commit | 1969a957857fb657374af5a84a936c109085a7d1 |
---|---|
author | Nicholas Bishop <nicholasbishop@google.com> | Mon Jun 05 21:34:26 2023 |
committer | Chromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com> | Mon Nov 06 14:44:13 2023 |
tree | 9a75db61df384813cda9b27145322b737d91145b |
parent | 01ca137c3a7158934b7525d348d7df0edcd4600a |
crdyshim: Implement the rest of the executable

Note that the new executable is not yet installed into the test disk, so running the VM (including running VM tests) is still using regular shim instead of crdyshim. That will be fixed in the next commit. Keeping them separate will make reverting easier, if that becomes necessary.

BUG=b:203705645
TEST=cargo xtask check

Change-Id: Iaff17ca3653f74fc9b4da52d6e85d2ddb0b42a4e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crdyboot/+/4629648
Reviewed-by: Ted Brandston <tbrandston@google.com>
Tested-by: Nicholas Bishop <nicholasbishop@google.com>
Commit-Queue: Nicholas Bishop <nicholasbishop@google.com>
Tested-by: chromeos-cop-builder@chromeos-cop.iam.gserviceaccount.com <chromeos-cop-builder@chromeos-cop.iam.gserviceaccount.com>
Pronounced CUR-dee-boot.
Crdyboot is a UEFI bootloader for ChromeOS Flex. It is not yet in use.
Crdyboot acts as a bridge between UEFI firmware and the Chromebook style of booting. It uses vboot to select and validate an appropriate kernel partition, then launches that kernel using the Linux EFI stub.
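Besides verifying the kernel, the crdyboot executable carries SBAT data so that shim or firmware can revoke bootloader generations with known flaws (see the crdyboot package below). As an added example that is not crdyboot's own code, the following Rust parses an SBAT section (CSV lines of `component_name,component_generation,vendor_name,vendor_package,vendor_version,vendor_url`) and applies a revocation policy; the `SbatEntry`, `parse_sbat` and `check_revocation` names and the sample entries in `main` are assumptions made for this illustration.

```rust
// Added example (not crdyboot's own code): parse an SBAT section and apply a
// revocation policy mapping component name -> minimum acceptable generation.
use std::collections::HashMap;

/// One SBAT record; only the name and generation matter for revocation.
#[derive(Debug, PartialEq)]
pub struct SbatEntry {
    pub component: String,
    pub generation: u32,
}

/// Parse SBAT CSV data. The first line ("sbat,1,...") describes the format
/// version and is itself an entry that a policy can revoke.
pub fn parse_sbat(data: &str) -> Result<Vec<SbatEntry>, String> {
    let mut entries = Vec::new();
    for (i, line) in data.lines().enumerate() {
        let line = line.trim();
        if line.is_empty() {
            continue;
        }
        let mut fields = line.split(',');
        let component = fields
            .next()
            .filter(|s| !s.is_empty())
            .ok_or_else(|| format!("line {}: missing component name", i + 1))?;
        let generation = fields
            .next()
            .ok_or_else(|| format!("line {}: missing generation", i + 1))?
            .parse::<u32>()
            .map_err(|e| format!("line {}: bad generation: {}", i + 1, e))?;
        entries.push(SbatEntry { component: component.to_string(), generation });
    }
    if entries.is_empty() {
        return Err("empty SBAT data".to_string());
    }
    Ok(entries)
}

/// Returns the first component whose generation is below the policy minimum,
/// or None if the image may be loaded. Components absent from the policy are
/// not constrained, which is how SBAT handles unknown vendors.
pub fn check_revocation(entries: &[SbatEntry], policy: &HashMap<&str, u32>) -> Option<String> {
    entries
        .iter()
        .find(|e| policy.get(e.component.as_str()).map_or(false, |&min| e.generation < min))
        .map(|e| e.component.clone())
}
```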
The project is organized as a Rust workspace containing several packages:

- The `vboot` package is a thin wrapper around the C vboot library. It also exposes a `DiskIo` trait through which it can read and write blocks to a disk.
- The `libcrdy` package contains shared code that is used by both the `crdyboot` and `crdyshim` packages.
- The `crdyboot` package produces the actual `crdyboot` executable. It contains the embedded key used to verify the kernel data, the SBAT data used for revocation, and sets up logging and allocation. Then it loads, verifies, and runs the kernel.
- The `crdyshim` package produces an optional first-stage bootloader similar to shim. Its purpose is to load, verify, and run the second stage bootloader.
- The `xtask` package contains a host executable that provides the various `xtask` commands shown below. It's like a fancy Makefile for running various dev and test operations.
- The `enroller` subdirectory contains a small UEFI application that enrolls a test key in the `PK`, `KEK`, and `db` variables. This is used to set up the test VM, and can also be used on real hardware (see the "Testing on real hardware" section).

Install Rust: https://rustup.rs
Install tools used for image signing and running in a VM:

```
sudo apt install clang curl efitools gdisk libssl-dev ovmf ovmf-ia32 \
    pkg-config qemu-system-x86 sbsigntool swtpm
```

After installing qemu, add your user to the `kvm` group. You will need to log out and back in for this to take effect:

```
sudo adduser ${USER} kvm
```
Googlers: see go/crdyboot-internal for additional recommendations.
Before running any other commands in the repository, run this setup command:

```
cargo xtask setup [<disk-path>]
```

This will prepare a reven image to use with VM tests. By default a build of the public reven board is downloaded from a GS bucket. If you are a Googler, you can pass `--reven-private` to get a recent build of the private reven board. Alternatively, you can provide a file path to use a local image. The image should be a `test` image with verity enabled.

To check formatting, lint, test, build crdyboot/crdyshim, and install to the image:

```
cargo xtask check [--vm-tests]
```

The `--vm-tests` option enables slow tests that run under QEMU.

To just build and install the bootloaders to the image (a quicker subset of `check`):

```
cargo xtask build
```

Then run it in QEMU:

```
cargo xtask qemu [--ia32] [--no-secure-boot] [--tpm1|--tpm2]
```
To test secure boot with real hardware you will need to enroll custom keys.

1. Write `workspace/enroller.bin` to a USB, and write `workspace/disk.bin` to a second USB, e.g. using writedisk.
2. Boot the DUT and enter the boot setup. Find the secure boot settings and change them to setup mode. (The details will vary from one vendor to another.)
3. Plug in the enroller USB and reboot. Use the boot menu to select the USB and wait for it to complete.
4. Unplug the enroller USB and plug in the cloudready USB, then reboot. Use the boot menu to select the USB.
See the docs subdirectory.