• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1page.title=Verifying Boot
2@jd:body
3
4<!--
5    Copyright 2015 The Android Open Source Project
6
7    Licensed under the Apache License, Version 2.0 (the "License");
8    you may not use this file except in compliance with the License.
9    You may obtain a copy of the License at
10
11        http://www.apache.org/licenses/LICENSE-2.0
12
13    Unless required by applicable law or agreed to in writing, software
14    distributed under the License is distributed on an "AS IS" BASIS,
15    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16    See the License for the specific language governing permissions and
17    limitations under the License.
18-->
19<div id="qv-wrapper">
20  <div id="qv">
21    <h2>In this document</h2>
22    <ol id="auto-toc">
23    </ol>
24  </div>
25</div>
26
27<p>Verified boot guarantees the integrity of the device software starting from a
28hardware root of trust up to the system partition. During boot, each stage
29verifies the integrity and authenticity of the next stage before executing it.</p>
30
31<p>This capability can be used to warn users of unexpected changes to the
32software when they acquire a used device, for example. It will also provide an
33additional signal of device integrity for remote attestation, and together with
34encryption and Trusted Execution Environment (TEE) root of trust binding, adds
35another layer of protection for user data against malicious system software.</p>
36
37<p>If verification fails at any stage, the user is visibly
38notified.</p>
39
40<h2 id=glossary>Glossary</h2>
41
42<table>
43  <col width="15%">
44  <col width="85%">
45 <tr>
46    <th>Term</th>
47    <th>Definition</th>
48 </tr>
49 <tr>
50    <td>Boot state</td>
51    <td>The boot state of the device describes the level of protection provided
52        to the end user if the device boots. Boot states are GREEN, YELLOW,
53        ORANGE, and RED.</td>
54 </tr>
55 <tr>
56    <td>Device state</td>
57    <td>The device state indicates how freely software can be flashed to the device.
58        Device states are LOCKED and UNLOCKED.</td>
59 </tr>
60 <tr>
61    <td>dm-verity</td>
62    <td>Linux kernel driver for verifying the integrity of a partition at runtime using
63        a hash tree and signed metadata.</td>
64 </tr>
65 <tr>
66    <td>OEM key</td>
67    <td>The OEM key is a fixed, tamper-protected key available to the bootloader that
68        must be used to verify the boot image.</td>
69 </tr>
70</table>
71
72<h2 id=overview>Overview</h2>
73
74<p>In addition to device state—which already exists in devices and controls
75whether the bootloader allows new software to be flashed—verified boot introduces
76the concept of boot state that indicates the state of device integrity.</p>
77
78<h3 id=classes>Classes</h3>
79
80<p>Two implementation classes exist for verified boot. Depending on how
81fully the device implements this specification, they are defined as follows:</p>
82
83<p><strong>Class A</strong>  implements verified boot with full chain of trust
84up to verified partitions. In other words, the implementation supports the
85LOCKED device state, and GREEN and RED boot states.</p>
86
87<p><strong>Class B</strong> implements Class A, and additionally supports the
88UNLOCKED device state and the ORANGE boot state.</p>
89
90<h3 id=verification_keys>Verification keys</h3>
91
92<p>Bootloader integrity is always verified using a hardware root of trust. For
93verifying boot and recovery partitions, the bootloader has a fixed OEM key
94available to it. It always attempts to verify the boot partition using the OEM
95key first and try other possible keys only if this verification fails.</p>
96
97<p>In Class B implementations, it is possible for the user to flash
98software signed with other keys when the device is UNLOCKED. If the device is
99then LOCKED and verification using the OEM key fails, the bootloader tries
100verification using the certificate embedded in the partition signature.
101However, using a partition signed with anything other than the OEM key
102results in a notification or a warning, as described below.</p>
103
104<h3 id=boot_state>Boot state</h3>
105
106<p>A verified device will ultimately boot into one of the four states during
107each boot attempt:</p>
108
109<ul>
110  <li>GREEN, indicating a full chain of trust extending from the bootloader to
111verified partitions, including the bootloader, boot partition, and all verified
112partitions.
113
114  <li>YELLOW, indicating the boot partition has been verified using the
115embedded certificate, and the signature is valid. The bootloader
116displays a warning and the fingerprint of the public key before allowing
117the boot process to continue.
