This new recovery reason will instruct the calling firmware in
vboot_select_and_load_kernel to reboot the device (under the assumption
that training of memory has already been performed by the firmware). On
seeing the return code VBERROR_REBOOT_REQUESTED, calling firmware should
perform a reboot.
BUG=chrome-os-partner:59352
BRANCH=None
TEST=make -j runtests successful
Change-Id: I110a735e612665cb2378bd71ca01a111edaf58e3
Signed-off-by: Furquan Shaikh <furquan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/407656
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Previously, vb2_unpack_key() actually unpacked a key buffer. Callers
that had a vb2_packed_key had to typecast it back to a uint8_t buffer to
unpack it. Rename vb2_unpack_key() to vb2_unpack_key_buffer(), and make
vb2_unpack_key() unpack a vb2_packed_key.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge;
emerge-samus and boot it
Change-Id: I9ee38a819c59cc58a72ead78cf5ddf3d0f301ae7
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400906
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Originally, vboot1 code used VbExMalloc() and VbExFree() since it needed
to talk to EFI firmware that didn't have standard malloc() and free().
Now, coreboot and depthcharge implement them as wrappers around those
standard calls. vboot2 code already calls them directly, so let vboot1
code do that too.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: I49ad0e32e38d278dc3589bfaf494bcf0e4b0a4bd
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400905
Now that the vboot1 cryptolib code is gone, nothing uses stateful_util.
Remove it and its unit tests.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: I75b6014be00c5266545db10e87c1d9485fd1444b
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400904
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
At this point, all that's left are a few constants in the cryptolib
header files, and they're only used by host-side code. So move them to
a host-side header file and get rid of cryptolib.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: I2235f0e84e13fef313afe54e749b73744b157884
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400903
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
The old vboot1 cryptolib hard-coded many of its padding arrays in a
padding.c file. Use the equivalent vboot2 apis instead.
This change is almost exclusively on the host and test side; the only
firmware impact is on a single line of debug output.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: If689ffd92f0255847bea2424950da4547b2c0df3
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400902
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
This change makes run_test_scripts.sh dump stderr to the terminal
so that the failed test can be debugged. This is necessary to
analyze a failing test on build servers.
BUG=none
BRANCH=none
TEST=sudo FEATURES=test emerge vboot_reference && FEATURES=test
USE=minimal emerge-samus vboot_reference && make runtests
Change-Id: Id9ae0fb174cfe382ec30a1175f54c0891543c46e
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/403428
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Another in a continued stream of refactoring. This change removes more
of the vb1 rsa library code and associated tests, in favor of their vb2
equivalents. This change touches only host-side code and its tests, not
firmware.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: I1973bc2f03c60da62232e30bab0fa5fe791b6b34
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400901
No need to have two implementations of this now.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: I18bac928eb09971c37f3e1d7cbfd2009999b1f31
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/400899
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
No need to have two implementations of this now.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: Id3348eae80c5d85451981a44729164ff59f88648
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/399121
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Originally, we didn't trust the firmware to provide these functions from
a standard library. Now, with coreboot, we do.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; emerge-kevin coreboot depthcharge
Change-Id: I4e624c40085f2b665275a38624340b2f6aabcf11
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/399120
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
This change makes futility show command to dump data header information
in a BDB. # of hashes is used to verify 'futility bdb --add' can add a
hash in the unit test.
