| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit db1b34f559fdbf5584b57007da43e4dddda43c6a.
Reason for revert: seems to break scarlet - b/259702907
Original change's description:
> crossystem: Add board_id property
>
> futility is one of a few places in ChromeOS that uses "mosys platform
> version". The goal is to remove this command from mosys.
>
> This commit adds a new property to crossystem, "board_id", which
> reads the board revision from SMBIOS/FDT, and replaces the call in
> futility with the appropriate VbGetSystemPropertyInt.
>
> BUG=b:187790074
> BRANCH=none
> TEST="crossystem board_id" on hana and brya
>
> Change-Id: Id69c8e309c0e509a165aa6da2778573ac7de3455
> Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4029537
> Reviewed-by: Julius Werner <jwerner@chromium.org>
Bug: b:187790074, b:259702907
Change-Id: Ibdc2525d6f395e2ef63354d36ca02b71543e8079
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4038443
Commit-Queue: Jack Rosenthal <jrosenth@chromium.org>
Tested-by: Jack Rosenthal <jrosenth@chromium.org>
Commit-Queue: Brian Norris <briannorris@chromium.org>
Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
Owners-Override: Jack Rosenthal <jrosenth@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
cbfstool uses tab instead of space, and because of that current
code does not work correctly with metadata hash images. Changing
space to tab in pattern fixes the issue.
BRANCH=none
BUG=b:259153966,b:197114807
TEST=build bootimage for volteer/voxel
Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: Iab6ab56927a6bea9275eda4a5bad1ad73b779a69
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4030402
Commit-Queue: Jakub Czapiga <czapiga@google.com>
Tested-by: Jakub Czapiga <czapiga@google.com>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
futility is one of a few places in ChromeOS that uses "mosys platform
version". The goal is to remove this command from mosys.
This commit adds a new property to crossystem, "board_id", which
reads the board revision from SMBIOS/FDT, and replaces the call in
futility with the appropriate VbGetSystemPropertyInt.
BUG=b:187790074
BRANCH=none
TEST="crossystem board_id" on hana and brya
Change-Id: Id69c8e309c0e509a165aa6da2778573ac7de3455
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4029537
Reviewed-by: Julius Werner <jwerner@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The region parameter to flashrom_read_image() is essentially unusable in
isolation since it reads just the requested region into a buffer sized
to the entire flash, at the offset of the region within the flash.
Remove its unused region parameter and split the functionality of
requesting a region into flashrom_read_region() which stores just the
requested region into a buffer sized to the region.
BUG=b:253966060
TEST=futility update --detect-model -a <archive> works as expected
BRANCH=None
Signed-off-by: Sam McNally <sammc@chromium.org>
Change-Id: Ibf6c152dd42fbc99c1742fb077bc6aa35feeed08
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3965583
Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
futility update --emulate and flashrom's dummy programmer serve similar
purposes - both provide support for using a file instead of a real ROM.
The current --emulate implementation involves special-casing before
interacting with flashrom and pre-filling in the current image contents;
an appropriately-configured dummy programmer and unmodified flashrom
interactions could accomplish the same outcome with a more centralised
handling of --emulate. Other --emulate interactions mock out
non-flashrom interactions, so need to continue handling --emulate
specially for now.
Switch --emulate to use the dummy programmer. Add an extra field to
store the original programmer option for deciding on whether the apply
the preserve_me quirk.
BUG=b:253966060
TEST=unit tests
BRANCH=None
Signed-off-by: Sam McNally <sammc@chromium.org>
Change-Id: I687749523f54edcb9dd41cfc85614949b9d6607a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3965582
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Most of AP firmware images do not include the RO_GSCVD section and are
not supposed to be signed for AP RO verification.
The presence of AP RO verification keys (files prefixed with arv_...)
can be considered an indicator of the need to sign the RO_GSCVD
section.
This patch adds logic to skip signing of AP RO in case the appropriate
signing keys are not present.
