Verifying signed OTA fails #291

Closed
juleast opened this issue May 24, 2024 · 5 comments · Fixed by #293
@juleast

juleast commented May 24, 2024

What are the conditions for an OTA zip to be properly signed? Does it require a specific configuration when compiling the OTA zip first? I tried to sign the OTA zip for DerpFest for my device but trying to verify it back produces this error:

avbroot ota verify --input ota.zip.patched --cert-ota ota.crt --public-key-avb avb_pkmd.bin
  0.000s  INFO Verifying whole-file signature
  3.530s  INFO Verifying payload
 10.422s  INFO Extracting partition images to temporary directory
 10.422s  INFO Extracting from the payload: boot, dtbo, system, vbmeta, vendor
 55.849s  INFO Successfully extracted OTA
 55.849s  INFO Verifying partition hashes
 67.212s  INFO Checking ramdisk's otacerts.zip
 67.463s  INFO Verifying AVB signatures
 67.464s  INFO vbmeta has a signed vbmeta header
 67.464s  INFO Verifying hash tree descriptor for: system
 67.464s  INFO Verifying hash tree descriptor for: vendor
 67.464s  INFO Verifying hash descriptor for: dtbo
 67.464s  INFO Verifying hash descriptor for: boot
 73.381s ERROR Failed to verify hash tree descriptor for: system

Caused by:
    "fec_size" field is out of bounds

I wasn't sure what this error meant.

@chenxiaolong chenxiaolong self-assigned this May 24, 2024
@chenxiaolong
Owner

Can you post a link to the OTA? Or if it's not publicly available, can you extract the OTA with:

avbroot ota extract -i ota.zip -d extracted -a

and post the output of:

avbroot avb info -i extracted/system.img

fec_size is a field in the AVB metadata that specifies how big the FEC (forward error correction) data is. FEC data is used to correct small errors if a partition happens to get corrupted.

I'm thinking either the fec_size is somehow invalid or it's exceeding avbroot's internal limit (~32 MiB). The latter would be really easy to fix.

@juleast
Author

juleast commented May 24, 2024

I've run the command you asked for. Here is the output. I've captured the output to a logfile because it was too long.
system.log

@chenxiaolong
Owner

Thanks. Yep, so it's just hitting avbroot's internal limit. (The limit exists so that a corrupt/malicious OTA can't cause avbroot to use up the entire system's memory.)

I'll increase the limit and release a new version of avbroot.
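
The kind of limit described in the comment above, as an added Rust example that is not avbroot's code and not part of the original thread: a size field read from an untrusted file is checked against a cap before it drives any read or allocation. The record layout (an 8-byte big-endian length followed by the data), the names `read_fec`, `FecError`, `record` and `MAX_FEC_SIZE`, and the exact 32 MiB value are assumptions made for illustration.

```rust
use std::io::{Cursor, Read};

/// Assumed cap, modelled on the "~32 MiB" figure mentioned in the thread.
const MAX_FEC_SIZE: u64 = 32 * 1024 * 1024;

#[derive(Debug, PartialEq)]
enum FecError {
    OutOfBounds { field: &'static str, value: u64, max: u64 },
    Truncated,
}

/// Reads a simplified, hypothetical record: an 8-byte big-endian `fec_size`
/// followed by that many bytes of FEC data. Not the real AVB layout.
fn read_fec<R: Read>(mut r: R, max: u64) -> Result<Vec<u8>, FecError> {
    let mut len = [0u8; 8];
    r.read_exact(&mut len).map_err(|_| FecError::Truncated)?;
    let fec_size = u64::from_be_bytes(len);

    // The size comes from the file, so check it before it drives any read
    // or allocation.
    if fec_size > max {
        return Err(FecError::OutOfBounds { field: "fec_size", value: fec_size, max });
    }

    // `take` bounds the read; the Vec grows only as bytes actually arrive.
    let mut data = Vec::new();
    r.take(fec_size).read_to_end(&mut data).map_err(|_| FecError::Truncated)?;
    if data.len() as u64 != fec_size {
        return Err(FecError::Truncated);
    }
    Ok(data)
}

/// Builds a constructed sample record for the demo.
fn record(declared: u64, body: &[u8]) -> Vec<u8> {
    let mut v = declared.to_be_bytes().to_vec();
    v.extend_from_slice(body);
    v
}

fn main() {
    // Constructed inputs: a valid record, and one declaring an absurd size.
    println!("{:?}", read_fec(Cursor::new(record(4, b"\x01\x02\x03\x04")), MAX_FEC_SIZE));
    println!("{:?}", read_fec(Cursor::new(record(u64::MAX, b"")), MAX_FEC_SIZE));
    // A legitimate record above a too-small cap fails until the cap is raised.
    println!("{:?}", read_fec(Cursor::new(record(8, &[0; 8])), 4));
    println!("{:?}", read_fec(Cursor::new(record(8, &[0; 8])), 8));
}
```

The last two calls mirror the situation in this issue: a well-formed input is rejected only because the cap is lower than its declared size, and passes once the cap is raised.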

@juleast
Author

juleast commented May 24, 2024

Thank you for the update! I will try it again when I get home.

@chenxiaolong
Owner

No problem! 3.2.1 will be released in a few minutes with the change.
