Google Git
Sign in
chromium / crdyboot / d6aa7703a814b3d92b6ed0644b86e72a134f0ce7
commitd6aa7703a814b3d92b6ed0644b86e72a134f0ce7[log] [tgz]
authorNicholas Bishop <nicholasbishop@google.com>Fri Jul 30 20:36:46 2021
committerNicholas Bishop <nicholasbishop@google.com>Fri Jul 30 20:36:46 2021
tree0255f24ee6213b59fd811d6dcd31a0e7ef145a1a
parent86f2d0f5d9d1a910971c45787c1632469de0bb12 [diff]
crdyboot: read some sbat data from manifest

Change-Id: I6a4dc55fa153b5aad883dc0a3b6e0c3e5be5196b
2 files changed
tree: 0255f24ee6213b59fd811d6dcd31a0e7ef145a1a
  1. crdyboot/
  2. enroller/
  3. third_party/
  4. tools/
  5. vboot/
  6. workspace/
  7. .gitignore
  8. .gitmodules
  9. .rustfmt.toml
  10. LICENSE
  11. README.md
  12. x.py
README.md

crdyboot

Pronounced CUR-dee-boot.

This is a work-in-progress UEFI bootloader for CloudReady. It is intended to be run either as a second-stage bootloader after shim when using the Microsoft keys, or as the first-stage bootloader when using custom keys. Then crdyboot will handle loading, verifying, and running the Linux kernel.

Goals:

  • Ensure that when secure boot is enabled, dm-verity is enabled for the rootfs. (Note that this can only be fully verified if using custom Secure Boot keys, otherwise a different OS signed with the Microsoft keys could be used to avoid verifying the rootfs.)
  • Use UEFI features as little as possible. We need to run on a lot of hardware, and not all UEFI implementations work well.
  • Use the ChromeOS GPT-attribute mechanism for determining which kernel to boot.
  • Use the ChromeOS kernel partitions rather than loading the kernel from the EFI partition. The kernel partitions include both the kernel data and command-line, as well as data structures to verify the signature of everything being loaded.
  • Verify the signature of everything loaded from the kernel partition.
  • Only support 64-bit CPUs, but support both 32- and 64-bit UEFI environments.

License

Apache License Version 2.0

Code layout

The vboot subdirectory is a no_std library that handles loading and verifying the kernel. Internally it uses the LoadKernel function from third_party/vboot_reference. This crate can be built for the host target so that tests can run.

The crdyboot subdirectory contains the actual bootloader. It can only be built for the x86_64-unknown-uefi and i686-unknown-uefi targets.

The tools subdirectory contains a single binary that is used by the various x.py commands shown below.

Dependencies

Install nightly Rust:

rustup install nightly
rustup component add rust-src --toolchain nightly

Provides headers needed for compiling C code compatible with the Rust UEFI targets.

sudo apt install mingw-w64-i686-dev mingw-w64-x86-64-dev

For building OVMF:

sudo apt install acpica-tools nasm uuid-dev

Other tools used for image signing and running in a VM:

sudo apt install efitools gdisk qemu-system-x86 sbsigntool

Building and testing

To format, lint, test, and build both vboot and crdyboot:

./x.py check

To build crdyboot for both 64-bit and 32-bit UEFI targets:

./x.py build

One-time step to build OVMF:

./x.py build-ovmf

One-time step to enroll custom secure-boot keys:

./x.py secure-boot-setup

One-time step to copy in an existing cloudready image:

cp /path/to/cloudready.bin workspace/disk.bin

One-time step to prepare the image:

./x.py prep-disk

To copy the latest crdyboot build to the image:

./x.py update-disk

Then run it in QEMU:

./x.py qemu [--ia32] [--secure-boot]

By default crdyboot sets the max log level to Warn. Pass --enable-verbose-feature to the check or build command to set the max log level to Debug instead.

Testing on real hardware

To test secure boot with real hardware you will need to enroll custom keys. First build the enroller image (workspace/enroller.bin):

./x.py build-enroller

Write workspace/enroller.bin to a USB, and write workspace/disk.bin to a second USB, e.g. using writedisk.

Boot the DUT and enter the boot setup. Find the secure boot settings and change it to setup mode. (The details will vary from one vendor to another.)

Plug in the enroller USB and reboot. Use the boot menu to select the USB and wait for it to complete.

Unplug the enroller USB and plug in the cloudready USB, then reboot. Use the boot menu to select the USB.

Developer notes

An older pure-Rust version can be found in the pure-rust-20210729 branch. Since then we have switched to building the C vboot library and loading/verifying the kernel through that library.