帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Enabling DM-Verity singing failed on i.MX8MQ

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决
跳至解决方案

Enabling DM-Verity singing failed on i.MX8MQ

跳至解决方案
‎07-26-2020 10:47 PM
7,616 次查看
pratik_manvar
Contributor III

Hello,

I am using i.MX8MQ custom board. I want to enable DM-Veiry signing using dm-verity RSA private key available at "Android-9.0/build/target/product/security/verity/verity.pk8".

The kernel configuration for DM-Verity is as below:

----------------------------------------------------------------------------------------------------------

CONFIG_BLK_DEV_DM_BUILTIN=y
# CONFIG_DM_MQ_DEFAULT is not set
CONFIG_DM_DEBUG=y
CONFIG_DM_BUFIO=y
# CONFIG_DM_DEBUG_BLOCK_MANAGER_LOCKING is not set
CONFIG_DM_CRYPT=y
CONFIG_DM_UEVENT=y
# CONFIG_DM_FLAKEY is not set
CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_HASH_PREFETCH_MIN_SIZE=1
# CONFIG_DM_VERITY_HASH_PREFETCH_MIN_SIZE_128 is not set
CONFIG_DM_VERITY_FEC=y
# CONFIG_DM_SWITCH is not set
# CONFIG_DM_LOG_WRITES is not set
# CONFIG_DM_INTEGRITY is not set
# CONFIG_DM_ANDROID_VERITY_AT_MOST_ONCE_DEFAULT_ENABLED is not set

----------------------------------------------------------------------------------------------------------

To enable signing of "system.img and vendor.img" using dm-verity RSA key, I have added below lines in my board.mk file.

----------------------------------------------------------------------------------------------------------

$(call inherit-product, build/target/product/verity.mk)

PRODUCT_VENDOR_VERITY_PARTITION := /dev/block/dm-1
PRODUCT_SYSTEM_VERITY_PARTITION := /dev/block/dm-0

----------------------------------------------------------------------------------------------------------

 

Then, I got some errors while building the system and vendor images. Please see the attached file for build log errors.

If I do not add "$(call inherit-product, build/target/product/verity.mk)" line then, build is successfully completed without any errors but signing is not done.

Please help me out to find what I am doing wrong.

Thank You.

Pratik Manvar

imx8mq-dm-verity-build-errors.txt.zip
回复
1 解答

跳至解决方案
‎08-13-2020 01:11 AM
7,466 次查看
joanxie
NXP TechSupport
NXP TechSupport

yes I think so, pls see the pic as below:

pastedImage_1.png

give an example of P9.0.0_1.0.0:

The AVB is already enabled by default in Android P9.0.0_1.0.0_GA for i.MX8MM EVK board.

The support is enabled/disabled by modifying BoardConfig.mk file located  at ${MY_ANDROID}/device/fsl/imx8m/evk_8mm:

BOARD_AVB_ENABLE := true

Once this configuration is enabled the Android project creates vbmeta.img which will contain a hash descriptor for boot.img, a hashtree descriptor for system.img, a kernel-cmdline descriptor for setting up dm-verity for system.img and append a hash-tree to system.img.

在原帖中查看解决方案

回复
5 回复数

跳至解决方案
‎07-29-2020 10:55 AM
7,466 次查看
pratik_manvar
Contributor III

Hello All,

Actually, what I mean here is to use custom keys to sign DM-Verity table for system and vendor images. Where should I put the custom keys and how I can validate that images are signed with my custom keys?

I was under impression that keys under "Android-9.0/build/target/product/security/verity/" directory are used to sign DM verity table. But, even I have deleted "verity.pk8", "verity.x509.pem" and "verity_key" files from this directory, there is no error in build. So, I believe that signing part is not yet enabled. If I want to sign DM-verity using custom keys, where do I need to put my custom keys?

Please guide me.

Thanks,

Pratik Manvar

0 项奖励
回复

跳至解决方案
‎08-11-2020 02:06 AM
7,466 次查看
joanxie
NXP TechSupport
NXP TechSupport

what android version do you use? as I known the latest version enable it by default

0 项奖励
回复

跳至解决方案
‎08-11-2020 03:01 AM
7,466 次查看
pratik_manvar
Contributor III

Hi joanxie‌,

Thanks for your reply.

We are using "android_p9.0.0_2.0.0-ga" release. I have some update in this thread like you said it is enabled by default.

We are using i.MX8MQ custom board. For i.MX8MQ, AVB signing is by-default enabled with "BOARD_AVB_ENABLE := true" to verify kernel and DTB.

DM-Verity is also enabled in kernel configurations. So, the hash of system and vendor images are verified using hashtree descriptor stored in vbmeta.img and both images are mounted as device mapper /dev/block/dm-0 and /dev/block/dm-1 devices.

 

But, as per "IMX_ANDROID_SECURITY_USERS_GUIDE_v10.pdf" and "Android_Frequently_Asked_Questions.pdf" documents, RSA key (${MY_ANDROID}/build/target/product/security/verity/verity.pk8) is used to sign the DM_verity table to produce a table signature and it is validated first using the public key named "verity_key" at boot time.

 

However, we have observed that DM_verity table is NOT signed using verity.pk8 when "BOARD_AVB_ENABLE := true". In fact it is not signed at all. The signing scripts are not invoked during build time when "BOARD_AVB_ENABLE := true"

 

To enable DM_verity signing part, we need to comment/remove "BOARD_AVB_ENABLE := true" and add below lines.

-----------------------------------------------------------------------------------------------------

# dm-verity definitions

ifneq ($(BOARD_AVB_ENABLE), true)

    PRODUCT_SYSTEM_VERITY_PARTITION=/dev/block/by-name/system

    PRODUCT_VENDOR_VERITY_PARTITION=/dev/block/by-name/vendor

    $(call inherit-product, build/target/product/verity.mk)

endif

-------------------------------------------------------------------------------------------------------

 

Can you please help us to understand, if dm-verity table signing/verification (using RSA keys) is really required if AVB is already enabled (BOARD_AVB_ENABLE := true)?

Thank You for your help.

Regards,

Pratik Manvar

0 项奖励
回复

跳至解决方案
‎08-13-2020 01:11 AM
7,467 次查看
joanxie
NXP TechSupport
NXP TechSupport

yes I think so, pls see the pic as below:

pastedImage_1.png

give an example of P9.0.0_1.0.0:

The AVB is already enabled by default in Android P9.0.0_1.0.0_GA for i.MX8MM EVK board.

The support is enabled/disabled by modifying BoardConfig.mk file located  at ${MY_ANDROID}/device/fsl/imx8m/evk_8mm:

BOARD_AVB_ENABLE := true

Once this configuration is enabled the Android project creates vbmeta.img which will contain a hash descriptor for boot.img, a hashtree descriptor for system.img, a kernel-cmdline descriptor for setting up dm-verity for system.img and append a hash-tree to system.img.

回复

跳至解决方案
‎08-17-2020 04:50 AM
7,466 次查看
pratik_manvar
Contributor III

Hi joanxie‌,

Yes you are right. We also got below clarification from NXP Team. 

"The dm-verity key is used for old Android OS which doesn't has AVB support.  It is not used for the system which has AVB function, vbmeta binary has the root hash and vbmeta is signed with AVB private key to make sure the integrity of the root hash."

Thank you for your support.

Regards,

Pratik Manvar

0 项奖励
回复