### Signing Helper with Files Invocation Example

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Example of using `--signing_helper_with_files`. This method uses a temporary file for communication, which is useful if the signing helper outputs diagnostics to STDOUT. The helper writes the signature back into the provided file.

```bash
/path/to/my_signing_program_with_files SHA256_RSA2048 \
    /path/to/publickey.pem /tmp/path/to/communication_file
```

--------------------------------

### Create Chained VBMeta Images

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Configure the build system to create additional vbmeta partitions for independent updates of specific image subsets. This example sets up vbmeta_system.img for system, system_ext, and product images.

```makefile
BOARD_AVB_VBMETA_SYSTEM := system system_ext product
BOARD_AVB_VBMETA_SYSTEM_KEY_PATH := external/avb/test/data/testkey_rsa2048.pem
BOARD_AVB_VBMETA_SYSTEM_ALGORITHM := SHA256_RSA2048
BOARD_AVB_VBMETA_SYSTEM_ROLLBACK_INDEX_LOCATION := 1
```

--------------------------------

### Build the Verifier Tool

Source: https://github.com/platform/external/avb/blob/main-kernel/tools/transparency/verify/README.md

Build the verifier executable using Go. Ensure Go 1.17 or later is installed.

```bash
go build cmd/verifier/verifier.go
```

--------------------------------

### Signing Helper Invocation Example

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Example of using `--signing_helper` with a custom signing program. The program receives the algorithm and public key as arguments, and signs data provided via STDIN, returning the signature via STDOUT.

```bash
/path/to/my_signing_program SHA256_RSA2048 /path/to/publickey.pem
```

--------------------------------

### Run the Verifier Tool

Source: https://github.com/platform/external/avb/blob/main-kernel/tools/transparency/verify/README.md

Execute the verifier with the payload path and log type. The log type can be 'pixel' or 'google_system_apk'.

```bash
./verifier --payload_path=${PAYLOAD_PATH} --log_type=
```

--------------------------------

### Additional Arguments for boot.img Hash Footer

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Specify additional options for avbtool add_hash_footer when processing boot.img. This can include hash algorithm and salt configurations.

```makefile
BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS := --hash_algorithm SHA256 --salt abcdef123456
```

--------------------------------

### Enable AVB in Android Build System

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Set this variable to true to enable Android Verified Boot. This will generate a vbmeta.img containing descriptors for various system images.

```makefile
BOARD_AVB_ENABLE := true
```

--------------------------------

### Configure GKI 2.0 Boot Image Integration

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

These board variables are used when incorporating a certified GKI boot.img into a device codebase. Adjust settings per device requirements.

```makefile
# Uses a prebuilt boot.img
TARGET_NO_KERNEL := true
BOARD_PREBUILT_BOOTIMAGE := device/${company}/${board}/boot.img

# Enables chained vbmeta for the boot.img so it can be updated independently,
# without updating the vbmeta.img. The following configs are optional.
# When they're absent, the hash of the boot.img will be stored then signed in
# the vbmeta.img.
BOARD_AVB_BOOT_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
BOARD_AVB_BOOT_ALGORITHM := SHA256_RSA4096
BOARD_AVB_BOOT_ROLLBACK_INDEX := $(PLATFORM_SECURITY_PATCH_TIMESTAMP)
BOARD_AVB_BOOT_ROLLBACK_INDEX_LOCATION := 2
```

--------------------------------

### Additional Arguments for system.img Hashtree Footer

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Specify additional options for avbtool add_hashtree_footer when processing system.img. This allows for custom hash algorithms, salts, block sizes, and disabling FEC generation.

```makefile
BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS := --hash_algorithm SHA512 --salt fedcba654321 --block_size 4096 --do_not_generate_fec
```

--------------------------------

### Configure AVB Algorithm and Key Path

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Override the default SHA256_RSA4096 algorithm and test key. Use a secure key and algorithm suitable for your device's security requirements. The public part of the key must be available to the bootloader.

```makefile
BOARD_AVB_ALGORITHM := SHA512_RSA4096
BOARD_AVB_KEY_PATH := /path/to/rsa_key_4096bits.pem
```

--------------------------------

### Resize Image with Avbtool

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Use `resize_image` to adjust the size of an image. Specify the image file and the desired partition size.

```bash
$ avbtool resize_image \
    --image IMAGE \
    --partition_size SIZE
```

--------------------------------

### Additional Arguments for make_vbmeta_image

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Pass extra options to the avbtool make_vbmeta_image command. This allows for advanced configurations such as adding properties, chaining partitions, or using custom signing helpers.

```makefile
BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS := --prop com.android.build.version=1.0 \
    --chain_partition system_other
```

--------------------------------

### Generate vbmeta image with avbtool

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Use `make_vbmeta_image` to generate the content for the vbmeta partition. This command supports various options for algorithm, key, rollback index, and chaining partitions.

```bash
avbtool make_vbmeta_image \
    [--output OUTPUT] \
    [--algorithm ALGORITHM] [--key /path/to/key_used_for_signing_or_pub_key] \
    [--public_key_metadata /path/to/pkmd.bin] \
    [--rollback_index NUMBER] [--rollback_index_location NUMBER] \
    [--include_descriptors_from_image /path/to/image.bin] \
    [--setup_rootfs_from_kernel /path/to/image.bin] \
    [--chain_partition part_name:rollback_index_location:/path/to/key1.bin] \
    [--chain_partition_do_not_use_ab part_name:rollback_index_location:/path/to/key.bin] \
    [--signing_helper /path/to/external/signer] \
    [--signing_helper_with_files /path/to/external/signer_with_files] \
    [--print_required_libavb_version] \
    [--append_to_release_string STR]
```

--------------------------------

### Print Required Libavb Version

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Use `--print_required_libavb_version` with commands like `make_vbmeta_image`, `add_hash_footer`, and `add_hashtree_footer` to determine the minimum libavb version required for the generated vbmeta struct.

```bash
$ avbtool make_vbmeta_image \
    --algorithm SHA256_RSA2048 --key /path/to/key.pem \
    --include_descriptors_from_image /path/to/boot.img \
    --include_descriptors_from_image /path/to/system.img \
    --print_required_libavb_version
1.0
```

--------------------------------

### Flash Custom Key to Virtual Partition

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Flashes the extracted public key to the `avb_custom_key` virtual partition.
This operation requires the device to be in the UNLOCKED state.

```bash
fastboot flash avb_custom_key pkmd.bin
```

--------------------------------

### Additional Arguments for vendor.img Hashtree Footer

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Specify additional options for avbtool add_hashtree_footer when processing vendor.img. This allows for custom hash algorithms, salts, block sizes, and disabling FEC generation.

```makefile
BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS := --hash_algorithm SHA256 --salt 123456abcdef --block_size 4096 --do_not_generate_fec
```

--------------------------------

### Verify and Calculate VBMeta Digest for Factory Images

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

This script downloads, verifies, and calculates the VBMeta Digest for factory images. It can accept a URL or a local file path.

```bash
pixel_factory_image_verify.py https://dl.google.com/dl/android/aosp/image.zip
```

```bash
pixel_factory_image_verify.py image.zip
```

--------------------------------

### Additional Arguments for dtbo.img Hash Footer

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Specify additional options for avbtool add_hash_footer when processing dtbo.img. This can include hash algorithm and salt configurations.

```makefile
BOARD_AVB_DTBO_ADD_HASH_FOOTER_ARGS := --hash_algorithm SHA256 --salt 0123456789
```

--------------------------------

### Calculate Maximum Image Size

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Use `--calc_max_image_size` with `add_hash_footer` or `add_hashtree_footer` to determine the maximum image size that will fit within a given partition size after adding footers.

```bash
$ avbtool add_hash_footer --partition_size $((10*1024*1024)) \
    --calc_max_image_size
10416128
```

```bash
$ avbtool add_hashtree_footer --partition_size $((10*1024*1024)) \
    --calc_max_image_size
10330112
```

--------------------------------

### Verify Image with Chained Partition Check

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Verifies image digests and checks chained partitions, including rollback index and public key matching. Assumes images are in the same directory with the same file extension as the vbmeta image.

```bash
$ avbtool verify_image \
    --image /path/to/vbmeta.img \
    --key my_key.pem \
    --expect_chained_partition foobar:8:foobar_vendor_key.avbpubkey
```

```text
Verifying image /path/to/vbmeta.img using key at my_key.pem
vbmeta: Successfully verified SHA256_RSA4096 vbmeta struct in /path_to/vbmeta.img
boot: Successfully verified sha256 hash of /path/to/boot.img for image of 10543104 bytes
system: Successfully verified sha1 hashtree of /path/to/system.img for image of 1065213952 bytes
foobar: Successfully verified chain partition descriptor matches expected data
```

--------------------------------

### Add hashtree footer with avbtool

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Use `add_hashtree_footer` to add an integrity footer with the root digest and salt for a hashtree to an existing image. The hashtree is also appended to the image. This command supports various hashing algorithms and FEC options.

```bash
avbtool add_hashtree_footer \
    --partition_name PARTNAME --partition_size SIZE \
    [--image IMAGE] \
    [--algorithm ALGORITHM] [--key /path/to/key_used_for_signing_or_pub_key] \
    [--public_key_metadata /path/to/pkmd.bin] \
    [--rollback_index NUMBER] [--rollback_index_location NUMBER] \
    [--hash_algorithm HASH_ALG] [--salt HEX] [--block_size SIZE] \
    [--include_descriptors_from_image /path/to/image.bin] \
    [--setup_rootfs_from_kernel /path/to/image.bin] \
    [--setup_as_rootfs_from_kernel] \
    [--output_vbmeta_image OUTPUT_IMAGE] [--do_not_append_vbmeta_image] \
    [--do_not_generate_fec] [--fec_num_roots FEC_NUM_ROOTS] \
    [--signing_helper /path/to/external/signer] [--signing_helper_with_files /path/to/external/signer_with_files] \
    [--print_required_libavb_version] \
    [--append_to_release_string STR] \
    [--calc_max_image_size] \
    [--do_not_use_ab] \
    [--no_hashtree] \
    [--use_persistent_digest] \
    [--check_at_most_once]
```

--------------------------------

### Print Partition Digests

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Prints hash and hashtree digests embedded in verified metadata for partitions. It follows chain partitions and supports JSON output.

```bash
$ avbtool print_partition_digests --image /path/to/vbmeta.img
```

```text
system: ddaa513715fd2e22f3c1cea3c1a1f98ccb515fc6
boot: 5cba9a418e04b5f9e29ee6a250f6cdbe30c6cec867c59d388f141c3fedcb28c1
vendor: 06993a9e85e46e53d3892881bb75eff48ecadaa8
```

--------------------------------

### Configure AVB Invocation Logging

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Configures logging for all avbtool command lines by setting the AVB_INVOCATION_LOGFILE environment variable. This is useful for debugging integrations.

```bash
$ export AVB_INVOCATION_LOGFILE='/tmp/avb_invocation.log'
$ ./avbtool.py version
$ ./avbtool.py version
$ cat /tmp/avb_invocation.log
```

```text
./avbtool.py version
./avbtool.py version
```

--------------------------------

### Add integrity footer with avbtool

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Use `add_hash_footer` to add an integrity footer containing the hash for an entire partition to an existing image. This command allows specifying partition details, algorithm, key, and rollback information.

```bash
avbtool add_hash_footer \
    --partition_name PARTNAME --partition_size SIZE \
    [--image IMAGE] \
    [--algorithm ALGORITHM] [--key /path/to/key_used_for_signing_or_pub_key] \
    [--public_key_metadata /path/to/pkmd.bin] \
    [--rollback_index NUMBER] [--rollback_index_location NUMBER] \
    [--hash_algorithm HASH_ALG] [--salt HEX] \
    [--include_descriptors_from_image /path/to/image.bin] \
    [--setup_rootfs_from_kernel /path/to/image.bin] \
    [--output_vbmeta_image OUTPUT_IMAGE] [--do_not_append_vbmeta_image] \
    [--signing_helper /path/to/external/signer] \
    [--signing_helper_with_files /path/to/external/signer_with_files] \
    [--print_required_libavb_version] \
    [--append_to_release_string STR] \
    [--calc_max_image_size] \
    [--do_not_use_ab] \
    [--use_persistent_digest]
```

--------------------------------

### Google System APK Transparency Log Payload Format

Source: https://github.com/platform/external/avb/blob/main-kernel/tools/transparency/verify/README.md

The payload for Google System APKs includes the hash, hash description, package name, and package version code, each on a new line.

```text
\n\n\n\n
```

--------------------------------

### Append VBMeta Image to an Image

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Use `append_vbmeta_image` to append a VBMeta blob to the end of another image. This is useful when not using separate VBMeta partitions. Ensure `SIZE_OF_BOOT_PARTITION` is correctly specified.

```bash
$ cp boot.img boot-with-vbmeta-appended.img
$ avbtool append_vbmeta_image \
    --image boot-with-vbmeta-appended.img \
    --partition_size SIZE_OF_BOOT_PARTITION \
    --vbmeta_image vbmeta.img
$ fastboot flash boot boot-with-vbmeta-appended.img
```

--------------------------------

### Extract Public Key for Custom Key

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Extracts the public key from a private key file for use with AVB custom keys. This is typically done in an unlocked state.

```bash
avbtool extract_public_key --key key.pem --output pkmd.bin
```

--------------------------------

### Conditional Rollback Index Update for A/B Slots

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

This C++ pseudo-code shows how to conditionally update rollback indexes for A/B slots. The update only occurs if the slot is marked as successful, ensuring that the device can fall back to an older slot if the new update fails.

```c++
if (is_slot_is_marked_as_successful(slot->ab_suffix)) {
  if (!update_stored_rollback_indexes_for_slot(ops, slot)) {
    // TODO: handle error.
  }
}
```

--------------------------------

### Zero Out Hashtree and FEC Data

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Use `zero_hashtree` to zero out the hashtree and FEC data in an image. This can reduce image size but requires recalculation at runtime. Applications should check for the magic string `ZeRoHaSH` to detect if recalculation is needed.

```bash
$ avbtool zero_hashtree --image IMAGE
```

--------------------------------

### Calculate VBMeta Digest

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Calculates the vbmeta digest for image files using a specified hash algorithm. It follows chain partition descriptors to load necessary files.

```bash
$ avbtool calculate_vbmeta_digest \
    --hash_algorithm sha256 \
    --image /path/to/vbmeta.img
```

```text
a20fdd01a6638c55065fe08497186acde350d6797d59a55d70ffbcf41e95c2f5
```

--------------------------------

### Pixel Transparency Log Payload Format

Source: https://github.com/platform/external/avb/blob/main-kernel/tools/transparency/verify/README.md

The payload for Pixel Factory images consists of the build fingerprint and the vbmeta digest, separated by a newline.

```text
\n\n
```

--------------------------------

### Set Rollback Index

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Specify the rollback index to prevent rollback attacks. Increasing this value on each update ensures that older, potentially vulnerable versions of the software cannot be flashed.

```makefile
BOARD_AVB_ROLLBACK_INDEX := 5
```

--------------------------------

### Update Stored Rollback Indexes for a Slot

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

This C++ pseudo-code demonstrates how to update the stored rollback indexes for a given slot based on the rollback indexes found in the AVB metadata. It iterates through rollback index locations, reads the current stored index, and writes a new one if the rollback index from the slot data is greater.

```c++
// The |slot_data| parameter should be the AvbSlotVerifyData returned
// by avb_slot_verify() for the slot we're about to boot.
//
bool update_stored_rollback_indexes_for_slot(AvbOps* ops,
                                             AvbSlotVerifyData* slot_data) {
  for (int n = 0; n < AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS; n++) {
    uint64_t rollback_index = slot_data->rollback_indexes[n];
    if (rollback_index > 0) {
      AvbIOResult io_ret;
      uint64_t current_stored_rollback_index;

      io_ret = ops->read_rollback_index(ops, n, &current_stored_rollback_index);
      if (io_ret != AVB_IO_RESULT_OK) {
        return false;
      }

      if (rollback_index > current_stored_rollback_index) {
        io_ret = ops->write_rollback_index(ops, n, rollback_index);
        if (io_ret != AVB_IO_RESULT_OK) {
          return false;
        }
      }
    }
  }
  return true;
}
```

--------------------------------

### Add Hash Footer without Hashtree

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Use `--no_hashtree` with `avbtool add_hashtree_footer` to omit the hashtree blob, adding only its descriptor to the vbmeta struct. This signals applications to recalculate the hashtree.

```bash
$ avbtool add_hashtree_footer --no_hashtree
```

--------------------------------

### Erase Image Footer with Avbtool

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Use `erase_footer` to remove the integrity footer from an image. The hashtree can optionally be preserved.

```bash
$ avbtool erase_footer --image IMAGE [--keep_hashtree]
```

--------------------------------

### Erase Custom Key from Virtual Partition

Source: https://github.com/platform/external/avb/blob/main-kernel/README.md

Erases the `avb_custom_key` virtual partition to remove the custom key. This operation requires the device to be in the UNLOCKED state.

```bash
fastboot erase avb_custom_key
```
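--------------------------------

Why the update in "Conditional Rollback Index Update for A/B Slots" is gated on the slot being marked successful, shown as an added example that is not part of the AVB README or libavb. It is a small C model in which `Storage`, `Slot`, `N_LOCATIONS`, `try_boot` and the index values are constructed stand-ins for libavb's `AvbOps` and `AvbSlotVerifyData`, and it contrasts the gated update with an ungated one after a failed update to slot B.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for this example; these are not libavb types. */
#define N_LOCATIONS 4 /* role of AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS */

typedef struct { uint64_t stored[N_LOCATIONS]; } Storage; /* rollback storage */

typedef struct {
  uint64_t rollback_indexes[N_LOCATIONS]; /* from the slot's verified vbmeta */
  bool marked_successful;                 /* set after the slot booted cleanly */
} Slot;

/* Verification side: refuse a slot whose index is below the stored value. */
static bool passes_rollback_check(const Storage* st, const Slot* s) {
  for (int n = 0; n < N_LOCATIONS; n++)
    if (s->rollback_indexes[n] < st->stored[n]) return false;
  return true;
}

/* Same rule as the page's update function: stored values only ever go up. */
static void update_stored(Storage* st, const Slot* s) {
  for (int n = 0; n < N_LOCATIONS; n++)
    if (s->rollback_indexes[n] > st->stored[n])
      st->stored[n] = s->rollback_indexes[n];
}

/* One boot attempt; gate_on_success selects the page's conditional update. */
static bool try_boot(Storage* st, const Slot* s, bool gate_on_success) {
  if (!passes_rollback_check(st, s)) return false;
  if (!gate_on_success || s->marked_successful) update_stored(st, s);
  return true;
}

/* Slot A: known-good build, index 5 at location 2. Slot B: fresh update,
 * index 6, verifies but fails at runtime. Returns true if A still boots. */
bool fallback_survives_failed_update(bool gate_on_success) {
  Storage st = {{0, 0, 5, 0}};
  Slot a = {{0, 0, 5, 0}, true};
  Slot b = {{0, 0, 6, 0}, false};
  try_boot(&st, &b, gate_on_success);
  return try_boot(&st, &a, gate_on_success);
}

/* Once B is marked successful the stored index advances and A is refused. */
bool old_slot_rejected_after_success(void) {
  Storage st = {{0, 0, 5, 0}};
  Slot a = {{0, 0, 5, 0}, true};
  Slot b = {{0, 0, 6, 0}, true};
  try_boot(&st, &b, true);
  return !try_boot(&st, &a, true) && st.stored[2] == 6;
}

int main(void) {
  printf("gated, fallback works:   %d\n", fallback_survives_failed_update(true));
  printf("ungated, fallback works: %d\n", fallback_survives_failed_update(false));
  printf("A refused after success: %d\n", old_slot_rejected_after_success());
}
```

With the ungated update, a single verified but non-booting image in slot B raises the stored index and leaves the device with no slot that passes the rollback check.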