path: root/scripts
Commit message | Author | Age | Files | Lines
...
* sign_android: don't use xattrs from unsquashfs | George Engelbrecht | 2020-10-30 | 1 | -2/+2
  We've moved to applying a file based set of selinux policies instead of taking the ones that were snagged from the image. Remove the policy attributes and let unsquash do whatever it would do by default. See https://chat.google.com/room/AAAA45hbdCQ/jkXYe7jMEDk.

  BUG=chromium:1141907
  TEST=unittests

  Change-Id: I0a976fb216e0a07c00c4bb2fb68df6fa1ea00d79
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2511121
  Reviewed-by: Yury Khmel <khmel@chromium.org>
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Reviewed-by: Yury Khmel <khmel@google.com>
  Commit-Queue: George Engelbrecht <engeg@google.com>
  Commit-Queue: Yury Khmel <khmel@google.com>
  Tested-by: George Engelbrecht <engeg@google.com>
  Auto-Submit: George Engelbrecht <engeg@google.com>
* sign_official_build: dump more info in resign_android_image_if_exists [stabilize-rust-13562.B] | Brian Norris | 2020-10-28 | 1 | -1/+10
  We're getting silent errors in here somewhere.

  BRANCH=none
  BUG=chromium:1141907
  TEST=none

  Change-Id: I9af0a3ea1696920fe67c915660f82a68c1bddf34
  Signed-off-by: Brian Norris <briannorris@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2504358
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
  Commit-Queue: LaMont Jones <lamontjones@chromium.org>
  Tested-by: LaMont Jones <lamontjones@chromium.org>
* signer: syncronize image packing to what we have in build image phase. | Yury Khmel | 2020-10-14 | 1 | -26/+30
  This follows steps we have in build image phase to have parity in image packing.
  * Discard reapply selinux context. This looks not needed once re-signing should not change selinux context. Instead we could do similar to build image, pass file context to mksquashfs
  * Apply mksquashfs params based on image type, container/vm. This fixes proper block size and image compression algorithm
  * Remove old image before packing to prevent mksquashfs merge attempt

  BUG=b:170400225
  BUG=b:170220295
  BUG=b:170219920
  BRANCH=none
  TEST=locally signed vm (kohaku) and container (hana): arc.Optin*, arc.Preopt*. Also checked final image size. With this CL it is reduced to 150Mb(vm) and very close to original image size (delta is less than 0.1%)

  Signed-off-by: Yury Khmel <khmel@chromium.org>
  Change-Id: I7037bea68fc2969345a8fabc3c6a9b9b690f02d1
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2462005
  Reviewed-by: Yusuke Sato <yusukes@chromium.org>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Tested-by: Yury Khmel <khmel@google.com>
  Auto-Submit: Yury Khmel <khmel@google.com>
  Commit-Queue: Yury Khmel <khmel@google.com>
* signer: resign networkstack APKs with correct key [stabilize-13525.B] [firmware-volteer-13521.B] | Victor Hsieh | 2020-10-09 | 1 | -1/+1
  BUG=b:170156734
  BRANCH=none
  TEST=sign rvc-arc image

  Signed-off-by: Victor HSieh <victorhsieh@chromium.org>
  Change-Id: I99fc4eb19be6cc785297e223a6603c1d777c5c77
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2458789
  Reviewed-by: Yury Khmel <khmel@chromium.org>
  Reviewed-by: George Engelbrecht <engeg@google.com>
* Deal with Android's new networkstack key | Victor Hsieh | 2020-10-08 | 3 | -6/+15
  BUG=b:170156734
  TEST=run signing script locally
  BRANCH=None

  Signed-off-by: Victor HSieh <victorhsieh@chromium.org>
  Change-Id: I4f045729241b479b56fef5687b721b5b59c2eed8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2450551
  Reviewed-by: George Engelbrecht <engeg@google.com>
* arc: Fix RVC signed image does not boot. [factory-test-13517.B] | Yury Khmel | 2020-10-06 | 1 | -9/+37
  This supports new set of certificates plat_mac_permissions.xml and adds handling media and network_stack certificates.

