mirror of
https://github.com/Telecominfraproject/OpenCellular.git
synced 2026-01-08 08:31:52 +00:00
17fb34b647
Kernel verification will now roll forward the minimum allowable
version in the TPM no farther than the kernel_max_rollforward setting.
Note that CL:765573 changes chromeos-setgoodkernel so it always sets
kernel_max_rollforward to 0xfffffffe when marking a kernel as good.
That ensures that firmware with this setting will behave the same for
now as existing firmware.
BUG=chromium:783997
BRANCH=none
CQ-DEPEND=CL:765573
TEST=make runtests
Manual testing:
crossystem tpm_kernvel --> print current kernel version in TPM
- Resign the kernel with a higher version
- Reboot
- Wait a minute for chromeos-setgoodkernel to run
crossystem kernel_max_rollforward=0
- Reboot
crossystem tpm_kernvel --> has not changed
- Wait a minute for chromeos-setgoodkernel to run
crossystem kernel_max_rollforward -> 0xfffffffe
- Reboot
crossystem tpm_kernvel --> has changed to the higher version
Change-Id: Ia32ecb7fa4078548cd311541ccbe120570cf1bc5
Reviewed-on: https://chromium-review.googlesource.com/765574
Commit-Ready: Randall Spangler <rspangler@chromium.org>
Tested-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@google.com>
Here's what's what in the firmware/ directory. bdb/ Code for managing Boot Descriptor Blocks (BDB). include/ lib/ These are the original structures and APIs used in the earliest Chromebooks and continuing through 2014. It never had a version as such to begin with, but we now refer to this implementation as "vboot1" or "vboot version 1.0". linktest/ stub/ These are stubs used to link the vboot1 libraries into host-side test executables so we can run some tests on the build machine instead of a Chromebook. 2lib/ In 2014 we began work on a new vboot API. The first step was just a refactoring and renaming of the verification API. The public functions and external headers that are exported for use by the Chrome OS firmware (or anything else that wants to use vboot) live in here. The internal structures and implementations go elsewhere. lib20/ This is an early implementation of the public (2lib/) API. It is binary-compatible with vboot1, so although the interface details are different, any existing on-device structures or signatures created by the vboot1 tools can be validated using this implementation. This was deployed slightly before it was ready. That's not a problem, thanks to the binary compatibility, but this directory will be abandoned Real Soon Now, except for the product support branches. lib21/ This is where the current development of the second-generation vboot API is taking place. It uses the public (2lib/) API, but will NOT be binary compatible with vboot1 structs. Because of the early release of the lib20 stuff, we're actually calling this lib21.