Commit Graph

1782 Commits

Author SHA1 Message Date
Daisuke Nojiri
c3f8de399b bdb: Add test for futility bdb --resign
BUG=chromium:649554
BRANCH=none
TEST=make runtests

Change-Id: Id33911a1a05375f860c38ee6df3f98fa59066acf
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/388734
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-05 17:11:28 -07:00
Daisuke Nojiri
9e8d3746ac bdb: Add test for futility bdb --add
BUG=chromium:649554
BRANCH=none
TEST=make runtests

Change-Id: Ie774a64e9abd6de8f0f96567f6f6a2e930a8624c
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/388733
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-05 17:11:27 -07:00
Daisuke Nojiri
aa77ae1b09 bdb: Add test for futility bdb --create and --verify
This script will be testing futility bdb command.

BUG=chromium:649554
BRANCH=none
TEST=make runtests

Change-Id: I3c5b9f9564b3cc67cac4eca02798b8146feeb072
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/388732
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-05 17:11:25 -07:00
Daisuke Nojiri
c3daa95c50 bdb: Make 'futility show' support BDB
This patch makes futility show command support boot block descriptor (BDB)
of the common boot flow.

BUG=chromium:649554
BRANCH=none
TEST=make runtests. Ran futility show bdb.bin.

Change-Id: I5f199a32ab1c268351e822e37ed39e41ae19bc7a
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/388631
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-04 21:19:12 -07:00
Daisuke Nojiri
a1026841a3 bdb: Add 'bdb --verify' to futility
This patch adds 'verify' sub-command to futility bdb. It verifies a BDB.
If a key digest is given, it also checks the validity of the embedded
BDB key.

BUG=chromium:649554
BRANCH=none
TEST=make runtests. Ran futility bdb --create, --add, --resign, --verify.

Change-Id: Ie19dc0f067c3c6ce65b2b6184bad14b49b188f6d
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/387906
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-04 21:19:10 -07:00
Daisuke Nojiri
9928e2ffc2 bdb: Add 'bdb --resign' to futility
'resign' sub-command signs a BDB using keys provided. It can resign only
the data key, the hashes, or both. Required keys vary depending on what
part of BDB is invalid and on what public key is specified in the command
line. It then detects what key is needed based on
the verification result and fails if the required key is not provided.

BUG=chromium:649554
BRANCH=none
TEST=make runtests. Ran futility bdb --create, --add, --resign, --verify

Change-Id: I589a5972f1d7e5066eb56e1c5efb4ee7089d41cd
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/387118
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-04 21:19:09 -07:00
Daisuke Nojiri
351bc294ed bdb: Add 'bdb --add' to futility
futility bdb --add appends a new hash entry to the given BDB.
The resulting BDB does not have a valid signature and is expected to
be resigned by 'resign' sub-command after all hashes are added.

BUG=chromium:649554
BRANCH=none
TEST=make runtest. Ran futility bdb --add, then --resign, then --verify
(to be implemented)

Change-Id: Icdf185f8ac268a23bb3954f5e78df6f80e749e18
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/387117
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-04 00:33:20 -07:00
Daisuke Nojiri
84928a0baa bdb: Assign different codes for data validation errors
This patch adds BDB_ERROR_DATA_CHECK_SIG and BD_ERROR_DATA_SIGNED_SIZE
to distinguish data signature validation errors.

'futility bdb --resign' uses these to decide whether resigning is needed
or not.

BUG=chromium:649554
BRANCH=none
TEST=make runtests

Change-Id: I19137801ece2424ae575092c51d02664c8b73ba3
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/386795
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-04 00:33:18 -07:00
Daisuke Nojiri
e43574cd3c bdb: add bdb --create command to futility
bdb command manipulates BDBs. '--create' sub-command creates a BDB.
Other sub-commands will follow in the successive patches.

BUG=chromium:649554
BRANCH=none
TEST=make runtests. Ran futility bdb --create using test keys and verify
it with bdb --verify (to be implemented).

