1 page.title=Verifying Boot 2 @jd:body 3 4 <!-- 5 Copyright 2015 The Android Open Source Project 6 7 Licensed under the Apache License, Version 2.0 (the "License"); 8 you may not use this file except in compliance with the License. 9 You may obtain a copy of the License at 10 11 http://www.apache.org/licenses/LICENSE-2.0 12 13 Unless required by applicable law or agreed to in writing, software 14 distributed under the License is distributed on an "AS IS" BASIS, 15 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 See the License for the specific language governing permissions and 17 limitations under the License. 18 --> 19 <div id="qv-wrapper"> 20 <div id="qv"> 21 <h2>In this document</h2> 22 <ol id="auto-toc"> 23 </ol> 24 </div> 25 </div> 26 27 <h2 id=objective>Objective</h2> 28 <p>Verified boot guarantees the integrity of the device software starting from a 29 hardware root of trust up to the system partition. During boot, each stage 30 verifies the integrity and authenticity of the next stage before executing it.</p> 31 32 <p>This capability can be used to warn users of unexpected changes to the 33 software when they acquire a used device, for example. It will also provide an 34 additional signal of device integrity for remote attestation, and together with 35 encryption and Trusted Execution Environment (TEE) root of trust binding, adds 36 another layer of protection for user data against malicious system software.</p> 37 38 <p>Note that if verification fails at any stage, the user must be visibly 39 notified and always be given an option to continue using the device at 40 their own discretion.</p> 41 42 <h2 id=glossary>Glossary</h2> 43 44 <p class="table-caption" id="table1"> 45 <strong>Table 1.</strong> Glossary of terms related to verified boot</p> 46 47 <table> 48 <tr> 49 <td> 50 <p><strong>Term</strong></p> 51 </td> 52 <td> 53 <p><strong>Definition</strong></p> 54 </td> 55 </tr> 56 <tr> 57 <td> 58 <p>Boot state</p> 59 </td> 60 <td> 61 <p>The boot state of the device describes the level of protection provided to the 62 end user if the device boots. Boot states are GREEN, YELLOW, ORANGE, and RED.</p> 63 </td> 64 </tr> 65 <tr> 66 <td> 67 <p>Device state</p> 68 </td> 69 <td> 70 <p>The device state indicates how freely software can be flashed to the device. 71 Device states are LOCKED and UNLOCKED.</p> 72 </td> 73 </tr> 74 <tr> 75 <td> 76 <p>dm-verity</p> 77 </td> 78 <td> 79 <p>Linux kernel driver for verifying the integrity of a partition at runtime using 80 a hash tree and signed metadata.</p> 81 </td> 82 </tr> 83 <tr> 84 <td> 85 <p>Keystore</p> 86 </td> 87 <td> 88 <p>A keystore is a signed collection of public keys.</p> 89 </td> 90 </tr> 91 <tr> 92 <td> 93 <p>OEM key</p> 94 </td> 95 <td> 96 <p>The OEM key is a fixed, tamper-protected key available to the bootloader that 97 must be used to verify the boot image.</p> 98 </td> 99 </tr> 100 </table> 101 102 <h2 id=overview>Overview</h2> 103 104 <p>In addition to device state - which already exists in devices and controls 105 whether the bootloader allows new software to be flashed - we introduce the 106 concept of boot state that indicates the state of device integrity.</p> 107 108 <h3 id=classes>Classes</h3> 109 110 <p>We define two implementation classes for verified boot depending on how 111 fully the device implements this specification, as follows:</p> 112 113 <p><strong>Class A</strong> implements verified boot with full chain of trust 114 up to verified partitions. This implementation must support the LOCKED device 115 state, and GREEN and RED boot states.</p> 116 117 <p><strong>Class B</strong> implements Class A and additionally supports the 118 UNLOCKED device state and the ORANGE boot state.</p> 119 120 <h3 id=verification_keys>Verification keys</h3> 121 122 <p>Bootloader integrity must be verified using a hardware root of trust. For 123 verifying boot and recovery partitions, the bootloader must have a fixed OEM key 124 available to it. It must always attempt to verify the boot partition using the OEM 125 key first and try other possible keys only if this verification fails.