1 <html devsite> 2 <head> 3 <title>Verifying Boot</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p>Verified boot guarantees the integrity of the device software starting from a 27 hardware root of trust up to the system partition. During boot, each stage 28 verifies the integrity and authenticity of the next stage before executing it.</p> 29 30 <p>This capability can be used to warn users of unexpected changes to the 31 software when they acquire a used device, for example. It will also provide an 32 additional signal of device integrity for remote attestation, and together with 33 encryption and Trusted Execution Environment (TEE) root of trust binding, adds 34 another layer of protection for user data against malicious system software.</p> 35 36 <p>If verification fails at any stage, the user is visibly 37 notified.</p> 38 39 <h2 id=glossary>Glossary</h2> 40 41 <table> 42 <col width="15%"> 43 <col width="85%"> 44 <tr> 45 <th>Term</th> 46 <th>Definition</th> 47 </tr> 48 <tr> 49 <td>Boot state</td> 50 <td>The boot state of the device describes the level of protection provided 51 to the end user if the device boots. Boot states are GREEN, YELLOW, 52 ORANGE, and RED.</td> 53 </tr> 54 <tr> 55 <td>Device state</td> 56 <td>The device state indicates how freely software can be flashed to the device. 57 Device states are LOCKED and UNLOCKED.</td> 58 </tr> 59 <tr> 60 <td>dm-verity</td> 61 <td>Linux kernel driver for verifying the integrity of a partition at runtime using 62 a hash tree and signed metadata.</td> 63 </tr> 64 <tr> 65 <td>OEM key</td> 66 <td>The OEM key is a fixed, tamper-protected key available to the bootloader that 67 must be used to verify the boot image.</td> 68 </tr> 69 </table> 70 71 <h2 id=overview>Overview</h2> 72 73 <p>In addition to device statewhich already exists in devices and controls 74 whether the bootloader allows new software to be flashedverified boot introduces 75 the concept of boot state that indicates the state of device integrity.</p> 76 77 <h3 id=classes>Classes</h3> 78 79 <p>Two implementation classes exist for verified boot. Depending on how 80 fully the device implements this specification, they are defined as follows:</p> 81 82 <p><strong>Class A</strong> implements verified boot with full chain of trust 83 up to verified partitions. In other words, the implementation supports the 84 LOCKED device state, and GREEN and RED boot states.</p> 85 86 <p><strong>Class B</strong> implements Class A, and additionally supports the 87 UNLOCKED device state and the ORANGE boot state.</p> 88 89 <h3 id=verification_keys>Verification keys</h3> 90 91 <p>Bootloader integrity is always verified using a hardware root of trust. For 92 verifying boot and recovery partitions, the bootloader has a fixed OEM key 93 available to it. It always attempts to verify the boot partition using the OEM 94 key first and try other possible keys only if this verification fails.</p> 95 96 <p>In Class B implementations, it is possible for the user to flash 97 software signed with other keys when the device is UNLOCKED. If the device is 98 then LOCKED and verification using the OEM key fails, the bootloader tries 99 verification using the certificate embedded in the partition signature. 100 However, using a partition signed with anything other than the OEM key 101 results in a notification or a warning, as described below.</p> 102 103 <h3 id=boot_state>Boot state</h3> 104 105 <p>A verified device will ultimately boot into one of the four states during 106 each boot attempt:</p> 107 108 <ul> 109 <li>GREEN, indicating a full chain of trust extending from the bootloader to 110 verified partitions, including the bootloader, boot partition, and all verified 111 partitions. 112 113 <li>YELLOW, indicating the boot partition has been verified using the 114 embedded certificate, and the signature is valid. The bootloader 115 displays a warning and the fingerprint of the public key before allowing 116 the boot process to continue. 117 118 <li>ORANGE, indicating a device may be freely modified. Device integrity is 119 left to the user to verify out-of-band. The bootloader displays a warning 120 to the user before allowing the boot process to continue. 121 122 <li>RED, indicating the device has failed verification. The bootloader 123 displays a warning and stops the boot process. 