From 9b54801b5865e4e09266c272222dfff70e0aac93 Mon Sep 17 00:00:00 2001
From: Bowgo Tsai
Date: Tue, 14 May 2019 16:57:03 +0800
Subject: [PATCH] Appending per-partition os_version into AVB props

os_version is important for keymaster version binding, where it refuses to perform operations with a key that is bound to an old system version. This ensures that an attacker who discovers a weakness in an old version of system or TEE software cannot roll a device back to the vulnerable version and use keys created with the newer version. Previously, os_version for system.img is added into boot.img header for bootloader to read the value then pass to TEE before booting the HLOS. However, with project Treble to modularize each partition, all images are now in the trajectory to be built independently (still on-going). Also, in the Generic System Image (GSI) compliance test, the os_version in OEM's boot.img cannot reflect the actual version of GSI. This CL adds per-partition os_versions into AVB metadata, which is readable by bootloader via libavb without file system dependency. It's still unclear for how os_version in non-system partition should be used. We just add them for completeness here. See more details in: https://source.android.com/security/keystore/version-binding

Bug: 132233601
Test: build and avbtool info_image $OUT/vbmeta.img
- Prop: com.android.build.boot.os_version -> '10'
- Prop: com.android.build.system.os_version -> '10'
- Prop: com.android.build.system.security_patch -> '2019-06-05'
- Prop: com.android.build.vendor.os_version -> '10'
- Prop: com.android.build.vendor.security_patch -> '2019-06-05'
- Prop: com.android.build.product.os_version -> '10'
- Prop: com.android.build.product.security_patch -> '2019-06-05'
Change-Id: I21a77420f2e8a3456f7a8cae5158eb8fc41319e7
---
 core/Makefile | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/core/Makefile b/core/Makefile
index bbd7426c6d..57a05d4b1a 100644
--- a/core/Makefile
+++ b/core/Makefile
@@ -3067,18 +3067,30 @@ ifneq ($(words $(sort $(INTERNAL_AVB_PARTITIONS_IN_CHAINED_VBMETA_IMAGES))),$(wo
 $(error BOARD_AVB_VBMETA_SYSTEM and BOARD_AVB_VBMETA_VENDOR cannot have duplicates)
 endif

-# Appends security patch level as a AVB property descriptor
+# Appends os version and security patch level as a AVB property descriptor

 BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS += \
+ --prop com.android.build.system.os_version:$(PLATFORM_VERSION) \
 --prop com.android.build.system.security_patch:$(PLATFORM_SECURITY_PATCH)

 BOARD_AVB_PRODUCT_ADD_HASHTREE_FOOTER_ARGS += \
+ --prop com.android.build.product.os_version:$(PLATFORM_VERSION) \
 --prop com.android.build.product.security_patch:$(PLATFORM_SECURITY_PATCH)

 BOARD_AVB_PRODUCT_SERVICES_ADD_HASHTREE_FOOTER_ARGS += \
+ --prop com.android.build.product_services.os_version:$(PLATFORM_VERSION) \
 --prop com.android.build.product_services.security_patch:$(PLATFORM_SECURITY_PATCH)

-# The following vendor- and odm-specific images needs explicitly set per board.
+BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS += \
+ --prop com.android.build.boot.os_version:$(PLATFORM_VERSION)
+
+BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS += \
+ --prop com.android.build.vendor.os_version:$(PLATFORM_VERSION)
+
+BOARD_AVB_ODM_ADD_HASHTREE_FOOTER_ARGS += \
+ --prop com.android.build.odm.os_version:$(PLATFORM_VERSION)
+
+# The following vendor- and odm-specific images needs explicit SPL set per board.
 ifdef BOOT_SECURITY_PATCH
 BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS += \
 --prop com.android.build.boot.security_patch:$(BOOT_SECURITY_PATCH)
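Review bot: The three new blocks for `BOARD_AVB_BOOT_ADD_HASH_FOOTER_ARGS`, `BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS` and `BOARD_AVB_ODM_ADD_HASHTREE_FOOTER_ARGS` stamp `$(PLATFORM_VERSION)` of the tree doing the build unconditionally and carry no comment, while the security patch level of the same partitions is only set from a per-board variable (`ifdef BOOT_SECURITY_PATCH`, whose block runs past the end of the hunk). If a board signs a vendor or odm image whose contents come from an older release, the descriptor would presumably still claim the current platform version, so a bootloader or TEE that relied on it for version binding would be trusting a label rather than the image. The description already says the use of the non-system values is undecided, and that caveat belongs in the file, e.g. `# os_version for boot/vendor/odm comes from the platform build, not the image contents; its use by the bootloader is not yet defined.` The comment should also state the expected value format: the test output shows '10', but nothing in the hunk guarantees `$(PLATFORM_VERSION)` is numeric, and a consumer comparing versions needs to know how to treat a value it cannot parse.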