This patch adds support for signing and verification of coreboot images
supporting VBOOT_CBFS_INTEGRATION. Images with config option
CONFIG_VBOOT_CBFS_INTEGRATION=y will be signed with CBFS metadata hash
in signature. vb2api_get_metadata_hash() should be used to extract hash
value from VBLOCK and then should be used to verify CBFS metadata.
To support full verification, CBFS file data verification should also be
enabled and correctly handled.
BUG=b:197114807
TEST=build with CB:66909 and boot on volteer/voxel with
CONFIG_VBOOT_CBFS_INTEGRATION=y
BRANCH=none
Signed-off-by: Jakub Czapiga <czapiga@google.com>
Change-Id: I4075c84820949be24c423ed14e291c89a0032863
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3811754
Commit-Queue: Julius Werner <jwerner@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
| |
A ti50 TPM works with a servov4 as it reports 'ccd_gsc'. With suzyq
'ccd_ti50' is reported. Special case that string in the same way as
cr50.
BUG=b:251281342
BRANCH=None
TEST=sudo futility update -a ./chromeos-firmwareupdate -m factory \
--servo --servo_port=9994 -d
before: Selected Servo V2.
after: Selected CCD.
Change-Id: I1333fac24a023c1c88e708d69196f8da89777ef9
Signed-off-by: Evan Benn <evanbenn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3929938
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Sam McNally <sammc@chromium.org>
| |
BUG=b:251281342
BRANCH=None
TEST=set_gbb_flags.sh --servo targeting a Nereid succeeded.
Change-Id: Iea83ebacf2bbcdf9da70b38a94017811c07c063e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3929937
Tested-by: Tirath Ramdas <tirath@google.com>
Reviewed-by: Jett Rink <jettrink@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>
Reviewed-by: Sam McNally <sammc@chromium.org>
Commit-Queue: Tirath Ramdas <tirath@google.com>
| |
The body_sig pointer is being freed twice. This can lead to
indeterminate behavior and could corrupt memory. Remove superfluous
free to avoid memory corruption.
BUG=b:250952592
TEST=NA
BRANCH=None
Change-Id: Ie4c11e940653550e24829f253d05be08d74620f6
Signed-off-by: Jon Murphy <jpmurphy@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3935032
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Hsuan Ting Chen <roccochen@chromium.org>
Commit-Queue: Julius Werner <jwerner@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
| |
BRANCH=none
BUG=none
TEST=cros lint
Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: I7710c43c8c70cf257a898f22c42ecbf350e125a2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3925702
Commit-Queue: Jakub Czapiga <czapiga@google.com>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Tested-by: Jakub Czapiga <czapiga@google.com>
| |
Add the default set of test rules.
V2 test plans will be verified in staging before being enabled in prod.
See go/cros-cq-test-config for more details.
BRANCH=None
BUG=b:249150178
TEST=dirmd validate
Change-Id: I7fb7967025019c8cf286294e48573445e3e90d5b
Signed-off-by: Navil Perez <navil@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3927889
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
| |
The root public key hash needs to be incorporated into the GSC
firmware. Before this patch the only way to get the hash was to
perform an AP RO firmware signing operation, which, among other things
requires access to the platform private key.
This patch adds another invocation option where only the -r parameter
is passed in, in which case the hash of the public key is printed.
BRANCH=none
BUG=b:247653513
TEST=verified printing root pubk hash:
$ futility gscvd \
-r ./nivviksSigning-MP/root_key_arv_root.vbpubk
Root key body sha256 hash:
b3dba1f89e943d53206e2950e06c3764fe230ef883bb8fd2932a9fb21c281ba1
Change-Id: I41d8396309d43d9d48555453d3339b0b540000c0
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3906635
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
| |
It has been decided to communicate the list of ranges to cover by the
signature through a preset ranges array in the RO_GSCVD FMAP section
of the AP firmware image.
This patch adds the ability to retrieve ranges from the image in case
the -R command line parameter is not given on the command line when
invoking 'futility gscvd'.
