chenxiaolong / avbroot

Sign (and root) Android A/B OTAs with custom keys while preserving Android Verified Boot
GNU General Public License v3.0
436 stars, 41 forks

Verifying signed OTA fails #291

Closed juleast closed 1 month ago

juleast commented 1 month ago

What are the conditions for an OTA zip to be properly signed? Does it require a specific configuration when compiling the OTA zip first? I tried to sign the OTA zip for DerpFest for my device but trying to verify it back produces this error:

avbroot ota verify --input ota.zip.patched --cert-ota ota.crt --public-key-avb avb_pkmd.bin
  0.000s  INFO Verifying whole-file signature
  3.530s  INFO Verifying payload
 10.422s  INFO Extracting partition images to temporary directory
 10.422s  INFO Extracting from the payload: boot, dtbo, system, vbmeta, vendor
 55.849s  INFO Successfully extracted OTA
 55.849s  INFO Verifying partition hashes
 67.212s  INFO Checking ramdisk's otacerts.zip
 67.463s  INFO Verifying AVB signatures
 67.464s  INFO vbmeta has a signed vbmeta header
 67.464s  INFO Verifying hash tree descriptor for: system
 67.464s  INFO Verifying hash tree descriptor for: vendor
 67.464s  INFO Verifying hash descriptor for: dtbo
 67.464s  INFO Verifying hash descriptor for: boot
 73.381s ERROR Failed to verify hash tree descriptor for: system

Caused by:
    "fec_size" field is out of bounds

I wasn't sure what this error meant.

chenxiaolong commented 1 month ago

Can you post a link to the OTA? Or if it's not publicly available, can you extract the OTA with:

avbroot ota extract -i ota.zip -d extracted -a

and post the output of:

avbroot avb info -i extracted/system.img

fec_size is a field in the AVB metadata that specifies how big the FEC (forward error correction) data is. FEC data is used to correct small errors if a partition happens to get corrupted.

I'm thinking either the fec_size is somehow invalid or it's exceeding avbroot's internal limit (~32 MiB). The latter would be really easy to fix.

juleast commented 1 month ago

I've run the command you asked for. Here is the output. I've captured the output to a logfile because it was too long. system.log

chenxiaolong commented 1 month ago

Thanks. Yep, so it's just hitting avbroot's internal limit. (The limit exists so that a corrupt/malicious OTA can't cause avbroot to use up the entire system's memory.)

I'll increase the limit and release a new version of avbroot.

juleast commented 1 month ago

Thank you for the update! I will try it again when I get home.

chenxiaolong commented 1 month ago

No problem! 3.2.1 will be released in a few minutes with the change.
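
The kind of check discussed in this thread, as an added example (not avbroot's code and not part of the issue): read `fec_size` from a hash tree descriptor and refuse it before allocating anything if it exceeds a cap. The field offsets follow libavb's `AvbHashtreeDescriptor` layout; the function names, the error type and both limit values are assumptions made for illustration.

```rust
use std::convert::{TryFrom, TryInto};

// Offsets follow libavb's AvbHashtreeDescriptor (all fields big-endian).
const TAG_HASHTREE: u64 = 1;
const OFF_FEC_OFFSET: usize = 56;
const OFF_FEC_SIZE: usize = 64;
const FIXED_LEN: usize = 180;

#[derive(Debug, PartialEq)]
enum FecError { Truncated, WrongTag(u64), TooLarge { size: u64, max: u64 }, Overflow }

fn be_u64(buf: &[u8], off: usize) -> u64 {
    u64::from_be_bytes(buf[off..off + 8].try_into().unwrap())
}

/// Returns (fec_offset, fec_len) only when fec_len bytes are safe to allocate.
/// `max_fec_size` is a hypothetical caller-chosen cap.
fn checked_fec_range(desc: &[u8], max_fec_size: u64) -> Result<(u64, usize), FecError> {
    if desc.len() < FIXED_LEN { return Err(FecError::Truncated); }
    let tag = be_u64(desc, 0);
    if tag != TAG_HASHTREE { return Err(FecError::WrongTag(tag)); }
    let (fec_offset, fec_size) = (be_u64(desc, OFF_FEC_OFFSET), be_u64(desc, OFF_FEC_SIZE));
    // The size comes from untrusted input, so cap it before any buffer is sized from it.
    if fec_size > max_fec_size {
        return Err(FecError::TooLarge { size: fec_size, max: max_fec_size });
    }
    // The byte range must not wrap around, and must fit the platform's usize.
    fec_offset.checked_add(fec_size).ok_or(FecError::Overflow)?;
    let len = usize::try_from(fec_size).map_err(|_| FecError::Overflow)?;
    Ok((fec_offset, len))
}

/// Constructed sample descriptor: only the fields this example reads are set.
fn sample_descriptor(fec_offset: u64, fec_size: u64) -> Vec<u8> {
    let mut d = vec![0u8; FIXED_LEN];
    d[..8].copy_from_slice(&TAG_HASHTREE.to_be_bytes());
    d[OFF_FEC_OFFSET..OFF_FEC_OFFSET + 8].copy_from_slice(&fec_offset.to_be_bytes());
    d[OFF_FEC_SIZE..OFF_FEC_SIZE + 8].copy_from_slice(&fec_size.to_be_bytes());
    d
}

fn main() {
    const MIB: u64 = 1024 * 1024;
    // A valid image whose FEC data (40 MiB, constructed value) is larger than a 32 MiB cap.
    let desc = sample_descriptor(4096 * MIB, 40 * MIB);
    for max in [32 * MIB, 64 * MIB] {
        println!("limit {} MiB -> {:?}", max / MIB, checked_fec_range(&desc, max));
    }
}
```

A cap like this trades false rejections of large but legitimate images for a bounded allocation, which is the situation the issue reports.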