## 9.10. Device Integrity

The following requirements ensure there is transparency about the status of the
device integrity. Device implementations:

* [C-0-1] MUST correctly report through the System API method
`PersistentDataBlockManager.getFlashLockState()` whether their bootloader
state permits flashing of the system image. The `FLASH_LOCK_UNKNOWN` state is
reserved for device implementations upgrading from an earlier version of Android
where this new system API method did not exist.

Verified boot is a feature that guarantees the integrity of the device
software. If a device implementation supports the feature, it:

* [C-1-1] MUST declare the platform feature flag
`android.software.verified_boot`.
* [C-2-1] MUST perform verification on every boot sequence.
* [C-3-1] MUST start verification from an immutable hardware key that is the
root of trust and go all the way up to the system partition.
* [C-4-1] MUST implement each stage of verification to check the integrity
and authenticity of all the bytes in the next stage before executing the code in
the next stage.
* [C-5-1] MUST use verification algorithms as strong as current
recommendations from NIST for hashing algorithms (SHA-256) and public key
sizes (RSA-2048).
* [C-6-1] MUST NOT allow boot to complete when system verification fails,
unless the user consents to attempt booting anyway, in which case the data from
any non-verified storage blocks MUST NOT be used.
* [C-7-1] MUST NOT allow verified partitions on the device to be modified
unless the user has explicitly unlocked the boot loader.
* [SR] If there are multiple discrete chips in the device (e.g. radio,
specialized image processor), the boot process of each of those chips is
STRONGLY RECOMMENDED to verify every stage upon booting.
* [SR] STRONGLY RECOMMENDED to use tamper-evident storage for when the
bootloader is unlocked. Tamper-evident storage means that the boot loader can
detect if the storage has been tampered with from inside the
HLOS (High Level Operating System).
* [SR] STRONGLY RECOMMENDED to prompt the user, while using the device, and
require physical confirmation before allowing a transition from boot loader
locked mode to boot loader unlocked mode.
* [SR] STRONGLY RECOMMENDED to implement rollback protection for the HLOS
(e.g. boot, system partitions) and to use tamper-evident storage for storing the
metadata used for determining the minimum allowable OS version.
* SHOULD implement rollback protection for any component with persistent
firmware (e.g. modem, camera) and SHOULD use tamper-evident storage for
storing the metadata used for determining the minimum allowable version.

The upstream Android Open Source Project provides a preferred implementation of
this feature in the [`external/avb/`](http://android.googlesource.com/platform/external/avb/)
repository, which can be integrated into the boot loader used for loading
Android.

Device implementations with Advanced Encryption Standard (AES) crypto
performance above 50 MiB/second:

* [C-8-1] MUST support verified boot for device integrity.

If a device implementation was already launched without supporting verified boot
on an earlier version of Android, such a device cannot add support for this
feature with a system software update and is thus exempted from the
requirement.
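The chain-of-trust and rollback requirements above (C-3-1, C-4-1, C-6-1 and the rollback-protection recommendation) are easier to reason about with a small executable model. The following Python is an added illustration, not code from the CDD or from AOSP's `external/avb/`: it simplifies the real design by rooting the chain in an immutable SHA-256 digest instead of a hardware public key and RSA-2048-signed vbmeta descriptors, and the `TamperEvidentStore` class is a constructed stand-in for tamper-evident storage of the minimum allowed rollback index. Each stage is hashed in full and checked against the digest its verified predecessor vouches for before any of it is trusted, the boot fails closed on any mismatch (the user-consent path of C-6-1 is not modelled), and the stored minimum is only ever raised.

```python
"""Simplified model of a verified-boot chain with rollback protection.
Added illustration, not AOSP/libavb code: an immutable SHA-256 digest stands in
for the hardware root-of-trust key and signed vbmeta descriptors."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Stage:
    name: str                     # e.g. "bootloader", "boot", "system"
    code: bytes                   # every byte that would be executed or mounted
    next_digest: Optional[bytes]  # SHA-256 this stage vouches for its successor
    rollback_index: int           # monotonically increasing version counter


def serialize(stage: Stage) -> bytes:
    """Bytes of a stage as its verifier sees them: header fields plus code.
    Hashing the whole thing means a forged next_digest or rollback_index in the
    header is caught by the previous stage, not only tampered code."""
    nd = stage.next_digest or b""
    return (stage.name.encode() + b"\0"
            + stage.rollback_index.to_bytes(4, "big")
            + len(nd).to_bytes(1, "big") + nd
            + stage.code)


def digest(stage: Stage) -> bytes:
    return hashlib.sha256(serialize(stage)).digest()


class TamperEvidentStore:
    """Constructed stand-in for tamper-evident storage of the minimum allowed
    rollback index. The value can only be raised, never lowered."""

    def __init__(self, minimum: int = 0) -> None:
        self.minimum = minimum

    def raise_to(self, value: int) -> None:
        if value > self.minimum:
            self.minimum = value


@dataclass
class BootResult:
    completed: bool
    executed: List[str]  # stages whose bytes were fully verified before "running"
    reason: str = ""


def build_chain(specs: List[Tuple[str, bytes, int]]) -> Tuple[bytes, List[Stage]]:
    """Build stages from (name, code, rollback_index) in boot order. Built back to
    front because each stage embeds its successor's digest. Returns the digest of
    the first stage, i.e. the value that would be burned in as root of trust."""
    stages: List[Stage] = []
    next_digest: Optional[bytes] = None
    for name, code, idx in reversed(specs):
        stage = Stage(name, code, next_digest, idx)
        stages.insert(0, stage)
        next_digest = digest(stage)
    assert next_digest is not None, "empty chain"
    return next_digest, stages


def boot(root_digest: bytes, chain: List[Stage], store: TamperEvidentStore) -> BootResult:
    """Fail-closed boot. Each stage is compared in full against the digest asserted
    by its verified predecessor (the first against the immutable root) before it
    is trusted; only then is its rollback index read and checked."""
    executed: List[str] = []
    expected: Optional[bytes] = root_digest
    for stage in chain:
        if expected is None:
            return BootResult(False, executed, "%s: predecessor vouches for no further stage" % stage.name)
        if digest(stage) != expected:
            return BootResult(False, executed, "%s: integrity check failed" % stage.name)
        # The header is trustworthy only now that the whole stage hashed correctly.
        if stage.rollback_index < store.minimum:
            return BootResult(False, executed, "%s: rollback index %d below stored minimum %d"
                              % (stage.name, stage.rollback_index, store.minimum))
        executed.append(stage.name)
        expected = stage.next_digest
    # Whole chain verified: ratchet the stored minimum so older images cannot boot again.
    store.raise_to(min(s.rollback_index for s in chain))
    return BootResult(True, executed)


if __name__ == "__main__":
    # Constructed sample images; real stages would be whole partitions.
    root, chain = build_chain([("bootloader", b"bl-v2", 2),
                               ("boot", b"kernel-v5", 5),
                               ("system", b"rootfs-v5", 5)])
    store = TamperEvidentStore()
    print(boot(root, chain, store))
    tampered = chain[:-1] + [Stage("system", b"rootfs-v5-modified", None, 5)]
    print(boot(root, tampered, store))
    print(boot(root, chain, TamperEvidentStore(minimum=3)))
```

Modifying any stage, including rewriting a stage's header to vouch for a different successor, changes that stage's digest and is caught by the stage before it, which is what "all the bytes in the next stage" in C-4-1 buys. Lowering the stored minimum is the one thing the model forbids outright, which is why the CDD wants that metadata in tamper-evident storage.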