| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new flag, 0x100, to indicate FAFT key stroke overrides.
BUG=chrome-os-partner:14056
TEST=none
BRANCH=stout
Change-Id: I76b7f3f4c51abec5528047f690f20a09b257abc2
Signed-off-by: Marc Jones <marc.jones@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/37074
Reviewed-by: Ronald G. Minnich <rminnich@chromium.org>
Reviewed-by: Gediminas Ramanauskas <gedis@chromium.org>
Tested-by: Gediminas Ramanauskas <gedis@chromium.org>
Commit-Ready: Marc Jones <marc.jones@se-eng.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There will be more bios*.bin (ex, bios_rw.bin) in firmware updater, and we do
want to sign all files.
BRANCH=signer
BUG=chromium-os:35369
TEST=sign_official_build.sh ssd DEV_IMAGE ../../tests/devkeys
Change-Id: I2ea0c5c3d7a18c43df581f50b4bd907206dcd7ad
Reviewed-on: https://gerrit.chromium.org/gerrit/36890
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We didn't get bit by this bug because getlong_opt does partial matching
on long option names. So --flag also works.
BUG=none
TEST=resign a test firmware; ensure preamble flag is preserved.
BRANCH=none
Change-Id: Ifd87c627b82468529fe1241be3629198d194027b
Reviewed-on: https://gerrit.chromium.org/gerrit/35350
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The bootcache will be changing the linux command line. Added additional
patterns that are acceptable to the signing software.
BUG=chromium-os:25441
TEST=ran security_test_image script against stumpy recovery images
BRANCH=none
Change-Id: I22d00ebc6191b5499f722974d90c260b78eb63b2
Reviewed-on: https://gerrit.chromium.org/gerrit/34959
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Paul Taysom <taysom@chromium.org>
Tested-by: Paul Taysom <taysom@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we are given a config file that doesn't exist, return an error rather
ignoring it. This way we don't accidentally give images a pass when we
didn't properly test them.
BUG=None
TEST=`./security_test_image --board=x86-alex --baselines=/` now shows 3 failures rather than all pass
BRANCH=None
Change-Id: I9d130db05befaeac8fcca921f0e43f47c2461f9f
Reviewed-on: https://gerrit.chromium.org/gerrit/34795
Reviewed-by: Ryan Cui <rcui@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This enables the signer script to sign update payloads.
BUG=chromium-os:34521
TEST=`./sign_official_build.sh update_payload testcase.sha256 . foo` produced a signed foo file
BRANCH=None
Change-Id: I27a9de89e760427251538deec38161944388a152
Reviewed-on: https://gerrit.chromium.org/gerrit/33535
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Don Garrett <dgarrett@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This option is disabled per default and can be enabled with
crossystem dev_boot_legacy=1
or by setting the GBB flag
GBB_FLAG_FORCE_DEV_BOOT_LEGACY 0x00000080
BUG=chrome-os-partner:6108
TEST=crossystem dev_boot_legacy=1
boot to dev mode screen, press CTRL-L, see SeaBIOS start
(other CLs needed)
BRANCH=link
Signed-off-by: Stefan Reinauer <reinauer@chromium.org>
Change-Id: I593d2be7cff5ca07b8d08012c4514a172bd75a38
Reviewed-on: https://gerrit.chromium.org/gerrit/31265
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
Tested-by: Stefan Reinauer <reinauer@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Ready: Stefan Reinauer <reinauer@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This GBB_FLAG_ENTER_TRIGGERS_TONORM is new added for allowing Enter
(default is Space) to trigger the TONORM screen. This flag is
used by FAFT testing.
Chage the usage of set_gbb_flags.sh to help an user.
BUG=chrome-os-partner:12699
TEST=None. Trivial comment change.