  BRANCH=none
  BUG=b:169458218
  TEST=Sign test image from goldeneye per instructions in bug, deploy it to device (kohaku) pass tast.arc.Optin.vm test

  Signed-off-by: Yury Khmel <khmel@chromium.org>
  Change-Id: I61c4e327eaa605ed60c0c80b3598c0f4fb6e5f5f
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2447430
  Tested-by: Yury Khmel <khmel@google.com>
  Auto-Submit: Yury Khmel <khmel@google.com>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Commit-Queue: Yury Khmel <khmel@google.com>
* make_dev_ssd.sh: Correct root partition regular expression | Hung-Te Lin | 2020-09-23 | 1 | -1/+1
  Discovered by CL:2353632, the regular expression for extracting rootfs partition should include non-digit character first otherwise we won't get correct number when the partition number is longer than one digit (e.g., >=10).

  BUG=None
  TEST=./make_dev_ssd.sh
  BRANCH=none

  Change-Id: I155e04beec47c55df4d09cb78168ab0a7407c697
  Signed-off-by: Hung-Te Lin <hungte@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353776
  Reviewed-by: Kuang-che Wu <kcwu@chromium.org>
* COIL: Change denylist to blocklist | Daisuke Nojiri | 2020-09-11 | 3 | -5/+5
  The signer uses BLOCKLIST instead of DENYLIST. This patch makes the language match.

  BUG=b:163883397
  BRANCH=None
  TEST=egrep -i -I -r "deny.*list"
  TEST=make runtests

  Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
  Change-Id: I47c913eb2ca89cd3eea4ca3ff5f1accb223ba418
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2401968
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* portability fixes: support building vboot on FreeBSD | Idwer Vollering | 2020-09-11 | 1 | -1/+1
  Built on FreeBSD 12.1-RELEASE, 13-CURRENT, using gcc9 installed from packages.

  Change-Id: Ifa8bb343c7e916c1b545cf6c1e4bd0a18ea391cd
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2382790
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Tested-by: Julius Werner <jwerner@chromium.org>
  Commit-Queue: Julius Werner <jwerner@chromium.org>
* Add script for signing PSP Verstage | Martin Roth | 2020-09-09 | 1 | -0/+162
  This script will sign the psp_veratage.bin file and modify the fields as required.

  BUG=b:166095736
  TEST=create verstage signed with test key.

  Change-Id: I234d7902f950a60a816dd5f4d46d3d5afd105489
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2390825
  Tested-by: Martin Roth <martinroth@google.com>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: Martin Roth <martinroth@google.com>
* keygeneration: psp verstagebl: refactor key gen & csr generation | Mike Frysinger | 2020-09-09 | 1 | -32/+70
  We want to separate the stages of creating the key & using the key as our HSM tools use different commands for these. This also means we no longer need a passphrase at all.

  BUG=b:166095736
  TEST=ran script before & after and made sure output (largely) looked the same
  BRANCH=None

  Change-Id: Id488789f83c21ffb6263489e3c22531878ceb1f2
  Signed-off-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2391219
  Reviewed-by: Furquan Shaikh <furquan@chromium.org>
* Add CSR generation script for signing PSP Verstage | Martin Roth | 2020-09-03 | 1 | -0/+103
  This script is based on previous key generation scripts and on the AMD document describing their recommendations.

  BUG=b:166095736
  TEST=Generate keys of different sizes with different passphrases in various directories.

  Change-Id: I76a31f5d592d233282c145a9a4ce5220a2d597d8
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2380612
  Tested-by: Martin Roth <martinroth@google.com>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* inclusive: change usage of blacklist/whitelist | Daisuke Nojiri | 2020-08-19 | 3 | -4/+4
  Google is working to change its source code to use more inclusive language. To that end, replace the term "blacklist" & "whitelist" with inclusive alternatives.

  chrome-internal:3214766, chrome-internal:3214767, chrome-internal:3214831 will be checked in separately. They refer to a pinned vboot_reference. So, this patch won't affect the signer until the pin is moved.

