本篇android AVB2.0學(xué)習(xí)總結(jié)系統(tǒng)的第四篇，接上篇android AVB2.0（三）Init階段安全啟動(dòng)流程， 這里介紹一下libavb庫的詳細(xì)實(shí)現(xiàn)。

請(qǐng)支持原創(chuàng)，原文鏈接：https://blog.csdn.net/jackone12347/article/details/121678254

首先要介紹一下本篇文章的兩個(gè)目標(biāo)，帶著這兩個(gè)目標(biāo)我們來分析一下libavb庫的實(shí)現(xiàn)。
1、android AVB是如何完成verify校驗(yàn)這項(xiàng)任務(wù)的？
2、采用了什么樣的設(shè)計(jì)來完成verify校驗(yàn)任務(wù)？

上篇內(nèi)容之一：“InitAvbHandle：AVB調(diào)用exterlan/avb/libavb庫完成分區(qū)的校驗(yàn)”

沒有源碼的，可以看google提供的路徑：https://android.googlesource.com/platform/system/core/+/master/init/first_stage_mount.cpp

@first_stage_mount.cpp bool FirstStageMountVBootV2::InitAvbHandle() {if (avb_handle_) return true; // Returns true if the handle is already initialized.avb_handle_ = AvbHandle::Open();if (!avb_handle_) {PLOG(ERROR) << "Failed to open AvbHandle";return false;}// Sets INIT_AVB_VERSION here for init to set ro.boot.avb_version in the second stage.setenv("INIT_AVB_VERSION", avb_handle_->avb_version().c_str(), 1);return true; }

實(shí)現(xiàn)在fs_avb.cpp中

AvbUniquePtr AvbHandle::Open() { //判斷設(shè)備是否lock，這里是通過讀系統(tǒng)屬性ro.boot.verifiedbootstate來判斷的，這個(gè)后面我專門搞篇文章來講一下。bool allow_verification_error = IsAvbPermissive();//創(chuàng)建AvbHandle實(shí)例AvbUniquePtr avb_handle(new AvbHandle());if (!avb_handle) {LERROR << "Failed to allocate AvbHandle";return nullptr;}//實(shí)例化AvbOps管理類對(duì)象，私有成員中有AvbOps avb_ops_FsManagerAvbOps avb_ops;AvbSlotVerifyFlags flags = allow_verification_error? AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR: AVB_SLOT_VERIFY_FLAGS_NONE;//調(diào)用AvbSlotVerify函數(shù)進(jìn)行verify校驗(yàn)AvbSlotVerifyResult verify_result =avb_ops.AvbSlotVerify(fs_mgr_get_slot_suffix(), flags, &avb_handle->vbmeta_images_);...//后面verify之后的結(jié)果代碼也比較簡(jiǎn)單就不分析了，我們重點(diǎn)分析校驗(yàn)流程

AvbSlotVerify實(shí)現(xiàn)在avb_ops.cpp中的avb_slot_verify函數(shù)，注意這里requested_partitions默認(rèn)為空，不管是Uboot中調(diào)用libavb庫，還是android init中調(diào)用libavb庫，都是類似的處理邏輯。

AvbSlotVerifyResult FsManagerAvbOps::AvbSlotVerify(const std::string& ab_suffix,AvbSlotVerifyFlags flags,std::vector<VBMetaData>* out_vbmeta_images) {const char* requested_partitions[] = {nullptr};// Local resource to store vbmeta images from avb_slot_verify();AvbSlotVerifyData* avb_slot_data;// The |hashtree_error_mode| field doesn't matter as it only// influences the generated kernel cmdline parameters.auto verify_result =avb_slot_verify(&avb_ops_, requested_partitions, ab_suffix.c_str(), flags,AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE, &avb_slot_data);if (!avb_slot_data) return verify_result;