118
119  <li>ORANGE, indicating a device may be freely modified. Device integrity is
120left to the user to verify out-of-band. The bootloader displays a warning
121to the user before allowing the boot process to continue.
122
123  <li>RED, indicating the device has failed verification. The bootloader
124displays a warning and stops the boot process.
125</ul>
126
127<p>The recovery partition is verified in the exact same way, as well.</p>
128
129<h3 id=device_state>Device state</h3>
130
131<p>The possible device states and their relationship with the four verified
132boot states are:</p>
133<ol>
134  <li>LOCKED, indicating the device cannot be flashed. A LOCKED device
135boots into the GREEN, YELLOW, or RED states during any attempted boot.
136
137  <li>UNLOCKED, indicating the device may be flashed freely and is not intended
138to be verified. An UNLOCKED device always boots to the ORANGE boot state.
139</ol>
140
141<img src="../images/verified_boot.png" alt="Verified boot flow" id="figure1" />
142<p class="img-caption"><strong>Figure 1.</strong> Verified boot flow</p>
143
144<h2 id=detailed_design>Detailed design</h2>
145
146<p>Achieving full chain of trust requires support from both the bootloader and the
147software on the boot partition, which is responsible for mounting further
148partitions. Verification metadata is also appended to the system partition
149and any additional partitions whose integrity should be verified.</p>
150
151<h3 id=bootloader_requirements>Bootloader requirements</h3>
152
153<p>The bootloader is the guardian of the device state and is responsible for
154initializing the TEE and binding its root of trust.</p>
155
156<p>Most importantly, the bootloader verifies the integrity of the boot and/or
157recovery partition before moving execution to the kernel and display the
158warnings specified in the section <a href="#boot_state">Boot state</a>.</p>
159
160<h4 id=changing_device_state>Changing device state</h4>
161
162<p>State changes are performed using the <code>fastboot flashing [unlock |
163lock]</code> command. And to protect user data, <strong>all</strong>
164state transitions wipe the data partitions and ask the user for
165confirmation before data is deleted.</p>
166
167<ol>
168  <li>The UNLOCKED to LOCKED transition is anticipated when a user buys a used
169development device. As a result of locking the device, the user should have
170confidence that it is in a state produced by the device manufacturer, as long
171as there is no warning.
172
173  <li>The LOCKED to UNLOCKED transition is expected in the case where a developer
174wishes to disable verification on the device.
175</ol>
176
177
178<p><code>fastboot</code> commands that alter device state are listed in the table below:</p>
179
180<table>
181  <col width="25%">
182  <col width="75%">
183 <tr>
184    <th><code>fastboot</code> command</th>
185    <th>Description</th>
186 </tr>
187 <tr>
188    <td><code>flashing lock</code></td>
189    <td>
190      <ul>
191        <li>Wipe data after asking the user for confirmation
192        <li>Clear a write-protected bit, readable by the bootloader, indicating
193            the device is unlocked
194      </ul>
195    </td>
196 </tr>
197 <tr>
198    <td><code>flashing unlock</code></td>
199    <td>
200      <ul>
201        <li>If the unlock device setting has not been enabled by the user,
202            abort unlocking
203        <li>Wipe data after asking the user for confirmation
204        <li>Set a write-protected bit, readable by the bootloader, indicating
205            the device is unlocked
206      </ul>
207    </td>
208 </tr>
209</table>
210
211<p>When altering partition contents, the bootloader checks the bits set by
212the above commands as described in the following table:</p>
213
214<table>
215  <col width="25%">
216  <col width="75%">
217 <tr>
218    <th><code>fastboot</code> command</th>
219    <th>Description</th>
220 </tr>
221 <tr>
222    <td><code>flash &lt;partition&gt;</code></td>
223    <td>If the bit set by <code>flashing unlock</code> is set, flash the
224      partition. Otherwise, do not allow flashing.
