Implement block_devmode for FWMP
Issue description

We probably want at least DEVELOPER_DISABLE_BOOT (which seems to be the equivalent of block_devmode).

See also:
* https://code.google.com/p/chrome-os-partner/issues/detail?id=62205
* README.firmware_management_parameters
* https://docs.google.com/document/d/1-O1OZxG0j12emPkfKLhSxFK0shffJqAlDB4RrxP78XU/edit
Jan 26 2017
Am I correct that we need to set dev_disable_boot, dev_disable_recovery and dev_disable_ccd_unlock to be on the safe side? And what should happen on pre-Cr50 devices? Do we create the FWMP space (but it has no effect) or should we just not create the space? Maybe the former would provide an upgrade path in case we decide to add support for FWMP to older devices?
Jan 26 2017
Just dev_disable_boot and dev_disable_ccd_unlock. dev_disable_recovery may affect the RMA flow; it's there as a failsafe if we discover a bug in that flow which could be exploited. Might as well create the space everywhere. That way if we do need to add FWMP support to older devices' RW firmware, the FWMP will already exist so the owner won't need to re-enroll their devices.
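An added example, not code from the Chromium tree or from anyone in this thread: a C check that a raw FWMP blob carries the flags agreed above (dev_disable_boot and dev_disable_ccd_unlock set, dev_disable_recovery clear). The 40-byte layout, the CRC-8 coverage and the bit positions are assumptions taken from vboot_reference's FWMP definition, and all function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Assumed from vboot_reference's FWMP v1.0 layout; these values are not on this page. */
#define FWMP_SIZE 40u /* crc8, size, version, reserved, 4-byte flags, 32-byte dev key hash */
#define FWMP_DEV_DISABLE_BOOT       (1u << 0)
#define FWMP_DEV_DISABLE_RECOVERY   (1u << 1)
#define FWMP_DEV_DISABLE_CCD_UNLOCK (1u << 6)
enum fwmp_status { FWMP_OK, FWMP_BAD_SIZE, FWMP_BAD_CRC, FWMP_DEVMODE_NOT_BLOCKED, FWMP_RECOVERY_BLOCKED };

/* CRC-8 with polynomial x^8 + x^2 + x + 1 and initial value 0. */
static uint8_t crc8(const uint8_t *p, size_t n) {
    uint8_t crc = 0;
    while (n--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0x07 : crc << 1);
    }
    return crc;
}

/* Validate size and CRC, then compare the flags with the policy agreed in the thread. */
enum fwmp_status fwmp_audit(const uint8_t *buf, size_t len, uint32_t *flags_out) {
    if (len < FWMP_SIZE || buf[1] < FWMP_SIZE || buf[1] > len)
        return FWMP_BAD_SIZE;
    if (crc8(buf + 2, (size_t)buf[1] - 2) != buf[0]) /* CRC covers the bytes after struct_size */
        return FWMP_BAD_CRC;
    uint32_t flags = buf[4] | (uint32_t)buf[5] << 8 | (uint32_t)buf[6] << 16 | (uint32_t)buf[7] << 24;
    if (flags_out) *flags_out = flags;
    uint32_t want = FWMP_DEV_DISABLE_BOOT | FWMP_DEV_DISABLE_CCD_UNLOCK;
    if ((flags & want) != want)
        return FWMP_DEVMODE_NOT_BLOCKED;
    return (flags & FWMP_DEV_DISABLE_RECOVERY) ? FWMP_RECOVERY_BLOCKED : FWMP_OK;
}

/* Constructed sample: a zeroed v1.0 blob carrying `flags` and a matching CRC. */
void fwmp_make_sample(uint8_t out[FWMP_SIZE], uint32_t flags) {
    for (size_t i = 0; i < FWMP_SIZE; i++) out[i] = 0;
    out[1] = FWMP_SIZE; out[2] = 0x10;
    for (int i = 0; i < 4; i++) out[4 + i] = (uint8_t)(flags >> (8 * i));
    out[0] = crc8(out + 2, FWMP_SIZE - 2);
}

int main(void) {
    uint8_t blob[FWMP_SIZE]; uint32_t flags = 0;
    fwmp_make_sample(blob, FWMP_DEV_DISABLE_BOOT | FWMP_DEV_DISABLE_CCD_UNLOCK);
    printf("status=%d flags=0x%02x\n", fwmp_audit(blob, sizeof blob, &flags), (unsigned)flags);
    return 0;
}
```

FWMP_RECOVERY_BLOCKED is reported separately because the thread keeps dev_disable_recovery clear to avoid affecting the RMA flow.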
Feb 28 2017
Mar 14 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/d89187a8178fb39db1b1f9a330010e62c1e725cb

commit d89187a8178fb39db1b1f9a330010e62c1e725cb
Author: Igor <igorcov@chromium.org>
Date: Tue Mar 14 22:06:02 2017

cryptohome: Permissions for D-Bus calls to update FWMP

To remove or set firmware management parameters (FWMP), the D-Bus calls to cryptohome interface need to be done. This change gives permission to make the calls.

BUG= chromium:685144
TEST=Manual

Change-Id: If561e5f3d90fb5d10b13a694f153b9aecbca6dad
Reviewed-on: https://chromium-review.googlesource.com/451322
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>

[modify] https://crrev.com/d89187a8178fb39db1b1f9a330010e62c1e725cb/cryptohome/etc/Cryptohome.conf
Mar 29 2017
Marking R-B-S to make sure it's on people's radar.
Apr 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833

commit d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833
Author: igorcov <igorcov@chromium.org>
Date: Fri Apr 07 16:23:45 2017

Update FWMP in TPM

As part of enrollment, the firmware management parameters (FWMP) partition from TPM has to be set including the flags to mark if the devmode is blocked. The update has to be done before the TPM is locked but after the policy is retrieved. It is implemented by including additional step in enrollment process that makes the D-Bus call to cryptohome to set the data in FWMP.

Similarly when the device is deprovisioned, the firmware management parameters are removed from TPM when it is established that it is a consumer owned device.

BUG= 685144

Review-Url: https://codereview.chromium.org/2727713003
Cr-Commit-Position: refs/heads/master@{#462886}

[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.cc
[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h
[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chrome/browser/chromeos/policy/enrollment_handler_chromeos.h
[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chrome/browser/chromeos/settings/install_attributes.cc
[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chrome/browser/chromeos/settings/install_attributes.h
[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chrome/browser/chromeos/settings/install_attributes_unittest.cc
[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chromeos/dbus/cryptohome_client.cc
[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chromeos/dbus/cryptohome_client.h
[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chromeos/dbus/fake_cryptohome_client.cc
[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chromeos/dbus/fake_cryptohome_client.h
[modify] https://crrev.com/d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833/chromeos/dbus/mock_cryptohome_client.h
Apr 10 2017
Apr 10 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.

Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 10 2017
Marking as fixed, as the CLs landed and I've tested the functionality. Will cherry-pick to 58 the CLs now.
Apr 10 2017
Apr 11 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/platform2/+/ed89cd7bcc30fd6bf279b5fa496882cd3fedd9cd

commit ed89cd7bcc30fd6bf279b5fa496882cd3fedd9cd
Author: Igor <igorcov@chromium.org>
Date: Tue Apr 11 17:27:34 2017

cryptohome: Permissions for D-Bus calls to update FWMP

To remove or set firmware management parameters (FWMP), the D-Bus calls to cryptohome interface need to be done. This change gives permission to make the calls.

BUG= chromium:685144
TEST=Manual

Change-Id: If561e5f3d90fb5d10b13a694f153b9aecbca6dad
Reviewed-on: https://chromium-review.googlesource.com/451322
Commit-Ready: Igor <igorcov@chromium.org>
Tested-by: Igor <igorcov@chromium.org>
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
(cherry picked from commit d89187a8178fb39db1b1f9a330010e62c1e725cb)
Reviewed-on: https://chromium-review.googlesource.com/473188
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Commit-Queue: Igor <igorcov@chromium.org>

[modify] https://crrev.com/ed89cd7bcc30fd6bf279b5fa496882cd3fedd9cd/cryptohome/etc/Cryptohome.conf
Apr 12 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8a9654349f513c585696ad788dcb5b37b1283211

commit 8a9654349f513c585696ad788dcb5b37b1283211
Author: Maksim Ivanov <emaxx@chromium.org>
Date: Wed Apr 12 17:44:43 2017

Update FWMP in TPM

As part of enrollment, the firmware management parameters (FWMP) partition from TPM has to be set including the flags to mark if the devmode is blocked. The update has to be done before the TPM is locked but after the policy is retrieved. It is implemented by including additional step in enrollment process that makes the D-Bus call to cryptohome to set the data in FWMP.

Similarly when the device is deprovisioned, the firmware management parameters are removed from TPM when it is established that it is a consumer owned device.

BUG= 685144

Review-Url: https://codereview.chromium.org/2727713003
Cr-Commit-Position: refs/heads/master@{#462886}
(cherry picked from commit d6dbbe9a3f1a62bc6ec0414bd4bbd5d4c2d9f833)

Review-Url: https://codereview.chromium.org/2812053004 .
Cr-Commit-Position: refs/branch-heads/3029@{#678}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.cc
[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h
[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chrome/browser/chromeos/policy/enrollment_handler_chromeos.h
[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chrome/browser/chromeos/settings/install_attributes.cc
[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chrome/browser/chromeos/settings/install_attributes.h
[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chrome/browser/chromeos/settings/install_attributes_unittest.cc
[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chromeos/dbus/cryptohome_client.cc
[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chromeos/dbus/cryptohome_client.h
[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chromeos/dbus/fake_cryptohome_client.cc
[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chromeos/dbus/fake_cryptohome_client.h
[modify] https://crrev.com/8a9654349f513c585696ad788dcb5b37b1283211/chromeos/dbus/mock_cryptohome_client.h
Jan 22 2018
Comment 1 by rspangler@chromium.org, Jan 25 2017