DM-Verity singing/verification in i.MX8MQ

cancel
Showing results for 
Search instead for 
Did you mean: 

DM-Verity singing/verification in i.MX8MQ

Jump to solution
1,246 Views
pratik_manvar
Contributor III

Hi All,

I want to understand DM-Verity singing/verification process of system and vendor images on i.MX8M Android platform.

We are using i.MX8MQ custom board. DM-Verity support is enabled in kernel. The vbmeta image contains hashtree descriptors of system and vendor images. At boot time, system image is mounted as root with dm-0 block device and vendor is mounted with dm-1 block device. So, this part is working as expected.

I am looking for the signing part using RSA private key at build time and verification part using public key at boot time.

In IMX_ANDROID_SECURITY_USER_GUIDE, it is mentioned that RSA key (${MY_ANDROID}/
build/target/product/security/verity/verity.pk8) is used to sign the DM_verity table to produce a table signature. When verifying a partition, the table signature is validated first using the public key named "verity_key". In our case, I think this part is missing.

Questions:

1. How we can check that images are signed using DM-Verity keys inside ${MY_ANDROID}/
build/target/product/security/verity/ directory?

2. Which configurations are needs to be enabled for DM-Verity signing?

3. Where exactly verity public key will be available on device for DM-Verity verification?

Thank you for the support.

Regards,

Pratik Manvar

Tags (1)
0 Kudos
1 Solution
998 Views
pratik_manvar
Contributor III

Hi All,

We got below clarification from NXP Team. 

"The dm-verity key is used for old Android OS which doesn't has AVB support.  It is not used for the system which has AVB function, vbmeta binary has the root hash and vbmeta is signed with AVB private key to make sure the integrity of the root hash."

Please refer "Enabling DM-Verity singing failed on i.MX8MQ" for more detils.

 

Thank you for your support.

Regards,

Pratik Manvar

View solution in original post

0 Kudos
7 Replies
999 Views
pratik_manvar
Contributor III

Hi All,

We got below clarification from NXP Team. 

"The dm-verity key is used for old Android OS which doesn't has AVB support.  It is not used for the system which has AVB function, vbmeta binary has the root hash and vbmeta is signed with AVB private key to make sure the integrity of the root hash."

Please refer "Enabling DM-Verity singing failed on i.MX8MQ" for more detils.

 

Thank you for your support.

Regards,

Pratik Manvar

View solution in original post

0 Kudos
998 Views
pratik_manvar
Contributor III

Hi James,

Thanks for the quick response.

Actually I want to enable the DM-Verity with singing/verification using RSA keys. The documents "IMX_ANDROID_SECURITY_USER_GUIDE.pdf" and "Android_Frequently_Asked_Questions.pdf", mentions about key path, but it does not mention about how keys will be used to sign verity table at the build time. In my board, the public key "verity_key" does not seem to exist. So, I want to get more information about if any tools/scripts, variables, etc. are used to sign verity table at build time and install verity_key on target.

Thanks & Regards,

Pratik Manvar

0 Kudos
998 Views
jamesbone
NXP TechSupport
NXP TechSupport

This is created by CST Tool, which creates the Keys.

0 Kudos
998 Views
pratik_manvar
Contributor III

Hi jamesbone

Thanks for the response.

Actually, my question here is for enabling dm-verity signing using RSA keys available at "<Android9.0>/build/make/target/product/security". I have used CST tool to generate and sign bootloader image and verify using HABv4.

For imx8mq board, If "BOARD_AVB_ENABLE := true" is enabled, then there is no verity_key in image and system & vendor images are not signed using "extras/verity/build_verity_metadata.py" script.

If I comment/remove "BOARD_AVB_ENABLE := true" and inherit verity.mk (add below code), then only signing of system & vendor images are enabled by extras/verity/build_verity_metadata.py using "<Android9.0>/build/make/target/product/security/verity.pk8" and verity_key is added in image.

-----------------------------------------------------------------------------------------------------
# dm-verity definitions
ifneq ($(BOARD_AVB_ENABLE), true)
PRODUCT_SYSTEM_VERITY_PARTITION=/dev/block/by-name/system
PRODUCT_VENDOR_VERITY_PARTITION=/dev/block/by-name/vendor
ifeq ($(ENABLE_VENDOR_IMAGE), true)
PRODUCT_VENDOR_VERITY_PARTITION=/dev/block/by-name/vendor
endif
$(call inherit-product, build/target/product/verity.mk)
endif
-------------------------------------------------------------------------------------------------------

Questions:
1. Why I need to comment/remove "BOARD_AVB_ENABLE" to sign DM-Verity table? What is relation of AVB and DM-Verity?
Actually I want to enable both "AVB signing/verification" and "DM-Verity signing/verification".
2. When "BOARD_AVB_ENABLE := true", is there any way to sign system & vendor images using dm-verity key at "<Android9.0>/build/make/target/product/security/"?

Thanks,

Pratik Manvar

0 Kudos
998 Views
jamesbone
NXP TechSupport
NXP TechSupport

This will make the build system create vbmeta.img which will contain a hash descriptor for boot.img, a hashtree descriptor for system.img, a kernel-cmdline descriptor for setting up dm-verity for system.img and append a hash-tree to system.img.

By default, the algorithm SHA256_RSA4096 is used with a test key from the external/avb/test/data directory. This can be overriden by the BOARD_AVB_ALGORITHM and BOARD_AVB_KEY_PATH variables to use e.g. a 4096-bit RSA key and SHA-512:

BOARD_AVB_ALGORITHM := SHA512_RSA4096 BOARD_AVB_KEY_PATH := /path/to/rsa_key_4096bits.pem
0 Kudos
998 Views
pratik_manvar
Contributor III

Hi jamesbone

Thanks for the quick response.

Yes, the expatiation you given is already enabled. The hash of system and vendor images are verified using hashtree descriptor stored in vbmeta.img and both images are mounted as device mapper /dev/block/dm-0 and /dev/block/dm-1 devices.

But in this case, verity-table does not signed using dm-verity key <Android9.0>/build/make/target/product/security/verity.pk8) by "<Android9.0>/extras/verity/build_verity_metadata.py" script to produce the table signature. For this, I need to comment/remove "BOARD_AVB_ENABLE := true" line and add below lines in product.mk.

-----------------------------------------------------------------------------------------------------
# dm-verity definitions
ifneq ($(BOARD_AVB_ENABLE), true)
    PRODUCT_SYSTEM_VERITY_PARTITION=/dev/block/by-name/system
    PRODUCT_VENDOR_VERITY_PARTITION=/dev/block/by-name/vendor
    $(call inherit-product, build/target/product/verity.mk)
endif
-------------------------------------------------------------------------------------------------------

Can you please help me to understand, if dm-verity table signing is really required if AVB is already enabled?

Thanks,

Pratik Manvar

0 Kudos
998 Views
jamesbone
NXP TechSupport
NXP TechSupport

Please take a look into the following document:

https://community.nxp.com/docs/DOC-344908 

0 Kudos