• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..--

README.mdD23-Nov-202313 KiB306241

avb_aftl_types.hD23-Nov-20237.5 KiB207113

avb_aftl_util.cD23-Nov-202331.7 KiB933746

avb_aftl_util.hD23-Nov-20235.2 KiB12263

avb_aftl_validate.cD23-Nov-20234.9 KiB12977

avb_aftl_validate.hD23-Nov-20232.2 KiB6024

avb_aftl_verify.cD23-Nov-20237.6 KiB191128

avb_aftl_verify.hD23-Nov-20234.1 KiB10729

avb_ops_aftl.hD23-Nov-20231.7 KiB5318

libavb_aftl.hD23-Nov-20231.5 KiB396

README.md

1# Android Firmware Transparency Log 1.0
2---
3
4This repository contains tools and libraries for working with the Android
5Firmware Transparency Log components of Android Verified Boot. AFTL will be
6used to refer to these components.
7
8[TOC]
9
10# What is it?
11
12The Android Firmware Transparency Log (AFTL) is an implementation of binary
13transparency that leverages cryptographic proofs of inclusion of build images
14using a public append-only ledger. The device manufacturer stores these
15cryptographic proofs, called inclusion proofs, on-device to allow for offline
16validation of the build during system update and device boot. This ensures that
17only a publicly known build is running on the device. Furthermore, it allows
18device manufacturers and other interested parties to audit the information in
19the log to detect unexpected or malicious uses of the publisher's signing keys.
20
21
22## System overview
23
24An AFTL can be implemented using a
25[Trillian](https://github.com/google/trillian) instance which manages a Merkle
26tree with build metadata (particularly the [VBMeta
27struct](https://android.googlesource.com/platform/external/avb/+/refs/heads/master#The-VBMeta-struct))
28and keeps a repository of other data that were made transparent.
29
30![Android Firmware Transparency Log system overview](../docs/aftl-architecture.png)
31
32As part of the finalizing step in the build process the `aftltool` reaches out
33to the **AFTL personality** to submit a manufacturer-signed message (containing
34VBMeta struct and other metadata) to the AFTL. Then the AFTL personality
35submits that data to Trillian to incorporate it into the Merkle tree. After
36integration into the log, the AFTL personality returns the inclusion proof back
37to the `aftltool`, which in turn incorporates the inclusion proof with the
38VBMeta image.
39
40The AFTL uses two sets of keys for authentication and validation, the
41transparency log key and the manufacturer key.
42
43* **Transparency log key:** Used by Trillian to sign inclusion proofs. The
44  public key is embedded with the device for on-device for validation.
45* **Manufacturer key:** Used by OEMs or other build providers to sign
46  submissions sent to the log. This ensures that malicious entries posing as a
47  valid OEM entry cannot be provided to the log. For the log to authenticate
48  messages, the manufacturer key must be shared out-of-band with the AFTL prior
49  to submission.
50
51## The AftlImage struct
52
53The central data structure used for AFTL validation is the `AftlImage` struct.
54The structure is saved on the vbmeta partition, right after the
55`AvbVBMetaImage` struct, as illustrated below.
56
57![Overview of the AftlImage structure](../docs/aftl-image-location.png)
58
59This structure contains the `AftlImageHeader` header that describes the number
60of inclusion proofs (`AftlIcpEntry`) represented by this structure. Each
61inclusion proof has associated metadata, such as the transparency log URL. A
62high-level description of the structures is given below. See
63[aftltool](https://android.googlesource.com/platform/external/avb/+/refs/heads/master/aftltool.py)
64and
65[libavb_aftl](https://android.googlesource.com/platform/external/avb/+/refs/heads/master/libavb_aftl/)
66for more details.
67
68
69![Overview of AftlIcpHeader and AftlIcpEntry](../docs/aftl-image-structure.png)
70
71Each `AftlIcpEntry` structure contains the information required to validate an
72inclusion proof from a specific transparency log server for a given [VBMeta
73structure](https://android.googlesource.com/platform/external/avb/+/master#the-vbmeta-struct)
74given the corresponding transparency log public key. The inclusion proof
75validation process is described in the [inclusion proofs](#inclusion-proofs)
76section of this document.
77
78*Note*: A single `AftlImage` can have multiple inclusion proofs from different
79transparency logs. This allows the device manufacturer to not rely on a single
80transparency log, and ensures that the builds represented by the VBMeta
81structure are deemed transparent in multiple disparate jurisdictions.
82
83## Inclusion proofs
84
85An inclusion proof allows a user to prove that a specific VBMeta structure is
86included in a transparency log. An inclusion proof consists of three parts:
87
