The recommended boot flow for a device is as follows:
Flow for A/B devices
If the device is using A/B, the boot flow is slightly different. The slot to boot must first be marked as SUCCESSFUL using the Boot Control HAL before updating the Rollback Protection metadata.
If there's a platform update that fails (isn't marked SUCCESSFUL), the A/B stack falls back to the other slot, which still has the previous version of Android in it. However, if the Rollback Protection metadata had been set, the previous version can't boot because of Rollback Protection.
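The ordering requirement above, as a simplified model added here (not code from the Android bootloader or libavb). The Slot class, the boot() function and the index values are hypothetical, and the model folds the multi-boot sequence into one call to show why updating the metadata before the slot is marked SUCCESSFUL can leave no bootable slot.

```python
from dataclasses import dataclass

@dataclass
class Slot:
    name: str
    rollback_index: int        # index carried by the image in this slot
    boots_ok: bool             # constructed: does the OS come up on this slot?
    successful: bool = False   # set through the Boot Control HAL in a real device

def can_boot(slot, stored_index):
    """Rollback Protection: refuse images older than the stored index."""
    return slot.rollback_index >= stored_index

def boot(active, fallback, stored_index, update_before_successful):
    """Try the active slot, then the fallback.
    Returns (name of booted slot or None, stored index afterwards)."""
    for slot in (active, fallback):
        if not can_boot(slot, stored_index):
            continue                        # rejected by Rollback Protection
        if update_before_successful:        # wrong order: metadata bumped first
            stored_index = max(stored_index, slot.rollback_index)
        if not slot.boots_ok:
            continue                        # never marked SUCCESSFUL, fall back
        slot.successful = True              # correct order: mark the slot first,
        stored_index = max(stored_index, slot.rollback_index)  # then update
        return slot.name, stored_index
    return None, stored_index

if __name__ == "__main__":
    # Slot b holds a failed update (index 2); slot a holds the previous OS (index 1).
    for wrong_order in (False, True):
        b = Slot("b", rollback_index=2, boots_ok=False)
        a = Slot("a", rollback_index=1, boots_ok=True)
        print(wrong_order, boot(b, a, 1, update_before_successful=wrong_order))
```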
Communicate Verified Boot state to users
After determining the boot state of a device, you need to communicate that state to the user. If the device doesn't have any issues, then proceed without displaying anything. Verified Boot issues fall into these categories:
- YELLOW: Warning screen for LOCKED devices with custom root of trust set
- ORANGE: Warning screen for UNLOCKED devices
- RED (eio): Warning screen for dm-verity corruption
- RED (no os found): No valid OS found
LOCKED devices with custom root of trust
Show a YELLOW screen on every boot if the device is LOCKED, a custom root of trust has been set, and the image was signed with this custom root of trust. The YELLOW screen is dismissed after ten seconds and the device continues booting. If the user presses the power button, the "Press power button to pause" text changes to "Press power button to continue" and the screen is never dismissed (though the device may dim or turn off the screen to protect against burn-in). If pressed again, the screen is dismissed and the phone continues booting.
For the hex-number, use the first 8 digits of the sha256 of the libavb representation of the public key used for verification, for example d14a028c.
Suggested text:
Your device has loaded a different operating system.
Visit this link on another device to learn more:
g.co/ABH
ID: hex-number
Press power button to pause
UNLOCKED devices
Show an ORANGE screen on every boot if the device is UNLOCKED. The ORANGE screen is dismissed after ten seconds and the device continues booting. If the user presses the power button, "Press power button to pause" text changes to "Press power button to continue" and the screen is never dismissed (the device may dim and/or turn off the screen if needed to protect against burn-in or similar). If pressed again, the screen is dismissed and the phone continues booting.
For the hex-number, use the first 8 digits of the sha256 of the libavb representation of the public key used for verification, for example d14a028c.
Suggested text:
The boot loader is unlocked and software integrity can't be guaranteed. Any data stored on the device may be available to attackers. Don't store any sensitive data on the device.
Visit this link on another device to learn more:
g.co/ABH
ID: hex-number
Press power button to pause.
dm-verity corruption
Show a RED eio screen if a valid version of Android is found and the device is currently in the eio dm-verity mode. The user needs to click the power button to continue. If the user hasn't acknowledged the warning screen within 30 seconds, the device powers off (to protect the screen against burn-in and save power).
Suggested text:
Your device is corrupt. It can't be trusted and might not work properly.
Visit this link on another device to learn more:
g.co/ABH
Press power button to continue.
No valid OS found
Show a RED screen if no valid version of Android can be found. The device can't continue booting. If the user hasn't acknowledged the warning screen within 30 seconds, the device powers off to protect the screen against burn-in and save power.
For the hex-number, use the first 8 digits of the sha256 of the libavb representation of the public key used for verification, for example d14a028c.
Suggested text:
No valid operating system could be found. The device won't boot.
Visit this link on another device to learn more:
g.co/ABH
ID: hex-number
Press power button to power off.
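How the ID shown on the YELLOW, ORANGE and RED screens can be computed, as an added example (not code from this page or from libavb). It assumes the libavb representation is the AvbRSAPublicKeyHeader layout (key_num_bits and n0inv as big-endian 32-bit values, followed by the modulus and rr); the modulus below is a constructed stand-in, not a real key.

```python
import hashlib
import struct

def constructed_modulus(bits=2048):
    """Constructed odd integer of the given size standing in for an RSA
    modulus (not a real key; the encoding below only needs n to be odd)."""
    stream = b"".join(hashlib.sha256(b"constructed-%d" % i).digest()
                      for i in range(bits // 256))
    n = int.from_bytes(stream, "big")
    return n | (1 << (bits - 1)) | 1    # force the top bit and the low bit

def encode_avb_public_key(n, num_bits):
    """Assumed AvbRSAPublicKeyHeader layout: key_num_bits, n0inv, then the
    modulus n and rr = (2^num_bits)^2 mod n, each num_bits/8 bytes long."""
    b = 1 << 32
    n0inv = b - pow(n, -1, b)           # -1/n mod 2^32 (needs Python 3.8+)
    rr = pow(1 << num_bits, 2, n)       # Montgomery constant r^2 mod n
    size = num_bits // 8
    return (struct.pack("!II", num_bits, n0inv)
            + n.to_bytes(size, "big")
            + rr.to_bytes(size, "big"))

def boot_screen_id(key_blob):
    """First 8 hex digits of the SHA-256 of the encoded public key."""
    return hashlib.sha256(key_blob).hexdigest()[:8]

if __name__ == "__main__":
    blob = encode_avb_public_key(constructed_modulus(), 2048)
    print("ID:", boot_screen_id(blob))
```

For a real signing key, avbtool extract_public_key writes this encoded blob, and the same eight-digit prefix can then be compared against the ID a device displays.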
Unlock confirmation
Show an unlock confirmation screen in response to the fastboot flashing unlock command being executed through the fastboot interface. Focus is initially on Don't unlock. If the user hasn't interacted with the warning screen within 30 seconds, the screen disappears and the command fails.
Suggested text:
If you unlock the bootloader, you can install custom operating system software on this phone. A custom OS isn't subject to the same level of testing as the original OS, and can cause your phone and installed apps to stop working properly. Software integrity can't be guaranteed with a custom OS so any data stored on the phone while the bootloader is unlocked may be at risk.
To prevent unauthorized access to your personal data, unlocking the bootloader also deletes all personal data on your phone.
Press the Volume Up/Volume Down to select whether to unlock the bootloader, then the power button to continue.
Unlock
Unlock bootloader.
Don't unlock
Don't unlock bootloader and restart phone.
Lock confirmation
Show a lock confirmation screen in response to the fastboot flashing lock command being executed through the fastboot interface. Focus is initially on Don't lock. If the user hasn't interacted with the warning screen within 30 seconds, the screen disappears and the command fails.
Text:
If you lock the bootloader, you can't install custom operating system software on this phone. To prevent unauthorized access to your personal data, locking the bootloader also deletes all personal data on your phone.
Press the Volume Up/Volume Down to select whether to lock the bootloader, then the power button to continue.
Lock
Lock bootloader.
Don't lock
Don't lock bootloader and restart phone.
Communicate Verified Boot state to Android
The bootloader communicates Verified Boot state to Android through kernel-command parameters, or through bootconfig starting with Android 12. It sets the androidboot.verifiedbootstate option to one of the following values:
- green: if device is LOCKED and user-settable root of trust isn't used
- yellow: if device is LOCKED and user-settable root of trust is used
- orange: if device is UNLOCKED
The androidboot.veritymode option is set to eio or restart depending on which state the boot loader is in with respect to handling dm-verity errors. For more details, see Handling verification errors.
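A check of the two options described above, as an added example (not part of the original page or of Android). It reads them from either kernel command line text (key=value) or bootconfig text (key = "value"); the function names are hypothetical and the sample inputs in the main block are constructed.

```python
import re

STATES = {"green", "yellow", "orange"}   # values listed on this page
VERITY_MODES = {"eio", "restart"}        # values listed on this page

def parse_androidboot(text):
    """Collect androidboot.* options from kernel command line text
    (key=value) or bootconfig text (key = "value")."""
    pattern = r'(androidboot\.[\w.]+)(?:=| = )"?([^"\s]*)"?'
    return {m.group(1): m.group(2) for m in re.finditer(pattern, text)}

def check_boot_state(text):
    """Return (state, veritymode, findings) for the given boot parameters."""
    params = parse_androidboot(text)
    state = params.get("androidboot.verifiedbootstate")
    mode = params.get("androidboot.veritymode")
    findings = []
    if state not in STATES:
        findings.append(f"unexpected verifiedbootstate: {state!r}")
    elif state == "orange":
        findings.append("device is UNLOCKED")
    elif state == "yellow":
        findings.append("LOCKED with user-settable root of trust")
    if mode not in VERITY_MODES:
        findings.append(f"unexpected veritymode: {mode!r}")
    elif mode == "eio":
        findings.append("dm-verity is in eio mode")
    return state, mode, findings

if __name__ == "__main__":
    # Constructed samples in the two formats.
    cmdline = ("console=ttyS0 androidboot.verifiedbootstate=green "
               "androidboot.veritymode=restart ro")
    bootconfig = ('androidboot.verifiedbootstate = "orange"\n'
                  'androidboot.veritymode = "eio"\n')
    for sample in (cmdline, bootconfig):
        print(check_boot_state(sample))
```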