Allow factory-friendly reset in recovery shim |
|||||
Issue descriptionThe "reset" in factory shim is very similar to what the recovery shim is doing. By introduction of wipe-in-place, the factory is almost nothing related to FSI, but the "reset" after OQC is still using sharing "stateful partition" from FSI. This is usually fine, but sometimes when there are critical changes (like the migration from eryptfs to ext4crypto" - see b/62691173), it may cause problems and would need kernel rebase in factory branches - which may be causing a lot of more issues. Due to this, we wonder if there's a more simplified and easy way for factory to "reset" a device by just using recovery image. Currently the factory shim is doing following things for "reset" action in additional to to what the recovery shim is doing: 1. (factory_installer) Clear NV data (mosys nvram clear) 2. clear 'block_devmode' from VPD and NV data 3. If HW WP is 0, clear SW WP 4. Request to clear TPM owner (crossystem clear_tpm_owner_request=1) 5. Recover TPM (for version and owner - chromeos-tpm-recovery) 6. Inform shopfloor 7. reset activate data (activate_date --clean) 8. reset recovery counter (vpd -i RW_VPD -d "recovery_count") 9. check AC state & battery level, prompt for right configuration 10. cutoff or shutdown by "crossystem battery_cutoff_request=1 && sleep 3 && reboot" It should be safe to add following items in reccovery image: 1, 4, 10 And should be fine to ignore following items in recovery image: 2, 3, 5, 6, 9 So we just need to figure out how to do following items (by some condition) in recovery image: 7, 8 One possible approach is to follow factory shim - if developer switch was enabled AND a config file is found on USB stateful partition then also do 7, 8.
,
Jun 30 2017
,
Jun 30 2017
I am wondering about the TPM operations here, both if we are really ok to clear the owner outside the factory reset shim, and if we are ok potentially not having a way to fully clear the TPM (e.g. clear version rollback). For 7 and 8 adding them to the recovery scripts pending some detectable setting seems reasonable, dev mode and a special file on the stateful is probably sufficient, not sure whom owns the code that would be involved here though, these have a lot of committers and most of the stuff has not changed much in a long time.
,
Jul 3 2017
+mnissler to see what he thinks about if it's ok to always clear TPM owner (4) in recovery image.
,
Jul 3 2017
Re TPM handling: Recovery already clears the owner (relying on physical presence): https://cs.corp.google.com/chromeos_public/src/platform/initramfs/recovery/recovery_init.sh?rcl=3b5a5598ce95f11fcd1356dc599cb3b1d121f792&l=396 Thus, it doesn't make sense to add #4 to recovery. We should *never* reset the rollback counters in recovery mode. It's fine to do so in the factory/RMA flows as long as (1) that requires HW W/P to be disabled and (2) the process installs an OS image and boots it (which will bump the counters to the values shipped by the image). Re #7 + #8 I don't care much from the security point of view ;-) However, doing #10 at the end of recovery seems a bit unfortunate? The UX we want for users is that the device reboots into the newly installed image, so shutting down wouldn't be right.
,
Jul 3 2017
Re#5
This is for factory to "reset" a device so they have to shutdown (battery cutoff) the device for shipment, so step #10 is required. It's not for end users.
Ok, so if we summarize, for a "factory-friendly reset in recovery shim, after normal recovery flow, it should:
0. detect if factory-friendly tag is found (a file in stateful partition),
and proceed following items:
1. Clear NV data (mosys nvram clear)
7. reset activate data (activate_date --clean)
10. cutoff or shutdown by "crossystem battery_cutoff_request=1 && sleep 3 && reboot"
This will be a special mode for factory to reset devices in OQC process (boot device to FSI and do basic OOBE testing then factory reset). It's different from factory shim reset in:
a. TPM rollback versions were not reset (makes sense since in OQC FSI is the same).
b. won't work if block_dev mode is set (make sense since OQC should not test enrollment)
c. WP states were not cleared (makes sense since in OQC WP state is the same, and we are not changing FW)
d. shopfloor is not informed (if that is needed then partner has to use factory shim)
e. recover counter is not reset (i.e., the counter will be 1 for OQC devices)
f. AC state and battery levels can't be ensured (probably fine if the OQC SOP includes to charge system into given state)
Assigning to Marco - feel free to work on it if you think this will help partners to prevent the need to rebasing kernels.
,
Jul 3 2017
... And Marco, feel free to set this as WONTFIX if you think the limitations are not feasible to partners.
,
Jul 6 2017
Hi Hung-Te, Some questions to understand this proposal more: 1. if recovery image supports this factory-friendly reset then does it mean we don't need factory shim reset anymore? If we still need factory shim reset then we still need to rebase the kernel for these projects with issues like b/62691173. > 0. detect if factory-friendly tag is found (a file in stateful partition), > and proceed following items: 2. It means partners need to mount stateful partition in recovery shim by themselves in order to putting special file with a tag above. Is it right?
,
Jul 6 2017
1. I think most factory flow won't "need" factory shim reset, but they may "want" to use it, since (1) factory shim reset does not need to reflash firmware & emmc (2) factory shim reset may allow shopfloor call if needed. So RMA centers may prefer recovery-based shim while manufacturing line (after OQC) may prefer factory shim. 2. yes.
,
Jul 6 2017
re#9 Considering to b/62691173, will check whether factory-friendly reset in recovery image can satisfy their needs or not. If not, the priority here will be lower down.
,
Jul 7 2017
> (2) factory shim reset may allow shopfloor call if needed. Some partners need the action above after reset in the factory so lower priority down to this issue.
,
Aug 1
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by hungte@chromium.org
, Jun 30 2017