225    </td>
226 </tr>
227</table>
228
229<p>The same checks should be performed for any <code>fastboot</code> command
230that can be used to change the contents of partitions.</p>
231
232<p class="note"><strong>Note</strong>: Class B implementations support
233changing device state.</p>
234
235<h4 id=binding_tee_root_of_trust>Binding TEE root of trust</h4>
236
237<p>If TEE is available, the bootloader passes the following information to
238the TEE after boot/recovery partition verification and TEE initialization
239to bind the Keymaster root of trust:</p>
240
241<ol>
242  <li>the public key that was used to sign the boot partition
243  <li>the current device state (LOCKED or UNLOCKED)
244</ol>
245
246<p>This changes the keys derived by the TEE. Taking disk encryption as an example,
247this prevents user data from being decrypted when the device state changes.</p>
248
249<p class="note"><strong>Note:</strong> This means if the system software or the
250device state changes, encrypted user data will no longer be accessible as the
251TEE will attempt to use a different key to decrypt the data.</p>
252
253<h4 id="initializing-attestation">Initializing attestation</h4>
254<p>
255Similar to root of trust binding, if TEE is available, the bootloader passes it
256the following information to initialize attestation:
257</p>
258<ol>
259<li>the current boot state (GREEN, YELLOW, ORANGE)
260<li>the operating system version
261<li>the operating system security patch level
262</ol>
263<h4 id=booting_into_recovery>Booting into recovery</h4>
264
265<p>The recovery partition should be verified in exactly the same manner as the
266boot partition.</p>
267
268<h4 id=comm_boot_state>Communicating boot state</h4>
269
270<p>System software needs to be able to determine the verification status of
271previous stages. The bootloader specifies the current boot state as a
272parameter on the kernel command line (or through the device tree under
273<code>firmware/android/verifiedbootstate</code>) as described in the table
274below:</p>
275
276<table>
277  <tr>
278    <th>Kernel command line parameter</th>
279    <th>Description</th>
280  </tr>
281  <tr>
282    <td><code>androidboot.verifiedbootstate=green</code></td>
283    <td>Device has booted into GREEN boot state.<br>
284        Boot partition has been verified using the OEM key and it’s valid.</td>
285  </tr>
286  <tr>
287    <td><code>androidboot.verifiedbootstate=yellow</code></td>
288    <td>Device has booted into YELLOW boot state.<br>
289	Boot partition has been verified using the certificate embedded into
290        the signature and it’s valid.</td>
291  </tr>
292  <tr>
293    <td><code>androidboot.verifiedbootstate=orange</code></td>
294    <td>Device has booted into ORANGE boot state.<br>
295        The device is unlocked and no verification has been performed.</td>
296  </tr>
297</table>
298<p class="note"><strong>Note</strong>: The device cannot boot into kernel when
299in the RED boot state, and therefore the kernel command line never includes the
300parameter <code>androidboot.verifiedbootstate=red</code>.</p>
301
302<h3 id=boot_partition>Boot partition</h3>
303
304<p>Once execution has moved to the boot partition, the software there is responsible
305for setting up verification of further partitions. Due to its large size, the
306system partition typically cannot be verified similarly to previous parts but is
307verified as it’s being accessed instead using the dm-verity kernel driver or a
308similar solution.</p>
309
310<p>If dm-verity is used to verify large partitions, the signature of the verity
311metadata appended to each verified partition is verified before the
312partition is mounted and dm-verity is set up for it.</p>
313
314<h4 id=managing_dm-verity>Managing dm-verity</h4>
315
316<p>Implemented as a device mapper target in kernel, dm-verity adds a layer
317on top of a partition and verifies each read block against a hash tree passed to
318it during setup. If it comes across a block that fails to verify, it makes the
319block inaccessible to user space.</p>
320
321<p>When mounting partitions during boot, fs_mgr sets up dm-verity for a
322partition if the <code>verify</code> fs_mgr flag is specified for it in the
323device’s fstab. Verity metadata signature is verified against the public key
324in <code>/verity_key</code>.</p>
325
326<h4 id=recovering_from_dm-verity_errors>Recovering from dm-verity errors</h4>
327
328<p>Because the system partition is by far larger than the boot partition, the
329probability of verification errors is also higher. Specifically, there is a
330larger probability of unintentional disk corruption, which will cause a
331verification failure and can potentially make an otherwise functional device
332unusable if a critical block in the partition can no longer be accessed.
333Forward error correction can be used with dm-verity to mitigate this risk.
334Providing this alternative recovery path is recommended, though it comes at the
335expense of increasing metadata size.</p>
336
337<p>
338By default, dm-verity is configured to function in a “restart” mode where it
339immediately restarts the device when a corrupted block is detected. This makes
340it possible to safely warn the user when the device is corrupted, or to fall
341back to device specific recovery, if available.
