Lines Matching +full:avb +full:- +full:algorithm
25 """Command-line tool for working with Android Verified Boot images."""
52 """Application-specific errors.
54 These errors represent issues for which a stack-trace should not be
65 class Algorithm(object): class
66 """Contains details about an algorithm.
71 The constant |ALGORITHMS| is a dictionary from human-readable
95 # The PKC1-v1.5 padding is a blob of binary DER of ASN.1 and is
98 'NONE': Algorithm(
105 'SHA256_RSA2048': Algorithm(
112 # PKCS1-v1_5 padding
119 'SHA256_RSA4096': Algorithm(
126 # PKCS1-v1_5 padding
133 'SHA256_RSA8192': Algorithm(
140 # PKCS1-v1_5 padding
147 'SHA512_RSA2048': Algorithm(
154 # PKCS1-v1_5 padding
161 'SHA512_RSA4096': Algorithm(
168 # PKCS1-v1_5 padding
175 'SHA512_RSA8192': Algorithm(
182 # PKCS1-v1_5 padding
214 return number + size - remainder
228 return 2**((number - 1).bit_length())
234 This number is written big-endian, e.g. with the most significant
247 for bit_pos in range(num_bits, 0, -8):
248 octet = (value >> (bit_pos - 8)) & 0xff
256 This number is expected to be in big-endian, e.g. with the most
278 Euclidian algorithm.
292 return (g, x - (b // a) * y, y)
299 |m|). This number only exists if |a| and |m| are co-prime - |None|
308 these numbers are not co-prime.
320 This is just a short-hand for int(string, 0) suitable for use in the
364 args = ['openssl', 'rsa', '-in', key_path, '-modulus', '-noout']
372 args.append('-pubin')
410 # Calculate n0inv = -1/n[0] (mod 2^32)
412 n0inv = b - modinv(key.modulus, b)
423 """Looks up algorithm by type.
429 A tuple with the algorithm name and an |Algorithm| instance.
432 Exception: If the algorithm cannot be found
438 raise AvbError('Unknown algorithm type {}'.format(alg_type))
449 algorithm_name: The algorithm name as per the ALGORITHMS dict.
481 ['openssl', 'rsautl', '-sign', '-inkey', key_path, '-raw'],
565 output_offset: Offset in de-sparsified file where output begins.
584 output_offset: Offset in de-sparsified file.
590 ValueError: If data is not well-formed.
628 For reading, this interface mimics a file object - it has seek(),
711 data_sz = total_sz - struct.calcsize(ImageChunk.FORMAT)
739 raise ValueError('Don\'t care chunk input size is non-zero ({})'.
858 fill_data: Fill data to append - must be four bytes.
859 size: Number of chunk - must be a multiple of four and the block size.
918 self._file_pos) - 1
923 chunk_pos_offset = self._file_pos - chunk.output_offset
924 chunk_pos_to_go = min(chunk.output_size - chunk_pos_offset, to_go)
937 to_go -= chunk_pos_to_go
976 chunk_idx = bisect.bisect_right(self._chunk_output_offsets, size) - 1
979 # Truncation in the middle of a trunk - need to keep the chunk
982 num_to_keep = size - chunk.output_offset
1017 # We've modified the file so re-read all data.
1020 # Truncating to grow - just add a DONT_CARE section.
1021 self.append_dont_care(size - self.image_size)
1025 """Class for AVB descriptor.
1078 padding_size = nbf_with_padding - num_bytes_following
1085 """Verifies contents of the descriptor - used in verify_image sub-command.
1131 self.SIZE - 16 + key_size + 1 + value_size + 1, 8)
1149 o.write(' Prop: {} -> {}\n'.format(self.key, repr(str(self.value))))
1151 o.write(' Prop: {} -> ({} bytes)\n'.format(self.key, len(self.value)))
1159 num_bytes_following = self.SIZE + len(self.key) + len(self.value) + 2 - 16
1161 padding_size = nbf_with_padding - num_bytes_following
1169 """Verifies contents of the descriptor - used in verify_image sub-command.
1189 dm_verity_version: dm-verity version used.
1198 hash_algorithm: Hash algorithm used.
1209 'L' # dm-verity version used
1218 '32s' # hash algorithm used
1245 self.SIZE - 16 + partition_name_len + salt_len + root_digest_len, 8)
1249 # Nuke NUL-bytes at the end.
1254 # Validate UTF-8 - decode() raises UnicodeDecodeError if not valid UTF-8.
