本篇android AVB2.0學習總結系統的第四篇，接上篇android AVB2.0（三）Init階段安全啟動流程， 這里介紹一下libavb庫的詳細實現。

請支持原創，原文鏈接：https://blog.csdn.net/jackone12347/article/details/121678254

首先要介紹一下本篇文章的兩個目標，帶著這兩個目標我們來分析一下libavb庫的實現。
1、android AVB是如何完成verify校驗這項任務的？
2、采用了什么樣的設計來完成verify校驗任務？

上篇內容之一：“InitAvbHandle：AVB調用exterlan/avb/libavb庫完成分區的校驗”

沒有源碼的，可以看google提供的路徑：https://android.googlesource.com/platform/system/core/+/master/init/first_stage_mount.cpp

@first_stage_mount.cpp bool FirstStageMountVBootV2::InitAvbHandle() {if (avb_handle_) return true; // Returns true if the handle is already initialized.avb_handle_ = AvbHandle::Open();if (!avb_handle_) {PLOG(ERROR) << "Failed to open AvbHandle";return false;}// Sets INIT_AVB_VERSION here for init to set ro.boot.avb_version in the second stage.setenv("INIT_AVB_VERSION", avb_handle_->avb_version().c_str(), 1);return true; }

實現在fs_avb.cpp中

AvbUniquePtr AvbHandle::Open() { //判斷設備是否lock，這里是通過讀系統屬性ro.boot.verifiedbootstate來判斷的，這個后面我專門搞篇文章來講一下。bool allow_verification_error = IsAvbPermissive();//創建AvbHandle實例AvbUniquePtr avb_handle(new AvbHandle());if (!avb_handle) {LERROR << "Failed to allocate AvbHandle";return nullptr;}//實例化AvbOps管理類對象，私有成員中有AvbOps avb_ops_FsManagerAvbOps avb_ops;AvbSlotVerifyFlags flags = allow_verification_error? AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR: AVB_SLOT_VERIFY_FLAGS_NONE;//調用AvbSlotVerify函數進行verify校驗AvbSlotVerifyResult verify_result =avb_ops.AvbSlotVerify(fs_mgr_get_slot_suffix(), flags, &avb_handle->vbmeta_images_);...//后面verify之后的結果代碼也比較簡單就不分析了，我們重點分析校驗流程

AvbSlotVerify實現在avb_ops.cpp中的avb_slot_verify函數，注意這里requested_partitions默認為空，不管是Uboot中調用libavb庫，還是android init中調用libavb庫，都是類似的處理邏輯。

AvbSlotVerifyResult FsManagerAvbOps::AvbSlotVerify(const std::string& ab_suffix,AvbSlotVerifyFlags flags,std::vector<VBMetaData>* out_vbmeta_images) {const char* requested_partitions[] = {nullptr};// Local resource to store vbmeta images from avb_slot_verify();AvbSlotVerifyData* avb_slot_data;// The |hashtree_error_mode| field doesn't matter as it only// influences the generated kernel cmdline parameters.auto verify_result =avb_slot_verify(&avb_ops_, requested_partitions, ab_suffix.c_str(), flags,AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE, &avb_slot_data);if (!avb_slot_data) return verify_result;

一、入口avb_slot_verify.c
avb_slot_verify函數流程會非常的長，對這個代碼不熟悉的人估計會暈在里面，會有函數嵌套調用。我們分段進行說明：
第一個參數ops，是一個函數結構體對象指針

