Some avbtool commands

Published: 2023-04-10 10:16:47 Author: xiululu

References:

Android Verified Boot 2.0: https://android.googlesource.com/platform/external/avb/+/master/README.md

avbtool verify_image

Command and parameter description:

$ ./avbtool verify_image -h
usage: avbtool verify_image [-h] --image IMAGE [--key KEY]
                            [--expected_chain_partition PART_NAME:ROLLBACK_SLOT:KEY_PATH]
                            [--follow_chain_partitions]
                            [--accept_zeroed_hashtree]

optional arguments:
  -h, --help            show this help message and exit
  --image IMAGE         Image to verify
  --key KEY             Check embedded public key matches KEY
  --expected_chain_partition PART_NAME:ROLLBACK_SLOT:KEY_PATH
                        Expected chain partition
  --follow_chain_partitions
                        Follows chain partitions even when not specified with
                        the --expected_chain_partition option
  --accept_zeroed_hashtree
                        Accept images where the hashtree or FEC data is zeroed
                        out

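Example:

Note on android/out/target/product/evb/obj/avb_chain_keys/vbmeta_system.avbpubkey: the avb_chain_keys directory is deleted once the build completes; for this test, the build process was modified locally to keep this file.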

ssa@SS-SHAP02:~/aosp11$ ./android/external/avb/avbtool verify_image --image ~/tmp/gmsversion/download_images/vbmeta_system.img
Verifying image /home/ssa/tmp/gmsversion/download_images/vbmeta_system.img using embedded public key
vbmeta: Successfully verified SHA256_RSA2048 vbmeta struct in /home/ssa/tmp/gmsversion/download_images/vbmeta_system.img
product: Successfully verified sha1 hashtree of /home/ssa/tmp/gmsversion/download_images/product.img for image of 1995071488 bytes
system: Successfully verified sha1 hashtree of /home/ssa/tmp/gmsversion/download_images/system.img for image of 816340992 bytes
system_ext: Successfully verified sha1 hashtree of /home/ssa/tmp/gmsversion/download_images/system_ext.img for image of 459300864 bytes

ssa@SS-SHAP02:~/aosp11$ ./android/external/avb/avbtool verify_image --image ~/tmp/gmsversion/download_images/vbmeta.img --key android/vendor/vendor/common/keytools/veritykey_rsa4096.pem \
    --expected_chain_partition vbmeta_system:2:android/out/target/product/evb/obj/avb_chain_keys/vbmeta_system.avbpubkey
Verifying image /home/ssa/tmp/gmsversion/download_images/vbmeta.img using key at android/vendor/vendor/common/keytools/veritykey_rsa4096.pem
vbmeta: Successfully verified SHA256_RSA4096 vbmeta struct in /home/ssa/tmp/gmsversion/download_images/vbmeta.img
vbmeta_system: Successfully verified chain partition descriptor matches expected data
boot: Successfully verified sha256 hash of /home/ssa/tmp/gmsversion/download_images/boot.img for image of 27578368 bytes
dtbo: Successfully verified sha256 hash of /home/ssa/tmp/gmsversion/download_images/dtbo.img for image of 1167483 bytes
vendor_boot: Successfully verified sha256 hash of /home/ssa/tmp/gmsversion/download_images/vendor_boot.img for image of 43204608 bytes
vendor: Successfully verified sha1 hashtree of /home/ssa/tmp/gmsversion/download_images/vendor.img for image of 1130254336 bytes

avbtool make_vbmeta_image

Used to generate the vbmeta partition.

Command and parameter description:

./avbtool make_vbmeta_image -h
usage: avbtool make_vbmeta_image [-h] [--output OUTPUT]
                                 [--padding_size NUMBER]
                                 [--algorithm ALGORITHM] [--key KEY]
                                 [--signing_helper APP]
                                 [--signing_helper_with_files APP]
                                 [--public_key_metadata KEY_METADATA]
                                 [--rollback_index ROLLBACK_INDEX]
                                 [--append_to_release_string STR]
                                 [--prop KEY:VALUE]
                                 [--prop_from_file KEY:PATH]
                                 [--kernel_cmdline CMDLINE]
                                 [--setup_rootfs_from_kernel IMAGE]
                                 [--include_descriptors_from_image IMAGE]
                                 [--print_required_libavb_version]
                                 [--chain_partition PART_NAME:ROLLBACK_SLOT:KEY_PATH]
                                 [--flags FLAGS]
                                 [--set_hashtree_disabled_flag]

optional arguments:
  -h, --help            show this help message and exit
  --output OUTPUT       Output file name
  --padding_size NUMBER
                        If non-zero, pads output with NUL bytes so its size is
                        a multiple of NUMBER (default: 0)
  --algorithm ALGORITHM
                        Algorithm to use (default: NONE)
  --key KEY             Path to RSA private key file
  --signing_helper APP  Path to helper used for signing
  --signing_helper_with_files APP
                        Path to helper used for signing using files
  --public_key_metadata KEY_METADATA
                        Path to public key metadata file
  --rollback_index ROLLBACK_INDEX
                        Rollback Index
  --append_to_release_string STR
                        Text to append to release string
  --prop KEY:VALUE      Add property
  --prop_from_file KEY:PATH
                        Add property from file
  --kernel_cmdline CMDLINE
                        Add kernel cmdline
  --setup_rootfs_from_kernel IMAGE, --generate_dm_verity_cmdline_from_hashtree IMAGE
                        Adds kernel cmdline to set up IMAGE
  --include_descriptors_from_image IMAGE
                        Include descriptors from image
  --print_required_libavb_version
                        Don't store the footer - instead calculate the
                        required libavb version for the given options.
  --chain_partition PART_NAME:ROLLBACK_SLOT:KEY_PATH
                        Allow signed integrity-data for partition
  --flags FLAGS         VBMeta flags
  --set_hashtree_disabled_flag
                        Set the HASHTREE_DISABLED flag

Example:

out/host/linux-x86/bin/avbtool make_vbmeta_image \
                                --algorithm SHA256_RSA2048 \
                                --key xxx/testkey_rsa2048.pem \
                                --padding_size 4096 \
                                --rollback_index 1672876800 \
                                --include_descriptors_from_image out/target/product/evb/system.img \
                                --include_descriptors_from_image out/target/product/evb/system_ext.img \
                                --include_descriptors_from_image out/target/product/evb/product.img \
                                --output out/target/product/evb/vbmeta_system.img
out/host/linux-x86/bin/avbtool make_vbmeta_image \
                                --include_descriptors_from_image out/target/product/evb/boot.img \
                                --include_descriptors_from_image out/target/product/evb/vendor_boot.img \
                                --include_descriptors_from_image out/target/product/evb/vendor.img \
                                --include_descriptors_from_image out/target/product/evb/dtbo.img \
                                --chain_partition vbmeta_system:2:out/target/product/evb/obj/avb_chain_keys/vbmeta_system.avbpubkey \
                                --algorithm SHA256_RSA4096 \
                                --key vendor/xxx/common/keytools/veritykey_rsa4096.pem \
                                --padding_size 4096 \
                                --output out/target/product/evb/vbmeta.img
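
An added example (not from the original post or from the avb project): a Python check that decodes the 256-byte vbmeta header written by make_vbmeta_image and reports the settings that the options above control, namely --algorithm left at its NONE default, the HASHTREE_DISABLED flag, and a --rollback_index below a required minimum. The function names parse_vbmeta_header, audit and build_sample and the sample headers are constructed for illustration; the field layout is that of libavb's AvbVBMetaImageHeader.

```python
import struct

# AvbVBMetaImageHeader, 256 bytes big-endian (field order as in libavb).
HEADER = struct.Struct("!4s2L2QL2Q2Q2Q2Q2QQLL47sx80x")
ALGORITHMS = {0: "NONE", 1: "SHA256_RSA2048", 2: "SHA256_RSA4096",
              3: "SHA256_RSA8192", 4: "SHA512_RSA2048",
              5: "SHA512_RSA4096", 6: "SHA512_RSA8192"}
FLAG_HASHTREE_DISABLED = 1 << 0      # what --set_hashtree_disabled_flag sets
FLAG_VERIFICATION_DISABLED = 1 << 1

def parse_vbmeta_header(blob):
    """Decode the fixed header at the start of a vbmeta image."""
    if len(blob) < HEADER.size:
        raise ValueError("shorter than the 256-byte vbmeta header")
    f = HEADER.unpack_from(blob)
    if f[0] != b"AVB0":
        raise ValueError("bad magic, not a vbmeta struct")
    return {"algorithm": ALGORITHMS.get(f[5], "UNKNOWN(%d)" % f[5]),
            "signature_size": f[9],
            "rollback_index": f[16],
            "flags": f[17],
            "release_string": f[19].rstrip(b"\0").decode("ascii", "replace")}

def audit(hdr, min_rollback_index=0):
    """List header settings that weaken verification of a release image."""
    findings = []
    if hdr["algorithm"] == "NONE" or hdr["signature_size"] == 0:
        findings.append("unsigned (algorithm NONE is the avbtool default)")
    if hdr["flags"] & FLAG_HASHTREE_DISABLED:
        findings.append("HASHTREE_DISABLED flag set")
    if hdr["flags"] & FLAG_VERIFICATION_DISABLED:
        findings.append("VERIFICATION_DISABLED flag set")
    if hdr["rollback_index"] < min_rollback_index:
        findings.append("rollback_index %d below minimum %d"
                        % (hdr["rollback_index"], min_rollback_index))
    return findings

def build_sample(algorithm, rollback_index, flags):
    """Constructed header for this demo only; offsets and sizes are dummies."""
    sig_size = {0: 0, 1: 256, 2: 512}[algorithm]
    return HEADER.pack(b"AVB0", 1, 0, 0, 0, algorithm, 0, 0, 0, sig_size,
                       0, 0, 0, 0, 0, 0, rollback_index, flags, 0,
                       b"avbtool 1.1.0")

if __name__ == "__main__":
    samples = {"signed": build_sample(1, 1672876800, 0),
               "unsigned": build_sample(0, 0, FLAG_HASHTREE_DISABLED)}
    for name, blob in samples.items():
        hdr = parse_vbmeta_header(blob)
        print(name, hdr["algorithm"], audit(hdr, min_rollback_index=1672876800))
```

In a standalone vbmeta.img the header sits at offset 0, so the first 256 bytes of the file can be passed in directly. Images processed with add_hash_footer carry their vbmeta struct near the end of the partition, located through the footer, which this example does not parse.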

avbtool add_hash_footer

Command and parameter description:

$ ./avbtool add_hash_footer -h
usage: avbtool add_hash_footer [-h] [--image IMAGE]
                               [--partition_size PARTITION_SIZE]
                               [--partition_name PARTITION_NAME]
                               [--hash_algorithm HASH_ALGORITHM] [--salt SALT]
                               [--calc_max_image_size]
                               [--output_vbmeta_image OUTPUT_VBMETA_IMAGE]
                               [--do_not_append_vbmeta_image]
                               [--algorithm ALGORITHM] [--key KEY]
                               [--signing_helper APP]
                               [--signing_helper_with_files APP]
                               [--public_key_metadata KEY_METADATA]
                               [--rollback_index ROLLBACK_INDEX]
                               [--append_to_release_string STR]
                               [--prop KEY:VALUE] [--prop_from_file KEY:PATH]
                               [--kernel_cmdline CMDLINE]
                               [--setup_rootfs_from_kernel IMAGE]
                               [--include_descriptors_from_image IMAGE]
                               [--print_required_libavb_version]
                               [--chain_partition PART_NAME:ROLLBACK_SLOT:KEY_PATH]
                               [--flags FLAGS] [--set_hashtree_disabled_flag]
                               [--use_persistent_digest] [--do_not_use_ab]

optional arguments:
  -h, --help            show this help message and exit
  --image IMAGE         Image to add hashes to
  --partition_size PARTITION_SIZE
                        Partition size
  --partition_name PARTITION_NAME
                        Partition name
  --hash_algorithm HASH_ALGORITHM
                        Hash algorithm to use (default: sha256)
  --salt SALT           Salt in hex (default: /dev/urandom)
  --calc_max_image_size
                        Don't store the footer - instead calculate the maximum
                        image size leaving enough room for metadata with the
                        given partition size.
  --output_vbmeta_image OUTPUT_VBMETA_IMAGE
                        Also write vbmeta struct to file
  --do_not_append_vbmeta_image
                        Do not append vbmeta struct or footer to the image
  --algorithm ALGORITHM
                        Algorithm to use (default: NONE)
  --key KEY             Path to RSA private key file
  --signing_helper APP  Path to helper used for signing
  --signing_helper_with_files APP
                        Path to helper used for signing using files
  --public_key_metadata KEY_METADATA
                        Path to public key metadata file
  --rollback_index ROLLBACK_INDEX
                        Rollback Index
  --append_to_release_string STR
                        Text to append to release string
  --prop KEY:VALUE      Add property
  --prop_from_file KEY:PATH
                        Add property from file
  --kernel_cmdline CMDLINE
                        Add kernel cmdline
  --setup_rootfs_from_kernel IMAGE, --generate_dm_verity_cmdline_from_hashtree IMAGE
                        Adds kernel cmdline to set up IMAGE
  --include_descriptors_from_image IMAGE
                        Include descriptors from image
  --print_required_libavb_version
                        Don't store the footer - instead calculate the
                        required libavb version for the given options.
  --chain_partition PART_NAME:ROLLBACK_SLOT:KEY_PATH
                        Allow signed integrity-data for partition
  --flags FLAGS         VBMeta flags
  --set_hashtree_disabled_flag
                        Set the HASHTREE_DISABLED flag
  --use_persistent_digest
                        Use a persistent digest on device instead of storing
                        the digest in the descriptor. This cannot be used with
                        A/B so must be combined with --do_not_use_ab when an
                        A/B suffix is expected at runtime.
  --do_not_use_ab       The partition does not use A/B even when an A/B suffix
                        is present. This must not be used for vbmeta or
                        chained partitions.

Example:

out/host/linux-x86/bin/avbtool add_hash_footer \
                                --image out/target/product/evb/dtbo.img \
                                --partition_size 0x01800000 \
                                --partition_name dtbo \
                                --prop com.android.build.dtbo.fingerprint:xxx/evb/evb:11/RD2A.211001.002/xxx:userdebug/test-keys
out/host/linux-x86/bin/avbtool add_hash_footer \
                                --image out/target/product/evb/vendor_boot.img \
                                --partition_size 0x06000000 \
                                --partition_name vendor_boot \
                                --prop com.android.build.vendor_boot.fingerprint:xxx/evb/evb:11/RD2A.211001.002/xxx:userdebug/test-keys
out/host/linux-x86/bin/avbtool add_hash_footer \
                                --image out/target/product/evb/boot.img \
                                --partition_size 0x06000000 \
                                --partition_name boot \
                                --prop com.android.build.boot.fingerprint:xxx/evb/evb:11/RD2A.211001.002/xxx:userdebug/test-keys \
                                --prop com.android.build.boot.os_version:11 \
                                --prop com.android.build.boot.security_patch:2023-01-05

avbtool extract_public_key

Command and parameter description:

$ ./avbtool extract_public_key -h
usage: avbtool extract_public_key [-h] --key KEY --output OUTPUT

optional arguments:
  -h, --help       show this help message and exit
  --key KEY        Path to RSA private key file
  --output OUTPUT  Output file name

Example:

out/host/linux-x86/bin/avbtool extract_public_key \
                                --key external/avb/test/data/testkey_rsa2048.pem \
                                --output out/target/product/evb/boot/obj/avb_chain_keys/vbmeta_system.avbpubkey