Change-Id: I8a1efa880627965570719f22dedfa0e31ab2d5f5
Reviewed-on: https://gerrit.chromium.org/gerrit/33404
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Commit-Ready: Tom Wai-Hong Tam <waihong@chromium.org>
Tested-by: Tom Wai-Hong Tam <waihong@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This lines up with the terminology that people have been using, and the
valid types that can appear in signer instruction files. We keep around
the old "install" so that other code continues to work.
BUG=None
TEST=None
BRANCH=none
Change-Id: I8d0d2ab4c0ae61f6bcdbcc24ec9796d9eabe386e
Reviewed-on: https://gerrit.chromium.org/gerrit/33056
Reviewed-by: David McMahon <djmm@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The signing script extracted firmware body sections FW_MAIN_{A,B} and
resigned the whole section instead of just firmware body.
As a result, read-only firmware spends more time loading read-write
firmware from SPI flash.
Since vblock has firmware body size information, signing script should
retrieve it and use it to sign just firmware body.
This may reduce boot time for ~560ms, depending on firmware image size,
section size and SPI flash/bus throughput.
Signed-off-by: Che-Liang Chiou <clchiou@chromium.org>
BRANCH=snow,link
BUG=chrome-os-partner:13094
TEST=For Snow (or boards that use cros_bundle_firmware), check that
after resigning, VBLOCK_{A,B} and FW_MAIN_{A,B} are unchanged
For Alex and ZGB, check that old and new resign_firmwarefd.sh
generates identical output
(Test for Snow; repeat for A and B)
dump_fmap -x image.bin VBLOCK_A FW_MAIN_A
mv VBLOCK_A VBLOCK_A.orig
mv FW_MAIN_A FW_MAIN_A.orig
resign_firmwarefd.sh image.bin image-resigned.bin \
firmware_data_key.vbprivk \
firmware.keyblock \
dev_firmware_data_key.vbprivk \
dev_firmware.keyblock \
kernel_subkey.vbpubk
dump_fmap -x image-resigned.bin VBLOCK_A FW_MAIN_A
cmp VBLOCK_A.orig VBLOCK_A
cmp FW_MAIN_A.orig FW_MAIN_A
(Test for Alex and ZGB; repeat for old and new resign_firmwarefd.sh)
resign_firmwarefd.sh image.bin image-resigned-{old or new}.bin \
firmware_data_key.vbprivk \
firmware.keyblock \
dev_firmware_data_key.vbprivk \
dev_firmware.keyblock \
kernel_subkey.vbpubk
cmp image-resigned-old.bin image-resigned-new.bin
Change-Id: Ie70b6c91614343ad9f991ae369a0f8e74ec213fe
Reviewed-on: https://gerrit.chromium.org/gerrit/31572
Commit-Ready: Che-Liang Chiou <clchiou@chromium.org>
Tested-by: Che-Liang Chiou <clchiou@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current kernel parameter parsing logic uses word boundaries (\b) to
keep from replacing parameters inside of other parameters (like "level=1"
mangling "loglevel=1" into "log"), but this fails when the last character
isn't a "word" character. e.g. "\bconsole=\b" doesn't match "console=".
Change the \b to a space. Since we're already using spaces as our split
marker, this shouldn't be a problem.
BRANCH=None
BUG=chrome-os-partner:12780
BUG=chromium-os:33868
TEST=ran `ensure_secure_kernelparams.sh` on an image with 'console=' and saw it work
Change-Id: Id69250179ea76aabfed9cd21c1c59483d78a215d
Reviewed-on: https://gerrit.chromium.org/gerrit/31356
Reviewed-by: David McMahon <djmm@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When checking kernel params fail, it's useful to know all the variables
as to what it's doing. So dump some state when an error occurs.
