libfs_avb not in dmesg & Magisk removed when bootloader locked

[ShockedCoder]

Phone: Fairphone 5 ROM: CalyxOS

I followed the instructions and executing adb shell su -c 'dmesg | grep libfs_avb' returned nothing.

I read on another issue that proceeding with locking the bootloader would help, so I did that, but it erased Magisk alongside the userdata.

I saw on another issue that providing /proc/cmdline and /proc/bootconfig would help:

/proc/cmdline

cgroup_disable=pressure log_buf_len=256K earlycon=msm_geni_serial,0x994000 rcupdate.rcu_expedited=1 rcu_nocbs=0-7 kpti=off console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memcg=1 lpm_levels.sleep_disabled=1 msm_rtb.filter=0x237 service_locator.enable=1 androidboot.usbcontroller=a600000.dwc3 swiotlb=0 loop.max_part=7 cgroup.memory=nokmem,nosocket pcie_ports=compact iptable_raw.raw_before_defrag=1 ip6table_raw.raw_before_defrag=1 androidboot.verifiedbootstate=orange androidboot.keymaster=1 androidboot.vbmeta.device=PARTUUID=1204575c-3d72-5998-8f90-1c3c1009c798 androidboot.vbmeta.avb_version=1.0 androidboot.vbmeta.device_state=unlocked androidboot.vbmeta.hash_alg=sha256 androidboot.vbmeta.size=8768 androidboot.vbmeta.digest=f109df185982518c848c9acbcfabce794129c4fd976f7f5b0c1b4ae6d9f113fb androidboot.vbmeta.invalidate_on_error=yes androidboot.veritymode=enforcing androidboot.bootdevice=1d84000.ufshc androidboot.fstab_suffix=default androidboot.boot_devices=soc/1d84000.ufshc androidboot.baseband=msm msm_drm.dsi_display0=qcom,mdss_dsi_rm692e5_boe_amoled_cmd: androidboot.slot_suffix=_a rootwait ro init=/init androidboot.dtbo_idx=44 androidboot.dtb_idx=12 androidboot.force_normal_boot=1 androidboot.CID=STD androidboot.LOCALE=en androidboot.insecure=false androidboot.uartflag=false

I don't have /proc/bootconfig though.

This is my first time using a custom ROM or rooting, so I'm not sure what other information to provide to be able to help in debugging.

[ShockedCoder]

I decided to start following the Update instructions, since the absence of Magisk and the dmesg message were the only issues.

Magisk asked for "some additional setup" before it can start working, I noticed the superuser tab wasn't grayed out, but the modules were, so I accepted. After the reboot, I am able to use superuser permissions, my bootloader is locked and I have no noticeable/visible problems.

I attempted to search for libfs_avb in dmesg, but it was still absent.

I'm keeping this issue open in-case there is indeed something wrong, but I'm not experienced enough to notice it.

[chenxiaolong]

I suspect what's happening is that your device's log buffer is too small. Does dmesg | head show the timestamps starting at 0? On my device, the libfs_avb messages appear during the first couple seconds.

If you're not able to see the messages when checking immediately after a reboot, then there's probably no way for you do to this step on-device. It's possible to manually verify this off-device too. It's up to you whether you want to do this. I marked the step as [Optional] in the instructions since it's more about checking that your custom ROM didn't make mistakes in implementing AVB. Custom ROMs that are explicitly intended for locked-bootloader setups, like CalyxOS, are unlikely to get this wrong.

But in case you're interested in manually verifying, this is how you would do it:

1. Run avbroot's own signature verification against your patched OTA. For example, the output should look something like this: ``` ❯ avbroot ota verify -i FP5-ota_update-24506020.zip --public-key-avb avb.key --cert-ota ota.crt 0.000s INFO Verifying whole-file signature 3.374s WARN Whole-file signature is valid, but its trust is unknown 3.375s INFO Verifying payload 9.937s INFO Extracting partition images to temporary directory 9.937s INFO Extracting from the payload: abl, aop, bluetooth, boot, cpucp, devcfg, dsp, dtbo, featenabler, hyp, imagefv, keymaster, modem, multiimgoem, odm, product, qupfw, shrm, studybk, system, system_ext, tz, uefisecapp, vbmeta, vbmeta_system, vendor, vendor_boot, xbl, xbl_config 16.234s INFO Successfully extracted OTA 16.235s INFO Verifying partition hashes 18.964s INFO Checking ramdisk's otacerts.zip 19.272s INFO Verifying AVB signatures 19.273s WARN vbmeta has a signed vbmeta header, but parent does not list a trusted key 19.273s INFO vbmeta_system has a signed vbmeta header 19.273s INFO Verifying hash descriptor for: vendor_boot 19.273s INFO Verifying hash descriptor for: boot 19.273s INFO Verifying hash tree descriptor for: system 19.273s INFO Verifying hash tree descriptor for: product 19.274s INFO Verifying hash descriptor for: dtbo 19.274s INFO Verifying hash tree descriptor for: system_ext 19.274s INFO Verifying hash tree descriptor for: odm 19.274s INFO Verifying hash tree descriptor for: vendor 22.276s INFO Signatures are all valid! ``` Make a note of the partition names listed in the `Verifying hash tree descriptor for` lines. In this example, it would be `odm`, `product`, `system`, `system_ext`, and `vendor`. 2. Extract the `vendor_boot` image from the OTA: ```bash avbroot ota extract -i ota.zip.patched -d extracted mkdir extracted/vendor_boot cd extracted/vendor_boot avbroot boot unpack -i ../vendor_boot.img avbroot cpio unpack -i ramdisk.img.0 ``` 3. Check that avb is enabled in the fstab file for the same list of partitions as in step 1. For example: ``` ❯ grep avb cpio_tree/first_stage_ramdisk/system/etc/fstab.default | awk '{print $1}' system system_ext product vendor odm ```

[chenxiaolong]

I'm keeping this issue open in-case there is indeed something wrong, but I'm not experienced enough to notice it.

Based on what you've said, you should be good to go.

[ShockedCoder]

Based on what you've said, you should be good to go.

In that case, I'll close the issue then. Thank you for your work and assistance 😄