FsManagerAvbOps::FsManagerAvbOps() { //初始化avb_ops_成員的對象，主要有這六個回調函數，這些google設計的非常巧妙，用戶將來可自定義各家的實現方式，google不做限制，只保留空的回調接口，在avb驗證流程中會觸發，后面代碼分析流程中會做介紹。memset(&avb_ops_, 0, sizeof(AvbOps));avb_ops_.read_from_partition = read_from_partition;avb_ops_.read_rollback_index = dummy_read_rollback_index;avb_ops_.validate_vbmeta_public_key = dummy_validate_vbmeta_public_key;avb_ops_.read_is_device_unlocked = dummy_read_is_device_unlocked;avb_ops_.get_unique_guid_for_partition = dummy_get_unique_guid_for_partition;avb_ops_.get_size_of_partition = dummy_get_size_of_partition;// Sets user_data for GetInstanceFromAvbOps() to convert it back to FsManagerAvbOps.avb_ops_.user_data = this; }

我們進入到avb_slot_verify函數中分析

AvbSlotVerifyResult avb_slot_verify(AvbOps* ops,const char* const* requested_partitions,const char* ab_suffix,AvbSlotVerifyFlags flags,AvbHashtreeErrorMode hashtree_error_mode,AvbSlotVerifyData** out_data) {AvbSlotVerifyResult ret;AvbSlotVerifyData* slot_data = NULL;AvbAlgorithmType algorithm_type = AVB_ALGORITHM_TYPE_NONE;bool using_boot_for_vbmeta = false;AvbVBMetaImageHeader toplevel_vbmeta;bool allow_verification_error =(flags & AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR);AvbCmdlineSubstList* additional_cmdline_subst = NULL;/* Fail early if we're missing the AvbOps needed for slot verification. *///先判斷下面五個基本的回調函數接口是否存在，不存在會報錯，即使不實現也需要實現個空內容。avb_assert(ops->read_is_device_unlocked != NULL);avb_assert(ops->read_from_partition != NULL);avb_assert(ops->get_size_of_partition != NULL);avb_assert(ops->read_rollback_index != NULL);avb_assert(ops->get_unique_guid_for_partition != NULL); 。。。//判斷是否沒有vbmeta分區，默認是有vbmeta分區設計的，但是也可以append到其他分區上 這種我們先不考慮if (flags & AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION) {if (ops->validate_public_key_for_partition == NULL) {avb_error("AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION was passed but the ""validate_public_key_for_partition() operation isn't implemented.\n");ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT;goto fail;}} else {//默認我們是使用這種方式，需要校驗vbmeta分區的public key接口是否存在，這個接口用來判斷vbmeta公鑰hash key是否匹配。avb_assert(ops->validate_vbmeta_public_key != NULL);}//alloc分配內存slot_data = avb_calloc(sizeof(AvbSlotVerifyData));if (slot_data == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}slot_data->vbmeta_images =avb_calloc(sizeof(AvbVBMetaData) * MAX_NUMBER_OF_VBMETA_IMAGES);if (slot_data->vbmeta_images == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}slot_data->loaded_partitions =avb_calloc(sizeof(AvbPartitionData) * MAX_NUMBER_OF_LOADED_PARTITIONS);if (slot_data->loaded_partitions == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}//給additional_cmdline_subst也alloc分配內存，這個是后面需要將avb校驗的結果轉成數據append到cmdline中，傳遞給init使用的。additional_cmdline_subst = avb_new_cmdline_subst_list();if (additional_cmdline_subst == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}if (flags & AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION) {...