NOTE
The random key is generated on the device and is invisible to anyone. The device may no longer boot up if the
RPMB key message is destroyed.
8.10 AVB key provision
The AVB key consists of a pair of public and private keys. The private key is used by the host to sign the vbmeta image. The
public key is used by AVB to authenticate the vbmeta image. The relationships between the private key, the public key, and the
vbmeta are as follows:
Figure 1. Relationship between AVB key and vbmeta
8.10.1 How to specify the AVB key
OpenSSL provides commands to generate the private key. For example, you can use the following command to
generate the RSA-4096 private key test_rsa4096_private.pem:
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -outform PEM -out test_rsa4096_private.pem
The public key can be extracted from the private key. The avbtool in ${MY_ANDROID}/external/avb provides a command for this.
You can get the public key test_rsa4096_public.bin with the following command:
avbtool extract_public_key --key test_rsa4096_private.pem --output test_rsa4096_public.bin
By default, the Android build system uses the algorithm SHA256_RSA4096 with the private key from
${MY_ANDROID}/external/avb/test/data/testkey_rsa4096.pem. This can be overridden by setting BOARD_AVB_ALGORITHM and
BOARD_AVB_KEY_PATH to use a different algorithm and private key:
BOARD_AVB_ALGORITHM := <algorithm-type>
BOARD_AVB_KEY_PATH := <key-path>
Algorithm SHA256_RSA4096 is recommended since Cryptographic Acceleration and Assurance Module (CAAM) can help
accelerate the hash calculation.
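A sanity check for the extracted public key file before it is provisioned, given here as an added example that is not part of the NXP guide or of AOSP. It assumes the blob layout written by AOSP's avbtool (a big-endian header holding the key size in bits and n0inv, followed by the modulus and R^2 mod n); the function names and the sample modulus are constructed for illustration.

```python
import struct

def encode_avb_public_key(n, num_bits):
    """Build a blob in the assumed avbtool layout (only used to make sample input)."""
    n0inv = (1 << 32) - pow(n, -1, 1 << 32)      # -1/n mod 2^32
    rr = pow(1 << num_bits, 2, n)                # (2^num_bits)^2 mod n
    size = num_bits // 8
    return (struct.pack("!II", num_bits, n0inv)
            + n.to_bytes(size, "big") + rr.to_bytes(size, "big"))

def check_avb_public_key(blob, algorithm):
    """Return (num_bits, modulus); raise ValueError if the blob is malformed
    or its key size does not match the BOARD_AVB_ALGORITHM value."""
    try:
        expected_bits = int(algorithm.rsplit("RSA", 1)[1])   # e.g. SHA256_RSA4096
    except (IndexError, ValueError):
        raise ValueError(f"cannot read key size from {algorithm!r}")
    if len(blob) < 8:
        raise ValueError("truncated header")
    num_bits, n0inv = struct.unpack("!II", blob[:8])
    if num_bits != expected_bits:
        raise ValueError(f"key is {num_bits} bits, {algorithm} needs {expected_bits}")
    size = num_bits // 8
    if len(blob) != 8 + 2 * size:
        raise ValueError("unexpected file length")
    n = int.from_bytes(blob[8:8 + size], "big")
    rr = int.from_bytes(blob[8 + size:], "big")
    if n.bit_length() != num_bits or n % 2 == 0:
        raise ValueError("modulus has wrong size or is even")
    if (n * n0inv) % (1 << 32) != (1 << 32) - 1:
        raise ValueError("n0inv does not match modulus")
    if rr != pow(1 << num_bits, 2, n):
        raise ValueError("rr does not match modulus")
    return num_bits, n

# Constructed sample: an odd 4096-bit integer, NOT a real RSA modulus.
SAMPLE_N = (1 << 4095) + 0x1234567

if __name__ == "__main__":
    blob = encode_avb_public_key(SAMPLE_N, 4096)
    bits, _ = check_avb_public_key(blob, "SHA256_RSA4096")
    print(f"{len(blob)} bytes, {bits}-bit key accepted")
    try:
        check_avb_public_key(blob, "SHA256_RSA2048")
    except ValueError as err:
        print("rejected:", err)
```

For a real key, pass the bytes of test_rsa4096_public.bin and the value set in BOARD_AVB_ALGORITHM to check_avb_public_key.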
NXP Semiconductors
Customized Configuration
Android™ User's Guide, Rev. P9.0.0_2.3.2, 6 March 2020