We've moved to applying a file based set of selinux policies instead of
taking the ones that were snagged from the image. Remove the policy
attributes and let unsquash do whatever it would do by default.
See https://chat.google.com/room/AAAA45hbdCQ/jkXYe7jMEDk.
BUG=chromium:1141907
TEST=unittests
Change-Id: I0a976fb216e0a07c00c4bb2fb68df6fa1ea00d79
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2511121
Reviewed-by: Yury Khmel <khmel@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Yury Khmel <khmel@google.com>
Commit-Queue: George Engelbrecht <engeg@google.com>
Commit-Queue: Yury Khmel <khmel@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
Auto-Submit: George Engelbrecht <engeg@google.com>
We're getting silent errors in here somewhere.
BRANCH=none
BUG=chromium:1141907
TEST=none
Change-Id: I9af0a3ea1696920fe67c915660f82a68c1bddf34
Signed-off-by: Brian Norris <briannorris@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2504358
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: LaMont Jones <lamontjones@chromium.org>
Tested-by: LaMont Jones <lamontjones@chromium.org>
This follows steps we have in build image phase to have parity in image
packing.
* Discard reapply selinux context. This looks not needed once
  re-signing should not change selinux context. Instead we could do
  similar to build image, pass file context to mksquashfs
* Apply mksquashfs params based on image type, container/vm. This
  fixes proper block size and image compression algorithm
* Remove old image before packing to prevent mksquashfs merge attempt
BUG=b:170400225
BUG=b:170220295
BUG=b:170219920
BRANCH=none
TEST=locally signed vm (kohaku) and container (hana): arc.Optin*,
arc.Preopt*. Also checked final image size. With this CL it is
reduced to 150Mb(vm) and very close to original image size
(delta is less than 0.1%)
Signed-off-by: Yury Khmel <khmel@chromium.org>
Change-Id: I7037bea68fc2969345a8fabc3c6a9b9b690f02d1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2462005
Reviewed-by: Yusuke Sato <yusukes@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Tested-by: Yury Khmel <khmel@google.com>
Auto-Submit: Yury Khmel <khmel@google.com>
Commit-Queue: Yury Khmel <khmel@google.com>
BUG=b:170156734
BRANCH=none
TEST=sign rvc-arc image
Signed-off-by: Victor HSieh <victorhsieh@chromium.org>
Change-Id: I99fc4eb19be6cc785297e223a6603c1d777c5c77
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2458789
Reviewed-by: Yury Khmel <khmel@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
BUG=b:170156734
TEST=run signing script locally
BRANCH=None
Signed-off-by: Victor HSieh <victorhsieh@chromium.org>
Change-Id: I4f045729241b479b56fef5687b721b5b59c2eed8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2450551
Reviewed-by: George Engelbrecht <engeg@google.com>
This supports new set of certificates plat_mac_permissions.xml and adds
handling media and network_stack certificates.
BRANCH=none
BUG=b:169458218
TEST=Sign test image from goldeneye per instructions in bug, deploy
it to device (kohaku) pass tast.arc.Optin.vm test
Signed-off-by: Yury Khmel <khmel@chromium.org>
Change-Id: I61c4e327eaa605ed60c0c80b3598c0f4fb6e5f5f
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2447430
Tested-by: Yury Khmel <khmel@google.com>
Auto-Submit: Yury Khmel <khmel@google.com>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Yury Khmel <khmel@google.com>
Discovered by CL:2353632, the regular expression for extracting rootfs
partition should include non-digit character first otherwise we won't
get correct number when the partition number is longer than one digit
(e.g., >=10).
BUG=None
TEST=./make_dev_ssd.sh
BRANCH=none
Change-Id: I155e04beec47c55df4d09cb78168ab0a7407c697
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353776
Reviewed-by: Kuang-che Wu <kcwu@chromium.org>
The signer uses BLOCKLIST instead of DENYLIST. This patch makes the
language match.
BUG=b:163883397
BRANCH=None
TEST=egrep -i -I -r "deny.*list"
TEST=make runtests
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: I47c913eb2ca89cd3eea4ca3ff5f1accb223ba418
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2401968
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Built on FreeBSD 12.1-RELEASE, 13-CURRENT, using gcc9 installed from
packages.
Change-Id: Ifa8bb343c7e916c1b545cf6c1e4bd0a18ea391cd
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2382790
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Julius Werner <jwerner@chromium.org>
This script will sign the psp_veratage.bin file and modify the fields as required.
