commit | 25a6e36d19aa1db30e2eb426394758250e351b97 | |
---|---|---|
author | Cheng-Han Yang <chenghan@google.com> | Wed Aug 04 13:41:46 2021 |
committer | Commit Bot <commit-bot@chromium.org> | Thu Aug 19 11:19:08 2021 |
tree | 66c5788b3f964820768edbd44f70e7d06de691a3 | |
parent | a642c9ca4d5b7ad926c2db8f0d702be306f06ce7 | |
factory_install: Backport mandatory RSU to factory branches

factory_install: Patch /dev in factory_bootstrap

Some system daemons are run in minijail and require /dev/log to exist. Patch /dev during bootstrap to make sure the path exists.

BUG=b:194980249
TEST=manual test on DUT, check that the daemon is running

Change-Id: Id5686bfec4405e21838195b9dcf0e0a64a3ce4bf
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3071059
Reviewed-by: Cheng Yueh <cyueh@chromium.org>
Tested-by: Cheng-Han Yang <chenghan@chromium.org>
Commit-Queue: Cheng-Han Yang <chenghan@chromium.org>
(cherry picked from commit 8402a7838c35d69c93ae5b9fa1268fb9168745cc)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3074703
Reviewed-by: Gene Chang <genechang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3088998

factory_install: Add check_hwwp function

Refactor: add `check_hwwp` function, and move SWWP related functions to put them together.

BUG=None
TEST=manual test on DUT.

Change-Id: Id216c3ab537884e4f6f208f8213dc4bddfc2d5c6
Reviewed-on: https://chromium-review.googlesource.com/1621887
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Cheng-Han Yang <chenghan@chromium.org>
Legacy-Commit-Queue: Commit Bot <commit-bot@chromium.org>
Reviewed-by: Marco Chen <marcochen@chromium.org>
Reviewed-by: Wei-Han Chen <stimim@chromium.org>

factory_install: Check Cr50 firmware when HWWP is off

We need to enable factory mode at the end of installation, which also needs a newer version of cr50 firmware. If the RMA center is still disconnecting the battery to disable HWWP, they might run into an error when turning on factory mode.

BUG=b:194980249
TEST=None

Change-Id: I7057a32b6141ec53aa95f4ce392ca123822c194a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/2294629
Reviewed-by: Kevin Lin <kevinptt@chromium.org>
Commit-Queue: Cheng-Han Yang <chenghan@chromium.org>
Tested-by: Cheng-Han Yang <chenghan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3088999
Reviewed-by: Yun-Kai Lin <kevinptt@chromium.org>

factory_install: Restrict RMA actions when device is enrolled

We shouldn't perform RMA operations on an enrolled device, unless the device performs RSU. For instance, we should not remove the battery and do RMA install on an enrolled device. This only applies to devices that support RSU. The CL allows only two default actions and invalidates other actions when the device is enrolled. If no default action is set, it will automatically do RSU. When RMA_AUTORUN is set and device is enrolled, it will also do RSU.

BUG=b:194980249
TEST=build factory shim; manual test on DUT

Change-Id: I152289efdca1084e761cf8a48f4e87688265aa9a
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/1686811
Reviewed-by: Leo Lai <cylai@google.com>
Commit-Queue: Cheng-Han Yang <chenghan@chromium.org>
Tested-by: Cheng-Han Yang <chenghan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3060245
Reviewed-by: Gene Chang <genechang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3089000

factory_install: Use FWMP presence to decide mandatory RSU

Only check FWMP presence but not DEVELOPER_DISABLE_BOOT to determine if a device is enrolled and enforce RSU. This is a workaround to avoid awkward repair process where the user needs to keep the device open during the repair.

BUG=b:194980249
TEST=manual test on DUT

Change-Id: I65f77a990feb68f5482b62c0f980f6c17cbbf66d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3045587
Tested-by: Cheng-Han Yang <chenghan@chromium.org>
Reviewed-by: Stimim Chen <stimim@chromium.org>
Commit-Queue: Cheng-Han Yang <chenghan@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3060246
Reviewed-by: Gene Chang <genechang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3089001
Reviewed-by: Yun-Kai Lin <kevinptt@chromium.org>

factory_install: Wait for cryptohome dbus service before calling it

Wait until cryptohome dbus service is up before calling cryptohome to query FWMP status.

BUG=b:194980249
TEST=None

Change-Id: I685c5453b15bb4b1ce099f28b29f29eb708aa7a5
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3090674
Tested-by: Cheng-Han Yang <chenghan@chromium.org>
Reviewed-by: Yun-Kai Lin <kevinptt@chromium.org>
Commit-Queue: Cheng-Han Yang <chenghan@chromium.org>

factory_install: Use FWMP_DEV_DISABLE_CCD_UNLOCK to decide mandatory RSU

FWMP_DEV_DISABLE_CCD_UNLOCK is the flag that decides if factory mode is allowed. This flag is also set during enterprise enrollment. We can use this flag to decide if RSU is required, and also make sure if RSU is not required, we can disconnect the battery (or short pins) to enter factory mode.

BUG=b:194980249
TEST=manual test on DUT

Change-Id: I0a192497a38a05575f44a1e7098fa9f8cc4da66e
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3097525
Tested-by: Cheng-Han Yang <chenghan@chromium.org>
Reviewed-by: Stimim Chen <stimim@chromium.org>
Commit-Queue: Cheng-Han Yang <chenghan@chromium.org>
(cherry picked from commit f29647fa448c6649f9cc0acbda5d52b979f9c3f2)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3099329
Reviewed-by: Yun-Kai Lin <kevinptt@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/factory_installer/+/3105911

This folder contains the major scripts for the “Chrome OS factory shim”. The shim is used for installing a Chrome OS image (kernel, rootfs and firmware) to a device. It's also known as “(factory) install shim”, “RMA shim”, or “Reset shim”.
The factory shim is designed to let operators remove the USB stick once it has booted, so the boot process is slightly different. The shim relies on initramfs technology to bootstrap and load all contents into memory, then starts an upstart service to display the menu.
Inside chroot, do:
```sh
build_packages --board $BOARD
build_image --board $BOARD factory_install
```

The output disk image is in `~/trunk/src/build/images/$BOARD/latest/factory_install_shim.bin`.

If you have local changes in `src/platform/factory_installer`, please remember to do

```sh
cros_workon --board $BOARD start factory_installer
emerge-$BOARD factory_installer
```

If you have local changes in `src/platform/initramfs`, please remember to do

```sh
cros_workon --board $BOARD start chromeos-initramfs
```

There's no need to emerge `chromeos-initramfs` because it's always re-built in `build_image` stage.
Factory shims are signed in a special way for security reasons. They need to boot with “developer switch turned on” and “boot in recovery mode”.

1. `ESC + F3(REFRESH) + POWER` to enter recovery mode
2. `CTRL + D` to turn on developer switch
3. `ENTER` to confirm
4. `ESC + F3(REFRESH) + POWER` to enter recovery mode again (no need to wait for wiping)
5. `rma_image.bin`

1. `POWER + VOL_UP + VOL_DOWN` for at least 10 seconds, and release them to enter recovery mode
2. `VOL_UP + VOL_DOWN` to show recovery menu
3. `VOL_UP` or `VOL_DOWN` to move the cursor to “Confirm Disabling OS Verification”, and press `POWER` to select it
4. `POWER + VOL_UP + VOL_DOWN` for at least 10 seconds, and release them to enter recovery mode again (no need to wait for wiping)
5. `rma_image.bin`

If you boot factory shim in developer mode (`Ctrl-U`), some functions won't work, such as recovering TPM.
If you boot into a factory shim successfully, you will see a shim menu, followed by a prompt to select an action.
```
Please select an action and press Enter.

I Install               Performs a network or USB install
R Reset                 Performs a factory reset; finalized devices only
S Shell                 Opens bash; available only with developer firmware
V View configuration    Shows crossystem, VPD, etc.
D Debug info and logs   Shows useful debugging information and kernel/firmware logs
Z Zero (wipe) storage   Makes device completely unusable
C SeCure erase          Performs full storage erase, write a verification pattern
Y VerifY erase          Verifies the storage has been erased with option C
T Reset TPM             Call chromeos-tpm-recovery
F Update TPM Firmware   Call tpm-firmware-update-factory
U Update Cr50           Update Cr50 fw from ROOTFS_PARTITION/opt/google/cr50/firmware/cr50.bin.prod
E Reset Cr50            Perform a Cr50 reset
M Cr50 factory mode     Enable Cr50 factory mode

action>
```
The install shim also checks `/etc/lsb-factory` for flags that decide the default action of the shim menu (listed from high priority to low priority).

- `NETBOOT_RAMFS=1`: This flag is automatically set when using netboot firmware. The install shim will set the default action to (I) Install.
- `RMA_AUTORUN=true`: This flag is set by `image_tool` when creating an RMA shim. Please see RMA shim README for the behavior of this parameter.
- `DEFAULT_ACTION=<action>`: This flag directly sets the default action to `<action>`. For instance, `DEFAULT_ACTION=i` sets the default action to (I) Install.

Factory shims do not provide shells by default for security reasons. If you can still see virtual terminal consoles, try VT0, VT1, VT2, VT3 - there are lots of debug messages there.
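
The `/etc/lsb-factory` flag priority listed above, as an added example that is not code from the factory_installer project: it reads the flags as data (never sourcing the file) and accepts `DEFAULT_ACTION` only when it is one letter from the shim menu. The function names `lsb_value` and `resolve_default_action` and the `RMA_AUTORUN` result token are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not factory_installer code. The function names and the
# "RMA_AUTORUN" result token are assumptions made for illustration.

# Print the value of the last "KEY=value" line for key $1 in file $2.
# The file is read as data and never sourced, so a crafted value such as
# DEFAULT_ACTION=$(cmd) is compared as text and not executed.
lsb_value() {
  sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Resolve the default action in the page's priority order. Prints "I" for
# netboot, "RMA_AUTORUN" when that flag is set (its behaviour is described in
# the RMA shim README), one validated menu letter, or nothing for no default.
# Returns 1 when DEFAULT_ACTION is not a letter from the shim menu.
resolve_default_action() {
  file="$1"
  [ -r "${file}" ] || return 0
  if [ "$(lsb_value NETBOOT_RAMFS "${file}")" = "1" ]; then
    echo "I"
    return 0
  fi
  if [ "$(lsb_value RMA_AUTORUN "${file}")" = "true" ]; then
    echo "RMA_AUTORUN"
    return 0
  fi
  action="$(lsb_value DEFAULT_ACTION "${file}" | tr '[:lower:]' '[:upper:]')"
  case "${action}" in
    [IRSVDZCYTFUEM]) echo "${action}" ;;  # exactly one letter from the menu
    "") ;;                                # flag absent: no default action
    *) echo "ignoring invalid DEFAULT_ACTION" >&2; return 1 ;;
  esac
}

# Constructed sample input (not taken from a real shim).
sample="$(mktemp)"
printf 'RMA_AUTORUN=false\nDEFAULT_ACTION=i\n' > "${sample}"
resolve_default_action "${sample}"
rm -f "${sample}"
```
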
If you do need a shell to debug, add `cros_debug` to kernel command line. You can do this in `build_image`:

```sh
build_image --board $BOARD --boot_args cros_debug factory_install
```

For an existing image, you can use `make_dev_ssd.sh` to change kernel command line easily:

```sh
# inside chroot
cd ~/trunk/src/platform/vboot_reference/scripts/image_signing
./make_dev_ssd.sh -i $PATH_TO_IMAGE_OR_USB_DEVICE \
  --partitions 2 --recovery --edit_config
```

This will bring up an editor to allow editing command line.

Note `make_dev_ssd.sh` is also available on all Chrome OS images (even factory shim) - try `/usr/share/vboot/bin/make_dev_ssd.sh`.

If you boot a factory shim with `cros_debug`, then you should have one shell in VT2 or VT3. Moreover, if you can enter the menu, ‘S’ will give you the full shell.
`frecon` (or `frecon-lite`) provides a text-based console. If you can't see anything on screen, redirect the console to another device, for example Servo consoles, so you can check why `frecon` failed. To do this, add `console=ttyS0,115200n8` to kernel command line (use `make_dev_ssd.sh` or add `--boot_args` as explained in the previous section). Some devices may need a different TTY name, for example `ttyS1`. Please check the care-and-feed doc of your device.

If the menu or frecon dies and adding `cros_debug` does not help, you probably want to attach a serial console (for example SuzyQ) and get everything except the factory shim UI (menu) there. To do that:
1. Open the `/usr/sbin/factory_tty.sh` and find the `TTY_CONSOLE=` line. If it already has valid serial console (for example `ttyS0`), move to step 3.
2. `TTY_CONSOLE` and build image. Edit the `make.conf` in board overlay, to find or add one setting (assume serial console is `ttyS0`):

   ```sh
   TTY_CONSOLE="ttyS0"
   ```

   Then re-build the `factory_installer` package and factory shim:

   ```sh
   emerge-$BOARD factory_installer
   build_image --board $BOARD factory_install
   ```

3. Mount the rootfs and rename `/etc/init/console-ttyS0.conf` to something that does not start as `console`:

   ```sh
   # First enable RW for rootfs. Assume the USB is in /dev/sdX.
   cd ~/trunk/src/platform/vboot_reference/scripts/image_signing
   sudo ./make_dev_ssd.sh -i /dev/sdX --recovery \
     --remove_rootfs_verification --partitions 2

   # Mount (assume your shim is in /dev/sdX)
   sudo mount /dev/sdX /media
   cd /media/etc/init
   sudo mv console-ttyS0.conf debug-ttyS0.conf
   cd -  # To leave /media folder so we can unmount.
   sudo umount /media
   ```