BRANCH=None
BUG=None
TEST=ran `ensure_secure_kernelparams.sh` on a bad image and saw useful output
TEST=ran `ensure_secure_kernelparams.sh` on a good image and saw no output
Change-Id: I0e499f87a6d8feed80da72aba75e1e6c1b4076c9
Reviewed-on: https://gerrit.chromium.org/gerrit/31355
Reviewed-by: David McMahon <djmm@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since we've moved away from flag-files in session manager to
enable certain dev/test-mode features, our strategy of checking
for those flag files on the signer fell behind. This test adopts
a scheme that any use flag starting with "test_" or "dangerous_"
is blacklisted from release signing.
BUG=chromium-os:32430
TEST=ran the script against both a 'base' and 'test' image
from the builder/ToT. Passes/fails as expected.
Change-Id: I54d6ef17d52371c7543d5705e0939e000db85e51
Reviewed-on: https://gerrit.chromium.org/gerrit/29034
Reviewed-by: Chris Masone <cmasone@chromium.org>
Tested-by: Jim Hebert <jimhebert@chromium.org>
Commit-Ready: Jim Hebert <jimhebert@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was checking for /dev/dm-0, which isn't the case anymore. It now
always attempts to remove rootfs verification from the command line;
this is harmless (no-op) if it's already removed.
BUG=chromium-os:31558
TEST=manual
/usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification
reboot
touch /opt/google/chrome/chrome
Change-Id: I62dc138e8d1d09bdcb16be3faab74d32c5f7675a
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/28506
Reviewed-by: David James <davidjames@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Developers testing firmware preamble flags (usually for turn on/off RO-NORMAL
bits) need a easy way to change existing firmware, without hacking FDT source /
looking for complex script.
Also included some minor improvements:
* Always enable FORCE_DEV_BOOT_USB and DISABLE_FW_ROLLBACK_CHECK. These are
flags most developers need when leaving official signed normal firmware.
* --bmpfv is deprecated because our latest firmware now always include
official bitmaps in updater, no more DEV bitmaps.
BUG=none
TEST=./make_dev_firmware.sh -f bios.bin -t new_bios.bin --preamble_flags 0
./make_dev_firmware.sh -f bios.bin -t new_bios.bin --preamble_flags 1
Change-Id: I7ee72d32b4b7fa28f2be635fd8c7bb678852e132
Reviewed-on: https://gerrit.chromium.org/gerrit/28792
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
test images
/root/.forget_usernames is going away from test images. It was a hack.
BUG=chromium-os:31807
TEST=suite:bvt
Change-Id: I27b606fa0232514f3ec45a4ed765b89efcf8f07e
Reviewed-on: https://gerrit.chromium.org/gerrit/27588
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Nirnimesh <nirnimesh@chromium.org>
Commit-Ready: Nirnimesh <nirnimesh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A simple script to help setting GBB flags on-the-fly, with help information for
flag value meanings.
BUG=chrome-os-partner:10389
TEST=./set_gbb_flags.sh 0x20
./set_gbb_flags.sh 0x0
Change-Id: Ic624f76c0897a1cbda876f3073b36f7c6425b5d4
Reviewed-on: https://gerrit.chromium.org/gerrit/26224
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=chromium-os:31893
TEST=verified on images with/without payload verification enabled.
Change-Id: Ic1883aafcc2c48d9e7c5323d6dc7e21fb8f47585
Reviewed-on: https://gerrit.chromium.org/gerrit/25407
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This makes it easy to integrate firmware signing into the signer
since we can reuse the base signing script.
BUG=chromium-os:10094
TEST=try signing both firmware and normal images.
Change-Id: I8beb598e267de33a2c3468dcf8d7c4b74d4de9fd
Reviewed-on: https://gerrit.chromium.org/gerrit/24654
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Align_rootfs was written to auto-fetch the previous release of a given
image, but that logic has bit-rotted. This CL is a quick hack to use
--src_image instead.
BUG=chromium-os:31124
TEST=Hand ran.
