- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
-
Hi All,
I want to understand DM-Verity singing/verification process of system and vendor images on i.MX8M Android platform.
We are using i.MX8MQ custom board. DM-Verity support is enabled in kernel. The vbmeta image contains hashtree descriptors of system and vendor images. At boot time, system image is mounted as root with dm-0 block device and vendor is mounted with dm-1 block device. So, this part is working as expected.
I am looking for the signing part using RSA private key at build time and verification part using public key at boot time.
In IMX_ANDROID_SECURITY_USER_GUIDE, it is mentioned that RSA key (${MY_ANDROID}/
build/target/product/security/verity/verity.pk8) is used to sign the DM_verity table to produce a table signature. When verifying a partition, the table signature is validated first using the public key named "verity_key". In our case, I think this part is missing.
Questions:
1. How we can check that images are signed using DM-Verity keys inside ${MY_ANDROID}/
build/target/product/security/verity/ directory?
2. Which configurations are needs to be enabled for DM-Verity signing?
3. Where exactly verity public key will be available on device for DM-Verity verification?
Thank you for the support.
Regards,
Pratik Manvar
已解决! 转到解答。
Hi All,
We got below clarification from NXP Team.
"The dm-verity key is used for old Android OS which doesn't has AVB support. It is not used for the system which has AVB function, vbmeta binary has the root hash and vbmeta is signed with AVB private key to make sure the integrity of the root hash."
Please refer "Enabling DM-Verity singing failed on i.MX8MQ" for more detils.
Thank you for your support.
Regards,
Pratik Manvar
Hi All,
We got below clarification from NXP Team.
"The dm-verity key is used for old Android OS which doesn't has AVB support. It is not used for the system which has AVB function, vbmeta binary has the root hash and vbmeta is signed with AVB private key to make sure the integrity of the root hash."
Please refer "Enabling DM-Verity singing failed on i.MX8MQ" for more detils.
Thank you for your support.
Regards,
Pratik Manvar
Hi James,
Thanks for the quick response.
Thanks & Regards,
Pratik Manvar
Hi jamesbone
Thanks for the response.
Actually, my question here is for enabling dm-verity signing using RSA keys available at "<Android9.0>/build/make/target/product/security". I have used CST tool to generate and sign bootloader image and verify using HABv4.
For imx8mq board, If "BOARD_AVB_ENABLE := true" is enabled, then there is no verity_key in image and system & vendor images are not signed using "extras/verity/build_verity_metadata.py" script.
If I comment/remove "BOARD_AVB_ENABLE := true" and inherit verity.mk (add below code), then only signing of system & vendor images are enabled by extras/verity/build_verity_metadata.py using "<Android9.0>/build/make/target/product/security/verity.pk8" and verity_key is added in image.
-----------------------------------------------------------------------------------------------------
# dm-verity definitions
ifneq ($(BOARD_AVB_ENABLE), true)
PRODUCT_SYSTEM_VERITY_PARTITION=/dev/block/by-name/system
PRODUCT_VENDOR_VERITY_PARTITION=/dev/block/by-name/vendor
ifeq ($(ENABLE_VENDOR_IMAGE), true)
PRODUCT_VENDOR_VERITY_PARTITION=/dev/block/by-name/vendor
endif
$(call inherit-product, build/target/product/verity.mk)
endif
-------------------------------------------------------------------------------------------------------
Questions:
1. Why I need to comment/remove "BOARD_AVB_ENABLE" to sign DM-Verity table? What is relation of AVB and DM-Verity?
Actually I want to enable both "AVB signing/verification" and "DM-Verity signing/verification".
2. When "BOARD_AVB_ENABLE := true", is there any way to sign system & vendor images using dm-verity key at "<Android9.0>/build/make/target/product/security/"?
Thanks,
Pratik Manvar
This will make the build system create vbmeta.img which will contain a hash descriptor for boot.img, a hashtree descriptor for system.img, a kernel-cmdline descriptor for setting up dm-verity for system.img and append a hash-tree to system.img.
By default, the algorithm SHA256_RSA4096 is used with a test key from the external/avb/test/data directory. This can be overriden by the BOARD_AVB_ALGORITHM and BOARD_AVB_KEY_PATH variables to use e.g. a 4096-bit RSA key and SHA-512:
BOARD_AVB_ALGORITHM := SHA512_RSA4096 BOARD_AVB_KEY_PATH := /path/to/rsa_key_4096bits.pem
Hi jamesbone
Thanks for the quick response.
Yes, the expatiation you given is already enabled. The hash of system and vendor images are verified using hashtree descriptor stored in vbmeta.img and both images are mounted as device mapper /dev/block/dm-0 and /dev/block/dm-1 devices.
But in this case, verity-table does not signed using dm-verity key <Android9.0>/build/make/target/product/security/verity.pk8) by "<Android9.0>/extras/verity/build_verity_metadata.py" script to produce the table signature. For this, I need to comment/remove "BOARD_AVB_ENABLE := true" line and add below lines in product.mk.
-----------------------------------------------------------------------------------------------------
# dm-verity definitions
ifneq ($(BOARD_AVB_ENABLE), true)
PRODUCT_SYSTEM_VERITY_PARTITION=/dev/block/by-name/system
PRODUCT_VENDOR_VERITY_PARTITION=/dev/block/by-name/vendor
$(call inherit-product, build/target/product/verity.mk)
endif
-------------------------------------------------------------------------------------------------------
Can you please help me to understand, if dm-verity table signing is really required if AVB is already enabled?
Thanks,
Pratik Manvar