BRANCH=none
BUG=b:247653513
TEST=verified that both forms of invocation, with and without -R work
as expected, as well as GSCVD verification invocations with and
without the root public key hash
without passing in the ranges:
$ futility gscvd \
-k nivviksSigning-MP/arv_platform.keyblock \
-p nivviksSigning-MP/arv_platform.vbprivk \
-b 52435a5a \
-r nivviksSigning-MP/root_key_arv_root.vbpubk \
--outfile ~/tmp/bios/image-nivviks.signed.bin \
~/tmp/bios/image-nivviks.serial.bin
Will sign the following 3 ranges:
01fe4e00:0001b200
01c07000:00000030
01c07180:00002000
Root key body sha256 hash:
b3dba1f89e943d53206e2950e06c3764fe230ef883bb8fd2932a9fb21c281ba1
with passing in the ranges:
$ futility gscvd \
-R 1c77000:200,1c07000:400,1c16800:100,1c06000:1000,1c08000:100 \
-k nivviksSigning-MP/arv_platform.keyblock \
-p nivviksSigning-MP/arv_platform.vbprivk \
-b 52435a5a \
-r nivviksSigning-MP/root_key_arv_root.vbpubk \
--outfile ~/tmp/bios/image-nivviks.signed.bin \
~/tmp/bios/image-nivviks.serial.bin
Root key body sha256 hash:
b3dba1f89e943d53206e2950e06c3764fe230ef883bb8fd2932a9fb21c281ba1
validate signed image without pub key hash:
futility gscvd ~/tmp/bios/image-nivviks.signed.bin
validate signed image with pub key hash:
$ futility gscvd ~/tmp/bios/image-nivviks.signed.bin \
b3dba1f89e943d53206e2950e06c3764fe230ef883bb8fd2932a9fb21c281ba1
try validating signed image with a corrupted pub key hash:
$ futility gscvd ~/tmp/bios/image-nivviks.signed.bin \
b3dba1f89e943d53206e2950e06c3764fe230ef883bb8fd2932a9fb21c281ba0
ERROR: validate_gscvd_or_read_ranges: Sha256 mismatch
validate proper processing of uninitialized GVD:
$ futility gscvd -k nivviksSigning-MP/arv_platform.keyblock \
-p nivviksSigning-MP/arv_platform.vbprivk \
-b 52435a5a \
-r nivviksSigning-MP/root_key_arv_root.vbpubk \
--outfile ~/tmp/bios/image-nivviks.signed.bin \
~/tmp/bios/image-guybrush.serial.bin
ERROR: validate_gvd: Incorrect gscvd magic ffffffff
ERROR: do_gscvd: Missing --ranges argument and no ranges in...
Change-Id: I586f97083f6d77fdddddd7327c61891197c3cc58
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3905178
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Alyssa Haroldsen <kupiakos@google.com>
| |
A trap to delete tempfiles was mistakenly masked.
BUG=b:247920664
BRANCH=None
TEST=get_gbb_flags.sh; ls /tmp/tmp.* | wc -l == 0
Change-Id: I3b783395309ea2acb1bc75ffa19df62f81b90450
Signed-off-by: Evan Benn <evanbenn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3907130
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Commit-Queue: Yu-Ping Wu <yupingso@chromium.org>
| |
BUG=None
BRANCH=None
TEST=None
Signed-off-by: Evan Benn <evanbenn@chromium.org>
Change-Id: Ia2d4426ad0807a51d4b0568bd6a750f8fb6021f7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3907132
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
| |
The --allow-multiple-definition linker option was added in CL:6770 to
allow mocking functions. Now that we're exclusively using the weak
attribute (or equivalently test_mockable in vboot_reference) in other
firmware repositories (coreboot, depthcharge) for unit testing, the
--allow-multiple-definition option should no longer be needed.
In addition, one problem with --allow-multiple-definition is that, when
a function being mocked is automatically inlined by compiler
optimization, the mock function may not be called at all, leading to
unexpected behavior. Marking that function as test_mockable can prevent
this situation.
Therefore, add test_mockable to all the functions being mocked, and
remove the linker option from Makefile.