</p> 126 127 <p>In Class B implementations, it must be possible for the user to flash 128 software signed with other keys when the device is UNLOCKED. If the device is 129 then LOCKED and verification using the OEM key fails, the bootloader must try 130 verification using the certificate embedded in the partition signature. 131 However, using a partition signed with anything other than the OEM key must 132 result in a notification or a warning, as described below.</p> 133 134 <h3 id=boot_state>Boot state</h3> 135 136 <p>A verified device will ultimately boot into one of four states during each boot 137 attempt:</p> 138 139 <ul> 140 <li>GREEN, indicating a full chain of trust extending from the bootloader to 141 verified partitions, including the bootloader, boot partition, and all verified 142 partitions. 143 144 <li>YELLOW, indicating the boot partition has been verified using the 145 embedded certificate, and the signature is valid. The bootloader is required to 146 display a notification and the fingerprint of the public key during boot. 147 148 <li>ORANGE, indicating a device may be freely modified. Device integrity is 149 left to the user to verify out-of-band. The bootloader must display a warning 150 to the user before allowing the boot process to continue. 151 152 <li>RED, indicating the device has failed verification. The bootloader must 153 display a warning to the user before allowing the boot process to continue. 154 </ul> 155 156 <p>The recovery partition must also be verified in the exact same way.</p> 157 158 <h3 id=device_state>Device state</h3> 159 160 <p>The device is required to be in one of two states at all times:</p> 161 162 <ol> 163 <li>LOCKED, indicating the device cannot be flashed. A LOCKED device must 164 boot into the GREEN, YELLOW, or RED states during any attempted boot. 165 166 <li>UNLOCKED, indicating the device may be flashed freely and is not intended 167 to be verified. An UNLOCKED device must always boot to the ORANGE boot state. 168 </ol> 169 170 <img src="../images/verified_boot.png" alt="Verified boot flow" id="figure1" /> 171 <p class="img-caption"><strong>Figure 1.</strong> Verified boot flow</p> 172 173 <h2 id=detailed_design>Detailed design</h2> 174 175 <p>Achieving full chain of trust requires support from both the bootloader and the 176 software on the boot partition, which is responsible for mounting further 177 partitions. Verification metadata must also be appended to the system partition 178 and any additional partitions whose integrity should be verified.</p> 179 180 <h3 id=bootloader_requirements>Bootloader requirements</h3> 181 182 <p>The bootloader is the guardian of the device state and is responsible for 183 initializing the TEE and binding its root of trust.</p> 184 185 <p>Most importantly, the bootloader must verify the integrity of the boot and/or 186 recovery partition before moving execution to the kernel and display the 187 warnings specified in the section <a href="#boot_state">Boot state</a>.</p> 188 189 <h4 id=changing_device_state>Changing device state</h4> 190 191 <p>State changes are performed using the <code>fastboot flashing [unlock | 192 lock]</code> command. And to protect user data, <strong>all</strong> 193 state transitions require a data wipe. Note the user must be asked for 194 confirmation before data is deleted.</p> 195 196 <ol> 197 <li>The UNLOCKED to LOCKED transition is anticipated when a user buys a used 198 development device. As a result of locking the device, the user should have 199 confidence that it is in a state produced by the OEM. 200 201 <li>The LOCKED to UNLOCKED transition is expected in the case where a developer 202 wishes to disable verification on the device. 203 </ol> 204 205 <p>Requirements for <code>fastboot</code> commands that alter device state are listed in the table below:</p> 206 207 <p class="table-caption" id="table2"> 208 <strong>Table 2.