124 </ul> 125 126 <p>The recovery partition is verified in the exact same way, as well.</p> 127 128 <h3 id=device_state>Device state</h3> 129 130 <p>The possible device states and their relationship with the four verified 131 boot states are:</p> 132 <ol> 133 <li>LOCKED, indicating the device cannot be flashed. A LOCKED device 134 boots into the GREEN, YELLOW, or RED states during any attempted boot. 135 136 <li>UNLOCKED, indicating the device may be flashed freely and is not intended 137 to be verified. An UNLOCKED device always boots to the ORANGE boot state. 138 </ol> 139 140 <img src="../images/verified_boot.png" alt="Verified boot flow" id="figure1" /> 141 <p class="img-caption"><strong>Figure 1.</strong> Verified boot flow</p> 142 143 <h2 id=detailed_design>Detailed design</h2> 144 145 <p>Achieving full chain of trust requires support from both the bootloader and the 146 software on the boot partition, which is responsible for mounting further 147 partitions. Verification metadata is also appended to the system partition 148 and any additional partitions whose integrity should be verified.</p> 149 150 <h3 id=bootloader_requirements>Bootloader requirements</h3> 151 152 <p>The bootloader is the guardian of the device state and is responsible for 153 initializing the TEE and binding its root of trust.</p> 154 155 <p>Most importantly, the bootloader verifies the integrity of the boot and/or 156 recovery partition before moving execution to the kernel and display the 157 warnings specified in the section <a href="#boot_state">Boot state</a>.</p> 158 159 <h4 id=changing_device_state>Changing device state</h4> 160 161 <p>State changes are performed using the <code>fastboot flashing [unlock | 162 lock]</code> command. And to protect user data, <strong>all</strong> 163 state transitions wipe the data partitions and ask the user for 164 confirmation before data is deleted.</p> 165 166 <ol> 167 <li>The UNLOCKED to LOCKED transition is anticipated when a user buys a used 168 development device. As a result of locking the device, the user should have 169 confidence that it is in a state produced by the device manufacturer, as long 170 as there is no warning. 171 172 <li>The LOCKED to UNLOCKED transition is expected in the case where a developer 173 wishes to disable verification on the device. 174 </ol> 175 176 177 <p><code>fastboot</code> commands that alter device state are listed in the table below:</p> 178 179 <table> 180 <col width="25%"> 181 <col width="75%"> 182 <tr> 183 <th><code>fastboot</code> command</th> 184 <th>Description</th> 185 </tr> 186 <tr> 187 <td><code>flashing lock</code></td> 188 <td> 189 <ul> 190 <li>Wipes data after asking the user for confirmation. 191 <li>Clears a write-protected bit to lock the device. 192 Because the bit is write-protected, only the 193 bootloader can change it. 194 </ul> 195 </td> 196 </tr> 197 <tr> 198 <td><code>flashing unlock</code></td> 199 <td> 200 <ul> 201 <li>If the unlock device setting has not been enabled by the user, 202 aborts unlocking 203 <li>Wipes data after asking the user for confirmation 204 <li>Sets a write-protected bit to unlock the device. 205 Because the bit is write-protected, only the 206 bootloader can change it. 207 </ul> 208 </td> 209 </tr> 210 </table> 211 212 <p>When altering partition contents, the bootloader checks the bits set by 213 the above commands as described in the following table:</p> 214 215 <table> 216 <col width="25%"> 217 <col width="75%"> 218 <tr> 219 <th><code>fastboot</code> command</th> 220 <th>Description</th> 221 </tr> 222 <tr> 223 <td><code>flash <partition></code></td> 224 <td>If the bit set by <code>flashing unlock</code> is set, flash the 225 partition. Otherwise, do not allow flashing. 226 </td> 227 </tr> 228 </table> 229 230 <p>The same checks should be performed for any <code>fastboot</code> command 231 that can be used to change the contents of partitions.</p> 232 233 <p class="note"><strong>Note</strong>: Class B implementations support 234 changing device state.</p> 235 236 <h4 id=binding_tee_root_of_trust>Binding TEE root of trust</h4> 237 238 <p>If TEE is available, the bootloader passes the following information to 239 the TEE after boot/recovery partition verification and TEE initialization 240 to bind the Keymaster root of trust:</p> 241 242 <ol> 243 <li>the public key that was used to sign the boot partition 244 <li>the current device state (LOCKED or UNLOCKED) 245 </ol> 246 247 <p>This changes the keys derived by the TEE. Taking disk encryption as an example, 248 this prevents user data from being decrypted when the device state changes.