BUG=none
TEST=make -j32 test_setup && make runtests
BRANCH=none
Change-Id: Ifcd8138641d17bff689dd5093cdd69e4da9f0b0c
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3744746
Reviewed-by: Jakub Czapiga <czapiga@google.com>
Commit-Queue: Jakub Czapiga <czapiga@google.com>
| |
Crdyboot uses the kernel's own EFI boot stub to actually launch the
kernel, so the "pick apart" operations done by futility on x86 kernels
aren't desired. Skip those operations if the kernel contains the builtin
EFI stub. This will only affect the reven board, as only the reven
kernel config has CONFIG_EFI_STUB enabled.
To detect whether the kernel was built with the EFI stub, check the
first two bytes of kernel data for the COFF header magic bytes "MZ".
Tested by running `vbutil_kernel --pack` on two amd64 kernels, one with
CONFIG_EFI_STUB enabled and one with it disabled. Full command:
futility --debug vbutil_kernel
--pack out.img
--keyblock /usr/share/vboot/devkeys/recovery_kernel.keyblock
--signprivate /usr/share/vboot/devkeys/recovery_kernel_data_key.vbprivk
--version 1
--config config.txt
--bootloader /lib64/bootstub/bootstub.efi
--vmlinuz vmlinuz.bin
--arch amd64
In the kernel with the EFI stub the debug output includes "EFI boot stub
detected", the other one does not.
BUG=b:238316304
TEST=Test two kernels as described above
TEST=Test booting through crdyboot
BRANCH=none
Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
Change-Id: I14640eadce2a1e41a262921cb6ab96962b6b3a22
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3900403
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
| |
Emit a warning and continue when OpenSSL is newer than expected. The
chroot still uses an older version.
BUG=b:245993083, b:246328810
BRANCH=none
TEST=make -C ~/cosarm/src/platform/vboot_reference/ USE_FLASHROM=0
See that the errors become warnings
Signed-off-by: Simon Glass <sjg@chromium.org>
Change-Id: I85afba4007da3bc7c37abc04d744185c3362ad99
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3887562
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
| |
Utility programs in vboot sometimes use subprocess_run to execute
another program like flashrom or cbfstool. This change makes it easier
to debug these utilities by logging executed subprocess and its
arguments.
This change also fixes futility vb2ex_printf() implementation.
Previously use of VB2_DEBUG_RAW() calling vb2ex_printf(NULL, ...) was
unnecessarily trying to print NULL as function name, which was not
intended behavior.
TEST=sign image and look for "Run: cbfstool ..."
BUG=none
BRANCH=none
Signed-off-by: Jakub Czapiga <czapiga@google.com>
Change-Id: I613d4af4af4370425cbbedc2d7de29a488533c6a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3878593
Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
| |
Add vb2api_inject_kernel_subkey for bootloaders that only want to use
vboot for loading and verifying the kernel. The intended usage is:
vb2api_init();
vb2api_inject_kernel_subkey();
vb2api_load_kernel();
BUG=b:237093169
BRANCH=none
TEST=make && make runtests
Change-Id: Iea6e31826f89ec754496427427d124a35285c463
Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3732807
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
| |
Running auxfw sync after EC sync is intentional, and the order should
not be swapped. Therefore add a check in the mock vb2api_auxfw_sync().
BUG=none
TEST=make run2tests
BRANCH=none
Change-Id: I60104378d4abf509cd379dc30818d79dd0606ee3
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3863492
Reviewed-by: Hsuan Ting Chen <roccochen@chromium.org>
Commit-Queue: Hsuan Ting Chen <roccochen@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
| |
This patch moves the connection to the vb2ex_hwcrypto API further down
the stack, into the low-level vb2_digest and vb2_hash APIs. These
functions will now take an extra allow_hwcrypto argument that the caller
can use to deny or allow hwcrypto by policy. If allowed, the function
will try HW crypto first and fall back to the software implementation if
the selected algorithm is not supported. vb2_hwcrypto_allowed() is made
available to external callers as a vb2api function to make that decision
in most cases (for others, like userspace tools and testing, HW crypto
is generally not used anyway and they can just pass `false`).
Since vb2ex_hwcrypto_digest_init() takes a data_size argument for the
total amount of bytes expected, vb2_digest_init() will now also need to
take this extra argument. But since the total data size cannot always be
known in advance, callers are allowed to pass 0 to indicate that the
size is unknown. The software implementations work either way, and HW
crypto implementations will now need to check if data_size is 0 and
return HWCRYPTO_UNSUPPORTED if they cannot handle this case.
