Verifying signed OTA fails

Question

Verifying signed OTA fails

juleast opened this issue 8 months ago · 5 comments

What are the conditions for an OTA zip to be properly signed? Does it require a specific configuration when compiling the OTA zip first? I tried to sign the OTA zip for DerpFest for my device but trying to verify it back produces this error:

avbroot ota verify --input ota.zip.patched --cert-ota ota.crt --public-key-avb avb_pkmd.bin
  0.000s  INFO Verifying whole-file signature
  3.530s  INFO Verifying payload
 10.422s  INFO Extracting partition images to temporary directory
 10.422s  INFO Extracting from the payload: boot, dtbo, system, vbmeta, vendor
 55.849s  INFO Successfully extracted OTA
 55.849s  INFO Verifying partition hashes
 67.212s  INFO Checking ramdisk\'s otacerts.zip
 67.463s  INFO Verifying AVB signatures
 67.464s  INFO vbmeta has a signed vbmeta header
 67.464s  INFO Verifying hash tree descriptor for: system
 67.464s  INFO Verifying hash tree descriptor for: vendor
 67.464s  INFO Verifying hash descriptor for: dtbo
 67.464s  INFO Verifying hash descriptor for: boot
 73.381s ERROR Failed to verify hash tree descriptor for: system

Caused by:
    "fec_size" field is out of bounds

I wasn't sure what this error meant.

Answer 1 · 2024-05-24T13:39:12.000Z

Can you post a link to the OTA? Or if it's not publicly available, can you extract the OTA with:

avbroot ota extract -i ota.zip -d extracted -a

and post the output of:

avbroot avb info -i extracted/system.img

fec_size is a field in the AVB metadata that specifies how big the FEC (forward error correction) data is. FEC data is used to correct small errors if a partition happens to get corrupted.

I'm thinking either the fec_size is somehow invalid or it's exceeding avbroot's internal limit (~32 MiB). The latter would be really easy to fix.

Answer 2 · 2024-05-24T16:09:32.000Z

I've run the command you asked for. Here is the output. I've captured the output to a logfile because it was too long.
system.log

Answer 3 · 2024-05-24T22:04:04.000Z

Thanks. Yep, so it's just hitting avbroot's internal limit. (The limit exists so that a corrupt/malicious OTA can't cause avbroot to use up the entire system's memory.)

I'll increase the limit and release a new version of avbroot.

Answer 4 · 2024-05-24T22:26:48.000Z

Thank you for the update! I will try it again when I get home.

Answer 5 · 2024-05-24T22:30:26.000Z

No problem! 3.2.1 will be released in a few minutes with the change.