  BUG=b:163883397
  BRANCH=None
  TEST=grep -ir "white*list"
  TEST=grep -ir "black*list"
  TEST=make runtests

  Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
  Change-Id: Iff98b55713b3c7381ba092ff14b50141b8422cf2
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353421
  Reviewed-by: Julius Werner <jwerner@chromium.org>
* inclusive: change usage of sanity | Daisuke Nojiri | 2020-08-19 | 5 | -23/+24
  Google is working to change its source code to use more inclusive language. To that end, replace the term "sanity" with inclusive alternatives.

  BUG=b:163883397
  BRANCH=None
  TEST=grep -ir sanity
  TEST=make runtests

  Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
  Change-Id: I708a044d89050c442f14fb11a8ae5e98490d56af
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2353420
  Reviewed-by: Julius Werner <jwerner@chromium.org>
* sign_android_image: use ARCVM file context if needed | Victor Hsieh | 2020-07-29 | 1 | -3/+10
  Apparently the file android_file_contexts has a different name for ARCVM with _vm suffix. Choose _vm if the container one is not found.

  BUG=b:161828692
  TEST=sign_official_build.sh base recovery_image.bin mykey signed.bin
  BRANCH=none

  Signed-off-by: Victor Hsieh <victorhsieh@chromium.org>
  Change-Id: I8a93d8e1dd5b824f319d7de804f8f74825166a97
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2323647
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* image_signing: drop support for signing nvidia lp0_firmware | Mike Frysinger | 2020-07-24 | 3 | -290/+0
  This was only used by smaug which went EOL a while ago and we've already deleted supporting logic.

  BUG=None
  TEST=CQ passes
  BRANCH=None

  Change-Id: Ia639c7da3c70c62ee102f11d510ffaa928ab244a
  Signed-off-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2309221
  Reviewed-by: Furquan Shaikh <furquan@chromium.org>
  Reviewed-by: Joel Kitching <kitching@chromium.org>
* sign_official_build: accept arcvm/bertha image | Victor Hsieh | 2020-07-23 | 4 | -3/+13
  BUG=b:161828692
  TEST=sign_official_build.sh base recovery_image.bin mykey signed.bin
  TEST=sign_android_unittests.sh
  BRANCH=none

  Signed-off-by: Victor Hsieh <victorhsieh@chromium.org>
  Change-Id: I158cd0c23198ffe8773b5882ba214b3ca4d26cae
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2310758
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* trivial: fix spelling in add_loem_keys.sh | George Engelbrecht | 2020-05-29 | 1 | -1/+1
  ...also inflate my personal CL stats.

  BUG=None
  TEST=None
  BRANCH=master

  Signed-off-by: George Engelbrecht <engeg@chromium.org>
  Change-Id: I4af2d8b2aa42b4e6d4d4ea36a6ca73a340aa4814
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2220336
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: George Engelbrecht <engeg@google.com>
  Tested-by: George Engelbrecht <engeg@google.com>
  Auto-Submit: George Engelbrecht <engeg@google.com>
* image_signing: Activate file hash cache for watchlist service for signed builds. | Yury Khmel | 2020-05-27 | 1 | -1/+4
  This follows the logic introduced in crrev.com/i/2523754

  BUG=b:148229706
  TEST= ./sign_official_build.sh usb source_image \
        ~/trunk/src/platform/vboot_reference/tests/devkeys out_image
  BRANCH=None

  Cq-Depend: chrome-internal:3022044
  Signed-off-by: Yury Khmel <khmel@google.com>
  Change-Id: I5398a9ea2984f0be11cb512f845507309d5f8f8e
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210771
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* image_signing: remove firmware_boot.sh | Jack Rosenthal | 2020-05-22 | 1 | -101/+0
  This script was added in CL:2618. There's no references to it, and I can't find any evidence to it being documented anywhere or anyone using it. Let's remove it to see if anyone uses it.

