Lines Matching +full:embedded +full:- +full:trace +full:- +full:extension
25 """Command-line tool for working with Android Verified Boot images."""
56 """Application-specific errors.
58 These errors represent issues for which a stack-trace should not be
74 The constant |ALGORITHMS| is a dictionary from human-readable
98 # The PKC1-v1.5 padding is a blob of binary DER of ASN.1 and is
115 # PKCS1-v1_5 padding
129 # PKCS1-v1_5 padding
143 # PKCS1-v1_5 padding
157 # PKCS1-v1_5 padding
171 # PKCS1-v1_5 padding
185 # PKCS1-v1_5 padding
217 return number + size - remainder
231 return 2**((number - 1).bit_length())
237 This number is written big-endian, e.g. with the most significant
250 for bit_pos in range(num_bits, 0, -8):
251 octet = (value >> (bit_pos - 8)) & 0xff
259 This number is expected to be in big-endian, e.g. with the most
294 return (g, x - (b // a) * y, y)
301 |m|). This number only exists if |a| and |m| are co-prime - |None|
310 these numbers are not co-prime.
321 This is just a short-hand for int(string, 0) suitable for use in the
369 args = ['openssl', 'rsa', '-in', key_path, '-modulus', '-noout']
377 args.append('-pubin')
414 # Calculate n0inv = -1/n[0] (mod 2^32)
416 n0inv = b - modinv(self.modulus, b)
484 ['openssl', 'rsautl', '-sign', '-inkey', self.key_path, '-raw'],
537 """Checks that signature in a vbmeta blob was made by the embedded public key.
545 True if the signature is valid and corresponds to the embedded
624 ['openssl', 'asn1parse', '-genconf', asn1_tmpfile.name, '-out',
625 der_tmpfile.name, '-noout'])
631 ['openssl', 'rsautl', '-verify', '-pubin', '-inkey', der_tmpfile.name,
632 '-keyform', 'DER', '-raw'],
649 if algorithm.lower() == 'blake2b-256':
661 output_offset: Offset in de-sparsified file where output begins.
680 output_offset: Offset in de-sparsified file.
724 For reading, this interface mimics a file object - it has seek(),
750 read_only: True if file is only opened for read-only operations.
816 data_sz = total_sz - struct.calcsize(ImageChunk.FORMAT)
844 raise ValueError('Don\'t care chunk input size is non-zero ({})'.
905 OSError: If ImageHandler was initialized in read-only mode.
910 raise OSError('ImageHandler is in read-only mode.')
942 OSError: If ImageHandler was initialized in read-only mode.
947 raise OSError('ImageHandler is in read-only mode.')
975 fill_data: Fill data to append - must be four bytes.
976 size: Number of chunk - must be a multiple of four and the block size.
979 OSError: If ImageHandler was initialized in read-only mode.
986 raise OSError('ImageHandler is in read-only mode.')
1043 self._file_pos) - 1
1048 chunk_pos_offset = self._file_pos - chunk.output_offset
1049 chunk_pos_to_go = min(chunk.output_size - chunk_pos_offset, to_go)
1062 to_go -= chunk_pos_to_go
1087 OSError: If ImageHandler was initialized in read-only mode.
1090 raise OSError('ImageHandler is in read-only mode.')
1106 chunk_idx = bisect.bisect_right(self._chunk_output_offsets, size) - 1
1109 # Truncation in the middle of a trunk - need to keep the chunk
1112 num_to_keep = size - chunk.output_offset
1147 # We've modified the file so re-read all data.
1150 # Truncating to grow - just add a DONT_CARE section.
1151 self.append_dont_care(size - self.image_size)
1208 padding_size = nbf_with_padding - num_bytes_following
1216 """Verifies contents of the descriptor - used in verify_image sub-command.
1220 image_ext: The extension of the file being verified (e.g. '.img').
1230 # Deletes unused parameters to prevent pylint warning unused-argument.
1270 self.SIZE - 16 + key_size + 1 + value_size + 1, 8)
1275 self.key = data[self.SIZE:(self.SIZE + key_size)].decode('utf-8')
1277 raise LookupError('Key cannot be decoded as UTF-8: {}.'