Change-Id: Ib0a6165ac93efc7478b9d999d3c837d47cf81ddd
Reviewed-on: https://chromium-review.googlesource.com/386794
Commit-Ready: Daisuke Nojiri <dnojiri@chromium.org>
Tested-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-04 00:33:16 -07:00
Randall Spangler
770202f0c7 Fix more coverity warnings
Assorted minor code issues, which we should fix so any new errors stand
out more.

BUG=chromium:643769
BRANCH=none
TEST=make runtests

Change-Id: I82ece2de948ef224115c408bdfc09445d3da119b
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/390337
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2016-10-01 00:04:39 -07:00
Hung-Te Lin
fefc682bb7 scripts: Improve make_dev_firmware and allow working with more MP firmware.
Verified boot has "TPM anti-rollback check" that prohibits booting
firmware if the device has been installed with a firmware that has
higher signing version. This is causing problems when people are trying
to use make_dev_firmware script on MP devices (which usually have a
higher version than DEV keyset, which is always 1).

Previously, make_dev_firmware won't alert about this so developers will
first see boot failure, figure out what happened, and then either uprev
the devkeys folder manually (which we don't provide scripts on DUT so
it's hard), or reset the device by using factory reset shim.

Since make_dev_firmware already knows all information, it should check
and increase version number automatically.

This change has implemented checking and increasing 'firmware version'.
The 'data key version' is also checked, but increasing that is more
complicated and we probably don't have all required tools yet on DUT,
so it is only checked.

Also added one flag --[no]mod_hwid so MP device users can keep their HWID
easier, when they need to switch back and forth between DEV / real MP
firmware.

BRANCH=none
BUG=none
TEST=Grab a firmware from daisy mp-v4.bin and do
     ./make_dev_firmware.sh -f bios.bin -t out.bin --nomod_hwid

Change-Id: If81ef60e6debdcd1c6d899b5a2c03bdacb4fd4f7
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/390871
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
2016-10-01 00:02:43 -07:00
Daisuke Nojiri
8130e50341 bdb: Add bdb_extend
bdb_extend prints out secrets derived from the given BDS based on
the given BDB.

BUG=chromium:649555
BRANCH=none
TEST=make runtests. Ran bdb_extend -s bds.bin -b bdb.bin (with/without -m)

Change-Id: I8d9f73468992dad4cb93a422c0eae0977be9a16f
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/385539
2016-10-01 00:01:13 -07:00
Daisuke Nojiri
3b44f30597 bdb: Add functions to get attributes of BDB components
These APIs return size and offsets of BDB components. They help code
look more descriptive.

BUG=none
BRANCH=none
TEST=make runtests

Change-Id: I29326e249d9f2b88d5716f878f8415703f63360c
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/388813
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-01 00:01:12 -07:00
Daisuke Nojiri
626e0b034d bdb: Add secret deriving code for SP-RO
This patch adds code which derives secrets from BDS. It's supposed to be
done by SP-RO, hence the code is mostly useful for testing (or emulation).

vba_extend_secrets_ro takes a function pointer to a hash extend
function. It'll be used to try different sha256 extend algorithms.

BUG=chromium:649555
BRANCH=none
TEST=make runtests

Change-Id: I8fef6b851fb84686d8bcdd948b36160016687c51
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/384354
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-01 00:01:10 -07:00
Daisuke Nojiri
01fb293825 bdb: Make bdb_verify accept null pointer for key digest
If key digest matching is not required (i.e. verify-bdb-key efuse
flag is not set), bdb_verify skips digest matching. This change makes
bdb_verify accept null pointer for the key digest parameter.

BUG=chromium:649555
BRANCH=none
TEST=make runtests

Change-Id: I14e5bd02526684b7b7bca1e1701cf04056df83ea
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/385538
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-10-01 00:01:09 -07:00
Victor Hsieh
31cf713244 Revert "Change debug key signatures"
The lab uses a test image (non-signed) to run CTS, so we still need to switch the key to make a test pass (which blacklists Google's dev key).

This reverts commit b94145a309.