Change-Id: I530c6f82c42993648cecb5d59172010d61dd1603
Reviewed-on: https://gerrit.chromium.org/gerrit/23168
Commit-Ready: Don Garrett <dgarrett@chromium.org>
Reviewed-by: Don Garrett <dgarrett@chromium.org>
Tested-by: Don Garrett <dgarrett@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The retry logic has brought down the number of flakes significantly (from
multiple errors a day to ~one every other day). But let's up the retry
count, and have it sleep longer after each failure, so hopefully we can
bring down the flake count even further.
BUG=chrome-os-partner:8156
TEST=`./signing_poller.py -s` signs local images fine
Change-Id: I98bc947836514d8b931568f87f7f9a373f771b79
Reviewed-on: https://gerrit.chromium.org/gerrit/21468
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The kernels we are running the signers on flake out from time to time
when mounting the loop back images. Have the mount code detect this
edge case and automatically retry when the flake hits.
BUG=chrome-os-partner:8156
TEST=`./signing_poller.py -s` signs local images fine
Change-Id: Iaa08445904aa26f0aa7240504f6c7a96e6ef3bbb
Reviewed-on: https://gerrit.chromium.org/gerrit/21055
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The common code takes care of cleaning up temporary files for us if we
use the right helpers. These scripts don't though, so the temp files
end up not getting cleaned and over time, /tmp/ files up with crap.
The common helper takes care of unmounting and removing, so converting
these files over should be safe.
BUG=None
TEST=`./signer/signer_poller.py -s` signs local images and leaves no /tmp/tmp.* junk
Change-Id: I87aa122895997a5ec0017665203fdc8d14e0ab2a
Reviewed-on: https://gerrit.chromium.org/gerrit/20329
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we try to run the signing_poller daemon as non-root, it fails to set
the channel. Detect if the lsb file is writable, and if not, switch to
using sudo on the fly.
BUG=None
TEST=`./signer/signing_poller.py` as non-root and setting the channel works
Change-Id: Iadb10ae68582edfb332f33d3b101c83949ee9502
Reviewed-on: https://gerrit.chromium.org/gerrit/20089
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Investigations in crosbug.com/26483 revealed a bug in loop device handling
if 'umount -d' was called on loop devices mounted using 'mount -o loop'.
This CL changes all invocations of umount to remove the -d option since they
are always in the context of a loop device creating using -o loop.
BUG=chrome-os-partner:8156
TEST=none
Change-Id: I96f30664c3f9148d3b57d430002512d8e94b66bc
Reviewed-on: https://gerrit.chromium.org/gerrit/19858
Reviewed-by: David James <davidjames@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Similar to the canary channel, the dogfood channel images can have their
own app id that is distinct from the board app id.
BUG=chromium-os:25702, chrome-os-partner:8441
TEST=on a dogfood-channel image
Change-Id: Ic993a40d905b224072d325a69e47fdb6633c2e22
Reviewed-on: https://gerrit.chromium.org/gerrit/18039
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Reviewed-by: Scott Zawalski <scottz@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the channel is canary, allow appid to match the value of
expected_appid_canary in the ensure sane lsb release test
configuration.
BUG=chromium-os:25437
TEST=manually tested on an image with and without the channel being canary.
Change-Id: I6bf71adbe0fc090ef777c28d24c53eaa8be18404
Reviewed-on: https://gerrit.chromium.org/gerrit/15509
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Reviewed-by: Scott Zawalski <scottz@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The test is run on a recovery image by the signer. We care more about the
parameters on the kernel partition 4 (the SSD install kernel) than 2.
It'd be nice to have security test on the recovery kernel too and I have
marked that as a TODO for now.
BUG=chromium-os:24077
TEST=tested on a R17 and R18 mario, alex and zgb image.
Change-Id: Ia27ceaefb24dff64115f08b1cc6bbb75d1900071
Reviewed-on: https://gerrit.chromium.org/gerrit/12970
Reviewed-by: Jim Hebert <jimhebert@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Correctly handle the lack of valid dm config parameters in the kernel
command line (dm="..."). In particular, skip trying to perform a rootfs
hash update for that kernel partition.
