From patchwork Wed Apr 25 13:17:57 2018
X-Patchwork-Submitter: Igor Opaniuk
X-Patchwork-Id: 904232
From: Igor Opaniuk
To: u-boot@lists.denx.de
Cc: trini@konsulko.com, praneeth@ti.com, misael.lopez@ti.com, joakim.bech@linaro.org
Date: Wed, 25 Apr 2018 16:17:57 +0300
Message-Id: <1524662285-19617-1-git-send-email-igor.opaniuk@linaro.org>
Subject: [U-Boot] [PATCH 0/8] Initial integration of AVB2.0
List-Id: U-Boot discussion

This series of patches introduces support of
Android Verified Boot 2.0, which provides integrity checking of Android
partitions on MMC. It integrates libavb/libavb_ab into U-Boot, provides
an implementation of AvbOps and a subset of `avb` commands to run the
verification chain (and for debugging purposes), and it enables AVB2.0
verification on the AM57xx HS SoC by default.

Currently, there is still no support for verification of A/B boot slots
and no rollback protection (for storing rollback indexes there are plans
to use eMMC RPMB).

Libavb/libavb_ab will deviate from AOSP upstream in the future; that is
why a minimal amount of changes was introduced into the lib sources, so
checkpatch may fail.

For additional details, check the AVB 2.0 README [1] and doc/README.avb2,
which is part of this patchset.

[1] https://android.googlesource.com/platform/external/avb/+/master/README.md

Igor Opaniuk (8):
  avb2.0: add Android Verified Boot 2.0 libraries
  avb2.0: integrate avb 2.0 into the build system
  avb2.0: implement AVB ops
  cmd: avb2.0: avb command for performing verification
  avb2.0: add boot states and dm-verity support
  am57xx_hs: avb2.0: add support of AVB 2.0
  test/py: avb2.0: add tests for avb commands
  doc: avb2.0: add README about AVB2.0 integration

 cmd/Kconfig                                  |   15 +
 cmd/Makefile                                 |    3 +
 cmd/avb.c                                    |  366 ++++++++
 common/Makefile                              |    2 +
 common/avb_verify.c                          |  748 ++++++++++++++++
 configs/am57xx_hs_evm_defconfig              |    3 +
 doc/README.avb2                              |  100 +++
 include/avb/avb_ab_flow.h                    |  235 ++++++
 include/avb/avb_ab_ops.h                     |   61 ++
 include/avb/avb_chain_partition_descriptor.h |   54 ++
 include/avb/avb_crypto.h                     |  147 ++++
 include/avb/avb_descriptor.h                 |  113 +++
 include/avb/avb_footer.h                     |   68 ++
 include/avb/avb_hash_descriptor.h            |   55 ++
 include/avb/avb_hashtree_descriptor.h        |   65 ++
 include/avb/avb_kernel_cmdline_descriptor.h  |   63 ++
 include/avb/avb_ops.h                        |  196 +++++
 include/avb/avb_property_descriptor.h        |   89 ++
 include/avb/avb_rsa.h                        |   55 ++
 include/avb/avb_sha.h                        |   72 ++
 include/avb/avb_slot_verify.h                |  239 ++++++
 include/avb/avb_sysdeps.h                    |   97 +++
 include/avb/avb_util.h                       |  259 ++++++
 include/avb/avb_vbmeta_image.h               |  272 ++++++
 include/avb/avb_version.h                    |   45 +
 include/avb/libavb.h                         |   32 +
 include/avb/libavb_ab.h                      |   22 +
 include/avb_verify.h                         |   97 +++
 include/configs/am57xx_evm.h                 |   11 +
 include/environment/ti/boot.h                |   15 +
 lib/Kconfig                                  |   20 +
 lib/Makefile                                 |    2 +
 lib/libavb/Makefile                          |   15 +
 lib/libavb/avb_chain_partition_descriptor.c  |   46 +
 lib/libavb/avb_crypto.c                      |  355 ++++++++
 lib/libavb/avb_descriptor.c                  |  142 ++++
 lib/libavb/avb_footer.c                      |   36 +
 lib/libavb/avb_hash_descriptor.c             |   43 +
 lib/libavb/avb_hashtree_descriptor.c         |   51 ++
 lib/libavb/avb_kernel_cmdline_descriptor.c   |   40 +
 lib/libavb/avb_property_descriptor.c         |  167 ++++
 lib/libavb/avb_rsa.c                         |  277 ++++++
 lib/libavb/avb_sha256.c                      |  364 ++++++++
 lib/libavb/avb_sha512.c                      |  362 ++++++++
 lib/libavb/avb_slot_verify.c                 | 1169 ++++++++++++++++++++++++++
 lib/libavb/avb_sysdeps_posix.c               |   57 ++
 lib/libavb/avb_util.c                        |  385 +++++++++
 lib/libavb/avb_vbmeta_image.c                |  290 +++++++
 lib/libavb/avb_version.c                     |   16 +
 lib/libavb_ab/Makefile                       |    9 +
 lib/libavb_ab/avb_ab_flow.c                  |  502 +++++++++++
 test/py/tests/test_avb.py                    |  111 +++
 52 files changed, 8058 insertions(+)
 create mode 100644 cmd/avb.c
 create mode 100644 common/avb_verify.c
 create mode 100644 doc/README.avb2
 create mode 100644 include/avb/avb_ab_flow.h
 create mode 100644 include/avb/avb_ab_ops.h
 create mode 100644 include/avb/avb_chain_partition_descriptor.h
 create mode 100644 include/avb/avb_crypto.h
 create mode 100644 include/avb/avb_descriptor.h
 create mode 100644 include/avb/avb_footer.h
 create mode 100644 include/avb/avb_hash_descriptor.h
 create mode 100644 include/avb/avb_hashtree_descriptor.h
 create mode 100644 include/avb/avb_kernel_cmdline_descriptor.h
 create mode 100644 include/avb/avb_ops.h
 create mode 100644 include/avb/avb_property_descriptor.h
 create mode 100644 include/avb/avb_rsa.h
 create mode 100644 include/avb/avb_sha.h
 create mode 100644 include/avb/avb_slot_verify.h
 create mode 100644 include/avb/avb_sysdeps.h
 create mode 100644 include/avb/avb_util.h
 create mode 100644 include/avb/avb_vbmeta_image.h
 create mode 100644 include/avb/avb_version.h
 create mode 100644 include/avb/libavb.h
 create mode 100644 include/avb/libavb_ab.h
 create mode 100644 include/avb_verify.h
 create mode 100644 lib/libavb/Makefile
 create mode 100644 lib/libavb/avb_chain_partition_descriptor.c
 create mode 100644 lib/libavb/avb_crypto.c
 create mode 100644 lib/libavb/avb_descriptor.c
 create mode 100644 lib/libavb/avb_footer.c
 create mode 100644 lib/libavb/avb_hash_descriptor.c
 create mode 100644 lib/libavb/avb_hashtree_descriptor.c
 create mode 100644 lib/libavb/avb_kernel_cmdline_descriptor.c
 create mode 100644 lib/libavb/avb_property_descriptor.c
 create mode 100644 lib/libavb/avb_rsa.c
 create mode 100644 lib/libavb/avb_sha256.c
 create mode 100644 lib/libavb/avb_sha512.c
 create mode 100644 lib/libavb/avb_slot_verify.c
 create mode 100644 lib/libavb/avb_sysdeps_posix.c
 create mode 100644 lib/libavb/avb_util.c
 create mode 100644 lib/libavb/avb_vbmeta_image.c
 create mode 100644 lib/libavb/avb_version.c
 create mode 100644 lib/libavb_ab/Makefile
 create mode 100644 lib/libavb_ab/avb_ab_flow.c
 create mode 100644 test/py/tests/test_avb.py
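The cover letter above describes what the series verifies (vbmeta images on MMC) and what it does not yet do (rollback protection, with eMMC RPMB planned for the stored indexes). The following is an added example, written for this page and not taken from the patch series or from libavb, showing the two pieces that such a rollback check hangs on: parsing the fixed 256-byte vbmeta image header (magic, libavb version, block sizes, rollback index) with the bounds checks an untrusted on-disk structure needs, and then comparing the image's rollback index against the index a device would hold in tamper-resistant storage. The field offsets are my reading of libavb's AvbVBMetaImageHeader layout (big-endian, packed) and should be confirmed against include/avb/avb_vbmeta_image.h from the series; the header bytes, the `vbmeta_*` function names and the release string are constructed for the example. It does no signature verification: in a real boot flow the rollback comparison is only meaningful after the header's signature has been checked.

```c
/*
 * Added example: not code from this patch series or from libavb.
 * Field offsets follow the AvbVBMetaImageHeader layout as understood
 * by the author of this example (big-endian, packed, 256 bytes);
 * confirm against include/avb/avb_vbmeta_image.h before relying on them.
 * Signature verification is deliberately out of scope here.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VBMETA_HEADER_SIZE 256u
#define VBMETA_MAGIC "AVB0"
#define VBMETA_MAX_MAJOR 1u /* libavb major version this parser accepts (assumption) */

/* Byte offsets of the header fields used below (all big-endian). */
enum {
	OFF_MAGIC = 0,
	OFF_MAJOR = 4,
	OFF_MINOR = 8,
	OFF_AUTH_SIZE = 12,  /* authentication_data_block_size, u64 */
	OFF_AUX_SIZE = 20,   /* auxiliary_data_block_size, u64 */
	OFF_ALGORITHM = 28,  /* algorithm_type, u32 */
	OFF_ROLLBACK = 112,  /* rollback_index, u64 */
	OFF_FLAGS = 120,     /* flags, u32 */
	OFF_RELEASE = 128,   /* release_string, 48 bytes */
};

enum vbmeta_result {
	VBMETA_OK = 0,
	VBMETA_ERR_SIZE,     /* buffer too small, or declared blocks overflow it */
	VBMETA_ERR_MAGIC,
	VBMETA_ERR_VERSION,  /* image needs a newer libavb than we implement */
	VBMETA_ERR_ROLLBACK, /* image is older than the stored index */
};

struct vbmeta_hdr {
	uint32_t major, minor;
	uint64_t auth_size, aux_size;
	uint32_t algorithm;
	uint64_t rollback_index;
	uint32_t flags;
	char release[49];    /* NUL-terminated copy of release_string */
};

static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | p[3];
}

static uint64_t be64(const uint8_t *p)
{
	return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

static void put_be32(uint8_t *p, uint32_t v)
{
	p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

static void put_be64(uint8_t *p, uint64_t v)
{
	put_be32(p, (uint32_t)(v >> 32));
	put_be32(p + 4, (uint32_t)v);
}

/* Parse and sanity-check the fixed header; never trusts sizes from the image. */
int vbmeta_parse_header(const uint8_t *buf, size_t len, struct vbmeta_hdr *h)
{
	if (len < VBMETA_HEADER_SIZE)
		return VBMETA_ERR_SIZE;
	if (memcmp(buf + OFF_MAGIC, VBMETA_MAGIC, 4) != 0)
		return VBMETA_ERR_MAGIC;

	h->major = be32(buf + OFF_MAJOR);
	h->minor = be32(buf + OFF_MINOR);
	if (h->major > VBMETA_MAX_MAJOR)
		return VBMETA_ERR_VERSION;

	h->auth_size = be64(buf + OFF_AUTH_SIZE);
	h->aux_size = be64(buf + OFF_AUX_SIZE);
	/* Bounds check ordered so the subtractions cannot wrap. */
	if (h->auth_size > len - VBMETA_HEADER_SIZE ||
	    h->aux_size > len - VBMETA_HEADER_SIZE - h->auth_size)
		return VBMETA_ERR_SIZE;

	h->algorithm = be32(buf + OFF_ALGORITHM);
	h->rollback_index = be64(buf + OFF_ROLLBACK);
	h->flags = be32(buf + OFF_FLAGS);
	memcpy(h->release, buf + OFF_RELEASE, 48);
	h->release[48] = '\0';
	return VBMETA_OK;
}

/*
 * Anti-rollback rule: boot only if the image's index is >= the index
 * recorded in tamper-resistant storage (eMMC RPMB in the cover letter's
 * plan). Equal is allowed; a lower value is a downgrade and is refused.
 */
int vbmeta_check_rollback(uint64_t image_index, uint64_t stored_index)
{
	return image_index >= stored_index ? VBMETA_OK : VBMETA_ERR_ROLLBACK;
}

/* Constructed test header: magic, version 1.0, empty auth/aux blocks. */
void vbmeta_build_test_header(uint8_t *buf, uint64_t rollback_index, int corrupt_magic)
{
	memset(buf, 0, VBMETA_HEADER_SIZE);
	memcpy(buf + OFF_MAGIC, corrupt_magic ? "XVB0" : VBMETA_MAGIC, 4);
	put_be32(buf + OFF_MAJOR, 1);
	put_be32(buf + OFF_MINOR, 0);
	put_be64(buf + OFF_ROLLBACK, rollback_index);
	memcpy(buf + OFF_RELEASE, "avbtool example", 15); /* constructed */
}

/* Build, parse and rollback-check in one call; len is clamped to the buffer. */
int vbmeta_demo(uint64_t image_index, uint64_t stored_index, int corrupt_magic, size_t len)
{
	uint8_t buf[VBMETA_HEADER_SIZE];
	struct vbmeta_hdr h;
	int rc;

	if (len > sizeof(buf))
		len = sizeof(buf);
	vbmeta_build_test_header(buf, image_index, corrupt_magic);
	rc = vbmeta_parse_header(buf, len, &h);
	if (rc != VBMETA_OK)
		return rc;
	return vbmeta_check_rollback(h.rollback_index, stored_index);
}

int main(void)
{
	printf("same index     -> %d (expect 0)\n", vbmeta_demo(5, 5, 0, 256));
	printf("newer image    -> %d (expect 0)\n", vbmeta_demo(7, 5, 0, 256));
	printf("downgrade      -> %d (expect %d)\n", vbmeta_demo(4, 5, 0, 256), VBMETA_ERR_ROLLBACK);
	printf("bad magic      -> %d (expect %d)\n", vbmeta_demo(5, 5, 1, 256), VBMETA_ERR_MAGIC);
	printf("short buffer   -> %d (expect %d)\n", vbmeta_demo(5, 5, 0, 100), VBMETA_ERR_SIZE);
	return 0;
}
```

Two points worth carrying over into a real implementation: the size check subtracts in an order that cannot wrap even with attacker-chosen 64-bit block sizes, and the rollback comparison uses "greater or equal", so re-flashing the currently installed image still boots while any image with a smaller index is refused; the stored index must only ever be raised after a successful verification, which is what makes RPMB (write-authenticated, replay-protected) the right home for it.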