Android 6.0 Marshmallow introduced Verified Boot to raise the security of the device's system software. When the device boots, it checks the integrity of the operating system; if the OS has been modified, the user is warned.
In Android 7.0 Nougat, Verified Boot is strictly enforced: if the boot image or a verified partition is corrupt or looks tampered with, the device will not boot at all, or will boot only with limited functionality (and only with the user's consent). This is a more effective way of stopping a system that has been compromised by malicious code from running.
From the Android Developers Blog: "a device with a corrupt boot image or verified partition will not boot or will boot in a limited capacity with user consent. Such strict checking, though, means that non-malicious data corruption, which previously would be less visible, could now start affecting process functionality more."
With strict enforcement, even minor corruption of the boot image or a verified partition could be treated as suspicious and stop the device from booting. To compensate, Android 7.0 adds forward error correction to the verification step, so that damaged parts of a partition can be restored within limits: on a 2-3 GiB system partition, the error-correcting code can recover a run of up to 16-24 MiB of consecutive damaged data.
From the same post, on how the code is laid out: "…a technique called interleaving to allow us to recover not only from a loss of an entire 4 KiB source block, but several consecutive blocks, while significantly reducing the space overhead required to achieve usable error correction capabilities compared to the naive implementation…"
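How interleaving turns a burst of lost blocks into a recoverable problem is easier to see in code. The following is an added, scaled-down model and is not AOSP code: the block size, codeword size and partition contents are toy values (16-byte "blocks", 13 data symbols plus 2 parity symbols per codeword, a random 64-block image) chosen so the arithmetic stays visible. The layout, in which each codeword takes its symbols from bytes a whole stride apart instead of from adjacent bytes, follows the interleaving idea the post describes. Because dm-verity reports which blocks failed their hash check, the decoder only has to solve erasures at known positions, which two parity symbols per codeword can do for up to two erasures each.

```python
"""Scaled-down model of interleaved erasure coding for a verified partition.

Constructed illustration, not AOSP code.  The FEC layer knows from dm-verity
WHICH blocks failed their hash check, so this is erasure decoding (positions
known), not error location.  Each codeword carries K data symbols and two
parity symbols (P = plain XOR, Q = weighted by powers of the GF(2^8)
generator), which is enough to rebuild any two erased symbols per codeword.
"""
import random

BLOCK = 16   # stand-in for a 4 KiB source block
K = 13       # data symbols per codeword (toy value)

# --- GF(2^8) arithmetic, primitive polynomial x^8+x^4+x^3+x^2+1 (0x11d) ------
EXP = [0] * 512
LOG = [0] * 256
_x = 1
for _i in range(255):
    EXP[_i] = _x
    LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= 0x11d
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]

def gf_mul(a, b):
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]

def gf_div(a, b):
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(2^8)")
    if a == 0:
        return 0
    return EXP[(LOG[a] - LOG[b]) % 255]

# --- symbol layout -----------------------------------------------------------
def rounds_for(size):
    """Number of codewords needed for `size` data bytes (ceil(size / K))."""
    return -(-size // K)

def offset_of(cw, sym, rounds, interleaved):
    """Byte offset holding symbol `sym` of codeword `cw`."""
    if interleaved:
        return cw + sym * rounds   # neighbouring bytes belong to different codewords
    return cw * K + sym            # naive: a codeword is K contiguous bytes

def encode(data, interleaved):
    """Return the (P, Q) parity pair for every codeword of `data`."""
    rounds = rounds_for(len(data))
    padded = bytes(data) + bytes(rounds * K - len(data))
    parity = []
    for cw in range(rounds):
        p = q = 0
        for sym in range(K):
            d = padded[offset_of(cw, sym, rounds, interleaved)]
            p ^= d
            q ^= gf_mul(d, EXP[sym])
        parity.append((p, q))
    return parity

def recover(damaged, erased, parity, interleaved):
    """Rebuild `damaged` (erased bytes zeroed) from `parity`.

    `erased` is the set of byte offsets flagged as corrupt.  Returns the repaired
    bytes, or None if some codeword lost more than two symbols.
    """
    size = len(damaged)
    rounds = rounds_for(size)
    buf = bytearray(damaged) + bytearray(rounds * K - size)
    for cw, (p, q) in enumerate(parity):
        lost = []
        for sym in range(K):            # fold the surviving symbols into the syndromes
            off = offset_of(cw, sym, rounds, interleaved)
            if off in erased:
                lost.append((sym, off))
            else:
                p ^= buf[off]
                q ^= gf_mul(buf[off], EXP[sym])
        if len(lost) > 2:
            return None                 # beyond what two parity symbols can fix
        if len(lost) == 1:
            buf[lost[0][1]] = p         # d_a = P xor (all other symbols)
        elif len(lost) == 2:
            (a, off_a), (b, off_b) = lost
            # d_a + d_b = p and g^a*d_a + g^b*d_b = q  =>  d_a = (q + g^b*p) / (g^a + g^b)
            d_a = gf_div(q ^ gf_mul(EXP[b], p), EXP[a] ^ EXP[b])
            buf[off_a] = d_a
            buf[off_b] = p ^ d_a
    return bytes(buf[:size])

def max_burst_bytes(num_blocks):
    """Longest run of consecutive bytes the interleaved layout survives:
    one codeword per `rounds` consecutive bytes, two erasures per codeword."""
    return 2 * rounds_for(num_blocks * BLOCK)

def burst_test(num_blocks, first_block, burst_blocks, interleaved, seed=1):
    """Erase `burst_blocks` consecutive blocks of a constructed random image and
    report whether the parity rebuilds it byte for byte."""
    rng = random.Random(seed)
    image = bytes(rng.randrange(256) for _ in range(num_blocks * BLOCK))
    parity = encode(image, interleaved)
    start = first_block * BLOCK
    erased = set(range(start, start + burst_blocks * BLOCK))
    damaged = bytearray(image)
    for off in erased:
        damaged[off] = 0
    return recover(damaged, erased, parity, interleaved) == image

if __name__ == "__main__":
    print("interleaved, 9-block burst :", burst_test(64, 10, 9, True))
    print("interleaved, 10-block burst:", burst_test(64, 10, 10, True))
    print("naive, 1-block burst       :", burst_test(64, 10, 1, False))
```

max_burst_bytes shows the trade-off directly: the stride equals the number of codewords, so two parity bytes per codeword buy the ability to lose 2 * ceil(size / K) consecutive bytes, and one more byte than that puts a third erasure into some codeword and the rebuild fails. If the production code uses a 253-byte data part per codeword (an assumption here, not something this page states), 2 * 2 GiB / 253 is about 16 MiB, which is in line with the 16-24 MiB figure quoted above. The same two parity bytes in the naive contiguous layout cannot survive the loss of even a single block, because that block wipes out most of one codeword.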
These changes make the system harder to tamper with, but they also make rooting and custom ROMs harder. On a device whose bootloader is already unlocked, rooting or modifying system partitions is unaffected, since the strict enforcement applies to devices with a locked bootloader. On future devices that ship with a locked bootloader, rooting will be considerably harder.
Source: Android Developers Blog