</strong> <code>fastboot</code> commands</p> 209 210 <table> 211 <tr> 212 <td> 213 <p><strong><code>fastboot</code> command</strong></p> 214 </td> 215 <td> 216 <p><strong>Requirements</strong></p> 217 </td> 218 </tr> 219 <tr> 220 <td> 221 <code> 222 flashing lock</code></td> 223 <td> 224 <ul> 225 <li>Wipe data after asking the user for confirmation 226 <li>Clear a write-protected bit indicating the device is unlocked 227 </ul> 228 </td> 229 </tr> 230 <tr> 231 <td> 232 <code> 233 flashing unlock</code></td> 234 <td> 235 <ul> 236 <li>Wipe data after asking the user for confirmation 237 <li>Set a write-protected bit indicating the device is unlocked 238 </ul> 239 </td> 240 </tr> 241 </table> 242 243 <p>When altering partition contents, the bootloader must check the bits set by 244 the above commands as described in the following table:</p> 245 246 <p class="table-caption" id="table3"> 247 <strong>Table 3.</strong> <code>fastboot</code> command requirements</p> 248 249 <table> 250 <tr> 251 <td> 252 <p><strong><code>fastboot</code> command</strong></p> 253 </td> 254 <td> 255 <p><strong>Requirements</strong></p> 256 </td> 257 </tr> 258 <tr> 259 <td> 260 <code> 261 flash <partition></code></td> 262 <td> 263 <p>If the bit set by <code>flashing unlock</code> is set, flash the 264 partition. Otherwise, do not allow flashing.<p> 265 </td> 266 </tr> 267 </table> 268 269 <p>The same checks should be performed for any <code>fastboot</code> command 270 that can be used to change the contents of partitions.</p> 271 272 <p class="note"><strong>Note</strong>: Class B implementations must support 273 changing device state.</p> 274 275 <h4 id=binding_tee_root_of_trust>Binding TEE root of trust</h4> 276 277 <p>If TEE is available, the bootloader should pass the following information to 278 the TEE to bind the Keymaster root of trust, after partition verification and 279 TEE initialization:</p> 280 281 <ol> 282 <li>the public key that was used to sign the boot partition 283 <li>the current device state (LOCKED or UNLOCKED) 284 </ol> 285 286 <p>This changes the keys derived by the TEE. Taking disk encryption as an example, 287 this prevents user data from being decrypted when the device state changes.</p> 288 289 <p class="note"><strong>Note:</strong> This means if the system software or the 290 device state changes, encrypted user data will no longer be accessible as the 291 TEE will attempt to use a different key to decrypt the data.</p> 292 293 <h4 id=booting_into_recovery>Booting into recovery</h4> 294 295 <p>The recovery partition should be verified in exactly the same manner as the 296 boot partition.</p> 297 298 <h4 id=comm_boot_state>Communicating boot state</h4> 299 300 <p>System software needs to be able to determine the verification status of 301 previous stages. The bootloader must specify the current boot state as a 302 parameter on the kernel command line (or through the device tree under 303 <code>firmware/android/verifiedbootstate</code>) as described in the table 304 below:</p> 305 306 <p class="table-caption" id="table4"> 307 <strong>Table 4.</strong> Kernel command line parameters</p> 308 309 <table> 310 <tr> 311 <th>Kernel command line parameter</th> 312 <th>Description</th> 313 </tr> 314 <tr> 315 <td><code>androidboot.verifiedbootstate=green</code></td> 316 <td>Device has booted into GREEN boot state.<br> 317 Boot partition has been verified using the OEM key and its valid.</td> 318 </tr> 319 <tr> 320 <td><code>androidboot.verifiedbootstate=yellow</code></td> 321 <td>Device has booted into YELLOW boot state.<br> 322 Boot partition has been verified using the certificate embedded into 323 the signature and its valid.</td> 324 </tr> 325 <tr> 326 <td><code>androidboot.verifiedbootstate=orange</code></td> 327 <td>Device has booted into ORANGE boot state.<br> 328 The device is unlocked and no verification has been performed.</td> 329 </tr> 330 <tr> 331 <td><code>androidboot.verifiedbootstate=red</code></td> 332 <td>Device has booted into RED boot state.<br> 333 The device has failed verification.</td> 334 </tr> 335 </table> 336 337 <h3 id=boot_partition>Boot partition</h3> 338 339 <p>Once execution has moved to the boot partition, the software there is responsible 340 for setting up verification of further partitions. Due to its large size, the 341 system partition typically cannot be verified similarly to previous parts but must be 342 verified as its being accessed instead using the dm-verity kernel driver or a 343 similar solution.