Chain Verification

Linux secure boot builds on the ROM/KM0/KM4 secure boot chain: the Linux images are only trusted because the earlier stages have already verified the loader that checks them. The secure boot flow of the Linux part is illustrated below.

[Figure: verified_boot_sw_arch.svg, the verified boot software architecture]

Note

Normally the kernel command line, as printed by the kernel during initialization, looks like this:

console=ttyS0,1500000 earlycon psci=enable ubi.mtd=8 ubi.block=0,0 ubi.mtd=9 dm-mod.create="system,,0,ro, 0 55928 verity 1 /dev/ubiblock0_0 /dev/ubiblock0_0 4096 4096 6991 6991 sha512 <digest> <salt> 2 ignore_corruption ignore_zero_blocks" root=/dev/dm-0 rootfstype=squashfs

(In the dm-verity table format the root digest comes before the salt.) The content is assembled by <sdk>/sources/boot/uboot/cmd/realtek_avb.c: the function realtek_organize_cmdline() extracts the key information and builds a new cmdline for secure boot.

  • ubi.mtd=8 gives the index of the MTD partition that holds the rootfs; it attaches mtd8 as the UBI character device ubi0.

  • ubi.block=0,0 exposes volume 0 of ubi0 as the read-only block device ubiblock0_0. This step is needed because dm-verity can only be stacked on block devices.

  • The dm-mod.create parameters form the table of the dm-verity target: the block device to verify, the device holding the hash tree (here the same device), the data and hash block sizes (4096 bytes each), the number of data blocks (6991), the block at which the hash tree starts (6991, i.e. directly after the data), the hash algorithm (sha512), the root digest, the salt, and then optional parameters. The root digest is the root hash of the rootfs hash tree; it is the value U-Boot has already verified through VBmeta. Note that ignore_corruption makes the kernel only log a mismatching block and still return it to the reader; an enforcing setup omits that option (the read then fails with an I/O error) or uses restart_on_corruption or panic_on_corruption instead.

  • /dev/ubiblock0_0 is mapped as dm-0, and root=/dev/dm-0 mounts the verified device as the root filesystem, so the contents of the mtd8 area become the rootfs. On every read, dm-verity hashes the requested data block and checks it against the hash tree, verifying each hash block on the path up to the root hash, so a block is only returned once its chain reaches the verified root.
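The cmdline above is all the kernel gets, so it is worth being able to read it back. The following is an added example (not SDK code) that parses the dm-mod.create= value into the dm-verity table fields, checks that the mapped length, block counts and digest size agree with each other and with the named algorithm, flags the non-enforcing ignore_corruption option, and emits a hardened table. The field names follow the kernel's dm-verity table format (digest before salt); the digest and salt values in the sample cmdline are constructed placeholders.

```python
"""Parse the dm-verity table carried by dm-mod.create= on a kernel command
line and sanity-check it.  Added example, not SDK code.  Field names follow
the kernel's dm-verity table format:
  <version> <dev> <hash_dev> <data_block_size> <hash_block_size>
  <num_data_blocks> <hash_start_block> <algorithm> <digest> <salt>
  [<#opt_params> <opt_params>...]
"""
import hashlib
import shlex

# Constructed sample: the page's cmdline with dummy digest/salt values so the
# string parses (a sha512 digest is 64 bytes; the salt length is arbitrary).
SAMPLE_DIGEST = "ab" * 64
SAMPLE_SALT = "cd" * 32
SAMPLE_CMDLINE = (
    "console=ttyS0,1500000 earlycon psci=enable ubi.mtd=8 ubi.block=0,0 ubi.mtd=9 "
    'dm-mod.create="system,,0,ro, 0 55928 verity 1 /dev/ubiblock0_0 /dev/ubiblock0_0 '
    f"4096 4096 6991 6991 sha512 {SAMPLE_DIGEST} {SAMPLE_SALT} "
    '2 ignore_corruption ignore_zero_blocks" root=/dev/dm-0 rootfstype=squashfs'
)

IGNORE_FINDING = "ignore_corruption: mismatches are only logged, reads still succeed"


def parse_dm_mod_create(cmdline):
    """Return the dm-mod.create device spec as a dict, or None if absent."""
    for arg in shlex.split(cmdline):        # shlex keeps the quoted value together
        if not arg.startswith("dm-mod.create="):
            continue
        # The value is <name>,<uuid>,<minor>,<flags>,<table>
        name, uuid, minor, flags, table = arg.split("=", 1)[1].split(",", 4)
        f = table.split()
        if len(f) < 13 or f[2] != "verity":
            raise ValueError("not a verity table: " + table)
        spec = {
            "name": name, "uuid": uuid, "minor": int(minor), "flags": flags,
            "start_sector": int(f[0]), "length_sectors": int(f[1]),
            "version": int(f[3]), "dev": f[4], "hash_dev": f[5],
            "data_block_size": int(f[6]), "hash_block_size": int(f[7]),
            "num_data_blocks": int(f[8]), "hash_start_block": int(f[9]),
            "algorithm": f[10], "digest": f[11], "salt": f[12], "opt_params": [],
        }
        if len(f) > 13:
            n_opt = int(f[13])
            spec["opt_params"] = f[14:14 + n_opt]
            if len(spec["opt_params"]) != n_opt:
                raise ValueError("opt_params count does not match the list")
        return spec
    return None


def check_verity_spec(spec):
    """Return a list of findings; an empty list means consistent and enforcing."""
    findings = []
    dbs, hbs = spec["data_block_size"], spec["hash_block_size"]
    for label, size in (("data_block_size", dbs), ("hash_block_size", hbs)):
        if size < 512 or size & (size - 1):
            findings.append(f"{label} {size} is not a power of two >= 512")
    # The mapped length is in 512-byte sectors and must cover exactly the data blocks.
    if spec["length_sectors"] * 512 != spec["num_data_blocks"] * dbs:
        findings.append("length_sectors does not equal num_data_blocks * data_block_size")
    # Data and hashes on the same device: the tree must start after the data.
    if spec["dev"] == spec["hash_dev"] and spec["hash_start_block"] * hbs < spec["num_data_blocks"] * dbs:
        findings.append("hash tree overlaps the data area")
    try:
        want = hashlib.new(spec["algorithm"]).digest_size
    except ValueError:
        findings.append("unknown hash algorithm " + spec["algorithm"])
    else:
        if len(spec["digest"]) != 2 * want:
            findings.append(f"digest is {len(spec['digest']) // 2} bytes, {spec['algorithm']} needs {want}")
    if "ignore_corruption" in spec["opt_params"]:
        findings.append(IGNORE_FINDING)
    return findings


def hardened(spec):
    """Copy of spec with ignore_corruption swapped for restart_on_corruption,
    so a mismatch reboots the device instead of being ignored."""
    out = dict(spec)
    out["opt_params"] = ["restart_on_corruption" if p == "ignore_corruption" else p
                         for p in spec["opt_params"]]
    return out


def format_table(spec):
    """Re-emit the dm-verity table line from a spec (e.g. after hardening)."""
    fields = [spec["start_sector"], spec["length_sectors"], "verity", spec["version"],
              spec["dev"], spec["hash_dev"], spec["data_block_size"], spec["hash_block_size"],
              spec["num_data_blocks"], spec["hash_start_block"], spec["algorithm"],
              spec["digest"], spec["salt"], len(spec["opt_params"])] + spec["opt_params"]
    return " ".join(str(x) for x in fields)


if __name__ == "__main__":
    spec = parse_dm_mod_create(SAMPLE_CMDLINE)
    for line in check_verity_spec(spec):
        print("WARNING:", line)
    print(format_table(hardened(spec)))
```

On the page's values the only finding is the ignore_corruption one: 55928 sectors of 512 bytes equal 6991 blocks of 4096 bytes, and a hash tree starting at block 6991 sits directly behind the data. Changing the sector count, the block count or the algorithm name in the cmdline makes the consistency checks fire, which is the kind of mistake that otherwise only shows up as a device-mapper error at boot.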

For more details on dm-verity, refer to the kernel's dm-verity documentation.

That documentation describes the construction parameters, the theory of operation, the hash tree, the on-disk format and some examples. The kernel command line is the only starting point for the hash-tree verification of the rootfs: the root-hash digest of the hash tree is inserted into VBmeta, whose validity has been confirmed by the preceding flow, so a root hash that U-Boot did not accept never reaches the kernel.
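To make the hash tree and on-disk format concrete, here is an added example (not SDK or kernel code) that builds a version-1 dm-verity hash tree in the kernel's layout (root layer first, leaf layer last, zero-filled tails, salt prepended to every hashed block) for a constructed image, places it directly after the data as the page's table does, and then verifies individual data blocks by walking from the root digest down, the same path the target takes on each read. It also models the difference between the default read failure and ignore_corruption. The 512-byte block size, the salt and the data are constructed for illustration; the page's device uses 4096-byte blocks, but the layout is the same.

```python
"""Build a dm-verity (version 1) hash tree in the kernel's on-disk layout and
verify data blocks against it the way the target does on each read.  Added
example; the block size, salt and data image are constructed for illustration.
"""
import hashlib

ALG = "sha512"                                # algorithm used in the page's cmdline
DIGEST_SIZE = hashlib.new(ALG).digest_size   # 64 bytes


def node_hash(salt, block):
    """Version-1 node hash: the salt is prepended (version 0 appends it)."""
    return hashlib.new(ALG, salt + block).digest()


def build_hash_tree(data, block_size, salt):
    """Return (tree_bytes, root_digest, params) for data whose length is a
    multiple of block_size.  Layers are stored root-first with the leaf layer
    last and unused tails zero-filled, which is what veritysetup writes."""
    n = len(data) // block_size
    per_block = block_size // DIGEST_SIZE
    bits = per_block.bit_length() - 1         # log2(hashes per hash block)
    assert len(data) % block_size == 0 and 1 << bits == per_block
    levels = 0                                # level count, as the dm-verity constructor computes it
    while bits * levels < 64 and (n - 1) >> (bits * levels):
        levels += 1
    hashes = [node_hash(salt, data[i * block_size:(i + 1) * block_size]) for i in range(n)]
    layers = []                               # layers[0] is the leaf layer
    for _ in range(levels):
        blocks = []
        for i in range(0, len(hashes), per_block):
            blk = b"".join(hashes[i:i + per_block])
            blocks.append(blk + b"\0" * (block_size - len(blk)))
        layers.append(blocks)
        hashes = [node_hash(salt, b) for b in blocks]
    root_digest = hashes[0]                   # hash of the single top block
    tree = b"".join(b for layer in reversed(layers) for b in layer)
    # Absolute block index where each level starts.  The tree follows the data,
    # so hash_start_block == num_data_blocks, as in the page's table.
    level_block, pos = [0] * levels, n
    for lvl in range(levels - 1, -1, -1):
        level_block[lvl] = pos
        pos += len(layers[lvl])
    params = dict(block_size=block_size, num_data_blocks=n, hash_start_block=n,
                  levels=levels, bits=bits, level_block=level_block, salt=salt)
    return tree, root_digest, params


def verify_block(image, params, root_digest, idx):
    """Walk from the root block down to data block idx, checking each node's
    hash against the entry in its parent; the root block is checked against
    the digest that came from the command line."""
    bs, bits, salt = params["block_size"], params["bits"], params["salt"]
    expected = root_digest
    for lvl in range(params["levels"] - 1, -1, -1):
        position = idx >> (lvl * bits)
        blk_no = params["level_block"][lvl] + (position >> bits)
        hb = image[blk_no * bs:(blk_no + 1) * bs]
        if node_hash(salt, hb) != expected:
            return False                      # a hash block on the path was altered
        off = (position & ((1 << bits) - 1)) * DIGEST_SIZE
        expected = hb[off:off + DIGEST_SIZE]
    return node_hash(salt, image[idx * bs:(idx + 1) * bs]) == expected


def read_block(image, params, root_digest, idx, ignore_corruption=False):
    """Model the read path: a mismatching block is returned anyway under
    ignore_corruption (the kernel only logs it); otherwise the read fails,
    modelled here by returning None where the target returns -EIO."""
    bs = params["block_size"]
    if verify_block(image, params, root_digest, idx) or ignore_corruption:
        return image[idx * bs:(idx + 1) * bs]
    return None


def flip_byte(image, offset):
    """Copy of image with one bit flipped at offset (simulated tampering)."""
    out = bytearray(image)
    out[offset] ^= 0x01
    return bytes(out)


# Constructed image: 64 data blocks of 512 bytes.  With sha512 a hash block holds
# 8 digests, so the tree is a leaf layer of 8 blocks under a single root block.
BLOCK = 512
SALT = bytes(range(32))
DATA = b"".join(i.to_bytes(4, "little") * (BLOCK // 4) for i in range(64))
TREE, ROOT, PARAMS = build_hash_tree(DATA, BLOCK, SALT)
IMAGE = DATA + TREE

if __name__ == "__main__":
    print("root digest:", ROOT.hex())
    print("tree blocks:", len(TREE) // BLOCK, "levels:", PARAMS["levels"])
    bad = flip_byte(IMAGE, 5 * BLOCK + 100)
    print("block 5 / block 6 after tampering block 5:",
          verify_block(bad, PARAMS, ROOT, 5), verify_block(bad, PARAMS, ROOT, 6))
```

Two properties of the layout are visible in the walk: a flipped bit in a data block breaks only that block, while a flipped bit in a leaf-layer hash block breaks every data block it covers, and a change to the root block breaks everything because nothing below it can be tied back to the digest from the command line. That digest is the only secret-free anchor, which is why it has to arrive through VBmeta rather than be read from the flash it protects.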

The code behind the above framework can be divided into three parts: the Flash area, the U-Boot area and the kernel area. Only the core code directories of each part are listed below.

Area     Directory                                               Introduction
-------  ------------------------------------------------------  ----------------------------------------------------------------
Flash    <sdk>/sources/yocto/meta-realtek/tools/verified_boot    Scripts that build the secure-boot related images.
U-Boot   <uboot>/cmd/mtd.c                                       Reading the NAND flash.
         <uboot>/cmd/realtek-avb.c                               Verification of vbmeta, the public key, the kernel and the dtb.
Kernel   <linux>/drivers/md/*                                    Device-mapper code from the upstream Linux kernel; its dm-verity target verifies the hash tree of the rootfs.

For more on Android Verified Boot, refer to the Android AVB documentation.