</p> 249 250 <p class="note"><strong>Note:</strong> This means if the system software or the 251 device state changes, encrypted user data will no longer be accessible as the 252 TEE will attempt to use a different key to decrypt the data.</p> 253 254 <h4 id="initializing-attestation">Initializing attestation</h4> 255 <p> 256 Similar to root of trust binding, if TEE is available, the bootloader passes it 257 the following information to initialize attestation: 258 </p> 259 <ol> 260 <li>the current boot state (GREEN, YELLOW, ORANGE) 261 <li>the operating system version 262 <li>the operating system security patch level 263 </ol> 264 <h4 id=booting_into_recovery>Booting into recovery</h4> 265 266 <p>The recovery partition should be verified in exactly the same manner as the 267 boot partition.</p> 268 269 <h4 id=comm_boot_state>Communicating boot state</h4> 270 271 <p>System software needs to be able to determine the verification status of 272 previous stages. The bootloader specifies the current boot state as a 273 parameter on the kernel command line (or through the device tree under 274 <code>firmware/android/verifiedbootstate</code>) as described in the table 275 below:</p> 276 277 <table> 278 <tr> 279 <th>Kernel command line parameter</th> 280 <th>Description</th> 281 </tr> 282 <tr> 283 <td><code>androidboot.verifiedbootstate=green</code></td> 284 <td>Device has booted into GREEN boot state.<br> 285 Boot partition has been verified using the OEM key and its valid.</td> 286 </tr> 287 <tr> 288 <td><code>androidboot.verifiedbootstate=yellow</code></td> 289 <td>Device has booted into YELLOW boot state.<br> 290 Boot partition has been verified using the certificate embedded into 291 the signature and its valid.</td> 292 </tr> 293 <tr> 294 <td><code>androidboot.verifiedbootstate=orange</code></td> 295 <td>Device has booted into ORANGE boot state.<br> 296 The device is unlocked and no verification has been performed.</td> 297 </tr> 298 </table> 299 <p class="note"><strong>Note</strong>: The device cannot boot into kernel when 300 in the RED boot state, and therefore the kernel command line never includes the 301 parameter <code>androidboot.verifiedbootstate=red</code>.</p> 302 303 <h3 id=boot_partition>Boot partition</h3> 304 305 <p>Once execution has moved to the boot partition, the software there is responsible 306 for setting up verification of further partitions. Due to its large size, the 307 system partition typically cannot be verified similarly to previous parts but is 308 verified as its being accessed instead using the dm-verity kernel driver or a 309 similar solution.</p> 310 311 <p>If dm-verity is used to verify large partitions, the signature of the verity 312 metadata appended to each verified partition is verified before the 313 partition is mounted and dm-verity is set up for it.</p> 314 315 <h4 id=managing_dm-verity>Managing dm-verity</h4> 316 317 <p>Implemented as a device mapper target in kernel, dm-verity adds a layer 318 on top of a partition and verifies each read block against a hash tree passed to 319 it during setup. If it comes across a block that fails to verify, it makes the 320 block inaccessible to user space.</p> 321 322 <p>When mounting partitions during boot, fs_mgr sets up dm-verity for a 323 partition if the <code>verify</code> fs_mgr flag is specified for it in the 324 devices fstab. Verity metadata signature is verified against the public key 325 in <code>/verity_key</code>.</p> 326 327 <h4 id=recovering_from_dm-verity_errors>Recovering from dm-verity errors</h4> 328 329 <p>Because the system partition is by far larger than the boot partition, the 330 probability of verification errors is also higher. Specifically, there is a 331 larger probability of unintentional disk corruption, which will cause a 332 verification failure and can potentially make an otherwise functional device 333 unusable if a critical block in the partition can no longer be accessed. 334 Forward error correction can be used with dm-verity to mitigate this risk. 335 Providing this alternative recovery path is recommended, though it comes at the 336 expense of increasing metadata size.