88*  A `SignedVBMetaPrimaryAnnotation` structure containing the hash of the
89VBMeta structure (and other build meta information) that is signed with the
90manufacturer key.
91*  A set of sibling node hashes (`Proof`) in a Merkle tree on the path from the
92leaf node in question, which represents the logged annotation, to the root
93node.
94*  A `TrillianLogRootDescriptor` structure containing the log's root hash,
95along with related metadata, which is signed by the transparency log’s private
96key.
97
98Validation of an inclusion proof can be performed with the following steps,
99which are implemented in both `aftltool` and `libavb_aftl`.
100
1011.  Calculate the hash of the VBMeta structure stored on the device.
1021.  Determine if the hash matches the hash stored in the
103`SignedVBMetaPrimaryAnnotation` structure inside the `AftlImage` on device. If
104it does, continue validation.
1051.  Given the set of hashes provided from the transparency log as part of the
106inclusion proof, attempt to recalculate the root hash. Details of the process
107can be found [here](https://www.certificate-transparency.org/log-proofs-work)
108in the Merkle Audit Proofs section.
1091.  Check the calculated root hash against the log's root hash from the
110inclusion proof. If it matches, continue validation.
1111.  Finally, verify the log root signature given the calculated root hash and
112the public key of the transparency log that is stored on device. If the
113signature is valid, the inclusion proof is valid.
114
115# Tools and libraries
116
117This section contains information about the tools and libraries added to AVB
118repository or modified to include AFTL support.
119
120## aftltool and libavb\_aftl
121
122The main purpose of
123[aftltool](https://android.googlesource.com/platform/external/avb/+/refs/heads/master/aftltool.py)
124is to add an inclusion proof to an existing `vbmeta.img` to be used
125for transparency checks at boot or system update time. This enhanced image is
126stored in the `vbmeta` partition or in the `vbmeta_a` and
127`vbmeta_b` slots when using A/B  and will still be of minimal size
128(for out-of-band updates). Creation, query, and verification tasks can be
129performed with `aftltool`.
130
131In addition to the `aftltool`, the
132[libavb](https://android.googlesource.com/platform/external/avb/+/master/libavb/)
133library comes with an extension called
134[libavb\_aftl](https://android.googlesource.com/platform/external/avb/+/master/libavb_aftl/).
135This component performs all verification on the device side related to AFTL and
136inclusion proofs. That is, it loads the `vbmeta` partition, checks
137the VBMeta structure signature, walks through each inclusion proof stored in
138the `AftlImage`, and validates them against a trusted transparency
139log key stored on the device.
140
141This library is intended to be used in both the boot loader and inside Android
142as part of the OTA client. The main entry point for verification is
143`aftl_slot_verify()`, which is intended to be called after `vbmeta`
144verification is done via `avb_slot_verify()`.
145
146## Files and directories
147
148* `libavb_aftl/`
149  + An implementation of AFTL inclusion proof validation. This
150    code is designed to be highly portable so it can be used in as many contexts
151    as possible. This code requires a C99-compliant C compiler. Only the content
152    declared in `libavb_aftl.h` is considered public. The other files are
153    considered internal to the implementation and may change without notice.
154* `libavb_aftl/README.md`
155  + This document.
156* `test/`
157  + Unit tests for `libavb_aftl.`
158* `test/data/`
159  + Test data for the `aftltool` and `libavb_aftl` unit tests.
160* `aftltool`
161  + A symlink to `aftltool.py`.
162* `aftltool.py`
163  + A tool written in Python for working with images related to AFTL.
164* `Android.bp`
165  + Build rules for `aftltool`,  `libavb_aftl` (a static library
166    for use on the device), host-side libraries (for unit tests), and unit
167    tests.
168* `aftltool_test.py`
169  + Source-code for `aftltool` related unit tests.
170* `aftltool_integration_test.py`
171  + Source-code for `aftltool` related integration tests against
172    a live transparency log.
173
174## Portability
175
176The `libavb_aftl` code is intended to be used in bootloaders in devices that
177will load Android or other operating systems. The suggested approach is to copy
178the appropriate header and C files mentioned in the previous section into the
179boot loader and integrate as appropriate. The library is intended to be highly
180portable, working on both little and big endian architectures, as well as
18132-bit and 64-bit variants of each. It is also intended to work in environments
182without the standard C library and runtime.
183