1255 self.partition_name.decode('utf-8')
1262 raise LookupError('root_digest_len doesn\'t match hash algorithm')
1287 o.write(' Version of dm-verity: {}\n'.format(self.dm_verity_version))
1298 o.write(' Hash Algorithm: {}\n'.format(self.hash_algorithm))
1312 encoded_name = self.partition_name.encode('utf-8')
1314 len(self.root_digest) - 16)
1316 padding_size = nbf_with_padding - num_bytes_following
1329 """Verifies contents of the descriptor - used in verify_image sub-command.
1344 digest_padding = round_to_pow2(digest_size) - digest_size
1358 # ... also check that the on-disk hashtree matches
1382 hash_algorithm: Hash algorithm used.
1394 '32s' # hash algorithm used
1419 self.SIZE - 16 + partition_name_len + salt_len + digest_len, 8)
1422 # Nuke NUL-bytes at the end.
1427 # Validate UTF-8 - decode() raises UnicodeDecodeError if not valid UTF-8.
1428 self.partition_name.decode('utf-8')
1435 raise LookupError('digest_len doesn\'t match hash algorithm')
1453 o.write(' Hash Algorithm: {}\n'.format(self.hash_algorithm))
1467 encoded_name = self.partition_name.encode('utf-8')
1469 self.SIZE + len(encoded_name) + len(self.salt) + len(self.digest) - 16)
1471 padding_size = nbf_with_padding - num_bytes_following
1481 """Verifies contents of the descriptor - used in verify_image sub-command.
1511 """A class for kernel command-line descriptors.
1517 kernel_cmdline: The kernel command-line.
1544 expected_size = round_to_multiple(self.SIZE - 16 + kernel_cmdline_length,
1549 # Nuke NUL-bytes at the end.
1552 # Validate UTF-8 - decode() raises UnicodeDecodeError if not valid UTF-8.
1553 self.kernel_cmdline.decode('utf-8')
1575 encoded_str = self.kernel_cmdline.encode('utf-8')
1576 num_bytes_following = (self.SIZE + len(encoded_str) - 16)
1578 padding_size = nbf_with_padding - num_bytes_following
1586 """Verifies contents of the descriptor - used in verify_image sub-command.
1637 self.SIZE - 16 + partition_name_len + public_key_len, 8)
1644 # Validate UTF-8 - decode() raises UnicodeDecodeError if not valid UTF-8.
1645 self.partition_name.decode('utf-8')
1674 encoded_name = self.partition_name.encode('utf-8')
1676 self.SIZE + len(encoded_name) + len(self.public_key) - 16)
1678 padding_size = nbf_with_padding - num_bytes_following
1687 """Verifies contents of the descriptor - used in verify_image sub-command.
1701 '--expected_chain_partition to specify expected '
1760 the image before AVB information was added.
1799 raise LookupError('Given data does not look like a AVB footer.')
1820 """A class for parsing and writing AVB vbmeta images.
1837 'L' # algorithm type
1846 '47sx' + # NUL-terminated release string
1872 # Nuke NUL-bytes at the end of the string.
1946 class Avb(object): class
1947 """Business logic for avbtool command-line tool."""
1957 # meaningful errors if the value passed in via --partition_size is
1958 # too small and when --calc_max_image_size is used. We use
2033 vbmeta_end_offset += image.block_size - (vbmeta_end_offset % image.block_size)
2045 image.append_dont_care(partition_size - vbmeta_end_offset -
2048 # Just reuse the same footer - only difference is that we're
2051 footer_blob_with_padding = ('\0'*(image.block_size - AvbFooter.SIZE) +
2094 output: Output file to write human-readable information to (file object).
2111 o.write('--\n')
2124 o.write('Algorithm: {}\n'.format(alg_name))
2219 AvbDescriptor-derived instances, and the fourth argument is the
2224 image.seek(image.image_size - AvbFooter.SIZE)
2259 image.seek(image.image_size - AvbFooter.SIZE)
2280 """Generate kernel cmdline descriptors for dm-verity.
2286 A list with two AvbKernelCmdlineDescriptor with dm-verity kernel cmdline
2320 c += '" root=/dev/dm-0'
2322 # Now that we have the command-line, generate the descriptor.
2329 # simpler - we just set the root to the partition.
2338 """Generate kernel cmdline descriptors for dm-verity.
2344 A list with two AvbKernelCmdlineDescriptor with dm-verity kernel cmdline
2382 algorithm_name: Name of algorithm to use.
