Android 6.0 Marshmallow added Verified Boot to raise the security level of the device's system. When the device boots, it checks the integrity of the operating system; if the operating system has been modified, the user is shown a warning.
In Android 7.0 Nougat, Verified Boot is enforced more strictly: if the device's boot image or verified partition is damaged or suspicious, the Android system will not boot, or will only boot with restricted functionality. This more effectively prevents a system that has been compromised by malicious software from running.
"a device with a corrupt boot image or verified partition will not boot or will boot in a limited capacity with user consent. Such strict checking, though, means that non-malicious data corruption, which previously would be less visible, could now start affecting process functionality more."
With Verified Boot strictly enforced, even minor damage to the boot image or verified partition may be treated as suspicious and prevent the device from booting. Android therefore also adds an error-checking step: an error correction feature can restore the damaged parts to a reasonable extent. Within a 2-3 GB system partition, the repair feature can recover a contiguous region of up to 16-24 MB.
"a technique called interleaving to allow us to recover not only from a loss of an entire 4 KiB source block, but several consecutive blocks, while significantly reducing the space overhead required to achieve usable error correction capabilities compared to the naive implementation"
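The interleaving idea behind the 16-24 MB figure, as an added example that is not code from the page or from Android: a toy model in which each codeword takes one 4 KiB block from positions spread evenly across the partition, so a burst of consecutive bad blocks costs every codeword only one erasure. Reed-Solomon is replaced here by XOR parity (one erasure per codeword), and the RS(255,253) parameters used in max_burst_bytes are an assumption, not taken from the page.

```python
# Toy model of interleaved erasure correction for dm-verity (added example,
# not Android's implementation). Block contents are constructed; XOR parity
# stands in for Reed-Solomon and corrects one erasure per codeword.
BLOCK = 4096  # 4 KiB source blocks, as quoted on the page


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_parity(blocks, stride):
    """Interleave: codeword c = {blocks[c], blocks[c+stride], ...}, so
    consecutive blocks land in different codewords. Parity for codeword c
    is the XOR of its members."""
    parity = []
    for c in range(stride):
        acc = bytes(BLOCK)
        for b in range(c, len(blocks), stride):
            acc = xor_bytes(acc, blocks[b])
        parity.append(acc)
    return parity


def recover(blocks, parity, lost, stride):
    """Erasure decoding: the hash tree already tells dm-verity *which* blocks
    are bad, so only their positions are needed. Returns the repaired list,
    or None when some codeword lost more than one block."""
    repaired = list(blocks)
    for b in lost:
        c = b % stride
        others = [x for x in range(c, len(blocks), stride) if x != b]
        if any(o in lost for o in others):
            return None  # two erasures in one codeword: beyond XOR parity
        acc = parity[c]
        for o in others:
            acc = xor_bytes(acc, blocks[o])
        repaired[b] = acc
    return repaired


def max_burst_bytes(partition_bytes, data_symbols, parity_symbols):
    """Longest contiguous damaged run that is still recoverable when each
    codeword takes one symbol from positions spread evenly over the
    partition: each `stride` bytes of burst costs one erasure per codeword.
    Assumed parameters for the real scheme: RS(255,253) = 253 data symbols
    and 2 parity symbols, so a 2 GiB partition tolerates about 16 MiB."""
    stride = partition_bytes // data_symbols
    return parity_symbols * stride
```

With 12 blocks and stride 4, a burst of four consecutive lost blocks is recovered, while five consecutive losses put two erasures into one codeword and fail.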
The improvement further protects the system, but it may make rooting and custom ROMs harder. If the phone's bootloader is already unlocked, rooting or modifying system partitions is still unaffected, because Verified Boot only applies to devices with a locked bootloader. In future, rooting a device with a locked bootloader will be considerably harder.
Source: Android Developers Blog