Use existing str_avb_slot_error() function for obtaining
verification fail reason details.
Take into account device lock state for setting correct
androidboot.verifiedbootstate kernel cmdline parameter.
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Signed-off-by: Igor Opaniuk <igor.opaniuk@gmail.com>
Link: https://lore.kernel.org/r/20240209192045.3961832-7-igor.opaniuk@foundries.io
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Simplify and add more context for prints where it's needed.
Signed-off-by: Igor Opaniuk <igor.opaniuk@gmail.com>
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Link: https://lore.kernel.org/r/20240209192045.3961832-5-igor.opaniuk@foundries.io
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Move SPDX license identifiers to the first line, so it conforms
to license placement rule [1]:
Placement:
The SPDX license identifier in kernel files shall be added at the first
possible line in a file which can contain a comment. For the majority
of files this is the first line, except for scripts which require the
'#!PATH_TO_INTERPRETER' in the first line. For those scripts the SPDX
identifier goes into the second line.
[1] https://www.kernel.org/doc/Documentation/process/license-rules.rst
Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
Signed-off-by: Igor Opaniuk <igor.opaniuk@gmail.com>
Link: https://lore.kernel.org/r/20240209192045.3961832-3-igor.opaniuk@foundries.io
Signed-off-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>
It is a pain to have to specify the value 10 in each call. Add a new
dectoul() function and update the code to use it.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is a pain to have to specify the value 16 in each call. Add a new
hextoul() function and update the code to use it.
Add a proper comment to simple_strtoul() while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
We should not use typedefs in U-Boot. They cannot be used as forward
declarations which means that header files must include the full header to
access them.
Drop the typedef and rename the struct to remove the _s suffix which is
now not useful.
This requires quite a few header-file additions.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add optional parameter to 'avb verify' sub-command, so that user is able
to specify which slot to use, in case when user's partitions are
slotted. If that parameter is omitted, the behavior of 'avb verify' will
be the same as before, so user API is content.
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
Reviewed-by: Igor Opaniuk <igor.opaniuk@gmail.com>
Acked-by: Igor Opaniuk <igor.opaniuk@gmail.com>
When building U-Boot with AVB enabled, compiler shows next warnings:
cmd/avb.c: In function 'do_avb_read_pvalue':
cmd/avb.c:371:18: warning: format '%ld' expects argument of type
'long int', but argument 2 has type 'size_t'
{aka 'unsigned int'} [-Wformat=]
printf("Read %ld bytes, value = %s\n", bytes_read,
~~^ ~~~~~~~~~~
%d
cmd/avb.c: In function 'do_avb_write_pvalue':
cmd/avb.c:404:19: warning: format '%ld' expects argument of type
'long int', but argument 2 has type '__kernel_size_t'
{aka 'unsigned int'} [-Wformat=]
printf("Wrote %ld bytes\n", strlen(value) + 1);
~~^ ~~~~~~~~~~~~~~~~~
%d
Fix those by using "%zu" specified.
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
Reviewed-by: Igor Opaniuk <igor.opaniuk@gmail.com>
AVB 2.0 spec. revision 1.1 introduces support for named persistent values
that must be tamper evident and allows AVB to store arbitrary key-value
pairs [1].
Introduce implementation of two additional AVB operations
read_persistent_value()/write_persistent_value() for retrieving/storing
named persistent values.
Correspondent pull request in the OP-TEE OS project repo [2].
[1]: https://android.googlesource.com/platform/external/avb/+/android-9.0.0_r22
[2]: https://github.com/OP-TEE/optee_os/pull/2699
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Sam Protsenko <semen.protsenko@linaro.org>
Signed-off-by: Igor Opaniuk <igor.opaniuk@gmail.com>
Prior to this patch was do_avb_write_rb() reading supplied rb_idx as a
hexadecimal number while do_avb_read_rb() printed the read out rb_idx as
decimal number. For consistency change do_avb_read_rb() to print rb_idx
as a hexadecimal number too.
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Igor Opaniuk <igor.opaniuk@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
1. Add initial support of boot states mode (red, green, yellow)
2. Add functions for enforcing dm-verity configurations
Signed-off-by: Igor Opaniuk <igor.opaniuk@linaro.org>
Enable a "avb" command to execute Android Verified
Boot 2.0 operations. It includes such subcommands:
avb init - initialize avb2 subsystem
avb read_rb - read rollback index
avb write_rb - write rollback index
avb is_unlocked - check device lock state
avb get_uuid - read and print uuid of a partition
avb read_part - read data from partition
avb read_part_hex - read data from partition and output to stdout
avb write_part - write data to partition
avb verify - run full verification chain
Signed-off-by: Igor Opaniuk <igor.opaniuk@linaro.org>