BRANCH=none
BUG=b:247645824, cros:1382709
TEST=ran sign_official_build.sh to re-sign a Nissa test tarball,
observed successful completion with log messages confirming
RO_GSCVD signing.
then removed tests/devkeys/arv_root.vbpubk and ran the script
again, observed successful completion and log messages
confirming skipping AP RO verification signing.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: Iee5a2adcceb7ecc86f48d7c56755cc10405e5eed
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/4024432
Commit-Queue: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=none
BRANCH=none
TEST=make runtests -j8
Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Disallow-Recycled-Builds: test-failures
Change-Id: I9c22627410836906a84c387377facc778dd77f3b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3986523
Tested-by: Jakub Czapiga <czapiga@google.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Jakub Czapiga <czapiga@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This doesn't use "mosys platform model" anymore, update the comment
text.
BUG=b:187790074
BRANCH=none
TEST=none
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Change-Id: I8ee427a0f26f386d319bb12a9f64be70ecbb9761
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3995400
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Commit-Queue: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Servo v2 is deprecated, so we should change the default servo programmer
to the servo micro/C2D2 programmer (raiden_debug_spi).
BUG=b:256007307,b:256048551
TEST=make; run tests
BRANCH=None
Change-Id: Ie42d79ed2b7bd664dfdf01f4631665bac23040f2
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3989704
Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When signing AP RO images, in cases when signer_config.csv manifest
includes the brand code column add a futility invocation to sign the
RO_GSCVD section of the image. If the <path to unpacked>/keyset
directory is found, save the gscvd.<model> blob in that directory.
BRANCH=none
BUG=b:247652363
TEST=built ChromeOS test image for Nissa, then invoked
$ scripts/image_signing/sign_official_build.sh \
base \
~/trunk/src/build/images/nissa/latest/chromiumos_test_image.bin \
tests/devkeys \
/tmp/signed.bin
and observed 'futility gscvd' invocation in the log.
Cq-Depend: 3954963
Change-Id: I55cec75794560662ed2cfb2dac7f44d972a8571f
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3935034
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove the qemu logic from the Makefile. Document the RUNTEST, BUILD_RUN
and SRC_RUN variables. Ensure those variables are used consistently
throughout the Makefile and test scripts.
BUG=b:231084609
BRANCH=None
TEST=FEATURES=test emerge vboot_reference
TEST=FEATURES=test emerge-amd64-generic vboot_reference
TEST=FEATURES=test emerge-hatch coreboot
TEST=(coreboot upstream with this patch) make all
TEST=make BUILD=build1 runtests
TEST=make BUILD=build2 RUNTEST=env runtests
Cq-Depend: chromium:3934904
Change-Id: Ifd18463d681bedbf7464165f2df0181474b36791
Signed-off-by: Evan Benn <evanbenn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3831828
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix coreboot standalone build by initializing body_c in show_fw_preamble_buf.
BUG=b:254014539
Signed-off-by: Selma Bensaid <selma.bensaid@intel.com>
Change-Id: I963a1e8556b36302d455710d4561fc8460c44405
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3961988
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Jakub Czapiga <czapiga@google.com>
Tested-by: Yu-Ping Wu <yupingso@chromium.org>
Commit-Queue: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is still being debated who is supposed to make sure that the GBB
flags are set to zero before the root of trust validation is granted
to the AP firmware image, but as of today the approach is that the GBB
flags must be zero at AP RO validation time.
The problem is that when AP RO space signature is created GBB flags
can be set to a non-zero value.
With this patch when AP RO areas contents is hashed, in case GBB flags
are included in one of the ranges, the flags are not read from the
flash, and substituted with zero.
During validation the real flags value is used. A unit test is added
to verify various futility gscvd GBB related situations, the blobs for
the unit test were extracted from a Nivviks firmware image.
BRANCH=none
BUG=b:245799496, b:253540670
TEST='./tests/futility/test_gscvd.sh' and 'make runfutiltests' succeed
Change-Id: I2f047b990cf71ea24d191fc690da08e25ebb10cc
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3958581
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Separate GBB discovery into a function and cache GBB information in
the ap_firmware_file structure for future use.
