src/devices/tech/security/verifiedboot/index.jd - platform/docs/source.android.com - Git at Google

 page.title=Verified Boot
 @jd:body

 <!--
     Copyright 2015 The Android Open Source Project

     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
     You may obtain a copy of the License at

         http://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     See the License for the specific language governing permissions and
     limitations under the License.
 -->
 <div id="qv-wrapper">
   <div id="qv">
     <h2>In this document</h2>
     <ol id="auto-toc">
     </ol>
   </div>
 </div>

 <h2 id="introduction">Introduction</h2>

 <p>Android 4.4 and later supports verified boot through the optional
 device-mapper-verity (dm-verity) kernel feature, which provides transparent
 integrity checking of block devices. dm-verity helps prevent persistent rootkits
 that can hold onto root privileges and compromise devices. This experimental
 feature helps Android users be sure when booting a device it is in the same
 state as when it was last used.</p>

 <p>Clever malware with root privileges can hide from detection programs and
 otherwise mask themselves. The rooting software can do this because it is often
 more privileged than the detectors, enabling the software to "lie" to the
 detection programs.</p>

 <p>The dm-verity feature lets you look at a block device, the underlying storage
 layer of the file system, and determine if it matches its expected
 configuration. It does this using a cryptographic hash tree. For every block
 (typically 4k), there is a SHA256 hash.</p>

 <p>Since the hash values are stored in a tree of pages, only the top-level
 "root" hash must be trusted to verify the rest of the tree. The ability to
 modify any of the blocks would be equivalent to breaking the cryptographic hash.
 See the following diagram for a depiction of this structure.</p>

 <img src="../images/dm-verity-hash-table.png" alt="dm-verity-hash-table" id="figure1"/>
 <p class="img-caption">
   <strong>Figure 1.</strong> dm-verity hash table
 </p>

 <p>A public key is included on the boot partition, which must be verified
 externally by the OEM. That key is used to verify the signature for that hash
 and confirm the device's system partition is protected and unchanged.</p>

 <h2 id="prerequisites">Prerequisites</h2>

 <h3 id="verified-boot">Establishing a verified boot flow</h3>
 <p>To greatly reduce the risk of compromise, verify the kernel using a key
 burned into the device. For details, see <a href="verified-boot.html">Verified
 boot</a>.</p>

 <h3 id="block-otas">Switching to block-oriented OTAs</h3>
 <p>To enable dm-verity for a device, you must use block-based over-the-air
 (OTA) updates to ensure all devices use the same system partition. For details,
 see <a href="{@docRoot}devices/tech/ota/block.html">Block-Based OTAs</a>.</p>

 <h3 id="config-dm-verity">Configuring dm-verity</h3>

 <p>After switching to block-oriented OTAs, incorporate the latest Android kernel
 or use a stock upstream kernel and enable dm-verity support by including the
 relevant configuration option <code>CONFIG_DM_VERITY</code>.</p>

 <p>When using the Android kernel, dm-verity is turned on when the kernel is
 built. For details, see <a href="dm-verity.html">Implementing dm-verity</a>.</p>

 <h2 id="supporting-docs">Supporting documentation</h2>
 <p><a href="verified-boot.html">Verifying Boot</a><br/>
 <a href="{@docRoot}devices/tech/ota/block.html">Block-Based OTA</a><br/>
 <a href="dm-verity.html">Implementing dm-verity</a><br/>
 <a href="https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity">cryptsetup -
 dm-verity: device-mapper block integrity checking target</a><br/>
 <a href="http://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot">The
 Chromium Projects - Verified Boot</a><br/>
 <a
 href="http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/device-mapper/verity.txt">Linux Kernel Documentation: verity.txt</a></p>

 <p>For additional assistance, contact
 <a href="mailto:[email protected]">[email protected]</a>.</p>
	page.title=Verified Boot
	@jd:body

	<!--
	Copyright 2015 The Android Open Source Project

	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<div id="qv-wrapper">
	<div id="qv">
	<h2>In this document</h2>
	<ol id="auto-toc">
	</ol>
	</div>
	</div>

	<h2 id="introduction">Introduction</h2>

	<p>Android 4.4 and later supports verified boot through the optional
	device-mapper-verity (dm-verity) kernel feature, which provides transparent
	integrity checking of block devices. dm-verity helps prevent persistent rootkits
	that can hold onto root privileges and compromise devices. This experimental
	feature helps Android users be sure when booting a device it is in the same
	state as when it was last used.</p>

	<p>Clever malware with root privileges can hide from detection programs and
	otherwise mask themselves. The rooting software can do this because it is often
	more privileged than the detectors, enabling the software to "lie" to the
	detection programs.</p>

	<p>The dm-verity feature lets you look at a block device, the underlying storage
	layer of the file system, and determine if it matches its expected
	configuration. It does this using a cryptographic hash tree. For every block
	(typically 4k), there is a SHA256 hash.</p>

	<p>Since the hash values are stored in a tree of pages, only the top-level
	"root" hash must be trusted to verify the rest of the tree. The ability to
	modify any of the blocks would be equivalent to breaking the cryptographic hash.
	See the following diagram for a depiction of this structure.</p>

	<img src="../images/dm-verity-hash-table.png" alt="dm-verity-hash-table" id="figure1"/>
	<p class="img-caption">
	<strong>Figure 1.</strong> dm-verity hash table
	</p>

	<p>A public key is included on the boot partition, which must be verified
	externally by the OEM. That key is used to verify the signature for that hash
	and confirm the device's system partition is protected and unchanged.</p>

	<h2 id="prerequisites">Prerequisites</h2>

	<h3 id="verified-boot">Establishing a verified boot flow</h3>
	<p>To greatly reduce the risk of compromise, verify the kernel using a key
	burned into the device. For details, see <a href="verified-boot.html">Verified
	boot</a>.</p>

	<h3 id="block-otas">Switching to block-oriented OTAs</h3>
	<p>To enable dm-verity for a device, you must use block-based over-the-air
	(OTA) updates to ensure all devices use the same system partition. For details,
	see <a href="{@docRoot}devices/tech/ota/block.html">Block-Based OTAs</a>.</p>

	<h3 id="config-dm-verity">Configuring dm-verity</h3>

	<p>After switching to block-oriented OTAs, incorporate the latest Android kernel
	or use a stock upstream kernel and enable dm-verity support by including the
	relevant configuration option <code>CONFIG_DM_VERITY</code>.</p>

	<p>When using the Android kernel, dm-verity is turned on when the kernel is
	built. For details, see <a href="dm-verity.html">Implementing dm-verity</a>.</p>

	<h2 id="supporting-docs">Supporting documentation</h2>
	<p><a href="verified-boot.html">Verifying Boot</a><br/>
	<a href="{@docRoot}devices/tech/ota/block.html">Block-Based OTA</a><br/>
	<a href="dm-verity.html">Implementing dm-verity</a><br/>
	<a href="https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity">cryptsetup -
	dm-verity: device-mapper block integrity checking target</a><br/>
	<a href="http://www.chromium.org/chromium-os/chromiumos-design-docs/verified-boot">The
	Chromium Projects - Verified Boot</a><br/>
	<a
	href="http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blob;f=Documentation/device-mapper/verity.txt">Linux Kernel Documentation: verity.txt</a></p>

	<p>For additional assistance, contact
	<a href="mailto:[email protected]">[email protected]</a>.</p>