1 files changed, 75 insertions, 25 deletions
diff --git a/lib/avb/libavb/avb_vbmeta_image.h b/lib/avb/libavb/avb_vbmeta_image.h
index 25d3689..0df7126 100644
--- a/lib/avb/libavb/avb_vbmeta_image.h
+++ b/lib/avb/libavb/avb_vbmeta_image.h
@@ -45,9 +45,17 @@ extern "C" {
 #define AVB_MAGIC "AVB0"
 #define AVB_MAGIC_LEN 4
 
-/* The current MAJOR and MINOR versions used - keep in sync with avbtool. */
-#define AVB_MAJOR_VERSION 1
-#define AVB_MINOR_VERSION 0
+/* Maximum size of the release string including the terminating NUL byte. */
+#define AVB_RELEASE_STRING_SIZE 48
+
+/* Flags for the vbmeta image.
+ *
+ * AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED: If this flag is set,
+ * hashtree image verification will be disabled.
+ */
+typedef enum {
+  AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED = (1 << 0)
+} AvbVBMetaImageFlags;
 
 /* Binary format for header of the vbmeta image.
  *
@@ -94,9 +102,13 @@ extern "C" {
  * descriptors. See avb_descriptor_foreach() for a convenience
  * function to iterate over descriptors.
  *
- * This struct is versioned, see the |header_version_major| and
- * |header_version_minor| fields. Compatibility is guaranteed only
- * within the same major version.
+ * This struct is versioned, see the |required_libavb_version_major|
+ * and |required_libavb_version_minor| fields. This represents the
+ * minimum version of libavb required to verify the header and depends
+ * on the features (e.g. algorithms, descriptors) used. Note that this
+ * may be 1.0 even if generated by an avbtool from 1.4 but where no
+ * features introduced after 1.0 has been used. See the VERSIONING AND
+ * COMPATIBILITY section in the README file for more details.
  *
  * All fields are stored in network byte order when serialized. To
  * generate a copy with fields swapped to native byte order, use the
@@ -109,10 +121,11 @@ extern "C" {
 typedef struct AvbVBMetaImageHeader {
   /*   0: Four bytes equal to "AVB0" (AVB_MAGIC). */
   uint8_t magic[AVB_MAGIC_LEN];
-  /*   4: The major version of the vbmeta image header. */
-  uint32_t header_version_major;
-  /*   8: The minor version of the vbmeta image header. */
-  uint32_t header_version_minor;
+
+  /*   4: The major version of libavb required for this header. */
+  uint32_t required_libavb_version_major;
+  /*   8: The minor version of libavb required for this header. */
+  uint32_t required_libavb_version_minor;
 
   /*  12: The size of the signature block. */
   uint64_t authentication_data_block_size;
@@ -137,20 +150,44 @@ typedef struct AvbVBMetaImageHeader {
   /*  72: Length of the public key data. */
   uint64_t public_key_size;
 
-  /*  80: Offset into the "Auxiliary data" block of descriptor data. */
+  /*  80: Offset into the "Auxiliary data" block of public key metadata. */
+  uint64_t public_key_metadata_offset;
+  /*  88: Length of the public key metadata. Must be set to zero if there
+   *  is no public key metadata.
+   */
+  uint64_t public_key_metadata_size;
+
+  /*  96: Offset into the "Auxiliary data" block of descriptor data. */
   uint64_t descriptors_offset;
-  /*  88: Length of descriptor data. */
+  /* 104: Length of descriptor data. */
   uint64_t descriptors_size;
 
-  /*  96: The rollback index which can be used to prevent rollback to
+  /* 112: The rollback index which can be used to prevent rollback to
    *  older versions.
    */
   uint64_t rollback_index;
 
-  /* 104: Padding to ensure struct is size AVB_VBMETA_IMAGE_HEADER_SIZE
+  /* 120: Flags from the AvbVBMetaImageFlags enumeration. This must be
+   * set to zero if the vbmeta image is not a top-level image.
+   */
+  uint32_t flags;
+
+  /* 124: Reserved to ensure |release_string| start on a 16-byte
+   * boundary. Must be set to zeroes.
+   */
+  uint8_t reserved0[4];
+
+  /* 128: The release string from avbtool, e.g. "avbtool 1.0.0" or
+   * "avbtool 1.0.0 xyz_board Git-234abde89". Is guaranteed to be NUL
+   * terminated. Applications must not make assumptions about how this
+   * string is formatted.
+   */
+  uint8_t release_string[AVB_RELEASE_STRING_SIZE];
+
+  /* 176: Padding to ensure struct is size AVB_VBMETA_IMAGE_HEADER_SIZE
    * bytes. This must be set to zeroes.
    */
-  uint8_t reserved[152];
+  uint8_t reserved[80];
 } AVB_ATTR_PACKED AvbVBMetaImageHeader;
 
