diff options
| author | Bill Richardson <wfrichar@chromium.org> | 2016-09-11 02:55:52 -0700 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2016-09-12 17:36:22 -0700 |
| commit | afa7350dccee079673831ef16a7c60a9a74ba77f (patch) | |
| tree | cef658e17bfe4596593c8e87f22033c2e4a892d7 /host | |
| parent | b94145a309131f23d49a08dd94fc26247621da65 (diff) | |
| download | vboot-afa7350dccee079673831ef16a7c60a9a74ba77f.tar.gz | |
make_dev_firmware.sh should use key.versions filestabilize-8798.B
The 'key.versions' file is used by the image signing scripts to
ensure that newly generated keys and re-signed buildbot images
have the correct version numbers to avoid rollback in
officially-signed Chrome OS images.
If a skilled user is re-keying her Chromebook to use personal
keys in normal mode (which requires disabling WP and changing the
GBB and VBLOCK_A/B), she can avoid clearing the TPM rollback
counters if make_dev_firmware.sh will obtain the firmware_version
from the key.versions file in her personal key directory.
BUG=none
BRANCH=none
TEST=make runtests, manual tests
Extract an MP-signed BIOS from a Chromebook Peppy.
flashrom -p host -r peppy.bin
Resign it without this CL:
make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy.bin
Resign it with this CL:
make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new.bin
Confirm no difference:
cmp dev_peppy.bin dev_peppy_new.bin
Temporarily edit tests/devkeys/key.versions to contain
firmware_key_version=2
firmware_version=3
kernel_key_version=4
kernel_version=5
Resign again:
make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new2.bin
Confirm that the only difference is the firmware version in VBLOCK_A/B:
futility show dev_peppy_new*.bin
Change-Id: I133f1b58fb969eaeb239a44a4800750c4eee1d5f
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/383887
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Diffstat (limited to 'host')
0 files changed, 0 insertions, 0 deletions