一、入口avb_slot_verify.c
avb_slot_verify函數(shù)流程會(huì)非常的長(zhǎng)，對(duì)這個(gè)代碼不熟悉的人估計(jì)會(huì)暈在里面，會(huì)有函數(shù)嵌套調(diào)用。我們分段進(jìn)行說明：
第一個(gè)參數(shù)ops，是一個(gè)函數(shù)結(jié)構(gòu)體對(duì)象指針

FsManagerAvbOps::FsManagerAvbOps() { //初始化avb_ops_成員的對(duì)象，主要有這六個(gè)回調(diào)函數(shù)，這些google設(shè)計(jì)的非常巧妙，用戶將來可自定義各家的實(shí)現(xiàn)方式，google不做限制，只保留空的回調(diào)接口，在avb驗(yàn)證流程中會(huì)觸發(fā)，后面代碼分析流程中會(huì)做介紹。memset(&avb_ops_, 0, sizeof(AvbOps));avb_ops_.read_from_partition = read_from_partition;avb_ops_.read_rollback_index = dummy_read_rollback_index;avb_ops_.validate_vbmeta_public_key = dummy_validate_vbmeta_public_key;avb_ops_.read_is_device_unlocked = dummy_read_is_device_unlocked;avb_ops_.get_unique_guid_for_partition = dummy_get_unique_guid_for_partition;avb_ops_.get_size_of_partition = dummy_get_size_of_partition;// Sets user_data for GetInstanceFromAvbOps() to convert it back to FsManagerAvbOps.avb_ops_.user_data = this; }

