Clone this repo:

Branches

  1. 6007428 [avb] Add README.md by Jocelyn Bohr · 2 months ago master
  2. f78afdf Add method to lock the boot state by Jocelyn Bohr · 7 months ago
  3. 051479d Add support to handle device lock state by Jocelyn Bohr · 8 months ago
  4. 70a1259 Add support to delete files from secure storage abstraction. by Jocelyn Bohr · 8 months ago
  5. 86cbb67 Handle requests to read and write permanent product attributes by Jocelyn Bohr · 8 months ago

AVB resource manager

The AVB (Android Verified Boot) resource manager is intended to provide tamper proof storage for data used by libavb. This includes the verified boot lock state, stored rollback index values, and ATX (Android Things eXtension) permanent attributes.

Operations

Reading/Writing Stored Rollback Indexes

Rollback indexes are strictly increasing, and any request to write a value to a rollback index that is smaller than the existing value will fail. A mask (0xF000) is used to map a rollback index to a file, and a file may contain a maximum of 32 rollback indexes. For example, 0xF01F and 0x0001 are valid values for the rollback index, but 0x10000 and 0x0020 are not.

Reading/Writing Verified Boot Lock State

If the lock state is 1, or LOCKED, then verification errors are fatal, and booting MUST fail. If the lock state is 0, or UNLOCKED, the device may boot even when verification fails. When the device changes lock state, all stored rollback indexes are cleared.

Reading/Writing ATX Permanent Attributes

A hash of the attributes MUST be stored in write-once fuses. Once this is written, any subsequent requests to write it will fail. Attributes are stored as an opaque buffer and parsed by the bootloader.

Locking Boot State

Once the AVB resource manager receives a LOCK_BOOT_STATE request, all requests to write to resources will fail until the next reboot. This should be called after libavb has acquired all necessary resources, and before the bootloader passes control to the HLOS. This prevents a compromised HLOS from tampering with AVB resources.

Client Code

Since libavb is executed by the bootloader, the non-secure side API that makes requests to the AVB resource manager is located here.