2438 padding_needed = padded_size - len(vbmeta_blob)
2463 algorithm_name: The algorithm name as per the ALGORITHMS dict.
2474 dm-verity kernel cmdline from.
2476 generate dm-verity kernel cmdline descriptors from.
2490 been given and the given algorithm requires one, or the key is
2497 raise AvbError('Unknown algorithm with name {}'.format(algorithm_name))
2538 if idx == -1:
2547 if idx == -1:
2556 # Add AvbKernelCmdline descriptor for dm-verity from an image, if requested.
2564 # Add AvbKernelCmdline descriptor for dm-verity from desc, if requested.
2571 # Add kernel command-lines.
2589 # The --include_descriptors_from_image option is used in some setups
2612 raise AvbError('Key is required for algorithm {}'.format(
2616 raise AvbError('Key is wrong size for algorithm {}'.format(
2645 # Signature offset and size - it's stored right after the hash
2661 padding_bytes = h.auxiliary_data_block_size - len(aux_data_blob)
2685 padding_bytes = h.authentication_data_block_size - len(auth_data_blob)
2721 image.seek(image.image_size - AvbFooter.SIZE)
2733 # If anything goes wrong from here-on, restore the image back to
2743 padding_needed = image.block_size - (image.image_size%image.block_size)
2751 padding_needed = (round_to_multiple(len(vbmeta_blob), image.block_size) -
2761 image.append_dont_care(partition_size - vbmeta_end_offset -
2772 footer_blob_with_padding = ('\0'*(image.block_size - AvbFooter.SIZE) +
2777 # Truncate back to original size, then re-raise
2799 hash_algorithm: Hash algorithm to use.
2802 algorithm_name: Name of algorithm to use.
2811 dm-verity kernel cmdline from.
2814 calc_max_image_size: Don't store the footer - instead calculate the
2848 max_image_size = partition_size - max_metadata_size
2866 image.seek(image.image_size - AvbFooter.SIZE)
2878 # If anything goes wrong from here-on, restore the image back to
2939 padding_needed = image.block_size - (
2949 round_to_multiple(len(vbmeta_blob), image.block_size) -
2958 image.append_dont_care(partition_size - vbmeta_end_offset -
2969 footer_blob_with_padding = ('\0'*(image.block_size - AvbFooter.SIZE) +
2974 # Truncate back to original size, then re-raise
2996 more information about dm-verity and these hashes.
3004 hash_algorithm: Hash algorithm to use.
3008 algorithm_name: Name of algorithm to use.
3017 dm-verity kernel cmdline from.
3018 setup_as_rootfs_from_kernel: If True, generate dm-verity kernel
3022 calc_max_image_size: Don't store the hashtree or footer - instead
3049 digest_padding = round_to_pow2(digest_size) - digest_size
3063 max_image_size = partition_size - max_metadata_size
3081 image.seek(image.image_size - AvbFooter.SIZE)
3093 # If anything goes wrong from here-on, restore the image back to
3099 image.append_raw('\0' * (rounded_image_size - image.image_size))
3128 padding_needed = image.block_size - (image.image_size%image.block_size)
3158 padding_needed = (round_to_multiple(len(hash_tree), image.block_size) -
3167 padding_needed = (round_to_multiple(len(fec_data), image.block_size) -
3191 padding_needed = (round_to_multiple(len(vbmeta_blob), image.block_size) -
3205 image.append_dont_care(partition_size - image.image_size -
3216 footer_blob_with_padding = ('\0'*(image.block_size - AvbFooter.SIZE) +
3221 # Truncate back to original size, then re-raise.
3233 a fused, permanent root key. These certificates are fixed-length and fixed-
3240 signature. The signature can be created out-of-band
3243 subject_key_version: A 64-bit version value. If this is None, the number
3297 product_id: A 16-byte Product ID.
3344 Android Things unlock credentials can be used to authorize the unlock of AVB
3346 via the fastboot interface in response to a 16-byte challenge. This method
3401 """Calculate the offsets of all the hash-levels in a Merkle-tree.
3404 image_size: The size of the image to calculate a Merkle-tree for.
3406 digest_size: The size of each hash, e.g. 32 for SHA-256.
3419 num_blocks = (size + block_size - 1) / block_size
3458 ['fec', '--print-fec-size', str(image_size), '--roots', str(num_roots)],
3483 ['fec', '--encode', '--roots', str(num_roots), image_filename,
3488 footer_data = fec_data[-footer_size:]
3498 """Generates a Merkle-tree for a file.