</p> 344 345 <p>If dm-verity is used to verify large partitions, the signature of the verity 346 metadata appended to each verified partition must be verified before the 347 partition is mounted and dm-verity is set up for it.</p> 348 349 <h4 id=managing_dm-verity>Managing dm-verity</h4> 350 351 <p>By default, dm-verity operates in enforcing mode and verifies each block read 352 from the partition against a hash tree passed to it during setup. If it 353 comes across a block that fails to verify, it returns an I/O error and makes 354 the block with unexpected contents inaccessible to user space. Depending on 355 which block is corrupted, this may cause some of the programs that reside on 356 the partition to malfunction.</p> 357 358 <p>If dm-verity is always enforcing against correctly signed metadata, nothing 359 more needs be done. However, using an optional verity table parameter, dm-verity 360 can be configured to function in a logging mode where it detects and logs 361 errors but allows I/O to be completed despite them. If dm-verity is not started 362 in enforcing mode for any reason, or verity metadata cannot be verified, a 363 warning must be displayed to the user if the device is allowed to boot, similar 364 to the one shown before booting into the RED state.</p> 365 366 <img src="../images/dm-verity_mgmt.png" alt="dm-verity management" id="figure2" /> 367 <p class="img-caption"><strong>Figure 2.</strong> dm-verity management</p> 368 369 <h4 id=recovering_from_dm-verity_errors>Recovering from dm-verity errors</h4> 370 371 <p>Since the system partition is by far larger than the boot partition, the 372 probability of verification errors is also higher. Specifically, there is a 373 larger probability of unintentional disk corruption, which will cause a 374 verification failure and can potentially make an otherwise functional device 375 unusable if a critical block in the partition can no longer be accessed.</p> 376 377 <p>If dm-verity is always in enforcing mode, nothing further needs to be done. 378 If logging mode is implemented and dm-verity detects an error while in 379 enforcing mode, the device must be rebooted and dm-verity must be started in 380 logging mode during all subsequent restarts until any of the verified 381 partitions is reflashed or changed by an OTA update. This means dm-verity state 382 should be stored in a persistent flag. When a verified partition has been 383 changed, the flag must be cleared and dm-verity must again be started in 384 enforcing mode. Anytime dm-verity is not started in enforcing mode, a warning 385 must be shown to the user before any of the verified partitions are 386 mounted. No unverified data must be allowed to leak to user space without the 387 user being warned.</p> 388 389 <h3 id=verified_partition>Verified partition</h3> 390 391 <p>In a verified device, the system partition must always be verified. But any 392 other read-only partition should also be set to be verified, as well. Any 393 read-only partition that contains executable code must be verified on a 394 verified device. This includes vendor and OEM partitions, if they exist, for example.</p> 395 396 <p>In order for a partition to be verified, signed verity metadata must be 397 appended to it. The metadata consists of a hash tree of the partition contents 398 and a verity table containing signed parameters and the root of the hash tree. 399 If this information is missing or invalid when dm-verity is set up for the 400 partition, the user must be warned.</p> 401 402 <h2 id=implementation_details>Implementation details</h2> 403 404 <h3 id=key_types_and_sizes>Key types and sizes</h3> 405 406 <p>The OEM key is recommended to be an RSA key with a modulus of 2048 bits or 407 higher and a public exponent of 65537 (F4). The OEM key is required to be of 408 equivalent or greater strength than such a key.