TEST=None
BUG=b:29915721,b:31373710

Change-Id: I0873d13b606f3e49b9d055e9dd081d3dacd97c65
Reviewed-on: https://chromium-review.googlesource.com/388636
Commit-Ready: Victor Hsieh <victorhsieh@chromium.org>
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2016-09-26 11:59:22 -07:00
Daisuke Nojiri
10d5cfe461 bdb: Define RSA symbols non-weakly
Defining these symbols weakly causes the output executable to hit
segmentation fault because ld chooses *UND* symbols over the definition
when they appear in *.a archive:

$ objdump -t build/libvboot_utilbdb.a
bdb.o:
0000000000000000 w   *UND* 0000000000000000 bdb_rsa4096_verify
...
rsa.o
000000000000061f w F .text 0000000000000111 bdb_rsa4096_verify
...

This happens regardless of whether the symbol is referenced or not;
or whether the object defining the symbol appears earlier than the
reference or not.

BUG=none
BRANCH=none
TEST=make runtests

Change-Id: Ib53a9010f2afdc2ba59369fb145aef4381db30d3
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/387905
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-09-26 11:59:18 -07:00
Daisuke Nojiri
d0e3d7e1fa test: Print either 'comment' or 'desc'
Currently, test macros print out 'desc' regardless of whether 'comment' is specified
or not. This patch makes 'desc' printed out only if 'comment' is not
supplied.

BUG=none
BRANCH=none
TEST=make runtests

Change-Id: I146d681b0d3cb7d41c7f80b71c59418a0250fc17
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/385159
Commit-Ready: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-09-24 16:22:34 -07:00
Luis Hector Chavez
42b74d2677 Preserve file capabilities while signing Android
The version of unsquashfs that is shipped with Trusty does not correctly
file capabilities, even though the target filesystem supports them. This
change forces the Android signer script to prefer the pre-built binaries
for mksquashfs/unsquashfs in order for the file capabilities to be
preserved.

BUG=b:31630024
BRANCH=none
TEST=Called sign_android_image.sh locally, saw capabilities preserved
     across repeated invocations.
CQ-DEPEND=CL:*289356

Change-Id: I13e8782edb699eb4ce8bcf82885bd474f4351430
Reviewed-on: https://chromium-review.googlesource.com/387867
Commit-Ready: Luis Hector Chavez <lhchavez@google.com>
Tested-by: Luis Hector Chavez <lhchavez@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2016-09-23 21:09:16 -07:00
Bill Richardson
0ea5e1ec4a Fix test failures when TPM2_MODE is defined
An earlier commit had added this:

  ifeq (${TPM2_MODE},)
  # TODO(apronin): tests for TPM2 case?
  TEST_NAMES += \
          tests/tlcl_tests \
          tests/rollback_index2_tests
  endif

but left this:

  .PHONY: runmisctests
  runmisctests: test_setup
          ${RUNTEST} ${BUILD_RUN}/tests/rollback_index2_tests
          [...]
          ${RUNTEST} ${BUILD_RUN}/tests/tlcl_tests

So if TPM2_MODE is not null, those two test targets won't be
built. This CL puts those two into the same guard, so that
they won't be attempted if they're not built.

BUG=chrome-os-partner:57727
BRANCH=all
TEST=manual

Before, this fails:

  FEATURES=test emerge-reef vboot_reference

Now, it passes.

Change-Id: Ic00f9f867d3d9c719d797907f00fda8bc5044504
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/388711
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Vadim Bendebury <vbendeb@chromium.org>
2016-09-22 21:24:31 +00:00
Mike Frysinger
6f2ea5b731 keygeneration: create_new_keys: add key-name/output options
We use these features on the signer, so move the logic here so it's
in the public code.

BUG=None
TEST=`./create_new_keys.sh --key-name hihya --output foo --android` worked
BRANCH=None

Change-Id: I85d6fdbafd99a1b94bc90e26cbc17ba801614914
Reviewed-on: https://chromium-review.googlesource.com/388673
Reviewed-by: David Riley <davidriley@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
2016-09-22 19:58:27 +00:00
Mike Frysinger
df39d0ac27 keygeneration: add --android option to generate keys
BUG=b:29915721
TEST=`./create_new_keys.sh --android` includes android keys
BRANCH=None

Change-Id: Ibb00b87921435ac5b70a297324ddf60563dc08d8
Reviewed-on: https://chromium-review.googlesource.com/386905
Reviewed-by: Victor Hsieh <victorhsieh@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
2016-09-20 20:48:21 +00:00
Randall Spangler
f87aa72d4b tests: Fix coverity warnings
Assorted minor code issues, which we should fix so any new errors stand
out more.

BUG=chromium:643769
BRANCH=none
TEST=make runtests

Change-Id: I927571f8a30794c70228506afe4da3eda86f765b
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/383953
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2016-09-15 16:16:13 -07:00
Randall Spangler
b56b5f8e06 Fix more coverity warnings in utilities
Assorted minor code issues, which we should fix so any new errors stand
out more.

BUG=chromium:643769
BRANCH=none
TEST=make runtests

Change-Id: I8fcf0c51e33d5dc49f650f4069f1579091cf188d
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/383713
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2016-09-15 16:16:12 -07:00
Randall Spangler
8f400498c6 utilities: Fix coverity warnings
Assorted minor code issues, which we should fix so any new errors stand
out more.

BUG=chromium:643769
BRANCH=none
TEST=make runtests

Change-Id: Ifcb50b3dfcc3d376bf6803e9c06f8e68dafd51a0
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/382611
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2016-09-14 13:05:04 -07:00
Randall Spangler
d8a9ede87c futility/host lib: Fix coverity warnings
Assorted minor code issues, which we should fix so any new errors stand
out more.

BUG=chromium:643769
BRANCH=none
TEST=make runtests

Change-Id: Ib37b45dea54bd506b519b0304300b8d192e34339
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/382319
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2016-09-14 13:05:02 -07:00
Bill Richardson
afa7350dcc make_dev_firmware.sh should use key.versions file
The 'key.versions' file is used by the image signing scripts to
ensure that newly generated keys and re-signed buildbot images
have the correct version numbers to avoid rollback in
officially-signed Chrome OS images.

If a skilled user is re-keying her Chromebook to use personal
keys in normal mode (which requires disabling WP and changing the
GBB and VBLOCK_A/B), she can avoid clearing the TPM rollback
counters if make_dev_firmware.sh will obtain the firmware_version
from the key.versions file in her personal key directory.

BUG=none
BRANCH=none
TEST=make runtests, manual tests

Extract an MP-signed BIOS from a Chromebook Peppy.

  flashrom -p host -r peppy.bin

Resign it without this CL:

  make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy.bin

Resign it with this CL:

  make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new.bin

Confirm no difference:

  cmp dev_peppy.bin dev_peppy_new.bin

Temporarily edit tests/devkeys/key.versions to contain

  firmware_key_version=2
  firmware_version=3
  kernel_key_version=4
  kernel_version=5

Resign again:

  make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new2.bin

Confirm that the only difference is the firmware version in VBLOCK_A/B:

  futility show dev_peppy_new*.bin

Change-Id: I133f1b58fb969eaeb239a44a4800750c4eee1d5f
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/383887
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2016-09-12 17:36:22 -07:00
Victor Hsieh
b94145a309 Change debug key signatures
We switched to different debug keys so the signature needs to be
updated.

TEST=sign_official_image with the new recovery image, failed before this
     change but succeeded after.
BUG=chromium:645628

Change-Id: I58236222c26f90268de80dc99f22d84650e67bb7
Reviewed-on: https://chromium-review.googlesource.com/383900
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
2016-09-09 21:39:16 +00:00
Mike Frysinger
6c18af5017 cgpt: add support for managing the legacy boot gpt bit
Bit 2 in the GPT partition attributes has been allocated as the legacy
bios boot (equivalent to the "active" or "boot" flag in MBR).  If we
try to boot images on newer x86 systems, syslinux dies because it can't
find any GPT partition marked bootable.

