Enable operations on unlocked devices.

If a device is unlocked the expected behavior is that slots are
rejected if, and only if, they are invalid, not if they fail
verification.

Verification failure includes rollback index comparison failures,
signature mismatch, signature made by an unknown key, vbmeta structs
without any signature, and so on. Basically the spirit here is that an
unlocked device should be able to boot an image built on your local
workstation and e.g. signed with your own keys.

To easily enable such operations with avb_slot_verify() and
avb_ab_flow(), we introduce a boolean |allow_verification_error|
parameter in each function. If this is false everything is as before
and we'll abort verification as soon as something doesn't verify.

On the other hand, if |allow_verification_error| is true then we'll
keep going and only bail if e.g. the AVB metadata is invalid, _not_ if
it fails verification.

This is designed so callers can set |allow_verification_error| to true
exactly if the device is unlocked.

Callers of avb_slot_verify() where |allow_verification_error| is set
to true are guaranteed that AVB_SLOT_VERIFY_RESULT_OK is returned if,
and only if, the slot verified correctly.

Introduce AVB_AB_FLOW_RESULT_OK_WITH_VERIFICATION_ERROR in addition to
AVB_AB_FLOW_RESULT_OK so avb_ab_flow() users can make a distinction
whether the image verified or not. The new value can only be returned if
|allow_verification_error| is set to true.

In both cases - avb_slot_verify() and avb_ab_flow() - the bootloader
has enough information to determine if the slot to boot cannot be
verified. For example, the device can convey to the user that the OS
it's about to boot is unverified and request the user to click
through. On the other hand if the slot did verify (despite the device
being unlocked) the bootloader can nicely avoid such a kludge.

Add some new test cases to verify correct operation both when
|allow_verification_error| is true and when it is false.

Test: New unit tests and all unit tests pass.
Test: Tested in UEFI-based bootloader in qemu.
Bug: 32949911

Change-Id: I218c8761c201d2e8e4dc73eaebfb1ac2742e0726
8 files changed
tree: 6554794899e94fb8955d32bd18936a3ce914828c
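The two modes described in the commit message, as an added model in C (not libavb's code): a reduced avb_slot_verify()/avb_ab_flow() in which invalid metadata is always fatal while signature and rollback-index failures are fatal only when |allow_verification_error| is false. The MODEL_ enums, the ModelVbmeta struct and the model_ function names are hypothetical stand-ins for the real API.

```c
/* Added example (not libavb's code): a reduced model of the
 * allow_verification_error semantics; MODEL_/model_ names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Stand-ins for AVB_SLOT_VERIFY_RESULT_* and AVB_AB_FLOW_RESULT_* values. */
typedef enum { MODEL_SLOT_OK, MODEL_SLOT_ERROR_INVALID,
               MODEL_SLOT_ERROR_VERIFICATION } ModelSlotResult;
typedef enum { MODEL_FLOW_OK, MODEL_FLOW_OK_WITH_VERIFICATION_ERROR,
               MODEL_FLOW_ERROR } ModelFlowResult;

/* Constructed stand-in for a vbmeta image: only what the model inspects. */
typedef struct {
  char magic[4];           /* "AVB0" expected; anything else is invalid */
  bool signature_ok;       /* outcome of the signature check */
  uint64_t rollback_index; /* compared against the stored index */
} ModelVbmeta;

/* Model of avb_slot_verify(). Invalid metadata always fails. A signature or
 * rollback failure aborts unless allow_verification_error is set; then we keep
 * going (*out_loaded = true, like non-NULL out_data) but still return an error. */
static ModelSlotResult model_slot_verify(const ModelVbmeta* vb, uint64_t stored_idx,
                                         bool allow_verification_error, bool* out_loaded) {
  bool verified = true;
  *out_loaded = false;
  if (memcmp(vb->magic, "AVB0", 4) != 0) return MODEL_SLOT_ERROR_INVALID;
  if (!vb->signature_ok) {
    if (!allow_verification_error) return MODEL_SLOT_ERROR_VERIFICATION;
    verified = false; /* unlocked: note the failure and keep going */
  }
  if (vb->rollback_index < stored_idx) {
    if (!allow_verification_error) return MODEL_SLOT_ERROR_VERIFICATION;
    verified = false;
  }
  *out_loaded = true;
  return verified ? MODEL_SLOT_OK : MODEL_SLOT_ERROR_VERIFICATION;
}

/* Model of avb_ab_flow(): device_unlocked becomes allow_verification_error, and
 * OK_WITH_VERIFICATION_ERROR (only possible when unlocked) means "warn the user". */
static ModelFlowResult model_ab_flow(const ModelVbmeta* vb, uint64_t stored_idx,
                                     bool device_unlocked) {
  bool loaded;
  ModelSlotResult r = model_slot_verify(vb, stored_idx, device_unlocked, &loaded);
  if (r == MODEL_SLOT_OK) return MODEL_FLOW_OK;
  if (loaded && r == MODEL_SLOT_ERROR_VERIFICATION)
    return MODEL_FLOW_OK_WITH_VERIFICATION_ERROR;
  return MODEL_FLOW_ERROR;
}
```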