BUG=b:166095736
TEST=create verstage signed with test key.
Change-Id: I234d7902f950a60a816dd5f4d46d3d5afd105489
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2390825
Tested-by: Martin Roth <martinroth@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Martin Roth <martinroth@google.com>
We want to separate the stages of creating the key & using the key as
our HSM tools use different commands for these.
This also means we no longer need a passphrase at all.
BUG=b:166095736
TEST=ran script before & after and made sure output (largely) looked the same
BRANCH=None
Change-Id: Id488789f83c21ffb6263489e3c22531878ceb1f2
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2391219
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
This script is based on previous key generation scripts and on the
AMD document describing their recommendations.
BUG=b:166095736
TEST=Generate keys of different sizes with different passphrases in
various directories.
Change-Id: I76a31f5d592d233282c145a9a4ce5220a2d597d8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2380612
Tested-by: Martin Roth <martinroth@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Google is working to change its source code to use more inclusive
language. To that end, replace the term "blacklist" & "whitelist"
with inclusive alternatives.
chrome-internal:3214766, chrome-internal:3214767, chrome-internal:3214831
will be checked in separately. They refer to a pinned vboot_reference.
So, this patch won't affect the signer until the pin is moved.
BUG=b:163883397
BRANCH=None
TEST=grep -ir "white*list"
TEST=grep -ir "black*list"
TEST=make runtests
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: Iff98b55713b3c7381ba092ff14b50141b8422cf2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353421
Reviewed-by: Julius Werner <jwerner@chromium.org>
Google is working to change its source code to use more inclusive
language. To that end, replace the term "sanity" with inclusive
alternatives.
BUG=b:163883397
BRANCH=None
TEST=grep -ir sanity
TEST=make runtests
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: I708a044d89050c442f14fb11a8ae5e98490d56af
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353420
Reviewed-by: Julius Werner <jwerner@chromium.org>
Apparently the file android_file_contexts has a different name for ARCVM
with _vm suffix. Choose _vm if the container one is not found.
BUG=b:161828692
TEST=sign_official_build.sh base recovery_image.bin mykey signed.bin
BRANCH=none
Signed-off-by: Victor Hsieh <victorhsieh@chromium.org>
Change-Id: I8a93d8e1dd5b824f319d7de804f8f74825166a97
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2323647
Reviewed-by: Mike Frysinger <vapier@chromium.org>
This was only used by smaug which went EOL a while ago and we've
already deleted supporting logic.
BUG=None
TEST=CQ passes
BRANCH=None
Change-Id: Ia639c7da3c70c62ee102f11d510ffaa928ab244a
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2309221
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Joel Kitching <kitching@chromium.org>
BUG=b:161828692
TEST=sign_official_build.sh base recovery_image.bin mykey signed.bin
TEST=sign_android_unittests.sh
BRANCH=none
Signed-off-by: Victor Hsieh <victorhsieh@chromium.org>
Change-Id: I158cd0c23198ffe8773b5882ba214b3ca4d26cae
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2310758
Reviewed-by: Mike Frysinger <vapier@chromium.org>
...also inflate my personal CL stats.
BUG=None
TEST=None
BRANCH=master
Signed-off-by: George Engelbrecht <engeg@chromium.org>
Change-Id: I4af2d8b2aa42b4e6d4d4ea36a6ca73a340aa4814
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2220336
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: George Engelbrecht <engeg@google.com>
Tested-by: George Engelbrecht <engeg@google.com>
Auto-Submit: George Engelbrecht <engeg@google.com>
This follows the logic introduced in crrev.com/i/2523754
BUG=b:148229706
TEST= ./sign_official_build.sh usb source_image \
~/trunk/src/platform/vboot_reference/tests/devkeys out_image
BRANCH=None
Cq-Depend: chrome-internal:3022044
Signed-off-by: Yury Khmel <khmel@google.com>
Change-Id: I5398a9ea2984f0be11cb512f845507309d5f8f8e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210771
Reviewed-by: Mike Frysinger <vapier@chromium.org>
This script was added in CL:2618.
There's no references to it, and I can't find any evidence to it being
documented anywhere or anyone using it.
Let's remove it to see if anyone uses it.
BUG=chromium:1083510
BRANCH=none
TEST=emerge vboot_reference
Change-Id: I6c307d3b9f7ee4c12153baf5fcd97c98badefe7b
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2212646
Reviewed-by: Mike Frysinger <vapier@chromium.org>
No references to this. From commit history looks to be something
Mario-only?