BUG=chromium:649554
BRANCH=none
TEST=make runtests. run futility show tests/futility/data/bdb.bin
BDB Header:
Struct Version: 0x1:0x0
BDB key digest: c7895611c24efb2249d97376189eeee07def6bcd8ab162a3850d279354f08ddf
size: 1176
Data Header:
Struct Version: 0x1:0x0
# of Hashes: 2
Hash Entry Size:56
Signed Size: 272
Description:
Hash #0:
Offset: 0x2
Size: 35
Partition: 3
Type: 1
Load Address: 0x4
Digest: 72bcf33f448465f035bd58e4b61501db925e67c89feb4a70cb909d8b425861f4
Hash #1:
Offset: 0x2
Size: 35
Partition: 3
Type: 1
Load Address: 0x4
Digest: 72bcf33f448465f035bd58e4b61501db925e67c89feb4a70cb909d8b425861f4
Change-Id: I88934b761236f36a5d607c96f6f2543a62e50b68
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/392949
bdb_get_hash_by_index returns a hash entry from a BDB using an index.
bdb_get_hash is also renamed to bdb_get_hash_by_type. bdb_get_hash
is deprecated. Callers are expected to call bdb_get_hash_by_index(buf, 0)
instead.
BUG=none
BRANCH=none
TEST=make runtests
Change-Id: Id99926123c0ac9094574eb057c63f79eceda2867
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/392947
Reviewed-by: Randall Spangler <rspangler@chromium.org>
When --ignore_key_digest is specified, futility bdb --verify command
returns success even if the key digest didn't match. Warning message
will be printed to remind the digest wasn't checked.
BUG=chromium:649554
BRANCH=none
TEST=Tested as follows:
$ build/futility/futility bdb --verify tests/futility/data/bdb.bin \
--ignore_key_digest
BDB is valid. Key digest doesn't match but ignored.
$ echo $?
0
Change-Id: I996b0a4f7bbbcf546e2d958f28c5ee8fb251fb99
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/392946
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Currently, test macros print out 'desc' regardless 'comment' is specified
or not. This patch makes TEST_EQ print 'desc' only if 'comment' is not
supplied.
BUG=none
BRANCH=none
TEST=make runtests
Change-Id: I9cc3c9a9561534352ae0315dfea983f2c212b909
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/388859
Reviewed-by: Randall Spangler <rspangler@chromium.org>
This patch makes futility show command support boot block descriptor (BDB)
of the common boot flow.
BUG=chromium:649554
BRANCH=none
TEST=make runtests. Ran futility show bdb.bin.
Change-Id: I5f199a32ab1c268351e822e37ed39e41ae19bc7a
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/388631
Reviewed-by: Randall Spangler <rspangler@chromium.org>
This patch adds BDB_ERROR_DATA_CHECK_SIG and BD_ERROR_DATA_SIGNED_SIZE
to distiniguish data signature validation errors.
'futility bdb --resign' uses these to decide whether to resign is needed
or not.
BUG=chromium:649554
BRANCH=none
TEST=make runtests
Change-Id: I19137801ece2424ae575092c51d02664c8b73ba3
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/386795
Reviewed-by: Randall Spangler <rspangler@chromium.org>
This patch adds code which dervies secrets from BDS. It's supposed to be
done by SP-RO, hence the code is mostly useful for testing (or emulation).
vba_extend_secrets_ro takes a function pointer to a hash extend
function. It'll be used to try different sha256 extend algorithms.
BUG=chromium:649555
BRANCH=none
TEST=make runtests
Change-Id: I8fef6b851fb84686d8bcdd948b36160016687c51
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/384354
Reviewed-by: Randall Spangler <rspangler@chromium.org>
If key digest matching is not required (i.e. verify-bdb-key efuse
flag is not set), bdb_verify skips digest matching. This change makes
bdb_verify accept null pointer for the key digest parameter.
BUG=chromium:649555
BRANCH=none
TEST=make runtests
Change-Id: I14e5bd02526684b7b7bca1e1701cf04056df83ea
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/385538
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Currently, test macros print out 'desc' regardless 'comment' is specified
or not. This patch makes 'desc' printed out only if 'comment' is not
supplied.
BUG=none
BRANCH=none
TEST=make runtests
Change-Id: I146d681b0d3cb7d41c7f80b71c59418a0250fc17
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/385159
Commit-Ready: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Bit 2 in the GPT partition attributes has been allocated as the legacy
bios boot (equivalent to the "active" or "boot" flag in MBR). If we
try to boot images on newer x86 systems, syslinux dies because it can't
find any GPT partition marked bootable.