 /* Copies |src| to |dest|, byte-swapping fields in the process.
@@ -171,25 +208,35 @@ void avb_vbmeta_image_header_to_host_byte_order(const AvbVBMetaImageHeader* src,
  * AVB_VBMETA_VERIFY_RESULT_OK_NOT_SIGNED is returned if the vbmeta
  * image header is valid but there is no signature or hash.
  *
- * AVB_VERIFY_INVALID_VBMETA_HEADER is returned if the header of
- * the vbmeta image is invalid, for example, invalid magic or
- * inconsistent data.
+ * AVB_VBMETA_VERIFY_RESULT_INVALID_VBMETA_HEADER is returned if the
+ * header of the vbmeta image is invalid, for example, invalid magic
+ * or inconsistent data.
+ *
+ * AVB_VBMETA_VERIFY_RESULT_UNSUPPORTED_VERSION is returned if a) the
+ * vbmeta image requires a minimum version of libavb which exceeds the
+ * version of libavb used; or b) the vbmeta image major version
+ * differs from the major version of libavb in use.
  *
- * AVB_VERIFY_HASH_MISMATCH is returned if the hash stored in the
- * "Authentication data" block does not match the calculated hash.
+ * AVB_VBMETA_VERIFY_RESULT_HASH_MISMATCH is returned if the hash
+ * stored in the "Authentication data" block does not match the
+ * calculated hash.
  *
- * AVB_VERIFY_SIGNATURE_MISMATCH is returned if the signature stored
- * in the "Authentication data" block is invalid or doesn't match the
- * public key stored in the vbmeta image.
+ * AVB_VBMETA_VERIFY_RESULT_SIGNATURE_MISMATCH is returned if the
+ * signature stored in the "Authentication data" block is invalid or
+ * doesn't match the public key stored in the vbmeta image.
  */
 typedef enum {
   AVB_VBMETA_VERIFY_RESULT_OK,
   AVB_VBMETA_VERIFY_RESULT_OK_NOT_SIGNED,
   AVB_VBMETA_VERIFY_RESULT_INVALID_VBMETA_HEADER,
+  AVB_VBMETA_VERIFY_RESULT_UNSUPPORTED_VERSION,
   AVB_VBMETA_VERIFY_RESULT_HASH_MISMATCH,
   AVB_VBMETA_VERIFY_RESULT_SIGNATURE_MISMATCH,
 } AvbVBMetaVerifyResult;
 
+/* Get a textual representation of |result|. */
+const char* avb_vbmeta_verify_result_to_string(AvbVBMetaVerifyResult result);
+
 /* Checks that vbmeta image at |data| of size |length| is a valid
  * vbmeta image. The complete contents of the vbmeta image must be
  * passed in. It's fine if |length| is bigger than the actual image,
@@ -205,7 +252,8 @@ typedef enum {
  * |out_public_key_data| is non-NULL, it will be set to point inside
  * |data| for where the serialized public key data is stored and
  * |out_public_key_length|, if non-NULL, will be set to the length of
- * the public key data.
+ * the public key data. If there is no public key in the metadata then
+ * |out_public_key_data| is set to NULL.
  *
  * See the |AvbVBMetaVerifyResult| enum for possible return values.
  *
@@ -230,7 +278,9 @@ typedef enum {
  * integrity data for a whole set of partitions.
  */
 AvbVBMetaVerifyResult avb_vbmeta_image_verify(
-    const uint8_t* data, size_t length, const uint8_t** out_public_key_data,
+    const uint8_t* data,
+    size_t length,
+    const uint8_t** out_public_key_data,
     size_t* out_public_key_length) AVB_ATTR_WARN_UNUSED_RESULT;
 
 #ifdef __cplusplus