342</p>
343
344<p>
345To make it possible for users to still access their data, dm-verity switches
346to I/O Error (EIO) mode if the device boots with known corruption. When in EIO mode,
347dm-verity returns I/O errors for any reads that access corrupted blocks but
348allows the device to keep running. Keeping track of the current mode requires
349persistently storing dm-verity state. The state can be managed either by fs_mgr
350or the bootloader:
351</p>
352
353<ol>
354  <li>To manage dm-verity state in fs_mgr, an additional argument is specified to
355      the <code>verify</code> flag to inform fs_mgr where to store dm-verity state.
356      For example, to store the state on the metadata partition, specify
357      <code>verify=/path/to/metadata</code>.
358      <p class="note"><strong>Note:</strong> fs_mgr switches dm-verity to EIO
359       mode after the first corruption has been detected and resets the mode
360       back to “restart” after the metadata signature of any verified partition
361       has changed.</p>
362  </li>
363  <li>Alternatively, to manage dm-verity state in the bootloader, pass the current
364      mode to the kernel in the <code>androidboot.veritymode</code> command line
365      parameter as follows:
366
367      <table>
368        <tr>
369          <th>Kernel command line parameter</th>
370          <th>Description</th>
371        </tr>
372        <tr>
373          <td><code>androidboot.veritymode=enforcing</code></td>
374          <td>Set up dm-verity in the default “restart” mode.</td>
375        </tr>
376        <tr>
377          <td><code>androidboot.veritymode=eio</code></td>
378          <td>Set up dm-verity in EIO mode.</td>
379        </tr>
380      </table>
381
382      <p class="note">
383      <strong>Note:</strong> Managing state in the bootloader also requires the kernel
384      to set the restart reason correctly when the device restarts due to dm-verity.
385      After corruption has been detected, the bootloader should switch back to
386      “restart” mode when any of the verified partitions have changed.</p>
387  </li>
388</ol>
389
390<p>
391If dm-verity is not started in the “restart” mode for any reason, or verity
392metadata cannot be verified, a warning displays to the user if the device is
393allowed to boot, similar to the one shown before booting into the RED boot
394state. The user must consent to the device to continue booting in EIO mode. If
395user consent is not received in 30 seconds, the device powers off.
396</p>
397
398<p class="note">
399<strong>Note:</strong> dm-verity never starts in logging mode to prevent
400unverified data from leaking into userspace.
401</p>
402
403
404
405<h3 id=verified_partition>Verified partition</h3>
406
407<p>In a verified device, the system partition is always verified. But any
408other read-only partition should also be set to be verified, as well. Any
409read-only partition that contains executable code is verified on a
410verified device. This includes vendor and OEM partitions, if they exist, for example.</p>
411
412<p>To verify a partition, signed verity metadata is
413appended to it. The metadata consists of a hash tree of the partition contents
414and a verity table containing signed parameters and the root of the hash tree.
