Android Verified Boot

Android 8.0 and higher includes a reference implementation of Verified Boot called Android Verified Boot (AVB) or Verified Boot 2.0. AVB is a version of Verified Boot that works with Project Treble architecture, which separates the Android framework from the underlying vendor implementation.

AVB is integrated with the Android Build System and enabled by a single line, which takes care of generating and signing all necessary dm-verity metadata. For more information, see Build System Integration.

AVB provides libavb, which is a C library to be used at boot time for verifying Android. You can integrate libavb with your bootloader by implementing a platform-specific functionality for I/O, providing the root of trust, and getting/setting rollback protection metadata.

AVB's key features include delegating updates for different partitions, a common footer format for signing partitions, and protection from attackers rolling back to a vulnerable version of Android.

For more implementation details, see /platform/external/avb/