184As in libavb, if the `AVB_ENABLE_DEBUG` preprocessor symbol is set, the code
185will include useful debug information and run-time checks.
186
187## Versioning and compatibility
188
189The `libavb_aftl` library follows the [versioning of
190libavb](https://android.googlesource.com/platform/external/avb/+/master#Versioning-and-Compatibility).
191
192## Using aftltool
193
194The content for the vbmeta partition is assumed to have been generated
195previously using `avbtool`. Instructions can be found in the
196[README.md](https://android.googlesource.com/platform/external/avb/+/master/README.md)
197for libavb. After the VBMeta partition is generated, it can be extended with
198inclusion proofs from transparency logs in the following manner:
199
200
201```
202aftltool make_icp_from_vbmeta \
203      --vbmeta_image_path /path/to/image.bin \
204      --output OUTPUT \
205      [--signing_helper /path/to/external/signer]  \
206      [--signing_helper_with_files /path/to/external/signer_with_files] \
207      --version_incremental STR \
208      --transparency_log_servers host:port,/path/to/log_key.pub \
209      --manufacturer_key /path/to/priv_key \
210      [--padding_size NUM]
211```
212
213The
214[version\_incremental](https://developer.android.com/reference/android/os/Build.VERSION#INCREMENTAL)
215is a part of the build fingerprint which allows for tagging the transparency
216log entry for easier tracking.
217
218An example of how to use the `make_icp_from_vbmeta` command is as follows:
219
220```
221aftltool make_icp_from_vbmeta \
222      --vbmeta_image_path ./vbmeta.img \
223      --output ./vbmeta_icp.img \
224      --version_incremental 99999999 \
225      --transparency_log_servers \
226        log.aftl-android.com:9000,/aftl-log-rsa-pub.pem \
227      --manufacturer_key ./manufacturer-rsa.pem \
228      --algorithm SHA256_RSA4096 \
229      --padding 4096
230```
231
232The AFTL information can be viewed in a human readable format in the following
233manner:
234
235```
236aftltool info_image_icp \
237      --vbmeta_image_path /path/to/image.bin \
238      [--output OUTPUT]
239```
240
241An example using `info_image_icp` is as follows:
242
243```
244aftltool info_image_icp --vbmeta_image_path ./vbmeta.img
245```
246
247Verification of an AFTL enhanced vbmeta image can be performed with the
248following command:
249
250```
251aftltool verify_image_icp \
252      --vbmeta_image_path /path/to/image.bin \
253      --transparency_log_pub_keys [TRANSPARENCY_LOG_PUB_KEYS [TRANSPARENCY_LOG_PUB_KEYS ...]]
254[--output OUTPUT]
255```
256
257An example using `verify_image_icp` is as follows:
258
259```
260aftltool verify_image_icp --vbmeta_image_path ./vbmeta.img --transparency_log_pub_keys ./log_pub_key.pem
261```
262
263More information on the options can be found using `aftltool --help`.
264
265# Build system integration
266
267AFTL modifications only will work if AVB is enabled in the build. In Android,
268AVB is enabled in an `Android.mk` file by the `BOARD_AVB_ENABLE` variable as
269described in the AVB
270[README.md](https://android.googlesource.com/platform/external/avb/#Build-System-Integration).
271
272When calling the
273[sign\_target\_files\_apks.py](https://android.googlesource.com/platform/build/+/master/tools/releasetools/sign_target_files_apks.py)
274script, the following parameters must be set:
275
276*  `--aftl_tool_path`, the location of aftltool.py
277*  `--aftl_server`, the address of the transparency log
278*  `--aftl_key_path`, which gives the path to the DER encoded transparency log public key
279*  `--aftl_manufacturer_key_path`, which gives the path to the DER encoded OEM
280  private key. Note: This key is different to the signing key used to sign VBMeta
281  structure
282
283Remember that the public part of the transparency log keys need to be available
284to the bootloader of the device to validate the inclusion proofs.
285
286# Device integration
287
288This section discusses recommendations and best practices for integrating
289`libavb` AFTL support with a device boot loader. It's important to emphasize
290that these are just recommendations. Most of these recommendations are the same
291as those for AVB.
292
293## Recommended bootflow
294
295The boot flow should ensure checking of the inclusion proofs independent of the
296unlock state of the device. It is recommended to present the user with a
297warning in case transparency checks fail.
298
299AFTL modifies this flow in the following manner: as soon as a valid OS has been
300found, search for an `AftlImage` for each VBMeta image and validate their
301inclusion proofs (this is done by the `aftl_slot_verify` function). The result
302of the verification can be appended to the kernel command line for further
303processing by the OS.
304
305![Recommended boot flow for a device using AFTL](../docs/aftl-boot-flow.png)
306