Possible to build Android 9 with dm-verity unlocked by default?


6,087 Views
tomas_brannstro
Contributor I

Hello

I've been tackling this issue for a while so I thought I'd ask here. To be able to remount the root partition on Android 9 you can follow the steps from the Android Users Guide pdf by toggling OEM unlock in the settings GUI, unlocking the bootloader and finally disabling dm-verity. However I would like the bootloader to be unlocked by default and have dm-verity be disabled by default.

Is this possible to achieve when building the Android source, maybe through updating some Makefile or similar? Or is it more complicated?

This is for i.MX 8M-Quad, using the P9.0.0_1.0.0_GA_ANDROID_SOURCE package, built as an "eng" build.

0 Kudos
Reply
8 Replies

5,150 Views
diegoadrian
NXP Employee

Hello,

I have not tried it yet, but you could disable it during the kernel build in the menuconfig.

Just enter into the menuconfig and disable the DM_VERITY option. After that, you need to modify your defconfig file with the new configuration. Otherwise, you will not see any change at all.

Hope this information could help you.

Best regards,

Diego.

0 Kudos
Reply

5,150 Views
tomas_brannstro
Contributor I

I tried this by running menuconfig with arch/arm64/configs/android_defconfig as base and removed the VERITY option. Unfortunately this led to the device boot-looping with this error:

[ 5.266211] device-mapper: init: attempting early device configuration.
[ 5.273686] device-mapper: init: adding target '0 3611944 verity 1 PARTUUID=c7e1105f-edb9-4038-91e3-05267b7aadc1 PARTUUID=c7e1105f-edb9-4038-91e3-05267b7aadc1 4096 4096 451493 451493 sha1 21211af52625976f8cc6fc172259ed83a2b5e073 a9db84dbbce1d80cd858794cf480f195765b0b6e 10 restart_on_corruption ignore_zero_blocks use_fec_from_device PARTUUID=c7e1105f-edb9-4038-91e3-05267b7aadc1 fec_roots 2 fec_blocks 455050 fec_start 455050'
[ 5.311517] device-mapper: table: 252:0: verity: unknown target type
[ 5.317883] device-mapper: init: starting dm-0 (vroot) failed
[ 5.323921] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[ 5.332053] Mem abort info:
[ 5.334847] Exception class = IABT (current EL), IL = 32 bits
[ 5.340831] SET = 0, FnV = 0
[ 5.343894] EA = 0, S1PTW = 0
[ 5.347044] [0000000000000000] user address but active_mm is swapper
[ 5.353412] Internal error: Oops: 86000004 [#1] PREEMPT SMP
[ 5.358984] Modules linked in:
[ 5.362043] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.14.78-00042-g5bb884cb9645-dirty #3
[ 5.370304] Hardware name: Freescale i.MX8MQ EVK (DT)
[ 5.375354] task: ffff800060620000 task.stack: ffff000008038000
[ 5.381274] PC is at 0x0
[ 5.383813] LR is at generic_make_request+0xf0/0x24c
[ 5.388775] pc : [<0000000000000000>] lr : [<ffff000008492634>] pstate: 60000145

......

[ 6.233823] Code: bad PC value
[ 6.236882] ---[ end trace 370d3aa0e3eb719b ]---
[ 6.241603] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
[ 6.241603]
[ 6.250735] SMP: stopping secondary CPUs
[ 6.254707] Kernel Offset: disabled
[ 6.258195] CPU features: 0x080200c
[ 6.261681] Memory Limit: none
[ 6.264737] Rebooting in 5 seconds..

Maybe something more needs to be configured?

0 Kudos
Reply
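To make sense of what the kernel was being asked to set up when it logged "verity: unknown target type", here is a small decoder for that dm-verity table line. It is an added example, not code from this thread or from NXP; the table text is the one printed in the log above, re-joined onto a single line, and the field layout follows the standard dm-verity target format (version, data device, hash device, block sizes, block counts, hash algorithm, root digest, salt, then a counted list of optional arguments). The `consistency_problems` and `required_kernel_options` helpers are this example's own: the first runs the arithmetic checks a reviewer would apply to such a table, the second reports which kernel options the table depends on, which is the point of the boot loop: dm-init still hands the kernel a verity target (with FEC options) at early boot, so removing the target from the kernel alone leaves the table referring to something the kernel can no longer construct.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Union

# dm-verity table line rebuilt from the kernel log above (the log wrapped it
# across several lines; it is re-joined here so the tokens are whole).
SAMPLE_TABLE = (
    "0 3611944 verity 1 "
    "PARTUUID=c7e1105f-edb9-4038-91e3-05267b7aadc1 "
    "PARTUUID=c7e1105f-edb9-4038-91e3-05267b7aadc1 "
    "4096 4096 451493 451493 sha1 "
    "21211af52625976f8cc6fc172259ed83a2b5e073 "
    "a9db84dbbce1d80cd858794cf480f195765b0b6e "
    "10 restart_on_corruption ignore_zero_blocks "
    "use_fec_from_device PARTUUID=c7e1105f-edb9-4038-91e3-05267b7aadc1 "
    "fec_roots 2 fec_blocks 455050 fec_start 455050"
)

# Optional arguments the dm-verity constructor understands: a flag takes no
# value, the FEC-related ones take exactly one.
FLAG_OPTS = {"ignore_corruption", "restart_on_corruption",
             "ignore_zero_blocks", "check_at_most_once"}
VALUE_OPTS = {"use_fec_from_device", "fec_roots", "fec_blocks", "fec_start"}


@dataclass
class VerityTable:
    start_sector: int
    length_sectors: int
    version: int
    data_dev: str
    hash_dev: str
    data_block_size: int
    hash_block_size: int
    num_data_blocks: int
    hash_start_block: int
    algorithm: str
    root_digest: str
    salt: str
    options: Dict[str, Union[str, bool]] = field(default_factory=dict)


def parse_verity_table(line: str) -> VerityTable:
    """Parse '<start> <len> verity <args...>' as device-mapper prints it."""
    tok = line.split()
    if len(tok) < 13 or tok[2] != "verity":
        raise ValueError("not a dm-verity table line")
    t = VerityTable(
        start_sector=int(tok[0]), length_sectors=int(tok[1]),
        version=int(tok[3]), data_dev=tok[4], hash_dev=tok[5],
        data_block_size=int(tok[6]), hash_block_size=int(tok[7]),
        num_data_blocks=int(tok[8]), hash_start_block=int(tok[9]),
        algorithm=tok[10], root_digest=tok[11], salt=tok[12],
    )
    rest = tok[13:]
    if rest:
        count = int(rest[0])          # number of optional tokens that follow
        opts = rest[1:]
        if len(opts) != count:
            raise ValueError(f"optional-arg count {count} != {len(opts)} given")
        i = 0
        while i < len(opts):
            name = opts[i]
            if name in FLAG_OPTS:
                t.options[name] = True
                i += 1
            elif name in VALUE_OPTS and i + 1 < len(opts):
                t.options[name] = opts[i + 1]
                i += 2
            else:
                raise ValueError(f"unrecognised verity option {name!r}")
    return t


def consistency_problems(t: VerityTable) -> List[str]:
    """Arithmetic checks on the table; an empty list means it is self-consistent."""
    problems = []
    digest_len = {"sha1": 40, "sha256": 64, "sha512": 128}.get(t.algorithm)
    if digest_len is None:
        problems.append(f"unknown hash algorithm {t.algorithm}")
    elif len(t.root_digest) != digest_len or not re.fullmatch(r"[0-9a-f]+", t.root_digest):
        problems.append("root digest length does not match algorithm")
    # The covered data must be exactly the target's length in 512-byte sectors.
    if t.num_data_blocks * t.data_block_size != t.length_sectors * 512:
        problems.append("num_data_blocks * data_block_size != target length")
    # When hash tree and data share a device, the tree must start after the data.
    if t.data_dev == t.hash_dev and t.hash_start_block < t.num_data_blocks:
        problems.append("hash tree would overlap data on the same device")
    return problems


def required_kernel_options(t: VerityTable) -> List[str]:
    """Kernel config the table depends on: the target itself, plus FEC support
    when any fec_* / use_fec_from_device option is present (a kernel built
    without CONFIG_DM_VERITY_FEC rejects those arguments)."""
    needed = ["CONFIG_DM_VERITY"]
    if any(o == "use_fec_from_device" or o.startswith("fec_") for o in t.options):
        needed.append("CONFIG_DM_VERITY_FEC")
    return needed


if __name__ == "__main__":
    t = parse_verity_table(SAMPLE_TABLE)
    print(f"{t.algorithm} root digest {t.root_digest}")
    print(f"data: {t.num_data_blocks} x {t.data_block_size} B on {t.data_dev}")
    print("options:", t.options)
    print("problems:", consistency_problems(t) or "none")
    print("kernel needs:", required_kernel_options(t))
```

Run against the table from the log it reports no consistency problems (451493 blocks of 4096 bytes is exactly 3611944 sectors, and the hash tree starts right after the data on the same partition) and lists both CONFIG_DM_VERITY and CONFIG_DM_VERITY_FEC as required, which is why dropping the verity target from the kernel while the build still emits this table at boot cannot work on its own.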

5,150 Views
diegoadrian
NXP Employee

Hello,

Could you please try commenting out the whole verity.mk file and building the Android image again?

The file is located in the following path: android_build/build/make/target/product/verity.mk

Best regards,

Diego.

0 Kudos
Reply

5,150 Views
tomas_brannstro
Contributor I

I gave it a shot, but the same problem occurs. I also tried to remove the different VERITY definitions from the product.mk file:

PRODUCT_SUPPORTS_VERITY
PRODUCT_SUPPORTS_VERITY_FEC
PRODUCT_VERITY_SIGNING_KEY
PRODUCT_SYSTEM_VERITY_PARTITION
PRODUCT_VENDOR_VERITY_PARTITION
PRODUCT_PRODUCT_VERITY_PARTITION

No success either though. Seems like there must be something else that should be disabled. Just to be clear, right now I have disabled "Verity target support" under "Multiple device driver support (RAID and LVM)".

0 Kudos
Reply

5,150 Views
diegoadrian
NXP Employee

Hello,

I found the below information that could be useful.

root access - How to disable dm-verity on Android with "user" build type ROM? - Android Enthusiasts ... 

Best regards,

Diego.

0 Kudos
Reply

5,150 Views
tomas_brannstro
Contributor I

Thanks a lot. That information helped a bit: I can now remount the /vendor partition since it was marked as "vb" in the dts file.

I'm still having trouble with the root partition though... It still requires a manual OEM unlock and an "adb remount" (just a regular mount -o remount,rw / does not work, for example; so I guess adb remount does some additional magic) in order to remount as read/write. Even setting it as rw in fstab does not help (something I've tried before).

I will keep digging into this for a bit in case I've missed something though.

0 Kudos
Reply

5,150 Views
diegoadrian
NXP Employee

Hello,

I found more information on the official Android webpage regarding the oem-unlock property. Probably it can be useful to you.

Using the Bootloader  |  Android Open Source Project 

Unfortunately, we cannot provide more support about how to disable the bootloader at the build level, since you are dealing with some security gaps if you unlock the bootloader.

I apologize for the inconvenience.

Best regards,

Diego. 

0 Kudos
Reply

5,150 Views
tomas_brannstro
Contributor I

I understand, thanks for your assistance anyway. I have put this on hold a bit for now while we explore other ways to accomplish what we want to do without unlocking.

0 Kudos
Reply