Update the various parts of cgpt add & show to manage this bit.  Now we
can run:
	cgpt add -i 12 -B 1 chromiumos_image.bin
And the EFI partition will be marked bootable.

BUG=chromium:644845
TEST=vboot_reference unittests pass
TEST=booted an amd64-generic disk image via USB on a generic laptop
BRANCH=None

Change-Id: I78e17b8df5b0c61e9e2d8a3c703e6d5ad230fe92
Reviewed-on: https://chromium-review.googlesource.com/382411
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-09-08 15:36:23 -07:00
Mike Frysinger
6764405c93 cgpt: fix -A documentation to match reality
The documentation claims the -A option shows the raw 64-bit attributes
field when in reality it only shows the high reserved 16-bits.  Change
the docs to match the code.

BUG=chromium:644845
TEST=vboot_reference unittests pass
BRANCH=None

Change-Id: If163896ddbca0dc27ac8205db313031e73a68fd7
Reviewed-on: https://chromium-review.googlesource.com/382431
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
2016-09-08 06:15:10 -07:00
Mike Frysinger
c60eb7e735 cgpt: unify cli int parsing error checking
Most of the cmd funcs had the same logic copied & pasted multiple times
over.  Unify them into a common header.

BUG=chromium:644845
TEST=precq passes
TEST=passing invalid args to some funcs is caught
BRANCH=None

Change-Id: Ib7212bcbb17da1135b2508a52910aac37ee8e6cd
Reviewed-on: https://chromium-review.googlesource.com/382691
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-09-08 06:14:45 -07:00
Hung-Te Lin
61c4ee12be tests: Prevent testing dev_firmware* if the keys do not exist.
In CL:378661 we removed dev_firmware* from tests/devkey but that also makes
futility unit tests fail.

This changes signing test scripts to first check if dev_firmware* keys exist,
and only use them (and test ZGB signing results) if available.

BRANCH=none
BUG=chrome-os-partner:52568,chrome-os-partner:56917
TEST=make runfutiltests; make runtests;
     add dev_firmware* back; run tests again and succeed.

Change-Id: If42c8404baf183edf5c8dbeadf537efa8ad571ec
Reviewed-on: https://chromium-review.googlesource.com/381151
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
2016-09-07 00:16:54 -07:00
Randall Spangler
5c537e3ea8 futility: use vboot2 functions for kernel preamble
Another in a long series of refactoring changes to replace old vboot1
code with its vboot2 equivalent.  Futility changes only; no change to
firmware.

BUG=chromium:611535
BRANCH=none
TEST=make runtests

Change-Id: I7be813b82820674e975db13d5e540e49bdea028d
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/366057
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2016-09-06 22:02:21 -07:00
Randall Spangler
7d0cc747c7 vboot: Remove vboot1 host signature functions
These have been superseded by their vboot2 equivalents.  No firmware
changes; host-only.

BUG=chromium:611535
BRANCH=none
TEST=make runtests

Change-Id: I36b5d3357767f32489efb7e480049620dcc0fce4
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/363970
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2016-09-06 22:02:19 -07:00
Randall Spangler
a62ffa8d61 vboot: replace CreateKernelPreamble() with vboot2 equivalent
Continued refactoring of host library to kernel style / vboot2 structs.

BUG=chromium:611535
BRANCH=none
TEST=make runtests

Change-Id: Ifed376812ed7690eea1ec0dfab958e836f7724a0
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/363951
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2016-09-06 22:02:18 -07:00
Randall Spangler
0efc4f3ee1 futility: Fix lookup of invalid algorithm names
If given a malformed file with an invalid algorithm, futility could
dereference null when looking up the algorithm names.

BUG=chromium:643769
BRANCH=none
TEST=make runtests

Change-Id: I26d1312b8bf2eec8d806664708676daa9f36fa58
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/380522
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
2016-09-06 22:02:16 -07:00
Randall Spangler
470b248166 cgpt: Fix coverity warnings
Assorted minor code issues, which we should fix so any new errors stand
out more.

