X6833B: Re-configure AVB flags to match stock

* We have a very, very broken bootloader. LK is extremely
  fussy about our AVB setup, and if either --flags 3 is set
  (hashtree verification disabled), or the wrong AVB algorithm
  is used, it will cause the bootloader to crash shortly after
  loading the boot image, which can be seen from the bootloader logs:

* [1111] [avb] img_auth_required = 0
  [1116] invalid pubk size
  [1116] avb_slot_verify.c[1116] :[1116] 851[1116] : ERROR: [1116] vbmeta_a[1116] : Public key used to sign data rejected.
  [1370] [AVB20] malloc: heap size not enough
  [1370] avb_util.c[1370] :[1370] 224[1370] : ERROR: [1370] Failed to allocate memory.
  [1370] [avb] boot/recovery vfy time = 270 ms
  [1370] mblock_create mblock start: 0xb0c00000 size: 0x8c00000 name: avb
  [1371] [avb] avb_ret = 1
  [1371] [avb] ret = 0
  [6694] panic (caller 0x4822b7f1): ASSERT at (platform/common/boot/boot_info.c:616): g_boot_info.hdr_loaded

* Re-enable hashtree verification and match the AVB algorithm
  with what MediaTek does on stock. Also create vbmeta images
  for system, product and vendor partitions since that is done
  as well. Use test keys for signing to make our lives easier.

* Also change BOARD_AVB_RECOVERY* to BOARD_AVB_BOOT*. AVB
  recovery flags are no-ops on A/B devices since the recovery
  ramdisk is in the boot image, so we should be enabling
  chained vbmeta for boot instead.

Change-Id: I66c03f819178d00db956095e835e8e304ab1aab7
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Signed-off-by: dodyirawan85 <40514988+dodyirawan85@users.noreply.github.com>
bengris32 2023-07-19 09:46:32 +01:00 committed by dodyirawan85
parent 406ee82a5f
commit f744f4b3cf


@ -115,11 +115,25 @@ VENDOR_SECURITY_PATCH := 2023-10-05
# Verified Boot # Verified Boot
BOARD_AVB_ENABLE := true BOARD_AVB_ENABLE := true
BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 3 BOARD_AVB_ALGORITHM := SHA256_RSA2048
BOARD_AVB_RECOVERY_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem BOARD_AVB_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_RECOVERY_ALGORITHM := SHA256_RSA4096
BOARD_AVB_RECOVERY_ROLLBACK_INDEX := 1 BOARD_AVB_BOOT_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_RECOVERY_ROLLBACK_INDEX_LOCATION := 1 BOARD_AVB_BOOT_ALGORITHM := SHA256_RSA2048
BOARD_AVB_BOOT_ROLLBACK_INDEX := 1
BOARD_AVB_BOOT_ROLLBACK_INDEX_LOCATION := 1
BOARD_AVB_VBMETA_SYSTEM := product system
BOARD_AVB_VBMETA_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_VBMETA_SYSTEM_ALGORITHM := SHA256_RSA2048
BOARD_AVB_VBMETA_SYSTEM_ROLLBACK_INDEX := 1
BOARD_AVB_VBMETA_SYSTEM_ROLLBACK_INDEX_LOCATION := 2
BOARD_AVB_VBMETA_VENDOR := vendor
BOARD_AVB_VBMETA_VENDOR_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_VBMETA_VENDOR_ALGORITHM := SHA256_RSA2048
BOARD_AVB_VBMETA_VENDOR_ROLLBACK_INDEX := 1
BOARD_AVB_VBMETA_VENDOR_ROLLBACK_INDEX_LOCATION := 3
# VNDK # VNDK
BOARD_VNDK_VERSION := current BOARD_VNDK_VERSION := current
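
Review bot: All four *_KEY_PATH lines (BOARD_AVB_KEY_PATH, BOARD_AVB_BOOT_KEY_PATH, BOARD_AVB_VBMETA_SYSTEM_KEY_PATH, BOARD_AVB_VBMETA_VENDOR_KEY_PATH) point at external/avb/test/data/testkey_rsa2048.pem, whose private half ships in the AOSP tree, so the signatures keep LK from crashing but do not authenticate the images to anyone. Please add a comment above BOARD_AVB_ALGORITHM stating that SHA256_RSA2048 and the absence of `--flags 3` are bootloader requirements on this device (the "invalid pubk size" log in the commit message is the evidence), and that the test key is a deliberate choice, so a later cleanup does not revert either. Every *_ROLLBACK_INDEX is also hard-coded to 1; if rollback protection is meant to do anything here, say in the comment why a constant is acceptable or tie the value to the security patch level. The rollback index locations (1, 2, 3) are distinct per chained partition, which is correct.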