  BUG=chromium:1083510
  BRANCH=none
  TEST=emerge vboot_reference

  Change-Id: I6c307d3b9f7ee4c12153baf5fcd97c98badefe7b
  Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2212646
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* image_singing: remove align_rootfs.sh | Jack Rosenthal | 2020-05-22 | 1 | -150/+0
  No references to this. From commit history looks to be something Mario-only? Remove it and let's see where that goes...

  BUG=chromium:1085310
  BRANCH=none
  TEST=emerge vboot_reference

  Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
  Change-Id: I7621d4673a09b85f59cdc69de1652e0b72ca1862
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2211957
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* image_signing: remove unpack_firmwarefd.sh script | Jack Rosenthal | 2020-05-22 | 1 | -69/+0
  Looks like an old script from Mario. Won't run on modern chromebooks anyway. Not installed on any devices.

  BUG=chromium:1084003,chromium:1085310
  BRANCH=none
  TEST=emerge vboot_reference

  Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
  Change-Id: I4b68183bc9bc943f273630cf12c52801a74df5be
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210762
  Reviewed-by: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-by: Hung-Te Lin <hungte@chromium.org>
* image_signing: remove tofactory.sh script | Jack Rosenthal | 2020-05-22 | 1 | -179/+0
  Looks like this was an old script meant to be run on Mario. It's currently installed in the SDK only (not on the DUT), where it won't even operate anyway. I can't find any references to the script, aside from some old Mario documentation.

  BUG=chromium:1084003,chromium:1085310
  BRANCH=none
  TEST=emerge vboot_reference

  Change-Id: I0b0bd22912170e62390e7ee1a62ef466b2ea1a7c
  Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2210761
  Reviewed-by: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* vboot: Fixes bug in get_gbb_flags.sh -e | Rob Barnes | 2020-03-24 | 1 | -1/+1
  get_gbb_flags.sh outputs incorrect information because the hex number is not parsed correctly.

  BUG=none
  TEST=Manual
  BRANCH=none

  Change-Id: Ie6428a5c50d48ae5d732b31d7a8e7b314653c2d9
  Signed-off-by: Rob Barnes <robbarnes@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2108286
  Reviewed-by: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
  Commit-Queue: Jack Rosenthal <jrosenth@chromium.org>
* image_signing: Add one more cheets flavor. | Lepton Wu | 2020-03-03 | 2 | -1/+5
  On Pi, the target name is sdk_cheets instead of sdk_google_cheets

  BUG=chromium:1057649
  TEST=./sign_android_unittests.sh
  BRANCH=none

  Change-Id: Ic4e5123687eee7fc9f6c0640b7b9455f180dff6e
  Signed-off-by: Lepton Wu <lepton@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2083836
  Reviewed-by: Nicolas Norvez <norvez@chromium.org>
  Reviewed-by: George Engelbrecht <engeg@google.com>
* vboot: stop using wpsw_boot and remove it from crossystem | Joel Kitching | 2020-02-27 | 1 | -1/+1
  wpsw_boot is being deprecated, so just use wpsw_cur.

  BUG=b:124141368, chromium:950273
  TEST=make clean && make runtests
  BRANCH=none

  Change-Id: Iae63b2a76b19629a9ecd9b87e5dd6367767860b3
  Cq-Depend: chromium:2066154, chromium:2068241, chromium:2068209
  Cq-Depend: chromium:2068297, chromium:2067229, chromium:2067231
  Cq-Depend: chromium:2068242
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2066192
  Tested-by: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Reviewed-by: Hung-Te Lin <hungte@chromium.org>
  Commit-Queue: Joel Kitching <kitching@chromium.org>
* keygeneration: add helper for generating update payload keys | Mike Frysinger | 2020-01-24 | 1 | -0/+8
  We don't use this anywhere as we've only ever generated one key so far. But we never wrote this down, so this is more documentation.

  BUG=None
  TEST=ran the code manually
  BRANCH=None

  Change-Id: Ia9a318c686b1ad7ab1de31899b49ce73a4d5ad9f
  Signed-off-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1947554
  Reviewed-by: George Engelbrecht <engeg@google.com>
* vboot: rename FAFT_KEY_OVERIDE and clarify its use | Joel Kitching | 2020-01-16 | 1 | -1/+1
  Rename GBB flag FAFT_KEY_OVERRIDE to RUNNING_FAFT. Add a comment to clarify its use.

  BUG=b:124141368, chromium:965914
  TEST=make clean && make runtests
  BRANCH=none

  Change-Id: Ib90de7a0d22b39898fc84be8c16ff34ea1d3b504
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1977902
  Tested-by: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Commit-Queue: Joel Kitching <kitching@chromium.org>
* EC sync: Drop support for "PD" software sync. | Tim Wawrzynczak | 2019-11-13 | 1 | -2/+2
  All devices which have a PD chip running CrOS EC code have already shipped, and there is no intention to go back to using an "EC" for a TCPC anymore.

  BUG=b:143762298,chromium:1017093
  BRANCH=none
  TEST=make runtests

  Change-Id: I177c00581089de59e4f35608b97ef5432e8b492b
  Signed-off-by: Tim Wawrzynczak <twawrzynczak@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1895712
  Tested-by: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Reviewed-by: Joel Kitching <kitching@chromium.org>
* cr50_signing: add code to sign pre-pvt, pre-release and release | Vadim Bendebury | 2019-11-02 | 1 | -33/+59
  This patch adds checks necessary before various types of images signing could proceed. The checks include verifying that Board ID flags and major version number match the image type.

  Also, manifest modification for node locked images is enhanced by setting the least significant bit of the tag field to one. This will ensure that the prod key ladder is not available to node locked images even though they are signed with a prod key.

  BRANCH=none
  BUG=b:74100307
  TEST=verified various cases by manually editing prod.json and signing_instructions.sh and observing results: either error messages or successful modification of the manifest and signing.

  Change-Id: I0bc4a8acae1ca4e983999fd47e515c48786ded6c
  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1894848
* cr50_signing: add code to process node locked images | Vadim Bendebury | 2019-10-30 | 1 | -26/+85
  Node locked images signed by the builder will have to come from the factory branch and have version of 0.3.22.

  Signing manifest will be processed to insert Device ID values, remove Board ID values and set the top bit of config1.

  BRANCH=none
  BUG=b:74100307
  TEST=ran the script manually with proper input and verified that manifest is processed as expected.

  Change-Id: Ib8cbe0f1ae31e79c3228a662c02231caeb901adc
  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1880572
  Tested-by: George Engelbrecht <engeg@google.com>
  Reviewed-by: Ned Nguyen <nednguyen@google.com>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Commit-Queue: George Engelbrecht <engeg@google.com>
* OWNERS: engeg@ is owner. | LaMont Jones | 2019-10-29 | 1 | -1/+1
  BRANCH=None
  BUG=None
  TEST=None

  Change-Id: I6e10fd839e256454ce3671228116d8c3a9ec6092
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1888274
  Tested-by: LaMont Jones <lamontjones@chromium.org>
  Tested-by: George Engelbrecht <engeg@google.com>
  Auto-Submit: LaMont Jones <lamontjones@chromium.org>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Commit-Queue: George Engelbrecht <engeg@google.com>
* tofactory.sh: remove usage of "mosys vpd" command | Jack Rosenthal | 2019-10-26 | 1 | -6/+0
  No platforms support vpd in mosys anymore, so this will always fail. Drop the warning message and let the user extract it from the BIOS backup if they need.