BRANCH=none
BUG=b:245799496
TEST=ran the following command
./build/futility/futility gscvd -G -R 00000000:00001000 \
--keyblock tests/devkeys/arv_platform.keyblock \
--platform_priv tests/devkeys/arv_platform.vbprivk \
--board_id XYZ1 \
--root_pub_key tests/devkeys/arv_root.vbpubk "${BIOS_FILE}"
using 'futility' compiled before and after this patch was applied,
verified that the resulting file is the same.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I3ab59536cfa75a303be3e9271d9b44b1de851f5c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3958580
Reviewed-by: Julius Werner <jwerner@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To support the "futility update" ability to put together firmware
images for different targets, the pre-signed RO_GSCVD sections need to
be included in the firmware tarball.
This patch adds a command line option which will make 'futilty gscvd'
save the signed section in a local file for inclusion in the tarball.
BRANCH=none
BUG=b:245799496
TEST=verified that passing the --gscvd_out command line option results
in creating a file with the RO_GSCVD section contents, identical
to the section in the signed binary file.
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: Id4a75c74ad1e27c11a6005472708730b8051f036
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3954963
Reviewed-by: Julius Werner <jwerner@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Compare fwid with firmware installer manifest to see if they mismatch,
then report the result to UMA.
BUG=b:211005753
TEST=Manual test
BRANCH=None
Signed-off-by: Yuanpeng Ni <yuanpengni@chromium.org>
Change-Id: Id5ed7ad95f4f5439d30fdad9314e8e2b317834ab
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3960435
Reviewed-by: Jae Hoon Kim <kimjae@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a noop change making reading the code a little easier, avoid
naming variable the same as the function name.
BRANCH=none
BUG=none
TEST='make futil' still succeeds
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Change-Id: I5b5d742aa5463160207f05f6c19c20754e538813
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3954469
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=none
BRANCH=none
TEST=make runtests
Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: If93a65ba58c4973d4b344229c7ee26685395bbbf
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3964274
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Commit-Queue: Jakub Czapiga <czapiga@google.com>
Tested-by: Jakub Czapiga <czapiga@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
firmware/lib/tpm_lite/include/tpm_error_messages.h had DOS (CRLF) line
endings. This patch changes them to UNIX (LF) and also fixes other
style warnings and errors reported by pre-upload repo hook.
BUG=none
BRANCH=none
TEST=make runtests
Signed-off-by: Jakub Czapiga <czapiga@google.com>
Change-Id: Ic9f177fb00e1bd942585211f2ed33a4e386f864d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3966174
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It turns out that if two processes try to read the same GPIO at the
same time that one of them will fail because the GPIO is
"busy".
This is really by design of the kernel's GPIO API. In order to read a
value, each userspace process "requests" control of the GPIO and then
queries it. There doesn't appear to be any way to "wait" for a GPIO
that's been requested by someone else--we just need to wait a bit and
try again later. ...so that's what we'll do.
Without this patch, if you run the following script on a
write-protected sc7180-trogdor class device in two shells at the same
time:
old_val=""
while true; do
val=$(crossystem wpsw_cur)
if [[ "${val}" != "${old_val}" ]]; then
echo "$(date): ${old_val} => ${val}"
old_val="${val}"
fi
done
Then you'll see stuff like this:
GPIO_GET_LINEHANDLE_IOCTL: Device or resource busy
Tue Oct 18 11:34:01 PDT 2022: 1 => 0
Tue Oct 18 11:34:01 PDT 2022: 0 => 1
GPIO_GET_LINEHANDLE_IOCTL: Device or resource busy
Tue Oct 18 11:34:01 PDT 2022: 1 => 0
Tue Oct 18 11:34:01 PDT 2022: 0 => 1
The 0 actually comes from the fact that crossystem falls back to
`GetVdatInt(VDAT_INT_HW_WPSW_BOOT)` if it fails to read the GPIO and
that value isn't initted to anything on trogdor (VDAT_INT_HW_WPSW_BOOT
is deprecated and not populated on trogdor).
It is postulated that the above problem is causing some parts of the
system to get confused about the write protect state of devices.
BRANCH=none
BUG=b:249498455
TEST=Run script in CL commit message and see no errors
Change-Id: I307cdb4e290c27694690a19af60f4697ee0233e4
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3963985
Reviewed-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Julius Werner <jwerner@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To migrate the archive manifest generation from `setvars.sh` to
`signer_config.csv`, we have to find the patch files (rootkey.*,
vblock_?.*, gscvd.*) in the signer_config manifest builder.
Also updated the comments for how the signer_config works.
BUG=b:251040363
TEST=make; run test
BRANCH=None
Change-Id: I6e30b7fc55fda2b24f7809a8f2215bb9af1117af
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3937843
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To support patching firmware image files with different GSCVD (GSC
verified data for AP RO verification) per brand code, we want to read
and load the data from keyset/gscvd.$model in the firmware archives.
BRANCH=None
BUG=b:248317123
TEST=make; run test
Change-Id: I99ed4bae21b8909da2cbb1ebca0b9bbac268be5d
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3937842
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The `futility validate_rec_mrc` command was added to allow the
MrcCacheTest factory test to verify the MRC cache. However,
duplicating the verification logic between coreboot and futility is not
very maintainable. This caused problems recently when CB:67670 replaced
the checksum in the MRC header with a hash.
MrcCacheTest was changed to instead read eventlog to check that coreboot
successfully updated the cache: CL:3935801. Now `futility
validate_rec_mrc` is no longer used, so remove it.
BRANCH=none
BUG=b:242667207, b:249174725
TEST=emerge-nissa vboot_reference
Change-Id: I7b78cdbfdda37e70aef3675636ed347a4ea1694e
Signed-off-by: Reka Norman <rekanorman@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3949072
Tested-by: Reka Norman <rekanorman@chromium.org>
Commit-Queue: Reka Norman <rekanorman@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for signing and verification of coreboot images
supporting VBOOT_CBFS_INTEGRATION. Images with config option
CONFIG_VBOOT_CBFS_INTEGRATION=y will be signed with CBFS metadata hash
in signature. vb2api_get_metadata_hash() should be used to extract hash
value from VBLOCK and then should be used to verify CBFS metadata.
To support full verification, CBFS file data verification should also be
enabled and correctly handled.
BUG=b:197114807
TEST=build with CB:66909 and boot on volteer/voxel with
CONFIG_VBOOT_CBFS_INTEGRATION=y
BRANCH=none
Signed-off-by: Jakub Czapiga <czapiga@google.com>
Change-Id: I4075c84820949be24c423ed14e291c89a0032863
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3811754
Commit-Queue: Julius Werner <jwerner@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A ti50 TPM works with a servov4 as it reports 'ccd_gsc'. With suzyq
'ccd_ti50' is reported. Special case that string in the same way as
cr50.
BUG=b:251281342
BRANCH=None
TEST=sudo futility update -a ./chromeos-firmwareupdate -m factory \
--servo --servo_port=9994 -d
before: Selected Servo V2.
after: Selected CCD.
Change-Id: I1333fac24a023c1c88e708d69196f8da89777ef9
Signed-off-by: Evan Benn <evanbenn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3929938
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Sam McNally <sammc@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=b:251281342
BRANCH=None
TEST=set_gbb_flags.sh --servo targeting a Nereid succeeded.
Change-Id: Iea83ebacf2bbcdf9da70b38a94017811c07c063e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3929937
Tested-by: Tirath Ramdas <tirath@google.com>
Reviewed-by: Jett Rink <jettrink@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>
Reviewed-by: Sam McNally <sammc@chromium.org>
Commit-Queue: Tirath Ramdas <tirath@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The body_sig pointer is being freed twice. This can lead to
indeterminate behavior and could corrupt memory. Remove superfluous
free to avoid memory corruption.
BUG=b:250952592
TEST=NA
BRANCH=None
Change-Id: Ie4c11e940653550e24829f253d05be08d74620f6
Signed-off-by: Jon Murphy <jpmurphy@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3935032
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Hsuan Ting Chen <roccochen@chromium.org>
Commit-Queue: Julius Werner <jwerner@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BRANCH=none
BUG=none
TEST=cros lint
Signed-off-by: Jakub Czapiga <jacz@semihalf.com>
Change-Id: I7710c43c8c70cf257a898f22c42ecbf350e125a2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3925702
Commit-Queue: Jakub Czapiga <czapiga@google.com>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Tested-by: Jakub Czapiga <czapiga@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the default set of test rules.
V2 test plans will be verified in staging before being enabled in prod.
See go/cros-cq-test-config for more details.
BRANCH=None
BUG=b:249150178
TEST=dirmd validate
Change-Id: I7fb7967025019c8cf286294e48573445e3e90d5b
Signed-off-by: Navil Perez <navil@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3927889
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The root public key hash needs to be incorporated into the GSC
firmware. Before this patch the only way to get the hash was to
preform an AP RO firmware signing operation, which, among other things
requires access to the platform private key.
This patch adds another invocation option where only the -r parameter
is passed in, in which case the hash of the public key is printed.
BRANCH=none
BUG=b:247653513
TEST=verified printing root pubk hash:
$ futility gscvd \
-r ./nivviksSigning-MP/root_key_arv_root.vbpubk
Root key body sha256 hash:
b3dba1f89e943d53206e2950e06c3764fe230ef883bb8fd2932a9fb21c281ba1
Change-Id: I41d8396309d43d9d48555453d3339b0b540000c0
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3906635
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It has been decided to communicate the list of ranges to cover by the
signature through a preset ranges array in the RO_GSCVD FMAP section
of the AP firmware image.
This patch adds the ability to retrieve ranges from the image in case
the -R command line parameter is not given on the command line when
invoking 'futility gsvd'.
BRANCH=none
BUG=b:247653513
TEST=verified that both forms of invocation, with and without -R work
as expected, as well as GSCVD verification invocations with and
without the root public key hash
without passing in the ranges:
$ utility gscvd \
-k nivviksSigning-MP/arv_platform.keyblock \
-p nivviksSigning-MP/arv_platform.vbprivk \
-b 52435a5a \
-r nivviksSigning-MP/root_key_arv_root.vbpubk \
--outfile ~/tmp/bios/image-nivviks.signed.bin \
~/tmp/bios/image-nivviks.serial.bin
Will sign the following 3 ranges:
01fe4e00:0001b200
01c07000:00000030
01c07180:00002000
Root key body sha256 hash:
b3dba1f89e943d53206e2950e06c3764fe230ef883bb8fd2932a9fb21c281ba1
with passing in the ranges:
$ futility gscvd \
-R 1c77000:200,1c07000:400,1c16800:100,1c06000:1000,1c08000:100 \
-k nivviksSigning-MP/arv_platform.keyblock \
-p nivviksSigning-MP/arv_platform.vbprivk \
-b 52435a5a \
-r nivviksSigning-MP/root_key_arv_root.vbpubk \
--outfile ~/tmp/bios/image-nivviks.signed.bin \
~/tmp/bios/image-nivviks.serial.bin
Root key body sha256 hash:
b3dba1f89e943d53206e2950e06c3764fe230ef883bb8fd2932a9fb21c281ba1
validate signed image without pub key hash:
futility gscvd ~/tmp/bios/image-nivviks.signed.bin
validate signed image with pub key hash:
$ futility gscvd ~/tmp/bios/image-nivviks.signed.bin \
b3dba1f89e943d53206e2950e06c3764fe230ef883bb8fd2932a9fb21c281ba1
try validating signed image with a corrupted pub key hash:
$ futility gscvd ~/tmp/bios/image-nivviks.signed.bin \
b3dba1f89e943d53206e2950e06c3764fe230ef883bb8fd2932a9fb21c281ba0
ERROR: validate_gscvd_or_read_ranges: Sha256 mismatch
validate proper processing of uninitialized GVD:
$ futility gscvd -k nivviksSigning-MP/arv_platform.keyblock \
-p nivviksSigning-MP/arv_platform.vbprivk \
-b 52435a5a \
-r nivviksSigning-MP/root_key_arv_root.vbpubk \
--outfile ~/tmp/bios/image-nivviks.signed.bin \
~/tmp/bios/image-guybrush.serial.bin
ERROR: validate_gvd: Incorrect gscvd magic ffffffff
ERROR: do_gscvd: Missing --ranges argument and no ranges in...
Change-Id: I586f97083f6d77fdddddd7327c61891197c3cc58
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3905178
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Alyssa Haroldsen <kupiakos@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A trap to delete tempfiles was mistakenly masked.
BUG=b:247920664
BRANCH=None
TEST=get_gbb_flags.sh; ls /tmp/tmp.* | wc -l == 0
Change-Id: I3b783395309ea2acb1bc75ffa19df62f81b90450
Signed-off-by: Evan Benn <evanbenn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3907130
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Commit-Queue: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=None
BRANCH=None
TEST=None
Signed-off-by: Evan Benn <evanbenn@chromium.org>
Change-Id: Ia2d4426ad0807a51d4b0568bd6a750f8fb6021f7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3907132
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The --allow-multiple-definition linker option was added in CL:6770 to
allow mocking functions. Now that we're exclusively using the weak
attribute (or equivalently test_mockable in vboot_reference) in other
firmware repositories (coreboot, depthcharge) for unit testing, the
--allow-multiple-definition option should no longer be needed.
In addition, one problem with --allow-multiple-definition is that, when
a function being mocked is automatically inlined by compiler
optimization, the mock function may not be called at all, leading to
unexpected behavior. Marking that function as test_mockable can prevent
this situation.
Therefore, add test_mockable to all the functions being mocked, and
remove the linker option from Makefile.
BUG=none
TEST=make -j32 test_setup && make runtests
BRANCH=none
Change-Id: Ifcd8138641d17bff689dd5093cdd69e4da9f0b0c
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3744746
Reviewed-by: Jakub Czapiga <czapiga@google.com>
Commit-Queue: Jakub Czapiga <czapiga@google.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Crdyboot uses the kernel's own EFI boot stub to actually launch the
kernel, so the "pick apart" operations done by futility on x86 kernels
aren't desired. Skip those operations if the kernel contains the builtin
EFI stub. This will only affect the reven board, as only the reven
kernel config has CONFIG_EFI_STUB enabled.
To detect whether the kernel was built with the EFI stub, check the
first two bytes of kernel data for the COFF header magic bytes "MZ".
Tested by running `vbutil_kernel --pack` on two amd64 kernels, one with
CONFIG_EFI_STUB enabled and one with it disabled. Full command:
futility --debug vbutil_kernel
--pack out.img
--keyblock /usr/share/vboot/devkeys/recovery_kernel.keyblock
--signprivate /usr/share/vboot/devkeys/recovery_kernel_data_key.vbprivk
--version 1
--config config.txt
--bootloader /lib64/bootstub/bootstub.efi
--vmlinuz vmlinuz.bin
--arch amd64
In the kernel with the EFI stub the debug output includes "EFI boot stub
detected", the other one does not.
BUG=b:238316304
TEST=Test two kernels as described above
TEST=Test booting through crdyboot
BRANCH=none
Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
Change-Id: I14640eadce2a1e41a262921cb6ab96962b6b3a22
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3900403
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Emit a warning and continue when OpenSSL is newer than expected. The
chroot still uses an older version.