//同上，我們不分析沒有vbmeta分區的情況} else {//加載和校驗vbmeta分區，這個函數流程非常長，我們等會分析，先看完后續的流程ret = load_and_verify_vbmeta(ops,requested_partitions,ab_suffix,flags,allow_verification_error,0 /* toplevel_vbmeta_flags */,0 /* rollback_index_location */,"vbmeta",avb_strlen("vbmeta"),NULL /* expected_public_key */,0 /* expected_public_key_length */,slot_data,&algorithm_type,additional_cmdline_subst);//在設備lock的情況且校驗失敗，直接異常 if (!allow_verification_error && ret != AVB_SLOT_VERIFY_RESULT_OK) {goto fail;}}//根據校驗結果判斷是否可繼續引導啟動if (!result_should_continue(ret)) {goto fail;}//將校驗的結果數據slot_data拷貝給toplevel_vbemta，避免修改原數據。avb_vbmeta_image_header_to_host_byte_order((const AvbVBMetaImageHeader*)slot_data->vbmeta_images[0].vbmeta_data,&toplevel_vbmeta);//根據toplevel_vbmeta vbmete頭信息中flags bit位是否為disable verification， //這個就是傳說中的adb disable-verity修改的那個Bit位了，估計很多人都不知道adb這條命令干了啥，其實就是修改了vbmeta分區Header頭信息中的這個bit位 if (toplevel_vbmeta.flags & AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED) {/* Since verification is disabled we didn't process any* descriptors and thus there's no cmdline... so set root= such* that the system partition is mounted.*/avb_assert(slot_data->cmdline == NULL);// Devices with dynamic partitions won't have system partition.// Instead, it has a large super partition to accommodate *.img files.// See b/119551429 for details.if (has_system_partition(ops, ab_suffix)) {slot_data->cmdline =avb_strdup("root=PARTUUID=$(ANDROID_SYSTEM_PARTUUID)");} else {// The |cmdline| field should be a NUL-terminated string.slot_data->cmdline = avb_strdup("");}if (slot_data->cmdline == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}} else {/* If requested, manage dm-verity mode... *///這里是不是很奇怪，怎么又判斷了hashtree了？其實是google設計的函數共用的功能，這個函數也可以用來校驗其他Hashtree類型的分區，比如system和vendor等AvbHashtreeErrorMode resolved_hashtree_error_mode = hashtree_error_mode;if (hashtree_error_mode ==AVB_HASHTREE_ERROR_MODE_MANAGED_RESTART_AND_EIO) {AvbIOResult io_ret;io_ret = avb_manage_hashtree_error_mode(ops, flags, slot_data, &resolved_hashtree_error_mode);if (io_ret != AVB_IO_RESULT_OK) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO;if (io_ret == AVB_IO_RESULT_ERROR_OOM) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;}goto fail;}//調用avb_append_options追加androidboot.xxx屬性到cmdline中，這個比較簡單就不深入分析了。sub_ret = avb_append_options(ops,flags,slot_data,&toplevel_vbmeta,algorithm_type,hashtree_error_mode,resolved_hashtree_error_mode);if (slot_data->cmdline != NULL && avb_strlen(slot_data->cmdline) != 0) {char* new_cmdline;new_cmdline = avb_sub_cmdline(ops,slot_data->cmdline,ab_suffix,using_boot_for_vbmeta,additional_cmdline_subst);if (new_cmdline != slot_data->cmdline) {if (new_cmdline == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto fail;}avb_free(slot_data->cmdline);slot_data->cmdline = new_cmdline;}}if (out_data != NULL) {*out_data = slot_data;} else {avb_slot_verify_data_free(slot_data);}