Remove it and let's see where that goes...
BUG=chromium:1085310
BRANCH=none
TEST=emerge vboot_reference
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Change-Id: I7621d4673a09b85f59cdc69de1652e0b72ca1862
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2211957
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Looks like an old script from Mario. Won't run on modern chromebooks
anyway.
Not installed on any devices.
BUG=chromium:1084003,chromium:1085310
BRANCH=none
TEST=emerge vboot_reference
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Change-Id: I4b68183bc9bc943f273630cf12c52801a74df5be
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210762
Reviewed-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Looks like this was an old script meant to be run on Mario. It's
currently installed in the SDK only (not on the DUT), where it won't
even operate anyway.
I can't find any references to the script, aside from some old Mario
documentation.
BUG=chromium:1084003,chromium:1085310
BRANCH=none
TEST=emerge vboot_reference
Change-Id: I0b0bd22912170e62390e7ee1a62ef466b2ea1a7c
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210761
Reviewed-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
get_gbb_flags.sh outputs incorrect information because the hex number is not
parsed correctly.
BUG=none
TEST=Manual
BRANCH=none
Change-Id: Ie6428a5c50d48ae5d732b31d7a8e7b314653c2d9
Signed-off-by: Rob Barnes <robbarnes@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2108286
Reviewed-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
Commit-Queue: Jack Rosenthal <jrosenth@chromium.org>
On Pi, the target name is sdk_cheets instead of sdk_google_cheets
BUG=chromium:1057649
TEST=./sign_android_unittests.sh
BRANCH=none
Change-Id: Ic4e5123687eee7fc9f6c0640b7b9455f180dff6e
Signed-off-by: Lepton Wu <lepton@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2083836
Reviewed-by: Nicolas Norvez <norvez@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
wpsw_boot is being deprecated, so just use wpsw_cur.
BUG=b:124141368, chromium:950273
TEST=make clean && make runtests
BRANCH=none
Change-Id: Iae63b2a76b19629a9ecd9b87e5dd6367767860b3
Cq-Depend: chromium:2066154, chromium:2068241, chromium:2068209
Cq-Depend: chromium:2068297, chromium:2067229, chromium:2067231
Cq-Depend: chromium:2068242
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2066192
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
We don't use this anywhere as we've only ever generated one key so
far. But we never wrote this down, so this is more documentation.
BUG=None
TEST=ran the code manually
BRANCH=None
Change-Id: Ia9a318c686b1ad7ab1de31899b49ce73a4d5ad9f
Signed-off-by: Mike Frysinger <vapier@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1947554
Reviewed-by: George Engelbrecht <engeg@google.com>
Rename GBB flag FAFT_KEY_OVERRIDE to RUNNING_FAFT.
Add a comment to clarify its use.
BUG=b:124141368, chromium:965914
TEST=make clean && make runtests
BRANCH=none
Change-Id: Ib90de7a0d22b39898fc84be8c16ff34ea1d3b504
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1977902
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
All devices which have a PD chip running CrOS EC code have already shipped,
and there is no intention to go back to using an "EC" for a TCPC anymore.
BUG=b:143762298,chromium:1017093
BRANCH=none
TEST=make runtests
Change-Id: I177c00581089de59e4f35608b97ef5432e8b492b
Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1895712
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Joel Kitching <kitching@chromium.org>
This patch adds checks necessary before various types of images
signing could proceed.
The checks include verifying that Board ID flags and major version
number match the image type.
Also, manifest modification for node locked images is enhanced by
setting the least significant bit of the tag field to one. This will
ensure that the prod key ladder is not available to node locked images
even though they are signed with a prod key.
BRANCH=none
BUG=b:74100307
TEST=verified various cases by manually editing prod.json and
signing_instructions.sh and observing results: either error
messages or successful modification of the manifest and signing.
Change-Id: I0bc4a8acae1ca4e983999fd47e515c48786ded6c
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1894848
Node locked images signed by the builder will have to come from the
factory branch and have version of 0.3.22.
Signing manifest will be processed to insert Device ID values, remove
Board ID values and set the top bit of config1.
BRANCH=none
BUG=b:74100307
TEST=ran the script manually with proper input and verified that
manifest is processed as expected.