我們進(jìn)入到avb_slot_verify函數(shù)中分析

AvbSlotVerifyResult avb_slot_verify(AvbOps* ops,const char* const* requested_partitions,const char* ab_suffix,AvbSlotVerifyFlags flags,AvbHashtreeErrorMode hashtree_error_mode,AvbSlotVerifyData** out_data) {AvbSlotVerifyResult ret;AvbSlotVerifyData* slot_data = NULL;AvbAlgorithmType algorithm_type = AVB_ALGORITHM_TYPE_NONE;bool using_boot_for_vbmeta = false;AvbVBMetaImageHeader toplevel_vbmeta;bool allow_verification_error =(flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR);AvbCmdlineSubstList* additional_cmdline_subst = NULL;/* Fail early if we're missing the AvbOps needed for slot verification. *///先判斷下面五個(gè)基本的回調(diào)函數(shù)接口是否存在，不存在會(huì)報(bào)錯(cuò)，即使不實(shí)現(xiàn)也需要實(shí)現(xiàn)個(gè)空內(nèi)容。avb_assert(ops->read_is_device_unlocked != NULL);avb_assert(ops->read_from_partition != NULL);avb_assert(ops->get_size_of_partition != NULL);avb_assert(ops->read_rollback_index != NULL);avb_assert(ops->get_unique_guid_for_partition != NULL); 。。。//判斷是否沒有vbmeta分區(qū)，默認(rèn)是有vbmeta分區(qū)設(shè)計(jì)的，但是也可以append到其他分區(qū)上 這種我們先不考慮if (flags & AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION) {if (ops->validate_public_key_for_partition == NULL) {avb_error("AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION was passed but the ""validate_public_key_for_partition() operation isn't implemented.\n");ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT;goto fail;}} else {//默認(rèn)我們是使用這種方式，需要校驗(yàn)vbmeta分區(qū)的public key接口是否存在，這個(gè)接口用來判斷vbmeta公鑰hash key是否匹配。avb_assert(ops->validate_vbmeta_public_key != NULL);}//alloc分配內(nèi)存slot_data = avb_calloc(sizeof(AvbSlotVerifyData));if (slot_data == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}slot_data->vbmeta_images =avb_calloc(sizeof(AvbVBMetaData) * MAX_NUMBER_OF_VBMETA_IMAGES);if (slot_data->vbmeta_images == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}slot_data->loaded_partitions =avb_calloc(sizeof(AvbPartitionData) * MAX_NUMBER_OF_LOADED_PARTITIONS);if (slot_data->loaded_partitions == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}//給additional_cmdline_subst也alloc分配內(nèi)存，這個(gè)是后面需要將avb校驗(yàn)的結(jié)果轉(zhuǎn)成數(shù)據(jù)append到cmdline中，傳遞給init使用的。additional_cmdline_subst = avb_new_cmdline_subst_list();if (additional_cmdline_subst == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}if (flags & AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION) {...//同上，我們不分析沒有vbmeta分區(qū)的情況} else {//加載和校驗(yàn)vbmeta分區(qū)，這個(gè)函數(shù)流程非常長(zhǎng)，我們等會(huì)分析，先看完后續(xù)的流程ret = load_and_verify_vbmeta(ops,requested_partitions,ab_suffix,flags,allow_verification_error,0 /* toplevel_vbmeta_flags */,0 /* rollback_index_location */,"vbmeta",avb_strlen("vbmeta"),NULL /* expected_public_key */,0 /* expected_public_key_length */,slot_data,&algorithm_type,additional_cmdline_subst);//在設(shè)備lock的情況且校驗(yàn)失敗，直接異常 if (!allow_verification_error && ret != AVB_SLOT_VERIFY_RESULT_OK) {goto fail;}}//根據(jù)校驗(yàn)結(jié)果判斷是否可繼續(xù)引導(dǎo)啟動(dòng)if (!result_should_continue(ret)) {goto fail;}//將校驗(yàn)的結(jié)果數(shù)據(jù)slot_data拷貝給toplevel_vbemta，避免修改原數(shù)據(jù)。avb_vbmeta_image_header_to_host_byte_order((const AvbVBMetaImageHeader*)slot_data->vbmeta_images[0].vbmeta_data,&toplevel_vbmeta);//根據(jù)toplevel_vbmeta vbmete頭信息中flags bit位是否為disable verification， //這個(gè)就是傳說中的adb disable-verity修改的那個(gè)Bit位了，估計(jì)很多人都不知道adb這條命令干了啥，其實(shí)就是修改了vbmeta分區(qū)Header頭信息中的這個(gè)bit位 if (toplevel_vbmeta.flags & AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED) {/* Since verification is disabled we didn't process any* descriptors and thus there's no cmdline... so set root= such* that the system partition is mounted.*/avb_assert(slot_data->cmdline == NULL);// Devices with dynamic partitions won't have system partition.// Instead, it has a large super partition to accommodate *.img files.// See b/119551429 for details.if (has_system_partition(ops, ab_suffix)) {slot_data->cmdline =avb_strdup("root=PARTUUID=$(ANDROID_SYSTEM_PARTUUID)");} else {// The |cmdline| field should be a NUL-terminated string.slot_data->cmdline = avb_strdup("");}if (slot_data->cmdline == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}} else {/* If requested, manage dm-verity mode... *///這里是不是很奇怪，怎么又判斷了hashtree了？其實(shí)是google設(shè)計(jì)的函數(shù)共用的功能，這個(gè)函數(shù)也可以用來校驗(yàn)其他Hashtree類型的分區(qū)，比如system和vendor等AvbHashtreeErrorMode resolved_hashtree_error_mode = hashtree_error_mode;if (hashtree_error_mode ==AVB_HASHTREE_ERROR_MODE_MANAGED_RESTART_AND_EIO) {AvbIOResult io_ret;io_ret = avb_manage_hashtree_error_mode(ops, flags, slot_data, &resolved_hashtree_error_mode);if (io_ret != AVB_IO_RESULT_OK) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO;if (io_ret == AVB_IO_RESULT_ERROR_OOM) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;}goto fail;}//調(diào)用avb_append_options追加androidboot.xxx屬性到cmdline中，這個(gè)比較簡(jiǎn)單就不深入分析了。sub_ret = avb_append_options(ops,flags,slot_data,&toplevel_vbmeta,algorithm_type,hashtree_error_mode,resolved_hashtree_error_mode);if (slot_data->cmdline != NULL && avb_strlen(slot_data->cmdline) != 0) {char* new_cmdline;new_cmdline = avb_sub_cmdline(ops,slot_data->cmdline,ab_suffix,using_boot_for_vbmeta,additional_cmdline_subst);if (new_cmdline != slot_data->cmdline) {if (new_cmdline == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}avb_free(slot_data->cmdline);slot_data->cmdline = new_cmdline;}}if (out_data != NULL) {*out_data = slot_data;} else {avb_slot_verify_data_free(slot_data);}