  BUG=chromium:990438
  BRANCH=none
  TEST=verified no platform offers cmd_vpd in mosys

  Change-Id: I5550724f13120202775245cfd252c988edd5b21f
  Signed-off-by: Jack Rosenthal <jrosenth@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1881473
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* vboot: standardize on "keyblock" as one word | Joel Kitching | 2019-10-23 | 1 | -1/+1
  Standardize on inconsistency between "keyblock" and "key block" both in code, comments, and textual output.

  BUG=b:124141368, chromium:968464
  TEST=make clean && make runtests
  BRANCH=none

  Change-Id: Ib8819a2426c1179286663f21f0d254f3de9d94a4
  Signed-off-by: Joel Kitching <kitching@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1786385
  Tested-by: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Joel Kitching <kitching@chromium.org>
  Commit-Queue: Joel Kitching <kitching@chromium.org>
* vboot: format hex numbers with %#x instead of 0x%x | Joel Kitching | 2019-10-23 | 1 | -1/+1
  Also standardize on using hex for printing ASCII key values across vboot_ui.c and vboot_ui_menu.c.

  BUG=b:124141368
  TEST=make clean && make runtests
  BRANCH=none

  Change-Id: Ib10288d95e29c248ebe807d99108aea75775b155
  Signed-off-by: Joel Kitching <kitching@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1840191
  Reviewed-by: Joel Kitching <kitching@chromium.org>
  Tested-by: Joel Kitching <kitching@chromium.org>
  Commit-Queue: Joel Kitching <kitching@chromium.org>
* image_signing: drop set_chronos_password.sh | Mike Frysinger | 2019-09-20 | 1 | -56/+0
  We're dropping this from the signer, so drop it from here too. Nothing else has referred to it.

  BUG=None
  TEST=CQ passes
  BRANCH=None

  Change-Id: I855ef036b620082ec98af7aac8ea330ae472435a
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1814697
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Commit-Queue: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
* sign_cr50_firmware.sh: allow signing MP images. | LaMont Jones | 2019-09-08 | 1 | -8/+9
  Allow MP images to be signed. Also, the manifest file name changed.

  BRANCH=none
  BUG=b:74100307
  TEST=manual

  Change-Id: Ia6b4724ceea2b7a18a2caecea7142d1b6ebfaa13
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1791816
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
  Commit-Queue: LaMont Jones <lamontjones@chromium.org>
  Tested-by: LaMont Jones <lamontjones@chromium.org>
  Auto-Submit: LaMont Jones <lamontjones@chromium.org>
* vboot: deprecate fastboot support | Joel Kitching | 2019-08-30 | 1 | -1/+0
  BUG=b:124141368, chromium:995172
  TEST=make clean && make runtests
  BRANCH=none

  Change-Id: I42e4ac8a21ac3be416d315a8a8cc914f997bab79
  Signed-off-by: Joel Kitching <kitching@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1758148
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Tested-by: Joel Kitching <kitching@chromium.org>
  Commit-Queue: Joel Kitching <kitching@chromium.org>
* image_signing: clean up more oci references | Mike Frysinger | 2019-08-26 | 1 | -14/+0
  We deleted the script the oci-container target needs, so remove some remaining dead references.

  BUG=chromium:976916
  TEST=signing image w/key deletes it, and signing image w/out key passes
  BRANCH=None

  Change-Id: I54624a1241a7b7326a746514aa32644fd94ec525
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1762462
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: Mike Frysinger <vapier@chromium.org>
* ensure_secure_kernelparams: add sanity checks on baseline sed scripts | Mike Frysinger | 2019-08-26 | 1 | -6/+17
  The way the sed logic was written we allowed invalid sed expressions to count as "pass". This is because we use "no output" as the signal that the command line option is OK (since the sed script deleted it), but it meant that invalid sed scripts produced no output too.

  Add an explicit exit status check to make sure invalid scripts fail.

