we currently rely on the container being in the rootfs, and the rootfs being read-only. we should be able to verify the content independently. adlr@ put together a doc with some thoughts: https://docs.google.com/document/d/1eAoI0seSIItxPFUWq8Ih5l_qLMhM1QFtEheykwimRKo/edit
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/f41cd04d9eeefe7b7b98c67484ee96ba4fbf1125
commit f41cd04d9eeefe7b7b98c67484ee96ba4fbf1125
Author: Mike Frysinger <vapier@chromium.org>
Date: Fri Oct 28 00:15:05 2016

pad_digest_utility: fix usage output

The usage string wasn't appending a newline to the end which caused weird output when shown. Add a proper usage() helper and extend the output a bit to be more human friendly.

BUG= chromium:660209
TEST=`pad_digest_utility` is nice
BRANCH=None
Change-Id: I01c3c5372a4202bc6f5a9b2c5fe0e2a59c3ca5cf
Reviewed-on: https://chromium-review.googlesource.com/404768
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>

[modify] https://crrev.com/f41cd04d9eeefe7b7b98c67484ee96ba4fbf1125/utility/pad_digest_utility.c

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/dm-verity/+/0dc0a96c6ac31c75a61c05591d6266a927017932
commit 0dc0a96c6ac31c75a61c05591d6266a927017932
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Oct 27 22:10:44 2016

ignore generated files

BUG= chromium:660209
TEST=`git status` is clean
Change-Id: I94075da61c654bc1d6eb6c66df34cbc7eb5b4d54
Reviewed-on: https://chromium-review.googlesource.com/404029
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[add] https://crrev.com/0dc0a96c6ac31c75a61c05591d6266a927017932/.gitignore

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/dm-verity/+/5d5faf68cdb05e477f0637f517f4926a0db1394a
commit 5d5faf68cdb05e477f0637f517f4926a0db1394a
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Oct 27 22:37:46 2016

verity: support salt=random generation

Many CrOS build scripts generate a salt randomly (using things like xxd on /dev/urandom). Add support for that directly to verity so we don't have to copy these ad-hoc implementations around.

BUG= chromium:660209
TEST=`verity mode=create alg=sha1 payload=img hashtree=hash salt=random` outputs a random salt each time
Change-Id: Iee631a1eb72945a011d4c64c930b1331330f32cd
Reviewed-on: https://chromium-review.googlesource.com/404728
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/5d5faf68cdb05e477f0637f517f4926a0db1394a/file_hasher.cc
[modify] https://crrev.com/5d5faf68cdb05e477f0637f517f4926a0db1394a/file_hasher.h

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/62461d719ff658512a9595cfc1e67e2a127bd1fc
commit 62461d719ff658512a9595cfc1e67e2a127bd1fc
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Jan 12 02:12:16 2017

image_signing: support signing of OCI containers

BUG= chromium:660209
TEST=`./sign_official_build.sh oci-container fastboot/ ../tests/devkeys` works
TEST=signing an image inserted the container pubkey
BRANCH=None
Change-Id: I75793b03e93f2c18b1495a3ec729ad04d2e17401
Reviewed-on: https://chromium-review.googlesource.com/427538
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>

[add] https://crrev.com/62461d719ff658512a9595cfc1e67e2a127bd1fc/scripts/image_signing/insert_container_publickey.sh
[add] https://crrev.com/62461d719ff658512a9595cfc1e67e2a127bd1fc/scripts/image_signing/sign_oci_container.sh
[add] https://crrev.com/62461d719ff658512a9595cfc1e67e2a127bd1fc/tests/devkeys/cros-oci-container.pem
[modify] https://crrev.com/62461d719ff658512a9595cfc1e67e2a127bd1fc/scripts/image_signing/sign_official_build.sh
[add] https://crrev.com/62461d719ff658512a9595cfc1e67e2a127bd1fc/tests/devkeys/cros-oci-container-pub.pem

The following revision refers to this bug: https://chrome-internal.googlesource.com/chromeos/cros-signing/+/bff1b0e03521b4b65d7acd030704142dc80ce361
commit bff1b0e03521b4b65d7acd030704142dc80ce361
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Jan 12 03:14:03 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/crosutils/+/34808e575e71429d298e50aaf03fbec68e8b49dd
commit 34808e575e71429d298e50aaf03fbec68e8b49dd
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Jan 12 02:14:08 2017

unify vboot path vars

A bunch of scripts duplicate vboot paths, so unify them all in common.sh.

BUG= chromium:660209
TEST=precq passes
Change-Id: I7e568a205a0ab93ed6a413a88f9bb79c06095883
Reviewed-on: https://chromium-review.googlesource.com/427498
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: David Riley <davidriley@chromium.org>

[modify] https://crrev.com/34808e575e71429d298e50aaf03fbec68e8b49dd/build_library/build_image_util.sh
[modify] https://crrev.com/34808e575e71429d298e50aaf03fbec68e8b49dd/mod_image_for_recovery.sh
[modify] https://crrev.com/34808e575e71429d298e50aaf03fbec68e8b49dd/common.sh
[modify] https://crrev.com/34808e575e71429d298e50aaf03fbec68e8b49dd/build_image
[modify] https://crrev.com/34808e575e71429d298e50aaf03fbec68e8b49dd/mod_test_image_for_pyauto.sh
[modify] https://crrev.com/34808e575e71429d298e50aaf03fbec68e8b49dd/build_kernel_image.sh
[modify] https://crrev.com/34808e575e71429d298e50aaf03fbec68e8b49dd/bin/cros_make_image_bootable
[modify] https://crrev.com/34808e575e71429d298e50aaf03fbec68e8b49dd/mod_test_image_for_dbusspy.sh

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/crosutils/+/9b9f5166ad28a4943f10db0687fa13df2381ab3b
commit 9b9f5166ad28a4943f10db0687fa13df2381ab3b
Author: Mike Frysinger <vapier@chromium.org>
Date: Wed Nov 30 21:20:07 2016

package_to_container: create a signed app

In addition to updating package_to_container and the generated config.json files (includes changes from CL:417097), output the manifest and sign it. The layout is:

  manifest.json - file w/config.json & rootfs hashes
  manifest.json.sig - signature of manifest.json

By default we use the devkey from vboot.

BUG= chromium:660209
TEST=run_oci only runs containers with a valid manifest.json{,.sig}
CQ-DEPEND=CL:427498
Change-Id: I3f570ade96e267b420a4609919ebc3af3c7cdc5b
Reviewed-on: https://chromium-review.googlesource.com/415231
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/9b9f5166ad28a4943f10db0687fa13df2381ab3b/package_to_container
[modify] https://crrev.com/9b9f5166ad28a4943f10db0687fa13df2381ab3b/generic_container_files/config.json
[delete] https://crrev.com/34808e575e71429d298e50aaf03fbec68e8b49dd/generic_container_files/runtime.json

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/crosutils/+/91944962c8691526efc17991027e6c2512f9334a
commit 91944962c8691526efc17991027e6c2512f9334a
Author: Mike Frysinger <vapier@chromium.org>
Date: Thu Jan 12 03:58:57 2017

build_image: insert container devkey into image

This way we can verify the container verification stack.

BUG= chromium:660209
TEST=build_image included the new container pub key
Change-Id: I1cf2dfe3386b6bc5bdae72f651df982e5f419667
Reviewed-on: https://chromium-review.googlesource.com/430830
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/91944962c8691526efc17991027e6c2512f9334a/build_library/base_image_util.sh

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/0e20b19e4cc5fa3ff1cd1dc24788a9d0f000c0b2
commit 0e20b19e4cc5fa3ff1cd1dc24788a9d0f000c0b2
Author: Mike Frysinger <vapier@chromium.org>
Date: Mon Jan 09 16:30:39 2017

container_utils: require containers be signed by default

We now require a manifest.json (with a signed manifest.json.sig) to be included. In that json file lives a hash of the config.json file.

BUG= chromium:660209
TEST=run_oci only runs containers with a valid manifest.json{,.sig}
Change-Id: Icdfa037dc932759ecb4b17d3a9ccd47034ac1856
Reviewed-on: https://chromium-review.googlesource.com/426538
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/0e20b19e4cc5fa3ff1cd1dc24788a9d0f000c0b2/container_utils/container_utils.gyp
[modify] https://crrev.com/0e20b19e4cc5fa3ff1cd1dc24788a9d0f000c0b2/container_utils/container_options.h
[modify] https://crrev.com/0e20b19e4cc5fa3ff1cd1dc24788a9d0f000c0b2/container_utils/run_oci.cc

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/89261a27fe3a3f252f8fc82d7f9aab1ad11787d3
commit 89261a27fe3a3f252f8fc82d7f9aab1ad11787d3
Author: Mike Frysinger <vapier@chromium.org>
Date: Fri Jan 27 03:17:56 2017

libcontainer: depend on devmapper for dm-verity mounts

BUG= chromium:660209
TEST=precq passes
Change-Id: I9d071194d4e895fb0d8e83e7502baa82f80ed21a
Reviewed-on: https://chromium-review.googlesource.com/433937
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/89261a27fe3a3f252f8fc82d7f9aab1ad11787d3/chromeos-base/libcontainer/libcontainer-9999.ebuild

The following revision refers to this bug: https://chrome-internal.googlesource.com/chromeos/cros-signing/+/b89133065d8a5bcc9c77f6d6b793fc364ccf6e03
commit b89133065d8a5bcc9c77f6d6b793fc364ccf6e03
Author: Mike Frysinger <vapier@chromium.org>
Date: Wed Feb 01 22:43:37 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/05e594e3cd9b22d117b8a1827c6dd22355ad30e7
commit 05e594e3cd9b22d117b8a1827c6dd22355ad30e7
Author: Mike Frysinger <vapier@chromium.org>
Date: Fri Feb 03 13:15:08 2017

containers: support mounting via dm-verity

If the mount options include a dm= flag, use that to set up the device over dm-verity.

BUG= chromium:660209
TEST=run_oci sets up rootfs image via loopback and dm-verity and still works
Change-Id: I38604ace5acc55eb923521a6f2caf32c545f2045
Reviewed-on: https://chromium-review.googlesource.com/426599
Commit-Ready: Mike Frysinger <vapier@chromium.org>
Tested-by: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Dylan Reid <dgreid@chromium.org>

[modify] https://crrev.com/05e594e3cd9b22d117b8a1827c6dd22355ad30e7/libcontainer/libcontainer.h
[modify] https://crrev.com/05e594e3cd9b22d117b8a1827c6dd22355ad30e7/container_utils/run_oci.cc
[modify] https://crrev.com/05e594e3cd9b22d117b8a1827c6dd22355ad30e7/libcontainer/libcontainer_unittest.c
[modify] https://crrev.com/05e594e3cd9b22d117b8a1827c6dd22355ad30e7/libcontainer/libcontainer.c
[modify] https://crrev.com/05e594e3cd9b22d117b8a1827c6dd22355ad30e7/common-mk/common.gypi
[modify] https://crrev.com/05e594e3cd9b22d117b8a1827c6dd22355ad30e7/common-mk/platform2.py
[modify] https://crrev.com/05e594e3cd9b22d117b8a1827c6dd22355ad30e7/libcontainer/libcontainer.gyp
[modify] https://crrev.com/05e594e3cd9b22d117b8a1827c6dd22355ad30e7/login_manager/container_config_parser.cc

The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/510e7a2b0373b61237ed3a8ec7b6788828e5deba
commit 510e7a2b0373b61237ed3a8ec7b6788828e5deba
Author: Mike Frysinger <vapier@chromium.org>
Date: Wed Apr 26 23:19:50 2017

devkeys: switch container key from RSA to EC

Created by doing:

  openssl ecparam -name prime256v1 -out prime256v1.pem
  openssl ecparam -genkey -noout -out cros-oci-container.pem -in prime256v1.pem
  openssl pkey -in cros-oci-container.pem -out cros-oci-container-pub.pem -pubout

BUG= chromium:660209
TEST=`./sign_official_build.sh oci-container fastboot/ ../tests/devkeys` still works
BRANCH=None
Change-Id: I4171b2d9d9788cccf082d613b1de6e7ca9d0b005
Reviewed-on: https://chromium-review.googlesource.com/461418
Commit-Ready: Dylan Reid <dgreid@chromium.org>
Tested-by: Dylan Reid <dgreid@chromium.org>
Reviewed-by: Eric Caruso <ejcaruso@chromium.org>

[modify] https://crrev.com/510e7a2b0373b61237ed3a8ec7b6788828e5deba/tests/devkeys/cros-oci-container.pem
[modify] https://crrev.com/510e7a2b0373b61237ed3a8ec7b6788828e5deba/tests/devkeys/cros-oci-container-pub.pem
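As an added example (not code from the page's package_to_container, sign_oci_container.sh or run_oci), this builds the manifest.json / manifest.json.sig layout described in the package_to_container and container_utils commits, using the devkey commands from the devkeys commit, and verifies signature and hashes before a container would be started. The JSON field names, a plain sha256 over a rootfs file in place of the dm-verity hash, and the `openssl dgst -sha256` signing call are assumptions, not the project's exact format.

```shell
# Added example, not the page's package_to_container / sign_oci_container.sh /
# run_oci code: build manifest.json + manifest.json.sig as the commits describe
# and verify it before "running" a container. Assumed: JSON field names, plain
# sha256 of a rootfs file (the real scheme hashes a dm-verity image), openssl dgst.
set -u

make_devkey() {            # $1 = dir; the exact commands from the devkeys commit
  openssl ecparam -name prime256v1 -out "$1/prime256v1.pem"
  openssl ecparam -genkey -noout -out "$1/cros-oci-container.pem" -in "$1/prime256v1.pem"
  openssl pkey -in "$1/cros-oci-container.pem" -out "$1/cros-oci-container-pub.pem" -pubout
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

sign_container() {         # $1 = container dir, $2 = private key (signer side)
  printf '{"config.json":"%s","rootfs.img":"%s"}\n' \
    "$(sha256_of "$1/config.json")" "$(sha256_of "$1/rootfs.img")" > "$1/manifest.json"
  openssl dgst -sha256 -sign "$2" -out "$1/manifest.json.sig" "$1/manifest.json"
}

# Verifier side: check the signature over manifest.json first, then every listed
# hash. Any failure returns 1, meaning the container must not be started.
verify_container() {       # $1 = container dir, $2 = public key
  [ -f "$1/manifest.json" ] && [ -f "$1/manifest.json.sig" ] || return 1
  openssl dgst -sha256 -verify "$2" -signature "$1/manifest.json.sig" \
    "$1/manifest.json" >/dev/null 2>&1 || return 1
  for f in config.json rootfs.img; do
    want=$(sed -n "s/.*\"$f\":\"\([0-9a-f]*\)\".*/\1/p" "$1/manifest.json")
    [ -n "$want" ] && [ "$want" = "$(sha256_of "$1/$f")" ] || return 1
  done
}

# Constructed demo: a freshly signed container verifies; editing config.json after
# signing (here, the process args) must make verification fail. Returns 0 if both hold.
demo() {
  d=$(mktemp -d); mkdir -p "$d/c"
  make_devkey "$d" >/dev/null 2>&1
  printf '{"ociVersion":"1.0.0","process":{"args":["/bin/true"]}}\n' > "$d/c/config.json"
  printf 'constructed rootfs bytes\n' > "$d/c/rootfs.img"
  sign_container "$d/c" "$d/cros-oci-container.pem"
  verify_container "$d/c" "$d/cros-oci-container-pub.pem" || return 1
  printf '{"ociVersion":"1.0.0","process":{"args":["/bin/false"]}}\n' > "$d/c/config.json"
  ! verify_container "$d/c" "$d/cros-oci-container-pub.pem" || return 1
  rm -rf "$d"
}
```

Requires openssl and coreutils sha256sum on the path; the public key is what build_image inserts into the image, so the verifier never needs the private devkey.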
this is done and pretty much deployed. security/design doc is here: https://docs.google.com/document/d/1u9PUfmf6BNlHAwkr270Vt1zxAyRCUmXFvvzVWGX_aHI/edit
Comment 1 by vapier@chromium.org, Oct 27 2016