Update the various parts of cgpt add & show to manage this bit. Now we
can run:
cgpt add -i 12 -B 1 chromiumos_image.bin
And the EFI partition will be marked bootable.
BUG=chromium:644845
TEST=vboot_reference unittests pass
TEST=booted an amd64-generic disk image via USB on a generic laptop
BRANCH=None
Change-Id: I78e17b8df5b0c61e9e2d8a3c703e6d5ad230fe92
Reviewed-on: https://chromium-review.googlesource.com/382411
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
In CL:378661 we removed dev_firmware* from tests/devkey but that also makes
futility unit tests to fail.
This changes signing test scripts to first check if dev_firmware* keys exist,
and only use it (and test ZGB signing results) if available.
BRANCH=none
BUG=chrome-os-partner:52568,chrome-os-partner:56917
TEST=make runfutiltests; make runtests;
add dev_firmware* back; run tests again and success.
Change-Id: If42c8404baf183edf5c8dbeadf537efa8ad571ec
Reviewed-on: https://chromium-review.googlesource.com/381151
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Another in a long series of refactoring changes to replace old vboot1
code with its vboot2 equivalent. Futility changes only; no change to
firmware.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: I7be813b82820674e975db13d5e540e49bdea028d
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/366057
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
These have been superseded by their vboot2 equivalents. No firmware
changes; host-only.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: I36b5d3357767f32489efb7e480049620dcc0fce4
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/363970
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
The dev_firmware* was created for legacy devices having different RW
firmware - A for devmode and B for normal, like Alex and ZGB.
All other Chromebooks, including the CR48, were not doing that.
Signer scripts relied on checking if RW A/B are equivalent to decide if
they should select <dev_firmware* for A, firmware* for B> or <firmware*
(normal) for both A and B>. This worked for a long time until Skylake
family joined.
Skylake FSP has some limitation that we have to execute code in-place,
which leads to making RW A != B (due to addresses and offsets), and
triggers signer to incorrectly use dev_firmware*.
The production images are using keyset folders on signerbot, which only
Alex/ZGB keyset folders have dev_firmware*; so the images for Skylake
boards are signed correctly. But for people running firmware related
tests using tests/devkey keyset, for example
platform/dev/fm_and_key_version_test_prep.sh, having dev_firmware* in
devkey may produce incorrect output.
There is currently no easy way for signer scripts to figure out if the
image should use dev_firmware or not except looking into keyset folder.
Since Alex and ZGB are pretty old and no one plans to run key change
tests anymore on them, the recommended solution is to remove
dev_firmware.* from devkeys folder.
BRANCH=none
BUG=chrome-os-partner:52568
TEST=platform/dev/fm_and_key_version_test_prep.sh -b sentry -i \
/tmp/chromiumos_test_image.bin -f 8530.69.0 -s /tmp/image.bin -v \
Google_Sentry.7820.156.0
Change-Id: Ief37dd482875efc8e808460f3ad00041b5f3b3a2
Reviewed-on: https://chromium-review.googlesource.com/378661
Commit-Ready: Hung-Te Lin <hungte@chromium.org>
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
sign_android_image.sh is the main script that signs the image. It makes
similar changes to an image like the Android official signing tool
(sign_target_files_apks.py) does, but more Chrome OS specific.
TEST=./sign_official_build.sh recovery recovery_image.bin \
../../tests/devkeys/ out_img
TEST=Same above but with a recovery image without Android image.
Android signing was skipping.
TEST=Same above but with a M53 image. Android signing was skipped.
TEST=Unpack the image and diff the before and after. Looks correct.