  BUG=chromium:991590
  TEST=`./image_signing/ensure_secure_kernelparams.sh ./coral-12439.0.0-recovery.bin .../cros-signing/security_test_baselines/ensure_secure_kernelparams.config` produces no errors
  BRANCH=None

  Change-Id: I1de3ada7e44c49f97ecc40824d98cca9291ab7e6
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1762459
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
  Commit-Queue: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
* image_signing: clean up oci container key references | Mike Frysinger | 2019-08-09 | 2 | -97/+15
  We never released this feature and we've dropped the logic from newer releases. Purge the signing logic of references to the key. We still need to delete the key in case we're signing an older release branch.

  BUG=chromium:976916
  TEST=signing image w/key deletes it, and signing image w/out key passes
  BRANCH=None

  Change-Id: I82b8a4dab5f68e01c54281afd4817eea3dd359ff
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1742692
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
  Commit-Queue: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
* sign_official_build.sh: Update kern_b_hash to support SHA256 [stabilize-octopus-12371.15.B] [stabilize-12386.B] [stabilize-12371.89.B] [stabilize-12371.82.B] [stabilize-12371.81.B] [stabilize-12371.80.B] [stabilize-12371.75.B] [stabilize-12371.71.B] [stabilize-12371.65.B] [stabilize-12371.52.B] [stabilize-12371.50.B] [stabilize-12371.39.B] [stabilize-12371.27.B] [stabilize-12371.26.B] [stabilize-12371.11.B] [release-R77-12371.B] | Julius Werner | 2019-07-25 | 1 | -1/+7
  We're updating the algorithm for this so the signing scripts have to support it as well. Since we're running ToT signing scripts on older images as well, determine the hash algorithm used in the image by checking its length (40 hex digits for SHA1, 64 for SHA256).

  BRANCH=None
  BUG=b:137576540
  TEST=$(sign_official_build.sh recovery recovery_image.bin /tmp/scratch/mykeys/ resigned_image.bin) -- used futility to confirm that new image kern_b_hash matches new image KERN-B and uses the expected algorithm (tried with both SHA1 and SHA256)

  Cq-Depend: chromium:1706624
  Change-Id: Ie1a62ad1fd4fbf141cc1c32d592b863f2d43a24e
  Signed-off-by: Julius Werner <jwerner@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/1707529
  Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* set_lsb_release.sh: tell getfattr to use absolute names | Qijiang Yūki Ishii | 2019-07-23 | 1 | -1/+1
  Adding --absolute-names to getfattr to let getfattr not to remove the leading slash, and not to print the warning to stderr.

  BUG=chromium:954670
  TEST=set_lsb_release.sh xx.bin a b
  TEST=`getfattr: Removing leading '/' from absolute path names` not printed
  BRANCH=none

  Change-Id: I6273151713612746443d5d68a8df530f1146a4a2
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1712890
  Tested-by: Qijiang Fan <fqj@google.com>
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
  Commit-Queue: Qijiang Fan <fqj@google.com>
* scripts: Update OWNERS file to reflect current ownership. [factory-mistral-12361.B] | LaMont Jones | 2019-07-21 | 1 | -2/+3
  BUG=chromium:985940
  TEST=None
  BRANCH=none

  Change-Id: I844074e28a9cf2384bb7dc1593de7d7e01622457
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1710989
  Tested-by: LaMont Jones <lamontjones@chromium.org>
  Auto-Submit: LaMont Jones <lamontjones@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: Mike Frysinger <vapier@chromium.org>
* image_signing: drop "install" alias for factory | Mike Frysinger | 2019-07-11 | 1 | -2/+1
  We migrated away from this in 2012, so drop the alias. Any devices made around that time won't need new factory images either.

  BUG=None
  TEST=None
  BRANCH=None

  Change-Id: I72a155d6c4c241781ec07b2ebb9a2393f8470a08
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1679436
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
  Commit-Queue: Mike Frysinger <vapier@chromium.org>
  Tested-by: Mike Frysinger <vapier@chromium.org>
* make_dev_firmware.sh: correct flashrom examples | Ross Zwisler | 2019-07-03 | 1 | -2/+2
  I was following the advice given in these examples and saw:

    # flashrom -p bios -w /mnt/stateful_partition/backups/bios_SAMUS_TEST_8028_20190628_100324.fd
    flashrom v0.9.9 : cc7cca2 : Jun 15 2019 04:36:54 UTC on Linux 4.14.129 (x86_64)
    Error: Unknown programmer bios.
    Please run "flashrom --help" for usage info.