我們回到load_and_verify_vbmeta這個(gè)函數(shù)，看下如何加載和校驗(yàn)vbmeta分區(qū)及vbmeta下的子分區(qū)的

static AvbSlotVerifyResult load_and_verify_vbmeta(AvbOps* ops,const char* const* requested_partitions,const char* ab_suffix,AvbSlotVerifyFlags flags,bool allow_verification_error,AvbVBMetaImageFlags toplevel_vbmeta_flags,int rollback_index_location,const char* partition_name,size_t partition_name_len,const uint8_t* expected_public_key,size_t expected_public_key_length,AvbSlotVerifyData* slot_data,AvbAlgorithmType* out_algorithm_type,AvbCmdlineSubstList* out_additional_cmdline_subst) { ...//在分析load_and_verify_vbmeta前，我們先看一下AvbVBMetaImageHeader結(jié)構(gòu)體AvbVBMetaImageHeader vbmeta_header;

不分析AvbVBMetaImageHeader 結(jié)構(gòu)體，估計(jì)很難明白這個(gè)函數(shù)是在校驗(yàn)啥東東。

//能看到AvbVBMetaImageHeader頭信息中主要由三部分組成 Header data： vbmeta的header數(shù)據(jù)，固定長(zhǎng)度256字節(jié)。 Authentication data：認(rèn)證校驗(yàn)數(shù)據(jù)，長(zhǎng)度不固定，主要包含簽名和公鑰等信息。 Auxiliary data：輔助數(shù)據(jù)，主要包含vbmeta中其他分區(qū)的descriptor描述信息。* +-----------------------------------------+* | Header data - fixed size |* +-----------------------------------------+* | Authentication data - variable size |* +-----------------------------------------+* | Auxiliary data - variable size |* +-----------------------------------------+//每一項(xiàng)參數(shù)，代碼中都有進(jìn)行說明 typedef struct AvbVBMetaImageHeader {魔術(shù)AVB0占四個(gè)字節(jié)/* 0: Four bytes equal to "AVB0" (AVB_MAGIC). */uint8_t magic[AVB_MAGIC_LEN];AVB的版本號(hào)信息1.0.0/* 4: The major version of libavb required for this header. */uint32_t required_libavb_version_major;/* 8: The minor version of libavb required for this header. */uint32_t required_libavb_version_minor;簽名信息長(zhǎng)度和輔助信息長(zhǎng)度/* 12: The size of the signature block. */uint64_t authentication_data_block_size;/* 20: The size of the auxiliary data block. */uint64_t auxiliary_data_block_size;使用的簽名算法類型/* 28: The verification algorithm used, see |AvbAlgorithmType| enum. */uint32_t algorithm_type;簽名數(shù)據(jù)的在header中的Body的Hash偏移位置/* 32: Offset into the "Authentication data" block of hash data. */uint64_t hash_offset;數(shù)據(jù)Body的Hash大小/* 40: Length of the hash data. */uint64_t hash_size;簽名數(shù)據(jù)的偏移位置/* 48: Offset into the "Authentication data" block of signature data. */uint64_t signature_offset;簽名數(shù)據(jù)的大小/* 56: Length of the signature data. */uint64_t signature_size;公鑰的偏移位置/* 64: Offset into the "Auxiliary data" block of public key data. */uint64_t public_key_offset;公鑰的長(zhǎng)度/* 72: Length of the public key data. */uint64_t public_key_size;公鑰metadata的偏移位置和長(zhǎng)度/* 80: Offset into the "Auxiliary data" block of public key metadata. */uint64_t public_key_metadata_offset;/* 88: Length of the public key metadata. Must be set to zero if there* is no public key metadata.*/uint64_t public_key_metadata_size;子分區(qū)的descriptor描述信息的偏移位置和長(zhǎng)度/* 96: Offset into the "Auxiliary data" block of descriptor data. */uint64_t descriptors_offset;/* 104: Length of descriptor data. */uint64_t descriptors_size;vbmeta的rollback回滾值/* 112: The rollback index which can be used to prevent rollback to* older versions.*/uint64_t rollback_index;vbmeta的flags標(biāo)志位，是否disable-verification等/* 120: Flags from the AvbVBMetaImageFlags enumeration. This must be* set to zero if the vbmeta image is not a top-level image.*/uint32_t flags;預(yù)留的字節(jié)，為將來可擴(kuò)展準(zhǔn)備/* 124: Reserved to ensure |release_string| start on a 16-byte* boundary. Must be set to zeroes.*/uint8_t reserved0[4];/* 128: The release string from avbtool, e.g. "avbtool 1.0.0" or* "avbtool 1.0.0 xyz_board Git-234abde89". Is guaranteed to be NUL* terminated. Applications must not make assumptions about how this* string is formatted.*/uint8_t release_string[AVB_RELEASE_STRING_SIZE];/* 176: Padding to ensure struct is size AVB_VBMETA_IMAGE_HEADER_SIZE* bytes. This must be set to zeroes.*/uint8_t reserved[80]; } AVB_ATTR_PACKED AvbVBMetaImageHeader;

