
DM-Verity signing/verification in i.MX8MQ

Question asked by pratik manvar on Jul 23, 2020
Latest reply on Aug 8, 2020 by pratik manvar

Hi All,

I want to understand the DM-Verity signing/verification process for the system and vendor images on the i.MX8M Android platform.

We are using an i.MX8MQ custom board. DM-Verity support is enabled in the kernel. The vbmeta image contains hashtree descriptors of the system and vendor images. At boot time, the system image is mounted as root with the dm-0 block device and vendor is mounted with the dm-1 block device. So, this part is working as expected.

I am looking for the signing part using the RSA private key at build time and the verification part using the public key at boot time.

In IMX_ANDROID_SECURITY_USER_GUIDE, it is mentioned that the RSA key (${MY_ANDROID}/build/target/product/security/verity/verity.pk8) is used to sign the DM_verity table to produce a table signature. When verifying a partition, the table signature is validated first using the public key named "verity_key". In our case, I think this part is missing.

Questions:

1. How can we check that the images are signed using the DM-Verity keys inside the ${MY_ANDROID}/build/target/product/security/verity/ directory?

2. Which configurations need to be enabled for DM-Verity signing?

3. Where exactly will the verity public key be available on the device for DM-Verity verification?

Thank you for the support.

Regards,

Pratik Manvar
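
Added example, not part of the original post and not NXP or AOSP code: since the post says the vbmeta image carries the hashtree descriptors, this reads a vbmeta image's header to show which signing algorithm it declares and which partitions have hashtree descriptors. It assumes the image follows the AOSP libavb vbmeta layout; `inspect_vbmeta`, `sample_vbmeta` and the sample bytes are constructed for illustration.

```python
import struct

# Layout per AOSP libavb's AvbVBMetaImageHeader: 256 bytes, big-endian (assumed here).
HEADER = struct.Struct(">4s2I2QI11Q2I48s80s")
ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096", 3: "SHA256_RSA8192",
              4: "SHA512_RSA2048", 5: "SHA512_RSA4096", 6: "SHA512_RSA8192"}
HASHTREE_TAG = 1      # AVB descriptor tag for a dm-verity hashtree
HASHTREE_FIXED = 180  # fixed part of a hashtree descriptor, incl. 16-byte tag/length prefix

def inspect_vbmeta(blob):
    """Report the declared signing algorithm and the hashtree descriptors.
    This reads what the header declares; it does not verify the signature."""
    f = HEADER.unpack_from(blob)
    if f[0] != b"AVB0":
        raise ValueError("not a vbmeta image")
    auth_size, algorithm, sig_size, key_size = f[3], f[5], f[9], f[11]
    pos = HEADER.size + auth_size + f[14]   # descriptors live in the auxiliary block
    end = pos + f[15]
    if end > len(blob):
        raise ValueError("truncated vbmeta image")
    partitions = {}
    while pos + 16 <= end:
        tag, following = struct.unpack_from(">2Q", blob, pos)
        if tag == HASHTREE_TAG:
            name_len, salt_len, digest_len = struct.unpack_from(">3I", blob, pos + 104)
            name_at = pos + HASHTREE_FIXED
            digest_at = name_at + name_len + salt_len
            name = blob[name_at:digest_at - salt_len].decode()
            partitions[name] = blob[digest_at:digest_at + digest_len].hex()
        pos += 16 + following
    return {"algorithm": ALGORITHMS.get(algorithm, "UNKNOWN"),
            "declares_signature": algorithm != 0 and sig_size > 0 and key_size > 0,
            "hashtree_partitions": partitions}

def _hashtree(name, digest, salt=b"\x00" * 4):
    body = bytearray(HASHTREE_FIXED - 16)   # constructed: only the length fields are set
    struct.pack_into(">3I", body, 104 - 16, len(name), len(salt), len(digest))
    body += name + salt + digest
    body += b"\x00" * (-len(body) % 8)      # descriptors are padded to 8 bytes
    return struct.pack(">2Q", HASHTREE_TAG, len(body)) + bytes(body)

def sample_vbmeta():
    """Constructed image: zero-filled stand-ins for hash, signature and public key."""
    desc = _hashtree(b"system", b"\x11" * 32) + _hashtree(b"vendor", b"\x22" * 32)
    auth, key = bytes(320), bytes(520)
    return HEADER.pack(b"AVB0", 1, 0, len(auth), len(desc) + len(key), 1,
                       0, 32, 32, 256, len(desc), len(key), 0, 0,
                       0, len(desc), 0, 0, 0, b"constructed sample", bytes(80)) + auth + desc + key
```

A declared algorithm of `NONE` means the vbmeta carries no signature; checking the signature itself against a key is a separate step that this example does not perform.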
