Hi All,
I want to understand the DM-Verity signing/verification process of system and vendor images on the i.MX8M Android platform.
We are using i.MX8MQ custom board. DM-Verity support is enabled in kernel. The vbmeta image contains hashtree descriptors of system and vendor images. At boot time, system image is mounted as root with dm-0 block device and vendor is mounted with dm-1 block device. So, this part is working as expected.
I am looking for the signing part using RSA private key at build time and verification part using public key at boot time.
In IMX_ANDROID_SECURITY_USER_GUIDE, it is mentioned that RSA key (${MY_ANDROID}/build/target/product/security/verity/verity.pk8) is used to sign the DM_verity table to produce a table signature. When verifying a partition, the table signature is validated first using the public key named "verity_key". In our case, I think this part is missing.
Questions:
1. How can we check that images are signed using the DM-Verity keys inside the ${MY_ANDROID}/build/target/product/security/verity/ directory?
2. Which configurations need to be enabled for DM-Verity signing?
3. Where exactly will the verity public key be available on the device for DM-Verity verification?
Thank you for the support.
Regards,
Pratik Manvar
Hi All,
We got the below clarification from the NXP team.
"The dm-verity key is used for old Android OS which doesn't have AVB support. It is not used for the system which has AVB function, vbmeta binary has the root hash and vbmeta is signed with AVB private key to make sure the integrity of the root hash."
Please refer to "Enabling DM-Verity singing failed on i.MX8MQ" for more details.
Thank you for your support.
Regards,
Pratik Manvar
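Added example (not part of the original posts, and not NXP or AOSP code): a simplified Python model of the check described in the clarification above, where a partition is accepted only if its recomputed hash-tree root equals the root digest carried in an already signature-verified vbmeta. The 4096-byte block size, the sample image, the salt and the descriptor dict are constructed for illustration, and the vbmeta signature check itself is assumed to have already passed.

```python
import hashlib
import hmac

BLOCK = 4096  # data and hash block size assumed by this sketch


def _h(salt: bytes, data: bytes) -> bytes:
    """Salted SHA-256 of one block (salt is prepended)."""
    return hashlib.sha256(salt + data).digest()


def root_hash(image: bytes, salt: bytes) -> bytes:
    """Hash each block, pack the digests into zero-padded blocks,
    and repeat until a single block remains; its hash is the root."""
    if len(image) <= BLOCK or len(image) % BLOCK:
        raise ValueError("image must be a whole number of blocks, more than one")
    level = image
    while len(level) > BLOCK:
        digests = b"".join(_h(salt, level[i:i + BLOCK])
                           for i in range(0, len(level), BLOCK))
        level = digests + b"\0" * (-len(digests) % BLOCK)
    return _h(salt, level)


def partition_matches(image: bytes, descriptor: dict) -> bool:
    """Compare the recomputed root with the one taken from vbmeta."""
    actual = root_hash(image, descriptor["salt"])
    return hmac.compare_digest(actual, descriptor["root_digest"])


# Constructed sample data: a 300-block "system" image and the descriptor
# that a signed vbmeta would carry for it.
SALT = bytes.fromhex("aa55" * 16)
IMAGE = b"".join(i.to_bytes(4, "big") * 1024 for i in range(300))
DESCRIPTOR = {"partition_name": "system", "salt": SALT,
              "root_digest": root_hash(IMAGE, SALT)}


def demo():
    """Return (clean image accepted, image with one flipped bit accepted)."""
    tampered = bytearray(IMAGE)
    tampered[150 * BLOCK + 7] ^= 0x01
    return (partition_matches(IMAGE, DESCRIPTOR),
            partition_matches(bytes(tampered), DESCRIPTOR))


if __name__ == "__main__":
    print(demo())
```

Because any change to the image changes the root, signing the structure that holds the root digest is what protects the whole partition; no separate signature over the dm-verity table is involved in this model.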
Hi James,
Thanks for the quick response.
Thanks & Regards,
Pratik Manvar
This is created by CST Tool, which creates the Keys.
Hi jamesbone
Thanks for the response.
Actually, my question here is about enabling dm-verity signing using the RSA keys available at "<Android9.0>/build/make/target/product/security". I have used the CST tool to generate and sign the bootloader image and verify it using HABv4.
For the imx8mq board, if "BOARD_AVB_ENABLE := true" is enabled, then there is no verity_key in the image, and the system & vendor images are not signed using the "extras/verity/build_verity_metadata.py" script.
If I comment/remove "BOARD_AVB_ENABLE := true" and inherit verity.mk (add the below code), then only signing of the system & vendor images is enabled by extras/verity/build_verity_metadata.py using "<Android9.0>/build/make/target/product/security/verity.pk8" and verity_key is added to the image.
-----------------------------------------------------------------------------------------------------
# dm-verity definitions
ifneq ($(BOARD_AVB_ENABLE), true)
PRODUCT_SYSTEM_VERITY_PARTITION=/dev/block/by-name/system
PRODUCT_VENDOR_VERITY_PARTITION=/dev/block/by-name/vendor
ifeq ($(ENABLE_VENDOR_IMAGE), true)
PRODUCT_VENDOR_VERITY_PARTITION=/dev/block/by-name/vendor
endif
$(call inherit-product, build/target/product/verity.mk)
endif
-------------------------------------------------------------------------------------------------------
Questions:
1. Why do I need to comment/remove "BOARD_AVB_ENABLE" to sign the DM-Verity table? What is the relation between AVB and DM-Verity?
Actually I want to enable both "AVB signing/verification" and "DM-Verity signing/verification".
2. When "BOARD_AVB_ENABLE := true", is there any way to sign system & vendor images using dm-verity key at "<Android9.0>/build/make/target/product/security/"?
Thanks,
Pratik Manvar
This will make the build system create vbmeta.img which will contain a hash descriptor for boot.img, a hashtree descriptor for system.img, a kernel-cmdline descriptor for setting up dm-verity for system.img and append a hash-tree to system.img.
By default, the algorithm SHA256_RSA4096 is used with a test key from the external/avb/test/data directory. This can be overridden by the BOARD_AVB_ALGORITHM and BOARD_AVB_KEY_PATH variables to use e.g. a 4096-bit RSA key and SHA-512:
BOARD_AVB_ALGORITHM := SHA512_RSA4096
BOARD_AVB_KEY_PATH := /path/to/rsa_key_4096bits.pem
Hi jamesbone
Thanks for the quick response.
Yes, the explanation you gave is already enabled. The hashes of the system and vendor images are verified using the hashtree descriptors stored in vbmeta.img, and both images are mounted as device mapper /dev/block/dm-0 and /dev/block/dm-1 devices.
But in this case, the verity table is not signed using the dm-verity key (<Android9.0>/build/make/target/product/security/verity.pk8) by the "<Android9.0>/extras/verity/build_verity_metadata.py" script to produce the table signature. For this, I need to comment/remove the "BOARD_AVB_ENABLE := true" line and add the below lines in product.mk.
-----------------------------------------------------------------------------------------------------
# dm-verity definitions
ifneq ($(BOARD_AVB_ENABLE), true)
PRODUCT_SYSTEM_VERITY_PARTITION=/dev/block/by-name/system
PRODUCT_VENDOR_VERITY_PARTITION=/dev/block/by-name/vendor
$(call inherit-product, build/target/product/verity.mk)
endif
-------------------------------------------------------------------------------------------------------
Can you please help me to understand, if dm-verity table signing is really required if AVB is already enabled?
Thanks,
Pratik Manvar
Please take a look into the following document: