This implementation provides the OemLock HAL with AVB support via OP-TEE, using secure persistent storage.
- Service :
android.hardware.oemlock-service.optee - Interface : AIDL
android.hardware.oemlock.IOemLock - Storage Backend : TA AVB persistent values via OP-TEE RPMB
- Legacy Properties (maintained for compatibility):
ro.boot.carrier_unlock_allowed: Carrier authorization (read-only)persist.vendor.oemlock.device_unlock_allowed: Device/user authorization
- Fastboot Commands :
fastboot flashing unlock: Unlock the devicefastboot flashing lock: Lock the devicefastboot getvar unlocked: Get unlock/lock statefastboot flashing get_unlock_ability: Get unlock ability
- Storage Backend : TA AVB persistent values via OP-TEE RPMB
- Persistent Key :
"unlock_ability"(shared with Android HAL)
Android Settings → OEMlock HAL → TA AVB Persist Storage ← U-Boot Fastboot
↓ ↓ ↓ ↓
User Toggle → setOemUnlockAllowed → "unlock_ability" → get_unlock_ability
- Primary: TA AVB persistent values (key:
"unlock_ability") - Secondary: Legacy lock state commands (backward compatibility)
- Security: RPMB storage through OP-TEE secure world
- Consistency: Single source of truth across Android and U-Boot
# From Android Settings
Settings → System → Developer options → OEM unlocking [ON]# Check unlock ability
fastboot flashing get_unlock_ability # Should return "1"
# Unlock (with confirmation)
fastboot flashing unlock
# WARNING: Unlocking the bootloader will void your warranty...
# Type 'yes' to confirm unlock: yes
# Verify state
fastboot getvar unlocked # Should return "yes"# Lock
fastboot flashing lock
# Verify state
fastboot getvar unlocked # Should return "no"PRODUCT_PACKAGES += android.hardware.oemlock-service.optee# OemLock HAL
PRODUCT_COPY_FILES += \
hardware/ti/am62x/oemlock/android.hardware.oemlock-service.optee.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/android.hardware.oemlock-service.optee.rc
DEVICE_MANIFEST_FILE += hardware/ti/am62x/oemlock/android.hardware.oemlock-service.optee.xmlCONFIG_OPTEE_TA_AVB=y
CONFIG_FASTBOOT=y
CONFIG_FASTBOOT_FLASH=yTA_AVB_CMD_READ_PERSIST_VALUE: Read persistent valuesTA_AVB_CMD_WRITE_PERSIST_VALUE: Write persistent valuesTA_AVB_CMD_READ_LOCK_STATE: Read legacy lock stateTA_AVB_CMD_WRITE_LOCK_STATE: Write legacy lock state
- Dual Authorization : Carrier + User consent required
- User Confirmation : Interactive unlock confirmation in fastboot
- Factory Reset : Recommended after unlock for security
- Secure Storage : RPMB via OP-TEE secure world
- Tamper Resistance : Persistent values cannot be modified without proper authorization
- Secure Persistence : Unlock state survives reboots and factory resets
- Cross-Platform Sync : Android ↔ Bootloader synchronization via TA AVB
- Bypass Protection : No environment variable dependencies
- State Consistency : Single source of truth in secure storage
- Security : Stored in RPMB, not in volatile environment
- Persistence : Survives U-Boot environment resets
- Consistency : Shared between Android HAL and U-Boot fastboot
- Tamper Resistance : Protected by OP-TEE security model
# Via adb - check legacy properties
adb shell getprop ro.boot.flash.locked
adb shell getprop persist.vendor.oemlock.device_unlock_allowed
# Via Settings UI
Settings → System → Developer options → OEM unlocking
# HAL service logs
adb logcat | grep -i oemlock# Basic state checks
fastboot flashing get_unlock_ability # Should return "1" if enabled
fastboot getvar unlocked # Current lock state
# Full unlock/lock cycle
fastboot flashing unlock # Unlock with confirmation
fastboot getvar unlocked # Should return "yes"
fastboot flashing lock # Lock device
fastboot getvar unlocked # Should return "no"
# Critical partitions (if implemented)
fastboot getvar critical_unlocked
fastboot flashing unlock_critical
fastboot flashing lock_critical# In U-Boot console (for debugging)
=> optee_avb read_persist unlock_ability
=> optee_avb write_persist unlock_ability 1-
unlock_ability = 0
- Check OEM unlocking in Developer Options
- Verify TA AVB persist storage:
optee_avb read_persist unlock_ability - Check HAL logs:
adb logcat | grep -i oemlock
-
TA AVB communication failed
- Verify CONFIG_OPTEE_TA_AVB=y in U-Boot
- Check OP-TEE and TA AVB are loaded correctly
- Verify RPMB storage is accessible
-
Permission denied
- Check service user/group permissions
- Verify SELinux policies for HAL service
- Ensure libteec permissions are correct
-
State inconsistency
- HAL detects and auto-corrects inconsistencies
- Check HAL initialization logs for sync messages
- Verify both persist values and legacy properties
# U-Boot debugging
=> optee_avb read_persist unlock_ability
=> optee_avb read_lock_state
=> printenv fastboot.unlock_ability # Legacy (should be deprecated)
# Android debugging
adb logcat | grep -i oemlock
adb logcat | grep -i "TA AVB"
adb shell getprop | grep unlockIf migrating from environment variable implementation:
- HAL will auto-sync on first boot
- Check HAL logs for "Syncing unlock ability" messages
- Verify persist storage contains correct values
- Environment variables are maintained for compatibility but not used
OemLock.h: Header with TA AVB command definitionsOemLock.cpp: Main HAL implementation with persist value supportservice.cpp: Service entry pointAndroid.bp: Build configuration
readPersistValue(): Read from TA AVB secure storagewritePersistValue(): Write to TA AVB secure storagesetOemUnlockAllowedByDevice(): Update unlock abilityisOemUnlockAllowedByDevice(): Query unlock ability
"unlock_ability": Combined unlock state (carrier && device)"critical_lock_state": Critical partitions lock state