  As you can see in flashrom_bios() in that same file, the "programmer" argument in flashrom that you need to flash the BIOS is "host" not "bios":

    # flashrom -p host -w /tmp/bios_SAMUS_TEST_8028_20190628_100324.fd
    flashrom v0.9.9 : 2d00129 : Jun 27 2019 15:16:55 UTC on Linux 4.14.129 (x86_64)
    flashrom v0.9.9 : 2d00129 : Jun 27 2019 15:16:55 UTC on Linux 4.14.129 (x86_64)
    Calibrating delay loop... OK.
    coreboot table found at 0x7ce3a000.
    ...
    Erasing and writing flash chip... SUCCESS

  BUG=none
  TEST=successfully flashed a backup BIOS image using flashrom
  BRANCH=none

  Change-Id: Ib1e10c1e06ad84714853953702328c4f4dadebe7
  Signed-off-by: Ross Zwisler <zwisler@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1685859
  Reviewed-by: Hung-Te Lin <hungte@chromium.org>
  Commit-Queue: Hung-Te Lin <hungte@chromium.org>
* keygeneration: default to RSA4096 keys. | LaMont Jones | 2019-06-28 | 2 | -9/+28
  We are leaving the --4k options since they are (now) no-ops, and existing users of the script may be passing them. Since they are the default, we want to discourage their use, so they are not documented.

  BUG=b:135130152
  TEST=Unit tests pass
  BRANCH=None

  Change-Id: I1d73496f45ac0e04657149d438434a33e0e8569b
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1680641
  Tested-by: LaMont Jones <lamontjones@chromium.org>
  Commit-Queue: LaMont Jones <lamontjones@chromium.org>
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Auto-Submit: LaMont Jones <lamontjones@chromium.org>
* create_new_android_keys: fix typo. [stabilize-kukui-12285.B] | LaMont Jones | 2019-06-19 | 1 | -1/+1
  BUG=None
  TEST=manually verified.
  BRANCH=None

  Change-Id: I65467d56409bcf608e9c59aa0759e820d11507ed
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1667537
  Tested-by: LaMont Jones <lamontjones@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: LaMont Jones <lamontjones@chromium.org>
* set_lsb_release.sh: only setfattr for selinux if modified | Qijiang Fan | 2019-06-19 | 1 | -3/+4
  For set_lsb_release.sh called without parameter, it doesn't modify anything in the image, and mount the image ro. Thus setfattr to ensure security.selinux xattr will fail with Read-only filesystem, and is not necessary since nothing has been modified.

  BUG=chromium:954670
  TEST=set_lsb_release.sh xx.bin a b
  TEST=set_lsb_release.sh xx.bin
  BRANCH=none

  Change-Id: I32bf61796c2b60d18e4e62cc43f2d0e9dc75cef5
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/1666516
  Tested-by: Qijiang Fan <fqj@google.com>
  Commit-Queue: LaMont Jones <lamontjones@chromium.org>
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
* set_lsb_release.sh: make sure selinux context for lsb-release file | Qijiang Fan | 2019-06-06 | 1 | -0/+3
  After every invocation to set_lsb_release.sh, make sure /etc/lsb-release in $rootfs has the expected SELinux security context stored at security.selinux extended attribute.

  BRANCH=none
  BUG=chromium:954670
  TEST=set-lsb_release.sh chromium_test_image.bin a b

  Change-Id: I541493d8ad3c94b16840337d807629691b1b00bb
  Reviewed-on: https://chromium-review.googlesource.com/1630426
  Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
  Tested-by: Qijiang Fan <fqj@google.com>
  Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>