Enabling DM-Verity signing failed on i.MX8MQ

pratik_manvar
Contributor III

Hello,

I am using an i.MX8MQ custom board. I want to enable DM-Verity signing using the dm-verity RSA private key available at "Android-9.0/build/target/product/security/verity/verity.pk8".

The kernel configuration for DM-Verity is as below:

----------------------------------------------------------------------------------------------------------

CONFIG_BLK_DEV_DM_BUILTIN=y
# CONFIG_DM_MQ_DEFAULT is not set
CONFIG_DM_DEBUG=y
CONFIG_DM_BUFIO=y
# CONFIG_DM_DEBUG_BLOCK_MANAGER_LOCKING is not set
CONFIG_DM_CRYPT=y
CONFIG_DM_UEVENT=y
# CONFIG_DM_FLAKEY is not set
CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_HASH_PREFETCH_MIN_SIZE=1
# CONFIG_DM_VERITY_HASH_PREFETCH_MIN_SIZE_128 is not set
CONFIG_DM_VERITY_FEC=y
# CONFIG_DM_SWITCH is not set
# CONFIG_DM_LOG_WRITES is not set
# CONFIG_DM_INTEGRITY is not set
# CONFIG_DM_ANDROID_VERITY_AT_MOST_ONCE_DEFAULT_ENABLED is not set

----------------------------------------------------------------------------------------------------------

To enable signing of "system.img and vendor.img" using the dm-verity RSA key, I have added the lines below to my board.mk file.

----------------------------------------------------------------------------------------------------------

$(call inherit-product, build/target/product/verity.mk)

PRODUCT_VENDOR_VERITY_PARTITION := /dev/block/dm-1
PRODUCT_SYSTEM_VERITY_PARTITION := /dev/block/dm-0

----------------------------------------------------------------------------------------------------------

Then, I got some errors while building the system and vendor images. Please see the attached file for build log errors.

If I do not add the "$(call inherit-product, build/target/product/verity.mk)" line, then the build completes successfully without any errors, but signing is not done.

Please help me out to find what I am doing wrong.

Thank You.

Pratik Manvar

pratik_manvar
Contributor III

Hello All,

Actually, what I mean here is to use custom keys to sign the DM-Verity table for the system and vendor images. Where should I put the custom keys, and how can I validate that the images are signed with my custom keys?

I was under the impression that the keys under the "Android-9.0/build/target/product/security/verity/" directory are used to sign the DM-Verity table. But even though I have deleted the "verity.pk8", "verity.x509.pem" and "verity_key" files from this directory, there is no error in the build. So, I believe that the signing part is not yet enabled. If I want to sign DM-Verity using custom keys, where do I need to put my custom keys?

Please guide me.

Thanks,

Pratik Manvar

joanxie
NXP TechSupport

What Android version do you use? As far as I know, the latest version enables it by default.

pratik_manvar
Contributor III

Hi joanxie,

Thanks for your reply.

We are using the "android_p9.0.0_2.0.0-ga" release. I have some updates in this thread; like you said, it is enabled by default.

We are using an i.MX8MQ custom board. For i.MX8MQ, AVB signing is enabled by default with "BOARD_AVB_ENABLE := true" to verify the kernel and DTB.

DM-Verity is also enabled in the kernel configuration. So, the hashes of the system and vendor images are verified using the hashtree descriptor stored in vbmeta.img, and both images are mounted as device mapper /dev/block/dm-0 and /dev/block/dm-1 devices.

But, as per the "IMX_ANDROID_SECURITY_USERS_GUIDE_v10.pdf" and "Android_Frequently_Asked_Questions.pdf" documents, the RSA key (${MY_ANDROID}/build/target/product/security/verity/verity.pk8) is used to sign the DM_verity table to produce a table signature, and it is validated first using the public key named "verity_key" at boot time.

However, we have observed that the DM_verity table is NOT signed using verity.pk8 when "BOARD_AVB_ENABLE := true". In fact, it is not signed at all. The signing scripts are not invoked during build time when "BOARD_AVB_ENABLE := true".

To enable the DM_verity signing part, we need to comment out/remove "BOARD_AVB_ENABLE := true" and add the lines below.

-----------------------------------------------------------------------------------------------------

# dm-verity definitions
ifneq ($(BOARD_AVB_ENABLE), true)
    PRODUCT_SYSTEM_VERITY_PARTITION=/dev/block/by-name/system
    PRODUCT_VENDOR_VERITY_PARTITION=/dev/block/by-name/vendor
    $(call inherit-product, build/target/product/verity.mk)
endif

-------------------------------------------------------------------------------------------------------

Can you please help us to understand if dm-verity table signing/verification (using RSA keys) is really required if AVB is already enabled (BOARD_AVB_ENABLE := true)?

Thank You for your help.

Regards,

Pratik Manvar

joanxie
NXP TechSupport

Yes, I think so. Please see the picture below:

pastedImage_1.png

To give an example from P9.0.0_1.0.0:

The AVB is already enabled by default in Android P9.0.0_1.0.0_GA for the i.MX8MM EVK board.

The support is enabled/disabled by modifying the BoardConfig.mk file located at ${MY_ANDROID}/device/fsl/imx8m/evk_8mm:

BOARD_AVB_ENABLE := true

Once this configuration is enabled, the Android project creates vbmeta.img, which will contain a hash descriptor for boot.img, a hashtree descriptor for system.img, and a kernel-cmdline descriptor for setting up dm-verity for system.img, and appends a hash tree to system.img.

pratik_manvar
Contributor III

Hi joanxie,

Yes, you are right. We also got the clarification below from the NXP Team.

"The dm-verity key is used for old Android OS which doesn't have AVB support. It is not used for the system which has AVB function, vbmeta binary has the root hash and vbmeta is signed with AVB private key to make sure the integrity of the root hash."

Thank you for your support.

Regards,

Pratik Manvar

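On the question raised in the thread of how to confirm which key an image was signed with: under AVB the check is made against vbmeta.img, which embeds the signer's public key. The sketch below is an added example, not code from the thread or from NXP; it assumes the 256-byte AvbVBMetaImageHeader layout from libavb, the function names are hypothetical, and the sample image is constructed with dummy key bytes and a zeroed signature.

```python
import hashlib
import struct

# AvbVBMetaImageHeader (libavb): 256 bytes, big-endian. Fields used here:
# auth/aux block sizes, algorithm_type, hash and public-key offset/size.
HEADER_FMT = ">4s2L2QL11Q2L"
HEADER_SIZE = 256
# algorithm_type -> digest computed over header + auxiliary block (0 = unsigned)
HASHES = {1: "sha256", 2: "sha256", 3: "sha256", 4: "sha512", 5: "sha512", 6: "sha512"}

def inspect_vbmeta(image: bytes) -> dict:
    """Report whether vbmeta is signed, which key it embeds, and digest consistency."""
    if len(image) < HEADER_SIZE or image[:4] != b"AVB0":
        raise ValueError("not a vbmeta image")
    (_, _, _, auth_size, aux_size, algo, hash_off, hash_size,
     _, _, key_off, key_size, *_) = struct.unpack_from(HEADER_FMT, image)
    auth = image[HEADER_SIZE:HEADER_SIZE + auth_size]
    aux = image[HEADER_SIZE + auth_size:HEADER_SIZE + auth_size + aux_size]
    if len(auth) != auth_size or len(aux) != aux_size:
        raise ValueError("truncated vbmeta image")
    if algo == 0:  # algorithm NONE: no hash, no signature, no key
        return {"signed": False, "key": b"", "key_sha1": None, "digest_ok": False}
    if algo not in HASHES:
        raise ValueError("unknown algorithm_type %d" % algo)
    key = aux[key_off:key_off + key_size]
    digest = hashlib.new(HASHES[algo], image[:HEADER_SIZE] + aux).digest()
    return {"signed": True, "key": key, "key_sha1": hashlib.sha1(key).hexdigest(),
            "digest_ok": digest == auth[hash_off:hash_off + hash_size]}

def embeds_key(image: bytes, expected_key_blob: bytes) -> bool:
    """expected_key_blob: output of `avbtool extract_public_key` for the custom key."""
    info = inspect_vbmeta(image)
    return info["signed"] and info["digest_ok"] and info["key"] == expected_key_blob

def build_sample(pubkey: bytes, algo: int = 1) -> bytes:
    """Constructed test image: real header layout, dummy key bytes, zeroed signature."""
    hash_size = hashlib.new(HASHES[algo]).digest_size
    sig_size = 256
    header = struct.pack(
        HEADER_FMT, b"AVB0", 1, 0, hash_size + sig_size, len(pubkey), algo,
        0, hash_size, hash_size, sig_size, 0, len(pubkey),
        0, 0, 0, 0, 0, 0, 0).ljust(HEADER_SIZE, b"\0")
    digest = hashlib.new(HASHES[algo], header + pubkey).digest()
    return header + digest + bytes(sig_size) + pubkey

if __name__ == "__main__":
    key = b"constructed-custom-key" * 4
    print(inspect_vbmeta(build_sample(key))["key_sha1"], embeds_key(build_sample(key), key))
```

This confirms which key is embedded and that the stored digest matches the image contents; it does not verify the RSA signature itself, which `avbtool verify_image --image vbmeta.img --key <key>` does.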