Update the unit tests which use it to use futility. No functional
changes to it, just relocation.
Remove the futility test which checks the exact list of supported
commands. This doesn't have a good way of handling
conditionally-compiled commands, and will be even harder to maintain
as we add more commands in the future. Presence of sub-commands is
still ensured by the other tests which use them (such as
vb2_firmware_tests.sh)
BUG=chromium:231547
BRANCH=none
TEST=make runtests && VBOOT2=1 make runtests
Change-Id: Idddb639276e4c6449d023d40ac7977123113bd28
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/213191
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
This change adds these formerly external utilities into the futility binary:
dev_sign_file
dump_kernel_config
gbb_utility
vbutil_firmware
vbutil_kernel
These target binaries will remain independent of futility, since they are
not directly related to verified boot:
cgpt
crossystem
tpm_init_temp_fix
tpmc
Also, dumpRSAPublicKey is removed from the target, since it is only used on
the build host to create new keypairs.
This change also adds several additional tests.
BUG=chromium:224734
BRANCH=ToT
CQ-DEPEND=CL:210391,CL:210568,CL:210587
TEST=manual
make runtests
make clean
Also build and test:
- normal image
- test image
- recovery image
- firmware shellball
Note that this CL depends on simultaneous changes to the chromeos-initramfs
ebuild.
Change-Id: If791b5e9b5aac218ceafa9f45fc1785f16b91a64
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/210403
There are a few utilities that print the full path of any file they open.
This isn't necessary, and it just has to be ignored when running regression
tests from different directories.
This just removes that extra noise.
BUG=chromium:224734
BRANCH=ToT
TEST=make runtests
Change-Id: I4291bca7952a0d7371f8682b7d57545361c6341c
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/207619
Reviewed-by: Randall Spangler <rspangler@chromium.org>
We've been creating and linking against a library called "libvboot_host.a"
for two different reasons. The main purpose is to build the vboot_reference
tools found in the utility/ directory. But there are some external userspace
programs that would also like to use some functions in this library.
This change establishes libvboot_host.a as the library for use by external
userspace programs only, and creates a new libvboot_util.a library that's
only used inside this source tree to build the vboot utilities.
BUG=chromium:231567
BRANCH=ToT
TEST=manual
Build and run the local tests:
make runalltests
make clean
Build Link firmware and all the utilities:
emerge-link chromeos-base/vboot_reference \
sys-boot/depthcharge \
sys-boot/coreboot \
chromeos-base/chromeos-ec \
chromeos-base/chromeos-firmware-link \
chromeos-base/chromeos-cryptohome \
chromeos-base/update_engine \
chromeos-base/chromeos-installer \
chromeos-base/chromeos-login \
chromeos-base/verity
Build Lumpy utilities, which include the 32-bit cros_installer:
emerge-lumpy chromeos-base/vboot_reference \
chromeos-base/chromeos-login \
chromeos-base/verity \
chromeos-base/update_engine \
chromeos-base/chromeos-installer \
chromeos-base/chromeos-cryptohome
Change-Id: Ie81ff1f74a6356cb8fab7d98471139d7758c4f19
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/207016
Reviewed-by: Randall Spangler <rspangler@chromium.org>
This constructs a test firmware using the old vboot signing utilities,
and then verifies it using vboot2 libraries. This ensures vboot2 can
read files signed by the current signing process.
BUG=chromium:370082
BRANCH=none
TEST=VBOOT2=1 make runtests
Change-Id: Icc113c982e5ed99382a4592f9ab688784e853c8e
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/204561
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
I'm breaking the last chunk of vboot2 into smaller pieces as I add
tests. This has the api-level routines actually called by depthcharge.
BUG=chromium:370082
BRANCH=none
TEST=make clean && VBOOT2=1 COV=1 make
Change-Id: Ic7c082fc5faa0b874b2fa5a15ebda7135dcafe0b
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/200151
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
We use a few bytes of battery-backed nvram to save some flags across
reboots. However if the battery discharges completely, these flags are lost.
There aren't any security issues with that since they reset to safe values,
but some of the flags are used to configure how the system boots in
dev-mode.
If a dev-mode user has completely replaced ChromeOS with some other OS, then
she often needs to set the dev_boot_usb and/or dev_boot_legacy flags as well
in order to boot it using Ctrl-U or Ctrl-L. If the battery dies, then those
flags are cleared, and the only way to make the Chromebook boot again is by
going through recovery, which wipes the disk.
This change uses a new NV space in the TPM to back up some of the nvram
flags. These nvram fields will be backed up:
block_devmode
dev_boot_legacy
dev_boot_signed_only
dev_boot_usb
fwupdate_tries
loc_idx
Because writing to the TPM space is slow and limited to an unspecified but
finite number of cycles, we only back up the fields when specifically
requested by the new backup_nvram_request flag. This flag will be set by
crossystem whenever it is used to change any of the fields listed above. The
backup will be attempted at the NEXT boot (because the TPM is locked after
booting), and the backup_nvram_request flag will be cleared if the backup
was successful.
Note that this CL is for Top of Trunk only. The firmware will create the
required TPM spaces on systems that have never been booted, but we don't yet
have a secure or reliable method to update existing systems.
FYI, on Link, determining that the TPM's backup NV space doesn't exist adds
about 6ms to the boot time. If it does exist, the backup_nvram_request flag
is cleared automatically so it won't check until it's set again.
BUG=chromium:362105
BRANCH=ToT (only!)
TEST=manual
Testing this is a long and involved process. Read on...
First, there are host-side tests for it. In the chroot:
cd src/platform/ec
make runtests
Second, to test on a completely NEW system that was first booted with a BIOS
that contains this CL, do this:
Enter dev-mode
Use crossystem to set values for the fields listed above
Confirm that "backup_nvram_request" is set to 1
Reboot
Use crossystem to confirm that "backup_nvram_request" is now 0
Remove the battery and the AC
Reattach either battery or AC so it will boot again
Use crossystem to confirm that the backed up fields are still good, while
the others have been reset to default values
Switch to normal mode
Remove the battery and the AC
Reattach either battery or AC so it will boot again
Look at the bios info in chrome://system to see what crossystem says
Confirm that the dev_boot_* flags are all 0, while the others are restored
Third, to set things up to test this on an existing system (I used Link),
you have to update the BIOS, delete both the Kernel and Firmware NV spaces in
the TPM, then reboot so that the BIOS will create the Backup, Kernel, and
Firmware spaces. It will only do that if they're all missing.
Open it up, disable write-protect, attach a servo, etc.
Switch to dev-mode, log in.
Run make_dev_firmware.sh
Reboot in recovery mode, and insert a USB stick with a test image on it.
NOTE: In order to fiddle with the TPM, we'll *always* have to boot in
recovery mode, since that's the only time the TPM is left unlocked. That's
NOT the same as pressing Ctrl-U at the scary boot screen. The rest of
these steps assume you've booted in recovery mode and are running from the
test image on the USB stick.
Run
make_dev_ssd.sh --remove_rootfs_verification --recovery_key
Reboot (recovery mode)
Run
mv /etc/init/tcsd.conf /etc/init/tcsd.conf.disabled
Reboot (recovery mode).
Run "tpmc getvf". It should say
deactivated 0
disableForceClear 0
physicalPresence 1
physicalPresenceLock 0
bGlobalLock 0
Run "tpmc geto". It should say
Owned: no
Now you'll need to build the "tpm-nvtool" utility. In the chroot:
cd src/third_party/tpm/nvtool
make
Copy that to the DUT, in /usr/local/bin.
Now run
tcsd
tpm-nvtool --list | grep Index
You may see a number of spaces, but you should at least see these:
# NV Index 0x00001007
# NV Index 0x00001008
Run
tpm_takeownership
It will prompt you for two passwords (and confirm each one). Respond with
something you can remember like "google".
Run
tpm-nvtool --release --index 0x1007 --owner_password "google"
tpm-nvtool --release --index 0x1008 --owner_password "google"
Verify that it worked with
tpm-nvtool --list | grep Index
Power off.
Using servo, flash the new BIOS that has this CL in it.
Power on, normally this time (not recovery mode). If all goes well, it
should create the correct NV spaces and boot into the SSD. Copy tpm-nvtool
into this image too, and run
tpm-nvtool --list | grep Index
You should now see at least these spaces:
# NV Index 0x00001007
# NV Index 0x00001008
# NV Index 0x00001009
Now you're ready to test the backup/recover feature.
Change-Id: I00031fa0774720147327e2ae0f37e26b34b86341
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/202138
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
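The backup flow the message above describes, as an added example in C. This is not vboot_reference code: the field names are the ones the commit lists, but the struct layout, the TPM NV stand-in, the write-failure switch, and the choice to restore dev_boot_* only in dev mode (which is what the manual test above observes) are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Battery-backed nvram: the fields the commit lists plus the request flag.
 * Layout is this example's; real VbNv packs these as bits. */
struct nvram {
	bool valid;                 /* false once the battery has fully drained */
	uint8_t block_devmode;
	uint8_t dev_boot_legacy;
	uint8_t dev_boot_signed_only;
	uint8_t dev_boot_usb;
	uint8_t fwupdate_tries;
	uint8_t loc_idx;
	uint8_t backup_nvram_request;
};

/* Stand-in for the TPM NV backup space (assumed, not the real NV layout). */
struct tpm_backup {
	bool present;        /* a backup has been written at least once */
	bool write_fails;    /* simulate a failed NV write */
	unsigned writes;     /* NV writes are slow and finite, so count them */
	struct nvram saved;
};

/* Firmware side, run at boot while the TPM is still unlocked. */
void fw_boot(struct nvram *nv, struct tpm_backup *tpm, bool dev_mode)
{
	if (!nv->valid) {
		/* Battery died: every field resets to its safe default (0). */
		memset(nv, 0, sizeof(*nv));
		nv->valid = true;
		if (tpm->present) {
			/* Restore the backed-up fields. dev_boot_* only matter in dev
			 * mode, so in normal mode they stay at 0 (assumption, matching
			 * the manual test in the commit message). */
			nv->block_devmode = tpm->saved.block_devmode;
			nv->fwupdate_tries = tpm->saved.fwupdate_tries;
			nv->loc_idx = tpm->saved.loc_idx;
			if (dev_mode) {
				nv->dev_boot_legacy = tpm->saved.dev_boot_legacy;
				nv->dev_boot_signed_only = tpm->saved.dev_boot_signed_only;
				nv->dev_boot_usb = tpm->saved.dev_boot_usb;
			}
		}
	}
	/* Write to the TPM only when asked to, never on every boot. */
	if (nv->backup_nvram_request) {
		if (tpm->write_fails)
			return;                     /* request stays set: retry next boot */
		tpm->saved = *nv;
		tpm->saved.backup_nvram_request = 0;
		tpm->present = true;
		tpm->writes++;
		nv->backup_nvram_request = 0;   /* cleared only after success */
	}
}

/* OS side: what `crossystem dev_boot_usb=1` does for a backed-up field. */
void crossystem_set_dev_boot_usb(struct nvram *nv, uint8_t v)
{
	nv->dev_boot_usb = v;
	nv->backup_nvram_request = 1;
}

void crossystem_set_loc_idx(struct nvram *nv, uint8_t v)
{
	nv->loc_idx = v;
	nv->backup_nvram_request = 1;
}

/* Simulate pulling both battery and AC. */
void battery_drained(struct nvram *nv)
{
	nv->valid = false;
}
```

The point to notice is the ordering: the request set by crossystem is only acted on at the next boot, the flag is cleared only after the write succeeded, and a drained battery after a normal-mode boot leaves the dev_boot_* flags at 0 even though the TPM copy still holds them.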
Currently, this does nothing. It just sets a flag that nothing looks at.
Don't get all wound up - we haven't abandoned our principles. This will
eventually be used to allow enterprise-enrolled customers to prevent
unauthorized use of developer mode in the Chrome OS devices that THEY OWN.
This is not Google deciding to turn a feature off, it's allowing the OWNER
to control the use of the feature. In some situations, the owner can be held
liable for what others do with the owner's equipment. This will help the
owner avoid those situations while their device is out of their immediate
control.
BUG=none
BRANCH=ToT
TEST=manual
Set the flag with:
crossystem block_devmode=1
Clear it with:
crossystem block_devmode=0
Retrieve the value ("0" or "1") like so:
val=$(crossystem block_devmode)
echo "the flag is $val"
or just test it directly like so:
if crossystem 'block_devmode?1' ; then
echo "devmode is blocked"
else
echo "devmode is allowed"
fi
It should be persistent across reboots.
Change-Id: I097f15b307e1c3a2a9db595e9495028a2eea6309
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/197771
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
This adds a VB_MAX_STRING_PROPERTY for callers that don't
want to guess at how big to make their buffers.
Additionally, it changes the size parameter to VbGetPropertyString()
from int to size_t.
BUG=None
TEST=compile the code
BRANCH=none
Change-Id: I22809d48e13b535593cb22a56444e2dcb27791a5
Reviewed-on: https://chromium-review.googlesource.com/175039
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Tested-by: Richard Barnette <jrbarnette@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Commit-Queue: Richard Barnette <jrbarnette@chromium.org>
Querying "debug_build" allows the caller to determine whether the
image has requested debug, independent of the setting of the
dev_mode switch.
BUG=chromium:308678
BRANCH=none
TEST=use the new command option on both base and dev images
Change-Id: I369f26d75156f2e88d9f6f467efbf8f633e78bda
Reviewed-on: https://chromium-review.googlesource.com/174107
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Tested-by: Richard Barnette <jrbarnette@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Commit-Queue: Richard Barnette <jrbarnette@chromium.org>
At present reading data from storage in Vboot is a little fragmented. For
the firmware image, we expect the boot loader to handle this. For the disk
we have a block-level API. For the GBB (which also sits in the firmware
image) we expect the entire thing to be read before Vboot is called.
Add the concept of a region, and an API to read from a region. At present,
and most pressing, is reading from a GBB region. In the future this could
be extended to other parts of the firmware or even the disk.
Move all access to the GBB into this API so that the boot loader can provide
either a GBB region in one large contiguous chunk, or a function to deal with
read requests from vboot.
The call to VbExRegionRead() is behind a flag since not all boot loaders
support it yet.
The main change for boot loaders which don't support this new API is that
vboot will do more behind the scenes. For example, it will allocate memory
for chunks of data that it reads from the GBB, rather than just accessing it
directly. This approach is considerably simpler than trying to pass char **
everywhere and have vboot decide whether something needs to be allocated or
not.
The tests are updated, mainly to include setting up a GBB structure
accessible from VbCommonParams, which is now required by the firmware and
kernel functions. In normal operation this is set up at the start of
VbLoadFirmware() and VbSelectAndLoadKernel() but for tests which call
children of these functions directly, the GBB structure must be set up
manually by the test.
BUG=chrome-os-partner:21115
BRANCH=none
TEST=manual
FEATURES=test sudo -E emerge vboot_reference
Change-Id: If2b8bbe467fdbd643239d8d9b5d7aa98df4d286f
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: David Hendricks <dhendrix@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/63336
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/167361
At present reading data from storage in Vboot is a little fragmented. For
the firmware image, we expect the boot loader to handle this. For the disk
we have a block-level API. For the GBB (which also sits in the firmware
image) we expect the entire thing to be read before Vboot is called.
Add the concept of a region, and an API to read from a region. At present,
and most pressing, is reading from a GBB region. In the future this could
be extended to other parts of the firmware or even the disk.
Move all access to the GBB into this API so that the boot loader can provide
either a GBB region in one large contiguous chunk, or a function to deal with
read requests from vboot.
The call to VbExRegionRead() is behind a flag since not all boot loaders
support it yet.
The main change for boot loaders which don't support this new API is that
vboot will do more behind the scenes. For example, it will allocate memory
for chunks of data that it reads from the GBB, rather than just accessing it
directly. This approach is considerably simpler than trying to pass char **
everywhere and have vboot decide whether something needs to be allocated or
not.
The tests are updated, mainly to include setting up a GBB structure
accessible from VbCommonParams, which is now required by the firmware and
kernel functions. In normal operation this is set up at the start of
VbLoadFirmware() and VbSelectAndLoadKernel() but for tests which call
children of these functions directly, the GBB structure must be set up
manually by the test.
BUG=chrome-os-partner:21115
BRANCH=none
TEST=manual
FEATURES=test sudo -E emerge vboot_reference
Change-Id: I2c19e9dc2ed602d0642bbf4f7d27f79fe9fad873
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/63336
Reviewed-by: Randall Spangler <rspangler@chromium.org>
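The region-read idea described in the two messages above, as an added example in C rather than vboot's own code. A boot loader either hands over the whole GBB as one buffer or registers a read callback; vboot reads through one function either way and owns the buffers it allocates. The names (region_read, struct region_source, the toy_gbb_header layout and the 64-byte sample image) are this example's, not VbExRegionRead's signature or the real GBB format; the one thing worth copying is the bounds check, which validates offsets taken from the header before using them.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Backend callback: copy `size` bytes starting at `offset` into `out`.
 * Returns 0 on success, nonzero on failure. */
typedef int (*region_read_fn)(void *ctx, uint32_t offset, uint32_t size, void *out);

struct region_source {
	const uint8_t *buf;     /* whole region in memory, or NULL */
	uint32_t size;          /* region size: the bound every read is checked against */
	region_read_fn read;    /* used when buf is NULL */
	void *ctx;
};

/* Read [offset, offset+size) into a buffer this function allocates.
 * Returns NULL if the range is outside the region or the backend fails;
 * the caller frees the result. */
void *region_read(const struct region_source *src, uint32_t offset, uint32_t size)
{
	/* Written so that offset + size cannot wrap in 32 bits. */
	if (size == 0 || offset > src->size || size > src->size - offset)
		return NULL;
	uint8_t *out = malloc(size);
	if (!out)
		return NULL;
	if (src->buf) {
		memcpy(out, src->buf + offset, size);
	} else if (!src->read || src->read(src->ctx, offset, size, out) != 0) {
		free(out);
		return NULL;
	}
	return out;
}

/* Toy header standing in for the GBB: magic, then where the HWID lives.
 * Offsets inside a header read from flash are untrusted until checked. */
struct toy_gbb_header {
	char magic[4];
	uint32_t hwid_offset;
	uint32_t hwid_size;
};

/* Fetch the HWID through the region API. NULL if the header is bad or
 * points outside the region. */
char *read_hwid(const struct region_source *src)
{
	struct toy_gbb_header *h = region_read(src, 0, sizeof(*h));
	if (!h)
		return NULL;
	char *hwid = NULL;
	if (memcmp(h->magic, "$GBB", 4) == 0)
		hwid = region_read(src, h->hwid_offset, h->hwid_size);
	free(h);
	return hwid;
}

/* A 64-byte "flash" image constructed for this example. */
static uint8_t flash[64];

void build_sample_flash(uint32_t hwid_offset, uint32_t hwid_size)
{
	struct toy_gbb_header h = { { '$', 'G', 'B', 'B' }, hwid_offset, hwid_size };
	memset(flash, 0, sizeof(flash));
	memcpy(flash, &h, sizeof(h));
	memcpy(flash + 16, "X86 LUMPY", 10);    /* 9 chars plus NUL */
}

/* Callback backend over the same image, as a boot loader might provide. */
int flash_read_cb(void *ctx, uint32_t offset, uint32_t size, void *out)
{
	(void)ctx;
	memcpy(out, flash + offset, size);
	return 0;
}

struct region_source contiguous_source(void)
{
	struct region_source s = { flash, sizeof(flash), NULL, NULL };
	return s;
}

struct region_source callback_source(void)
{
	struct region_source s = { NULL, sizeof(flash), flash_read_cb, NULL };
	return s;
}
```

Both backends produce the same HWID for a well-formed image, and a header whose hwid_offset/hwid_size run past the region (or wrap around 32 bits) is rejected before any backend is asked to read.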
In case of a TPM error, tpmc returns the TPM error code, which can
be greater than 255. In that case the error code is truncated.
Some error codes, such as TPM_E_RETRY, end with a zero byte,
resulting in a successful exit code. This is despicable.
BUG=chromium:234357
TEST=tested with exit codes < 255. Too hard to generate the others.
BRANCH=none
Change-Id: I891a5c0659c06aac778449e2a0a935c5f82ccdb8
Reviewed-on: https://chromium-review.googlesource.com/66885
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Commit-Queue: Luigi Semenzato <semenzato@chromium.org>
Tested-by: Luigi Semenzato <semenzato@chromium.org>
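The truncation the message above complains about, as an added example (not tpmc's code). A process exit status is 8 bits, so exit(TPM_E_RETRY) is seen by the caller as 0. The TPM 1.2 code values are from the TPM 1.2 specification; the mapping policy in tpm_rc_to_exit_status is this example's choice, not what tpmc does.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* TPM 1.2 result codes used here (TPM_BASE is 0). */
#define TPM_SUCCESS               0x000u
#define TPM_E_AUTHFAIL            0x001u
#define TPM_E_RETRY               0x800u   /* TPM_BASE + 0x800: busy, try later */
#define TPM_E_DEFEND_LOCK_RUNNING 0x803u

/* What a parent sees after exit(code): only the low 8 bits survive. */
unsigned observed_exit_status(uint32_t code)
{
	return code & 0xffu;
}

/* True if `exit(rc)` would make a failed TPM command look successful. */
int truncation_masks_error(uint32_t rc)
{
	return rc != TPM_SUCCESS && observed_exit_status(rc) == 0;
}

/* A mapping that never reports success for an error: the full code goes to
 * `err` (may be NULL) so nothing is lost, the status keeps the low byte
 * when it is nonzero, and codes whose low byte is zero become 255. */
int tpm_rc_to_exit_status(uint32_t rc, FILE *err)
{
	if (rc == TPM_SUCCESS)
		return 0;
	if (err)
		fprintf(err, "TPM error 0x%" PRIx32 "\n", rc);
	unsigned low = rc & 0xffu;
	return low ? (int)low : 255;
}
```

Any script that does `tpmc ... || recover` depends on this mapping being nonzero for every error; the pre-fix behaviour silently passed exactly the retry case a script would most want to notice.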
The "-p internal:bus=*" option is now deprecated by "-p {host,ec}" because we may have
an EC on the SPI bus.
BUG=none
TEST=manually executed dev_debug_vboot and see correct output.
BRANCH=none
Change-Id: I6363c09c2ebf57812bf35b7db220303a2786db20
Reviewed-on: https://gerrit.chromium.org/gerrit/66321
Tested-by: Hung-Te Lin <hungte@chromium.org>
Reviewed-by: Yung-Chieh Lo <yjlou@chromium.org>
Commit-Queue: Hung-Te Lin <hungte@chromium.org>
When copying the vmlinuz zeropage, the entries were being truncated even
though the boot protocol version was being retained. This means that
booting a kernel that depended on details from the zeropage's ignored
areas would find invalid information. Fix this by copying out the entire
possible range of memory.
BUG=chromium:230212
TEST=kernels can boot with CONFIG_RELOCATABLE
BRANCH=None
Change-Id: Ifb94bedcf881e17ab20fff44d8c1c1885b15ef9e
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/47832
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
This stops creating dump_fmap as a standalone utility and builds it into
futility. Since it was already invoked as a symlink, no user-visible changes
should be observed.
BUG=chromium:224734
BRANCH=none
TEST=manual, trybots
sudo FEATURES=test emerge vboot_reference
FEATURES=test emerge-$BOARD vboot_reference
Change-Id: I68d1bea0c1867043b2633e15509b95c2717009a7
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/47672
Reviewed-by: Randall Spangler <rspangler@chromium.org>
FindKernelConfig() is used to extract the kernel cmdline from a kernel
partition. It's only used in the chromeos-installer, but was a bit awkward.
This changes the calling parameters to make it simpler.
BUG=chromium:221544
BRANCH=none
TEST=manual
CQ-DEPEND=CL:46835
FEATURES=test sudo emerge vboot_reference
FEATURES=test emerge-$BOARD vboot_reference
Change-Id: Ib7192175d72ad51387d8d122ead4490a4aa62300
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/46834
The chromeos-installer uses several functions from the vboot_reference
userspace library, but the names of those functions are inconsistent:
IsZero
MapFile
VbGetSystemPropertyString
cgpt_add
cgpt_boot
cgpt_create
cgpt_get_boot_partition_number
cgpt_get_num_non_empty_partitions
cgpt_get_partition_details
cgpt_prioritize
cgpt_set_attributes
find_kernel_config
The Google C++ style guide says types and functions should use CamelCase,
while variables use lower_case_with_underscores.
Kernel style (which vboot_reference tries to be more-or-less compatible
with) uses lower_case_with_underscores for everything, but that really only
has to apply to firmware stuff. For userspace, we can use the Google style.
BUG=chromium:221544
BRANCH=none
TEST=buildbot
CQ-DEPEND=CL:46045
Renaming/cleanup only; no functional changes.
Change-Id: I9c82c9ff8909be88586194c8ffdb435fc771195f
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/46044
These were macros that were never used, or that were only set to one thing and
could be substituted up front.
I left in code guarded by the HAVE_ENDIAN_H and HAVE_LITTLE_ENDIAN macros even
though those are never defined because they guard a reportedly significantly
faster implementation of some functionality, at least according to a comment
in the source. It would be a good idea to enable that code path and see if it
really does make a big difference before removing it entirely.
BUG=None
TEST=Built for Link, Daisy, and the host with FEATURES=test. Built depthcharge
for Link and booted in normal mode.
BRANCH=None
Change-Id: I934a4dd0da169ac018ba07350d56924ab88b1acc
Signed-off-by: Gabe Black <gabeblack@google.com>
Reviewed-on: https://gerrit.chromium.org/gerrit/45687
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Queue: Gabe Black <gabeblack@chromium.org>
Tested-by: Gabe Black <gabeblack@chromium.org>
This moves all the old userspace utilities generated by vboot_reference into
a subdirectory not in $PATH, and replaces them with symlinks to a single
executable named 'futility'. At the moment that utility just execs the
original utilities (optionally logging that fact first).
Ultimately, the old utilities will be subsumed into a single binary instead
of multiple separate executables.
There is a matching CL needed to make the recovery image creation work.
BUG=chromium-os:37062
BRANCH=none
CQ-DEPEND=CL:44864
TEST=auto
To test, build everything, test everything. It should work as before in all
cases. I have built normal images, test images, factory installers, recovery
images; they all seem to work.
I've run trybots on daisy-paladin link-paladin lumpy-paladin and alex-paladin.
Change-Id: Ie93db676f2ed2a64e4b13b3b5dc6b65a77db0f8c
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/44871
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Hung-Te Lin <hungte@chromium.org>
This utility sets up the encrypted directories for Chrome OS at boot time.
It uses some of the TPM-related libraries from vboot_reference, but it
isn't really part of the verified boot process itself so I'm moving it into
the cryptohome repo where it belongs.
This CL just removes the code from vboot_reference. Another CL will put it
into cryptohome, and yet another will change the ebuilds to notices.
BUG=chromium-os:39264
BRANCH=none
TEST=auto
CQ-DEPEND=CL:44301, CL:44302
This is just refactoring, not a new feature. After all the CLs are in, the
platform_EncryptedStateful autotest should continue to pass as before.
Change-Id: I6bb436ae57140e89581cb0be5dc2385b8f3ff5e2
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/44303
Reviewed-by: Kees Cook <keescook@chromium.org>
In an effort to reduce the chances of a kernel bug wrecking filesystems
during encrypted-stateful shutdown, add explicit sync() calls during
shutdown.
BUG=chrome-os-partner:17610
TEST=link build, shutdown with simulated panic in LOOP_CLR_FD results in
successful journal replays
BRANCH=None
Change-Id: I4be981ebd0270d275ae81a79e3195bc72b70d984
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/43736
Reviewed-by: Grant Grundler <grundler@chromium.org>
AFAICT, we don't actually run this test anywhere. If we do, we shouldn't
hard-code the path to the real chromeos-tpm-recovery utility, because we
may need to move it around.
BUG=none
BRANCH=none
TEST=none
Change-Id: I295d57d659adf564ca964efc91d95dfdd1ff00aa
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/43174
Reviewed-by: Randall Spangler <rspangler@chromium.org>
EC verification is done via software sync; the EC doesn't do vboot on
its own.
BUG=chromium-os:38139
BRANCH=none
TEST=manual
make runtests
emerge-link vboot_reference chromeos-u-boot chromeos-bootimage
Change-Id: I6e5c0db8fc54b474f044d37c2603a9c116747a85
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/41953
Reviewed-by: Bill Richardson <wfrichar@chromium.org>
Export the NVRAM contents to tmpfs (/tmp) for use during boot without
incurring the cost of repeated trips through the TPM.
Signed-off-by: Will Drewry <wad@chromium.org>
BUG=chromium-os:37367
TEST=builds, boots, emits lockbox.nvram which validates using in-progress lockbox-cache
BRANCH=none
Change-Id: I8b1103f4bd22bd75e98a7617a571bdb3a06d2914
Reviewed-on: https://gerrit.chromium.org/gerrit/41433
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Queue: Will Drewry <wad@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Tested-by: Will Drewry <wad@chromium.org>
This is immediately needed to debug a Parrot TPM problem, but
we've had similar situations in the past and probably will again
in the future.
BUG=chromium-os:37819
TEST=manually tested with a couple of different packets, and error inputs
BRANCH=none
Change-Id: Id7f66bdbdfe5887fa49cd62af4a9b807fa3d9a89
Reviewed-on: https://gerrit.chromium.org/gerrit/41166
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Queue: Luigi Semenzato <semenzato@chromium.org>
Tested-by: Luigi Semenzato <semenzato@chromium.org>
If a system key is available (could read TPM NVRAM), but the "finalization
needed" file exists, it means that we are in the situation where either
cryptohome was interrupted, or the TPM was temporarily unavailable at an
earlier boot. In this case, it is up to mount-encrypted to perform the
finalization. Before, we were making the very bad assumption that the
keyfile was valid if a system key was found, meaning we would delete the
"finalization needed" file, leaving us with no way to find the encryption
key leading to an OOBE on the next boot.
BUG=chrome-os-partner:15960
TEST=daisy build, manual testing
BRANCH=None
Change-Id: Ifb6d74d8a38100e00d9a4597c25a71a6c33f806c
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/39883
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
This just adds a one-byte field in the nvstorage region for use in debugging
hard-to-catch errors. There's no official meaning or expectation for this
field. It's just a handy place to emit some information.
BUG=chrome-os-partner:11534
BRANCH=parrot
TEST=manual
Just change the value and ensure that it persists across a (working) reboot.
It's only updated at specific points under very exacting error conditions,
so all we really want to test is that it works as a place to store some
extra info.
crossystem recovery_subcode
crossystem recovery_subcode=14
reboot
crossystem recovery_subcode
The recovery_subcode byte is at index [6] of the VbNv.raw bytes that appear
when you press TAB, so you can find it there too:
VbNv.raw: 60 20 00 00 00 00 0e 00 00 00 00 00 00 00 00 65
Decimal 14 == 0x0e
Change-Id: I1930b8f81a03ab838dbee99a8d72c35a444efdfd
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/39803
Reviewed-by: Randall Spangler <rspangler@chromium.org>
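Parsing the VbNv.raw dump shown above, as an added example in C (not vboot's nvstorage code). It pulls recovery_subcode from byte [6] as the message says, and also checks the trailing byte as a CRC-8 (polynomial 0x07, initial value 0) over the first 15 bytes. That the last byte is such a CRC is an assumption of this example; the sample dump happens to satisfy it (the computed CRC of the first 15 bytes is 0x65), which is what makes the check useful for catching a mistyped or corrupted dump.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VBNV_SIZE 16
#define VBNV_RECOVERY_SUBCODE_IDX 6     /* byte index named in the commit message */

/* CRC-8, polynomial x^8 + x^2 + x + 1 (0x07), initial value 0, MSB first. */
uint8_t crc8(const uint8_t *data, size_t len)
{
	uint8_t crc = 0;
	for (size_t i = 0; i < len; i++) {
		crc ^= data[i];
		for (int bit = 0; bit < 8; bit++)
			crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
	}
	return crc;
}

/* Parse a "VbNv.raw: 60 20 00 ..." line into 16 bytes. 0 on success. */
int parse_vbnv_line(const char *line, uint8_t out[VBNV_SIZE])
{
	const char *p = strstr(line, "VbNv.raw:");
	if (!p)
		return -1;
	p += strlen("VbNv.raw:");
	for (int i = 0; i < VBNV_SIZE; i++) {
		char *end;
		unsigned long v = strtoul(p, &end, 16);   /* skips leading spaces */
		if (end == p || v > 0xff)
			return -1;
		out[i] = (uint8_t)v;
		p = end;
	}
	return 0;
}

/* Assumed: the last byte is a CRC-8 of the first 15 (true of the sample). */
int vbnv_crc_ok(const uint8_t nv[VBNV_SIZE])
{
	return crc8(nv, VBNV_SIZE - 1) == nv[VBNV_SIZE - 1];
}

/* recovery_subcode from a dump line, or -1 if the line does not parse or
 * the CRC does not match (a corrupted or mistyped dump). */
int recovery_subcode_from_line(const char *line)
{
	uint8_t nv[VBNV_SIZE];
	if (parse_vbnv_line(line, nv) != 0 || !vbnv_crc_ok(nv))
		return -1;
	return nv[VBNV_RECOVERY_SUBCODE_IDX];
}

/* Set the subcode in a parsed image and refresh the CRC, which is what a
 * writer of the field has to do for the image to remain valid. */
void vbnv_set_recovery_subcode(uint8_t nv[VBNV_SIZE], uint8_t subcode)
{
	nv[VBNV_RECOVERY_SUBCODE_IDX] = subcode;
	nv[VBNV_SIZE - 1] = crc8(nv, VBNV_SIZE - 1);
}

/* The dump from the commit message, after `crossystem recovery_subcode=14`. */
static const char sample_line[] =
	"VbNv.raw: 60 20 00 00 00 00 0e 00 00 00 00 00 00 00 00 65";

int main(void)
{
	printf("recovery_subcode = %d\n", recovery_subcode_from_line(sample_line));
	return 0;
}
```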
Make sure all Tlcl users benefit from the new retry logic.
BUG=None
TEST=daisy build, manual testing of racing tpmc loops
BRANCH=None
Change-Id: I8e9656a65b5d6b45694c1c8bceb95f54f7c751bb
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/39525
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Snow was built with overlapping regions in its FMAP, so when we use
dump_fmap -h to see what the layout is, it complains and dies. This change
lets it keep going if you give it multiple -h args. Nothing else is different.
BUG=none
BRANCH=none
TEST=manual
This complains and quits:
dump_fmap -h image-snow.bin
This complains and keeps going:
dump_fmap -hh image-snow.bin
Change-Id: Ia4592b9ba6963b8c5064dd6f51625e9495db2845
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/39551
Reviewed-by: Randall Spangler <rspangler@chromium.org>
If the TPM hits an error other than ENOENT during open(), retry for 5
seconds with 100ms polling delays. Also switch to on-demand opening
of TPM, so umount will not hit delays if tcsd keeps the TPM open at
shutdown time.
BUG=chrome-os-partner:15960
TEST=daisy build, mount ok with kernel patched to return EBUSY for a few
opens, platform_EncryptedStateful passes.
BRANCH=None
Change-Id: Ia597622bb54ccc4366be2a0c960c518406e6c0b2
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/39445
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
If there were any errors communicating with the TPM at the OS layer
(open, read, write failures), the library would immediately exit, not
allowing the caller to make any decisions about how to handle it. This
introduces a way to initialize the library so that errors will get passed
back up to the caller instead of unceremoniously exiting.
Setting the environment variable "TPM_NO_EXIT=1" enables the feature. To
avoid needing to implement supporting functions in all backends, the
feature is currently limited to just the Tlcl stub implementation.
In the case of mount-encrypted, it can now survive the kernel returning
read/write failures. In the past it had only worked around having open
fail, but that has now been replaced with more sensible logic instead of
the environment variable trickiness.
BUG=chrome-os-partner:15960
TEST=daisy built with an always-failing kernel driver, u-boot builds too
BRANCH=None
Change-Id: Ic7b217017537980f9c239d678067398613045676
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/38791
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
In the case of the TPM getting into a permanent failure mode
(e.g. crosbug.com/p/15785), the entropy system was not trying harder to
get entropy (i.e. falling back to system RNG), and was just using
whatever happened to be on the stack.
This adds the system RNG to the fallback list:
- try TPM RNG
- try system RNG
- use uninitialized stack contents
The reason for the last one being used is so we can make sure we're
getting a system up. It is extremely unlikely for both the TPM and
the system RNGs to be broken and if they are, it's likely a relatively
permanent failure condition. If we abort in this state, we'll cause an
infinite repair loop which is a very bad user experience. Instead, get
the system up using terrible entropy so the conditions can be examined.
BUG=chrome-os-partner:15960
TEST=daisy build with instrumented kernel tpm driver to always fail
BRANCH=none
Change-Id: I92c454925a78bb0d94262cdb3914c1b72010450e
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/38751
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
To help identify the specific failure conditions encountered when the
TPM goes weird, report them any time they are encountered.
BUG=chrome-os-partner:15960
TEST=daisy build, manual testing
BRANCH=none
Change-Id: I80b3bd23c88c19d807cbcafe8ea2736fe000e1d6
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/38468
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Libraries must come after objects when linking. Otherwise their
references will be elided when earlier objects didn't need them.
BUG=None
TEST=`LDFLAGS=-Wl,--as-needed emerge-daisy vboot_reference` worked
BRANCH=None
Change-Id: Ic8237a767758d002cd848ed3293b17940884b609
Reviewed-on: https://gerrit.chromium.org/gerrit/37166
Reviewed-by: Kees Cook <keescook@chromium.org>
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Instead of fsid, which is unpopulated for tmpfs, use device number
since that will increment for each different tmpfs.
BUG=chrome-os-partner:15192
TEST=parrot build, manual testing
BRANCH=none
Change-Id: I0024f7283c90684daaf1278d3cf6b76cc85bb253
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/35615
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Elly Jones <ellyjones@chromium.org>
While not having a TPM was supported for non-Chrome devices, it was not
expected for Chrome devices. This adds logic to fail the TPM calls
before making them when the TPM is missing. The tpm_lite library doesn't
handle the TPM being missing, so we have to do this ourselves.
BUG=chrome-os-partner:15192
TEST=parrot build, verified operation after "mv /dev/tpm0 /dev/tpm0.bak"
BRANCH=none
Change-Id: I2f625305dce7fa698fcad33e412ee37c60da9bc2
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/35440
Reviewed-by: Luigi Semenzato <semenzato@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
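The two mount-encrypted behaviours described above, the fast failure when the TPM device node is missing (this message) and the bounded retry with 100 ms polling for other open() errors (the earlier message at gerrit 39445), as one added example in C. This is not mount-encrypted's code: the function names, the attempt-count form of the 5 s / 100 ms budget, and the on-demand open/close wrapper are this example's.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/select.h>
#include <unistd.h>

#define TPM_OPEN_TIMEOUT_MS 5000
#define TPM_OPEN_POLL_MS    100
#define TPM_OPEN_ATTEMPTS   (TPM_OPEN_TIMEOUT_MS / TPM_OPEN_POLL_MS)

/* Sleep using select() with no descriptors, so no feature-test macros are needed. */
static void sleep_ms(int ms)
{
	struct timeval tv = { ms / 1000, (ms % 1000) * 1000 };
	select(0, NULL, NULL, NULL, &tv);
}

/* Open the TPM device. ENOENT means the node is absent, i.e. there is no TPM,
 * so fail at once rather than wait for one to appear; any other error (EBUSY
 * while tcsd holds it, a transient driver failure, ...) is retried up to
 * `attempts` times with `poll_ms` between tries. Returns an fd, or -1 with
 * errno set to the last error. `tries`, if non-NULL, receives the number of
 * open() calls made. */
int tpm_open_retry(const char *path, int attempts, int poll_ms, int *tries)
{
	int n = 0, err = ENOENT;
	if (attempts < 1)
		attempts = 1;
	while (n < attempts) {
		int fd = open(path, O_RDWR);
		n++;
		if (fd >= 0) {
			if (tries)
				*tries = n;
			return fd;
		}
		err = errno;
		if (err == ENOENT)
			break;                  /* no device node: don't poll for it */
		if (n < attempts)
			sleep_ms(poll_ms);
	}
	if (tries)
		*tries = n;
	errno = err;
	return -1;
}

/* On-demand use: open, run one operation, close. Nothing holds the device
 * across shutdown, so an unmount is not delayed by tcsd keeping it open. */
int tpm_with_device(const char *path, int (*op)(int fd, void *arg), void *arg)
{
	int fd = tpm_open_retry(path, TPM_OPEN_ATTEMPTS, TPM_OPEN_POLL_MS, NULL);
	if (fd < 0)
		return -1;
	int rc = op(fd, arg);
	close(fd);
	return rc;
}

/* Trivial operation for demonstration: succeeds if it was handed an fd. */
int tpm_noop(int fd, void *arg)
{
	(void)arg;
	return fd >= 0 ? 0 : -1;
}
```

Two things matter for the caller: errno distinguishes "no TPM at all" (ENOENT, one attempt) from "TPM present but busy or broken" (the last error after the budget is spent), and the budget is bounded, so a permanently failing driver costs five seconds per operation rather than a hang.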
Currently vbutil_what_keys only displays the kernel keyblock info for disk
images. This adds a -v option (requiring sudo) to cause it to attempt to look
inside any rootfs partitions and extract the BIOS image from the shellball.
This CL also updates the list of known sha1sums.
Without -v:
vbutil_what_keys recovery_image.bin
IMAGE: recovery_image.bin
part 2 kernel: 49d40533b0812d3f31232c5eedd47e7e11acc293 (!DEV DEV REC)
part 4 kernel: cc887372ac2d1c415eac93fc11e753629c387358 (!DEV DEV !REC)
With -v:
vbutil_what_keys -v recovery_image.bin
IMAGE: recovery_image.bin
part 2 kernel: 49d40533b0812d3f31232c5eedd47e7e11acc293 (!DEV DEV REC)
part 4 kernel: cc887372ac2d1c415eac93fc11e753629c387358 (!DEV DEV !REC)
part 3 shellball:
hwid: X86 LUMPY TEST 6638
recovery key: 0d800afb53cdd05dd849addee0143ca1d96e893c
root key: 4e92f07efd4a920c4e4f1ed97cf47b7b04ee1428
BUG=none
BRANCH=none
TEST=manual
This is an optional feature to a debugging utility. You can try the examples
above if you feel like testing it yourself.
Change-Id: Ie0dc918c1a99705c408314e960f4dc98aee7c1a9
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/34537
Reviewed-by: Randall Spangler <rspangler@chromium.org>
This option is disabled by default and can be enabled with
crossystem dev_boot_legacy=1
or by setting the GBB flag
GBB_FLAG_FORCE_DEV_BOOT_LEGACY 0x00000080
BUG=chrome-os-partner:6108
TEST=crossystem dev_boot_legacy=1
boot to dev mode screen, press CTRL-L, see SeaBIOS start
(other CLs needed)
BRANCH=link
Signed-off-by: Stefan Reinauer <reinauer@chromium.org>
Change-Id: I593d2be7cff5ca07b8d08012c4514a172bd75a38
Reviewed-on: https://gerrit.chromium.org/gerrit/31265
Reviewed-by: Stefan Reinauer <reinauer@chromium.org>
Tested-by: Stefan Reinauer <reinauer@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Ready: Stefan Reinauer <reinauer@chromium.org>