
Signing boot images for Android Verified Boot (AVB) [v8]

By Chainfire, Moderator Emeritus / Senior Recognized Developer - Where is my shirt? on 3rd May 2017, 12:16 PM
5th May 2017, 11:36 AM |#11  
Senior Member
is it possible to sign the boot image in recovery?
Hi @Chainfire! Thank you for this great find (and for everything else that you have done for us during the last years)!!
I would like to ask one question... Do you think it would be possible to sign the boot image on the fly in recovery? For example when changing the recovery image, before flashing the boot image back?
Your instructions use "dalvikvm" on android, and I ran the command successfully under a running android system. But what about recovery?
I would be interested in your thoughts on this
Or am I completely wrong, and images "dumped" via dd can't be signed and flashed back?

I would really appreciate if you could point me in the right direction, how it could be possible to do this. (create an executable instead of the BootSignature.jar file? leave this, because it is not possible? start a java vm under recovery? ....)


Thanks in advance!
5th May 2017, 12:04 PM |#12  
Chainfire
OP Moderator Emeritus / Senior Recognized Developer - Where is my shirt?
Quote:
Originally Posted by gubacsek

Hi @Chainfire! Thank you for this great find (and for everything else that you have done for us during the last years)!!
I would like to ask one question... Do you think it would be possible to sign the boot image on the fly in recovery? For example when changing the recovery image, before flashing the boot image back?
Your instructions use "dalvikvm" on android, and I ran the command successfully under a running android system. But what about recovery?
I would be interested in your thoughts on this
Or am I completely wrong, and images "dumped" via dd can't be signed and flashed back?

I would really appreciate if you could point me in the right direction, how it could be possible to do this. (create an executable instead of the BootSignature.jar file? leave this, because it is not possible? start a java vm under recovery? ....)


Thanks in advance!

Yes, this is possible - I have already tested this on my Pixel XL. SuperSU ZIP will do exactly this in a future update, and @Dees_Troy is also aware of all of this, so I assume TWRP will be updated to do this sooner or later as well.

If I can find the time I'll make a ZIP that does this.
5th May 2017, 02:11 PM |#13  
Senior Member
Quote:
Originally Posted by Chainfire

Yes, this is possible - I have already tested this on my Pixel XL. SuperSU ZIP will do exactly this in a future update, and @Dees_Troy is also aware of all of this, so I assume TWRP will be updated to do this sooner or later as well.

If I can find the time I'll make a ZIP that does this.

Okay! I am very curious about how you solve it... Until then, I'll experiment a bit further


Can't wait to see your result!

Thanks! And have a very nice weekend!
5th May 2017, 06:09 PM |#14  
Chainfire
OP Moderator Emeritus / Senior Recognized Developer - Where is my shirt?
I have attached a flashable ZIP to the opening post. Just flash it after SuperSU / custom boot image / whatever to fix the current boot image.

Quote:
Originally Posted by gubacsek

Okay! I am very curious about how you solve it... Until then, I'll experiment a bit further. Can't wait to see your result!

GuestK00143
5th May 2017, 06:50 PM |#15  
Guest
Quote:
Originally Posted by Chainfire

I have attached a flashable ZIP to the opening post. Just flash it after SuperSU / custom boot image / whatever to fix the current boot image.

Thank you so much, it worked beautifully on my VZW Pixel with the May update.
5th May 2017, 07:40 PM |#16  
mtw4991
Senior Member
working fine on the May update with May bootloader, FK, TWRP and SuperSU
Outstanding as usual!
5th May 2017, 09:25 PM |#17  
Senior Member
Quote:
Originally Posted by Chainfire

I have attached a flashable ZIP to the opening post. Just flash it after SuperSU / custom boot image / whatever to fix the current boot image.

I almost got it. I could install TWRP and root but only by signing the boot images on my laptop...
I had a few errors (mounting /system did create a /system/system mount point, and I tried to copy the dalvikvm binary to the zip :P), and I wouldn't ever have thought of clearing LD_LIBRARY_PATH

Thank you very much for this solution, and your time spent on this! I learnt a lot today
Nice job!
5th May 2017, 09:33 PM |#18  
ashyx
Recognized Contributor
Quote:
Originally Posted by Chainfire

Various Android devices support Android Verified Boot (AVB). A part of this is more commonly known as dm-verity, which verifies system (and vendor) partition integrity. AVB can however also verify boot images, and stock firmwares generally include signed boot images. Of course this does not mean that all signed boot images are using AVB, many OEMs have their own signature verification scheme.

Note: AOSP is moving towards the use of avbtool (taken from Brillo), the following is the old way for signing boot images.

Bootloaders might or might not accept unsigned boot images, and might or might not accept boot images signed with our own keys (rather than the OEM's keys). This depends on the device, bootloader version, and bootloader unlock state.

For example, with the bootloader unlocked, the Google Pixel (and XL) devices accepted unsigned boot images up to (but not including) the May 2017 release. From the May 2017 release onwards, the boot images must be signed if flashed (booted works without), but may be signed with your own key rather than the OEM's.

Note: The situation changes when you re-lock the bootloader. I have not tested this, but documentation implies that (one of) the keys used in the current boot image must be used for future flashes until it is unlocked again.

Generating custom signing keys

The following openssl commands generate all the keys we need. Execute them line-by-line rather than copying the whole block, as you will be asked for input.



For future signings, you do not need the .pem files, and they can safely be deleted once the .pk8 and .der files are generated. In AOSP's implementation, they were never even written to disk in the first place.

Security-wise, documentation states it is advisable to use a different set of keys for each device you support; though obviously this doesn't matter much if the device is running with the bootloader in unlocked state.

Signing the boot image

Download the attached BootSignature.jar file (built from AOSP sources), and sign the boot image using the keys generated above with the following commands:



Instead of /boot, /recovery and other values may be used. Their use should be obvious.

From Android

Attached is also BootSignature_Android.jar, which is a version ProGuard-reduced against SDK 21 and then dexed. Provided /system is mounted as is usual on Android (on the Pixel (XL), TWRP mounts this differently by default!), it can be used like this:



Flashable ZIP

Attached is also VerifiedBootSigner.zip, this is a flashable ZIP for FlashFire/TWRP/etc that signs the currently flashed boot image, if it isn't signed already. You can simply flash this after installing a SuperSU version or custom boot image or whatever that doesn't sign the boot image itself already.

I've tried to make it very portable (borrowing ample script from the SuperSU ZIP, as well as its signing keys), but I have only tested it on my Pixel XL.

Note that it does depend on Android files in the system partition, so if (aside from the unsigned boot image) your system isn't functional, the ZIP may not work either.

Todo
- test what happens when the bootloader is re-locked on multiple devices supporting AVB
- test what happens when dm-verity is kept enabled on a custom/modified boot image with a different image signature than dm-verity signature

So are Samsung's latest devices now using this? Reason I ask is because in the S8 and Tab S3 stock firmware there is a META-DATA folder in the AP firmware tar. Inside is a fota.zip containing various folders with all sorts of utilities and files, one of which is BootSignature.jar.
It seems it is required to flash the META-DATA folder with the boot.img in ODIN or it will not boot. So I'm guessing the boot.img is being signed as part of the flashing process?
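The opening post quoted above says the flashable ZIP signs the current boot image only "if it isn't signed already". The following is an added example, not part of the thread and not code from Chainfire's ZIP, of how that state can be checked on a raw `dd` dump. It assumes the classic boot image header layout and that the old-style signature is a DER SEQUENCE appended at the page-aligned end of the image; the function names are hypothetical, and the check only detects the blob, it does not verify it.

```python
import struct

BOOT_MAGIC = b"ANDROID!"

def signable_size(img: bytes) -> int:
    """Page-aligned length of header + kernel + ramdisk + second stage."""
    if img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    # Fields after the magic: kernel_size, kernel_addr, ramdisk_size,
    # ramdisk_addr, second_size, second_addr, tags_addr, page_size.
    k, _, r, _, s, _, _, page = struct.unpack_from("<8I", img, 8)
    if page == 0:
        raise ValueError("page_size is zero")
    pages = lambda n: (n + page - 1) // page
    return (1 + pages(k) + pages(r) + pages(s)) * page

def trailing_signature(img: bytes):
    """Return the DER blob appended after the image, or None if absent."""
    blob = img[signable_size(img):]
    if len(blob) < 2 or blob[0] != 0x30:      # 0x30 = DER SEQUENCE tag
        return None
    if blob[1] < 0x80:                        # short-form length
        hdr, length = 2, blob[1]
    else:                                     # long-form length
        n = blob[1] & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return None
        hdr, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    if length == 0 or hdr + length > len(blob):
        return None
    return blob[:hdr + length]

def make_sample(signed: bool) -> bytes:
    """Constructed sample: 2048-byte pages, 3000-byte kernel, 100-byte ramdisk."""
    page = 2048
    hdr = BOOT_MAGIC + struct.pack("<8I", 3000, 0, 100, 0, 0, 0, 0, page)
    img = hdr.ljust(page, b"\0") + b"K" * 3000
    img = img.ljust(3 * page, b"\0") + b"R" * 100
    img = img.ljust(4 * page, b"\0")
    if signed:
        img += b"\x30\x82\x01\x00" + b"\xAA" * 256   # placeholder DER body, not a real signature
    return img.ljust(16 * page, b"\0")               # zero padding, as in a partition dump

if __name__ == "__main__":
    for signed in (False, True):
        sig = trailing_signature(make_sample(signed))
        print("signed" if sig else "unsigned", len(sig or b""))
```

Because a partition dump is zero-padded past the image, an unsigned image shows a `0x00` byte at the signable offset rather than the `0x30` tag.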
5th May 2017, 10:19 PM |#19  
Chainfire
OP Moderator Emeritus / Senior Recognized Developer - Where is my shirt?
Quote:
Originally Posted by ashyx

So are Samsung's latest devices now using this? Reason I ask is because in the S8 and Tab S3 stock firmware there is a META-DATA folder in the AP firmware tar. Inside is a fota.zip containing various folders with all sorts of utilities and files, one of which is BootSignature.jar.
It seems it is required to flash the META-DATA folder with the boot.img in ODIN or it will not boot. So I'm guessing the boot.img is being signed as part of the flashing process?

Possibly. Which S8 are you talking about? I thought there was already working TWRP for S8 Exynos that didn't require anything special?
5th May 2017, 10:29 PM |#20  
ashyx
Recognized Contributor
Quote:
Originally Posted by Chainfire

Possibly. Which S8 are you talking about? I thought there was already working TWRP for S8 Exynos that didn't require anything special?

New S8. Qualcomm Snapdragon 835 MSM8998 bootloader locked versions.

It's got an eng kernel available, but it's a no go with your s7 script due to no adb write access.
https://forum.xda-developers.com/gal...3597473/page54
6th May 2017, 01:17 AM |#21  
Senior Member
The zip for signing works perfectly on Google Pixel (not XL)
Flash SuperSU
Flash Zip for Signing
Reboot and enjoy