好了，知道vbmeta頭結(jié)構(gòu)體后，我們繼續(xù)分析load_and_verify_vbmeta代碼

//alloc申請(qǐng)內(nèi)存vbmeta_buf = avb_malloc(vbmeta_size);if (vbmeta_buf == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto out;}//觸發(fā)avb_ops.cpp中第一個(gè)回調(diào)函數(shù)，本文的下面段落中有說明//android側(cè)只實(shí)現(xiàn)了這一個(gè)回調(diào)函數(shù)，其余的都留給廠商自己實(shí)現(xiàn)了，在UBOOT中就可以開發(fā)定制了。io_ret = ops->read_from_partition(ops,full_partition_name,vbmeta_offset,vbmeta_size,vbmeta_buf,&vbmeta_num_read);//加載完vbmeta數(shù)據(jù)后，需要對(duì)vbmeta數(shù)據(jù)進(jìn)行校驗(yàn)，調(diào)用avb_vbmeta_image_verify函數(shù)//本文下面專門講，這里先分析后續(xù)的流程vbmeta_ret =avb_vbmeta_image_verify(vbmeta_buf, vbmeta_num_read, &pk_data, &pk_len);//vbmeta基礎(chǔ)數(shù)據(jù)verify通過后，校驗(yàn)一下公鑰hash是否匹配，是否本次andorid源碼編譯產(chǎn)生的key//這個(gè)數(shù)據(jù)是在android編譯的時(shí)候產(chǎn)生的，//validate_vbmeta_public_key是第二個(gè)回調(diào)函數(shù)，廠家可自定義實(shí)現(xiàn)，比如把key存儲(chǔ)中其他地方//android默認(rèn)為空，直接返回avb_assert(is_main_vbmeta);io_ret = ops->validate_vbmeta_public_key(ops,pk_data,pk_len,pk_metadata,pk_metadata_len,&key_is_trusted);//緊接著會(huì)校驗(yàn)vbmeta的rollback回滾值，android默認(rèn)為空，直接返回//這是第三個(gè)回調(diào)函數(shù)io_ret = ops->read_rollback_index(ops, rollback_index_location_to_use, &stored_rollback_index);//同時(shí)下面代碼還有rollback_index回滾值的比較判斷，主要是比較存儲(chǔ)中的index值和vbmeta中的index值//更新策略為:當(dāng)vbmeta中的index大于存儲(chǔ)中的值，將存儲(chǔ)中的值更新到存儲(chǔ)空間；//如果vbmeta中的index小于存儲(chǔ)中的值，啟動(dòng)boot失敗，防止用戶降級(jí)版本。//android默認(rèn)為空實(shí)現(xiàn)，默認(rèn)index為0，不需要更新寫入。//加載vbmeta中descrptor其他分區(qū)的信息，比如vbmeta_system/boot/vendor_boot等分區(qū)的信息descriptors =avb_descriptor_get_all(vbmeta_buf, vbmeta_num_read, &num_descriptors);for (n = 0; n < num_descriptors; n++) {AvbDescriptor desc;if (!avb_descriptor_validate_and_byteswap(descriptors[n], &desc)) {avb_errorv(full_partition_name, ": Descriptor is invalid.\n", NULL);ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;goto out;} //如果decriptor分區(qū)是hash類型，比如boot分區(qū)，調(diào)用load_and_verify_hash_partition計(jì)算hash并進(jìn)行比較switch (desc.tag) {case AVB_DESCRIPTOR_TAG_HASH: {AvbSlotVerifyResult sub_ret;sub_ret = load_and_verify_hash_partition(ops,requested_partitions,ab_suffix,allow_verification_error,descriptors[n],slot_data);if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) {ret = sub_ret;if (!allow_verification_error || !result_should_continue(ret)) {goto out;}}} break;case AVB_DESCRIPTOR_TAG_CHAIN_PARTITION: {case AVB_DESCRIPTOR_TAG_KERNEL_CMDLINE: {//如果是hashtree類型，比如system分區(qū)，調(diào)用read_persistent_digest讀此分區(qū)的digest信息case AVB_DESCRIPTOR_TAG_HASHTREE: {ret = read_persistent_digest(ops,part_name,digest_len,NULL /* initial_digest */,digest_buf);好了，這個(gè)函數(shù)到這里就基本上差不多了。

