u-boot/doc/README.avb2

1 Android Verified Boot 2.0
4 Boot 2.0 in U-boot
7 ---------------------------------
8 Verified Boot establishes a chain of trust from the bootloader to system images
10   - Android Boot image: Linux kernel + ramdisk. RAW hashing of the whole
13   - system/vendor partitions: verifying root hash of dm-verity hashtrees.
16 Integrity of the bootloader (U-boot BLOB and environment) is out of scope.
21 1.1. AVB using OP-TEE (optional)
22 ---------------------------------
23 If AVB is configured to use OP-TEE (see 4. below) rollback indexes and
25 OP-TEE (https://www.op-tee.org/) which is a secure OS leveraging ARM
29 2. AVB 2.0 U-BOOT SHELL COMMANDS
30 -----------------------------------
34 avb init <dev> - initialize avb 2.0 for <dev>
35 avb verify - run verification process using hash data from vbmeta structure
36 avb read_rb <num> - read rollback index at location <num>
37 avb write_rb <num> <rb> - write rollback index <rb> to <num>
38 avb is_unlocked - returns unlock status of the device
39 avb get_uuid <partname> - read and print uuid of partition <partname>
40 avb read_part <partname> <offset> <num> <addr> - read <num> bytes from
42 avb write_part <partname> <offset> <num> <addr> - write <num> bytes to
46 3. PARTITIONS TAMPERING (EXAMPLE)
47 -----------------------------------
48 Boot or system/vendor (dm-verity metadata section) is tampered:
51 avb_slot_verify.c:175: ERROR: boot: Hash of data does not match digest in
65 -----------------------------------
72 OP-TEE:
78 Then add `avb verify` invocation to your android boot sequence of commands,
83         echo AVB verification OK. Continue boot; \
91        echo Trying to boot Android from eMMC ...;       \
104 BOARD_BOOTIMAGE_PARTITION_SIZE := <boot partition size>
106 After flashing U-boot don't forget to update environment and write new
108 => env default -f -a
109 => setenv partitions $partitions_android