avb_verify: Add support for persist independt upgrade verify("-U")

Verify and compare rollback index between image and partition directly, and the same rollback index is allowed. Usage avb_verify -U <image> <partition> <key> Signed-off-by: wangjianyu3 <[email protected]>
open-vela · Dec 28, 2024 · ab83bf0 · ab83bf0
1 parent 2baac07
commit ab83bf0
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 7 deletions.
diff --git a/verify/avb_main.c b/verify/avb_main.c
@@ -33,9 +33,10 @@ void usage(const char* progname)
 int main(int argc, char* argv[])
 {
     AvbSlotVerifyFlags flags = 0;
+    const char* image = NULL;
     int ret;
 
-    while ((ret = getopt(argc, argv, "bchiI:")) != -1) {
+    while ((ret = getopt(argc, argv, "bchiI:U:")) != -1) {
         switch (ret) {
         case 'b':
             break;
@@ -57,6 +58,11 @@ int main(int argc, char* argv[])
             }
             return 1;
             break;
+        case 'U':
+            flags |= UTILS_AVB_VERIFY_LOCAL_FLAG_NOKV;
+            image = optarg;
+            g_rollback_index = 0;
+            break;
         default:
             usage(argv[0]);
             return 10;
@@ -72,6 +78,11 @@ int main(int argc, char* argv[])
     ret = avb_verify(argv[optind], argv[optind + 1], argv[optind + 2], flags);
     if (ret != 0)
         avb_printf("%s error %d\n", argv[0], ret);
+    else if (image) {
+        ret = avb_verify(image, argv[optind + 1], argv[optind + 2], flags);
+        if (ret != 0)
+            avb_printf("%s verify %s error %d\n", argv[0], image, ret);
+    }
 
     return ret;
 }
diff --git a/verify/avb_verify.c b/verify/avb_verify.c
@@ -33,6 +33,8 @@
 #define AVB_DEVICE_UNLOCKED "persist.avb.unlocked"
 #define AVB_ROLLBACK_LOCATION "persist.avb.rollback.%zu"
 
+uint64_t g_rollback_index;
+
 static AvbIOResult read_from_partition(AvbOps* ops,
     const char* partition,
     int64_t offset,
@@ -154,6 +156,14 @@ static AvbIOResult read_rollback_index(AvbOps* ops,
     return AVB_IO_RESULT_OK;
 }
 
+static AvbIOResult read_rollback_index_tmp(AvbOps* ops,
+    size_t rollback_index_location,
+    uint64_t* out_rollback_index)
+{
+    *out_rollback_index = g_rollback_index;
+    return AVB_IO_RESULT_OK;
+}
+
 AvbIOResult write_rollback_index(AvbOps* ops,
     size_t rollback_index_location,
     uint64_t rollback_index)
@@ -168,6 +178,14 @@ AvbIOResult write_rollback_index(AvbOps* ops,
     return AVB_IO_RESULT_OK;
 }
 
+AvbIOResult write_rollback_index_tmp(AvbOps* ops,
+    size_t rollback_index_location,
+    uint64_t rollback_index)
+{
+    g_rollback_index = rollback_index;
+    return AVB_IO_RESULT_OK;
+}
+
 static AvbIOResult read_is_device_unlocked(AvbOps* ops, bool* out_is_unlocked)
 {
 #ifdef CONFIG_UTILS_AVB_VERIFY_ENABLE_DEVICE_LOCK
@@ -178,6 +196,12 @@ static AvbIOResult read_is_device_unlocked(AvbOps* ops, bool* out_is_unlocked)
     return AVB_IO_RESULT_OK;
 }
 
+static AvbIOResult read_is_device_unlocked_false(AvbOps* ops, bool* out_is_unlocked)
+{
+    *out_is_unlocked = false;
+    return AVB_IO_RESULT_OK;
+}
+
 static AvbIOResult get_unique_guid_for_partition(AvbOps* ops,
     const char* partition,
     char* guid_buf,
@@ -278,13 +302,13 @@ int avb_verify(const char* partition, const char* key, const char* suffix, AvbSl
         get_preloaded_partition,
         write_to_partition,
         validate_vbmeta_public_key,
-        read_rollback_index,
-        write_rollback_index,
-        read_is_device_unlocked,
+        (flags & UTILS_AVB_VERIFY_LOCAL_FLAG_NOKV) ? read_rollback_index_tmp : read_rollback_index,
+        (flags & UTILS_AVB_VERIFY_LOCAL_FLAG_NOKV) ? write_rollback_index_tmp : write_rollback_index,
+        (flags & UTILS_AVB_VERIFY_LOCAL_FLAG_NOKV) ? read_is_device_unlocked_false : read_is_device_unlocked,
         get_unique_guid_for_partition,
         get_size_of_partition,
-        read_persistent_value,
-        write_persistent_value,
+        (flags & UTILS_AVB_VERIFY_LOCAL_FLAG_NOKV) ? NULL : read_persistent_value,
+        (flags & UTILS_AVB_VERIFY_LOCAL_FLAG_NOKV) ? NULL : write_persistent_value,
         validate_public_key_for_partition
     };
     const char* partitions[] = {
@@ -297,7 +321,7 @@ int avb_verify(const char* partition, const char* key, const char* suffix, AvbSl
 
     ret = avb_slot_verify(&ops,
         partitions, suffix ? suffix : "",
-        flags | AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION,
+        (flags & ~UTILS_AVB_VERIFY_LOCAL_FLAG_MASK) | AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION,
         AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
         &slot_data);
 

diff --git a/verify/avb_verify.h b/verify/avb_verify.h
@@ -23,13 +23,18 @@
 extern "C" {
 #endif
 
+#define UTILS_AVB_VERIFY_LOCAL_FLAG_MASK 0xf000
+#define UTILS_AVB_VERIFY_LOCAL_FLAG_NOKV 0x8000
+
 struct avb_hash_desc_t {
     uint64_t image_size;
     uint8_t hash_algorithm[32]; /* Ref: struct AvbHashDescriptor */
     uint32_t digest_len;
     uint8_t digest[64]; /* Max: sha512 */
 };
 
+extern uint64_t g_rollback_index;
+
 int avb_verify(const char* partition, const char* key, const char* suffix, AvbSlotVerifyFlags flags);
 int avb_hash_desc(const char* full_partition_name, struct avb_hash_desc_t* desc);
 void avb_hash_desc_dump(const struct avb_hash_desc_t* desc);