author | Bill Richardson <wfrichar@chromium.org> | 2011-11-09 09:11:34 -0800 |
---|---|---|
committer | Bill Richardson <wfrichar@chromium.org> | 2011-11-10 14:03:56 -0800 |
commit | fa9d7782e837848a1aeb0e95295fa48ac23f7a26 (patch) | |
tree | 567ca898cae73ba4c5c879d1e7f57882b398bb08 /firmware/lib/vboot_nvstorage.c | |
parent | 9b717be86ba6155a7542bf1649dd3ab2dbc2dc3b (diff) | |
download | vboot-fa9d7782e837848a1aeb0e95295fa48ac23f7a26.tar.gz |
Dev-mode only boots official kernels by default
Although we're now using a single unified BIOS, it is pretty nice to be able
to get a shell in developer mode while still using verified boot for the
kernel and filesystem. Alex & ZGB implemented this by requiring the dev-mode
user to install a special dev-mode BIOS. We don't do that, but we DO require
setting a special flag with "crossystem" to accomplish the same thing.
In order to allow booting a self-signed kernel, you must boot in developer
mode, open a shell, and run this:
crossystem dev_boot_custom=1
Special note to internal developers: If you're in the habit (as I am) of
booting directly from a USB stick in dev-mode, you'll have to run this:
crossystem dev_boot_custom=1 dev_boot_usb=1
Just using dev_boot_usb=1 is no longer enough, because the USB kernel is
signed using the recovery key and by pressing Ctrl-U, we validate it with
the kernel data key. That worked before this change because any self-signed
kernel was fine, and that's how the USB key was treated. Now it actually
requires a verified signature until you enable dev_boot_custom=1 also.
BUG=chrome-os-partner:5954
TEST=manual
Boot once in normal mode, which clears the special flags. Then switch to
developer mode. You should be able to boot and get a root shell.
Run
crossystem dev_boot_usb=1
Obtain a USB recovery image that's keyed differently. For example, if you're
testing with dev-keys, use a PVT-signed image or vice-versa.
Reboot into dev-mode with the USB recovery stick inserted. At the dev-mode
screen, press Ctrl-U. You should hear a single beep, but it should not boot.
Press Ctrl-D to boot from the hard drive, log in to a shell and run
crossystem dev_boot_custom=1
Repeat the previous test. This time when you press Ctrl-U, it should boot
the recovery image. Turn the system off before it does anything.
That's it.
Change-Id: I1811ee9a188974b3f94c83c52b00b60028b86c69
Reviewed-on: https://gerrit.chromium.org/gerrit/11442
Tested-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Diffstat (limited to 'firmware/lib/vboot_nvstorage.c')
-rw-r--r-- | firmware/lib/vboot_nvstorage.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/firmware/lib/vboot_nvstorage.c b/firmware/lib/vboot_nvstorage.c index 86fafb04..75910ed0 100644 --- a/firmware/lib/vboot_nvstorage.c +++ b/firmware/lib/vboot_nvstorage.c @@ -28,6 +28,7 @@ #define DEV_FLAGS_OFFSET 4 #define DEV_BOOT_USB_MASK 0x01 +#define DEV_BOOT_CUSTOM_MASK 0x02 #define FIRMWARE_FLAGS_OFFSET 5 #define FIRMWARE_TEST_ERR_FUNC_MASK 0x38 @@ -142,6 +143,10 @@ int VbNvGet(VbNvContext* context, VbNvParam param, uint32_t* dest) { *dest = (raw[DEV_FLAGS_OFFSET] & DEV_BOOT_USB_MASK ? 1 : 0); return 0; + case VBNV_DEV_BOOT_CUSTOM: + *dest = (raw[DEV_FLAGS_OFFSET] & DEV_BOOT_CUSTOM_MASK ? 1 : 0); + return 0; + default: return 1; } @@ -227,6 +232,13 @@ int VbNvSet(VbNvContext* context, VbNvParam param, uint32_t value) { raw[DEV_FLAGS_OFFSET] &= ~DEV_BOOT_USB_MASK; break; + case VBNV_DEV_BOOT_CUSTOM: + if (value) + raw[DEV_FLAGS_OFFSET] |= DEV_BOOT_CUSTOM_MASK; + else + raw[DEV_FLAGS_OFFSET] &= ~DEV_BOOT_CUSTOM_MASK; + break; + default: return 1; } |
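Review bot: The new DEV_BOOT_CUSTOM_MASK define in the first hunk (right after DEV_BOOT_USB_MASK) carries no comment, although per the commit message this bit is what allows a self-signed kernel to boot in developer mode. Suggest a one-line comment on the define saying that a clear bit means only officially signed kernels boot, so that someone reading the DEV_FLAGS_OFFSET bit layout sees the security meaning without having to find this commit message.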
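Review bot: In the VbNvSet hunk, the VBNV_DEV_BOOT_CUSTOM case writes to the same byte at DEV_FLAGS_OFFSET that holds DEV_BOOT_USB_MASK, and the commit message lists TEST=manual only. Suggest a unit test that sets and then clears VBNV_DEV_BOOT_CUSTOM and checks through VbNvGet that the DEV_BOOT_USB_MASK bit is left unchanged and that a nonzero value other than 1 reads back as 1. Braces around the if/else bodies would also keep a later edit from detaching the else branch.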