Currently make_dev_firmware will abort if the stored TPM version is
higher and ask user to reset TPM; however that is not very feasible
because:
(1) If the device is still MP-signed, external users can't boot
dev-signed factory shim or recovery or test images.
(2) Even if the user is able to reset TPM, the stored TPM version
will be increased again when user boots into the image for
running make_dev_firmware.
As a result, the right flow is to allow user (with warning and
instructions) to resign firmware with dev-keys, boot into recovery mode due
to anti-rollback check, and then boot any dev-signed image to reset TPM.
BRANCH=none
BUG=None
TEST=./make_dev_firmware.sh # see warning message.
Change-Id: Ifd4cd9912ab505427c985154b3f469e1485789b2
Reviewed-on: https://chromium-review.googlesource.com/419898
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
We had two places extracting the board value from lsb-release and parsing
the output by hand. Unify them to use the same parsing logic to avoid
desynchronized behavior.
We also create a new get_boardvar_from_lsb_release helper to unify the
board name -> variable name mangling logic.
BUG=chromium:667192
TEST=`./security_test_image --board samus` still detects the correct board
BRANCH=None
Change-Id: If88a8ae59b9c9fd45ddd796653a0173ed0186d2d
Reviewed-on: https://chromium-review.googlesource.com/414224
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Nicolas Boichat <drinkcat@chromium.org>
The old vboot1 cryptolib hard-coded many of its padding arrays in a
padding.c file. Use the equivalent vboot2 apis instead.
This change is almost exclusively on the host and test side; the only
firmware impact is on a single line of debug output.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: If689ffd92f0255847bea2424950da4547b2c0df3
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400902
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
For a device with bootcache support (such as parrot), the kernel config
contains bootcache args (reference: device_map_args in
build_kernel_image.sh). When removing rootfs verification, bootcache
should be disabled; equivalently, we should remove bootcache args.
BRANCH=vboot_reference
BUG=chromium:590606
TEST=tested on parrot device with ./build_image --board=parrot test.
After installing the image on device,
(1) run sudo /usr/share/vboot/bin/make_dev_ssd.sh --remove_rootfs_verification
(2) reboot
The bootloop bug is fixed.
Change-Id: I56ca5f2d98e00e1117611959a67ce72338ec7377
Reviewed-on: https://chromium-review.googlesource.com/395386
Commit-Ready: Qiang Xu <warx@chromium.org>
Tested-by: Qiang Xu <warx@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Qiang Xu <warx@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Verified boot has "TPM anti-rollback check" that prohibits booting
firmware if the device has been installed with a firmware that has
higher signing version. This is causing problems when people are trying
to use make_dev_firmware script on MP devices (which usually have a
higher version than DEV keyset, which is always 1).
Previously, make_dev_firmware didn't alert about this, so developers would
first see boot failure, figure out what happened, and then either uprev
the devkeys folder manually (for which we don't provide scripts on DUT, so
it's hard), or reset the device by using factory reset shim.
Since make_dev_firmware already knows all information, it should check
and increase version number automatically.
This change has implemented checking and increasing 'firmware version'.
The 'data key version' is also checked, but increasing that is more
complicated and we probably don't have all required tools yet on DUT,
so it is only checked.
Also added one flag --[no]mod_hwid so MP device users can more easily keep
their HWID when they need to switch back and forth between DEV / real MP
firmware.
BRANCH=none
BUG=none
TEST=Grab a firmware from daisy mp-v4.bin and do
./make_dev_firmware.sh -f bios.bin -t out.bin --nomod_hwid
Change-Id: If81ef60e6debdcd1c6d899b5a2c03bdacb4fd4f7
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/390871
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
The version of unsquashfs that is shipped with Trusty does not correctly
preserve file capabilities, even though the target filesystem supports them. This
change forces the Android signer script to prefer the pre-built binaries
for mksquashfs/unsquashfs in order for the file capabilities to be
preserved.
BUG=b:31630024
BRANCH=none
TEST=Called sign_android_image.sh locally, saw capabilities preserved
across repeated invocations.
CQ-DEPEND=CL:*289356
Change-Id: I13e8782edb699eb4ce8bcf82885bd474f4351430
Reviewed-on: https://chromium-review.googlesource.com/387867
Commit-Ready: Luis Hector Chavez <lhchavez@google.com>
Tested-by: Luis Hector Chavez <lhchavez@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
We use these features on the signer, so move the logic here so it's
in the public code.
BUG=None
TEST=`./create_new_keys.sh --key-name hihya --output foo --android` worked
BRANCH=None
Change-Id: I85d6fdbafd99a1b94bc90e26cbc17ba801614914
Reviewed-on: https://chromium-review.googlesource.com/388673
Reviewed-by: David Riley <davidriley@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
The 'key.versions' file is used by the image signing scripts to
ensure that newly generated keys and re-signed buildbot images
have the correct version numbers to avoid rollback in
officially-signed Chrome OS images.
If a skilled user is re-keying her Chromebook to use personal
keys in normal mode (which requires disabling WP and changing the
GBB and VBLOCK_A/B), she can avoid clearing the TPM rollback
counters if make_dev_firmware.sh will obtain the firmware_version
from the key.versions file in her personal key directory.
BUG=none
BRANCH=none
TEST=make runtests, manual tests
Extract an MP-signed BIOS from a Chromebook Peppy.
  flashrom -p host -r peppy.bin
Resign it without this CL:
  make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy.bin
Resign it with this CL:
  make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new.bin
Confirm no difference:
  cmp dev_peppy.bin dev_peppy_new.bin
Temporarily edit tests/devkeys/key.versions to contain
  firmware_key_version=2
  firmware_version=3
  kernel_key_version=4
  kernel_version=5
Resign again:
  make_dev_firmware.sh -f peppy.bin -k tests/devkeys -t dev_peppy_new2.bin
Confirm that the only difference is the firmware version in VBLOCK_A/B:
  futility show dev_peppy_new*.bin
Change-Id: I133f1b58fb969eaeb239a44a4800750c4eee1d5f
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/383887
Reviewed-by: Mike Frysinger <vapier@chromium.org>
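Added example (not code from vboot_reference or from any commit listed here): the check described in the make_dev_firmware anti-rollback change and the key.versions change above, sketched in POSIX sh. The function names, the mapping of "data key version" to firmware_key_version, and the packed layout of the stored TPM version (key version in the upper 16 bits, firmware version in the lower 16) are assumptions.

```sh
#!/bin/sh
# Added example; not part of vboot_reference. Function names are hypothetical.

# Constructed sample: the key.versions values used in the commit's manual test.
sample_key_versions() {
  printf '%s\n' firmware_key_version=2 firmware_version=3 \
    kernel_key_version=4 kernel_version=5
}

# get_version FILE NAME: print NAME's value; fail if missing or non-numeric.
# The key is matched by exact field comparison, not by a regex.
get_version() {
  v=$(awk -F= -v key="$2" '$1 == key { print $2; exit }' "$1") || return 1
  case "$v" in ''|*[!0-9]*) return 1 ;; esac
  echo "$v"
}

# plan_resign FILE STORED: compare the keyset versions in FILE with the
# version the TPM has stored (decimal or 0x-hex).
# ASSUMPTION: STORED packs the data key version in its upper 16 bits and the
# firmware version in its lower 16 bits.
# Prints one of: ok, bump-firmware-version:N, key-version-too-low, error.
plan_resign() {
  # Validate before arithmetic expansion so STORED is only ever a number.
  case "$2" in
    ''|0[0-9]*|0[xX]|0[xX]*[!0-9a-fA-F]*) echo error; return 2 ;;
    0[xX]*) ;;
    *[!0-9]*) echo error; return 2 ;;
  esac
  key_ver=$(get_version "$1" firmware_key_version) || { echo error; return 2; }
  fw_ver=$(get_version "$1" firmware_version) || { echo error; return 2; }
  stored=$(($2))
  stored_key=$((stored >> 16))
  stored_fw=$((stored & 0xFFFF))

  if [ "$key_ver" -gt "$stored_key" ]; then
    echo ok                                  # newer key version always passes
  elif [ "$key_ver" -lt "$stored_key" ]; then
    echo key-version-too-low                 # only checked, never raised
    return 1
  elif [ "$fw_ver" -ge "$stored_fw" ]; then
    echo ok
  else
    echo "bump-firmware-version:$stored_fw"  # lowest value that still boots
  fi
}

# Demo: a TPM that has stored key version 2, firmware version 7.
demo=$(mktemp) && sample_key_versions > "$demo"
plan_resign "$demo" 0x00020007
rm -f "$demo"
```

The firmware version is the only field the sketch proposes to raise; a lower data key version is reported and left alone, matching the commit's statement that it is "only checked".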
We switched to different debug keys so the signature needs to be
updated.
TEST=sign_official_image with the new recovery image, failed before this
change but succeeded after.
BUG=chromium:645628
Change-Id: I58236222c26f90268de80dc99f22d84650e67bb7
Reviewed-on: https://chromium-review.googlesource.com/383900
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
Several files were changed to be owned by root instead of the original owner
in the squashfs image. This has caused problems booting Android.
TEST=./sign_official_image with local keys, extract system.raw.img and
override device copy. Able to launch ARC.
BUG=b:29915721,b:30919855
Change-Id: Ic2595c99cbb7f7c2a2c543612a368681220cb3d9
Reviewed-on: https://chromium-review.googlesource.com/372312
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
When we return early from the release check, we leaked the mount point.
This could in turn cause issues with data syncing and hash calculation.
BUG=b:30891460
TEST=None
BRANCH=None
Change-Id: I7a40007e371b8e64ca7e8210ad9121dc1a4bcf9f
Reviewed-on: https://chromium-review.googlesource.com/370739
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
sign_android_image.sh is the main script that signs the image. It makes
changes to an image similar to what the Android official signing tool
(sign_target_files_apks.py) does, but more Chrome OS specific.
TEST=./sign_official_build.sh recovery recovery_image.bin \
../../tests/devkeys/ out_img
TEST=Same as above but with a recovery image without Android image.
Android signing was skipped.
TEST=Same as above but with an M53 image. Android signing was skipped.
TEST=Unpack the image and diff the before and after. Looks correct.
BUG=b:29915721
Change-Id: I0ae5f0ad8d2b05e485d60262558517ea563bf527
Reviewed-on: https://chromium-review.googlesource.com/366794
Commit-Ready: Victor Hsieh <victorhsieh@chromium.org>
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
This reverts commit f482470b72.
The original change is the suspected root cause of chromium:606738.
TEST=signing_unittests.py in cros-signing passes (with updated
vboot_stable_hash).
BUG=chromium:606738
BRANCH=None
Change-Id: I21ea027bbda123ee26c6deb4437b07d2fc6e8575
Reviewed-on: https://chromium-review.googlesource.com/340895
Commit-Ready: Amey Deshpande <ameyd@google.com>
Tested-by: Amey Deshpande <ameyd@google.com>
Reviewed-by: Amey Deshpande <ameyd@google.com>
Often the partitions we extract have extra space in them, but the dd
utility will still write out the excess zeros. That can mean we write
out hundreds of megs of data which could otherwise be skipped. We thus
waste a good amount of I/O and storage.
For now, only use this flag when extracting a partition to a new file
as this should be safe (there's no pre-existing data to clobber/merge).
Now that the signers have been upgraded to Trusty, we can land this.
BUG=chromium:530730
TEST=`./signing_unittests.py` passes
BRANCH=None
Change-Id: I275973ebfc028c15a8d1ef33dd9b3dcf6ca726a2
Reviewed-on: https://chromium-review.googlesource.com/306420
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Amey Deshpande <ameyd@google.com>
The standalone accessories are using a key name like this:
key_<product>.pem or key_<product>.vbprik2
when it doesn't exist, fall back to using key.pem or key.vbprik2.
BRANCH=none
BUG=chrome-os-partner:47557
TEST=manual:
./scripts/image_signing/sign_official_build.sh accessory_usbpd ../ec/build/zinger/ec.bin tests/devkeys-acc /tmp/ec-zinger.TEST.SIGNED.bin
./scripts/image_signing/sign_official_build.sh accessory_rwsig ../ec/private/build/hadoken/keyboard_app.bin tests/devkeys-acc /tmp/ec-hadoken.TEST.SIGNED.bin
./scripts/image_signing/sign_official_build.sh accessory_rwsig ../ec/private/build/hadoken/keyboard_app.bin /tmp /tmp/ec-hadoken.TEST.SIGNED.bin
Change-Id: I68863664bdb9da1695e91b1986f3a0148af7da26
Reviewed-on: https://chromium-review.googlesource.com/312836
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
My previous patch using futility to re-sign standalone accessory
firmware images had a mistake in the key directory path: fix it.
Also add RSA-2048 'accessory' keys for signer unit testing.
BRANCH=smaug, samus
BUG=chrome-os-partner:46635
TEST=run cros-signing unittests (./signing_unittests.py)
Change-Id: Ia2f641c85337c67f81968be4730643a6ad5f22cf
Reviewed-on: https://chromium-review.googlesource.com/309530
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Use futility to re-sign standalone accessory firmware images, either the
former "usbpd1" used by USB Power Delivery firmware generated from the
EC codebase or the new "rwsig" format.
BRANCH=smaug, samus
BUG=chrome-os-partner:46635
TEST=manual:
  openssl genrsa -F4 -out key_zinger.pem 2048
  openssl genrsa -F4 -out key_hadoken.pem 2048
  futility create --desc="Hadoken fake MP key" key_hadoken.pem key_hadoken
  ./scripts/image_signing/sign_official_build.sh accessory_usbpd build/zinger/ec.bin . build/zinger/ec.SIGNED.bin
  ./scripts/image_signing/sign_official_build.sh accessory_rwsig build/hadoken/keyboard_app.bin . build/hadoken/keyboard_app.SIGNED.bin
and compare the re-signed files with the original files.
Change-Id: I586ba3e4349929782e734af1590f394824e7dd44
Reviewed-on: https://chromium-review.googlesource.com/306795
Commit-Ready: Vincent Palatin <vpalatin@chromium.org>
Tested-by: Vincent Palatin <vpalatin@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
This reverts commit 82dec09bd5.
This flag doesn't exist on Ubuntu Precise which is what the signers
are running atm. Until we get them upgraded to Trusty, back this
change out.
BUG=chromium:530730
TEST=`./signing_unittests.py` passes
BRANCH=None
Change-Id: I9ba508c1531dbb169fd020d06ab102f6576b7342
Reviewed-on: https://chromium-review.googlesource.com/306310
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Amey Deshpande <ameyd@google.com>
Specifically, this patch updates 'root_hexdigest' in legacy bootloader
templates in EFI system partition to match the signed rootfs.
BRANCH=None
BUG=chromium:512940
TEST=Ran sign_official_build.sh locally and booted the image on kvm
(using BIOS).
TEST=Ran signing_unittests.py by locally changing vboot_stable_hash to
include this patch.
$ ./sign_official_build.sh base chromiumos_base_image.bin \
../../tests/devkeys chromiumos_base_image_signed.bin
Change-Id: Ied021c4464b113a64508f5081605069bdcecbc1f
Reviewed-on: https://chromium-review.googlesource.com/301742
Commit-Ready: Amey Deshpande <ameyd@google.com>
Tested-by: Amey Deshpande <ameyd@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
BRANCH=None
BUG=chrome-os-partner:44227
TEST='sign_official_build.sh recovery_kernel boot.img keys
boot.img.recovery-signed' works fine and able to boot in locked recovery mode
using fastboot boot.
Change-Id: Iabde28bb2068b8294fc3d03f2f771c63368ecbb5
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://chromium-review.googlesource.com/300250
Commit-Ready: Furquan Shaikh <furquan@chromium.org>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>
Often the partitions we extract have extra space in them, but the dd
utility will still write out the excess zeros. That can mean we write
out hundreds of megs of data which could otherwise be skipped. We thus
waste a good amount of I/O and storage.
For now, only use this flag when extracting a partition to a new file
as this should be safe (there's no pre-existing data to clobber/merge).
BUG=chromium:530730
TEST=`./signing_unittests.py` passes
BRANCH=None
Change-Id: Ic32665cf7c38fc0a5efc3f8b227fa8ff408ca9e3
Reviewed-on: https://chromium-review.googlesource.com/299450
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>
This should speed up the copies significantly by using less disk
storage & I/O when the unpacked file is not sparse already. This
option has been in cp for a long time, and works in Ubuntu Precise
(coreutils-8.13) & Trusty (coreutils-8.21).
BUG=chromium:530730
TEST=`./signing_unittests.py` passes
BRANCH=None
Change-Id: I82192455a623eabf96abf4f25296f3dc0c129ca2
Reviewed-on: https://chromium-review.googlesource.com/299440
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>
Reviewed-by: Amey Deshpande <ameyd@google.com>
Rather than use the existence of the output as a marker for running the
gbb step, key off the loem index. We want to run it the first time and
not bother after that.
BUG=chrome-os-partner:44227
BRANCH=None
TEST=signer can still sign loem keysets
Change-Id: I26e9ccaf1333f769d6993a8e0d84c63644bb2597
Reviewed-on: https://chromium-review.googlesource.com/298980
Reviewed-by: David Riley <davidriley@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
The "function" keyword is not portable -- use the normal function style.
The awk command uses a non-portable regex (the word anchor \>). Rework
it to avoid regexes entirely.
BUG=chromium:475101
TEST=keyset_version_check.sh works on a POSIX system
BRANCH=None
Change-Id: I5446f63aa9181d06da1898aafb8fab17f5042989
Reviewed-on: https://chromium-review.googlesource.com/296562
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>
Signer was calling sign_official_build.sh in a manner that wasn't
being accepted correctly. Also add test keys from firmware branch.
BUG=chrome-os-partner:44227
TEST=sign_official_build.sh nv_lp0_firmware tegra_lp0_resume.fw tests/devkeys tegra_lp0_resume.fw.signed versions.default
BRANCH=signer
Change-Id: Icd298ac75e3da746220826dc2fb9cc2466e41f1d
Signed-off-by: David Riley <davidriley@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/297802
Reviewed-by: Furquan Shaikh <furquan@chromium.org>
The new nvidia logic expects to have the "real" output filename and not
yet another temp path. Since sign_firmware.sh supports being passed in
the input as the output and doing in-place signing, just document it and
update the callers.
BUG=chrome-os-partner:44227
BRANCH=None
TEST=signer outputs pubkey.sha to the same location as the output firmware
Change-Id: Iadc5dc5aaace6be9e22ff2c55bfbc58b7e1b3ef0
Reviewed-on: https://chromium-review.googlesource.com/296574
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>
If nv_pkc.pem file is present for a device, use nv_pkc_signing for
adding PKC signature in the firmware image.
BUG=chrome-os-partner:44227
BRANCH=None
TEST=unittests run fine. verified image boots on fused system.
Change-Id: I9b2f48da55137a0e4a75f23d16d3779be1aa94c8
Signed-off-by: Furquan Shaikh <furquan@google.com>
Reviewed-on: https://chromium-review.googlesource.com/296452
Commit-Ready: Furquan Shaikh <furquan@chromium.org>
Tested-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
There are two new GBB flags added (lid/fastboot) and we should update the
description in set_gbb_flags.
BRANCH=none
BUG=none
TEST=emerge-link vboot_reference
Change-Id: I0d16df03e9427ec1c8780fbb6be10c31eed9bf9e
Signed-off-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/286052
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
This patch checks for 'cros_legacy' in the kernel config, and skips
running strip_boot_from_image.sh if present. This is because
'cros_installer postinst' on legacy BIOS relies on presence of /boot in
rootfs.
BRANCH=signer
BUG=b:20947354
TEST=Ran the script with devkeys, and checked presence of /boot in the
signed .bin file by mounting locally
$ ./sign_official_build.sh ssd chromiumos_image.bin ../../tests/devkeys \
chromiumos_image_signed.bin ../../tests/devkeys/key.versions
Change-Id: Ieb919067b353839019bc1c561d7bb66bebac1040
Reviewed-on: https://chromium-review.googlesource.com/272742
Tested-by: Amey Deshpande <ameyd@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Amey Deshpande <ameyd@google.com>
This patch changes ensure_no_nonrelease_files.sh to use per-board
release file blacklist instead of the default one. It also uses this
opportunity to make ensure_no_nonrelease_files.sh consistently
formatted.
BRANCH=none
TEST=Ran ./security_test_image on a lakitu image and --vboot_hash
pointing to this commit, and verified ensure_no_nonrelease_files.sh passes.
BUG=brillo:823
Change-Id: I2cff56192a5ff0b917faba7549e7adafb4757a47
Reviewed-on: https://chromium-review.googlesource.com/267335
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Amey Deshpande <ameyd@google.com>
Tested-by: Amey Deshpande <ameyd@google.com>
The '--save_config' and '--set_config' are found to be very useful for
developers but it's sometimes inconvenient that the developer must specify a
temporary path and know the implicit rules of how the files are generated.
Since most people just want to do in-place editing, we can add a --edit_config
so developers can simply invoke "make_dev_ssd --edit_config --partitions 2" to
start changing kernel command line without worrying about where to store the
temporary files.
BRANCH=none
BUG=none
TEST=./make_dev_ssd.sh --edit_config --partition 2
Change-Id: Ib8f19115df31f3f250b4378201d0f7ea562fec15
Reviewed-on: https://chromium-review.googlesource.com/266814
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Queue: Hung-Te Lin <hungte@chromium.org>
This is largely geared for testing for quickly creating a set of loem keys.
BUG=chromium:381862
TEST=`./add_loem_keys.sh 0` converted an existing keyset to a loem keyset
TEST=`./add_loem_keys.sh 3` added three more keysets
TEST=ran sign_official_build.sh with new keysets against a recovery.bin
BRANCH=none
Change-Id: I598b7a453b747a231df850657df50bede01768c2
Reviewed-on: https://chromium-review.googlesource.com/203940
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Commit-Queue: Mike Frysinger <vapier@chromium.org>