path: root/scripts
Commit message | Author | Age | Files | Lines
* vboot: Support servo micro and C2D2 for {get,set}_gbb_flags.sh --servo. [stabilize-14682.B] | Sam McNally | 2022-04-02 | 3 | -10/+20

  Detect servo micro and C2D2 servo types and toggle cpu_fw_spi before and after flash access is required.

  BUG=b:220992685
  TEST={get,set}_gbb_flags.sh --servo with C2D2 and servo micro
  BRANCH=None

  Cq-Depend: chromium:3470605
  Change-Id: I9f8a9bcabe731001ed18150ca1db9820db20e0d3
  Signed-off-by: Sam McNally <sammc@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3469747
  Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
* sign_gsc_firmware: drop version number check for node locked images | Vadim Bendebury | 2022-03-30 | 1 | -12/+5

  With introduction of Ti50 images the version of the eraseflashinfo capable images must change, which will prevent signing scripts from accepting Ti50 images from node locked signing.

  Enforcing the version number is proving to be a larger pain than it is worth: we do need to modify the version once in a while, and it takes a lot of effort and time to propagate the version adjustment through signing stages.

  We already have a quorum requirement for eraseflashinfo capable node locked images, this provides enough guarantee from accidental signing or malicious signing of such an image, version number enforcement does not add security.

  BRANCH=none
  BUG=b:219774807
  TEST=none

  Change-Id: Ifd5ac17540595d71210445e6ad573c81fc25a47a
  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3553419
  Reviewed-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-by: Andrey Pronin <apronin@chromium.org>
* vboot: Add --programmer and --servo flags to {get,set}_gbb_flags.sh. [stabilize-quickfix-14526.91.B, stabilize-14528.B, stabilize-14526.89.B, stabilize-14526.84.B, stabilize-14526.73.B, stabilize-14526.67.B, stabilize-14526.57.B, release-R100-14526.B] | Sam McNally | 2022-02-17 | 3 | -8/+63

  Allow custom programmers to be used instead of host for getting and setting GBB flags via a --programmer/-p flag similar to the same flag for futility. Also support --servo with the same semantics as the futility flag - detecting the programmer to use from the current servod instance mirroring the logic in futility. Only CCD is supported at this stage.

  When reading, include the FMAP section as well as the GBB section. For writes over CCD, avoiding rescanning for the FMAP can save up to 1.8s.

  BUG=None
  TEST={get,set}_gbb_flags.sh --servo with and without servod running
  BRANCH=None

  Change-Id: Iecedf4c3d0cad6923aed4405ef4a72910f3f9f05
  Signed-off-by: Sam McNally <sammc@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3455562
  Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
* make_dev_ssd.sh: Update grub defaultA and defaultB | Jeffery Miller | 2022-02-11 | 1 | -2/+3

  Update the defaultA=2 and defaultB=3 grub settings to remove verification.

  In change I930d0f3f1a3f8f54edd1dce7f8259e3c261af9a1 the default options for grub were changed to be defaultA and defaultB instead of 'set default=2'. Update the removal to support these new configuration settings.

  BRANCH=none
  BUG=b:186240229
  TEST=on a reven build run `/usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification --force`; reboot and confirm verity is disabled

  Change-Id: I70ceed432c29865715c525a6ae13f0e7da8ee0ba
  Signed-off-by: Jeffery Miller <jefferymiller@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3445175
  Reviewed-by: Nicholas Bishop <nicholasbishop@google.com>
  Reviewed-by: Hung-Te Lin <hungte@chromium.org>
  Commit-Queue: Nicholas Bishop <nicholasbishop@google.com>
* sign_official_build: Sign hps_firmware | Evan Benn | 2022-02-08 | 1 | -0/+3

  BUG=b:204378599
  TEST=None
  BRANCH=None

  Signed-off-by: Evan Benn <evanbenn@chromium.org>
  Cq-Depend: chrome-internal:4473134
  Change-Id: I2316ec9e75e854352350e90055e717a258c43f6e
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3388968
  Tested-by: Evan Benn <evanbenn@chromium.org>
  Auto-Submit: Evan Benn <evanbenn@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: Evan Benn <evanbenn@chromium.org>
* accessory: script to generate hps keys | Evan Benn | 2022-01-26 | 1 | -0/+64

  hps uses ed25519 keys so generate a pair of that type.

  BUG=b:214495498
  TEST=./create_new_hps_key.sh
  BRANCH=none

  Signed-off-by: Evan Benn <evanbenn@chromium.org>
  Change-Id: I3f63ea5852b8e5959b7577e8b988284da043b449
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3394031
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: Evan Benn <evanbenn@chromium.org>
  Tested-by: Evan Benn <evanbenn@chromium.org>
* accessory: make create_new_hammer_like_keys generates correct key name [stabilize-14477.B] | Ting Shen | 2022-01-21 | 2 | -7/+28

  create_new_hammer_like_keys.sh generates a key pair with hard-coded filename "key_hammerlike.*". And we usually ask the croskeymanagers team to manually rename it to the correct device name (e.g. b:213403966). The manual step sometimes confuses people.

  Modify the script to make create_new_hammer_like_keys.sh take an extra keyname argument and generate the correct filename at once.

  BUG=b:213922329
  TEST=1) normal usage
          ./create_new_hammer_like_keys.sh foo
       2) error (two keyname provided)
          ./create_new_hammer_like_keys.sh foo bar
       3) error (missing keyname)
          ./create_new_hammer_like_keys.sh
       4) also check efs keygen
          ./create_new_ec_efs_key.sh
  BRANCH=none

  Change-Id: I2a2e24b77961ea2d744ac65d835446a74381e004
  Signed-off-by: Ting Shen <phoenixshen@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3398389
  Reviewed-by: Hung-Te Lin <hungte@chromium.org>
  Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
  Tested-by: Ting Shen <phoenixshen@chromium.org>
  Commit-Queue: Ting Shen <phoenixshen@chromium.org>
* image_signing: Use "-b 256K" option for zstd squashfs compression | Satoshi Niwa | 2021-12-24 | 1 | -1/+1

  project-cheets-private CL: crrev/i/4381092

  BUG=b:208763957
  TEST=arc.AppLoadingPerf, etc.
  BRANCH=none

  Signed-off-by: Satoshi Niwa <niwa@google.com>
  Cq-Depend: chrome-internal:4381092
  Change-Id: I95fe539294793f6894a8e4cd8e2bde4bbcf43c04
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3351476
  Reviewed-by: Ryo Hashimoto <hashimoto@chromium.org>
  Tested-by: Satoshi Niwa <niwa@chromium.org>
  Auto-Submit: Satoshi Niwa <niwa@chromium.org>
  Commit-Queue: Satoshi Niwa <niwa@chromium.org>
* vboot_reference: shortcut for enable earlycon and serial console | Hsin-Yi Wang | 2021-12-09 | 1 | -1/+51

  Add a shortcut to enable and disable earlycon and serial console. Earlycon requires to setup the correct parameter in stdout-path for ARM/ARM64 or SPCR table for x86.

  BRANCH=none
  BUG=b:168171144
  TEST=./make_dev_ssd.sh -i $image --enable_earlycon (--disable_console)

  Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org>
  Change-Id: Ifc39c825bf0830bca9d72668b8451aff64708071
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2423643
  Reviewed-by: Stephen Boyd <swboyd@chromium.org>
* gscvd: add dedicated test keys | Vadim Bendebury | 2021-12-03 | 2 | -0/+6

  This patch extends create_new_keys.sh to generate two additional key pairs to use for AP RO verification signing. Both new pairs are RSA4096/SHA256.

  The script was run to generate a new set of keys and the produced AP RO verification key pairs were copied into tests/devkeys.

  BRANCH=none
  BUG=b:141191727
  TEST=re-signed guybrush AP firmware image following the process described in cmd_gscvd.c comments, created a Cr50 image incorporating the new root public key hash, updated the DUT AP and Cr50 firmware and observed successful AP RO validation.

  Change-Id: I03cba1446fc5ffdfef662c5ce1ea3e61950477d4
  Signed-off-by: Vadim Bendebury <vbendeb@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3297447
  Tested-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* image_signing: skip signing of boot*.efi on reven board [stabilize-14345.B, stabilize-14336.B, stabilize-14333.B] | Nicholas Bishop | 2021-11-08 | 2 | -6/+14

  The reven board's first stage bootloader (bootia32.efi/bootx64.efi) is signed by Microsoft so that it can boot with the default UEFI Secure Boot keys. These two files should not be modified by the signing scripts.

  Implement this by adding a third argument to sign_uefi.sh, "efi_glob". This argument is set to "*.efi" by default, maintaining the existing behavior. If the key dir matches "*Reven*", the glob is changed to "grub*.efi".

  Tested by running sign_official_build.sh on a reven base image, once with a keys dir matching "*Reven*", once with it not matching. When the keys dir matches Reven, grub*.efi is signed but boot*.efi is not. When the keys dir does not match Reven, both grub*.efi and boot*.efi are signed:

  Matching "*Reven*":
    platform/vboot_reference/scripts/image_signing/sign_official_build.sh \
      base build/images/reven/latest/chromiumos_base_image.bin \
      platform/vboot_reference/tests/Reven \
      build/images/reven/latest/chromiumos_base_image.bin.signed

  Not matching:
    platform/vboot_reference/scripts/image_signing/sign_official_build.sh \
      base build/images/reven/latest/chromiumos_base_image.bin \
      platform/vboot_reference/tests/devkeys \
      build/images/reven/latest/chromiumos_base_image.bin.signed

  BUG=b:205145491
  TEST=Build a reven base image and test as described above
  BRANCH=none

  Change-Id: Iec2800c276ca82bfd6e5b465ff821b11e0b0bb08
  Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3262479
  Reviewed-by: Joseph Sussman <josephsussman@google.com>
* COIL: Remove "slave" | Yu-Ping Wu | 2021-10-29 | 1 | -15/+17

  In the context of device mapper (dm), use "mapped device".

  BUG=b:179221734
  TEST=make runtests
  BRANCH=none

  Change-Id: I9245d8482e59db93bfe6cdcaafa503038ae5c9e3
  Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3246662
  Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
  Reviewed-by: Hung-Te Lin <hungte@chromium.org>
* strip_boot_from_image: use sfill instead of fstrim [stabilize-14235.B] | George Engelbrecht | 2021-09-17 | 1 | -1/+1

  fstrim relies on the underlying device supporting it and on our instances we're on lvm devices. Since we're fstrim'ing a mounted loopback the ability to call fstrim is inherited by the parent device. Something has changed in the kernel (see bug) that stopped us from making the trim call on the loopback partition. sfill with these options should accomplish the same thing (single write with all zeros) as well as cleaning up inode space.

  BRANCH=main
  BUG=b:200038130
  TEST=signer full tests with this commit.

  Signed-off-by: engeg <engeg@google.com>
  Change-Id: I8c71adfd59c11b5142aa367fb20222fc4b03a2ba
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3167191
  Tested-by: George Engelbrecht <engeg@google.com>
  Auto-Submit: George Engelbrecht <engeg@google.com>
  Reviewed-by: Jason Clinton <jclinton@chromium.org>
  Reviewed-by: Jared Loucks <jaredloucks@google.com>
  Reviewed-by: Greg Edelston <gredelston@google.com>
  Commit-Queue: George Engelbrecht <engeg@google.com>
  Commit-Queue: Greg Edelston <gredelston@google.com>
* sign_official_build: disable gsetup for reven [stabilize-14217.B] | Jack Neus | 2021-09-08 | 1 | -1/+5

  More permanent fix todo, need to unblock reven-release.

  BUG=b:199136347
  TEST=shellcheck
  BRANCH=none

  Change-Id: I2b124f88aa2c5c70124888e2d64bd5a2c41f1a96
  Signed-off-by: Jack Neus <jackneus@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3149594
  Reviewed-by: George Engelbrecht <engeg@google.com>
* vboot/sign_offical_build: Unused variable | Jae Hoon Kim | 2021-09-08 | 1 | -1/+1

  partnum variable isn't defined.

  BUG=none
  TEST=none

  Signed-off-by: Jae Hoon Kim <kimjae@chromium.org>
  BRANCH=none
  Change-Id: Ie4ce809e4331d04c10c60f0e9c1b883124018038
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3146295
  Tested-by: Jae Hoon Kim <kimjae@chromium.org>
  Auto-Submit: Jae Hoon Kim <kimjae@chromium.org>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Commit-Queue: George Engelbrecht <engeg@google.com>
* Revert "reven signing: skip install_gsetup_certs" | Jack Neus | 2021-09-07 | 1 | -7/+2

  This reverts commit 1376cfbfdd3b0cbc14da190c744604c4f3d29a23.

  Reason for revert: bad code (missing [[)

  Original change's description:
  > reven signing: skip install_gsetup_certs
  >
  > BUG=b:199136347,b:194500280
  > TEST=none
  > BRANCH=none
  >
  > Change-Id: Iba90c1f4dcc2fadf9cbadac1948d5037b0feb278
  > Signed-off-by: Jack Neus <jackneus@google.com>
  > Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3145774
  > Reviewed-by: George Engelbrecht <engeg@google.com>

  Bug: b:199136347,b:194500280
  Change-Id: I9b1df358a18d043eb0d20d18ed17e1bafbd9e5f3
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3146076
  Auto-Submit: Jack Neus <jackneus@google.com>
  Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
  Commit-Queue: George Engelbrecht <engeg@google.com>
  Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Tested-by: George Engelbrecht <engeg@google.com>
  Tested-by: Jack Neus <jackneus@google.com>
* reven signing: skip install_gsetup_certs | Jack Neus | 2021-09-07 | 1 | -2/+7

  BUG=b:199136347,b:194500280
  TEST=none
  BRANCH=none

  Change-Id: Iba90c1f4dcc2fadf9cbadac1948d5037b0feb278
  Signed-off-by: Jack Neus <jackneus@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3145774
  Reviewed-by: George Engelbrecht <engeg@google.com>
* vboot/sign_official_build: Skip re-signing empty miniOS partitions | Jae Hoon Kim | 2021-09-07 | 1 | -7/+16

  Reasons that miniOS partitions might be empty is that the feature is not enabled yet, but the partitions exist as it's using the newer disk_layout_v3.

  BUG=b:199021334
  TEST=# run tests

  Signed-off-by: Jae Hoon Kim <kimjae@chromium.org>
  BRANCH=none
  Change-Id: I2a6b68240428ab2f01394230840ff116c720b3df
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3145770
  Tested-by: Jae Hoon Kim <kimjae@chromium.org>
  Auto-Submit: Jae Hoon Kim <kimjae@chromium.org>
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Commit-Queue: Julius Werner <jwerner@chromium.org>
* vboot/sign_official_build: Fix missing backslash | Yu-Ping Wu | 2021-09-01 | 1 | -2/+2

  Add the missing line continuation backslash, caused by CL:3046439.

  BUG=b:198232639
  TEST=./sign_official_build.sh recovery ${IMAGE} tests/devkeys/ ${OUTPUT}
  TEST=./sign_official_build.sh factory ${IMAGE} tests/devkeys/ ${OUTPUT}
  BRANCH=none

  Change-Id: I587747e33c47afc85264052c9ca59081d5524a72
  Signed-off-by: Yu-Ping Wu <yupingso@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3134894
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Commit-Queue: Julius Werner <jwerner@chromium.org>
* signer: Handle zstd squashfs compression [stabilize-14163.B, factory-keeby-14162.B, factory-14162.B] | Satoshi Niwa | 2021-08-17 | 1 | -0/+2

  BUG=b:193618692
  TEST=sign_official_build.sh can handle zstd-compressed Android image
  BRANCH=none

  Signed-off-by: Satoshi Niwa <niwa@google.com>
  Cq-Depend: chrome-internal:4024687
  Change-Id: Ie01e93e49da9b32245055f7e4b6fa4fb3fbefd8e
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3066801
  Tested-by: Satoshi Niwa <niwa@chromium.org>
  Reviewed-by: Kazuhiro Inaba <kinaba@chromium.org>
  Reviewed-by: Yury Khmel <khmel@chromium.org>
  Auto-Submit: Satoshi Niwa <niwa@chromium.org>
  Commit-Queue: Satoshi Niwa <niwa@chromium.org>
* vboot/sign_official_build: fix verity path in comment | Nicholas Bishop | 2021-08-13 | 1 | -1/+1

  verity is now in platform2.

  BUG=chromium:886953
  TEST=none
  BRANCH=none

  Change-Id: I55b8a88540b781658a02819de749ab2d20984658
  Signed-off-by: Nicholas Bishop <nicholasbishop@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3087641
  Reviewed-by: Julius Werner <jwerner@chromium.org>
* signer: Implement retry logic for signing Android image | Yury Khmel | 2021-07-29 | 1 | -15/+53

  This retries signing android image in case of integrity check failure. The reason of failure is still unknown.

  BUG=b:175081695
  TEST=Locally image signing passed with adding temporary code that emulates random diff file error. Confirmed recovery happened and signing finished successfully.
  BRANCH=none

  Signed-off-by: Yury Khmel <khmel@google.com>
  Change-Id: Iffc23145cae21f4f468b987d015f45fec95f29d0
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3057193
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* Reland "vboot/sign_official_build: re-sign miniOS partitions" | Joel Kitching | 2021-07-23 | 1 | -3/+62

  This is a reland of 43325cb9b2568c4a03c849f3474fcee8de3ae893

  Looks like this was reverted incorrectly in CL:3044633, culprit turned out to be an unrelated flake (see b/194293181).

  Original change's description:
  > vboot/sign_official_build: re-sign miniOS partitions
  >
  > sign_official_build.sh needs to be taught how to re-sign miniOS
  > partitions, depending on whether the particular image at hand
  > contains them or not.
  >
  > BUG=b:188121855
  > TEST=make clean && make runtests
  > BRANCH=none
  >
  > Cq-Depend: chromium:3027786
  > Signed-off-by: Joel Kitching <kitching@google.com>
  > Change-Id: Iaf847e14588011dd0fea6b59405091ae36ef038f
  > Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2989640
  > Tested-by: Joel Kitching <kitching@chromium.org>
  > Reviewed-by: Mike Frysinger <vapier@chromium.org>
  > Commit-Queue: Joel Kitching <kitching@chromium.org>

  Bug: b:188121855
  Signed-off-by: Julius Werner <jwerner@google.com>
  Change-Id: I2e29a6e85f7d41ad365365ffb7e694f0c291d4f3
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3046439
  Reviewed-by: Sergey Frolov <sfrolov@google.com>
  Reviewed-by: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Tested-by: Julius Werner <jwerner@chromium.org>
  Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
* Revert "vboot/sign_official_build: re-sign miniOS partitions" [stabilize-14106.B] | Sergey Frolov | 2021-07-22 | 1 | -62/+3

  This reverts commit 43325cb9b2568c4a03c849f3474fcee8de3ae893.

  Reason for revert: b/194293181 suspect

  Original change's description:
  > vboot/sign_official_build: re-sign miniOS partitions
  >
  > sign_official_build.sh needs to be taught how to re-sign miniOS
  > partitions, depending on whether the particular image at hand
  > contains them or not.
  >
  > BUG=b:188121855
  > TEST=make clean && make runtests
  > BRANCH=none
  >
  > Cq-Depend: chromium:3027786
  > Signed-off-by: Joel Kitching <kitching@google.com>
  > Change-Id: Iaf847e14588011dd0fea6b59405091ae36ef038f
  > Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2989640
  > Tested-by: Joel Kitching <kitching@chromium.org>
  > Reviewed-by: Mike Frysinger <vapier@chromium.org>
  > Commit-Queue: Joel Kitching <kitching@chromium.org>

  Bug: b:188121855
  Change-Id: Ieb936a21d5ae09ed84eb65c9a3a3198a5b5b22a5
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3044633
  Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
  Commit-Queue: Sergey Frolov <sfrolov@google.com>
* vboot/sign_official_build: re-sign miniOS partitions | Joel Kitching | 2021-07-19 | 1 | -3/+62

  sign_official_build.sh needs to be taught how to re-sign miniOS partitions, depending on whether the particular image at hand contains them or not.

  BUG=b:188121855
  TEST=make clean && make runtests
  BRANCH=none

  Cq-Depend: chromium:3027786
  Signed-off-by: Joel Kitching <kitching@google.com>
  Change-Id: Iaf847e14588011dd0fea6b59405091ae36ef038f
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2989640
  Tested-by: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Commit-Queue: Joel Kitching <kitching@chromium.org>
* Detect compression type and use the same one for re-packing the image | Satoshi Niwa | 2021-07-08 | 1 | -6/+14

  After crrev/i/3949327, compression type is not simply determined by ARC type.

  BUG=b:180894807
  TEST=sign_official_build.sh and check the log message
  BRANCH=none

  Signed-off-by: Satoshi Niwa <niwa@google.com>
  Cq-Depend: chromium:2999963
  Cq-Depend: chrome-internal:3949327
  Change-Id: I4b1bf452e0d033b4bb8c2f2c1f91819741f9885c
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2999823
  Tested-by: Satoshi Niwa <niwa@chromium.org>
  Reviewed-by: Yury Khmel <khmel@chromium.org>
  Reviewed-by: Satoshi Niwa <niwa@chromium.org>
  Reviewed-by: Kazuhiro Inaba <kinaba@chromium.org>
  Auto-Submit: Satoshi Niwa <niwa@chromium.org>
  Commit-Queue: Satoshi Niwa <niwa@chromium.org>
* vboot: introduce minios_kernel.keyblock | Joel Kitching | 2021-07-05 | 2 | -6/+27

  miniOS requires a distinct kernel data key, whose dev key pair is added in this CL as minios_kernel_data_key.vb{pub,priv}k.

  A distinct keyblock is also required. The keyblock should set the kernel keyblock flag MINIOS_1. Other keyblocks are modified appropriately to set MINIOS_0.

  Keyblocks were generated using the following commands:

    $ futility vbutil_keyblock --flags 23 --datapubkey tests/devkeys/ec_data_key.vbpubk --signprivate tests/devkeys/ec_root_key.vbprivk --pack tests/devkeys/ec.keyblock
    Keyblock file: tests/devkeys/ec.keyblock
    Signature valid
    Flags: 23 !DEV DEV !REC !MINIOS
    Data key algorithm: 7 RSA4096 SHA256
    Data key version: 1
    Data key sha1sum: 5833470fe934be76753cb6501dbb8fbf88ab272b

    $ futility vbutil_keyblock --flags 23 --datapubkey tests/devkeys/firmware_data_key.vbpubk --signprivate tests/devkeys/root_key.vbprivk --pack tests/devkeys/firmware.keyblock
    Keyblock file: tests/devkeys/firmware.keyblock
    Signature valid
    Flags: 23 !DEV DEV !REC !MINIOS
    Data key algorithm: 7 RSA4096 SHA256
    Data key version: 1
    Data key sha1sum: e2c1c92d7d7aa7dfed5e8375edd30b7ae52b7450

    $ futility vbutil_keyblock --flags 27 --datapubkey tests/devkeys/recovery_kernel_data_key.vbpubk --signprivate tests/devkeys/recovery_key.vbprivk --pack tests/devkeys/recovery_kernel.keyblock
    Keyblock file: tests/devkeys/recovery_kernel.keyblock
    Signature valid
    Flags: 27 !DEV DEV REC !MINIOS
    Data key algorithm: 11 RSA8192 SHA512
    Data key version: 1
    Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb

    $ futility vbutil_keyblock --flags 43 --datapubkey tests/devkeys/minios_kernel_data_key.vbpubk --signprivate tests/devkeys/recovery_key.vbprivk --pack tests/devkeys/minios_kernel.keyblock
    Keyblock file: tests/devkeys/minios_kernel.keyblock
    Signature valid
    Flags: 43 !DEV DEV REC MINIOS
    Data key algorithm: 8 RSA4096 SHA512
    Data key version: 1
    Data key sha1sum: 65441886bc54cbfe3a7308b650806f4b61d8d142

    $ futility vbutil_keyblock --flags 23 --datapubkey tests/devkeys/kernel_data_key.vbpubk --signprivate tests/devkeys/kernel_subkey.vbprivk --pack tests/devkeys/kernel.keyblock
    Keyblock file: tests/devkeys/kernel.keyblock
    Signature valid
    Flags: 23 !DEV DEV !REC !MINIOS
    Data key algorithm: 4 RSA2048 SHA256
    Data key version: 1
    Data key sha1sum: d6170aa480136f1f29cf339a5ab1b960585fa444

    $ futility vbutil_keyblock --flags 26 --datapubkey tests/devkeys/installer_kernel_data_key.vbpubk --signprivate tests/devkeys/recovery_key.vbprivk --pack tests/devkeys/installer_kernel.keyblock
    Keyblock file: tests/devkeys/installer_kernel.keyblock
    Signature valid
    Flags: 26 DEV REC !MINIOS
    Data key algorithm: 11 RSA8192 SHA512
    Data key version: 1
    Data key sha1sum: e78ce746a037837155388a1096212ded04fb86eb

  BUG=b:188121855
  TEST=make clean && make runtests
  BRANCH=none

  Signed-off-by: Joel Kitching <kitching@google.com>
  Change-Id: I5b3e4def83ff29ca156b3c84dfcb8398f4985e67
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2965485
  Tested-by: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Commit-Queue: Joel Kitching <kitching@chromium.org>
* vboot/sign_official_build: fix up dependencies | Joel Kitching | 2021-07-03 | 1 | -24/+23

  Update dependencies list, and use ${FUTILITY} rather than calling futility directly.

  BUG=b:188121855
  TEST=make clean && make runtests
  BRANCH=none

  Signed-off-by: Joel Kitching <kitching@google.com>
  Change-Id: I8a28465937ca82ea9e18edc5d613570a561a3e0e
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2989639
  Reviewed-by: Joel Kitching <kitching@chromium.org>
  Tested-by: Joel Kitching <kitching@chromium.org>
  Commit-Queue: Joel Kitching <kitching@chromium.org>
* vboot/sign_official_build: remove kernel and recovery_kernel | Joel Kitching | 2021-07-03 | 1 | -60/+0

  These two types are simply thin wrappers around vbutil_kernel and are no longer used.

  BUG=b:188121855
  TEST=make clean && make runtests
  BRANCH=none

  Signed-off-by: Joel Kitching <kitching@google.com>
  Change-Id: Ia9a13f2992eb9de9f6c65525739da5f8e945cb3e
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2989638
  Tested-by: Joel Kitching <kitching@chromium.org>
  Commit-Queue: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-by: Julius Werner <jwerner@chromium.org>
* vboot/sign_official_build: merge ssd+base and remove usb | Joel Kitching | 2021-07-03 | 1 | -11/+3

  Merge aliases "ssd" and "base", since they do the same thing but only "base" is used in chromite scripts.

  Remove "usb" since it is not used anywhere.

  BUG=b:188121855
  TEST=make clean && make runtests
  BRANCH=none

  Signed-off-by: Joel Kitching <kitching@google.com>
  Change-Id: Ief610387fc1b6d72fe8674b0e4d51d74e6173ddd
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2989637
  Tested-by: Joel Kitching <kitching@chromium.org>
  Commit-Queue: Joel Kitching <kitching@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-by: Julius Werner <jwerner@chromium.org>
* image_signing: fix rootfs mount when checking kernel params | Mike Frysinger | 2021-06-05 | 1 | -2/+1

  Use the existing mount helper so we clean up automatically when exiting.

  BUG=None
  TEST=CQ passes
  BRANCH=None

  Change-Id: I882c7f5ea3b54e08745c48378cc50702550cdc71
  Signed-off-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2923828
  Reviewed-by: George Engelbrecht <engeg@google.com>
* image_signing: support mounted rootfs in more scripts | Mike Frysinger | 2021-06-05 | 7 | -40/+79

  Update these scripts to accept a rootfs dir as input so we don't have to loopback+mount+umount with every invocation. This speeds up the overall runs.

  BUG=None
  TEST=scripts still work against image & rootfs dirs
  BRANCH=None

  Change-Id: I23050faebefd0a19e8ad44cdb76d7cc49c28e570
  Signed-off-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2923827
  Reviewed-by: George Engelbrecht <engeg@google.com>
* image_signing: set_lsb_release: simplify file rewriting | Mike Frysinger | 2021-06-04 | 1 | -9/+16

  Collapse the 4 sudo calls & temporary file into a single call. This is a bit easier to read and is faster as a result.

  We can also hoist the selinux restore to do it only once at the end if we modified the file.

  BUG=None
  TEST=set_lsb_release.sh on an image still works
  BRANCH=None

  Change-Id: I300cf47d017d159d762a62fe2aab789ce391f89a
  Signed-off-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2923826
  Reviewed-by: George Engelbrecht <engeg@google.com>
* image_signing: simplify & fix mount cleanups | Mike Frysinger | 2021-06-04 | 1 | -25/+2

  We don't need all this infrastructure for arbitrary cleanups when we only ever run 2 clean up steps.

  This also fixes a subtle bug in the old logic: we registered cleanups in the logical order of (1) mounts and then (2) loopbacks, but the cleanup loop walks the registered calls in reverse order. This means the loopback cleanup would fail and timeout because we hadn't unmounted the partitions yet. The overall script doesn't fail as cleanup uses `set +e`, but it makes every script waste ~10 seconds at exit.

  BUG=None
  TEST=running set_lsb_release.sh on images works quickly now
  BRANCH=None

  Change-Id: Ibd25ad6ba149c64e08ac3ab860342fe7b2cc7851
  Signed-off-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2923825
  Reviewed-by: George Engelbrecht <engeg@google.com>
* change node locked version expectations [stabilize-13971.B, stabilize-13970.B] | Vadim Bendebury | 2021-05-12 | 1 | -6/+8

  With the new rollback info space value the node locked images base needs to be enabled.

  BRANCH=none
  BUG=b:187438971
  TEST=none

  Change-Id: I78eafc72766947df81c9b6519bc13633423840d6
  Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2888711
  Reviewed-by: Mary Ruthven <mruthven@chromium.org>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* vboot_reference: migrate out of flashrom deprecated options | Daniel Campello | 2021-04-28 | 1 | -1/+1

  This change replaces --diff and --fast-verify for the supported equivalent flashrom options

  BRANCH=none
  BUG=b:186479007
  TEST=tryjobs

  Change-Id: I614ba71c606dbe4e3a1b4988df845bcbbd61dd01
  Signed-off-by: Daniel Campello <campello@chromium.org>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2853623
  Reviewed-by: Jack Rosenthal <jrosenth@chromium.org>
* sign_gsc_firmware: support rewriting filename | George Engelbrecht | 2021-03-10 | 1 | -0/+6

  When the gsc signer reads the contents of the payload it finds out if it is a cr50 or ti50 chip. We write the chip type to a .rename file next to the bin (which has a @CHIP@ in the path) so that the signer can rename the artifact for placement.

  Signed-off-by: George Engelbrecht <engeg@google.com>

  BRANCH=None
  BUG=b:179964270
  TEST=local signer

  Change-Id: I0600cb60bb614111802119293ba0c63f2b61c231
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2728736
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: George Engelbrecht <engeg@google.com>
  Tested-by: George Engelbrecht <engeg@google.com>
* vboot: standardize legacy boot and altfw terminology Joel Kitching 2021-02-27 1 -2/+2
  Standardize on the term "altfw" (short form) and "alternate bootloader" (long form) in both code and documentation.

  Remove the VbAltFwIndex_t enum, and replace with a simple uint32_t.

  Rename VbExLegacy to vb2ex_run_altfw, and move to vboot2 namespace.

  Rename crossystem param dev_boot_legacy to dev_boot_altfw, but leave an alias.

  Rename crossystem param dev_default_boot value from legacy to altfw, but leave an alias.

  BUG=b:179458327
  TEST=make clean && make runtests
  TEST=emerge vboot_reference and check output for:
       crossystem dev_boot_legacy=0
       crossystem dev_boot_altfw=0
       crossystem dev_default_boot=legacy
       crossystem dev_default_boot=altfw
  BRANCH=none

  Cq-Depend: chromium:2641196
  Signed-off-by: Joel Kitching <kitching@google.com>
  Change-Id: I289df63d992a3d9ae3845c59779ecbd115b18ee2
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2641346
  Reviewed-by: Julius Werner <jwerner@chromium.org>
  Reviewed-by: Yu-Ping Wu <yupingso@chromium.org>
  Tested-by: Joel Kitching <kitching@chromium.org>
  Commit-Queue: Yu-Ping Wu <yupingso@chromium.org>
* ensure_not_tainted_license: fix exit codes Sergey Frolov 2021-01-21 1 -1/+5
  grep returns exit code 1, if pattern was not found, and due to `set -e` ensure_not_tainted_license.sh exits immediately with code 1. This change fixes it.

  This change also ensures that the correct code 1 is returned when the pattern is found.

  BUG=chromium:1163996
  TEST=N/A
  BRANCH=none

  Signed-off-by: Sergey Frolov <sfrolov@google.com>
  Change-Id: Idd33cec8795420ca1aab9ab1490a338a04d20257
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2638856
  Tested-by: George Engelbrecht <engeg@google.com>
  Commit-Queue: George Engelbrecht <engeg@google.com>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
  Reviewed-by: George Engelbrecht <engeg@google.com>
* ensure_not_tainted_license: skip if not found Sergey Frolov 2021-01-16 1 -2/+3
  This change makes ensure_not_tainted_license.sh only emit a warning if license file is not found, as opposed to failing.

  BUG=chromium:1163996
  TEST=N/A
  BRANCH=none

  Change-Id: I14103bc520efabf3e0c1424e8a5cae259d42c966
  Signed-off-by: Sergey Frolov <sfrolov@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2632876
  Commit-Queue: George Engelbrecht <engeg@google.com>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* Add ensure_not_tainted_license.sh [stabilize-rust-13720.B] [master] [factory-zork-13700.B] Sergey Frolov 2021-01-01 1 -0/+66
  This is a part of the work to ensure that tainted images are never signed with MP keys. A special tainted tag was added to the license file by https://chromium-review.googlesource.com/c/chromiumos/chromite/+/2560225 and in ensure_not_tainted.sh we detect the presence of this tag.

  This script has been manually tested on tainted and non-tainted images.

  BUG=chromium:1059363
  TEST=manual
  BRANCH=none

  Change-Id: I17ca27bb7895f268a79cca3ad948808f0f96b8c7
  Signed-off-by: Sergey Frolov <sfrolov@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2607414
  Commit-Queue: Mike Frysinger <vapier@chromium.org>
  Reviewed-by: Allen Webb <allenwebb@google.com>
* Revert "sign_gsc_firmware: update generated file name" [factory-dalboz-13695.B] Vadim Bendebury 2020-12-29 1 -2/+0
  This reverts commit bc2317695965bb92b8809d9c06327adedcb0653c.

  The reason for revert is that the signer needs to know the generated file name, and in case vboot reference alters the name the signer remains unaware of the change and is still looking for the file named @CHIP@...

  Some other means of figuring out the file name will be required, let's stick with the @CHIP@ prefix for now.

  BRANCH=none
  BUG=b:173049030
  TEST=none

  Change-Id: I23ea65314d49e86fc4edb015e89b6076f87a54dd
  Signed-off-by: Vadim Bendebury <vbendeb@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2605238
  Tested-by: Vadim Bendebury <vbendeb@chromium.org>
  Tested-by: George Engelbrecht <engeg@google.com>
  Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* sign_gsc_firmware: update generated file name [factory-test-13683.B] [factory-dedede-13683.B] Vadim Bendebury 2020-12-18 1 -0/+2
  When processing Gsc image signing request the signing server is not aware of which chip the image is being signed for, the output file name includes the string @CHIP@ and it is the responsibility of the actual signing scripts to figure out if the image is for Cr50 or Ti50.

  The destination image type is determined based on the signing manifest contents, this patch adds code to replace @CHIP@ with the actual image type.

  BRANCH=none
  BUG=b:173049030
  TEST=invoked the script to sign a Ti50 image locally, verified that the produced signed image file had the expected name.

  Change-Id: Ib1534ce50e0a44d0ec014e8dbee4e4d85c2082c9
  Signed-off-by: Vadim Bendebury <vbendeb@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2596695
  Tested-by: Vadim Bendebury <vbendeb@chromium.org>
  Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* sign_gsc_firmware: refactor and extend to support D2 Vadim Bendebury 2020-12-11 1 -90/+136
  The major difference between Cr50 and Ti50 signing is that the RW sections are represented differently: elf files in Cr50 case and ihex files in Ti50 case. Other differences include the produced signed final image size and the offsets of the components in the final image.

  The signing script is being updated to figure out all these differences at run time. A new optional field is introduced in the signing manifest, the 'generation'. If this field is absent or set to 'h' (for H1), the script proceeds with the Cr50 signing process. If 'generation' is set to 'd' (for D2), the script proceeds with the Ti50 signing process.

  Instead of using fixed offsets into the final image, the base addresses of the components in ihex format are used, the only fixed value is the base address of the flash image in the chip address space (0x40000 for H1 vs 0x80000 for D2). To make this work for H1 the output format of the signed blob produced by gsc-codesigner is changed from binary to ihex.

  BRANCH=none
  BUG=b:173049030
  TEST=using this script and the signing_istructions.sh module produced by the real Cr50 signer was able to produce functional images for both Cr50 and Ti50.

  Change-Id: I845be1101b09c9476fa27fbddb72607dc6cea901
  Signed-off-by: Vadim Bendebury <vbendeb@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2570009
  Tested-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
* sign_gsc_firmware: add functions to determine ihex module base address Vadim Bendebury 2020-12-11 1 -0/+86
  With the advent of D2 memory layout scheme it became impossible to hardcode the base address of various components of the D2 firmware image. Luckily, the components are represented as binary blobs in Intel ihex format, which allows retrieving the base address of the component from the ihex records.

  The address is composed of two elements: the segment base supplied in the record type 02 or 04, and the record offset into the segment, supplied in the data record of type 0. The segment address is expressed as a 16 bit value, the actual value shifted right either 4 bits (in case of record type 02) or 16 bits (in case of record type 04). The data record offset is also a 16 bit value.

  The base address of the blob is calculated as <segment address> + <first data record offset> and is available from the first two records in the ihex module.

  Detailed information of ihex file format can be found in https://en.wikipedia.org/wiki/Intel_HEX .

  BRANCH=none
  BUG=b:173049030
  TEST=with the next patch in the stack applied was able to successfully build a multicomponent ti50 image.

  Change-Id: I135c2f9960f1f218532c82bafd7acbe362414fc9
  Signed-off-by: Vadim Bendebury <vbendeb@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2570008
  Tested-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
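
Added example, not the code from the commit above or from sign_gsc_firmware: one way to compute the ihex base address that message describes, with each record's length and checksum validated before its fields are trusted. The function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not the sign_gsc_firmware code. All function names are
# hypothetical; the sample records at the bottom are constructed.

# field <string> <first> <last>: characters first..last (1-based).
field() { printf '%s' "$1" | cut -c"$2-$3"; }

# Accept a record only if it is ':' + hex, its length matches the byte
# count field, and all bytes (checksum included) sum to 0 modulo 256.
ihex_record_ok() {
  case "$1" in :*) ;; *) return 1 ;; esac
  rec=${1#:}
  case "$rec" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
  [ "${#rec}" -eq $(( 10 + 2 * 0x$(field "$rec" 1 2) )) ] || return 1
  sum=0
  while [ -n "$rec" ]; do
    rest=${rec#??}
    sum=$(( (sum + 0x${rec%"$rest"}) & 0xff ))
    rec=$rest
  done
  [ "$sum" -eq 0 ]
}

# Print the blob base address: segment base from the type 02/04 record
# preceding the first type 00 data record, plus that record's offset.
ihex_base_address() {
  seg=0
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')
    [ -n "$line" ] || continue
    ihex_record_ok "$line" || { echo "bad ihex record: $line" >&2; return 1; }
    type=$(field "$line" 8 9)
    case "$type" in
      02|04)
        [ "$(field "$line" 2 3)" = 02 ] || return 1   # payload must be 2 bytes
        shift_by=4; [ "$type" = 04 ] && shift_by=16
        seg=$(( 0x$(field "$line" 10 13) << shift_by )) ;;
      00) printf '0x%x\n' $(( seg + 0x$(field "$line" 4 7) )); return 0 ;;
      01) break ;;
    esac
  done
  echo "no data record before end of file" >&2
  return 1
}

# Constructed D2-style sample: type 04 record (0x0008 << 16), data, EOF.
SAMPLE=':020000040008F2
:04400000DEADBEEF84
:00000001FF'
printf '%s\n' "$SAMPLE" | ihex_base_address   # prints 0x84000
```

A record that fails the length or checksum test aborts the calculation instead of yielding an address, so a truncated or altered blob cannot silently shift where a component lands in the assembled image.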
* image_signing: use GSC nomenclature instead of Cr50 Vadim Bendebury 2020-12-11 2 -57/+105
  This patch does not yet provide the ability to sign Ti50 images, but prepares the signing scripts for further modifications to support a variety of security chip signing flows.

  BRANCH=none
  BUG=b:173049030
  TEST=verified successful signing of a Cr50 image in a test signer setup also created a functional Cr50 image invoking sign_official_build.sh by hand.

  Change-Id: Ic103c9fdf7d1c4ea160c7f6849d5ae5a8303c343
  Signed-off-by: Vadim Bendebury <vbendeb@google.com>
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2537078
  Tested-by: Vadim Bendebury <vbendeb@chromium.org>
  Reviewed-by: George Engelbrecht <engeg@google.com>
  Commit-Queue: Vadim Bendebury <vbendeb@chromium.org>
  Auto-Submit: Vadim Bendebury <vbendeb@chromium.org>
* signer: Verify many Android signer operations that content is unchanged. [stabilize-13654.B] Yury Khmel 2020-12-05 1 -8/+29
  This adds extra verifications to many Android signer operations in order to narrow down the problem when empty folders are removed from the disk.

  BUG=chromium:1154734
  TEST=Locally image signing passed. Emulated problem and it was detected.
  BRANCH=none

  Signed-off-by: Yury Khmel <khmel@google.com>
  Change-Id: If8bb9fced290117766bfa9ff76a25fc86ed263dc
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2572240
  Reviewed-by: Mike Frysinger <vapier@chromium.org>
* common: log loopback detaches George Engelbrecht 2020-11-03 1 -0/+1
  We want to find the culprit loopback device which isn't detaching on crbug.com/1141907. We might as well log our cleanup actions anyway, and this will allow us to see the last loopback processed in production.

  BUG=chromium:1141907
  TEST=just a log message
  BRANCH=None

  Signed-off-by: George Engelbrecht <engeg@google.com>
  Change-Id: I126efceae4f67993069675c23f6c4af61c7e5667
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2514561
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
* common: save the existing return value on cleanup George Engelbrecht 2020-11-03 1 -0/+3
  Currently this trap initiated function will not save the original return value of the script. Save it and return it on exit.

  BUG=chromium:1141907
  TEST=unittest and manually on a signer
  BRANCH=None

  Signed-off-by: George Engelbrecht <engeg@google.com>
  Change-Id: Icd807f4d153e4bcc1d309fbcea43c2b3344771ca
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2514560
  Reviewed-by: Sean McAllister <smcallis@google.com>
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
* cleanup_minimal: remove duplicate trap for temps and mounts George Engelbrecht 2020-11-03 1 -1/+0
  BUG=chromium:1141907
  TEST=unit tests and manual signing run

  Signed-off-by: George Engelbrecht <engeg@google.com>

  BRANCH=none

  Change-Id: I0316f464e138dea9e77b2554a3b31250e8b92c07
  Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2514559
  Reviewed-by: Sean McAllister <smcallis@google.com>
  Reviewed-by: LaMont Jones <lamontjones@chromium.org>
  Commit-Queue: George Engelbrecht <engeg@google.com>
  Tested-by: George Engelbrecht <engeg@google.com>