1299 o.write(' Prop: {} -> {}\n'.format(self.key, printable_value))
1301 o.write(' Prop: {} -> ({} bytes)\n'.format(self.key, len(self.value)))
1309 key_encoded = self.key.encode('utf-8')
1311 self.SIZE + len(key_encoded) + len(self.value) + 2 - 16)
1313 padding_size = nbf_with_padding - num_bytes_following
1322 """Verifies contents of the descriptor - used in verify_image sub-command.
1326 image_ext: The extension of the file being verified (e.g. '.img').
1346 dm_verity_version: dm-verity version used.
1366 'L' # dm-verity version used
1405 self.SIZE - 16 + partition_name_len + salt_len + root_digest_len, 8)
1409 # Nuke NUL-bytes at the end.
1415 ].decode('utf-8')
1417 raise LookupError('Partition name cannot be decoded as UTF-8: {}.'
1454 o.write(' Version of dm-verity: {}\n'.format(self.dm_verity_version))
1478 partition_name_encoded = self.partition_name.encode('utf-8')
1480 + len(self.salt) + len(self.root_digest) - 16)
1482 padding_size = nbf_with_padding - num_bytes_following
1496 """Verifies contents of the descriptor - used in verify_image sub-command.
1500 image_ext: The extension of the file being verified (e.g. '.img').
1518 digest_padding = round_to_pow2(digest_size) - digest_size
1527 # The root digest must match unless it is not embedded in the descriptor.
1532 # ... also check that the on-disk hashtree matches
1538 '--accept_zeroed_hashtree was given'
1599 self.SIZE - 16 + partition_name_len + salt_len + digest_len, 8)
1602 # Nuke NUL-bytes at the end.
1608 ].decode('utf-8')
1610 raise LookupError('Partition name cannot be decoded as UTF-8: {}.'
1649 partition_name_encoded = self.partition_name.encode('utf-8')
1651 len(self.salt) + len(self.digest) - 16)
1653 padding_size = nbf_with_padding - num_bytes_following
1664 """Verifies contents of the descriptor - used in verify_image sub-command.
1668 image_ext: The extension of the file being verified (e.g. '.img').
1701 """A class for kernel command-line descriptors.
1707 kernel_cmdline: The kernel command-line as string.
1734 expected_size = round_to_multiple(self.SIZE - 16 + kernel_cmdline_length,
1739 # Nuke NUL-bytes at the end.
1742 self.SIZE:(self.SIZE + kernel_cmdline_length)].decode('utf-8')
1744 raise LookupError('Kernel command-line cannot be decoded as UTF-8: {}.'
1766 kernel_cmd_encoded = self.kernel_cmdline.encode('utf-8')
1767 num_bytes_following = (self.SIZE + len(kernel_cmd_encoded) - 16)
1769 padding_size = nbf_with_padding - num_bytes_following
1777 """Verifies contents of the descriptor - used in verify_image sub-command.
1781 image_ext: The extension of the file being verified (e.g. '.img').
1832 self.SIZE - 16 + partition_name_len + public_key_len, 8)
1840 ].decode('utf-8')
1842 raise LookupError('Partition name cannot be decoded as UTF-8: {}.'
1872 partition_name_encoded = self.partition_name.encode('utf-8')
1874 self.SIZE + len(partition_name_encoded) + len(self.public_key) - 16)
1876 padding_size = nbf_with_padding - num_bytes_following
1886 """Verifies contents of the descriptor - used in verify_image sub-command.
1890 image_ext: The extension of the file being verified (e.g. '.img').
1903 '--expected_chain_partition to specify expected '
1904 'contents or --follow_chain_partitions.\n'.
2055 zero if the vbmeta image is not a top-level image.
2061 "avbtool 1.0.0 xyz_board Git-234abde89". Is guaranteed to be NUL
2083 '47sx' + # NUL-terminated release string
2110 # Nuke NUL-bytes at the end of the string.
2113 self.release_string = release_string.rstrip(b'\0').decode('utf-8')
2157 release_string_encoded = self.release_string.encode('utf-8')
2172 """Business logic for avbtool command-line tool."""
