From ae58cd7b39207175c8696d7bf38321b1a4c9957a Mon Sep 17 00:00:00 2001 From: Mattijs Korpershoek Date: Wed, 8 Jan 2025 15:38:41 +0100 Subject: bootstd: android: Add missing NULL in the avb partition list When booting an Android build with AVB enabled, it's still possible to deactivate the check for development purposes if the bootloader state is UNLOCKED. This is very useful for development and can be done at flashing time via: $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img However, with bootmeth_android, we cannot boot this way: Scanning bootdev 'mmc@fa10000.bootdev': 0 android ready mmc 0 mmc@fa10000.bootdev.whole ** Booting bootflow 'mmc@fa10000.bootdev.whole' with android avb_vbmeta_image.c:188: ERROR: Hash does not match! avb_slot_verify.c:732: ERROR: vbmeta_a: Error verifying vbmeta image: HASH_MISMATCH get_partition: can't find partition '_a' avb_slot_verify.c:496: ERROR: _a: Error determining partition size. Verification failed, reason: I/O error occurred while trying to load data Boot failed (err=-5) No more bootdevs From the logs we can see that avb tries to read a partition named '_a'. It's doing so because the last element of requested_partitions implicitly is '\0', but the doc explicitly request it to be NULL instead. Add NULL as last element to requested_partitions to avoid this problem. Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android") Reviewed-by: Julien Masson Link: https://lore.kernel.org/r/20250108-avb-disable-verif-v2-1-ba7d3b0d5b6a@baylibre.com Signed-off-by: Mattijs Korpershoek --- boot/bootmeth_android.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'boot/bootmeth_android.c') diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c index d8c92b44a99..4ce89d5bcef 100644 --- a/boot/bootmeth_android.c +++ b/boot/bootmeth_android.c @@ -422,7 +422,7 @@ static int run_avb_verification(struct bootflow *bflow) { struct blk_desc *desc = dev_get_uclass_plat(bflow->blk); struct android_priv *priv = bflow->bootmeth_priv; - const char * const requested_partitions[] = {"boot", "vendor_boot"}; + const char * const requested_partitions[] = {"boot", "vendor_boot", NULL}; struct AvbOps *avb_ops; AvbSlotVerifyResult result; AvbSlotVerifyData *out_data; -- cgit v1.2.3 From 6745cbed6edc06fae7fbc4b360e39c3963d57b13 Mon Sep 17 00:00:00 2001 From: Mattijs Korpershoek Date: Wed, 8 Jan 2025 15:38:42 +0100 Subject: bootstd: android: Allow boot with AVB failures when unlocked When the bootloader is UNLOCKED, it should be possible to boot Android even if AVB reports verification errors [1]. This allows developers to flash modified partitions on userdebug/engineering builds. Developers can do so on unlocked devices with: $ fastboot flash --disable-verity --disable-verification vbmeta vbmeta.img In such case, bootmeth_android refuses to boot. Allow the boot to continue when the device is UNLOCKED and AVB reports verification errors. [1] https://source.android.com/docs/security/features/verifiedboot/boot-flow#unlocked-devices Fixes: 125d9f3306ea ("bootstd: Add a bootmeth for Android") Reviewed-by: Julien Masson Link: https://lore.kernel.org/r/20250108-avb-disable-verif-v2-2-ba7d3b0d5b6a@baylibre.com Signed-off-by: Mattijs Korpershoek --- boot/bootmeth_android.c | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) (limited to 'boot/bootmeth_android.c') diff --git a/boot/bootmeth_android.c b/boot/bootmeth_android.c index 4ce89d5bcef..a5a86b29d7f 100644 --- a/boot/bootmeth_android.c +++ b/boot/bootmeth_android.c @@ -450,17 +450,26 @@ static int run_avb_verification(struct bootflow *bflow) AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE, &out_data); - if (result != AVB_SLOT_VERIFY_RESULT_OK) { - printf("Verification failed, reason: %s\n", - str_avb_slot_error(result)); - avb_slot_verify_data_free(out_data); - return log_msg_ret("avb verify", -EIO); - } - - if (unlocked) - boot_state = AVB_ORANGE; - else + if (!unlocked) { + /* When device is locked, we only accept AVB_SLOT_VERIFY_RESULT_OK */ + if (result != AVB_SLOT_VERIFY_RESULT_OK) { + printf("Verification failed, reason: %s\n", + str_avb_slot_error(result)); + avb_slot_verify_data_free(out_data); + return log_msg_ret("avb verify", -EIO); + } boot_state = AVB_GREEN; + } else { + /* When device is unlocked, we also accept verification errors */ + if (result != AVB_SLOT_VERIFY_RESULT_OK && + result != AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION) { + printf("Unlocked verification failed, reason: %s\n", + str_avb_slot_error(result)); + avb_slot_verify_data_free(out_data); + return log_msg_ret("avb verify unlocked", -EIO); + } + boot_state = AVB_ORANGE; + } extra_args = avb_set_state(avb_ops, boot_state); if (extra_args) { @@ -470,9 +479,11 @@ static int run_avb_verification(struct bootflow *bflow) goto free_out_data; } - ret = avb_append_commandline(bflow, out_data->cmdline); - if (ret < 0) - goto free_out_data; + if (result == AVB_SLOT_VERIFY_RESULT_OK) { + ret = avb_append_commandline(bflow, out_data->cmdline); + if (ret < 0) + goto free_out_data; + } return 0; -- cgit v1.2.3