While we're touching everything anyway, let's take this opportunity to
retire the vb2_digest_buffer() API in favor of the newer and usually
more convenient vb2_hash_calculate(), so we can limit the amount of
separate APIs we have to support going forward.
BRANCH=none
BUG=b:240624460
TEST=runtests
Signed-off-by: Julius Werner <jwerner@chromium.org>
Cq-Depend: chromium:3854282
Change-Id: I34c3f54e31742619d422d1cd871bdb77ad0439b7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3825558
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
| |
This commit adds support for the `ensure_amd_psp_flags` script which
only needs to be few on certain AMD boards.
BRANCH=none
BUG=b:202397678
TEST=Verified that ensure_amd_psp_flags executes correctly
Change-Id: I6ae61083113497d1c63b5ed5a0bd608c525a0c6e
Signed-off-by: Robert Zieba <robertzieba@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3821000
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
This commit updates the `ensure_amd_psp_flags` script so that it will
ignore any artifacts that do not contain valid AMD AP images as long as
there are no soft-fuse bitsets present for the given board. This allows
all logic to be contained within this script.
BRANCH=none
BUG=b:202397678
TEST=Verified that script still works on AMD artifacts, tested that
Intel and ARM artifacts are ignored
Change-Id: I17a9414a36fbeb4a0ae9792c2e036deccd089870
Signed-off-by: Robert Zieba <robertzieba@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3860383
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
Declaring struct vb2_context in 2api.h creates problems with circular
dependencies if other API functions need to rely on data types in
headers that in return need the vb2_context definition. This patch
solves that problem by factoring vb2_context out into its own header.
BRANCH=none
BUG=b:240624460
TEST=none
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I3d6a94e6e3d69cfa29d1f1415552446051a50c57
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3825557
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Kangheui Won <khwon@chromium.org>
Tested-by: Jakub Czapiga <czapiga@google.com>
| |
BUG=none
TEST=Ran script with new arg and ensured it disabled verity
BRANCH=none
Change-Id: I2cf4ca1a0a7b3663b05f7b2ef35fb6f9261b00a9
Signed-off-by: Steven 'Steve' Kendall <skend@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3825117
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
This makes flashrom_get_wp() use the new libflashrom WP interface that
was recently added to flashrom and moves it to host/lib/flashrom_drv.c
with the other libflashrom wrapper functions.
BUG=b:223291615
BRANCH=none
TEST=flashrom --wp-disable; futility update -i image.bin \
futility prints: `Write protection: 0 (disabled; HW=0, SW=0).`
TEST=flashrom --wp-enable; futility update -i image.bin \
futility prints: `Write protection: 0 (disabled; HW=0, SW=1).`
Change-Id: Ib13eeb2f1f718443271b074969ff69e66149f401
Signed-off-by: Nikolai Artemiev <nartemiev@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3540785
Commit-Queue: Edward O'Callaghan <quasisec@chromium.org>
Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
| |
BUG=b:231084609
BRANCH=None
TEST=None
Change-Id: Id76f2469faa13c136c6ec2761577acec4ad810e5
Signed-off-by: Evan Benn <evanbenn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3831833
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
| |
In vb2_get_gbb, abort if gbb_offset is zero. This ensures that functions
like vb2api_gbb_get_flags won't try to read garbage GBB data if the
context hasn't been properly initialized.
Some additional changes made to fix tests:
1. In vb2_set_boot_mode, don't access GBB unless needed.
2. In vb2api_get_dev_default_boot_target, use vb2api_gbb_get_flags
instead of vb2_get_gbb to make it easier to mock. This is needed for
depthcharge tests.
3. Make vb2api_get_debug_info tolerant of GBB not being set. This is
needed for depthcharge tests.
BUG=b:237093169
BRANCH=none
TEST=make && make runtests
Cq-Depend: chromium:3820402
Change-Id: I921d6cc4a5d91c8114c5e46748b4576a1e7716d0
Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3817941
Reviewed-by: Julius Werner <jwerner@chromium.org>
| |
The script doesn't work on betty without --force. And in turn
dev_features_rootfs_verification doesn't work as well.
BUG=None
TEST=copy the script to betty and run
BRANCH=none
Change-Id: I70f48b97b470bb04fb9f5fff751df83c44d7defe
Signed-off-by: Shao-Chuan Lee <shaochuan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3818089
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
| |
This commit adds a general security test script. This allows
some logic to be moved out of the signer as well as providing a single
entry point for the security tests run by the signer.
BRANCH=none
BUG=b:202397678
TEST=Verified that correct security tests ran with/without
`--keyset-is-mp`
Change-Id: Ib4c779a90d2fe9160c278f20d7ec61242f1d68cc
Signed-off-by: Robert Zieba <robertzieba@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3820999
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
| |
This commit changes the order of the arguments for this script from
`<board> <image>` to `<image> <board>`. This brings the script in-line
with the existing ensure scripts.
BRANCH=none
BUG=b:202397678
TEST=Verified that script works with guybrush image
Change-Id: I7bf31eb0b6ab667b1c3c0e71c2388531bb3f1bc0
Signed-off-by: Robert Zieba <robertzieba@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3820998
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
In CL:3788136 the zephyr EC image is renamed from zephyr.bin to ec.bin.
Therefore we don't need to check the existence of zephyr.bin anymore.
BUG=b:239887568
TEST=make runtests -j
BRANCH=none
Cq-Depend: chromium:3788136
Change-Id: Icd82baff93d2019cfd90b982e9c25b45cbf611c3
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3795458
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Yidi Lin <yidilin@chromium.org>
| |
Make cbfstool_truncate() fail critically on subprocess execution error.
cbfstool is mandatory, so it should always be available.
If subprocess_run(), then either cbfstool is not available, or code is
incorrect, so it should not return.
BUG=none
TEST=make runfutiltests
BRANCH=none
Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: I17089d0cc2512a25f25cafe616caa79845a7e078
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3804563
Commit-Queue: Jakub Czapiga <czapiga@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Jakub Czapiga <czapiga@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
| |
Recent discussions have brought us to the conclusion that we probably
want to include the SI_DESC section on Intel mainboards in the GSCVD
verified areas, since it contains soft straps that may affect
pre-coreboot behavior. The problem is that while this section itself
generally doesn't change, it is part of the larger Intel-specific SI_ALL
section that also contains the ME code and data -- which _can_ be
overwritten, so we usually place it in the RW part of the flash. The
section is instead protected from unauthorized software access by
platform-specific mechanisms.
This patch modifies `futility gscvd` so that it will also accept
verification ranges in an SI_ALL region (if it exists), not just in
WP_RO.
BRANCH=none
BUG=none
TEST=Modified coreboot to add SI_DESC range, verified ranges on Joxer.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Iacff931f7cb34a41d3d878eee395b97ba2452c2d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3794950
Reviewed-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
| |
VbExDiskGetInfo and VbDiskFreeInfo are removed. Also, remove
VB2_DISK_FLAG_REMOVABLE and VB2_DISK_FLAG_FIXED since depthcharge
doesn't need them anymore.
BUG=b:172339016
BRANCH=none
TEST=make runtests
TEST=make test-screenshot
TEST=FW_NAME=tomato emerge-cherry depthcharge
Cq-Depend: chromium:3760812
Signed-off-by: Hsin-Te Yuan <yuanhsinte@google.com>
Change-Id: I30d142508992b8c634ab4f919cc1b1b1edb23f14
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3762078
Reviewed-by: Hsuan Ting Chen <roccochen@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
| |
Move VbTryLoadKernel() and VbTryLoadMiniOsKernel() to depthcharge.
In addition, expose LoadKernel() and LoadMiniOsKernel() as
vb2api_load_kernel() and vb2api_load_minos_kernel(), respectively.
Since we remove VbTryLoadKernel() in vb2api_normal_boot(), rename
vb2api_normal_boot() to check_kernel_version() and call it in
vb2api_kernel_finalize().
Also, rename VbSelectAndLoadKernelParams, VbDiskInfo, and
VbExDiskHandle_t as vb2_kernel_params, vb2_disk_info, and
vb2ex_disk_handle_t, respectively.
BUG=b:172339016
BRANCH=none
TEST=make runtests
TEST=FW_NAME=tomato emerge-cherry depthcharge
Cq-Depend: chromium:3758201
Signed-off-by: Hsin-Te Yuan <yuanhsinte@google.com>
Change-Id: Iaf182ca81797fee24c6104dac9d4770ff75c7fb2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3755923
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
| |
This patch introduces a new API named `vb2api_get_fw_boot_info` to get
the FW slot information like tries, current boot slot, previous boot
slot, previous boot status and boot mode.
Additionally, moved the required data structures from 2api.h to newly
created 2info.h file to keep vboot information and inline functions
for coreboot/eventlog usage.
BUG=b:215615970
TEST=Able to compile the Google/Kano board using the emerge command.
Signed-off-by: Subrata Banik <subratabanik@google.com>
Change-Id: Ib3f197c851dc4b445dbf64868c3f9157a4f6c9fe
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3737570
Auto-Submit: Subrata Banik <subratabanik@chromium.org>
Commit-Queue: Yu-Ping Wu <yupingso@chromium.org>
Tested-by: Subrata Banik <subratabanik@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
| |
crrev.com/c/3665477 started using `--unpack` rather than
`--sb_extract` for self-extracting firmware update bundles.
Unfortunately, existing prebuilt artifacts used by signer tests are
old and only support `--sb_extract`, and hence fail with recent
vboot_reference that includes this change.
This change simply reverts the option back to `--sb_extract` for
unpacking self-extracting bundles.
BRANCH=None
BUG=b:179170462
BUG=b:202397678
TEST=unittests
Change-Id: I528346a5d593caba7ca822820b9a38e994f0ea94
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3792485
Commit-Queue: Josh Horwich <jhorwich@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Prameet Shah <phshah@chromium.org>
Tested-by: Josh Horwich <jhorwich@chromium.org>
Auto-Submit: Josh Horwich <jhorwich@chromium.org>
| |
This patch adds --keyset option for sign command for BIOS_IMAGE,
RAW_FIRMWARE, RAW_KERNEL and KERN_PREAMBLE file types. The default value
of this option is '/usr/share/vboot/devkeys'. It allows futility to load
public and private keys, and keyblocks from under this path, when they
were not provided manually using their respective options.
Files loaded by default for BIOS_IMAGE and RAW_FIRMWARE:
- ${keysetdir}/firmware_data_key.vbprivk
- ${keysetdir}/firmware.keyblock
- ${keysetdir}/kernel_subkey.vbpubk
Files loaded by default for RAW_KERNEL:
- ${keysetdir}/kernel_data_key.vbprivk
- ${keysetdir}/kernel.keyblock
File loaded by default for KERN_PREAMBLE:
- ${keysetdir}/kernel_data_key.vbprivk
BUG=none
BRANCH=none
TEST=make runfutiltests
Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: Ic4026d501d88e0de7d2c6f52c7494c639d08bd15
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3740601
Auto-Submit: Jakub Czapiga <czapiga@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Julius Werner <jwerner@chromium.org>
Tested-by: Jakub Czapiga <czapiga@google.com>
| |
The `--manifest` (do_manifest) command needs to scan most firmware
images in the archive to build up the right information. That can be ~2s
for a 200MB archive even though we just need the version string. 2s is
usually fast enough for developers when they want to check the archive
contents, but that is too slow if the boot time scripts (for example,
CSME updater) need to collect the information.
As a result, we want to allow overriding how the updater gets the
manifest. For most systems that the firmware archive is created by the
buildbot or the signerbot, the scripts can use "--manifest --fast" to
retrieve the cached JSON manifest file.
BUG=b:238908603
TEST=make; run test
BRANCH=None
Change-Id: I5d7dead4d0a43129fd31dd035aac63deaee42a08
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3775703
Reviewed-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
| |
In preparation for moving VbTryLoadKernel to depthcharge, move the
VB2_NV_DISPLAY_REQUEST check from vb2api_normal_boot to
vb2api_kernel_phase2.
