AVBTOOL | The main job of avbtool is to create vbmeta

AVBTOOL is a C library. AVBTOOL has no bugs, it has no vulnerabilities, it has a Permissive License and it has low support. You can download it from GitHub.

The main job of avbtool is to create vbmeta.img which is the top-level object for verified boot. This image is designed to go into the vbmeta partition (or, if using A/B, the slot in question e.g. vbmeta_a or vbmeta_b) and be of minimal size (for out-of-band updates). The vbmeta image is cryptographically signed and contains verification data (e.g. cryptographic digests) for verifying boot.img, system.img, and other partitions/images. The vbmeta image can also contain references to other partitions where verification data is stored as well as a public key indicating who should sign the verification data. This indirection provides delegation, that is, it allows a 3rd party to control content on a given partition by including their public key in vbmeta.img. By design, this authority can be easily revoked by simply updating vbmeta.img with new descriptors for the partition in question. Storing signed verification data on other images - for example boot.img and system.img - is also done with avbtool. In addition to avbtool, a library - libavb - is provided. This library performs all verification on the device side e.g. it starts by loading the vbmeta partition, checks the signature, and then goes on to load the boot partition for verification. This library is intended to be used in both boot loaders and inside Android. It has a simple abstraction for system dependencies (see avb_sysdeps.h) as well as operations that the boot loader or OS is expected to implement (see avb_ops.h). The main entry point for verification is avb_slot_verify(). It is expected that most devices will use A/B (e.g. multiple copies of the OS in separate so-called 'slots') in addition to AVB. While managing A/B metadata and associated metadata (e.g. managing stored_rollback_index[n] locations) is outside the scope of libavb, enough interfaces are exposed so the boot loader can integrate its A/B stack with libavb. In particular avb_slot_verify() takes a slot_suffix parameter and its result struct AvbSlotVerifyData convey the rollback indexes in the image that was verified. AVB also includes an A/B implementation that boot loaders may optionally use. This implementation is in the libavb_ab library and integrates with image verification including updating the stored_rollback_index[n] locations on the device as needed. The bootloader can use this through the avb_ab_flow() function which in turn calls avb_slot_verify() as needed. In libavb_ab, A/B metadata is stored in the misc partition using a format private to libavb_ab in the location on misc reserved for this. For more information about the misc.img file format see the bootloader_message.h file in AOSP. A/B metadata can be written to misc.img using the set_ab_metadata sub-command of avbtool. A/B metadata is comprised of data for each slo and per-slot metadata has a priority field (0 to 15), number of tries remaining for attempting to boot the slot (0 to 7), and a flag to indicate whether the slot has successfully booted. A/B metadata integrity is provided by a simple magic marker and a CRC-32 checksum. If invalid A/B metadata is detected, the behavior is to reset the A/B metadata to a known state where both slots are given seven boot tries. An implementation of a boot_control HAL using AVB-specific A/B metadata is also provided. Android Things has specific requirements and validation logic for the vbmeta public key. An extension is provided in libavb_atx which performs this validation as an implementatio of libavb's public key validation operation (see avb_validate_vbmeta_public_key() in avb_ops.h).