Change-Id: Ib8cbe0f1ae31e79c3228a662c02231caeb901adc
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1880572
Tested-by: George Engelbrecht <engeg@google.com>
Reviewed-by: Ned Nguyen <nednguyen@google.com>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: George Engelbrecht <engeg@google.com>
BRANCH=None
BUG=None
TEST=None
Change-Id: I6e10fd839e256454ce3671228116d8c3a9ec6092
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1888274
Tested-by: LaMont Jones <lamontjones@chromium.org>
Tested-by: George Engelbrecht <engeg@google.com>
Auto-Submit: LaMont Jones <lamontjones@chromium.org>
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: George Engelbrecht <engeg@google.com>
No platforms support vpd in mosys anymore, so this will always
fail. Drop the warning message and let the user extract it from the
BIOS backup if they need.
BUG=chromium:990438
BRANCH=none
TEST=verified no platform offers cmd_vpd in mosys
Change-Id: I5550724f13120202775245cfd252c988edd5b21f
Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1881473
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Standardize on inconsistency between "keyblock" and "key block"
both in code, comments, and textual output.
BUG=b:124141368, chromium:968464
TEST=make clean && make runtests
BRANCH=none
Change-Id: Ib8819a2426c1179286663f21f0d254f3de9d94a4
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1786385
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Joel Kitching <kitching@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
Also standardize on using hex for printing ASCII key values
across vboot_ui.c and vboot_ui_menu.c.
BUG=b:124141368
TEST=make clean && make runtests
BRANCH=none
Change-Id: Ib10288d95e29c248ebe807d99108aea75775b155
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1840191
Reviewed-by: Joel Kitching <kitching@chromium.org>
Tested-by: Joel Kitching <kitching@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
We're dropping this from the signer, so drop it from here too.
Nothing else has referred to it.
BUG=None
TEST=CQ passes
BRANCH=None
Change-Id: I855ef036b620082ec98af7aac8ea330ae472435a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1814697
Reviewed-by: George Engelbrecht <engeg@google.com>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Allow MP images to be signed. Also, the manifest file name changed.
BRANCH=none
BUG=b:74100307
TEST=manual
Change-Id: Ia6b4724ceea2b7a18a2caecea7142d1b6ebfaa13
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1791816
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: LaMont Jones <lamontjones@chromium.org>
Tested-by: LaMont Jones <lamontjones@chromium.org>
Auto-Submit: LaMont Jones <lamontjones@chromium.org>
BUG=b:124141368, chromium:995172
TEST=make clean && make runtests
BRANCH=none
Change-Id: I42e4ac8a21ac3be416d315a8a8cc914f997bab79
Signed-off-by: Joel Kitching <kitching@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1758148
Reviewed-by: Julius Werner <jwerner@chromium.org>
Tested-by: Joel Kitching <kitching@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>
We deleted the script the oci-container target needs,
so remove some remaining dead references.
BUG=chromium:976916
TEST=signing image w/key deletes it, and signing image w/out key passes
BRANCH=None
Change-Id: I54624a1241a7b7326a746514aa32644fd94ec525
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1762462
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
The way the sed logic was written we allowed invalid sed expressions
to count as "pass". This is because we use "no output" as the signal
that the command line option is OK (since the sed script deleted it),
but it meant that invalid sed scripts produced no output too. Add an
explicit exit status check to make sure invalid scripts fail.
BUG=chromium:991590
TEST=`./image_signing/ensure_secure_kernelparams.sh ./coral-12439.0.0-recovery.bin .../cros-signing/security_test_baselines/ensure_secure_kernelparams.config` produces no errors
BRANCH=None
Change-Id: I1de3ada7e44c49f97ecc40824d98cca9291ab7e6
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1762459
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
We never released this feature and we've dropped the logic from newer
releases. Purge the signing logic of references to the key. We still
need to delete the key in case we're signing an older release branch.
BUG=chromium:976916
TEST=signing image w/key deletes it, and signing image w/out key passes
BRANCH=None
Change-Id: I82b8a4dab5f68e01c54281afd4817eea3dd359ff
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1742692
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
We're updating the algorithm for this so the signing scripts have to
support it as well. Since we're running ToT signing scripts on older
images as well, determine the hash algorithm used in the image by
checking its length (40 hex digits for SHA1, 64 for SHA256).
BRANCH=None
BUG=b:137576540
TEST=$(sign_official_build.sh recovery recovery_image.bin
/tmp/scratch/mykeys/ resigned_image.bin) -- used futility to confirm
that new image kern_b_hash matches new image KERN-B and uses the
expected algorithm (tried with both SHA1 and SHA256)
Cq-Depend: chromium:1706624
Change-Id: Ie1a62ad1fd4fbf141cc1c32d592b863f2d43a24e
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1707529
Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Adding --absolute-names to getfattr to let getfattr not to remove
the leading slash, and not to print the warning to stderr.