</p> 409 410 <h3 id=signature_format>Signature format</h3> 411 412 <p>The signature on an Android verifiable boot image is an ASN.1 DER-encoded 413 message, which can be parsed with a decoder similar to the one found at: <a 414 href="https://android.googlesource.com/platform/bootable/recovery/+/f4a6ab27b335b69fbc419a9c1ef263004b561265/asn1_decoder.cpp">platform/bootable/recovery/asn1_decoder.cpp</a><br/> 415 The message format itself is as follows:</p> 416 417 <pre> 418 AndroidVerifiedBootSignature DEFINITIONS ::= 419 BEGIN 420 FormatVersion ::= INTEGER 421 Certificate ::= Certificate OPTIONAL 422 AlgorithmIdentifier ::= SEQUENCE { 423 algorithm OBJECT IDENTIFIER, 424 parameters ANY DEFINED BY algorithm OPTIONAL 425 } 426 AuthenticatedAttributes ::= SEQUENCE { 427 target CHARACTER STRING, 428 length INTEGER 429 } 430 431 Signature ::= OCTET STRING 432 END 433 </pre> 434 435 <p>The <code>Certificate</code> field is the full X.509 certificate containing 436 the public key used for signing, as defined by <a 437 href="http://tools.ietf.org/html/rfc5280#section-4.1.1.2">RFC5280</a> section 438 4.1. When LOCKED, the bootloader must always use the OEM key for verification 439 first, and only boot to YELLOW or RED states if the embedded certificate is 440 used for verification instead.</p> 441 442 <p>The remaining structure is similar to that defined by <a 443 href="http://tools.ietf.org/html/rfc5280#section-4.1.1.2">RFC5280</a> sections 444 4.1.1.2 and 4.1.1.3 with the exception of the 445 <code>AuthenticatedAttributes</code> field. This field contains the length of 446 the image to be verified as an integer and the partition where the image can 447 be found (boot, recovery, etc.).</p> 448 449 <h3 id=signing_and_verifying_an_image>Signing and verifying an image</h3> 450 451 <p>To produce a signed image:</p> 452 <ol> 453 <li>Generate the unsigned image. 454 <li>0-pad the image to the next page size boundary (omit this step if already 455 aligned). 456 <li>Populate the fields of the <code>AuthenticatedAttributes</code> section 457 above based on the padded image and desired target partition. 458 <li>Append the <code>AuthenticatedAttributes</code> structure above to the image. 459 <li>Sign the image. 460 </ol> 461 462 <p>To verify the image:</p> 463 <ol> 464 <li>Determine the size of the image to be loaded including padding (eg, by reading 465 a header). 466 <li>Read the signature located at the offset above. 467 <li>Validate the contents of the <code>AuthenticatedAttributes</code> field. 468 If these values do not validate, treat it as a signature validation error. 469 <li>Verify the image and <code>AuthenticatedAttributes</code> sections. 470 </ol> 471 472 <h3 id=user_experience>User experience</h3> 473 474 <p>A user in the GREEN boot state should see no additional user interaction besides that 475 required by normal device boot. In other boot states, the user must see a 476 warning for at least five seconds. Should the user interact with the device during 477 this time, the warning must remain visible at least 30 seconds longer, or until 478 the user dismisses the warning.</p> 479 480 <p>Sample user interaction screens for other states are shown in the following table:</p> 481 482 <p class="table-caption" id="table5"> 483 <strong>Table 5.</strong> Sample user interaction screens</p> 484 485 <table> 486 <tr> 487 <td> 488 <p><strong>Device state</strong></p> 489 </td> 490 <td> 491 <p><strong>Sample UX</strong></p> 492 </td> 493 </tr> 494 <tr> 495 <td> 496 <p>YELLOW (before and after user interaction)</p> 497 </td> 498 <td> 499 <img src="../images/boot_yellow1.png" alt="Yellow device state 1" id="figure4" /> 500 <p class="img-caption"><strong>Figure 3.</strong> Yellow state example 1 UI</p> 501 </td> 502 <td> 503 <img src="../images/boot_yellow2.png" alt="Yellow device state 2" id="figure5" /> 504 <p class="img-caption"><strong>Figure 4.</strong> Yellow state example 2 UI</p> 505 </td> 506 507 </tr> 508 <tr> 509 <td> 510 <p>ORANGE</p> 511 </td> 512 <td> 513 <img src="../images/boot_orange.png" alt="Orange device state" id="figure6" /> 514 <p class="img-caption"><strong>Figure 5.</strong> Orange state example UI</p> 515 </td> 516 </tr> 517 <tr> 518 <td> 519 <p>RED</p> 520 </td> 521 <td> 522 <img src="../images/boot_red.png" alt="Red device state" id="figure7" /> 523 <p class="img-caption"><strong>Figure 6.</strong> Red state example UI</p> 524 </td> 525 </tr> 526 </table> 527
