
Chain of Security

Wire edited this page Nov 19, 2024 · 3 revisions

Vector's chain of security looks like this (in this order):

  1. PBL - code in the CPU which starts communication with the flash and loads the SBL. It will only load a correctly signed SBL whose signing key matches the key hash in the qfuses.
  2. SBL - initializes some hardware and checks ABOOT against a built-in key (prod).
  3. ABOOT - checks the signing of the Linux boot partition against a built-in key (prod).
    • on a dev or OSKR bot, this will also append anki.dev to the kernel cmdline so that the ramfs knows not to set up dm-verity
  4. boot_<slot> - contains the Linux kernel and ramfs; sets up dm-verity and makes sure the system partition hasn't been modified
  5. system_<slot> - vector go beep boop

(There are two boot slots for OTA updates, a and b, plus f for recovery; ABOOT handles choosing between them.)

When a bot is unlocked, the only thing that changes is the ABOOT partition. The new ABOOT partition includes a new key to check the boot partition against. Keys exist for dev, prod, and OSKR (and Cozmo 2.0).

The only thing we can create with the OSKR boot image password is a boot image which an OSKR ABOOT can launch. This doesn't matter because DDL already signed unlocked ones.
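To make the chain above concrete, here is an added simulation (not code from the Vector firmware or this wiki) that models each stage as a signed image carrying the public key for the next stage, with the root of trust being a key hash "burnt into the qfuses". Everything in it is an assumption for illustration: Ed25519 stands in for whatever signature scheme Qualcomm's PBL/SBL actually use, the dm-verity step hashes the whole system image instead of blocks, and all keys are generated fresh at run time. The `Simulate` function reproduces the page's unlock scenario: swapping ABOOT for one that carries the OSKR boot key is the only change, after which prod-signed boot/recovery images stop launching and OSKR-signed ones start launching.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Stage is one signed link of the chain. NextKey is the public key the stage
// carries to check the stage after it (ABOOT's built-in boot key, for example),
// VerityRoot is used by the boot stage only and stands in for the dm-verity
// root hash, and Signature is made by the key of the stage before it.
type Stage struct {
	Name       string
	Payload    []byte
	NextKey    ed25519.PublicKey
	VerityRoot [32]byte
	Signature  []byte
}

// digest binds payload, embedded key and verity root together, so that swapping
// the embedded key without re-signing the stage is detected.
func digest(s *Stage) []byte {
	h := sha256.New()
	h.Write(s.Payload)
	h.Write(s.NextKey)
	h.Write(s.VerityRoot[:])
	return h.Sum(nil)
}

func signStage(signer ed25519.PrivateKey, s *Stage) {
	s.Signature = ed25519.Sign(signer, digest(s))
}

// VerifyChain follows the order on the page: PBL compares the SBL signing key
// against the hash in the qfuses, each stage then checks the next one with its
// own built-in key, and finally the system image must match the root hash the
// boot image carries (whole-image hash here; real dm-verity hashes blocks).
func VerifyChain(fuseHash [32]byte, rootKey ed25519.PublicKey, stages []*Stage, system []byte) error {
	if sha256.Sum256(rootKey) != fuseHash {
		return errors.New("PBL: SBL signing key does not match qfuse hash")
	}
	key := rootKey
	for _, s := range stages {
		if !ed25519.Verify(key, digest(s), s.Signature) {
			return fmt.Errorf("%s: signature check failed", s.Name)
		}
		key = s.NextKey
	}
	if sha256.Sum256(system) != stages[len(stages)-1].VerityRoot {
		return errors.New("dm-verity: system partition has been modified")
	}
	return nil
}

type keypair struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newKey() keypair {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway keys, not Anki's
	return keypair{pub, priv}
}

// Simulate builds a fresh bot and boots it. abootOSKR selects which boot key
// ABOOT carries, bootOSKR selects which key signed the boot image, and
// tamperSystem flips a byte of the system image after the verity root was made.
func Simulate(abootOSKR, bootOSKR, tamperSystem bool) error {
	fused, sblBuiltin, prodBoot, oskrBoot := newKey(), newKey(), newKey(), newKey()
	fuseHash := sha256.Sum256(fused.pub)
	system := []byte("vector go beep boop")

	boot := &Stage{Name: "boot_a", Payload: []byte("kernel+ramfs"), VerityRoot: sha256.Sum256(system)}
	signer := prodBoot
	if bootOSKR {
		signer = oskrBoot
	}
	signStage(signer.priv, boot)

	// An unlock swaps only this stage: same SBL signature requirement, different
	// built-in key. Signing it needs the SBL-side key, which the page says they
	// don't have; this simulation holds every key, so it can.
	aboot := &Stage{Name: "ABOOT", Payload: []byte("aboot"), NextKey: prodBoot.pub}
	if abootOSKR {
		aboot.NextKey = oskrBoot.pub
	}
	signStage(sblBuiltin.priv, aboot)

	sbl := &Stage{Name: "SBL", Payload: []byte("sbl"), NextKey: sblBuiltin.pub}
	signStage(fused.priv, sbl)

	if tamperSystem {
		system[0] ^= 0xff
	}
	return VerifyChain(fuseHash, fused.pub, []*Stage{sbl, aboot, boot}, system)
}

func main() {
	fmt.Println("prod ABOOT, prod boot:", Simulate(false, false, false))
	fmt.Println("prod ABOOT, OSKR boot:", Simulate(false, true, false))
	fmt.Println("OSKR ABOOT, OSKR boot:", Simulate(true, true, false))
	fmt.Println("modified system:", Simulate(false, false, true))
}
```

The model makes the page's two key points visible: the OSKR boot password alone only yields images that an OSKR ABOOT will launch, and an ABOOT that a prod SBL accepts still has to be signed by the SBL-side key, which is why `Simulate` has to hold that key to build the unlocked chain at all.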

As for unlock OTAs, a usual OTA contains these files:

manifest.ini
manifest.sha256
apq8009-robot-boot.img.gz
apq8009-robot-sysfs.img.gz

manifest.ini contains the OTA information. manifest.sha256 is a signed hash of manifest.ini (signed with ota_prod.key). apq8009-robot-boot.img.gz contains the boot partition, encrypted and compressed, and apq8009-robot-sysfs.img.gz contains the system partition, also encrypted and compressed.

An unlock OTA looks like this (iirc):

manifest.ini
manifest.sha256
emmc-appsboot.img.gz
apq8009-robot-boot.img.gz
apq8009-robot-sysfs.img.gz

manifest.ini will say that it is an unlock OTA. That lets the update-engine in Vector know that there is an extra partition to be dumped, and that the boot and system images should be dumped to slot f, meaning boot gets dumped to the recovery partition and system goes to recoveryfs.

emmc-appsboot.img.gz is the new OSKR-signed ABOOT, tailored to the robot the OTA was built for. manifest.ini includes a QSN entry which will be checked against the bot's actual QSN, so it will only work on the bot the OTA was built for.

A new recovery partition is needed because ABOOT will check the recovery partition's signing too. If it is still prod, the new OSKR-signed ABOOT won't launch it. It will only launch an OSKR-signed recovery. recoveryfs doesn't need to be swapped out, but it is anyway just to be safe.
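The checks described in the last few paragraphs (signed manifest hash, QSN binding, slot f for unlock payloads, the extra ABOOT image) fit in a short piece of code. The example below is added here and is not update-engine's code; it assumes a key=value layout for manifest.ini with made-up key names (`unlock`, `qsn`, `file`), uses Ed25519 for the manifest signature because the page does not say what ota_prod.key is, and invents the QSN value and the partition names `aboot`, `recovery` and `recoveryfs` purely for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Manifest holds the fields this example assumes manifest.ini carries. The page
// only mentions an unlock marker and a QSN entry; the key names are made up.
type Manifest struct {
	Unlock bool
	QSN    string
	Files  []string
}

// ParseManifest reads a minimal "key=value" ini text (assumed layout).
func ParseManifest(text string) (Manifest, error) {
	var m Manifest
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || line[0] == '[' || line[0] == ';' {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return m, fmt.Errorf("malformed manifest line %q", line)
		}
		switch k, v = strings.TrimSpace(k), strings.TrimSpace(v); k {
		case "unlock":
			m.Unlock = v == "1"
		case "qsn":
			m.QSN = v
		case "file":
			m.Files = append(m.Files, v)
		}
	}
	return m, nil
}

// SignManifest produces manifest.sha256 as the page describes it: a hash of
// manifest.ini, signed (Ed25519 here; the page does not name the algorithm).
func SignManifest(otaPriv ed25519.PrivateKey, manifestIni []byte) []byte {
	sum := sha256.Sum256(manifestIni)
	return ed25519.Sign(otaPriv, sum[:])
}

// partition names the target of a boot or system image; slot f is the
// recovery pair, as the page describes.
func partition(image, slot string) string {
	if slot == "f" {
		if image == "boot" {
			return "recovery"
		}
		return "recoveryfs"
	}
	return image + "_" + slot
}

// PlanUpdate does the checks the page attributes to update-engine and returns
// a file -> partition map. Regular OTAs go to the inactive slot; an unlock OTA
// must carry this bot's QSN, goes to slot f and may include the ABOOT image.
func PlanUpdate(manifestIni, manifestSig []byte, otaPub ed25519.PublicKey, botQSN, activeSlot string) (map[string]string, error) {
	sum := sha256.Sum256(manifestIni)
	if !ed25519.Verify(otaPub, sum[:], manifestSig) {
		return nil, errors.New("manifest.sha256 does not verify against the OTA key")
	}
	m, err := ParseManifest(string(manifestIni))
	if err != nil {
		return nil, err
	}
	target := map[string]string{"a": "b", "b": "a"}[activeSlot]
	if m.Unlock {
		if m.QSN != botQSN {
			return nil, fmt.Errorf("unlock OTA is for QSN %q, this bot is %q", m.QSN, botQSN)
		}
		target = "f"
	}
	if target == "" {
		return nil, fmt.Errorf("unknown active slot %q", activeSlot)
	}
	plan := map[string]string{}
	for _, f := range m.Files {
		switch f {
		case "emmc-appsboot.img.gz":
			if !m.Unlock {
				return nil, errors.New("ABOOT image in a non-unlock OTA")
			}
			plan[f] = "aboot"
		case "apq8009-robot-boot.img.gz":
			plan[f] = partition("boot", target)
		case "apq8009-robot-sysfs.img.gz":
			plan[f] = partition("system", target)
		default:
			return nil, fmt.Errorf("unexpected file %q in manifest", f)
		}
	}
	return plan, nil
}

// ExampleUnlockManifest is a constructed manifest.ini with a made-up QSN.
const ExampleUnlockManifest = "[META]\nunlock=1\nqsn=QSN-EXAMPLE-0001\n" +
	"file=emmc-appsboot.img.gz\nfile=apq8009-robot-boot.img.gz\nfile=apq8009-robot-sysfs.img.gz\n"

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway key, not ota_prod.key
	ini := []byte(ExampleUnlockManifest)
	fmt.Println(PlanUpdate(ini, SignManifest(priv, ini), pub, "QSN-EXAMPLE-0001", "a"))
	fmt.Println(PlanUpdate(ini, SignManifest(priv, ini), pub, "QSN-OTHER", "a"))
}
```

The ordering matters: the signature over manifest.ini is checked before any field in it is trusted, so the QSN and unlock flag that drive partition selection cannot be altered without the OTA key, which is what makes a per-robot unlock OTA stick to the robot it was built for.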

The creation of an ABOOT that will work with a prod SBL requires yet another password which we don't have.
