dmverity

dm-verity on Android

1. Keys needed for dm-verity

Android default keys are located at build/target/product/security. There are 4 pairs of keys:
{platform/testkey/media/shared}.x509.pem and {platform/testkey/media/shared}.pk8.

What they are:

key name        type
xx.x509.pem     X.509 PEM certificate
xx.pk8          PKCS#8 PrivateKeyInfo

dm-verity will use build/target/product/security/verity.pk8 by default

2. How to generate root/system image

system.img is composed of 3 parts:

raw ext4 system.img
    standard ext4 image containing all system files
verity.img
    SHA-256 hash tree,
    generated by Google's build_verity_tree
    source: system/extras/verity/build_verity_tree.cpp
verity_metadata.img
    dm-verity metadata,
    generated by Google's build_verity_metadata.py
    source: system/extras/verity/build_verity_metadata.py
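A simplified model of the verity.img hash tree described above, added here as an example (not the page's own code and not build_verity_tree itself): it hashes 4 KiB data blocks with a salt, packs the digests into zero-padded 4 KiB hash blocks layer by layer up to a single root hash, and then checks one block against that trusted root the way the kernel does on every read, rejecting a single flipped bit. It assumes dm-verity format-1 hashing (sha256(salt || data)) and a constructed salt and image; it does not reproduce build_verity_tree's exact on-disk layout.

```python
import hashlib

BLOCK_SIZE = 4096                             # dm-verity works on 4 KiB data blocks
HASHES_PER_BLOCK = BLOCK_SIZE // 32           # 128 SHA-256 digests fill one hash block

def hash_block(salt: bytes, block: bytes) -> bytes:
    # dm-verity format 1 hashes salt || data for data blocks and hash blocks alike
    return hashlib.sha256(salt + block).digest()

def pack_hash_blocks(digests) -> bytes:
    # concatenate a layer's digests and zero-pad to whole 4 KiB hash blocks
    packed = b"".join(digests)
    return packed + b"\0" * (-len(packed) % BLOCK_SIZE)

def build_hash_tree(image: bytes, salt: bytes):
    """Return (root_hash, layers): layers[0] has one digest per data block, and
    each higher layer hashes the padded hash blocks of the layer below it."""
    assert len(image) % BLOCK_SIZE == 0, "image must be block aligned"
    layer = [hash_block(salt, image[i:i + BLOCK_SIZE])
             for i in range(0, len(image), BLOCK_SIZE)]
    layers = [layer]
    while len(layer) > 1:
        packed = pack_hash_blocks(layer)
        layer = [hash_block(salt, packed[i:i + BLOCK_SIZE])
                 for i in range(0, len(packed), BLOCK_SIZE)]
        layers.append(layer)
    return layer[0], layers

def verify_block(block: bytes, index: int, layers, salt: bytes, root: bytes) -> bool:
    """Check one data block against the trusted root hash, walking leaf to root
    and validating each stored hash block before trusting its contents."""
    expected = hash_block(salt, block)
    for level in range(len(layers) - 1):
        if layers[level][index] != expected:
            return False
        start = (index // HASHES_PER_BLOCK) * HASHES_PER_BLOCK
        expected = hash_block(salt, pack_hash_blocks(layers[level][start:start + HASHES_PER_BLOCK]))
        index //= HASHES_PER_BLOCK
    return expected == root

if __name__ == "__main__":
    salt = bytes(range(32))                   # constructed salt, not a real device value
    # constructed 300-block image standing in for the raw ext4 system.img
    image = b"".join(i.to_bytes(4, "little") * (BLOCK_SIZE // 4) for i in range(300))
    root, layers = build_hash_tree(image, salt)
    blk = image[7 * BLOCK_SIZE:8 * BLOCK_SIZE]
    print("root:", root.hex(), "hash levels:", len(layers) - 1)
    print("block 7 intact:", verify_block(blk, 7, layers, salt, root))
    print("block 7 bit-flipped:", verify_block(bytes([blk[0] ^ 1]) + blk[1:], 7, layers, salt, root))
```

The root hash is what ends up signed in verity_metadata.img; everything below it (hash blocks included) is untrusted until it has been checked against its parent.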

3. Misc

prop:

  • partition.system.verified == 1
  • partition.vendor.verified == 1

When the system or vendor partition is dm-verity enabled, the user can run “adb disable-verity” to disable verity.

Optimizing dm-verity performance:

https://source.android.com/devices/tech/security/verifiedboot/dm-verity.html

To get the best performance out of dm-verity, you should:

  • In the kernel, turn on NEON SHA-2 for ARMv7 and the SHA-2 extensions for ARMv8.
  • Experiment with different read-ahead and prefetch_cluster settings to find the best configuration for your device.