<html devsite>
  <head>
    <title>Verified Boot</title>
    <meta name="project_path" value="/_project.yaml" />
    <meta name="book_path" value="/_book.yaml" />
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->

<p>Android 4.4 and later supports verified boot through the optional
device-mapper-verity (dm-verity) kernel feature, which provides transparent
integrity checking of block devices. dm-verity helps prevent persistent rootkits
that hold onto root privileges across reboots and compromise devices. The
feature lets Android users be confident that, when a device boots, its system
partition is in the same state as when it was last used.</p>

<p>Malware that has obtained root privileges can hide from detection programs
and otherwise mask its presence. It can do this because it is often more
privileged than the detectors, which lets it "lie" to them. Checking integrity
below the file system, against a root of trust established before the system is
running, avoids relying on a possibly compromised system to report on itself.</p>

<p>The dm-verity feature lets you look at a block device, the underlying storage
layer of the file system, and determine whether it matches its expected
contents. It does this using a cryptographic hash tree. For every block
(typically 4 KB) there is a SHA-256 hash; the hashes are themselves packed into
blocks, and those hash blocks are hashed in turn, level by level, until a single
top-level block remains.</p>

<p>Because the hash values are stored in a tree of pages, only the top-level
"root" hash must be trusted to verify the rest of the tree. Modifying any block
without detection would require producing a different block with the same
SHA-256 hash, which is equivalent to breaking the cryptographic hash function.
Verification happens as blocks are read, so a tampered block is rejected at the
time it is accessed rather than by a full scan of the partition at boot. This
also means dm-verity suits read-only partitions such as system, not partitions
the device writes to. See the following diagram for a depiction of this
structure.</p>

<img src="../images/dm-verity-hash-table.png" alt="dm-verity-hash-table" id="figure1"/>
<p class="img-caption">
  <strong>Figure 1.</strong> dm-verity hash table
</p>
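<p>The tree described above, as an added example that is not part of this page
or of Android's own code: it builds a dm-verity-style hash tree over a
constructed image, walks the path from one data block up to the root the way the
kernel checks a block on read, and shows that flipping a single bit in one block
fails verification for that block while the others still pass and the root hash
no longer matches. The salt prepended to each block, the 4 KB block size and the
image contents are assumptions made for the demonstration, following the format
version 1 layout given in the kernel's verity.txt.</p>

```python
"""Added example (not code from the AOSP page or from Android itself):
a dm-verity-style hash tree built over a constructed disk image, with a
per-block verification walk and a tamper check.

Assumed conventions (they follow the layout the kernel's verity.txt gives
for format version 1): each data block is hashed as SHA256(salt || data),
digests are packed into hash blocks of the same size as data blocks and zero
padded, every level of hash blocks is hashed the same way to form the level
above, and the root hash is the digest of the single top-level block.  The
salt and the image contents below are constructed for the demonstration.
"""
import hashlib

BLOCK_SIZE = 4096                                 # typical data/hash block size
DIGEST_SIZE = hashlib.sha256().digest_size        # 32 bytes for SHA-256
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE      # 128 digests per hash block


def block_hash(salt: bytes, data: bytes) -> bytes:
    """Per-block digest: SHA-256 over the salt followed by the block contents."""
    return hashlib.sha256(salt + data).digest()


def split_blocks(image: bytes) -> list:
    """Split an image into BLOCK_SIZE blocks, zero padding the final one."""
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    if blocks and len(blocks[-1]) < BLOCK_SIZE:
        blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks


def build_tree(image: bytes, salt: bytes):
    """Return (levels, root_hash) for an image.

    levels[0] is the list of hash blocks covering the data blocks; levels[-1]
    is the single top-level hash block whose digest is the root hash.
    """
    if not image:
        raise ValueError("cannot build a hash tree over an empty image")
    digests = [block_hash(salt, b) for b in split_blocks(image)]
    levels = []
    while True:
        hash_blocks = split_blocks(b"".join(digests))
        levels.append(hash_blocks)
        if len(hash_blocks) == 1:
            break
        digests = [block_hash(salt, hb) for hb in hash_blocks]
    return levels, block_hash(salt, levels[-1][0])


def verify_block(levels, root: bytes, salt: bytes, index: int, data: bytes) -> bool:
    """Check one data block against the trusted root hash.

    This mirrors what the kernel does when the block is read: hash the block,
    compare with the digest stored in the bottom hash block, then check each
    hash block on the path upward until the top-level block's digest is
    compared with the root.  Only the root hash is trusted; the hash blocks
    are read from disk and verified on the way up.
    """
    expected = block_hash(salt, data)
    for level in levels:
        hb_index, slot = divmod(index, HASHES_PER_BLOCK)
        hash_block = level[hb_index]
        stored = hash_block[slot * DIGEST_SIZE:(slot + 1) * DIGEST_SIZE]
        if stored != expected:
            return False
        expected = block_hash(salt, hash_block)
        index = hb_index
    return expected == root


def demo() -> dict:
    """Build a tree over a constructed 300-block image, then modify one block
    the way a persistent rootkit would and report which checks fail."""
    salt = bytes.fromhex("5a" * 32)                    # constructed; real salts are random
    # Constructed image: block i is filled with its own index, so blocks differ.
    image = b"".join(i.to_bytes(4, "big") * (BLOCK_SIZE // 4) for i in range(300))
    levels, root = build_tree(image, salt)
    blocks = split_blocks(image)

    all_ok = all(verify_block(levels, root, salt, i, b) for i, b in enumerate(blocks))

    tampered = bytearray(blocks[200])
    tampered[0] ^= 0x01                                # a single flipped bit
    tampered_ok = verify_block(levels, root, salt, 200, bytes(tampered))
    neighbour_ok = verify_block(levels, root, salt, 199, blocks[199])

    # Regenerating the tree over the modified image yields a different root, so
    # an attacker cannot simply rebuild the tree: the signed root no longer matches.
    modified = bytearray(image)
    modified[200 * BLOCK_SIZE] ^= 0x01
    _, modified_root = build_tree(bytes(modified), salt)

    return {
        "levels": len(levels),      # 2 for 300 blocks: 3 bottom hash blocks, 1 top block
        "root": root.hex(),
        "all_ok": all_ok,
        "tampered_ok": tampered_ok,
        "neighbour_ok": neighbour_ok,
        "root_changed": modified_root != root,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

<p>Running the module prints the root hash and the check results. In a real
deployment only the root hash (and the signature over it) is trusted; the hash
blocks themselves are stored on disk next to the data and are verified on the
way up exactly as <code>verify_block</code> does, which is why a modified hash
block is caught just as a modified data block is.</p>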

<p>A public key is included in the boot partition and must be verified
externally by the OEM's boot chain (see the verified boot flow under
Prerequisites). The OEM signs the root hash with the corresponding private key,
and the device uses the public key to verify that signature before the system
partition is mounted, confirming that the system partition is protected and
unchanged. If the boot partition itself were not verified, an attacker who could
replace it could substitute a key of their own together with a root hash for a
modified system image.</p>

<h2 id="prerequisites">Prerequisites</h2>

<h3 id="verified-boot">Establishing a verified boot flow</h3>
<p>To greatly reduce the risk of compromise, verify the kernel using a key
burned into the device. Without this step the public key used to check the root
hash signature could itself be replaced, so dm-verity is only as strong as the
chain that verifies the boot partition. For details, see <a href="verified-boot.html">Verifying
boot</a>.</p>

<h3 id="block-otas">Switching to block-oriented OTAs</h3>
<p>To enable dm-verity for a device, you must use block-based over-the-air
(OTA) updates. A block-based update writes the partition image byte for byte, so
every updated device ends up with an identical system partition and therefore
the same hash tree and root hash; file-based updates cannot guarantee this,
because the block layout after the update differs from device to device. For
details, see <a href="/devices/tech/ota/block.html">Block-Based OTAs</a>.</p>

<h3 id="config-dm-verity">Configuring dm-verity</h3>

<p>After switching to block-oriented OTAs, incorporate the latest Android kernel
or use a stock upstream kernel and enable dm-verity support by including the
relevant configuration option <code>CONFIG_DM_VERITY</code>.</p>

<p>When using the Android kernel, dm-verity is turned on when the kernel is
built. For details, see <a href="dm-verity.html">Implementing dm-verity</a>.</p>

<h2 id="supporting-docs">Supporting documentation</h2>
<p><a href="verified-boot.html">Verifying Boot</a><br/>
<a href="/devices/tech/ota/block.html">Block-Based OTA</a><br/>
<a href="dm-verity.html">Implementing dm-verity</a><br/>
<a href="https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity">cryptsetup -
dm-verity: device-mapper block integrity checking target</a><br/>
<a href="http://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot">The
Chromium Projects - Verified Boot</a><br/>
<a
href="http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/device-mapper/verity.txt">Linux Kernel Documentation: verity.txt</a></p>

  </body>
</html>