This change has the side effect of properly signing new recovery images
with the in-flight changes recovery install changes being done as part of
crosbug.com/22530.
Also fix verification of recovery images to consider both kernel partitions
for determing the hash to compare the calculated value against.
Finally, remove dd's verbose output while signing the firmware.
BUG=chromium-os:22530
TEST=manually re-signed new (Alex) and old (Lumpy) recovery image. Verified
that recovery install works.
Change-Id: Ied9f82f2e77ed581875cec0b43ce45fd98186db2
Reviewed-on: https://gerrit.chromium.org/gerrit/12588
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
firmware
Change https://gerrit.chromium.org/gerrit/12471 introduced a regression where by
we always sign a firmware with version 1.
This change fixes that bug.
BUG=chromium-os:23817
TEST=ran sign_official_build and made sure the firmware was signed with the
right firmware version.
Change-Id: I6c8d3e8b103f3f7329b7a4db5a78a8f1ce4415a2
Reviewed-on: https://gerrit.chromium.org/gerrit/12496
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We recently fixed a bug in the sign_firmware.sh script to perform
root key replacement after signing FWA and FWB to allow
resign_firmwarefd.sh to correctly determine the preamble flag to use.
As it turns out, the sign_official_build.sh script used by the signer
for in-place firmware re-signing was using a different code path (by
directly calling resign_firmwarefd.sh).
This change makes sign_official_build script call sign_firmware.sh instead.
BUG=chrome-os-partner:6874
TEST=tried signing a vanilla lumpy image with and without the fix, and
observed the value of preamble flag used.
Change-Id: Icffb1d86fbe44f69e444da51fe251ad3427635c6
Reviewed-on: https://gerrit.chromium.org/gerrit/12471
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the FW_A and FW_B contents are the same, we should not resign with
DEV/NORM keyblocks.
BUG=chrome-os-partner:6942
TEST=(to sign) ./resign_firmwarefd.sh bios.bin new.bin \
../../tests/devkeys/firmware_data_key.vbprivk
../../tests/devkeys/firmware.keyblock \
../../tests/devkeys/dev_firmware_data_key.vbprivk \
../../tests/devkeys/dev_firmware.keyblock \
../../tests/devkeys/kernel_subkey.vbpubk
(to verify) dump_fmap -x new.bin
vbutil_keyblock --unpack VBLOCK_A | grep Flags
vbutil_keyblock --unpack VBLOCK_B | grep Flags
When the input (bios.bin) have DEV FW (ex, zgb/alex), then output
is A=6, B=7; when the input is old or new firmware without DEV
(ex, mario/s*y/l*y), output is A=7, B=7, and you'lll see
"Found firmware with same A/B content - ignore DEV keyblock."
meessage during resign process.
Change-Id: I10cbbf7370f35a40673b328b70c83e7d1213a45d
Reviewed-on: https://gerrit.chromium.org/gerrit/12371
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For key generation, only generate dev firmware keyblocks, if the
--devkeyblock option is passed. For signing, re-use normal firmware
keyblock and data key if no dev keyblocks or data key are found in
the keyset directory.
BUG=chrome-os-partner:6942
TEST=manual
- tested key generation with/without the new flag
- tested signing with or without the presence of dev keyblock
Change-Id: Ic4bf72cb194461e07fcc0f6de39d4e16d1c979a6
Reviewed-on: https://gerrit.chromium.org/gerrit/12038
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
re-signed
resign_firmwarefd.sh needs a verifiable copy of the firmware (and associated root key)
to determine the preamble flag value to use.
BUG=chrome-os-partner:6874
TEST=manually tested resigning a firmware .bin using sign_firmware.sh. Verified correct
preamble flag determination.
Change-Id: Ifb132f54f4891dec4fa7250d3a00e7b4feda24c1
Reviewed-on: https://gerrit.chromium.org/gerrit/11776
Reviewed-by: Duncan Laurie <dlaurie@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=chromium-os:21742
TEST=manual, ensure vboot scripts continue to work
like make_dev_ssd.sh on the client
Change-Id: I405334bab734f35a1a81e4b9e90e93cb760cc3d2
Reviewed-on: https://gerrit.chromium.org/gerrit/10479
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Tested-by: Sonny Rao <sonnyrao@chromium.org>
Commit-Ready: Sonny Rao <sonnyrao@chromium.org>
|
|
|
|
|
|
|
|
|
|
| |
BUG=chromium-os:21863
TEST=ensure_not_ASAN.sh image.bin
Change-Id: I414f941a787e0023257401bb8ed7b4a5257f026a
Reviewed-on: http://gerrit.chromium.org/gerrit/10352
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Jim Hebert <jimhebert@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To prevent execution permissions lost after being copied to /tmp, force adding
a+rx to the staging file.
BUG=chromium-os:20797
TEST=sudo sign_official_build.sh ssd \
x86-zgb-0.16.1089.0.bin ../../tests/devkeys ssd_image.bin
Change-Id: Ibee12dbb3faea9f6b05600d1343620e0af8633fb
Reviewed-on: http://gerrit.chromium.org/gerrit/8263
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Work around the fact that we have 3 different verity kernel arguments depending
on the image being signed (legacy parameters, new key=value parameters, new key=
value parameters with salt).
Since the signer is not branch conscious, expect and use the old verity binary to
be present when legacy kernel arguments are specified. The last 2 types of verity
arguments can be distinguished based on whether a salt is present.
BUG=chromium-os:20640
TEST=manually tested by signing r14, r15 and r16 images and verifying
that kernel parameters are set correctly.
Change-Id: I96ecf6f506a94509a64ef12d7a108e977f94c23c
Reviewed-on: http://gerrit.chromium.org/gerrit/8214
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
Reviewed-by: David McMahon <djmm@chromium.org>
Tested-by: David McMahon <djmm@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is again working around the fact that the signer isn't branch
conscious. Depending on which branch you look at, there are 3 possible
verity parameter styles in use.
This CL allows the kernel parameter test to allow multiple alternatives
for verity dm= parameters.
BUG=chromium-os:20640
TEST=manually tried with a R16, R15 and R14 image
Change-Id: I07554594d6adbdfd1988395d3e91edfd603d8cd4
Reviewed-on: http://gerrit.chromium.org/gerrit/8067
Reviewed-by: Jim Hebert <jimhebert@chromium.org>
Commit-Ready: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=chromium-os:17138
TEST=tested changes on vm8-m2, was able to successfully run au-generate.py
and it used the cgpt binary from au-generate.zip
Change-Id: Ia57f1be4b0d669cad430e51977cce6e26d704320
Reviewed-on: http://gerrit.chromium.org/gerrit/7796
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Reviewed-by: Eric Blake <eblake@chromium.org>
Tested-by: Eric Blake <eblake@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To prevent hard-coding the procedure to repack a firmware updater, this CL
supports using new "--sb_repack" mode supported by updater so that signer does
not need to care about how the updater is packed anymore.
BUG=chromium-os:20027
TEST=./sign_official_build.sh ssd \
~/trunk/src/build/images/x86-zgb/latest/chromiumos_image.bin \
../../tests/devkeys \
~/trunk/src/build/images/x86-zgb/latest/chromiumos_new_image.bin
# success
Change-Id: I035dfaa86b05b85748e69ec039769b0c08d33f64
Reviewed-on: http://gerrit.chromium.org/gerrit/7311
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
| |
BUG=chromium-os:18492
TEST=manually on new and old image.