BUG=b:245993083, b:246328810
BRANCH=none
TEST=make -C ~/cosarm/src/platform/vboot_reference/ USE_FLASHROM=0
See that the errors become warnings
Signed-off-by: Simon Glass <sjg@chromium.org>
Change-Id: I85afba4007da3bc7c37abc04d744185c3362ad99
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3887562
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Utility programs in vboot sometimes use subprocess_run to execute
another program like flashrom or cbfstool. This change makes it easier
to debug these utilities by logging executed subprocess and its
arguments.
This change also fixes futility vb2ex_printf() implementation.
Previously use of VB2_DEBUG_RAW() calling vb2ex_printf(NULL, ...) was
unnecessarily trying to print NULL as function name, which was not
intended behavior.
TEST=sign image and look for "Run: cbfstool ..."
BUG=none
BRANCH=none
Signed-off-by: Jakub Czapiga <czapiga@google.com>
Change-Id: I613d4af4af4370425cbbedc2d7de29a488533c6a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3878593
Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add vb2api_inject_kernel_subkey for bootloaders that only want to use
vboot for loading and verifying the kernel. The intended usage is:
vb2api_init();
vb2api_inject_kernel_subkey();
vb2api_load_kernel();
BUG=b:237093169
BRANCH=none
TEST=make && make runtests
Change-Id: Iea6e31826f89ec754496427427d124a35285c463
Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3732807
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Running auxfw sync after EC sync is intentional, and the order should
not be swapped. Therefore add a check in the mock vb2api_auxfw_sync().
BUG=none
TEST=make run2tests
BRANCH=none
Change-Id: I60104378d4abf509cd379dc30818d79dd0606ee3
Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3863492
Reviewed-by: Hsuan Ting Chen <roccochen@chromium.org>
Commit-Queue: Hsuan Ting Chen <roccochen@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch moves the connection to the vb2ex_hwcrypto API further down
the stack, into the low-level vb2_digest and vb2_hash APIs. These
functions will now take an extra allow_hwcrypto argument that the caller
can use to deny or allow hwcrypto by policy. If allowed, the function
will try HW crypto first and fall back to the software implementation if
the selected algorithm is not supported. vb2_hwcrypto_allowed() is made
available to external callers as a vb2api function to make that decision
in most cases (for others, like userspace tools and testing, HW crypto
is generally not used anyway and they can just pass `false`).
Since vb2ex_hwcrypto_digest_init() takes a data_size argument for the
total amount of bytes expected, vb2_digest_init() will now also need to
take this extra argument. But since the total data size cannot always be
known in advance, callers are allowed to pass 0 to indicate that the
size is unknown. The software implementations work either way, and HW
crypto implementations will now need to check if data_size is 0 and
return HWCRYPTO_UNSUPPORTED if they cannot handle this case.
While we're touching everything anyway, let's take this opportunity to
retire the vb2_digest_buffer() API in favor of the newer and usually
more convenient vb2_hash_calculate(), so we can limit the amount of
separate APIs we have to support going forward.
BRANCH=none
BUG=b:240624460
TEST=runtests
Signed-off-by: Julius Werner <jwerner@chromium.org>
Cq-Depend: chromium:3854282
Change-Id: I34c3f54e31742619d422d1cd871bdb77ad0439b7
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3825558
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commits adds support for the `ensure_amd_psp_flags` script which
only needs to be few on certain AMD boards.
BRANCH=none
BUG=b:202397678
TEST=Verified that ensure_amd_psp_flags executes correctly
Change-Id: I6ae61083113497d1c63b5ed5a0bd608c525a0c6e
Signed-off-by: Robert Zieba <robertzieba@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3821000
Reviewed-by: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit updates the `ensure_amd_psp_flags` script so that it will
ignore any artifacts that do not contain valid AMD AP images as long as
there are no soft-fuse bitsets present for the given board. This allows
all logic to be contained within this script.