BUG=chromium:643769
BRANCH=none
TEST=make runtests

Change-Id: I9e7ce2ba226993fc53d1745c98381cb7cfcb7712
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/380448
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
2016-09-06 22:02:15 -07:00
Randall Spangler
1589f94dc1 Fix coverity warnings in firmware
Assorted minor code issues, which we should fix so any new errors stand
out more.

BUG=chromium:643769
BRANCH=none
TEST=make runtests

Change-Id: I84182df0d0e222f4f60206c621ec62e1ee283adb
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/380697
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
2016-09-06 22:02:13 -07:00
Randall Spangler
f7559e4b46 futility: Use vboot 2.0 APIs for public keys
This replaces calls to the old vboot 1 APIs with their vboot 2.0
equivalents.

BUG=chromium:611535
BRANCH=none
TEST=make runtests

Change-Id: Ieb1a127577c6428c47ac088c3aaa0d0dad6275a8
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356541
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
2016-09-02 01:28:37 -07:00
Hung-Te Lin
df2bd9b1e7 tests: Remove dev_firmware.* keyblock and keys from devkey set.
The dev_firmware* was created for legacy devices having different RW
firmware - A for devmode and B for normal, like Alex and ZGB.
All other Chromebooks, including the CR48, were not doing that.

Signer scripts relied on checking if RW A/B are equivalent to decide if
they should select <dev_firmware* for A, firmware* for B> or <firmware*
(normal) for both A and B>. This worked for a long time until Skylake
family joined.

Skylake FSP has some limitation that we have to execute code in-place,
which leads to making RW A != B (due to addresses and offsets), and
triggers signer to incorrectly use dev_firmware*.

The production images are using keyset folders on signerbot, which only
Alex/ZGB keyset folders have dev_firmware*; so the images for Skylake
boards are signed correctly. But for people running firmware related
tests using tests/devkey keyset, for example
platform/dev/fm_and_key_version_test_prep.sh, having dev_firmware* in
devkey may produce incorrect output.

There is currently no easy way for signer scripts to figure out if the
image should use dev_firmware or not except looking into keyset folder.
Since Alex and ZGB are pretty old and no one plans to run key change
tests anymore on them, the recommended solution is to remove
dev_firmware.* from devkeys folder.

BRANCH=none
BUG=chrome-os-partner:52568
TEST=platform/dev/fm_and_key_version_test_prep.sh -b sentry -i \
     /tmp/chromiumos_test_image.bin -f  8530.69.0 -s /tmp/image.bin -v \
     Google_Sentry.7820.156.0

Change-Id: Ief37dd482875efc8e808460f3ad00041b5f3b3a2
Reviewed-on: https://chromium-review.googlesource.com/378661
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2016-09-01 19:52:40 -07:00
Victor Hsieh
b618e0ccf3 Remove Android signing restriction of M54+
Effectively, this will sign Android platform apks in M53, the first ARC
release.

TEST=Haven't heard problem from the latest Dev release 8737.1.0
BUG=b:29915721

Change-Id: Ic71f04e7fddbe3d020c57f9933e09b5537ee7370
Reviewed-on: https://chromium-review.googlesource.com/376799
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
2016-08-29 17:24:47 +00:00
Mike Frysinger
a929c2755e image_signing: drop board hacking for lsb appid checks
BUG=chromium:605595
TEST=None
BRANCH=None

Change-Id: I8104d80d151440bdd8f419c88bd98592d9f44612
Reviewed-on: https://chromium-review.googlesource.com/371678
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
2016-08-25 01:46:24 -07:00
Victor Hsieh
8145468859 Skip Android signing if executables are not found
TEST=./fm_and_key_version_test_prep ... in chroot
BUG=chrome-os-partner:56279

Change-Id: I0c76aed757ae30245e07873180dbc9b609a8ec13
Reviewed-on: https://chromium-review.googlesource.com/374078
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: danny chan <dchan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2016-08-23 17:58:01 +00:00
Stephen Barber
5d99669608 tlcl: add implementations for GetOwnership and Read/WriteLock
mount-encrypted needs to be aware of TPM ownership status, and
will also want to issue a read lock for the early access NVRAM
index.