415If this information is missing or invalid when dm-verity is set up for the
416partition, the device doesn't boot.</p>
417
418<h2 id=implementation_details>Implementation details</h2>
419
420<h3 id=key_types_and_sizes>Key types and sizes</h3>
421
422<p>The OEM key used in AOSP is an RSA key with a modulus of 2048 bits or
423higher and a public exponent of 65537 (F4), meeting the CDD requirements of
424equivalent or greater strength than such a key.</p>
425
426<p>Note that the OEM key typically cannot be rotated if it's compromised, so
427protecting it is important, preferably using a Hardware Security Module (HSM)
428or a similar solution. It's also recommended to use a different key for each
429type of device.</p>
430
431<h3 id=signature_format>Signature format</h3>
432
433<p>The signature on an Android verifiable boot image is an ASN.1 DER-encoded
434message, which can be parsed with a decoder similar to the one found at: <a
435href="https://android.googlesource.com/platform/bootable/recovery/+/f4a6ab27b335b69fbc419a9c1ef263004b561265/asn1_decoder.cpp">platform/bootable/recovery/asn1_decoder.cpp</a><br/>
436The message format itself is as follows:</p>
437
438<pre>
439AndroidVerifiedBootSignature DEFINITIONS ::=
440     BEGIN
441          FormatVersion ::= INTEGER
442          Certificate ::= Certificate
443          AlgorithmIdentifier  ::=  SEQUENCE {
444               algorithm OBJECT IDENTIFIER,
445               parameters ANY DEFINED BY algorithm OPTIONAL
446          }
447          AuthenticatedAttributes ::= SEQUENCE {
448                 target CHARACTER STRING,
449                 length INTEGER
450          }
451
452          Signature ::= OCTET STRING
453     END
454</pre>
455
456<p>The <code>Certificate</code> field is the full X.509 certificate containing
457the public key used for signing, as defined by <a
458href="http://tools.ietf.org/html/rfc5280#section-4.1.1.2">RFC5280</a> section
4594.1. When LOCKED, the bootloader uses the OEM key for verification
460first, and only boot to YELLOW or RED states if the embedded certificate is
461used for verification instead.</p>
462
463<p>The remaining structure is similar to that defined by <a
464href="http://tools.ietf.org/html/rfc5280#section-4.1.1.2">RFC5280</a> sections
4654.1.1.2 and 4.1.1.3 with the exception of the
466<code>AuthenticatedAttributes</code> field. This field contains the length of
467the image to be verified as an integer and the partition where the image can
468be found (boot, recovery, etc.).</p>
469
470<h3 id=signing_and_verifying_an_image>Signing and verifying an image</h3>
471
472<p><strong>To produce a signed image:</strong></p>
473<ol>
474  <li>Generate the unsigned image.
475  <li>0-pad the image to the next page size boundary (omit this step if already
476aligned).
477  <li>Populate the fields of the <code>AuthenticatedAttributes</code> section
478      above based on the padded image and desired target partition.
479  <li>Append the <code>AuthenticatedAttributes</code> structure above to the image.
480  <li>Sign the image.
481</ol>
482
483<p><strong>To verify the image:</strong></p>
484<ol>
485  <li>Determine the size of the image to be loaded including padding (e.g. by reading
486a header).
487  <li>Read the signature located at the offset above.
488  <li>Validate the contents of the <code>AuthenticatedAttributes</code> field.
489      If these values do not validate, treat it as a signature validation error.
490  <li>Verify the image and <code>AuthenticatedAttributes</code> sections.
491</ol>
492
493<h3 id=user_experience>User experience</h3>
494
495<p>A user in the GREEN boot state should see no additional user interaction besides that
496required by normal device boot. In ORANGE and YELLOW boot states, the user sees a
497warning for at least five seconds. Should the user interact with the device during
498this time, the warning remains visible at least 30 seconds longer, or until
499the user dismisses the warning. In the RED boot state, the warning is shown for
500at least 30 seconds, after which the device powers off.</p>
501
502<p>Sample user interaction screens for other states are shown in the following table:</p>
503
504<table>
505 <tr>
506    <th>Device state</th>
507    <th>Sample UX</th>
508    <th> </th>
509 </tr>
510 <tr>
511    <td>YELLOW</td>
512    <td><img src="../images/boot_yellow1.png" alt="Yellow device state 1" id="figure2" />
513        <p class="img-caption"><strong>Figure 2.</strong> Before user interaction</p>
514    </td>
515    <td><img src="../images/boot_yellow2.png" alt="Yellow device state 2" id="figure3" />
516        <p class="img-caption"><strong>Figure 3.</strong> After user interaction</p>
517    </td>
518 </tr>
519 <tr>
520    <td>ORANGE</td>
521    <td><img src="../images/boot_orange.png" alt="Orange device state" id="figure4" />
522        <p class="img-caption"><strong>Figure 4.</strong> Warning that device is
523        unlocked and can’t be verified.</p>
524    </td>
525    <td> </td>
526 </tr>
527 <tr>
528    <td>RED</td>
529    <td><img src="../images/boot_red1.png" alt="Red device state" id="figure5" />
530        <p class="img-caption"><strong>Figure 5.</strong> Verified boot failure
531        warning</p>
532    </td>
533    <td><img src="../images/boot_red2.png" alt="Red device state" id="figure6" />
534        <p class="img-caption"><strong>Figure 6.</strong> Booting into EIO mode
535        warning</p>
536    </td>
537 </tr>
538</table>
539