2182 # meaningful errors if the value passed in via --partition_size is
2183 # too small and when --calc_max_image_size is used. We use
2228 padding_needed = padded_size - len(vbmeta_blob)
2301 raise AvbError('Hash-tree and FEC data must be adjacent.')
2307 data = image.read(image.image_size - zero_end_offset)
2310 # where a magic marker - ZeroHaSH - is placed. Place these markers in the
2317 data_zeroed_firstblock = b'ZeRoHaSH' + b'\0' * (image.block_size - 8)
2319 image.append_fill(b'\0\0\0\0', zero_ht_num_bytes - image.block_size)
2322 image.append_fill(b'\0\0\0\0', zero_fec_num_bytes - image.block_size)
2349 vbmeta_end_offset += image.block_size - (vbmeta_end_offset
2362 image.append_dont_care(partition_size - vbmeta_end_offset -
2365 # Just reuse the same footer - only difference is that we're
2368 footer_blob_with_padding = (b'\0' * (image.block_size - AvbFooter.SIZE) +
2411 output: Output file to write human-readable information to (file object).
2412 atx: If True, show information about Android Things eXtension (ATX).
2433 o.write('--\n')
2466 o.write('Android Things eXtension (ATX):\n')
2496 key_path: None or check that embedded public key matches key at given
2501 the --expected_chain_partition option
2531 print('Verifying image {} using embedded public key'.format(
2551 # The embedded public key is in the auxiliary block at an offset.
2558 raise AvbError('Embedded public key does not match given key.')
2572 # --expect_chain_partition ... however --follow_chain_partitions was
2581 # Honor --follow_chain_partitions - add '--' to make the output more
2585 print('--')
2596 output: Output file to write human-readable information to (file object).
2618 output: Output file to write human-readable information to (file object).
2622 image_ext: The extension to use for chained partition files.
2658 output: Output file to write human-readable information to (file object).
2701 output: Output file to write human-readable information to (file object).
2751 AvbDescriptor-derived instances, and the fourth argument is the
2759 image.seek(image.image_size - AvbFooter.SIZE)
2794 image.seek(image.image_size - AvbFooter.SIZE)
2815 """Generate kernel cmdline descriptors for dm-verity.
2821 A list with two AvbKernelCmdlineDescriptor with dm-verity kernel cmdline
2862 c += '" root=/dev/dm-0'
2864 # Now that we have the command-line, generate the descriptor.
2871 # simpler - we just set the root to the partition.
2880 """Generate kernel cmdline descriptors for dm-verity.
2886 A list with two AvbKernelCmdlineDescriptor with dm-verity kernel cmdline
2982 padding_needed = padded_size - len(vbmeta_blob)
3020 dm-verity kernel cmdline from.
3022 generate dm-verity kernel cmdline descriptors from.
3085 if idx == -1:
3087 # pylint: disable=redefined-variable-type
3090 desc.value = prop[(idx + 1):].encode('utf-8')
3095 if idx == -1:
3101 # pylint: disable=attribute-defined-outside-init
3105 # Add AvbKernelCmdline descriptor for dm-verity from an image, if requested.
3113 # Add AvbKernelCmdline descriptor for dm-verity from desc, if requested.
3120 # Add kernel command-lines.
3138 # The --include_descriptors_from_image option is used in some setups
3194 # Signature offset and size - it's stored right after the hash
3211 padding_bytes = h.auxiliary_data_block_size - len(aux_data_blob)
3233 padding_bytes = h.authentication_data_block_size - len(auth_data_blob)
3272 image.seek(image.image_size - AvbFooter.SIZE)
3284 # If anything goes wrong from here-on, restore the image back to
3294 padding_needed = image.block_size - (image.image_size%image.block_size)
3302 padding_needed = (round_to_multiple(len(vbmeta_blob), image.block_size) -
3312 image.append_dont_care(partition_size - vbmeta_end_offset -
3323 footer_blob_with_padding = (b'\0' * (image.block_size - AvbFooter.SIZE) +
3328 # Truncate back to original size, then re-raise.
3366 dm-verity kernel cmdline from.
3369 calc_max_image_size: Don't store the footer - instead calculate the
3386 raise AvbError('--dynamic_partition_size required when not specifying a '
3390 raise AvbError('--calc_max_image_size not supported with '
3391 '--dynamic_partition_size')
3415 print('{}'.format(partition_size - max_metadata_size))
3424 image.seek(image.image_size - AvbFooter.SIZE)
3440 max_image_size = partition_size - max_metadata_size
3446 # If anything goes wrong from here-on, restore the image back to
3509 padding_needed = image.block_size - (
3519 round_to_multiple(len(vbmeta_blob), image.block_size) -
3528 image.append_dont_care(partition_size - vbmeta_end_offset -
3540 b'\0' * (image.block_size - AvbFooter.SIZE) + footer_blob)
3543 # Truncate back to original size, then re-raise.
3567 more information about dm-verity and these hashes.
3589 dm-verity kernel cmdline from.
3590 setup_as_rootfs_from_kernel: If True, generate dm-verity kernel
3594 calc_max_image_size: Don't store the hashtree or footer - instead
3627 digest_padding = round_to_pow2(digest_size) - digest_size
3644 max_image_size = partition_size - max_metadata_size
3669 image.seek(image.image_size - AvbFooter.SIZE)
3681 # If anything goes wrong from here-on, restore the image back to
3687 image.append_raw('\0' * (rounded_image_size - image.image_size))
3718 padding_needed = image.block_size - (image.image_size%image.block_size)
3753 padding_needed = (round_to_multiple(len(hash_tree), image.block_size) -
3765 padding_needed = (round_to_multiple(len(fec_data), image.block_size) -
3790 padding_needed = (round_to_multiple(len(vbmeta_blob), image.block_size) -
3805 image.append_dont_care(partition_size - image.image_size -
3817 b'\0' * (image.block_size - AvbFooter.SIZE) + footer_blob)
3821 # Truncate back to original size, then re-raise.
3833 a fused, permanent root key. These certificates are fixed-length and fixed-
3840 signature. The signature can be created out-of-band
3843 subject_key_version: A 64-bit version value. If this is None, the number
3893 product_id: A 16-byte Product ID.
3898 EXPECTED_PRODUCT_ID_SIZE = 16 # pylint: disable=invalid-name
3925 EXPECTED_CERTIFICATE_SIZE = 1620 # pylint: disable=invalid-name
3942 via the fastboot interface in response to a 16-byte challenge. This method
3965 EXPECTED_CERTIFICATE_SIZE = 1620 # pylint: disable=invalid-name
3966 EXPECTED_CHALLENGE_SIZE = 16 # pylint: disable=invalid-name
3989 """Calculate the offsets of all the hash-levels in a Merkle-tree.
3992 image_size: The size of the image to calculate a Merkle-tree for.
3994 digest_size: The size of each hash, e.g. 32 for SHA-256.
4007 num_blocks = (size + block_size - 1) // block_size
4045 ['fec', '--print-fec-size', str(image_size), '--roots', str(num_roots)],
4071 ['fec', '--encode', '--roots', str(num_roots), image_filename,
4080 footer_data = fec_data[-footer_size:]
4090 """Generates a Merkle-tree for a file.
4103 A tuple where the first element is the top-level hash as bytes and the
4104 second element is the hash-tree as bytes.
4111 # If there is only one block, returns the top-level hash directly.
4123 # Only read from the file for the first level - for subsequent
4126 image.seek(hash_src_offset + hash_src_size - remaining)
4129 offset = hash_level_offsets[level_num - 1] + hash_src_size - remaining
4133 remaining -= len(data)
4135 hasher.update(b'\0' * (block_size - len(data)))
4143 len(level_output), block_size) - len(level_output))
4146 # Copy level-output into resulting tree.
4160 """Object for avbtool command-line tool."""
4167 """Adds arguments used by several sub-commands.
4172 sub_parser.add_argument('--algorithm',
4176 sub_parser.add_argument('--key',
4180 sub_parser.add_argument('--signing_helper',
4185 sub_parser.add_argument('--signing_helper_with_files',
4190 sub_parser.add_argument('--public_key_metadata',
4194 sub_parser.add_argument('--rollback_index',
4198 sub_parser.add_argument('--rollback_index_location',
4202 # This is used internally for unit tests. Do not include in --help output.
