The build system signs the VBMeta struct in VBMeta image with the AVB private key and stores one copy of the public key in the signed VBMeta image. During AVB verification, U-Boot validates the public key first, and then uses the public key to authenticate the signed VBMeta image.
There is another pair of asymmetric keys (AVB boot keys) to sign the VBMeta struct in the boot image, which would be built as chained partition. For more information about chained partitions, see Android Verified Boot 2.0.
Custom keys should be used for production. To generate and configure your keys, follow these steps:
You are responsible for storing and protecting the private keys. Loss of the private keys will result in not being able to sign artifacts with the affected keys. |
1. Generate custom AVB keys
A pair of asymmetric keys, AVB keys, are used to sign the VBMeta struct in the VBMeta image:
-
Generate the private key with OpenSSL. For example, to generate a RSA-4096 private key called
custom_rsa4096_private.pem
:$ openssl genpkey -algorithm RSA \ -pkeyopt rsa_keygen_bits:4096 \ -outform PEM \ -out custom_rsa4096_private.pem
-
Extract the corresponding public key from the private key. Use
avbtool
located at/usr/local/dea-11.0-r2/external/avb
.$ /usr/local/dea-11.0-r2/external/avb/avbtool extract_public_key \ --key custom_rsa4096_private.pem \ --output custom_rsa4096_public.bin
SHA256_RSA4096 and SHA256_RSA2048 are recommended algorithms to sign the images. Cryptographic Acceleration and Assurance Module (CAAM) of ConnectCore 8M Mini can help accelerate the hash calculation.
2. Generate custom AVB boot keys
The boot image is built as a chained partition and the VBMeta struct in boot image is signed by a pair of asymmetric keys, AVB boot keys.
To generate the private key with OpenSSL, for example, a RSA-2048 private key called custom_rsa2048_private.pem
, execute:
$ openssl genpkey -algorithm RSA \
-pkeyopt rsa_keygen_bits:2048 \
-outform PEM \
-out custom_rsa2048_private.pem
SHA256_RSA4096 and SHA256_RSA2048 are recommended algorithms to sign the images for ConnectCore 8M Mini, whose CAAM can help accelerate the hash calculation.
3. Sign with your AVB keys
To use your keys to sign the images for production you can:
Sign development images with your custom keys
Build using test/development keys and sign the resulting images with your custom keys in a secure production environment.
Configure the build system to use your keys
-
Set AVB key.
Set
BOARD_AVB_ALGORITHM
andBOARD_AVB_KEY_PATH
defined atdevice/digi/imx8m/ccimx8mmdvk/BoardConfig.mk
:BOARD_AVB_ALGORITHM := SHA256_RSA4096 BOARD_AVB_KEY_PATH := ${your-key-directory}/custom_rsa4096_private.pem
By default, the build system uses the algorithm SHA256_RSA4096 and the private AVB key
device/digi/common/security/testkey_rsa4096.pem
to sign the VBMeta struct in VBMeta image.Its corresponding public key is
device/digi/common/security/testkey_public_rsa4096.bin
. -
Set AVB boot key to sign the boot image.
Configure
BOARD_AVB_BOOT_ALGORITHM
andBOARD_AVB_BOOT_KEY_PATH
defined atdevice/digi/imx8m/ccimx8mmdvk/BoardConfig.mk
:BOARD_AVB_BOOT_ALGORITHM := SHA256_RSA2048 BOARD_AVB_BOOT_KEY_PATH := ${your-key-directory}/custom_rsa2048_private.pem
By default, the build system uses the algorithm SHA256_RSA2048 and the private AVB boot key
external/avb/test/data/testkey_rsa2048.pem
to sign the boot image.