BRANCH=none
BUG=chromium:625037
TEST=mount-encrypted shows ownership at boot with kevin

Change-Id: I42f43f91d892137e1c46c7cacd88e3b749ce7f04
Reviewed-on: https://chromium-review.googlesource.com/366443
Commit-Ready: Andrey Pronin <apronin@chromium.org>
Tested-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
2016-08-21 14:04:08 -07:00
Victor Hsieh
16f1b29e76 Refer keytool using relative path
We will assume JDK bin/ is in the PATH, instead of using an absolute
path.

TEST=sign_official_image.sh
BUG=b:29915721,chrome-os-partner:56279

Change-Id: I55379a8409b7d81f213d4d7418133691fa8152cf
Reviewed-on: https://chromium-review.googlesource.com/373558
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
2016-08-19 21:48:31 +00:00
Victor Hsieh
928f2405b8 Fix file ownership during Android apk signing
Several files were changed to be owned by root instead of the original owner
in the squashfs image.  This has caused problems booting Android.

TEST=./sign_official_image with local keys, extract system.raw.img and
     override device copy.  Able to launch ARC.
BUG=b:29915721,b:30919855

Change-Id: Ic2595c99cbb7f7c2a2c543612a368681220cb3d9
Reviewed-on: https://chromium-review.googlesource.com/372312
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
2016-08-18 23:51:30 +00:00
Victor Hsieh
7be7de4506 Only re-sign ARC apks when lsb-release looks legit
TEST=sign_official_build.sh with veyron_minnie image  # works
TEST=sign_official_build.sh with veyron_shark image  # skipped
BUG=chromium:638289

Change-Id: Ic00b5c73fc094ad1146ffb1f29d2dcc5cfdb839d
Reviewed-on: https://chromium-review.googlesource.com/371458
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2016-08-16 21:02:11 +00:00
Mike Frysinger
59c4501d8e image_signing: avoid leaking rootfs mount in android code
When we return early from the release check, we leaked the mount point.
This could in turn cause issues with data syncing and hash calculation.

BUG=b:30891460
TEST=None
BRANCH=None

Change-Id: I7a40007e371b8e64ca7e8210ad9121dc1a4bcf9f
Reviewed-on: https://chromium-review.googlesource.com/370739
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
2016-08-16 17:47:47 +00:00
Victor Hsieh
7573ff7efb Add script to sign Android image
sign_android_image.sh is the main script that signs the image. It makes
similar changes to an image like the Android official signing tool
(sign_target_files_apks.py) does, but more Chrome OS specific.

TEST=./sign_official_build.sh recovery recovery_image.bin \
         ../../tests/devkeys/ out_img
TEST=Same above but with a recovery image without Android image.
     Android signing was skipped.
TEST=Same above but with a M53 image.  Android signing was skipped.
TEST=Unpack the image and diff the before and after.  Looks correct.
BUG=b:29915721

Change-Id: I0ae5f0ad8d2b05e485d60262558517ea563bf527
Reviewed-on: https://chromium-review.googlesource.com/366794
Commit-Ready: Victor Hsieh <victorhsieh@chromium.org>
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
2016-08-15 15:19:52 -07:00
Nicolas Norvez
8e917140b7 crossystem: refactor VM detection to share across architectures
If there is no HWID and mainfw_type is "nonchrome", report that the
host is a VM. If HWID is present, it's not a VM. Make the detection
architecture-independent.

BUG=chromium:632303
TEST=emerge-cyan vboot_reference and test binary on QEMU and HW
TEST=emerge-veyron_minnie vboot_reference and test binary on HW
BRANCH=none

Change-Id: I076eb9838a3b724ded0cfded9fb8d8a5392631c8
Reviewed-on: https://chromium-review.googlesource.com/368650
Commit-Ready: Nicolas Norvez <norvez@chromium.org>
Tested-by: Nicolas Norvez <norvez@chromium.org>
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
2016-08-15 09:25:29 -07:00