/product/uefi_x86_64/system.img
 system: Successfully verified sha1 hashtree of /ssd/android/aosp/out/target/product/uefi_x86_64/system.img for image of 1065213952 bytes
 $ echo $?
 0

Also make it such that for each chain partition descriptor a
corresponding --expected_chain_partition option must also be
given. The format of this is exactly the same as the --chain_partition
option. The intent of this option is to verify that the image is
indeed using the correct rollback index location and public key for
chain partitions.

Also make 'avbtool verify_image' a lot more verbose so it's easier to
see what's going on.

Bug: 62038348
Test: New unit tests and all unit tests pass.
Change-Id: Ic6cd48c9ef9c8d97f6427104466bdc1822fc54aa
parent 01ca9962
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment