Using a Third-Party Recovery or ROM with a Locked Bootloader

Tech · 2019-12-08

First, a quote from an expert's article:

Signing boot images for Android Verified Boot (AVB) [v8]

Various Android devices support Android Verified Boot (AVB). A part of this is more commonly known as dm-verity, which verifies system (and vendor) partition integrity. AVB can however also verify boot images, and stock firmwares generally include signed boot images. Of course this does not mean that all signed boot images are using AVB, many OEMs have their own signature verification scheme.

Note: AOSP is moving towards the use of avbtool (taken from Brillo), the following is the old way for signing boot images.

Bootloaders might or might not accept unsigned boot images, and might or might not accept boot images signed with our own keys (rather than the OEM's keys). This depends on the device, bootloader version, and bootloader unlock state.
For example, with the bootloader unlocked, the Google Pixel (and XL) devices accepted unsigned boot images up to (but not including) the May 2017 release. From the May 2017 release onwards, the boot images must be signed if flashed (booted works without), but may be signed with your own key rather than the OEM's.

Note: The situation changes when you re-lock the bootloader. I have not tested this, but documentation implies that (one of) the keys used in the current boot image must be used for future flashes until it is unlocked again.

Generating custom signing keys
The following openssl commands generate all the keys we need. Execute them line-by-line rather than copying the whole block, as you will be asked for input.

Code:
# private key
openssl genrsa -f4 -out verifiedboot.pem 2048
openssl pkcs8 -in verifiedboot.pem -topk8 -outform DER -out verifiedboot.pk8 -nocrypt

# public key
openssl req -new -x509 -sha256 -key verifiedboot.pem -out verifiedboot.x509.pem
openssl x509 -outform DER -in verifiedboot.x509.pem -out verifiedboot.x509.der

For future signings, you do not need the .pem files, and they can safely be deleted once the .pk8 and .der files are generated. In AOSP's implementation, they were never even written to disk in the first place.
Security-wise, documentation states it is advisable to use a different set of keys for each device you support; though obviously this doesn't matter much if the device is running with the bootloader in unlocked state.
Signing the boot image
Download the attached BootSignature.jar file (built from AOSP sources), and sign the boot image using the keys generated above with the following commands:

Code:
java -jar BootSignature.jar /boot boot.img verifiedboot.pk8 verifiedboot.x509.der boot_signed.img
java -jar BootSignature.jar -verify boot_signed.img

Instead of /boot, /recovery and other values may be used. Their use should be obvious.
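As an added example (not part of Chainfire's post or of the BootSignature tool itself), the following Python does the structural half of what the -verify step and the flashable ZIP's "already signed?" check need: it computes the signable length from the boot image header (modelled on the rule AOSP's BootSignature uses) and then walks the DER AndroidVerifiedBootSignature appended after that offset to read the signed target and the length the signer committed to. The sample image (2048-byte pages, 3000-byte kernel, 500-byte ramdisk) and its placeholder signature blob are constructed here and carry no real certificate or RSA signature; the script checks layout, not the signature value.

```python
import struct

def _align(n: int, page: int) -> int:
    return ((n + page - 1) // page) * page

def signable_image_size(data: bytes) -> int:
    """Signed span: page-aligned header, kernel, ramdisk, second stage (AOSP BootSignature rule)."""
    kernel, _, ramdisk, _, second, _, _, page = struct.unpack_from("<8I", data, 8)
    if data[:8] != b"ANDROID!" or page == 0:
        raise ValueError("not a boot image: bad magic or page size")
    return _align(page + _align(kernel, page) + _align(ramdisk, page) + _align(second, page), page)

def _tlv(buf: bytes, pos: int):
    """Minimal DER reader: (tag, value bytes, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def signature_info(data: bytes):
    """None for an unsigned image; else target ("/boot", "/recovery", ...) and length
    from the signature's authenticatedAttributes, and whether length matches the header."""
    size = signable_image_size(data)
    trailer = data[size:]                           # everything past the signable image
    if not trailer or trailer[0] != 0x30:           # no DER SEQUENCE appended
        return None
    # SEQUENCE { formatVersion INTEGER, certificate, algorithmIdentifier,
    #   authenticatedAttributes { target PrintableString, length INTEGER }, signature OCTET STRING }
    _, body, _ = _tlv(trailer, 0)
    pos = 0
    for _ in range(3):                              # skip version, certificate, algId
        _, _, pos = _tlv(body, pos)
    _, attrs, _ = _tlv(body, pos)
    _, target, pos = _tlv(attrs, 0)
    length = int.from_bytes(_tlv(attrs, pos)[1], "big")
    return {"target": target.decode("ascii"), "length": length, "length_ok": length == size}

def sample_image(signed: bool) -> bytes:
    """Constructed sample (2048-byte pages, 3000-byte kernel, 500-byte ramdisk); the
    optional signature blob has an empty cert/algId and dummy signature bytes."""
    page, kernel, ramdisk = 2048, b"K" * 3000, b"R" * 500
    hdr = b"ANDROID!" + struct.pack("<8I", len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page)
    img = hdr.ljust(page, b"\0") + kernel.ljust(4096, b"\0") + ramdisk.ljust(2048, b"\0")
    if signed:
        attrs = b"\x13\x05/boot" + b"\x02\x02" + len(img).to_bytes(2, "big")
        body = b"\x02\x01\x01\x30\x00\x30\x00" + bytes([0x30, len(attrs)]) + attrs + b"\x04\x04\xde\xad\xbe\xef"
        img += bytes([0x30, len(body)]) + body
    return img
```

Run `signature_info(open("boot.img", "rb").read())` on a real image to see whether a signature trailer is present and whether its committed length matches the header; a mismatch or a missing trailer is what the ZIP treats as "not signed yet".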
From Android
Attached is also BootSignature_Android.jar, which is a version ProGuard-reduced against SDK 21 and then dexed. Provided /system is mounted as is usual on Android (on the Pixel (XL), TWRP mounts this differently by default!), it can be used like this:

Code:
dalvikvm -cp BootSignature_Android.jar com.android.verity.BootSignature /boot boot.img verifiedboot.pk8 verifiedboot.x509.der boot_signed.img

dalvikvm -cp BootSignature_Android.jar com.android.verity.BootSignature -verify boot_signed.img

The base command can be extended as follows to make it able to run without any precompiled files present on the device:

Code:
/system/bin/dalvikvm -Xbootclasspath:/system/framework/core-oj.jar:/system/framework/core-libart.jar:/system/framework/conscrypt.jar:/system/framework/bouncycastle.jar -Xnodex2oat -Xnoimage-dex2oat -cp BootSignature_Android.jar com.android.verity.BootSignature ...

Flashable ZIP
Attached is also VerifiedBootSigner.zip, this is a flashable ZIP for FlashFire/TWRP/etc that signs the currently flashed boot image, if it isn't signed already. You can simply flash this after installing a SuperSU version or custom boot image or whatever that doesn't sign the boot image itself already.

I've tried to make it very portable (borrowing ample script from the SuperSU ZIP, as well as its signing keys), but I have only tested it on my Pixel XL.

Note that it does depend on Android files in the system partition, so if (aside from the unsigned boot image) your system isn't functional, the ZIP may not work either.
If the boot image is already signed when you flash the ZIP, it will offer to abort or force re-sign.
If you place custom.pk8 and custom.x509.der files inside the ZIP, these keys will be used for flashing instead of SuperSU's default keys. Additionally, /tmp/avb/custom.pk8 and /tmp/avb/custom.x509.der will override any keys from the ZIP.
There is some more documentation in the update-binary file inside the ZIP as well.
Note: If you're using TWRP's manual slot selection on the Pixel (XL), you must be using TWRP-v3.1.0-RC2 or newer, or it will not work as expected.

Todo
- test what happens when the bootloader is re-locked on multiple devices supporting AVB
- test what happens when dm-verity is kept enabled on a custom/modified boot image with a different image signature than dm-verity signature

The above is reproduced from XDA; original author: Chainfire; link: forum.xda-developers.com/android/software-hacking/signing-boot-images-android-verified-t3600606/post72143133#post72143133

To use a third-party ROM and recovery with the bootloader locked, the boot and recovery images have to be signed, because the manufacturer enforces AVB verification, dm-verity verification and the bootloader lock. I had been using a TWRP modified by a certain expert that kept working after re-locking, which was a signed recovery, and I had long been unable to find a way to sign an img. I stumbled on it by chance while browsing forums: the author is Chainfire, the same expert who made that famous 3D tool. The legend lives up to his name.

First you need to upgrade to JDK 8, then run the signing commands above, as shown in the figure below:

[Screenshot: 210531aaczu38q8uzue3cy.png]

Because a third-party signing certificate is used, a yellow warning ("Your device has loaded a different operating system") appears when entering recovery. It has no effect and recovery boots normally; it is the same yellow text everyone sees when flashing Magisk without unlocking, because Magisk also signs boot with a private certificate. I don't know how the earlier expert handled this, as his recovery did not show the yellow text. By the same logic a third-party ROM could be used in the locked state, though I haven't tried it. If you ask why I want to flash a third-party ROM without unlocking: well, for the fun of tinkering.
The tools needed for signing can be downloaded from the original XDA thread.
This article is my own original work and was first published on the OnePlus forum; please credit the source when reposting.