現(xiàn)在這個(gè)函數(shù)中，還有兩個(gè)子函數(shù)還沒有分析，

1、read_from_partition函數(shù)
其中ReadFromPartition的實(shí)現(xiàn)比較簡(jiǎn)單，找到vbmeta的dev節(jié)點(diǎn)名稱，打開fd，調(diào)用read函數(shù)，將64KB的vbmeta數(shù)據(jù)全加載出來。

static AvbIOResult read_from_partition(AvbOps* ops, const char* partition, int64_t offset,size_t num_bytes, void* buffer, size_t* out_num_read) {return FsManagerAvbOps::GetInstanceFromAvbOps(ops)->ReadFromPartition(partition, offset, num_bytes, buffer, out_num_read); }AvbIOResult FsManagerAvbOps::ReadFromPartition(const char* partition, int64_t offset,size_t num_bytes, void* buffer,size_t* out_num_read) {std::string path = "/dev/block/by-name/"s + partition;// Ensures the device path (a symlink created by init) is ready to access.if (!WaitForFile(path, 1s)) {LERROR << "Device path not found: " << path;// Falls back to logical path if the physical path is not found.// This mostly only works for emulator (no bootloader). Because in normal// device, bootloader is unable to read logical partitions. So if libavb in// the bootloader failed to read a physical partition, it will failed to boot// the HLOS and we won't reach the code here.path = GetLogicalPath(partition);if (path.empty() || !WaitForFile(path, 1s)) return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;LINFO << "Fallback to use logical device path: " << path;}android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_CLOEXEC)));if (fd < 0) {PERROR << "Failed to open " << path;return AVB_IO_RESULT_ERROR_IO;}// If offset is negative, interprets its absolute value as the// number of bytes from the end of the partition.if (offset < 0) {off64_t total_size = lseek64(fd, 0, SEEK_END);if (total_size == -1) {PERROR << "Failed to lseek64 to end of the partition";return AVB_IO_RESULT_ERROR_IO;}offset = total_size + offset;// Repositions the offset to the beginning.if (lseek64(fd, 0, SEEK_SET) == -1) {PERROR << "Failed to lseek64 to the beginning of the partition";return AVB_IO_RESULT_ERROR_IO;}}// On Linux, we never get partial reads from block devices (except// for EOF).ssize_t num_read = TEMP_FAILURE_RETRY(pread64(fd, buffer, num_bytes, offset));if (num_read < 0 || (size_t)num_read != num_bytes) {PERROR << "Failed to read " << num_bytes << " bytes from " << path << " offset " << offset;return AVB_IO_RESULT_ERROR_IO;}if (out_num_read != nullptr) {*out_num_read = num_read;}return AVB_IO_RESULT_OK; }

