Scribd
Upload
211 views

Device State

The document discusses device state and root of trust in Android verified boot. It explains that devices can be in a locked or unlocked state, and a locked state only allows booting signed software while unlocked allows modification. It also describes how the bootloader checks the root of trust signature during boot to verify authenticity and ensure the device boots properly. Finally, it mentions that some devices allow setting a user-configurable root of trust to support custom builds.

Uploaded by

passionyao yao
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
211 views

Device State

The document discusses device state and root of trust in Android verified boot. It explains that devices can be in a locked or unlocked state, and a locked state only allows booting signed software while unlocked allows modification. It also describes how the bootloader checks the root of trust signature during boot to verify authenticity and ensure the device boots properly. Finally, it mentions that some devices allow setting a user-configurable root of trust to support custom builds.

Uploaded by

passionyao yao
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

2020/4/27 DeviceState|AndroidOpenSourceProject

Device State
The device state indicates how freely software can be ashed to a device and whether veri cation is enforced. Device states are LOCKED
and UNLOCKED. LOCKED devices prevent you from ashing new software to the device, whereas UNLOCKED devices allow modi cation.

When a device powers on, the bootloader rst checks if a device is LOCKED or UNLOCKED. If a device is UNLOCKED, the bootloader shows the
user a warning and then proceeds to boot even if the loaded OS isn't signed by the root of trust.

If the device is LOCKED, the bootloader goes through the steps in Verifying Boot (/security/veri edboot/veri ed-boot) to verify the device's
software. LOCKED devices boot only if the loaded OS is properly signed by the root of trust. For more details, see The boot ow
 (/security/veri edboot/boot- ow).

Changing device state

To change a device's state (/devices/bootloader/unlock-trusty), use the fastboot flashing [unlock | lock] command. To protect user
data, all state transitions wipe the data partitions and ask for user con rmation before data is deleted.

The UNLOCKED to LOCKED transition is anticipated when a user buys a used development device. As a result of locking the device, the user
should have con dence that it is in a state produced by the device manufacturer, as long as there is no warning. The LOCKED to UNLOCKED
transition is expected when a developer wishes to disable veri cation on the device for development purposes.

Root of Trust

Root of trust is the cryptographic key used to sign the copy of Android stored on the device. The private part of the root of trust is known
only to the device manufacturer and is used to sign every version of Android intended for distribution. The public part of the root of trust is
embedded in the device and is stored in a place so it cannot be tampered with (typically read-only storage).

Wh it l d A d id th b tl d th t ft tt if th ti it F d t il thi V if i B t

https://source.android.com/security/verifiedboot/device-state 1/3
2020/4/27 DeviceState|AndroidOpenSourceProject

When it loads Android, the bootloader uses the root of trust to verify authenticity. For more details on this process, see Verifying Boot
 (/security/veri edboot/veri ed-boot). Devices may have multiple boot loaders and as such multiple cryptographic keys may be in play.

User-settable root of trust

Devices can optionally allow the user to con gure the root of trust (for example, a public key). Devices can use this user-settable root of
trust for Veri ed Boot instead of the built-in root of trust. This allows the user to install and use custom versions of Android without
sacri cing the security improvements of Veri ed Boot.

If user-settable root of trust is implemented, it should be done in a way such that:

Physical con rmation is required to set/clear the user-settable root of trust.

The user-settable root of trust can only be set by the end user. It cannot be set at the factory or any intermediate point before the end
user gets the device.

The user-settable root of trust is stored in tamper-evident storage. Tamper-evident means that it's possible to detect if Android has
tampered with the data, for example, if it has been overwritten or changed.

If an user-settable root of trust is set, the device should allow a version of Android signed with either the built-in root of trust or the
user-settable root of trust to boot.

Every time the device boots using the user-settable root of trust, the user should be noti ed that the device is loading a custom
version of Android. For example waring screens, see LOCKED devices with custom key set
 (/security/veri edboot/boot- ow#locked-devices-with-custom-key-set).

One way of implementing user-settable root of trust is to have a virtual partition that can only be ashed or cleared when the device is in
the UNLOCKED state. The Google Pixel 2 devices use this approach and the virtual partition is called avb_custom_key. The format of the
data in this partition is the output of the avbtool extract public key command. Here's an example of how to set the user-settable root

https://source.android.com/security/verifiedboot/device-state 2/3
2020/4/27 DeviceState|AndroidOpenSourceProject
data in this partition is the output of the avbtool extract_public_key command. Here s an example of how to set the user settable root
of trust:

$ avbtool extract_public_key --key key.pem --output pkmd.bin


$ fastboot flash avb_custom_key pkmd.bin

The user-settable root of trust can be cleared by issuing:

$ fastboot erase avb_custom_key

Content and code samples on this page are subject to the licenses described in the Content License (/license). Java is a registered trademark of Oracle and/or its
a liates.

Last updated 2020-01-06.

https://source.android.com/security/verifiedboot/device-state 3/3

You might also like