</p> 337 338 <p> 339 By default, dm-verity is configured to function in a restart mode where it 340 immediately restarts the device when a corrupted block is detected. This makes 341 it possible to safely warn the user when the device is corrupted, or to fall 342 back to device specific recovery, if available. 343 </p> 344 345 <p> 346 To make it possible for users to still access their data, dm-verity switches 347 to I/O Error (EIO) mode if the device boots with known corruption. When in EIO mode, 348 dm-verity returns I/O errors for any reads that access corrupted blocks but 349 allows the device to keep running. Keeping track of the current mode requires 350 persistently storing dm-verity state. The state can be managed either by fs_mgr 351 or the bootloader: 352 </p> 353 354 <ol> 355 <li>To manage dm-verity state in fs_mgr, an additional argument is specified to 356 the <code>verify</code> flag to inform fs_mgr where to store dm-verity state. 357 For example, to store the state on the metadata partition, specify 358 <code>verify=/path/to/metadata</code>. 359 <p class="note"><strong>Note:</strong> fs_mgr switches dm-verity to EIO 360 mode after the first corruption has been detected and resets the mode 361 back to restart after the metadata signature of any verified partition 362 has changed.</p> 363 </li> 364 <li>Alternatively, to manage dm-verity state in the bootloader, pass the current 365 mode to the kernel in the <code>androidboot.veritymode</code> command line 366 parameter as follows: 367 368 <table> 369 <tr> 370 <th>Kernel command line parameter</th> 371 <th>Description</th> 372 </tr> 373 <tr> 374 <td><code>androidboot.veritymode=enforcing</code></td> 375 <td>Set up dm-verity in the default restart mode.</td> 376 </tr> 377 <tr> 378 <td><code>androidboot.veritymode=eio</code></td> 379 <td>Set up dm-verity in EIO mode.</td> 380 </tr> 381 </table> 382 383 <p class="note"> 384 <strong>Note:</strong> Managing state in the bootloader also requires the kernel 385 to set the restart reason correctly when the device restarts due to dm-verity. 386 After corruption has been detected, the bootloader should switch back to 387 restart mode when any of the verified partitions have changed.</p> 388 </li> 389 </ol> 390 391 <p> 392 If dm-verity is not started in the restart mode for any reason, or verity 393 metadata cannot be verified, a warning displays to the user if the device is 394 allowed to boot, similar to the one shown before booting into the RED boot 395 state. The user must consent to the device to continue booting in EIO mode. If 396 user consent is not received in 30 seconds, the device powers off. 397 </p> 398 399 <p class="note"> 400 <strong>Note:</strong> dm-verity never starts in logging mode to prevent 401 unverified data from leaking into userspace. 402 </p> 403 404 405 406 <h3 id=verified_partition>Verified partition</h3> 407 408 <p>In a verified device, the system partition is always verified. But any 409 other read-only partition should also be set to be verified, as well. Any 410 read-only partition that contains executable code is verified on a 411 verified device. This includes vendor and OEM partitions, if they exist, for example.</p> 412 413 <p>To verify a partition, signed verity metadata is 414 appended to it. The metadata consists of a hash tree of the partition contents 415 and a verity table containing signed parameters and the root of the hash tree. 416 If this information is missing or invalid when dm-verity is set up for the 417 partition, the device doesn't boot.</p> 418 419 <h2 id=implementation_details>Implementation details</h2> 420 421 <h3 id=key_types_and_sizes>Key types and sizes</h3> 422 423 <p>The OEM key used in AOSP is an RSA key with a modulus of 2048 bits or 424 higher and a public exponent of 65537 (F4), meeting the CDD requirements of 425 equivalent or greater strength than such a key.</p> 426 427 <p>Note that the OEM key typically cannot be rotated if it's compromised, so 428 protecting it is important, preferably using a Hardware Security Module (HSM) 429 or a similar solution. It's also recommended to use a different key for each 430 type of device.