struct AvbSlotVerifyData

AvbSlotVerifyData contains data needed to boot a particular slot

and is returned by avb_slot_verify() if partitions in a slot are

successfully verified.

All data pointed to by this struct - including data in each item in

the |partitions| array - will be freed when the

avb_slot_verify_data_free() function is called.

The |ab_suffix| field is the copy of the of |ab_suffix| field

passed to avb_slot_verify(). It is the A/B suffix of the slot. This

value includes the leading underscore - typical values are "" (if

no slots are in use), "_a" (for the first slot), and "_b" (for the

second slot).

The VBMeta images that were checked are available in the

|vbmeta_images| field. The field |num_vbmeta_images| contains the

number of elements in this array. The first element -

vbmeta_images[0] - is guaranteed to be from the partition with the

top-level vbmeta struct. This is usually the "vbmeta" partition in

the requested slot but if there is no "vbmeta" partition it can

also be the "boot" partition.

The partitions loaded and verified from from the slot are

accessible in the |loaded_partitions| array. The field

|num_loaded_partitions| contains the number of elements in this

array. The order of partitions in this array may not necessarily be

the same order as in the passed-in |requested_partitions| array.

Rollback indexes for the verified slot are stored in the

|rollback_indexes| field. Note that avb_slot_verify() will NEVER

modify stored_rollback_index[n] locations e.g. it will never use

the write_rollback_index() AvbOps operation. Instead it is the job

of the caller of avb_slot_verify() to do this based on e.g. A/B

policy and other factors. See libavb_ab/avb_ab_flow.c for an

example of how to do this.

The |cmdline| field is a NUL-terminated string in UTF-8 resulting

from concatenating all |AvbKernelCmdlineDescriptor| and then

performing proper substitution of the variables

$(ANDROID_SYSTEM_PARTUUID), $(ANDROID_BOOT_PARTUUID), and

$(ANDROID_VBMETA_PARTUUID) using the

get_unique_guid_for_partition() operation in |AvbOps|. Additionally

$(ANDROID_VERITY_MODE) will be replaced with the proper dm-verity

option depending on the value of |hashtree_error_mode|.

Additionally, the |cmdline| field will have the following kernel

command-line options set (unless verification is disabled, see

below):

androidboot.veritymode: This is set to 'disabled' if the

AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED flag is set in top-level

vbmeta struct. Otherwise it is set to 'enforcing' if the

passed-in hashtree error mode is AVB_HASHTREE_ERROR_MODE_RESTART

or AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE, 'eio' if it's

set to AVB_HASHTREE_ERROR_MODE_EIO, and 'logging' if it's set to

AVB_HASHTREE_ERROR_MODE_LOGGING.

androidboot.veritymode.managed: This is set to 'yes' only

if hashtree validation isn't disabled and the passed-in hashtree

error mode is AVB_HASHTREE_ERROR_MODE_MANAGED_RESTART_AND_EIO.

androidboot.vbmeta.invalidate_on_error: This is set to 'yes' only

if hashtree validation isn't disabled and the passed-in hashtree

error mode is AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE.

androidboot.vbmeta.device_state: set to "locked" or "unlocked"

depending on the result of the result of AvbOps's

read_is_unlocked() function.

androidboot.vbmeta.{hash_alg, size, digest}: Will be set to

the digest of all images in |vbmeta_images|.

androidboot.vbmeta.device: This is set to the value

PARTUUID=$(ANDROID_VBMETA_PARTUUID) before substitution so it

will end up pointing to the vbmeta partition for the verified

slot. If there is no vbmeta partition it will point to the boot

partition of the verified slot. If the flag

AVB_SLOT_VERIFY_FLAGS_NO_VBMETA_PARTITION is used, this is not

set.

androidboot.vbmeta.avb_version: This is set to the decimal value

of AVB_VERSION_MAJOR followed by a dot followed by the decimal

value of AVB_VERSION_MINOR, for example "1.0" or "1.4". This

version number represents the vbmeta file format version

supported by libavb copy used in the boot loader. This is not

necessarily the same version number of the on-disk metadata for

the slot that was verified.

Note that androidboot.slot_suffix is not set in the |cmdline| field

in |AvbSlotVerifyData| - you will have to set this yourself.

If the |AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED| flag is set

in the top-level vbmeta struct then only the top-level vbmeta

struct is verified and descriptors will not processed. The return

value will be set accordingly (if this flag is set via 'avbctl

disable-verification' then the return value will be

|AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION|) and

|AvbSlotVerifyData| is returned. Additionally all partitions in the

|requested_partitions| are loaded and the |cmdline| field is set to

"root=PARTUUID=$(ANDROID_SYSTEM_PARTUUID)" and the GUID for the

appropriate system partition is substituted in. Note that none of

the androidboot.* options mentioned above will be set.

The |resolved_hashtree_error_mode| is the the value of the passed

avb_slot_verify()'s |hashtree_error_mode| parameter except that it never has

the value AVB_HASHTREE_ERROR_MODE_MANAGED_RESTART_AND_EIO. If this value was

passed in, then the restart/eio state machine is used resulting in

|resolved_hashtree_error_mode| being set to either

AVB_HASHTREE_ERROR_MODE_RESTART or AVB_HASHTREE_ERROR_MODE_EIO. If set to

AVB_HASHTREE_ERROR_MODE_EIO the boot loader should present a RED warning

screen for the user to click through before continuing to boot.

This struct may grow in the future without it being considered an

ABI break.