| Commit message | Author | Age | Files | Lines |
| |
grep returns exit code 1, if pattern was not found, and due to `set -e`
ensure_not_tainted_license.sh exits immediately with code 1. This change
fixes it.
This change also ensures that the correct code 1 is returned when the
pattern is found.
BUG=chromium:1163996
TEST=N/A
BRANCH=none
Signed-off-by: Sergey Frolov <sfrolov@google.com>
Change-Id: Idd33cec8795420ca1aab9ab1490a338a04d20257
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2638856
Tested-by: George Engelbrecht <engeg@google.com>
Commit-Queue: George Engelbrecht <engeg@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
| |
This change makes ensure_not_tainted_license.sh only emit a warning if
license file is not found, as opposed to failing.
BUG=chromium:1163996
TEST=N/A
BRANCH=none
Change-Id: I14103bc520efabf3e0c1424e8a5cae259d42c966
Signed-off-by: Sergey Frolov <sfrolov@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2632876
Commit-Queue: George Engelbrecht <engeg@google.com>
Reviewed-by: George Engelbrecht <engeg@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
This is a part of the work to ensure that tainted images are never
signed with MP keys. A special tainted tag was added to the license file by
https://chromium-review.googlesource.com/c/chromiumos/chromite/+/2560225
and in ensure_not_tainted.sh we detect the presence of this tag.
This script has been manually tested on tainted and non-tainted images.
BUG=chromium:1059363
TEST=manual
BRANCH=none
Change-Id: I17ca27bb7895f268a79cca3ad948808f0f96b8c7
Signed-off-by: Sergey Frolov <sfrolov@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2607414
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>
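The exit-status handling described in the three commit messages above (grep's status 1 under `set -e`, a warning only when the license file is missing, a failure when the tainted tag is present), as an added example that is not the project's ensure_not_tainted_license.sh. `TAINT_TAG`, the function names and the status 2 for a grep error are assumptions made for illustration; the real tag is defined by the chromite change linked above.

```shell
#!/bin/sh
# Added example, not code from vboot_reference.
# TAINT_TAG is a placeholder; the real tag comes from the chromite change.
TAINT_TAG='PLACEHOLDER-TAINTED-TAG'

# Naive form, run in its own shell so that `set -e` really applies.
# grep exits 1 when the tag is absent, so a clean license aborts the script
# with status 1, the same status that is meant to reject a tainted image.
naive_check() {
    sh -c 'set -e
           grep -qF -- "$1" "$2"
           echo "tainted tag found" >&2
           exit 1' naive "$TAINT_TAG" "$1"
}

# Hardened form: capture grep's status instead of letting `set -e` act on it.
#   0 = tag absent (or license file missing: warning only)
#   1 = tainted tag present
#   2 = grep could not scan the file (assumed policy: treat as failure)
check_not_tainted() {
    _license=$1
    if [ ! -e "$_license" ]; then
        echo "WARNING: license file not found: $_license" >&2
        return 0
    fi
    _rc=0
    grep -qF -- "$TAINT_TAG" "$_license" 2>/dev/null || _rc=$?
    case $_rc in
        0) echo "ERROR: $_license carries the tainted tag" >&2; return 1 ;;
        1) return 0 ;;
        *) echo "ERROR: cannot scan $_license (grep status $_rc)" >&2
           return 2 ;;
    esac
}

# Constructed sample license files, written to a temporary directory.
demo() {
    _dir=$(mktemp -d) || return 1
    printf 'Some license text\n' > "$_dir/clean.html"
    printf 'Some license text\n%s\n' "$TAINT_TAG" > "$_dir/tainted.html"
    for _f in clean.html tainted.html missing.html; do
        _s=0
        check_not_tainted "$_dir/$_f" 2>/dev/null || _s=$?
        echo "$_f: status $_s"
    done
    rm -rf "$_dir"
}
demo
```
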
| |
This reverts commit bc2317695965bb92b8809d9c06327adedcb0653c.
The reason for revert is that the signer needs to know the generated
file name, and in case vboot reference alters the name the signer
remains unaware of the change and is still looking for the file named
@CHIP@...
Some other means of figuring out the file name will be required, let's
stick with the @CHIP@ prefix for now.
BRANCH=none
BUG=b:173049030
TEST=none
Change-Id: I23ea65314d49e86fc4edb015e89b6076f87a54dd
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2605238
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Tested-by: George Engelbrecht <engeg@google.com>
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
| |
When processing Gsc image signing request the signing server is not
aware of which chip the image is being signed for, the output file
name includes the string @CHIP@ and it is the responsibility of the
actual signing scripts to figure out if the image is for Cr50 or Ti50.
The destination image type is determined based on the signing manifest
contents, this patch adds code to replace @CHIP@ with the actual image
type.
BRANCH=none
BUG=b:173049030
TEST=invoked the script to sign a Ti50 image locally, verified that
the produced signed image file had the expected name.
Change-Id: Ib1534ce50e0a44d0ec014e8dbee4e4d85c2082c9
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2596695
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
| |
The major difference between Cr50 and Ti50 signing is that the RW
sections are represented differently: elf files in Cr50 case and ihex
files in Ti50 case.
Other differences include the produced signed final image size and the
offsets of the components in the final image.
The signing script is being updated to figure out all these
differences at run time. A new optional field is introduced in the
signing manifest, the 'generation'. If this field is absent or set to
'h' (for H1), the script proceeds with the Cr50 signing process. If
'generation' is set to 'd' (for D2), the script proceeds with the Ti50
signing process.
Instead of using fixed offsets into the final image, the base
addresses of the components in ihex format are used, the only fixed
value is the base address of the flash image in the chip address space
(0x40000 for H1 vs 0x80000 for D2).
To make this work for H1 the output format of the signed blob produced
by gsc-codesigner is changed from binary to ihex.
BRANCH=none
BUG=b:173049030
TEST=using this script and the signing_instructions.sh module produced
by the real Cr50 signer was able to produce functional images for
both Cr50 and Ti50.
Change-Id: I845be1101b09c9476fa27fbddb72607dc6cea901
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2570009
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
| |
With the advent of D2 memory layout scheme it became impossible to
hardcode the base address of various components of the D2 firmware
image. Luckily, the components are represented as binary blobs in
Intel ihex format, which allows retrieving the base address of the
component from the ihex records.
The address is composed of two elements: the segment base supplied in
the record type 02 or 04, and the record offset into the segment,
supplied in the data record of type 0.
The segment address is expressed as a 16 bit value, the actual value
shifted right either 4 bits (in case of record type 02) or 16 bits (in
case of record type 04). The data record offset is also a 16 bit
value.
The base address of the blob is calculated as
<segment address> + <first data record offset>
and is available from the first two records in the ihex module.
Detailed information of ihex file format can be found in
https://en.wikipedia.org/wiki/Intel_HEX .
BRANCH=none
BUG=b:173049030
TEST=with the next patch in the stack applied was able to successfully
build a multicomponent ti50 image.
Change-Id: I135c2f9960f1f218532c82bafd7acbe362414fc9
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2570008
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
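The base-address calculation described above, as an added example in POSIX sh that is not the code from this change. It goes slightly beyond the commit message by checking each record's length and checksum first and by accepting a blob whose first record is already a data record; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from vboot_reference: base address of an
# Intel HEX blob = <segment address> + <first data record offset>.

# Return 0 if RECORD is ":" followed by hex digits whose length matches the
# byte count field and whose bytes (checksum included) sum to 0 mod 256.
ihex_record_ok() {
    _hex=${1#:}
    [ "$_hex" != "$1" ] || return 1              # must start with ':'
    case $_hex in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#_hex}" -ge 10 ] || return 1            # count+addr+type+checksum
    _rest=${_hex#??}
    _byte=${_hex%"$_rest"}                       # first two hex digits
    [ "${#_hex}" -eq $((2 * 0x$_byte + 10)) ] || return 1
    _sum=0
    while [ -n "$_hex" ]; do
        _rest=${_hex#??}
        _byte=${_hex%"$_rest"}
        _sum=$(( (_sum + 0x$_byte) & 0xff ))
        _hex=$_rest
    done
    [ "$_sum" -eq 0 ]
}

# Read ihex records on stdin; print the blob's base address in hex.
ihex_base_address() {
    _segment=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=$(printf '%s' "$_line" | tr -d '\r')
        [ -n "$_line" ] || continue
        if ! ihex_record_ok "$_line"; then
            echo "malformed ihex record: $_line" >&2
            return 1
        fi
        # Layout: ':' count(2) offset(4) type(2) data... checksum(2)
        _offset=$(printf '%s' "$_line" | cut -c4-7)
        _type=$(printf '%s' "$_line" | cut -c8-9)
        _data=$(printf '%s' "$_line" | cut -c10-13)
        case $_type in
            00) printf '0x%x\n' $((_segment + 0x$_offset)); return 0 ;;
            02) [ "${#_line}" -eq 15 ] || return 1   # exactly 2 data bytes
                _segment=$((0x$_data << 4)) ;;
            04) [ "${#_line}" -eq 15 ] || return 1
                _segment=$((0x$_data << 16)) ;;
            01) break ;;                             # end of file record
        esac
    done
    echo "no data record found" >&2
    return 1
}

# Constructed sample blobs (checksums computed for this example).
sample_d2_blob() {   # type 04 record, upper 16 bits 0x0008 -> 0x80000
    printf '%s\n' ':020000040008F2' ':04400000DEADBEEF84' ':00000001FF'
}
sample_h1_blob() {   # type 02 record, 0x4000 << 4 -> 0x40000
    printf '%s\n' ':020000024000BC' ':02040000CAFE32' ':00000001FF'
}

sample_d2_blob | ihex_base_address
sample_h1_blob | ihex_base_address
```
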
| |
This patch does not yet provide the ability to sign Ti50 images, but
prepares the signing scripts for further modifications to support a
variety of security chip signing flows.
BRANCH=none
BUG=b:173049030
TEST=verified successful signing of a Cr50 image in a test signer
setup
also created a functional Cr50 image invoking
sign_official_build.sh by hand.
Change-Id: Ic103c9fdf7d1c4ea160c7f6849d5ae5a8303c343
Signed-off-by: Vadim Bendebury <vbendeb@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2537078
Tested-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
| |
This adds extra verifications to many Android signer operations in order
to narrow down the problem when empty folders are removed from the disk.
BUG=chromium:1154734
TEST=Locally image signing passed. Emulated problem and it was detected.
BRANCH=none
Signed-off-by: Yury Khmel <khmel@google.com>
Change-Id: If8bb9fced290117766bfa9ff76a25fc86ed263dc
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2572240
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
We want to find the culprit loopback device which isn't detaching on
crbug.com/1141907. We might as well log our cleanup actions anyway, and
this will allow us to see the last loopback processed in production.
BUG=chromium:1141907
TEST=just a log message
BRANCH=None
Signed-off-by: George Engelbrecht <engeg@google.com>
Change-Id: I126efceae4f67993069675c23f6c4af61c7e5667
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2514561
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
| |
Currently this trap initiated function will not save the original return
value of the script. Save it and return it on exit.
BUG=chromium:1141907
TEST=unittest and manually on a signer
BRANCH=None
Signed-off-by: George Engelbrecht <engeg@google.com>
Change-Id: Icd807f4d153e4bcc1d309fbcea43c2b3344771ca
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2514560
Reviewed-by: Sean McAllister <smcallis@google.com>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
| |
BUG=chromium:1141907
TEST=unit tests and manual signing run
Signed-off-by: George Engelbrecht <engeg@google.com>
BRANCH=none
Change-Id: I0316f464e138dea9e77b2554a3b31250e8b92c07
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2514559
Reviewed-by: Sean McAllister <smcallis@google.com>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: George Engelbrecht <engeg@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
| |
BUG=chromium:1141907
TEST=unit tests and manual signing run
Signed-off-by: George Engelbrecht <engeg@google.com>
BRANCH=none
Change-Id: I39b133ca69e717576140b418fc59dd167f068d59
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2514558
Reviewed-by: Sean McAllister <smcallis@google.com>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: George Engelbrecht <engeg@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
| |
Eval will terminate the shell on non-zero error code.
"POSIX says that an error in a special built-in utility
(such as eval) should cause the non-interactive shell to terminate"
This is the case and is causing cleanup to terminate android signing
with a non-zero error when it is clear the intent (given the set +e) is
that we should be best effort here.
BUG=chromium:1141907
TEST=unittest and manually on a signer
Change-Id: Ie6374b292c7982371d549b919b44328ea71a09dd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2513228
Reviewed-by: George Engelbrecht <engeg@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
| |
We've moved to applying a file based set of selinux policies instead of
taking the ones that were snagged from the image. Remove the policy
attributes and let unsquash do whatever it would do by default.
See https://chat.google.com/room/AAAA45hbdCQ/jkXYe7jMEDk.
BUG=chromium:1141907
TEST=unittests
Change-Id: I0a976fb216e0a07c00c4bb2fb68df6fa1ea00d79
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2511121
Reviewed-by: Yury Khmel <khmel@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Yury Khmel <khmel@google.com>
Commit-Queue: George Engelbrecht <engeg@google.com>
Commit-Queue: Yury Khmel <khmel@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
Auto-Submit: George Engelbrecht <engeg@google.com>
| |
We're getting silent errors in here somewhere.
BRANCH=none
BUG=chromium:1141907
TEST=none
Change-Id: I9af0a3ea1696920fe67c915660f82a68c1bddf34
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2504358
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: LaMont Jones <lamontjones@chromium.org>
Tested-by: LaMont Jones <lamontjones@chromium.org>
| |
This follows steps we have in build image phase to have parity in image
packing.
* Discard reapply selinux context. This looks not needed once
re-signing should not change selinux context. Instead we could do
similar to build image, pass file context to mksquashfs
* Apply mksquashfs params based on image type, container/vm. This
fixes proper block size and image compression algorithm
* Remove old image before packing to prevent mksquashfs merge attempt
BUG=b:170400225
BUG=b:170220295
BUG=b:170219920
BRANCH=none
TEST=locally signed vm (kohaku) and container (hana): arc.Optin*,
arc.Preopt*. Also checked final image size. With this CL it is
reduced to 150Mb(vm) and very close to original image size
(delta is less than 0.1%)
Signed-off-by: Yury Khmel <khmel@chromium.org>
Change-Id: I7037bea68fc2969345a8fabc3c6a9b9b690f02d1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2462005
Reviewed-by: Yusuke Sato <yusukes@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Tested-by: Yury Khmel <khmel@google.com>
Auto-Submit: Yury Khmel <khmel@google.com>
Commit-Queue: Yury Khmel <khmel@google.com>
| |
BUG=b:170156734
BRANCH=none
TEST=sign rvc-arc image
Signed-off-by: Victor HSieh <victorhsieh@chromium.org>
Change-Id: I99fc4eb19be6cc785297e223a6603c1d777c5c77
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2458789
Reviewed-by: Yury Khmel <khmel@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
| |
BUG=b:170156734
TEST=run signing script locally
BRANCH=None
Signed-off-by: Victor HSieh <victorhsieh@chromium.org>
Change-Id: I4f045729241b479b56fef5687b721b5b59c2eed8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2450551
Reviewed-by: George Engelbrecht <engeg@google.com>
| |
This supports new set of certificates plat_mac_permissions.xml and adds
handling media and network_stack certificates.
BRANCH=none
BUG=b:169458218
TEST=Sign test image from goldeneye per instructions in bug, deploy
it to device (kohaku) pass tast.arc.Optin.vm test
Signed-off-by: Yury Khmel <khmel@chromium.org>
Change-Id: I61c4e327eaa605ed60c0c80b3598c0f4fb6e5f5f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2447430
Tested-by: Yury Khmel <khmel@google.com>
Auto-Submit: Yury Khmel <khmel@google.com>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Yury Khmel <khmel@google.com>
| |
Discovered by CL:2353632, the regular expression for extracting rootfs
partition should include non-digit character first otherwise we won't
get correct number when the partition number is longer than one digit
(e.g., >=10).
BUG=None
TEST=./make_dev_ssd.sh
BRANCH=none
Change-Id: I155e04beec47c55df4d09cb78168ab0a7407c697
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353776
Reviewed-by: Kuang-che Wu <kcwu@chromium.org>
| |
The signer uses BLOCKLIST instead of DENYLIST. This patch makes the
language match.
BUG=b:163883397
BRANCH=None
TEST=egrep -i -I -r "deny.*list"
TEST=make runtests
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: I47c913eb2ca89cd3eea4ca3ff5f1accb223ba418
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2401968
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
Built on FreeBSD 12.1-RELEASE, 13-CURRENT, using gcc9 installed from
packages.
Change-Id: Ifa8bb343c7e916c1b545cf6c1e4bd0a18ea391cd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2382790
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Julius Werner <jwerner@chromium.org>
| |
This script will sign the psp_verstage.bin file and modify the fields as required.
BUG=b:166095736
TEST=create verstage signed with test key.
Change-Id: I234d7902f950a60a816dd5f4d46d3d5afd105489
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2390825
Tested-by: Martin Roth <martinroth@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Martin Roth <martinroth@google.com>
| |
We want to separate the stages of creating the key & using the key as
our HSM tools use different commands for these.
This also means we no longer need a passphrase at all.
BUG=b:166095736
TEST=ran script before & after and made sure output (largely) looked the same
BRANCH=None
Change-Id: Id488789f83c21ffb6263489e3c22531878ceb1f2
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2391219
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
| |
This script is based on previous key generation scripts and on the
AMD document describing their recommendations.
BUG=b:166095736
TEST=Generate keys of different sizes with different passphrases in
various directories.
Change-Id: I76a31f5d592d233282c145a9a4ce5220a2d597d8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2380612
Tested-by: Martin Roth <martinroth@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
Google is working to change its source code to use more inclusive
language. To that end, replace the term "blacklist" & "whitelist"
with inclusive alternatives.
chrome-internal:3214766, chrome-internal:3214767, chrome-internal:3214831
will be checked in separately. They refer to a pinned vboot_reference.
So, this patch won't affect the signer until the pin is moved.
BUG=b:163883397
BRANCH=None
TEST=grep -ir "white*list"
TEST=grep -ir "black*list"
TEST=make runtests
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: Iff98b55713b3c7381ba092ff14b50141b8422cf2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353421
Reviewed-by: Julius Werner <jwerner@chromium.org>
| |
Google is working to change its source code to use more inclusive
language. To that end, replace the term "sanity" with inclusive
alternatives.
BUG=b:163883397
BRANCH=None
TEST=grep -ir sanity
TEST=make runtests
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: I708a044d89050c442f14fb11a8ae5e98490d56af
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353420
Reviewed-by: Julius Werner <jwerner@chromium.org>
| |
Apparently the file android_file_contexts has a different name for ARCVM
with _vm suffix. Choose _vm if the container one is not found.
BUG=b:161828692
TEST=sign_official_build.sh base recovery_image.bin mykey signed.bin
BRANCH=none
Signed-off-by: Victor Hsieh <victorhsieh@chromium.org>
Change-Id: I8a93d8e1dd5b824f319d7de804f8f74825166a97
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2323647
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
This was only used by smaug which went EOL a while ago and we've
already deleted supporting logic.
BUG=None
TEST=CQ passes
BRANCH=None
Change-Id: Ia639c7da3c70c62ee102f11d510ffaa928ab244a
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2309221
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Joel Kitching <kitching@chromium.org>
| |
BUG=b:161828692
TEST=sign_official_build.sh base recovery_image.bin mykey signed.bin
TEST=sign_android_unittests.sh
BRANCH=none
Signed-off-by: Victor Hsieh <victorhsieh@chromium.org>
Change-Id: I158cd0c23198ffe8773b5882ba214b3ca4d26cae
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2310758
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
...also inflate my personal CL stats.
BUG=None
TEST=None
BRANCH=master
Signed-off-by: George Engelbrecht <engeg@chromium.org>
Change-Id: I4af2d8b2aa42b4e6d4d4ea36a6ca73a340aa4814
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2220336
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: George Engelbrecht <engeg@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
Auto-Submit: George Engelbrecht <engeg@google.com>
| |
This follows the logic introduced in crrev.com/i/2523754
BUG=b:148229706
TEST= ./sign_official_build.sh usb source_image \
~/trunk/src/platform/vboot_reference/tests/devkeys out_image
BRANCH=None
Cq-Depend: chrome-internal:3022044
Signed-off-by: Yury Khmel <khmel@google.com>
Change-Id: I5398a9ea2984f0be11cb512f845507309d5f8f8e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210771
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
This script was added in CL:2618.
There are no references to it, and I can't find any evidence to it being
documented anywhere or anyone using it.
Let's remove it to see if anyone uses it.
BUG=chromium:1083510
BRANCH=none
TEST=emerge vboot_reference
Change-Id: I6c307d3b9f7ee4c12153baf5fcd97c98badefe7b
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2212646
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
No references to this. From commit history looks to be something
Mario-only?
Remove it and let's see where that goes...
BUG=chromium:1085310
BRANCH=none
TEST=emerge vboot_reference
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Change-Id: I7621d4673a09b85f59cdc69de1652e0b72ca1862
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2211957
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
Looks like an old script from Mario. Won't run on modern chromebooks
anyway.
Not installed on any devices.
BUG=chromium:1084003,chromium:1085310
BRANCH=none
TEST=emerge vboot_reference
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Change-Id: I4b68183bc9bc943f273630cf12c52801a74df5be
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210762
Reviewed-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
| |
Looks like this was an old script meant to be run on Mario. It's
currently installed in the SDK only (not on the DUT), where it won't
even operate anyway.
I can't find any references to the script, aside from some old Mario
documentation.
BUG=chromium:1084003,chromium:1085310
BRANCH=none
TEST=emerge vboot_reference
Change-Id: I0b0bd22912170e62390e7ee1a62ef466b2ea1a7c
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210761
Reviewed-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
get_gbb_flags.sh outputs incorrect information because the hex number is not
parsed correctly.
BUG=none
TEST=Manual
BRANCH=none
Change-Id: Ie6428a5c50d48ae5d732b31d7a8e7b314653c2d9
Signed-off-by: Rob Barnes <robbarnes@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2108286
Reviewed-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
Commit-Queue: Jack Rosenthal <jrosenth@chromium.org>
| |
On Pi, the target name is sdk_cheets instead of sdk_google_cheets
BUG=chromium:1057649
TEST=./sign_android_unittests.sh
BRANCH=none
Change-Id: Ic4e5123687eee7fc9f6c0640b7b9455f180dff6e
Signed-off-by: Lepton Wu <lepton@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2083836
Reviewed-by: Nicolas Norvez <norvez@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
| |
wpsw_boot is being deprecated, so just use wpsw_cur.
BUG=b:124141368, chromium:950273
TEST=make clean && make runtests
BRANCH=none
Change-Id: Iae63b2a76b19629a9ecd9b87e5dd6367767860b3
Cq-Depend: chromium:2066154, chromium:2068241, chromium:2068209
Cq-Depend: chromium:2068297, chromium:2067229, chromium:2067231
Cq-Depend: chromium:2068242
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2066192
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
| |
We don't use this anywhere as we've only ever generated one key so
far. But we never wrote this down, so this is more documentation.
BUG=None
TEST=ran the code manually
BRANCH=None
Change-Id: Ia9a318c686b1ad7ab1de31899b49ce73a4d5ad9f
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1947554
Reviewed-by: George Engelbrecht <engeg@google.com>
| |
Rename GBB flag FAFT_KEY_OVERRIDE to RUNNING_FAFT.
Add a comment to clarify its use.
BUG=b:124141368, chromium:965914
TEST=make clean && make runtests
BRANCH=none
Change-Id: Ib90de7a0d22b39898fc84be8c16ff34ea1d3b504
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1977902
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
| |
All devices which have a PD chip running CrOS EC code have already shipped,
and there is no intention to go back to using an "EC" for a TCPC anymore.
BUG=b:143762298,chromium:1017093
BRANCH=none
TEST=make runtests
Change-Id: I177c00581089de59e4f35608b97ef5432e8b492b
Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1895712
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Joel Kitching <kitching@chromium.org>
| |
This patch adds checks necessary before various types of images
signing could proceed.
The checks include verifying that Board ID flags and major version
number match the image type.
Also, manifest modification for node locked images is enhanced by
setting the least significant bit of the tag field to one. This will
ensure that the prod key ladder is not available to node locked images
even though they are signed with a prod key.
BRANCH=none
BUG=b:74100307
TEST=verified various cases by manually editing prod.json and
signing_instructions.sh and observing results: either error
messages or successful modification of the manifest and signing.
Change-Id: I0bc4a8acae1ca4e983999fd47e515c48786ded6c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1894848
| |
Node locked images signed by the builder will have to come from the
factory branch and have version of 0.3.22.
Signing manifest will be processed to insert Device ID values, remove
Board ID values and set the top bit of config1.
BRANCH=none
BUG=b:74100307
TEST=ran the script manually with proper input and verified that
manifest is processed as expected.
Change-Id: Ib8cbe0f1ae31e79c3228a662c02231caeb901adc
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1880572
Tested-by: George Engelbrecht <engeg@google.com>
Reviewed-by: Ned Nguyen <nednguyen@google.com>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: George Engelbrecht <engeg@google.com>
| |
BRANCH=None
BUG=None
TEST=None
Change-Id: I6e10fd839e256454ce3671228116d8c3a9ec6092
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1888274
Tested-by: LaMont Jones <lamontjones@chromium.org>
Tested-by: George Engelbrecht <engeg@google.com>
Auto-Submit: LaMont Jones <lamontjones@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: George Engelbrecht <engeg@google.com>
| |
No platforms support vpd in mosys anymore, so this will always
fail. Drop the warning message and let the user extract it from the
BIOS backup if they need.
BUG=chromium:990438
BRANCH=none
TEST=verified no platform offers cmd_vpd in mosys
Change-Id: I5550724f13120202775245cfd252c988edd5b21f
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1881473
Reviewed-by: Mike Frysinger <vapier@chromium.org>
| |
Standardize on inconsistency between "keyblock" and "key block"
both in code, comments, and textual output.
BUG=b:124141368, chromium:968464
TEST=make clean && make runtests
BRANCH=none
Change-Id: Ib8819a2426c1179286663f21f0d254f3de9d94a4
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1786385
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Joel Kitching <kitching@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
| |
Also standardize on using hex for printing ASCII key values
across vboot_ui.c and vboot_ui_menu.c.
BUG=b:124141368
TEST=make clean && make runtests
BRANCH=none
Change-Id: Ib10288d95e29c248ebe807d99108aea75775b155
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1840191
Reviewed-by: Joel Kitching <kitching@chromium.org>
Tested-by: Joel Kitching <kitching@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
| |
We're dropping this from the signer, so drop it from here too.
Nothing else has referred to it.
BUG=None
TEST=CQ passes
BRANCH=None
Change-Id: I855ef036b620082ec98af7aac8ea330ae472435a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1814697
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>