BRANCH=none
BUG=b:202397678
TEST=Verified that script still works on AMD artifacts, tested that
Intel and ARM artifacts are ignored
Change-Id: I17a9414a36fbeb4a0ae9792c2e036deccd089870
Signed-off-by: Robert Zieba <robertzieba@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3860383
Reviewed-by: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Declaring struct vb2_context in 2api.h creates problems with circular
dependencies if other API functions need to rely on data types in
headers that in return need the vb2_context definition. This patch
solves that problem by factoring vb2_context out into its own header.
BRANCH=none
BUG=b:240624460
TEST=none
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: I3d6a94e6e3d69cfa29d1f1415552446051a50c57
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3825557
Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
Reviewed-by: Kangheui Won <khwon@chromium.org>
Tested-by: Jakub Czapiga <czapiga@google.com>
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=none
TEST=Ran script with new arg and ensured it disabled verity
BRANCH=none
Change-Id: I2cf4ca1a0a7b3663b05f7b2ef35fb6f9261b00a9
Signed-off-by: Steven 'Steve' Kendall <skend@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3825117
Reviewed-by: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This makes flashrom_get_wp() use the new libflashrom WP interface that
was recently added to flashrom and moves it to host/lib/flashrom_drv.c
with the other libflashrom wrapper functions.
BUG=b:223291615
BRANCH=none
TEST=flashrom --wp-disable; futility update -i image.bin \
futility prints: `Write protection: 0 (disabled; HW=0, SW=0).`
TEST=flashrom --wp-enable; futility update -i image.bin \
futility prints: `Write protection: 0 (disabled; HW=0, SW=1).`
Change-Id: Ib13eeb2f1f718443271b074969ff69e66149f401
Signed-off-by: Nikolai Artemiev <nartemiev@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3540785
Commit-Queue: Edward O'Callaghan <quasisec@chromium.org>
Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=b:231084609
BRANCH=None
TEST=None
Change-Id: Id76f2469faa13c136c6ec2761577acec4ad810e5
Signed-off-by: Evan Benn <evanbenn@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3831833
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In vb2_get_gbb, abort if gbb_offset is zero. This ensures that functions
like vb2api_gbb_get_flags won't try to read garbage GBB data if the
context hasn't been properly initialized.
Some additional changes made to fix tests:
1. In vb2_set_boot_mode, don't access GBB unless needed.
2. In vb2api_get_dev_default_boot_target, use vb2api_gbb_get_flags
instead of vb2_get_gbb to make it easier to mock. This is needed for
depthcharge tests.
3. Make vb2api_get_debug_info tolerant of GBB not being set. This is
needed for depthcharge tests.
BUG=b:237093169
BRANCH=none
TEST=make && make runtests
Cq-Depend: chromium:3820402
Change-Id: I921d6cc4a5d91c8114c5e46748b4576a1e7716d0
Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3817941
Reviewed-by: Julius Werner <jwerner@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The script doesn't work on betty without --force. And in turn
dev_features_rootfs_verification doesn't work as well.
BUG=None
TEST=copy the script to betty and run
BRANCH=none
Change-Id: I70f48b97b470bb04fb9f5fff751df83c44d7defe
Signed-off-by: Shao-Chuan Lee <shaochuan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3818089
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a general security test script. This allows
some logic to be moved out of the signer as well as providing a single
entry point for the security tests run by the signer.
BRANCH=none
BUG=b:202397678
TEST=Verified that correct security tests ran with/without
`--keyset-is-mp`
Change-Id: Ib4c779a90d2fe9160c278f20d7ec61242f1d68cc
Signed-off-by: Robert Zieba <robertzieba@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3820999
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit changes the order of the arguments for this script from
`<board> <image>` to `<image> <board>`. This brings the script in-line
with the existing ensure scripts.
BRANCH=none
BUG=b:202397678
TEST=Verified that script works with guybrush image
Change-Id: I7bf31eb0b6ab667b1c3c0e71c2388531bb3f1bc0
Signed-off-by: Robert Zieba <robertzieba@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3820998
Reviewed-by: Mike Frysinger <vapier@chromium.org>
|