From f744f4b3cfee095ccb99f7e8492056fe2ccf8493 Mon Sep 17 00:00:00 2001
From: bengris32
Date: Wed, 19 Jul 2023 09:46:32 +0100
Subject: [PATCH] X6833B: Re-configure AVB flags to match stock

* We have a very, very broken bootloader. LK is extremely fussy about our AVB setup, and if either --flags 3 is set (hashtree verification disabled), or the wrong AVB algorithm is used, it will cause the bootloader to crash shortly after loading the boot image, which can be seen from the bootloader logs:
* [1111] [avb] img_auth_required = 0 [1116] invalid pubk size [1116] avb_slot_verify.c[1116] :[1116] 851[1116] : ERROR: [1116] vbmeta_a[1116] : Public key used to sign data rejected. [1370] [AVB20] malloc: heap size not enough [1370] avb_util.c[1370] :[1370] 224[1370] : ERROR: [1370] Failed to allocate memory. [1370] [avb] boot/recovery vfy time = 270 ms [1370] mblock_create mblock start: 0xb0c00000 size: 0x8c00000 name: avb [1371] [avb] avb_ret = 1 [1371] [avb] ret = 0 [6694] panic (caller 0x4822b7f1): ASSERT at (platform/common/boot/boot_info.c:616): g_boot_info.hdr_loaded
* Re-enable hashtree verification and match the AVB algorithm with what MediaTek does on stock. Also create vbmeta images for system, product and vendor partitions since that is done as well. Use test keys for signing to make our lives easier.
* Also change BOARD_AVB_RECOVERY* to BOARD_AVB_BOOT*, AVB recovery flags are no-ops on A/B devices since the recovery ramdisk is in the boot image, so we should be enabling chained vbmeta for boot instead.
Change-Id: I66c03f819178d00db956095e835e8e304ab1aab7
Signed-off-by: bengris32
Signed-off-by: dodyirawan85 <40514988+dodyirawan85@users.noreply.github.com>
---
 BoardConfig.mk | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/BoardConfig.mk b/BoardConfig.mk
index ea8a002..bc69d0f 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -115,11 +115,25 @@ VENDOR_SECURITY_PATCH := 2023-10-05
 # Verified Boot
 BOARD_AVB_ENABLE := true
-BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 3
-BOARD_AVB_RECOVERY_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
-BOARD_AVB_RECOVERY_ALGORITHM := SHA256_RSA4096
-BOARD_AVB_RECOVERY_ROLLBACK_INDEX := 1
-BOARD_AVB_RECOVERY_ROLLBACK_INDEX_LOCATION := 1
+BOARD_AVB_ALGORITHM := SHA256_RSA2048
+BOARD_AVB_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
+
+BOARD_AVB_BOOT_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
+BOARD_AVB_BOOT_ALGORITHM := SHA256_RSA2048
+BOARD_AVB_BOOT_ROLLBACK_INDEX := 1
+BOARD_AVB_BOOT_ROLLBACK_INDEX_LOCATION := 1
+
+BOARD_AVB_VBMETA_SYSTEM := product system
+BOARD_AVB_VBMETA_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
+BOARD_AVB_VBMETA_SYSTEM_ALGORITHM := SHA256_RSA2048
+BOARD_AVB_VBMETA_SYSTEM_ROLLBACK_INDEX := 1
+BOARD_AVB_VBMETA_SYSTEM_ROLLBACK_INDEX_LOCATION := 2
+
+BOARD_AVB_VBMETA_VENDOR := vendor
+BOARD_AVB_VBMETA_VENDOR_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
+BOARD_AVB_VBMETA_VENDOR_ALGORITHM := SHA256_RSA2048
+BOARD_AVB_VBMETA_VENDOR_ROLLBACK_INDEX := 1
+BOARD_AVB_VBMETA_VENDOR_ROLLBACK_INDEX_LOCATION := 3
 # VNDK
 BOARD_VNDK_VERSION := current
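Review bot: Every key path added under `# Verified Boot` (`BOARD_AVB_KEY_PATH` and the `BOOT`, `VBMETA_SYSTEM` and `VBMETA_VENDOR` variants) points at `external/avb/test/data/testkey_rsa2048.pem`, whose private half is published in the AVB source tree. The resulting signatures therefore keep the bootloader's format checks satisfied but say nothing about who built an image. The commit message explains that this and the move to `SHA256_RSA2048` are deliberate, but BoardConfig.mk itself records neither, so a later cleanup could restore `--flags 3` or a 4096-bit key and reintroduce the crash. I would add above `BOARD_AVB_ALGORITHM` the comments `# LK crashes unless hashtree verification stays enabled and the algorithm matches stock (SHA256_RSA2048).` and `# Public AVB test keys: these signatures give integrity checks only, not authenticity.` If release builds are ever signed with a private key, assigning the key paths with `?=` would let the build environment override them without editing this file.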