Android System Securing, Hardening, & Privacy

Building a Secure Android Boot Flow: From Bootloader to System Partition with AVB

By Antigravity Research Published May 30, 2026 ⏱️ 7 Min Read
Google AdSense Native Placement - Horizontal Top-Post banner

Introduction: The Imperative for a Secure Android Boot

In the evolving landscape of mobile security, ensuring the integrity of an Android device from the moment it powers on is paramount. Malicious actors frequently target the boot process, seeking to inject persistent malware or manipulate system components before the main OS even loads. This is where Android Verified Boot (AVB) steps in, establishing a cryptographic chain of trust from the hardware root of trust right through to the system partition. This article delves into the intricacies of AVB, explaining its core components, practical implementation, and how it hardens the Android boot flow against sophisticated attacks.

Understanding Android Verified Boot (AVB)

Android Verified Boot is a security mechanism designed to detect and prevent malicious or unintended modifications to the operating system software. It ensures that all executed code comes from a trusted source, starting from the bootloader and extending through all critical partitions. AVB 2.0, the current standard, builds upon earlier iterations by offering enhanced rollback protection, dynamic partitions support, and more robust verification algorithms.

Why AVB is Critical for Device Security:

  • Integrity Protection: Cryptographically verifies every stage of the boot process, ensuring no part of the OS has been tampered with.
  • Malware Prevention: Thwarts persistent malware injections at the bootloader or kernel level.
  • Rollback Protection: Prevents attackers from downgrading devices to older, vulnerable software versions.
  • User Confidence: Assures users that their device is running legitimate, untampered software.

The Secure Boot Chain Explained

The AVB chain of trust is a meticulous process, where each stage cryptographically verifies the next. This chain originates from an immutable hardware root of trust and extends to the entire Android system.

1. Hardware Root of Trust

The foundation of AVB is an immutable hardware component, typically a Read-Only Memory (ROM) or eFuse within the System-on-Chip (SoC). This hardware contains a public key or hash that is used to verify the initial bootloader. It’s the ultimate source of trust that cannot be altered.

2. Initial Bootloader (IBL) Verification

The hardware root of trust verifies the first stage bootloader (IBL or Primary Bootloader). If the IBL’s signature matches the embedded public key, execution proceeds. Otherwise, the device halts or enters a recovery state, signaling a boot integrity failure.

3. Secondary Bootloader and `vbmeta.img`

The IBL, once verified, loads and verifies subsequent bootloader stages. Eventually, a bootloader component is responsible for verifying the `vbmeta.img` partition. The `vbmeta.img` is a crucial metadata image that contains cryptographic hashes and sizes of all verified partitions (e.g., `boot.img`, `system.img`, `vendor.img`, `dtbo.img`). It also includes rollback index information.

avbtool make_vbmeta_image     --output vbmeta.img     --algorithm SHA256_RSA4096     --key avb/testkey_rsa4096.pem     --public_key_metadata avb/testkey_rsa4096.avbpubkey     --setup_dm_verity_on_partition system:avb/system_pubkey.pem     --setup_dm_verity_on_partition vendor:avb/vendor_pubkey.pem     --chain_partition boot:1:avb/boot_pubkey.pem

This command demonstrates creating a `vbmeta.img` that references public keys for system and vendor partitions and chains verification to the `boot` partition.

4. Boot Image (`boot.img`) Verification

The bootloader uses the hash descriptor from `vbmeta.img` to verify the `boot.img`, which contains the kernel and ramdisk. If verification succeeds, the kernel is loaded and initialized.

avbtool add_hash_footer     --image boot.img     --partition_name boot     --partition_size $(stat -c %s boot.img)     --algorithm SHA256_RSA4096     --key avb/boot_key.pem

This command adds an AVB footer to the `boot.img`, allowing its integrity to be verified.

5. Partition Verification with `dm-verity`

Once the kernel is running, it takes over the verification process for read-only partitions like `system`, `vendor`, `product`, and `odm`. This is achieved through `dm-verity` (device-mapper verity). `dm-verity` creates a virtual block device that exposes the verified data, ensuring that any attempt to read tampered data results in an I/O error.

The `fstab.avb.` file defines how these partitions are mounted with `dm-verity` and which hash tree and salt to use. These values are derived from `vbmeta.img` during boot.

# Example fstab.avb entry for system partition/dev/block/by-name/system /system ext4 ro,barrier=1,noatime,nodiratime,data=ordered wait,avb,avb_keys=/avb/vbmeta_keys.img:/avb/system_pubkey.img

6. Rollback Protection

AVB integrates rollback protection by maintaining a rollback index for each verified partition. This index is stored in tamper-resistant hardware (e.g., Replay Protected Memory Block – RPMB or eFuses). During an update, the new software’s index must be greater than or equal to the stored index. If an attacker tries to flash an older, vulnerable image, its lower rollback index will be rejected, preventing a downgrade attack.