3504 hash_alg_name: The hash algorithm, e.g. 'sha256' or 'sha1'.
3511 A tuple where the first element is the top-level hash and the
3512 second element is the hash-tree.
3523 # Only read from the file for the first level - for subsequent
3526 image.seek(hash_src_offset + hash_src_size - remaining)
3529 offset = hash_level_offsets[level_num - 1] + hash_src_size - remaining
3533 remaining -= len(data)
3535 hasher.update('\0' * (block_size - len(data)))
3541 len(level_output), block_size) - len(level_output))
3544 # Copy level-output into resulting tree.
3558 """Object for avbtool command-line tool."""
3562 self.avb = Avb()
3565 """Adds arguments used by several sub-commands.
3570 sub_parser.add_argument('--algorithm',
3571 help='Algorithm to use (default: NONE)',
3572 metavar='ALGORITHM',
3574 sub_parser.add_argument('--key',
3578 sub_parser.add_argument('--signing_helper',
3583 sub_parser.add_argument('--signing_helper_with_files',
3588 sub_parser.add_argument('--public_key_metadata',
3592 sub_parser.add_argument('--rollback_index',
3596 # This is used internally for unit tests. Do not include in --help output.
3597 sub_parser.add_argument('--internal_release_string',
3599 sub_parser.add_argument('--append_to_release_string',
3602 sub_parser.add_argument('--prop',
3606 sub_parser.add_argument('--prop_from_file',
3610 sub_parser.add_argument('--kernel_cmdline',
3614 # TODO(zeuthen): the --setup_rootfs_from_kernel option used to be called
3615 # --generate_dm_verity_cmdline_from_hashtree. Remove support for the latter
3617 sub_parser.add_argument('--setup_rootfs_from_kernel',
3618 '--generate_dm_verity_cmdline_from_hashtree',
3622 sub_parser.add_argument('--include_descriptors_from_image',
3627 sub_parser.add_argument('--print_required_libavb_version',
3628 help=('Don\'t store the footer - '
3632 # These are only allowed from top-level vbmeta and boot-in-lieu-of-vbmeta.
3633 sub_parser.add_argument('--chain_partition',
3634 help='Allow signed integrity-data for partition',
3637 sub_parser.add_argument('--flags',
3641 sub_parser.add_argument('--set_hashtree_disabled_flag',
3646 """Adds arguments used by add_*_footer sub-commands.
3651 sub_parser.add_argument('--use_persistent_digest',
3655 'with --do_not_use_ab when an A/B suffix is '
3658 sub_parser.add_argument('--do_not_use_ab',
3678 """Command-line processor.
3692 sub_parser.add_argument('--key',
3695 sub_parser.add_argument('--output',
3703 sub_parser.add_argument('--output',
3706 sub_parser.add_argument('--padding_size',
3708 help='If non-zero, pads output with NUL bytes so '
3717 sub_parser.add_argument('--image',
3720 sub_parser.add_argument('--partition_size',
3723 sub_parser.add_argument('--partition_name',
3726 sub_parser.add_argument('--hash_algorithm',
3727 help='Hash algorithm to use (default: sha256)',
3729 sub_parser.add_argument('--salt',
3731 sub_parser.add_argument('--calc_max_image_size',
3732 help=('Don\'t store the footer - '
3737 sub_parser.add_argument('--output_vbmeta_image',
3740 sub_parser.add_argument('--do_not_append_vbmeta_image',
3750 sub_parser.add_argument('--image',
3753 sub_parser.add_argument('--partition_size',
3757 sub_parser.add_argument('--vbmeta_image',
3764 sub_parser.add_argument('--image',
3767 sub_parser.add_argument('--partition_size',
3770 sub_parser.add_argument('--partition_name',
3773 sub_parser.add_argument('--hash_algorithm',
3774 help='Hash algorithm to use (default: sha1)',
3776 sub_parser.add_argument('--salt',
3778 sub_parser.add_argument('--block_size',
3782 # TODO(zeuthen): The --generate_fec option was removed when we
3787 sub_parser.add_argument('--generate_fec',
3790 sub_parser.add_argument('--do_not_generate_fec',
3791 help='Do not generate forward-error-correction codes',
3793 sub_parser.add_argument('--fec_num_roots',
3797 sub_parser.add_argument('--calc_max_image_size',
3798 help=('Don\'t store the hashtree or footer - '