BUG=b:172339016
BRANCH=none
TEST=make runtests
Signed-off-by: Hsin-Te Yuan <yuanhsinte@google.com>
Change-Id: I3629d8dbbcaba23220152543ba77558c8bbcdc7b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3752431
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Hsuan Ting Chen <roccochen@chromium.org>
| |
Introduce set_boot_mode to set up the corresponding ctx flags and call
vb2_set_boot_mode to set ctx->boot_mode to be consistent with those
flags.
BUG=none
BRANCH=none
TEST=make runtests
Signed-off-by: Hsin-Te Yuan <yuanhsinte@google.com>
Change-Id: I7020639521af30bcdb6edcfac4c1a5b21ca8815e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3750959
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Hsuan Ting Chen <roccochen@chromium.org>
| |
Create tests/common/ to put some common files.
BUG=none
BRANCH=none
TEST=make runtests
Signed-off-by: Hsin-Te Yuan <yuanhsinte@google.com>
Change-Id: I8918b7a1e62d47fca6074ef123e2de6f46f1aa00
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3754814
Reviewed-by: Hsuan Ting Chen <roccochen@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
| |
We only check COV=1 in `make coverage` before. This will result in
deleting all files in the current working directory if we accidentally
tried `make coverage_init`.
Hide coverage_init and coverage_html if COV is not set.
BUG=none
BRANCH=none
TEST=make coverage_init and see the error message
TEST=make clean && COV=1 make coverage -j
Signed-off-by: Hsuan Ting Chen <roccochen@chromium.org>
Change-Id: I2d22b211b3d9e59d12faa0ab3d1c2ca8433598f7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3747419
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
| |
Currently, make coverage is broken due to two issues:
1. The optimization option -O0 ignores the inline specifier in
firmware/2lib/2sha256_x86.c:46 and 52. This will violate the
compile-time constraint "i" and cause a build failure.
Fix this issue by using -Og instead of -O0.
2. The coverage_html requires ${COV_INFO}.* files which are generated in
coverage_init and runtests. We need to add prerequisites to prevent
potential errors while running with "-j".
BUG=none
BRANCH=none
TEST=make clean && COV=1 make coverage -j
Signed-off-by: Hsuan Ting Chen <roccochen@chromium.org>
Change-Id: If1f9de1dbc56f36afead9045c1f95349a5fa156c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3755927
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
When the hash file of auxfw is not found in the CBFS, VB2_ERROR_UNKNOWN
will be returned from vb2ex_auxfw_check(), causing the device to enter
reboot loop. Similar to how we handle missing ecrw.hash, vb2api_fail()
should be called, so that the device will try to boot from the other
slot, and if the hash is still missing, recovery will be triggered.
Call vb2api_fail() from vb2api_auxfw_sync() using the 3-argument form of
VB2_TRY(). Add a unit test to prevent regression.
BUG=b:237745301
TEST=make run2tests
TEST=emerge-corsola libpayload
BRANCH=none
Change-Id: I789c63b10201bd1852bc087199ec7b226ec85ba8
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3742863
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Julius Werner <jwerner@chromium.org>
|
Pass VbSelectAndLoadKernelParams kparams as a function argument instead
of using global variable kparams_ptr. Remove VbSelectAndLoadKernel and
replace its tests with the unit tests for vb2_set_boot_mode,
vb2api_kernel_phase2, vb2api_kernel_finalize, and vb2api_normal_boot.
BUG=b:172339016
BRANCH=none
TEST=make runtests
Cq-Depend: chromium:3731710
Signed-off-by: Hsin-Te Yuan <yuanhsinte@google.com>
Change-Id: I26895ced5e310b2894b9d42d0ad5514d3b0b930a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3731412
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
Since crrev.com/c/2511121 we no longer use xattrs when using
unsquashfs on the Android system image. A side-effect of this change
is the loss of capabilities for a handful of Android binaries such as
/system/bin/run-as.
This change records the capabilities on the system image and applies
them manually to the output system image.