Implementing AVB: A Practical Deep Dive

Integrating AVB into an Android build requires careful management of cryptographic keys and configuration within the build system.

Key Generation and Management

The `avbtool` is indispensable for AVB. First, generate your signing keys:

# Generate a 4096-bit RSA keyavbtool generate_key --output_key avb/testkey_rsa4096.pem --size 4096# Extract the public key for embedding in vbmetaavbtool extract_public_key --input_key avb/testkey_rsa4096.pem --output_pubkey avb/testkey_rsa4096.avbpubkey

These keys are used to sign your `vbmeta.img` and generate hash footers for other partitions. The public key must be securely embedded into the device’s bootloader or `vbmeta.img` for verification.

Integrating AVB into the Android Build System

To enable AVB in your device’s AOSP build configuration, modify your `device.mk` or `BoardConfig.mk` files:

  • BOARD_AVB_ENABLE := true: Enables AVB for the device.
  • BOARD_AVB_ALGORITHM := SHA256_RSA4096: Specifies the signing algorithm.
  • BOARD_AVB_VBMETA_KEY_PATH := device/<vendor>/<device>/avb/testkey_rsa4096.pem: Path to the private key for `vbmeta.img`.
  • BOARD_AVB_VBMETA_ADD_HASHTREE_FOOTER_ARGS := $(BOARD_AVB_SYSTEM_ADD_HASHTREE_FOOTER_ARGS) $(BOARD_AVB_VENDOR_ADD_HASHTREE_FOOTER_ARGS): Configures adding hash tree footers to partitions.
  • BOARD_AVB_BOOT_KEY_PATH := device/<vendor>/<device>/avb/boot_key.pem: Path to the private key for `boot.img`.

The Android build system will then use `avbtool` to sign and integrate the necessary AVB metadata during image creation.

Monitoring and Debugging AVB

During development or troubleshooting, understanding the device’s boot state is crucial. You can query AVB status via `fastboot`:

fastboot getvar all

Look for variables like `verified_boot` and `current-slot`. The `bootctl` utility (available via `adb shell` on a running device) can also provide insights:

adb shell bootctl get-current-slotadb shell bootctl get-boot-state

Common AVB states include:

  • GREEN: Verified boot is active and all images are loaded correctly.
  • YELLOW: Verified boot is active, but the device is running custom software (e.g., unlocked bootloader) or has minor integrity issues. This often presents a warning to the user.
  • RED: Verified boot has detected severe corruption or unauthorized modifications, preventing the device from booting or requiring user intervention.

Hardening and Best Practices

Beyond basic implementation, several practices enhance AVB’s effectiveness:

  • Secure Key Management: Private keys used for signing must be stored in highly secure environments (e.g., Hardware Security Modules – HSMs). Never expose them.
  • Unique Keys per Device/Product Line: While a single key can sign all images for a product, consider a robust key hierarchy.
  • Integrate with A/B Updates: AVB works seamlessly with A/B (seamless) updates, ensuring that both slots are verified before and after an update, enhancing reliability and security.
  • Monitor for Boot State Changes: Implement telemetry to detect devices entering yellow or red boot states, indicating potential tampering or issues in the field.

Conclusion

Android Verified Boot is an indispensable component of modern Android security. By establishing a robust, cryptographic chain of trust from the hardware root through to the critical system partitions, AVB effectively mitigates a wide array of boot-time attacks and ensures device integrity. A thorough understanding and careful implementation of AVB are essential for any developer or OEM committed to delivering secure, trustworthy Android experiences. As threats evolve, so too will AVB, continuing to be the bedrock of Android’s secure boot architecture.

Android Mobile Specs & Compare Directory

Are you researching mobile hardware properties, processor SoCs, GPU chipsets, or RAM configurations? Access our complete specs catalog to compare up to 5 devices side-by-side!

Compare Devices Specs →
Google AdSense Inline Placement - Content Footer banner
Tags: #Android Security #AVB #Bootloader #dm-verity #Verified Boot

Related Technical Guides

Bypassing Root Detection: A Deep Dive into Common Exploits & Countermeasures for Developers

May 30, 2026

Performance Impact of Seccomp-BPF on Android Native Code: Benchmarking & Optimization

May 30, 2026

Forensic Analysis: Tracing OEM Telemetry & Data Collection Mechanisms in Android Firmware

May 30, 2026