Verifying system_other Partition

Implementation

Android-powered devices with Android 9 and lower that have A/B partitions can use the inactive system_other partition (for example, system_bwhen slot_a is active) to store preoptimized VDEX/ODEX files. When system_other is used, ro.cp_system_other_odex is set to 1 for the package manager service to set sys.cppreopt=requested for cppreopts.rc to act on it.

In Android 10, libfs_avb is introduced to support standalone AVB verification for the system_other partition. The VBMeta struct of such a partition is appended to the end of the partition, to be verified by an expected public key from the file system. The Android build system supports signing system_other.img while including the corresponding signing key under /product/etc/security/avb/system_other.avbpubkey. The release tool sign_target_files_apks.py also supports replacing the signing key to a release version.

A/B devices launched before Android 10 have a physical system_other partition, even if it's upgraded to Android 10 with PRODUCT_RETROFIT_DYNAMIC_PARTITIONS set to true.

A/B devices launched with Android 10 must have a logical system_other partition. The following example shows a typical fstab.postinstall file that enables AVB on system_other.

#<dev> <mnt_point> <type>  <mnt_flags options>  <fs_mgr_flags>
system /postinstall ext4 ro,nosuid,nodev,noexec
slotselect_other,logical,avb_keys=/product/etc/security/avb/system_other.avbpubkey

Devices that need to enable AVB on the system_other partition should place the fstab file in the product partition and set the property ro.postinstall.fstab.prefix to /product.

# Use /product/etc/fstab.postinstall to mount system_other. PRODUCT_PRODUCT_PROPERTIES += \
ro.postinstall.fstab.prefix=/product

PRODUCT_COPY_FILES += \
$(LOCAL_PATH)/fstab.postinstall:$(TARGET_COPY_OUT_PRODUCT)/etc/fstab.postinstall