BUG=b:179170462
BRANCH=None
TEST=unittests
TEST=Locally sign hatch (ARC R) and kevin (ARC P) base images and
verify signed base image's system.raw.img contents
Signed-off-by: Josh Horwich <jhorwich@chromium.org>
Change-Id: Ied824d5ebf7a5139e71341abca810b14e67623e0
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3723017
Reviewed-by: Allen Webb <allenwebb@google.com>
Tested-by: Josh Horwich <jhorwich@chromium.org>
Reviewed-by: Prameet Shah <phshah@chromium.org>
Commit-Queue: Josh Horwich <jhorwich@chromium.org>
Reviewed-by: Yury Khmel <khmel@google.com>
Reviewed-by: Yury Khmel <khmel@chromium.org>
|
BUG=none
TEST=make runtests
BRANCH=none
Signed-off-by: Hsin-Te Yuan <yuanhsinte@google.com>
Change-Id: I406bcf806a6bbe21faa5f069381b73d43a7550b2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3737566
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Tested-by: Hsuan Ting Chen <roccochen@chromium.org>
|
Using enum types in serialized data structures is dangerous, because
their width may depend on compiler settings. This patch changes the data
type for (vb2_context).boot_mode to uint8_t to make sure the struct
layout will be the same in all environments. Since we only defined boot
modes up to 5 for now (and our systems are always little endian), the
structure remains binary compatible with serializations of the previous
version (so no struct version change should be necessary).
BRANCH=none
BUG=none
TEST=make runtests
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I82bc8e665ea51adaaf1f5d94986c22bd62e58bba
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3751833
Reviewed-by: Hsuan Ting Chen <roccochen@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Subrata Banik <subratabanik@chromium.org>
|
This patch moves the `vb2_fw_result` enum definition from 2nvstorage.h
to 2api.h as 2api.h is the only header file which is getting included
by the vb2_api.h.
The direction is to keep all required data structure needed by coreboot
inside 2api.h only.
The follow-up patch would like to implement a new API which would allow
to get the slot information and vboot logic as part of coreboot will
call into this API to retrieve this info prior to storing into the elog
while booting.
BUG=b:215615970
TEST=Able to compile the Google/Kano board using the emerge command.
Signed-off-by: Subrata Banik <subratabanik@google.com>
Change-Id: I35a4d34d1032dbf354b161feb6fcd68221a039a8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3737569
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Auto-Submit: Subrata Banik <subratabanik@chromium.org>
Commit-Queue: Subrata Banik <subratabanik@chromium.org>
Tested-by: Subrata Banik <subratabanik@chromium.org>
|
BUG=none
TEST=none
BRANCH=none
Change-Id: Iedbad16be5f9541cb74cc092821b828bd25b12da
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3742864
Commit-Queue: Julius Werner <jwerner@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
|
In vb2api_fw_phase1, use the boot_mode set by vb2_set_boot_mode to
determine whether to initialize display. This fixes the edge case where
VB2_NV_DIAG_REQUEST is set, but vb2api_diagnostic_ui_enabled() is 0.
BUG=none
TEST=make runtests
BRANCH=none
Signed-off-by: Hsin-Te Yuan <yuanhsinte@google.com>
Change-Id: Iecb9f52b056906bcd1d7da324390672adc5112c7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3737563
Reviewed-by: Hsuan Ting Chen <roccochen@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
|
This patch reworks whole BIOS image signing to support images with CBFS,
and with only RW/A slot. CBFS images will now be truncated to eliminate
unnecessary empty space, and will sign only the part of firmware area
which contains the data, and not empty space.
This patch also adds more checks for potential errors, and does not
allow for signing incorrect nor uses data from structures, which might
not be valid.
futility sign command tests are also greatly extended to cover a wide
variety of possible errors, which have to be handled correctly.
BUG=b:197114807
TEST=sudo emerge vboot_reference
TEST=build whole chromeos-bootimage after making it and coreboot use
`futility sign --type bios ...`
TEST=make runtests
BRANCH=none
Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Cq-Depend: chromium:3707104
Change-Id: I7c84aa38776e8890a87f0e9b7ec7f32d86f82c13
Disallow-Recycled-Builds: test-failures
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3575325
Tested-by: Jakub Czapiga <czapiga@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Auto-Submit: Jakub Czapiga <czapiga@google.com>
Commit-Queue: Jakub Czapiga <czapiga@google.com>
|