我們回到load_and_verify_vbmeta這個函數，看下如何加載和校驗vbmeta分區及vbmeta下的子分區的

static AvbSlotVerifyResult load_and_verify_vbmeta(AvbOps* ops,const char* const* requested_partitions,const char* ab_suffix,AvbSlotVerifyFlags flags,bool allow_verification_error,AvbVBMetaImageFlags toplevel_vbmeta_flags,int rollback_index_location,const char* partition_name,size_t partition_name_len,const uint8_t* expected_public_key,size_t expected_public_key_length,AvbSlotVerifyData* slot_data,AvbAlgorithmType* out_algorithm_type,AvbCmdlineSubstList* out_additional_cmdline_subst) { ...//在分析load_and_verify_vbmeta前，我們先看一下AvbVBMetaImageHeader結構體AvbVBMetaImageHeader vbmeta_header;

不分析AvbVBMetaImageHeader 結構體，估計很難明白這個函數是在校驗啥東東。

//能看到AvbVBMetaImageHeader頭信息中主要由三部分組成 Header data： vbmeta的header數據，固定長度256字節。 Authentication data：認證校驗數據，長度不固定，主要包含簽名和公鑰等信息。 Auxiliary data：輔助數據，主要包含vbmeta中其他分區的descriptor描述信息。* +-----------------------------------------+* | Header data - fixed size |* +-----------------------------------------+* | Authentication data - variable size |* +-----------------------------------------+* | Auxiliary data - variable size |* +-----------------------------------------+//每一項參數，代碼中都有進行說明 typedef struct AvbVBMetaImageHeader {魔術AVB0占四個字節/* 0: Four bytes equal to "AVB0" (AVB_MAGIC). */uint8_t magic[AVB_MAGIC_LEN];AVB的版本號信息1.0.0/* 4: The major version of libavb required for this header. */uint32_t required_libavb_version_major;/* 8: The minor version of libavb required for this header. */uint32_t required_libavb_version_minor;簽名信息長度和輔助信息長度/* 12: The size of the signature block. */uint64_t authentication_data_block_size;/* 20: The size of the auxiliary data block. */uint64_t auxiliary_data_block_size;使用的簽名算法類型/* 28: The verification algorithm used, see |AvbAlgorithmType| enum. */uint32_t algorithm_type;簽名數據的在header中的Body的Hash偏移位置/* 32: Offset into the "Authentication data" block of hash data. */uint64_t hash_offset;數據Body的Hash大小/* 40: Length of the hash data. */uint64_t hash_size;簽名數據的偏移位置/* 48: Offset into the "Authentication data" block of signature data. */uint64_t signature_offset;簽名數據的大小/* 56: Length of the signature data. */uint64_t signature_size;公鑰的偏移位置/* 64: Offset into the "Auxiliary data" block of public key data. */uint64_t public_key_offset;公鑰的長度/* 72: Length of the public key data. */uint64_t public_key_size;公鑰metadata的偏移位置和長度/* 80: Offset into the "Auxiliary data" block of public key metadata. */uint64_t public_key_metadata_offset;/* 88: Length of the public key metadata. Must be set to zero if there* is no public key metadata.*/uint64_t public_key_metadata_size;子分區的descriptor描述信息的偏移位置和長度/* 96: Offset into the "Auxiliary data" block of descriptor data. */uint64_t descriptors_offset;/* 104: Length of descriptor data. */uint64_t descriptors_size;vbmeta的rollback回滾值/* 112: The rollback index which can be used to prevent rollback to* older versions.*/uint64_t rollback_index;vbmeta的flags標志位，是否disable-verification等/* 120: Flags from the AvbVBMetaImageFlags enumeration. This must be* set to zero if the vbmeta image is not a top-level image.*/uint32_t flags;預留的字節，為將來可擴展準備/* 124: Reserved to ensure |release_string| start on a 16-byte* boundary. Must be set to zeroes.*/uint8_t reserved0[4];/* 128: The release string from avbtool, e.g. "avbtool 1.0.0" or* "avbtool 1.0.0 xyz_board Git-234abde89". Is guaranteed to be NUL* terminated. Applications must not make assumptions about how this* string is formatted.*/uint8_t release_string[AVB_RELEASE_STRING_SIZE];/* 176: Padding to ensure struct is size AVB_VBMETA_IMAGE_HEADER_SIZE* bytes. This must be set to zeroes.*/uint8_t reserved[80]; } AVB_ATTR_PACKED AvbVBMetaImageHeader;