Change-Id: Ifa7ab70cd2cd3629656d167cd6f4bfaae8f7f03a
Reviewed-on: http://gerrit.chromium.org/gerrit/6589
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=chromium-os:18492
TEST=manually tested with both an old verity image, as well as a new one (with
the pending http://gerrit.chromium.org/gerrit/6085)
Change-Id: I347de9185db1c4ea949d37121c63e08184e8fcfe
Reviewed-on: http://gerrit.chromium.org/gerrit/6516
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We should detect keyblock from existing firmware and decide if a developer
firmware keyblock should be used.
BUG=chromium-os:18946
TEST=./make_dev_firmware.sh -f zgb.bin -t zgb_dev.bin
# seeing Using keyblocks (developer, normal)...
./make_dev_firmware.sh -f mario.bin -t mario_dev.bin
# seeing Using keyblocks (normal, normal)...
./make_dev_firmware.sh -f arm.bin -t arm_dev.bin
# seeing Using keyblocks (normal, normal)...
Change-Id: I74fa0db980e26a6a19a4393303e8c5b3260c84c7
Reviewed-on: http://gerrit.chromium.org/gerrit/5623
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Parsing fmap information becomes easier after dump_fmap adds "-p" mode, and
prevents the dependency because dump_fmap is in same repo with signing scripts.
BUG=none, pure refine to reduce dependency and less error messages
TEST=./resign_firmwarefd.sh mario_bios.bin output.bin \
devkeys/firmware_data_key.vbprivk devkeys/firmware.keyblock \
devkeys/firmware_data_key.vbprivk devkeys/firmware.keyblock \
devkeys/kernel_subkey.vbpubk
# Also verified with modern firmware like ZGB/Alex and ARM.
Change-Id: Ia40ecd9ab641250272952e20ab058e780eb7770b
Reviewed-on: http://gerrit.chromium.org/gerrit/5132
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When preamble_flag is not assigned manually, resign_firwmarefd should not change
the preamble flag.
BUG=chromium-os:18207
TEST=# Prepare a bios.bin with preamble_flag=1 (ex, ARM firmware)
./resign_firmwarefd.sh bios.bin ..... # do not assign preamble
vbutil_firmware --verify # see preamble_flag=1
# Repeat with firmware having preamble_flag=0 (ex, x86 firmware like ZGB/Alex)
# preamble_flag is 0 after resign_firmwarefd.
Change-Id: I50f88bbf51a28defaf1c4e5383ab856168a128fc
Reviewed-on: http://gerrit.chromium.org/gerrit/5133
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The two-stop firmware relies on the "flag" field which may be useful for the
resign_firmwarefd.sh.
BUG=chrome-os-partner:5095
TEST=./resign_firmwarefd [params] 1
vbutil_firmware --verify ..... # seeing flag = 1
Change-Id: I56b44ee5b610e36384e15e6eb31286f0f838734b
Reviewed-on: http://gerrit.chromium.org/gerrit/4561
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=chromium-os:17953
TEST=Run sign_official_build.sh verify from the chroot on an image, now
it succeeds.
Change-Id: Idd923716c95f4f12bd0a1236e2894af276e26d71
Reviewed-on: http://gerrit.chromium.org/gerrit/4499
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Tested-by: Gaurav Shah <gauravsh@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The %U is better since arm and x86 both supports it now.
BUG=chromium-os:15683
TEST=./make_dev_ssd.sh # need latest kernel patch
Change-Id: I94a6471788d3496cfa7ef263493e89877bb2b593
Reviewed-on: http://gerrit.chromium.org/gerrit/3551
Reviewed-by: Che-Liang Chiou <clchiou@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
|
|
|
|
|
|
|
|
|
|
|
| |
BUG=chromium-os:15061
TEST=(on arm) ./make_dev_ssd.sh --remove_rootfs_verification # works
Change-Id: I0ed5e02cd566c89b2604a2e77b87413dc957471e
Reviewed-on: http://gerrit.chromium.org/gerrit/3375
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
|