2、avb_vbmeta_image_verify函數(shù)
這個(gè)函數(shù)因?yàn)檫@里面涉及到RSA算法的驗(yàn)簽流程，內(nèi)容也很多，慢慢分析一下。

AvbVBMetaVerifyResult avb_vbmeta_image_verify(const uint8_t* data,size_t length,const uint8_t** out_public_key_data,size_t* out_public_key_length) {...//首先判斷是不是以“AVB0”開頭的，vim打開vbmeta.img就可以看到是以AVB0開頭/* Ensure magic is correct. */if (avb_safe_memcmp(data, AVB_MAGIC, AVB_MAGIC_LEN) != 0) {avb_error("Magic is incorrect.\n");goto out;}//把數(shù)據(jù)拷貝到到h AvbVBMetaImageHeader中avb_vbmeta_image_header_to_host_byte_order((const AvbVBMetaImageHeader*)data,&h);//比較avbtool的版本號(hào) avbtool 1.10if ((h.required_libavb_version_major != AVB_VERSION_MAJOR) ||(h.required_libavb_version_minor > AVB_VERSION_MINOR)) {avb_error("Mismatch between image version and libavb version.\n");ret = AVB_VBMETA_VERIFY_RESULT_UNSUPPORTED_VERSION;goto out;} //判斷authentication和auxiliary數(shù)據(jù)大小是不是64字節(jié)的整數(shù)倍if ((h.authentication_data_block_size & 0x3f) != 0 ||(h.auxiliary_data_block_size & 0x3f) != 0) {avb_error("Block size is not a multiple of 64.\n");goto out;}//判斷hash和signature內(nèi)容在vbmeta header中uint64_t hash_end;if (!avb_safe_add(&hash_end, h.hash_offset, h.hash_size) ||hash_end > h.authentication_data_block_size) {avb_error("Hash is not entirely in its block.\n");goto out;}uint64_t signature_end;if (!avb_safe_add(&signature_end, h.signature_offset, h.signature_size) ||signature_end > h.authentication_data_block_size) {avb_error("Signature is not entirely in its block.\n");goto out;}//判斷public key和public key metadata內(nèi)容在vbmeta header中/* Ensure public key is entirely in the Auxiliary data block. */uint64_t pubkey_end;if (!avb_safe_add(&pubkey_end, h.public_key_offset, h.public_key_size) ||pubkey_end > h.auxiliary_data_block_size) {avb_error("Public key is not entirely in its block.\n");goto out;}/* Ensure public key metadata (if set) is entirely in the Auxiliary* data block. */if (h.public_key_metadata_size > 0) {uint64_t pubkey_md_end;if (!avb_safe_add(&pubkey_md_end,h.public_key_metadata_offset,h.public_key_metadata_size) ||pubkey_md_end > h.auxiliary_data_block_size) {avb_error("Public key metadata is not entirely in its block.\n");goto out;}}//判斷RSA algorithm的type和長(zhǎng)度是不是符合if (h.algorithm_type == AVB_ALGORITHM_TYPE_NONE) {ret = AVB_VBMETA_VERIFY_RESULT_OK_NOT_SIGNED;avb_error("pis algoth type none AVB_VBMETA_VERIFY_RESULT_OK_NOT_SIGNED!\n");goto out;}/* Ensure algorithm field is supported. */algorithm = avb_get_algorithm_data(h.algorithm_type);if (!algorithm) {avb_error("Invalid or unknown algorithm.\n");goto out;}/* Bail if the embedded hash size doesn't match the chosen algorithm. */if (h.hash_size != algorithm->hash_len) {avb_error("Embedded hash has wrong size.\n");goto out;}//到這里基本的檢查項(xiàng)就完成了，接下來就是驗(yàn)證數(shù)據(jù)是不是匹配了header_block = data;authentication_block = header_block + sizeof(AvbVBMetaImageHeader);auxiliary_block = authentication_block + h.authentication_data_block_size;//我們編譯vbmeta應(yīng)該是使用的SHA256_RSA4096，所以走下面這段邏輯switch (h.algorithm_type) {/* Explicit fall-through: */case AVB_ALGORITHM_TYPE_SHA256_RSA2048:case AVB_ALGORITHM_TYPE_SHA256_RSA4096:case AVB_ALGORITHM_TYPE_SHA256_RSA8192:avb_sha256_init(&sha256_ctx);avb_sha256_update(&sha256_ctx, header_block, sizeof(AvbVBMetaImageHeader));avb_sha256_update(&sha256_ctx, auxiliary_block, h.auxiliary_data_block_size);computed_hash = avb_sha256_final(&sha256_ctx);break;//驗(yàn)證hash是否相等if (avb_safe_memcmp(authentication_block + h.hash_offset,computed_hash,h.hash_size) != 0) {avb_error("Hash does not match!\n");ret = AVB_VBMETA_VERIFY_RESULT_HASH_MISMATCH;goto out;}//驗(yàn)證signature簽名是否匹配verification_result =avb_rsa_verify(auxiliary_block + h.public_key_offset,h.public_key_size,authentication_block + h.signature_offset,h.signature_size,authentication_block + h.hash_offset,h.hash_size,algorithm->padding,algorithm->padding_len); }