好了，知道vbmeta頭結構體后，我們繼續分析load_and_verify_vbmeta代碼

//alloc申請內存vbmeta_buf = avb_malloc(vbmeta_size);if (vbmeta_buf == NULL) {ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;goto out;}//觸發avb_ops.cpp中第一個回調函數，本文的下面段落中有說明//android側只實現了這一個回調函數，其余的都留給廠商自己實現了，在UBOOT中就可以開發定制了。io_ret = ops->read_from_partition(ops,full_partition_name,vbmeta_offset,vbmeta_size,vbmeta_buf,&vbmeta_num_read);//加載完vbmeta數據后，需要對vbmeta數據進行校驗，調用avb_vbmeta_image_verify函數//本文下面專門講，這里先分析后續的流程vbmeta_ret =avb_vbmeta_image_verify(vbmeta_buf, vbmeta_num_read, &pk_data, &pk_len);//vbmeta基礎數據verify通過后，校驗一下公鑰hash是否匹配，是否本次andorid源碼編譯產生的key//這個數據是在android編譯的時候產生的，//validate_vbmeta_public_key是第二個回調函數，廠家可自定義實現，比如把key存儲中其他地方//android默認為空，直接返回avb_assert(is_main_vbmeta);io_ret = ops->validate_vbmeta_public_key(ops,pk_data,pk_len,pk_metadata,pk_metadata_len,&key_is_trusted);//緊接著會校驗vbmeta的rollback回滾值，android默認為空，直接返回//這是第三個回調函數io_ret = ops->read_rollback_index(ops, rollback_index_location_to_use, &stored_rollback_index);//同時下面代碼還有rollback_index回滾值的比較判斷，主要是比較存儲中的index值和vbmeta中的index值//更新策略為:當vbmeta中的index大于存儲中的值，將存儲中的值更新到存儲空間；//如果vbmeta中的index小于存儲中的值，啟動boot失敗，防止用戶降級版本。//android默認為空實現，默認index為0，不需要更新寫入。//加載vbmeta中descrptor其他分區的信息，比如vbmeta_system/boot/vendor_boot等分區的信息descriptors =avb_descriptor_get_all(vbmeta_buf, vbmeta_num_read, &num_descriptors);for (n = 0; n < num_descriptors; n++) {AvbDescriptor desc;if (!avb_descriptor_validate_and_byteswap(descriptors[n], &desc)) {avb_errorv(full_partition_name, ": Descriptor is invalid.\n", NULL);ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA;goto out;} //如果decriptor分區是hash類型，比如boot分區，調用load_and_verify_hash_partition計算hash并進行比較switch (desc.tag) {case AVB_DESCRIPTOR_TAG_HASH: {AvbSlotVerifyResult sub_ret;sub_ret = load_and_verify_hash_partition(ops,requested_partitions,ab_suffix,allow_verification_error,descriptors[n],slot_data);if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) {ret = sub_ret;if (!allow_verification_error || !result_should_continue(ret)) {goto out;}}} break;case AVB_DESCRIPTOR_TAG_CHAIN_PARTITION: {case AVB_DESCRIPTOR_TAG_KERNEL_CMDLINE: {//如果是hashtree類型，比如system分區，調用read_persistent_digest讀此分區的digest信息case AVB_DESCRIPTOR_TAG_HASHTREE: {ret = read_persistent_digest(ops,part_name,digest_len,NULL /* initial_digest */,digest_buf);好了，這個函數到這里就基本上差不多了。

現在這個函數中，還有兩個子函數還沒有分析，

1、read_from_partition函數
其中ReadFromPartition的實現比較簡單，找到vbmeta的dev節點名稱，打開fd，調用read函數，將64KB的vbmeta數據全加載出來。

