Sign bootconfig partitions
We need to verify the bootconfig partitions. Otherwise, attackers can
compose a random bootconfig partition, and use it instead of the
prebuilt ones. Then they would be able to modify the behavior of the VM.
Now, bootconfig partitions are signed using avb just like other
partitions. In addition, disk 1, which holds the bootconfig, has
a new vbmeta partition that has the bootconfig partition as
its chained partition. This vbmeta partition can be used to add more
bootconfig-like partitions in the future.
Bug: 203031847
Test: run microdroid test app
Change-Id: I66c7defd07785fcb13180a368786151bd973cc65
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 274b7ed..44b547e 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -335,25 +335,93 @@
cmd: "cat $(in) > $(out)",
}
+vbmeta {
+ name: "microdroid_vbmeta_bootconfig",
+ partition_name: "vbmeta",
+ private_key: ":avb_testkey_rsa4096",
+ chained_partitions: [
+ {
+ name: "bootconfig",
+ private_key: ":avb_testkey_rsa4096",
+ },
+ ],
+}
+
+// See external/avb/avbtool.py
+// MAX_VBMETA_SIZE=64KB, MAX_FOOTER_SIZE=4KB
+avb_hash_footer_kb = "68"
+
// TODO(b/203031847) sign these bootconfig images using avb
prebuilt_etc {
name: "microdroid_bootconfig_normal",
- src: "bootconfig.normal",
+ src: ":microdroid_bootconfig_normal_gen",
filename: "microdroid_bootconfig.normal",
}
prebuilt_etc {
name: "microdroid_bootconfig_app_debuggable",
- src: "bootconfig.app_debuggable",
+ src: ":microdroid_bootconfig_app_debuggable_gen",
filename: "microdroid_bootconfig.app_debuggable",
}
prebuilt_etc {
name: "microdroid_bootconfig_full_debuggable",
- src: "bootconfig.full_debuggable",
+ src: ":microdroid_bootconfig_full_debuggable_gen",
filename: "microdroid_bootconfig.full_debuggable",
}
+// TODO(jiyong): make a new module type that does the avb signing
+genrule {
+ name: "microdroid_bootconfig_normal_gen",
+ tools: ["avbtool"],
+ srcs: [
+ "bootconfig.normal",
+ ":avb_testkey_rsa4096",
+ ],
+ out: ["microdroid_bootconfig.normal"],
+ cmd: "cp $(location bootconfig.normal) $(out) && " +
+ "$(location avbtool) add_hash_footer " +
+ "--algorithm SHA256_RSA4096 " +
+ "--partition_name bootconfig " +
+ "--key $(location :avb_testkey_rsa4096) " +
+ "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
+ "--image $(out)",
+}
+
+genrule {
+ name: "microdroid_bootconfig_app_debuggable_gen",
+ tools: ["avbtool"],
+ srcs: [
+ "bootconfig.app_debuggable",
+ ":avb_testkey_rsa4096",
+ ],
+ out: ["microdroid_bootconfig.app_debuggable"],
+ cmd: "cp $(location bootconfig.app_debuggable) $(out) && " +
+ "$(location avbtool) add_hash_footer " +
+ "--algorithm SHA256_RSA4096 " +
+ "--partition_name bootconfig " +
+ "--key $(location :avb_testkey_rsa4096) " +
+ "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
+ "--image $(out)",
+}
+
+genrule {
+ name: "microdroid_bootconfig_full_debuggable_gen",
+ tools: ["avbtool"],
+ srcs: [
+ "bootconfig.full_debuggable",
+ ":avb_testkey_rsa4096",
+ ],
+ out: ["microdroid_bootconfig.full_debuggable"],
+ cmd: "cp $(location bootconfig.full_debuggable) $(out) && " +
+ "$(location avbtool) add_hash_footer " +
+ "--algorithm SHA256_RSA4096 " +
+ "--partition_name bootconfig " +
+ "--key $(location :avb_testkey_rsa4096) " +
+ "--partition_size $$(( " + avb_hash_footer_kb + " * 1024 + ( $$(stat --format=%s $(out)) + 4096 - 1 ) / 4096 * 4096 )) " +
+ "--image $(out)",
+}
+
prebuilt_etc {
name: "microdroid_fstab",
src: "fstab.microdroid",
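Review bot: The context comment `// TODO(b/203031847) sign these bootconfig images using avb` above the three prebuilt_etc modules is now stale, since the `*_gen` genrules added below this hunk do exactly that; replace it with `// Signed with avb by the *_gen genrules below; chained from microdroid_vbmeta_bootconfig.` so the comment does not contradict the code. Separately, every signing step in this hunk (the vbmeta module and the three `add_hash_footer` commands) uses `:avb_testkey_rsa4096`, which by its name is a test key, so the origin guarantee described in the commit message holds only as long as the verifier pins exactly this key; if that matches how the other microdroid partitions are signed today, a one-line comment next to the vbmeta module noting that a production key is pending would keep that limitation visible to the next maintainer. The hunk opens inside the module preceding `vbmeta` and closes inside the `microdroid_fstab` prebuilt_etc, so both boundaries are outside the view.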
@@ -375,10 +443,6 @@
filename: "microdroid_bootloader",
}
-// See external/avb/avbtool.py
-// MAX_VBMETA_SIZE=64KB, MAX_FOOTER_SIZE=4KB
-avb_hash_footer_kb = "68"
-
// TODO(b/193504286) remove this when prebuilt bootloader exposes pubkey as well.
genrule {
name: "microdroid_bootloader_gen",