4203 sub_parser.add_argument('--internal_release_string',
4205 sub_parser.add_argument('--append_to_release_string',
4208 sub_parser.add_argument('--prop',
4212 sub_parser.add_argument('--prop_from_file',
4216 sub_parser.add_argument('--kernel_cmdline',
4220 # TODO(zeuthen): the --setup_rootfs_from_kernel option used to be called
4221 # --generate_dm_verity_cmdline_from_hashtree. Remove support for the latter
4223 sub_parser.add_argument('--setup_rootfs_from_kernel',
4224 '--generate_dm_verity_cmdline_from_hashtree',
4228 sub_parser.add_argument('--include_descriptors_from_image',
4233 sub_parser.add_argument('--print_required_libavb_version',
4234 help=('Don\'t store the footer - '
4238 # These are only allowed from top-level vbmeta and boot-in-lieu-of-vbmeta.
4239 sub_parser.add_argument('--chain_partition',
4240 help='Allow signed integrity-data for partition',
4243 sub_parser.add_argument('--flags',
4247 sub_parser.add_argument('--set_hashtree_disabled_flag',
4252 """Adds arguments used by add_*_footer sub-commands.
4257 sub_parser.add_argument('--use_persistent_digest',
4261 'with --do_not_use_ab when an A/B suffix is '
4264 sub_parser.add_argument('--do_not_use_ab',
4284 """Command-line processor.
4296 sub_parser.add_argument('--image_size',
4300 sub_parser.add_argument('--start_byte',
4304 sub_parser.add_argument('--output',
4316 sub_parser.add_argument('--key',
4319 sub_parser.add_argument('--output',
4327 sub_parser.add_argument('--output',
4330 sub_parser.add_argument('--padding_size',
4332 help='If non-zero, pads output with NUL bytes so '
4342 sub_parser.add_argument('--image',
4345 sub_parser.add_argument('--partition_size',
4348 sub_parser.add_argument('--dynamic_partition_size',
4351 sub_parser.add_argument('--partition_name',
4354 sub_parser.add_argument('--hash_algorithm',
4357 sub_parser.add_argument('--salt',
4359 sub_parser.add_argument('--calc_max_image_size',
4360 help=('Don\'t store the footer - '
4365 sub_parser.add_argument('--output_vbmeta_image',
4368 sub_parser.add_argument('--do_not_append_vbmeta_image',
4378 sub_parser.add_argument('--image',
4381 sub_parser.add_argument('--partition_size',
4385 sub_parser.add_argument('--vbmeta_image',
4393 sub_parser.add_argument('--image',
4396 sub_parser.add_argument('--partition_size',
4400 sub_parser.add_argument('--partition_name',
4403 sub_parser.add_argument('--hash_algorithm',
4406 sub_parser.add_argument('--salt',
4408 sub_parser.add_argument('--block_size',
4412 # TODO(zeuthen): The --generate_fec option was removed when we
4417 sub_parser.add_argument('--generate_fec',
4421 '--do_not_generate_fec',
4422 help='Do not generate forward-error-correction codes',
4424 sub_parser.add_argument('--fec_num_roots',
4428 sub_parser.add_argument('--calc_max_image_size',
4429 help=('Don\'t store the hashtree or footer - '
4435 sub_parser.add_argument('--output_vbmeta_image',
4438 sub_parser.add_argument('--do_not_append_vbmeta_image',
4442 # This is different from --setup_rootfs_from_kernel insofar that
4445 sub_parser.add_argument('--setup_as_rootfs_from_kernel',
4448 sub_parser.add_argument('--no_hashtree',
4451 sub_parser.add_argument('--check_at_most_once',
4460 sub_parser.add_argument('--image',
4464 sub_parser.add_argument('--keep_hashtree',
4471 sub_parser.add_argument('--image',
4480 sub_parser.add_argument('--image',
4484 sub_parser.add_argument('--output',
4487 sub_parser.add_argument('--padding_size',
4489 help='If non-zero, pads output with NUL bytes so '
4498 sub_parser.add_argument('--image',
4502 sub_parser.add_argument('--partition_size',
4510 sub_parser.add_argument('--image',
4514 sub_parser.add_argument('--output',
4518 sub_parser.add_argument('--atx',
4520 'eXtension (ATX).'),
4527 sub_parser.add_argument('--image',
4531 sub_parser.add_argument('--key',
4532 help='Check embedded public key matches KEY',
4535 sub_parser.add_argument('--expected_chain_partition',
4540 '--follow_chain_partitions',
4542 'specified with the --expected_chain_partition option'),
4545 '--accept_zeroed_hashtree',
4553 sub_parser.add_argument('--image',
4557 sub_parser.add_argument('--output',
4561 sub_parser.add_argument('--json',
4569 sub_parser.add_argument('--image',
4573 sub_parser.add_argument('--hash_algorithm',
4576 sub_parser.add_argument('--output',
4585 sub_parser.add_argument('--image',
4589 sub_parser.add_argument('--hashtree_disabled',
4592 sub_parser.add_argument('--output',
4600 sub_parser.add_argument('--misc_image',
4605 sub_parser.add_argument('--slot_data',
4616 help='Create an Android Things eXtension (ATX) certificate.')