static AvbIOResult read_from_partition(AvbOps* ops, const char* partition, int64_t offset,size_t num_bytes, void* buffer, size_t* out_num_read) {return FsManagerAvbOps::GetInstanceFromAvbOps(ops)->ReadFromPartition(partition, offset, num_bytes, buffer, out_num_read); }AvbIOResult FsManagerAvbOps::ReadFromPartition(const char* partition, int64_t offset,size_t num_bytes, void* buffer,size_t* out_num_read) {std::string path = "/dev/block/by-name/"s + partition;// Ensures the device path (a symlink created by init) is ready to access.if (!WaitForFile(path, 1s)) {LERROR << "Device path not found: " << path;// Falls back to logical path if the physical path is not found.// This mostly only works for emulator (no bootloader). Because in normal// device, bootloader is unable to read logical partitions. So if libavb in// the bootloader failed to read a physical partition, it will failed to boot// the HLOS and we won't reach the code here.path = GetLogicalPath(partition);if (path.empty() || !WaitForFile(path, 1s)) return AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION;LINFO << "Fallback to use logical device path: " << path;}android::base::unique_fd fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_CLOEXEC)));if (fd < 0) {PERROR << "Failed to open " << path;return AVB_IO_RESULT_ERROR_IO;}// If offset is negative, interprets its absolute value as the// number of bytes from the end of the partition.if (offset < 0) {off64_t total_size = lseek64(fd, 0, SEEK_END);if (total_size == -1) {PERROR << "Failed to lseek64 to end of the partition";return AVB_IO_RESULT_ERROR_IO;}offset = total_size + offset;// Repositions the offset to the beginning.if (lseek64(fd, 0, SEEK_SET) == -1) {PERROR << "Failed to lseek64 to the beginning of the partition";return AVB_IO_RESULT_ERROR_IO;}}// On Linux, we never get partial reads from block devices (except// for EOF).ssize_t num_read = TEMP_FAILURE_RETRY(pread64(fd, buffer, num_bytes, offset));if (num_read < 0 || (size_t)num_read != num_bytes) {PERROR << "Failed to read " << num_bytes << " bytes from " << path << " offset " << offset;return AVB_IO_RESULT_ERROR_IO;}if (out_num_read != nullptr) {*out_num_read = num_read;}return AVB_IO_RESULT_OK; }