BUG=chromium:954670
TEST=set_lsb_release.sh xx.bin a b
TEST=`getfattr: Removing leading '/' from absolute path names` not printed
BRANCH=none
Change-Id: I6273151713612746443d5d68a8df530f1146a4a2
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1712890
Tested-by: Qijiang Fan <fqj@google.com>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: Qijiang Fan <fqj@google.com>
BUG=chromium:985940
TEST=None
BRANCH=none
Change-Id: I844074e28a9cf2384bb7dc1593de7d7e01622457
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1710989
Tested-by: LaMont Jones <lamontjones@chromium.org>
Auto-Submit: LaMont Jones <lamontjones@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
We migrated away from this in 2012, so drop the alias. Any devices
made around that time won't need new factory images either.
BUG=None
TEST=None
BRANCH=None
Change-Id: I72a155d6c4c241781ec07b2ebb9a2393f8470a08
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1679436
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
I was following the advice given in these examples and saw:
# flashrom -p bios -w /mnt/stateful_partition/backups/bios_SAMUS_TEST_8028_20190628_100324.fd
flashrom v0.9.9 : cc7cca2 : Jun 15 2019 04:36:54 UTC on Linux 4.14.129 (x86_64)
Error: Unknown programmer bios.
Please run "flashrom --help" for usage info.
As you can see in flashrom_bios() in that same file, the "programmer"
argument in flashrom that you need to flash the BIOS is "host" not
"bios":
# flashrom -p host -w /tmp/bios_SAMUS_TEST_8028_20190628_100324.fd
flashrom v0.9.9 : 2d00129 : Jun 27 2019 15:16:55 UTC on Linux 4.14.129 (x86_64)
flashrom v0.9.9 : 2d00129 : Jun 27 2019 15:16:55 UTC on Linux 4.14.129 (x86_64)
Calibrating delay loop... OK.
coreboot table found at 0x7ce3a000.
...
Erasing and writing flash chip... SUCCESS
BUG=none
TEST=successfully flashed a backup BIOS image using flashrom
BRANCH=none
Change-Id: Ib1e10c1e06ad84714853953702328c4f4dadebe7
Signed-off-by: Ross Zwisler <zwisler@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1685859
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Commit-Queue: Hung-Te Lin <hungte@chromium.org>
We are leaving the --4k options since they are (now) no-ops, and
existing users of the script may be passing them. Since they are the
default, we want to discourage their use, so they are not documented.
BUG=b:135130152
TEST=Unit tests pass
BRANCH=None
Change-Id: I1d73496f45ac0e04657149d438434a33e0e8569b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1680641
Tested-by: LaMont Jones <lamontjones@chromium.org>
Commit-Queue: LaMont Jones <lamontjones@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Auto-Submit: LaMont Jones <lamontjones@chromium.org>
BUG=None
TEST=manually verified.
BRANCH=None
Change-Id: I65467d56409bcf608e9c59aa0759e820d11507ed
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1667537
Tested-by: LaMont Jones <lamontjones@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: LaMont Jones <lamontjones@chromium.org>
For set_lsb_release.sh called without parameter, it doesn't modify
anything in the image, and mount the image ro. Thus setfattr to
ensure security.selinux xattr will fail with Read-only filesystem,
and is not necessary since nothing has been modified.
BUG=chromium:954670
TEST=set_lsb_release.sh xx.bin a b
TEST=set_lsb_release.sh xx.bin
BRANCH=none
Change-Id: I32bf61796c2b60d18e4e62cc43f2d0e9dc75cef5
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1666516
Tested-by: Qijiang Fan <fqj@google.com>
Commit-Queue: LaMont Jones <lamontjones@chromium.org>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>
After every invocation to set_lsb_release.sh, make sure /etc/lsb-release
in $rootfs has the expected SELinux security context stored at
security.selinux extended attribute.
BRANCH=none
BUG=chromium:954670
TEST=set-lsb_release.sh chromium_test_image.bin a b
Change-Id: I541493d8ad3c94b16840337d807629691b1b00bb
Reviewed-on: https://chromium-review.googlesource.com/1630426
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Qijiang Fan <fqj@google.com>
Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
Reviewed-by: LaMont Jones <lamontjones@chromium.org>