Issue 652748

Issue metadata

Status: Archived
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Feature

Add rollback check to recovery initramfs scripts

Project Member Reported by rspangler@chromium.org, Oct 4 2016

Issue description

If a recovery image is properly signed, it will always work on a given system.  There is no way to lock out that image if it is buggy or vulnerable.

This is intentional, because whatever rollback information is stored on the system could theoretically become corrupt and a recovery image would need to be able to boot to fix that.

But that means that we can't currently lock out old recovery images.

Instead, put the rollback check at the start of the recovery image's initramfs script.  That way, the recovery image will lock itself out before its attack surface grows very far.  And because the check is in the recovery image, in the event that devices are somehow broken in a way which makes the check fail, we can release a new recovery image which works around that breakage.

(This won't help existing recovery images, but it will help new ones...)
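
The self-lockout described in the issue above, sketched as an added example; it is not the attached proof of concept and not the Chromium OS initramfs code. The function names, the plain decimal version format and the choice to lock out when the stored value is unreadable are all assumptions, and how a real script obtains the two values is left out.

```shell
#!/bin/sh
# Added illustration only: not the attached proof of concept, not Chromium OS code.
# Function names, the decimal version format and the fail-closed policy are assumptions.

# is_version VALUE: true for 1 to 9 decimal digits (stays inside shell integer range).
is_version() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 9 ]
}

# rollback_check IMAGE_VERSION STORED_MINIMUM
#   0: image is at or above the stored minimum, recovery may continue
#   1: image is older than the stored minimum, so it locks itself out
#   2: either value is missing or malformed, treated as lockout (assumed policy)
rollback_check() {
  is_version "$1" && is_version "$2" || return 2
  [ "$1" -ge "$2" ] || return 1
  return 0
}

# recovery_gate IMAGE_VERSION STORED_MINIMUM
# Meant to run as the first step of the init script, before any disk or
# network code. Prints the decision and returns rollback_check's status;
# a real script would stop booting on any non-zero status.
recovery_gate() {
  rc=0
  rollback_check "$1" "$2" || rc=$?
  case "$rc" in
    0) echo "continue: image $1 >= stored minimum $2" ;;
    1) echo "lockout: image $1 is older than stored minimum $2" ;;
    *) echo "lockout: version data unreadable" ;;
  esac
  return "$rc"
}

# Constructed sample values: image version, stored minimum.
for pair in "7 5" "5 5" "3 5" "3 0x5" "3 "; do
  set -- $pair
  recovery_gate "${1:-}" "${2:-}" || true
done
```

Because the comparison ships inside the image, changing how malformed or corrupt stored values are handled only requires releasing a new recovery image, which is the escape hatch the description relies on.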
 
Here's a standalone script which has the important implementationy bits in it.  It just needs incorporating into all of the initramfs scripts, then testing.

Attachment: rollback_check_proof_of_concept.sh (2.1 KB)

Do you want to include the addition of the delay in this bug, or do you want me to file a new bug for that?

Re#3: Let's make that a separate bug.  It's a different feature.

Filed issue 652796 for the delay.

Owner: shchen@chromium.org
Status: Fixed (was: Started)
Implemented here:
https://chromium-review.googlesource.com/437592

Project Member

Comment 8 by bugdroid1@chromium.org, Mar 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/initramfs/+/a0f0b6ba3da4e4bcf9ffd277e903b19c75501fca

commit a0f0b6ba3da4e4bcf9ffd277e903b19c75501fca
Author: Shelley Chen <shchen@chromium.org>
Date: Fri Mar 03 04:17:44 2017

Recovery: Adding FW rollback check

BUG= chromium:652748 
BRANCH=None
TEST=build recovery image and ran it on chell & sentry.

Change-Id: I3e07dd76adfe98b92e2c53daf3b8b5866cf1cd62
Signed-off-by: Shelley Chen <shchen@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/437592
Reviewed-by: Randall Spangler <rspangler@chromium.org>

[modify] https://crrev.com/a0f0b6ba3da4e4bcf9ffd277e903b19c75501fca/recovery/init
[modify] https://crrev.com/a0f0b6ba3da4e4bcf9ffd277e903b19c75501fca/recovery/recovery_init.sh

Comment 9 by dchan@google.com, Apr 17 2017

Labels: VerifyIn-59

Comment 10 by dchan@google.com, May 30 2017

Labels: VerifyIn-60
Labels: VerifyIn-61

Comment 12 by dchan@chromium.org, Oct 14 2017

Status: Archived (was: Fixed)