2、avb_vbmeta_image_verify函數
這個函數因為這里面涉及到RSA算法的驗簽流程，內容也很多，慢慢分析一下。

AvbVBMetaVerifyResult avb_vbmeta_image_verify(const uint8_t* data,size_t length,const uint8_t** out_public_key_data,size_t* out_public_key_length) {...//首先判斷是不是以“AVB0”開頭的，vim打開vbmeta.img就可以看到是以AVB0開頭/* Ensure magic is correct. */if (avb_safe_memcmp(data, AVB_MAGIC, AVB_MAGIC_LEN) != 0) {avb_error("Magic is incorrect.\n");goto out;}//把數據拷貝到到h AvbVBMetaImageHeader中avb_vbmeta_image_header_to_host_byte_order((const AvbVBMetaImageHeader*)data,&h);//比較avbtool的版本號 avbtool 1.10if ((h.required_libavb_version_major != AVB_VERSION_MAJOR) ||(h.required_libavb_version_minor > AVB_VERSION_MINOR)) {avb_error("Mismatch between image version and libavb version.\n");ret = AVB_VBMETA_VERIFY_RESULT_UNSUPPORTED_VERSION;goto out;} //判斷authentication和auxiliary數據大小是不是64字節的整數倍if ((h.authentication_data_block_size & 0x3f) != 0 ||(h.auxiliary_data_block_size & 0x3f) != 0) {avb_error("Block size is not a multiple of 64.\n");goto out;}//判斷hash和signature內容在vbmeta header中uint64_t hash_end;if (!avb_safe_add(&hash_end, h.hash_offset, h.hash_size) ||hash_end > h.authentication_data_block_size) {avb_error("Hash is not entirely in its block.\n");goto out;}uint64_t signature_end;if (!avb_safe_add(&signature_end, h.signature_offset, h.signature_size) ||signature_end > h.authentication_data_block_size) {avb_error("Signature is not entirely in its block.\n");goto out;}//判斷public key和public key metadata內容在vbmeta header中/* Ensure public key is entirely in the Auxiliary data block. */uint64_t pubkey_end;if (!avb_safe_add(&pubkey_end, h.public_key_offset, h.public_key_size) ||pubkey_end > h.auxiliary_data_block_size) {avb_error("Public key is not entirely in its block.\n");goto out;}/* Ensure public key metadata (if set) is entirely in the Auxiliary* data block. */if (h.public_key_metadata_size > 0) {uint64_t pubkey_md_end;if (!avb_safe_add(&pubkey_md_end,h.public_key_metadata_offset,h.public_key_metadata_size) ||pubkey_md_end > h.auxiliary_data_block_size) {avb_error("Public key metadata is not entirely in its block.\n");goto out;}}//判斷RSA algorithm的type和長度是不是符合if (h.algorithm_type == AVB_ALGORITHM_TYPE_NONE) {ret = AVB_VBMETA_VERIFY_RESULT_OK_NOT_SIGNED;avb_error("pis algoth type none AVB_VBMETA_VERIFY_RESULT_OK_NOT_SIGNED!\n");goto out;}/* Ensure algorithm field is supported. */algorithm = avb_get_algorithm_data(h.algorithm_type);if (!algorithm) {avb_error("Invalid or unknown algorithm.\n");goto out;}/* Bail if the embedded hash size doesn't match the chosen algorithm. */if (h.hash_size != algorithm->hash_len) {avb_error("Embedded hash has wrong size.\n");goto out;}//到這里基本的檢查項就完成了，接下來就是驗證數據是不是匹配了header_block = data;authentication_block = header_block + sizeof(AvbVBMetaImageHeader);auxiliary_block = authentication_block + h.authentication_data_block_size;//我們編譯vbmeta應該是使用的SHA256_RSA4096，所以走下面這段邏輯switch (h.algorithm_type) {/* Explicit fall-through: */case AVB_ALGORITHM_TYPE_SHA256_RSA2048:case AVB_ALGORITHM_TYPE_SHA256_RSA4096:case AVB_ALGORITHM_TYPE_SHA256_RSA8192:avb_sha256_init(&sha256_ctx);avb_sha256_update(&sha256_ctx, header_block, sizeof(AvbVBMetaImageHeader));avb_sha256_update(&sha256_ctx, auxiliary_block, h.auxiliary_data_block_size);computed_hash = avb_sha256_final(&sha256_ctx);break;//驗證hash是否相等if (avb_safe_memcmp(authentication_block + h.hash_offset,computed_hash,h.hash_size) != 0) {avb_error("Hash does not match!\n");ret = AVB_VBMETA_VERIFY_RESULT_HASH_MISMATCH;goto out;}//驗證signature簽名是否匹配verification_result =avb_rsa_verify(auxiliary_block + h.public_key_offset,h.public_key_size,authentication_block + h.signature_offset,h.signature_size,authentication_block + h.hash_offset,h.hash_size,algorithm->padding,algorithm->padding_len); }

---

---------------------------------------------- 分割一下 ------------------------------------------------------------
我們單獨來分析一下，一共有兩個驗證，一個是hash比較，一個是signature簽名比較。
在了解下面這段之前，可以先看看我之前寫過的博客python實現RSA加密解密 及 簽名驗簽功能
簡單看下第3節 “私鑰簽名 公鑰驗簽”，要理解下面這個函數的內容，得先看一下vbmeta.img鏡像header的簽名打包流程，將新創建一篇博客太記錄吧，本篇內容有點長。
請見AVB之鏡像的簽名及驗證簽名詳解
hash比較

avb_sha256_init(&sha256_ctx);avb_sha256_update(&sha256_ctx, header_block, sizeof(AvbVBMetaImageHeader));avb_sha256_update(&sha256_ctx, auxiliary_block, h.auxiliary_data_block_size);computed_hash = avb_sha256_final(&sha256_ctx);

signature簽名比較

verification_result =avb_rsa_verify(auxiliary_block + h.public_key_offset,h.public_key_size,authentication_block + h.signature_offset,h.signature_size,authentication_block + h.hash_offset,h.hash_size,algorithm->padding,algorithm->padding_len);

總結

以上是生活随笔為你收集整理的android AVB2.0（四）libavb库介绍的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。