3804 sub_parser.add_argument('--output_vbmeta_image',
3807 sub_parser.add_argument('--do_not_append_vbmeta_image',
3811 # This is different from --setup_rootfs_from_kernel insofar that
3814 sub_parser.add_argument('--setup_as_rootfs_from_kernel',
3823 sub_parser.add_argument('--image',
3827 sub_parser.add_argument('--keep_hashtree',
3834 sub_parser.add_argument('--image',
3838 sub_parser.add_argument('--partition_size',
3846 sub_parser.add_argument('--image',
3850 sub_parser.add_argument('--output',
3859 sub_parser.add_argument('--image',
3863 sub_parser.add_argument('--key',
3867 sub_parser.add_argument('--expected_chain_partition',
3875 sub_parser.add_argument('--misc_image',
3880 sub_parser.add_argument('--slot_data',
3892 sub_parser.add_argument('--output',
3896 sub_parser.add_argument('--subject',
3900 sub_parser.add_argument('--subject_key',
3904 sub_parser.add_argument('--subject_key_version',
3908 sub_parser.add_argument('--subject_is_intermediate_authority',
3912 sub_parser.add_argument('--usage',
3916 sub_parser.add_argument('--authority_key',
3919 sub_parser.add_argument('--signing_helper',
3924 sub_parser.add_argument('--signing_helper_with_files',
3934 sub_parser.add_argument('--output',
3938 sub_parser.add_argument('--root_authority_key',
3942 sub_parser.add_argument('--product_id',
3951 sub_parser.add_argument('--output',
3955 sub_parser.add_argument('--intermediate_key_certificate',
3959 sub_parser.add_argument('--product_key_certificate',
3968 sub_parser.add_argument('--output',
3972 sub_parser.add_argument('--intermediate_key_certificate',
3976 sub_parser.add_argument('--unlock_key_certificate',
3980 sub_parser.add_argument('--challenge',
3986 sub_parser.add_argument('--unlock_key',
3988 'provided if using --challenge.',
3990 sub_parser.add_argument('--signing_helper',
3995 sub_parser.add_argument('--signing_helper_with_files',
4010 """Implements the 'version' sub-command."""
4014 """Implements the 'extract_public_key' sub-command."""
4015 self.avb.extract_public_key(args.key, args.output)
4018 """Implements the 'make_vbmeta_image' sub-command."""
4020 self.avb.make_vbmeta_image(args.output, args.chain_partition,
4021 args.algorithm, args.key,
4035 """Implements the 'append_vbmeta_image' sub-command."""
4036 self.avb.append_vbmeta_image(args.image.name, args.vbmeta_image.name,
4040 """Implements the 'add_hash_footer' sub-command."""
4042 self.avb.add_hash_footer(args.image.name if args.image else None,
4045 args.salt, args.chain_partition, args.algorithm,
4064 """Implements the 'add_hashtree_footer' sub-command."""
4067 # '--generate_fec' option above.
4069 sys.stderr.write('The --generate_fec option is deprecated since FEC '
4071 '--do_not_generate_fec to not generate FEC.\n')
4072 self.avb.add_hashtree_footer(args.image.name if args.image else None,
4077 args.salt, args.chain_partition, args.algorithm,
4097 """Implements the 'erase_footer' sub-command."""
4098 self.avb.erase_footer(args.image.name, args.keep_hashtree)
4101 """Implements the 'resize_image' sub-command."""
4102 self.avb.resize_image(args.image.name, args.partition_size)
4105 """Implements the 'set_ab_metadata' sub-command."""
4106 self.avb.set_ab_metadata(args.misc_image, args.slot_data)
4109 """Implements the 'info_image' sub-command."""
4110 self.avb.info_image(args.image.name, args.output)
4113 """Implements the 'verify_image' sub-command."""
4114 self.avb.verify_image(args.image.name, args.key,
4118 """Implements the 'make_atx_certificate' sub-command."""
4119 self.avb.make_atx_certificate(args.output, args.authority_key,
4129 """Implements the 'make_atx_permanent_attributes' sub-command."""
4130 self.avb.make_atx_permanent_attributes(args.output,
4135 """Implements the 'make_atx_metadata' sub-command."""
4136 self.avb.make_atx_metadata(args.output,
4141 """Implements the 'make_atx_unlock_credential' sub-command."""
4142 self.avb.make_atx_unlock_credential(