4617 sub_parser.add_argument('--output',
4621 sub_parser.add_argument('--subject',
4625 sub_parser.add_argument('--subject_key',
4629 sub_parser.add_argument('--subject_key_version',
4633 sub_parser.add_argument('--subject_is_intermediate_authority',
4637 sub_parser.add_argument('--usage',
4641 sub_parser.add_argument('--authority_key',
4644 sub_parser.add_argument('--signing_helper',
4649 sub_parser.add_argument('--signing_helper_with_files',
4658 help='Create Android Things eXtension (ATX) permanent attributes.')
4659 sub_parser.add_argument('--output',
4663 sub_parser.add_argument('--root_authority_key',
4667 sub_parser.add_argument('--product_id',
4675 help='Create Android Things eXtension (ATX) metadata.')
4676 sub_parser.add_argument('--output',
4680 sub_parser.add_argument('--intermediate_key_certificate',
4684 sub_parser.add_argument('--product_key_certificate',
4692 help='Create an Android Things eXtension (ATX) unlock credential.')
4693 sub_parser.add_argument('--output',
4697 sub_parser.add_argument('--intermediate_key_certificate',
4701 sub_parser.add_argument('--unlock_key_certificate',
4705 sub_parser.add_argument('--challenge',
4711 sub_parser.add_argument('--unlock_key',
4713 'provided if using --challenge.',
4715 sub_parser.add_argument('--signing_helper',
4720 sub_parser.add_argument('--signing_helper_with_files',
4741 """Implements the 'version' sub-command."""
4745 """Implements the 'generate_test_image' sub-command."""
4749 """Implements the 'extract_public_key' sub-command."""
4753 """Implements the 'make_vbmeta_image' sub-command."""
4771 """Implements the 'append_vbmeta_image' sub-command."""
4776 """Implements the 'add_hash_footer' sub-command."""
4801 """Implements the 'add_hashtree_footer' sub-command."""
4804 # '--generate_fec' option above.
4806 sys.stderr.write('The --generate_fec option is deprecated since FEC '
4808 '--do_not_generate_fec to not generate FEC.\n')
4838 """Implements the 'erase_footer' sub-command."""
4842 """Implements the 'zero_hashtree' sub-command."""
4846 """Implements the 'extract_vbmeta_image' sub-command."""
4851 """Implements the 'resize_image' sub-command."""
4855 """Implements the 'set_ab_metadata' sub-command."""
4859 """Implements the 'info_image' sub-command."""
4863 """Implements the 'verify_image' sub-command."""
4870 """Implements the 'print_partition_digests' sub-command."""
4874 """Implements the 'calculate_vbmeta_digest' sub-command."""
4879 """Implements the 'calculate_kernel_cmdline' sub-command."""
4884 """Implements the 'make_atx_certificate' sub-command."""
4895 """Implements the 'make_atx_permanent_attributes' sub-command."""
4901 """Implements the 'make_atx_metadata' sub-command."""
4907 """Implements the 'make_atx_unlock_credential' sub-command."""