https://android.googlesource.com/platform/external/avb/+/master/README.md#Rollback-Protection
Chained partitions need not use a footer - it is permissible to have a chained partition point to a partition where the VBMeta struct is at the beginning (e.g. just like the `vbmeta` partition). This is useful for use-cases where all hash- and hashtree-descriptors for the partitions owned by an entire organization are stored in a dedicated partition, for example `vbmeta_google`. In this example the hashtree descriptor for `system` is in the `vbmeta_google` partition, meaning that the bootloader doesn't need to access the `system` partition at all, which is helpful if the `system` partition is managed as a logical partition (via e.g. LVM techniques or similar).
AVB includes Rollback Protection which is used to protect against known security flaws. Each VBMeta struct has a rollback index baked into it like the following:

These numbers are referred to as `rollback_index[n]` and are increased for each image as security flaws are discovered and fixed. Additionally the device stores the last seen rollback index in tamper-evident storage:

and these are referred to as `stored_rollback_index[n]`.
Rollback protection is having the device reject an image unless `rollback_index[n] >= stored_rollback_index[n]` for all `n`, and having the device increase `stored_rollback_index[n]` over time. Exactly how this is done is discussed in the Updating Stored Rollback Indexes section.
AVB has been designed to work with A/B by requiring that the A/B suffix is never used in any partition names stored in descriptors. Here's an example with two slots:

Note how the rollback indexes differ between slots - for slot A the rollback indexes are `[42, 101]` and for slot B they are `[43, 103]`.
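The rollback rule and the two-slot example above, worked through in code. This is an added illustration, not code from the AVB project: the slot values `[42, 101]` and `[43, 103]` come from the text, the stored indexes are a constructed sample, and `advance_stored_indexes` implements an assumed update policy (raise each stored index to the minimum across slots that still pass, never lower it), since this page defers the real update rules to the Updating Stored Rollback Indexes section.

```python
from typing import Dict, List

# Rollback indexes per slot, as in the two-slot example on the page: slot A
# carries [42, 101] and slot B [43, 103]. Position n is the rollback index
# location; each value is the rollback_index baked into one VBMeta struct.
SLOTS: Dict[str, List[int]] = {
    "_a": [42, 101],
    "_b": [43, 103],
}

# Constructed sample standing in for stored_rollback_index[n], which a real
# device keeps in tamper-evident storage.
STORED_ROLLBACK_INDEX: List[int] = [42, 101]


def rollback_indexes_ok(rollback_index: List[int], stored: List[int]) -> bool:
    """The rollback-protection rule from the text: accept the image only if
    rollback_index[n] >= stored_rollback_index[n] for every location n."""
    if len(rollback_index) != len(stored):
        # An image that does not cover every stored location is rejected.
        return False
    return all(r >= s for r, s in zip(rollback_index, stored))


def bootable_slots(slots: Dict[str, List[int]], stored: List[int]) -> List[str]:
    """Return the suffixes of the slots whose images pass rollback protection."""
    return [suffix for suffix, idx in slots.items() if rollback_indexes_ok(idx, stored)]


def advance_stored_indexes(slots: Dict[str, List[int]], stored: List[int]) -> List[int]:
    """Assumed update policy (not specified on this page): raise each
    stored_rollback_index[n] to the smallest rollback_index[n] among the slots
    that are still bootable, and never lower it. Using the minimum across
    slots keeps the other A/B slot bootable after one slot has been updated."""
    candidates = [slots[s] for s in bootable_slots(slots, stored)]
    if not candidates:
        # Nothing bootable: leave the tamper-evident values untouched.
        return list(stored)
    new_stored = []
    for n, current in enumerate(stored):
        floor = min(idx[n] for idx in candidates)
        new_stored.append(max(current, floor))
    return new_stored


if __name__ == "__main__":
    print("bootable with stored", STORED_ROLLBACK_INDEX, "->",
          bootable_slots(SLOTS, STORED_ROLLBACK_INDEX))
    # Raising the stored indexes to [43, 102] locks slot A out: 42 < 43.
    print("bootable with stored [43, 102] ->", bootable_slots(SLOTS, [43, 102]))
    print("advanced stored indexes ->", advance_stored_indexes(SLOTS, STORED_ROLLBACK_INDEX))
```

With the stored indexes at `[42, 101]` both slots boot; once storage is raised to `[43, 102]`, slot A is rejected at location 0 because `42 < 43`, which is exactly the downgrade the mechanism exists to stop.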
In version 1.1 or later, avbtool supports `--do_not_use_ab` for `add_hash_footer` and `add_hashtree_footer` operations. This makes it possible to work with a partition that does not use A/B and should never have the prefix. This corresponds to the `AVB_HASH[TREE]_DESCRIPTOR_FLAGS_DO_NOT_USE_AB` flags.
The VBMeta digest is a digest over all VBMeta structs including the root struct (e.g. in the `vbmeta` partition) and all VBMeta structs in chained partitions. This digest can be calculated at build time using `avbtool calculate_vbmeta_digest` and also at runtime using the `avb_slot_verify_data_calculate_vbmeta_digest()` function. It is also set on the kernel command-line as `androidboot.vbmeta.digest`, see the `avb_slot_verify()` documentation for exact details.
This digest can be used together with `libavb` in userspace inside the loaded operating system to verify the authenticity of the loaded vbmeta structs. This is useful if the root-of-trust and/or stored rollback indexes are only available while running in the boot loader.

Additionally, if the VBMeta digest is included in hardware-backed attestation data, a relying party can extract the digest and compare it with a list of digests for known good operating systems which, if found, provides additional assurance about the device the application is running on.
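The two uses of the digest described above (recomputing it in userspace against the `androidboot.vbmeta.digest` value, and a relying party matching an attested digest against a known-good list), as an added example that is not part of the AVB project. The VBMeta blobs, the command line and the known-good set are constructed samples, and the digest construction is an assumption made for illustration: one hash over the root struct followed by each chained struct in order. For real images use `avbtool calculate_vbmeta_digest` or `avb_slot_verify_data_calculate_vbmeta_digest()` rather than this reimplementation.

```python
import hashlib
import hmac
from typing import Iterable, Optional, Set

# Constructed stand-ins for serialized VBMeta structs. Real structs start with
# the "AVB0" magic; everything after it here is made up for the example.
ROOT_VBMETA = b"AVB0" + b"root vbmeta struct (vbmeta partition)"
CHAINED_VBMETA = [
    b"AVB0" + b"chained vbmeta struct for system",
    b"AVB0" + b"chained vbmeta struct for vendor",
]


def calculate_vbmeta_digest(root: bytes, chained: Iterable[bytes],
                            algorithm: str = "sha256") -> str:
    """Assumed construction: a single hash over the root VBMeta struct followed
    by every chained VBMeta struct in order. Changing, dropping or reordering
    any struct changes the digest."""
    h = hashlib.new(algorithm)
    h.update(root)
    for blob in chained:
        h.update(blob)
    return h.hexdigest()


def digest_from_cmdline(cmdline: str) -> Optional[str]:
    """Pull androidboot.vbmeta.digest=<hex> out of a kernel command line."""
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        if sep and key == "androidboot.vbmeta.digest":
            return value.lower()
    return None


def vbmeta_matches_cmdline(root: bytes, chained: Iterable[bytes], cmdline: str) -> bool:
    """Userspace check: recompute the digest over the loaded structs and
    compare it (in constant time) with the value the bootloader put on the
    command line. Missing parameter counts as a mismatch."""
    expected = digest_from_cmdline(cmdline)
    if expected is None:
        return False
    return hmac.compare_digest(calculate_vbmeta_digest(root, chained), expected)


def is_known_good(digest: str, known_good: Set[str]) -> bool:
    """Relying-party check: is the digest extracted from attestation data on
    the list of digests for known good operating systems?"""
    return digest.lower() in {d.lower() for d in known_good}


# Constructed command line carrying the digest of the sample structs above.
SAMPLE_CMDLINE = (
    "console=ttyMSM0 androidboot.slot_suffix=_a "
    f"androidboot.vbmeta.digest={calculate_vbmeta_digest(ROOT_VBMETA, CHAINED_VBMETA)}"
)

# Constructed allowlist a relying party might keep; the digest of the sample
# structs is on it, a tampered build would not be.
KNOWN_GOOD_DIGESTS = {calculate_vbmeta_digest(ROOT_VBMETA, CHAINED_VBMETA)}


if __name__ == "__main__":
    print("digest:", calculate_vbmeta_digest(ROOT_VBMETA, CHAINED_VBMETA))
    print("matches cmdline:", vbmeta_matches_cmdline(ROOT_VBMETA, CHAINED_VBMETA, SAMPLE_CMDLINE))
    tampered = [CHAINED_VBMETA[0], b"AVB0" + b"modified vendor struct"]
    print("tampered matches cmdline:", vbmeta_matches_cmdline(ROOT_VBMETA, tampered, SAMPLE_CMDLINE))
```

The constant-time comparison is not strictly necessary for a public digest, but it costs nothing and keeps the comparison routine reusable for values that are secret.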
For factory images of Pixel 3 and later devices, the `pixel_factory_image_verify.py` script located in `tools/transparency` is a convenience tool for downloading, verifying and calculating VBMeta Digests.

```
$ pixel_factory_image_verify.py <https://dl.google.com/dl/android/aosp/image.zip>
Fetching file from: <https://dl.google.com/dl/android/aosp/image.zip>
Successfully downloaded file.
Successfully unpacked factory image.
Successfully unpacked factory image partitions.
Successfully verified VBmeta.
Successfully calculated VBMeta Digest.
The VBMeta Digest for factory image is: 1f329b20a2dd69425e7a29566ca870dad51d2c579311992d41c9ba9ba05e170e
```