---

---------------------------------------------- 分割一下 ------------------------------------------------------------
我們單獨(dú)來分析一下，一共有兩個(gè)驗(yàn)證，一個(gè)是hash比較，一個(gè)是signature簽名比較。
在了解下面這段之前，可以先看看我之前寫過的博客python實(shí)現(xiàn)RSA加密解密 及 簽名驗(yàn)簽功能
簡(jiǎn)單看下第3節(jié) “私鑰簽名 公鑰驗(yàn)簽”，要理解下面這個(gè)函數(shù)的內(nèi)容，得先看一下vbmeta.img鏡像header的簽名打包流程，將新創(chuàng)建一篇博客太記錄吧，本篇內(nèi)容有點(diǎn)長(zhǎng)。
請(qǐng)見AVB之鏡像的簽名及驗(yàn)證簽名詳解
hash比較

avb_sha256_init(&sha256_ctx);avb_sha256_update(&sha256_ctx, header_block, sizeof(AvbVBMetaImageHeader));avb_sha256_update(&sha256_ctx, auxiliary_block, h.auxiliary_data_block_size);computed_hash = avb_sha256_final(&sha256_ctx);

signature簽名比較

verification_result =avb_rsa_verify(auxiliary_block + h.public_key_offset,h.public_key_size,authentication_block + h.signature_offset,h.signature_size,authentication_block + h.hash_offset,h.hash_size,algorithm->padding,algorithm->padding_len);

總結(jié)

以上是生活随笔為你收集整理的android AVB2.0（四）libavb库介绍的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。