</p> 431 432 <h3 id=signature_format>Signature format</h3> 433 434 <p>The signature on an Android verifiable boot image is an ASN.1 DER-encoded 435 message, which can be parsed with a decoder similar to the one found at: <a 436 href="https://android.googlesource.com/platform/bootable/recovery/+/f4a6ab27b335b69fbc419a9c1ef263004b561265/asn1_decoder.cpp">platform/bootable/recovery/asn1_decoder.cpp</a><br/> 437 The message format itself is as follows:</p> 438 439 <pre class="devsite-click-to-copy"> 440 AndroidVerifiedBootSignature DEFINITIONS ::= 441 BEGIN 442 FormatVersion ::= INTEGER 443 Certificate ::= Certificate 444 AlgorithmIdentifier ::= SEQUENCE { 445 algorithm OBJECT IDENTIFIER, 446 parameters ANY DEFINED BY algorithm OPTIONAL 447 } 448 AuthenticatedAttributes ::= SEQUENCE { 449 target CHARACTER STRING, 450 length INTEGER 451 } 452 453 Signature ::= OCTET STRING 454 END 455 </pre> 456 457 <p>The <code>Certificate</code> field is the full X.509 certificate containing 458 the public key used for signing, as defined by <a 459 href="http://tools.ietf.org/html/rfc5280#section-4.1.1.2">RFC5280</a> section 460 4.1. When LOCKED, the bootloader uses the OEM key for verification 461 first, and only boot to YELLOW or RED states if the embedded certificate is 462 used for verification instead.</p> 463 464 <p>The remaining structure is similar to that defined by <a 465 href="http://tools.ietf.org/html/rfc5280#section-4.1.1.2">RFC5280</a> sections 466 4.1.1.2 and 4.1.1.3 with the exception of the 467 <code>AuthenticatedAttributes</code> field. This field contains the length of 468 the image to be verified as an integer and the partition where the image can 469 be found (boot, recovery, etc.).</p> 470 471 <h3 id=signing_and_verifying_an_image>Signing and verifying an image</h3> 472 473 <p><strong>To produce a signed image:</strong></p> 474 <ol> 475 <li>Generate the unsigned image. 476 <li>0-pad the image to the next page size boundary (omit this step if already 477 aligned). 478 <li>Populate the fields of the <code>AuthenticatedAttributes</code> section 479 above based on the padded image and desired target partition. 480 <li>Append the <code>AuthenticatedAttributes</code> structure above to the image. 481 <li>Sign the image. 482 </ol> 483 484 <p><strong>To verify the image:</strong></p> 485 <ol> 486 <li>Determine the size of the image to be loaded including padding (e.g. by reading 487 a header). 488 <li>Read the signature located at the offset above. 489 <li>Validate the contents of the <code>AuthenticatedAttributes</code> field. 490 If these values do not validate, treat it as a signature validation error. 491 <li>Verify the image and <code>AuthenticatedAttributes</code> sections. 492 </ol> 493 494 <h3 id=user_experience>User experience</h3> 495 496 <p>A user in the GREEN boot state should see no additional user interaction besides that 497 required by normal device boot. In ORANGE and YELLOW boot states, the user sees a 498 warning for at least five seconds. Should the user interact with the device during 499 this time, the warning remains visible at least 30 seconds longer, or until 500 the user dismisses the warning. In the RED boot state, the warning is shown for 501 at least 30 seconds, after which the device powers off.</p> 502 503 <p>Sample user interaction screens for other states are shown in the following table:</p> 504 505 <table> 506 <tr> 507 <th>Device state</th> 508 <th>Sample UX</th> 509 <th> </th> 510 </tr> 511 <tr> 512 <td>YELLOW</td> 513 <td><img src="../images/boot_yellow1.png" alt="Yellow device state 1" id="figure2" /> 514 <p class="img-caption"><strong>Figure 2.</strong> Before user interaction</p> 515 </td> 516 <td><img src="../images/boot_yellow2.png" alt="Yellow device state 2" id="figure3" /> 517 <p class="img-caption"><strong>Figure 3.</strong> After user interaction</p> 518 </td> 519 </tr> 520 <tr> 521 <td>ORANGE</td> 522 <td><img src="../images/boot_orange.png" alt="Orange device state" id="figure4" /> 523 <p class="img-caption"><strong>Figure 4.</strong> Warning that device is 524 unlocked and cant be verified.</p> 525 </td> 526 <td> </td> 527 </tr> 528 <tr> 529 <td>RED</td> 530 <td><img src="../images/boot_red1.png" alt="Red device state" id="figure5" /> 531 <p class="img-caption"><strong>Figure 5.</strong> Verified boot failure 532 warning</p> 533 </td> 534 <td><img src="../images/boot_red2.png" alt="Red device state" id="figure6" /> 535 <p class="img-caption"><strong>Figure 6.</strong> Booting into EIO mode 536 warning</p> 537 </td> 538 </tr> 539 </table> 540 541 </body> 542 </html> 543