BUG=b:29915721
Change-Id: I0ae5f0ad8d2b05e485d60262558517ea563bf527
Reviewed-on: https://chromium-review.googlesource.com/366794
Commit-Ready: Victor Hsieh <victorhsieh@chromium.org>
Tested-by: Victor Hsieh <victorhsieh@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
This refactors futility and the host library to use only vboot 2.0 APIs
to create and verify keyblocks.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: Ia3cc1e24971b94f01bcb4890c8666a3af6f84841
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/356129
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
This replaces all calls to vboot1 VerifyFirmwarePreamble() with
equivalent vb2.0 functions. No effect on ToT firmware, which already
uses the vboot2.0 functions.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: I5c84e9ed0e0c75e2ea8dbd9bfcde0597bc457f24
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/349322
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Futility needs to link against both vboot1/vboot2.0 and vboot2.1
functions. This was easy in the past because it did (vboot1 +
vboot2.1) and there's no overlap.
In replacing vboot1 function calls and structs with vboot2.0, now there
are symbol collisions between vboot2.0 and vboot2.1. For example, both
of them use a struct called vb2_signature, but the structs are defined
differently. Functions which operate on those structs also overload.
Rename the vb2.1 structs to start with vb21_ instead of vb2_. Do the
same for vb2.1 functions which operate on vb2.1 data.
BUG=chromium:611535
BRANCH=none
TEST=make runtests
Change-Id: I24defd87cbd9ef64239faf1a8e98ab2372d27539
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/347458
Reviewed-by: Daisuke Nojiri <dnojiri@google.com>
And nuke all the underlying code that is unused once those APIs are
gone. These APIs are not used by any project in ToT, having been
superseded last year by the vboot2 APIs.
No functional changes to live code, just lots of deletes.
CQ-DEPEND=CL:347414
BUG=chromium:611535
BRANCH=none
TEST=make runtests; build samus
Change-Id: I05ac752d74d1343dd03600b1c5e6ed22822e2802
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/347257
This change replaces all calls to the old vboot1 SHA library with their
vboot2 equivalents.
This is the first in a long series of changes to move the core vboot kernel
verification into vb2, and the control/display loop out to depthcharge.
BUG=chromium:611535
BRANCH=none
TEST=make runtests; build samus firmware and boot it
Change-Id: I31986eb766176c0e39a192c5ce15730471c3cf94
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/344342
Tested-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
The secrets library clears, extends, and derives secrets which are used
by vboot SoC.
BUG=chrome-os-partner:51907
BRANCH=tot
TEST=make runtests
Change-Id: I38c93fd450364792cebc942694f848e10d0e9502
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/349252
Reviewed-by: Randall Spangler <rspangler@chromium.org>
vba_update_buc writes a BUC (boot unlock code) to NVM-RW. It will be called
by AP-RW to update a BUC.
BUG=chrome-os-partner:51907
BRANCH=tot
TEST=make runtests
Change-Id: Ic91f34b60b11ebce948bce01993ddb44519a59b8
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/346233
With newer PD chips and different update mechanisms, we can no longer
guarantee that the "hash" (really just a sort of version identifier) of
an EC-RW image will always be a SHA256. This patch removes any hardcoded
assumptions about that from vboot, and instead accepts any hash size
returned by VbExEcHashImage() and VbExEcGetExpectedImageHash().
It also removes the assumption that the hash can be regenerated by
running SHA256 over the full image returned by VbExEcGetExpectedImage().
We can thus no longer support VBERROR_EC_GET_EXPECTED_HASH_FROM_IMAGE,
which is fine since that functionality hasn't been needed for years and
there would be no reason why we might need it in the future. This also
allows simplifying the code flow of EcUpdateImage() a bit (since you can
really just return very early if you already figured out that you don't
need to update).
BRANCH=None
BUG=chrome-os-partner:53780
TEST=Tested software sync on Oak both after cold and warm boot.
Change-Id: I498f3d39085a38740734fff9f2d1a186a0801489
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/348001
Reviewed-by: Randall Spangler <rspangler@chromium.org>
