vboot: Add NvStorage variable to limit kernel roll-forward
Issue description

Currently, vboot will roll the kernel version in the TPM if:

* The kernel is marked successful (not trying a new one)
* The key version and/or kernel version in the kernel vblock is newer than the TPM
* The lowest versions of any active kernel on disk are higher than the TPM

Enterprises would like to be able to retain the ability to roll back to an older version. To let them do this on a per-device basis without opening everyone up to rollback attacks, add a NvStorage variable which will set an upper bound for roll-forward. Unenrolled devices will use 0xFFFFFFFF, so will keep the same policy as now.

This is a RW firmware change.

See go/vboot-roll-forward
Nov 18 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/4aaaeca130a701a06cb898d9a17eddf67daa3617

commit 4aaaeca130a701a06cb898d9a17eddf67daa3617
Author: Randall Spangler <rspangler@chromium.org>
Date: Sat Nov 18 04:18:19 2017

nvstorage: Add kernel max rollforward NV storage field

This just adds the kernel_max_rollforward field to the nvstorage libraries and crossystem. The firmware does not use it yet; that's coming in a subsequent CL.

16 of the field's 32 bits are taken from unused bytes of the kernel field. This has no effect on existing usage.

BUG=chromium:783997
BRANCH=none
TEST=make runtests
     Also manual testing. In a root shell:
         crossystem kernel_max_rollforward --> Should default to 0
         crossystem kernel_max_rollforward=0xfffffffe
         crossystem kernel_max_rollforward --> Should be 0xfffffffe

     (Note that setting it to 0xffffffff is indistinguishable from the -1 value that the crossystem library uses to indicate error, so 0xffffffff isn't actually usable as a max rollforward limit. But 0xfffffffe is, and if we ever get so close to the limit that we need to use 0xffffffff, something has already gone horribly wrong with our versioning strategy...)

Change-Id: I008f412e6ed3c0b59beb9881268585af69d1ff2e
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/765572
Reviewed-by: Julius Werner <jwerner@chromium.org>

[modify] https://crrev.com/4aaaeca130a701a06cb898d9a17eddf67daa3617/utility/crossystem.c
[modify] https://crrev.com/4aaaeca130a701a06cb898d9a17eddf67daa3617/firmware/2lib/include/2nvstorage_fields.h
[modify] https://crrev.com/4aaaeca130a701a06cb898d9a17eddf67daa3617/host/lib/crossystem.c
[modify] https://crrev.com/4aaaeca130a701a06cb898d9a17eddf67daa3617/tests/vboot_nvstorage_test.c
[modify] https://crrev.com/4aaaeca130a701a06cb898d9a17eddf67daa3617/firmware/2lib/2nvstorage.c
[modify] https://crrev.com/4aaaeca130a701a06cb898d9a17eddf67daa3617/firmware/2lib/include/2nvstorage.h
[modify] https://crrev.com/4aaaeca130a701a06cb898d9a17eddf67daa3617/firmware/lib/vboot_nvstorage.c
[modify] https://crrev.com/4aaaeca130a701a06cb898d9a17eddf67daa3617/firmware/include/vboot_nvstorage.h
[modify] https://crrev.com/4aaaeca130a701a06cb898d9a17eddf67daa3617/tests/vb2_nvstorage_tests.c
Nov 18 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/17fb34b647a73bb55fac876a9b20c2c90844ea2e

commit 17fb34b647a73bb55fac876a9b20c2c90844ea2e
Author: Randall Spangler <rspangler@chromium.org>
Date: Sat Nov 18 04:18:20 2017

vboot: Use kernel max rollforward NV storage field

Kernel verification will now roll forward the minimum allowable version in the TPM no farther than the kernel_max_rollforward setting.

Note that CL:765573 changes chromeos-setgoodkernel so it always sets kernel_max_rollforward to 0xfffffffe when marking a kernel as good. That ensures that firmware with this setting will behave the same for now as existing firmware.

BUG=chromium:783997
BRANCH=none
CQ-DEPEND=CL:765573
TEST=make runtests
     Manual testing:
         crossystem tpm_kernvel --> print current kernel version in TPM
         - Resign the kernel with a higher version
         - Reboot
         - Wait a minute for chromeos-setgoodkernel to run
         crossystem kernel_max_rollforward=0
         - Reboot
         crossystem tpm_kernvel --> has not changed
         - Wait a minute for chromeos-setgoodkernel to run
         crossystem kernel_max_rollforward -> 0xfffffffe
         - Reboot
         crossystem tpm_kernvel --> has changed to the higher version

Change-Id: Ia32ecb7fa4078548cd311541ccbe120570cf1bc5
Reviewed-on: https://chromium-review.googlesource.com/765574
Commit-Ready: Randall Spangler <rspangler@chromium.org>
Tested-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@google.com>

[modify] https://crrev.com/17fb34b647a73bb55fac876a9b20c2c90844ea2e/firmware/lib/vboot_api_kernel.c
[modify] https://crrev.com/17fb34b647a73bb55fac876a9b20c2c90844ea2e/tests/vboot_api_kernel4_tests.c
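The roll-forward rule from the issue description, with the kernel_max_rollforward cap from the commit above, written out as an added C example. This is not code from vboot_reference: next_tpm_kernel_version, struct kernel_scan and the version numbers are constructed for illustration, and the key and kernel versions are assumed to be combined into one 32-bit number. It replays the manual test, where a limit of 0 leaves the TPM value unchanged rather than lowering it.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative sketch only: hypothetical names, not vboot_reference code.
 * Assumes key and kernel version are combined into one 32-bit number. */
struct kernel_scan {
    uint32_t lowest_version;  /* lowest version among active kernels on disk */
    int marked_successful;    /* booted kernel is known good, not being tried */
};

/* Value the firmware should store as the TPM's minimum allowable version. */
uint32_t next_tpm_kernel_version(uint32_t tpm_version,
                                 const struct kernel_scan *scan,
                                 uint32_t max_rollforward)
{
    uint32_t target = tpm_version;
    uint32_t cap = max_rollforward;

    /* Roll forward only for a known-good kernel, and only as far as the
     * lowest version on disk, so every active kernel stays bootable. */
    if (scan->marked_successful && scan->lowest_version > tpm_version)
        target = scan->lowest_version;

    /* The setting limits roll-forward; it must never lower the TPM value,
     * otherwise writing a small limit would itself be a rollback. */
    if (cap < tpm_version)
        cap = tpm_version;
    return target > cap ? cap : target;
}

int main(void)
{
    /* Constructed values: TPM at 0x10001, kernel re-signed as 0x10002. */
    struct kernel_scan good = { 0x10002, 1 };
    struct kernel_scan trying = { 0x10002, 0 };
    struct kernel_scan newer = { 0x10005, 1 };

    printf("limit 0:          0x%x\n",
           (unsigned)next_tpm_kernel_version(0x10001, &good, 0));
    printf("limit 0xfffffffe: 0x%x\n",
           (unsigned)next_tpm_kernel_version(0x10001, &good, 0xfffffffeu));
    printf("still trying:     0x%x\n",
           (unsigned)next_tpm_kernel_version(0x10001, &trying, 0xfffffffeu));
    printf("pinned 0x10003:   0x%x\n",
           (unsigned)next_tpm_kernel_version(0x10001, &newer, 0x10003));
    return 0;
}
```

With the limit pinned at 0x10003 the TPM value stops there even though the disk holds 0x10005, so kernels signed at 0x10003 or 0x10004 remain bootable.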
Nov 18 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/b73462ef75f8f8d95d60b6bf0d99c71019da2811

commit b73462ef75f8f8d95d60b6bf0d99c71019da2811
Author: Randall Spangler <rspangler@chromium.org>
Date: Sat Nov 18 04:18:19 2017

installer: setgoodkernel rolls forward as far as possible

On the boot following chromeos-setgoodkernel marking a kernel as good, RW firmware will roll forward the minimum allowable kernel vboot version stored in the TPM as far as possible. This is the correct behavior on unenrolled devices, and duplicates the behavior of older firmware which does not support kernel_max_rollforward.

Note that the firmware change which uses this setting is dependent on this change, to make sure current behavior is maintained when that change commits.

Once enterprise support for kernel_max_rollforward policy has been added, this script should be changed so it only forces max rollforward on unenrolled devices. Added a TODO to that effect.

BUG=chromium:783997
BRANCH=none
CQ-DEPEND=CL:765572
TEST=manual
     # Overrides value of 0
     crossystem kernel_max_rollforward=0
     chromeos-setgoodkernel
     crossystem kernel_max_rollforward --> 0xfffffffe
     # Overrides non-zero values too
     crossystem kernel_max_rollforward=0x10001
     chromeos-setgoodkernel
     crossystem kernel_max_rollforward --> 0xfffffffe

Change-Id: I8e3488553569ade3fea0c885e18b6daf0b5663aa
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/765573
Reviewed-by: Stefan Reinauer <reinauer@google.com>

[modify] https://crrev.com/b73462ef75f8f8d95d60b6bf0d99c71019da2811/installer/chromeos-setgoodkernel
Nov 28 2017
Firmware changes are implemented. Still need OS to implement the corp policy side when ready.
Nov 30 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/24c29183f537d55c58d7d190d5fc1ed32b478888

commit 24c29183f537d55c58d7d190d5fc1ed32b478888
Author: Randall Spangler <rspangler@chromium.org>
Date: Thu Nov 30 00:15:13 2017

nvstorage: Add kernel max rollforward NV storage field

This just adds the kernel_max_rollforward field to the nvstorage libraries and crossystem. The firmware does not use it yet; that's coming in a subsequent CL.

16 of the field's 32 bits are taken from unused bytes of the kernel field. This has no effect on existing usage.

BUG=chromium:783997
BRANCH=none
TEST=make runtests
     Also manual testing. In a root shell:
         crossystem kernel_max_rollforward --> Should default to 0
         crossystem kernel_max_rollforward=0xfffffffe
         crossystem kernel_max_rollforward --> Should be 0xfffffffe

     (Note that setting it to 0xffffffff is indistinguishable from the -1 value that the crossystem library uses to indicate error, so 0xffffffff isn't actually usable as a max rollforward limit. But 0xfffffffe is, and if we ever get so close to the limit that we need to use 0xffffffff, something has already gone horribly wrong with our versioning strategy...)

Change-Id: I008f412e6ed3c0b59beb9881268585af69d1ff2e
Signed-off-by: Randall Spangler <rspangler@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/765572
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/798126
Commit-Queue: Shelley Chen <shchen@chromium.org>
Tested-by: Shelley Chen <shchen@chromium.org>

[modify] https://crrev.com/24c29183f537d55c58d7d190d5fc1ed32b478888/utility/crossystem.c
[modify] https://crrev.com/24c29183f537d55c58d7d190d5fc1ed32b478888/firmware/2lib/include/2nvstorage_fields.h
[modify] https://crrev.com/24c29183f537d55c58d7d190d5fc1ed32b478888/host/lib/crossystem.c
[modify] https://crrev.com/24c29183f537d55c58d7d190d5fc1ed32b478888/tests/vboot_nvstorage_test.c
[modify] https://crrev.com/24c29183f537d55c58d7d190d5fc1ed32b478888/firmware/2lib/2nvstorage.c
[modify] https://crrev.com/24c29183f537d55c58d7d190d5fc1ed32b478888/firmware/2lib/include/2nvstorage.h
[modify] https://crrev.com/24c29183f537d55c58d7d190d5fc1ed32b478888/firmware/lib/vboot_nvstorage.c
[modify] https://crrev.com/24c29183f537d55c58d7d190d5fc1ed32b478888/firmware/include/vboot_nvstorage.h
[modify] https://crrev.com/24c29183f537d55c58d7d190d5fc1ed32b478888/tests/vb2_nvstorage_tests.c
Nov 30 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/vboot_reference/+/aa9cca4019164120f0ce8b756c0cbb8751c7ac3d

commit aa9cca4019164120f0ce8b756c0cbb8751c7ac3d
Author: Randall Spangler <rspangler@chromium.org>
Date: Thu Nov 30 00:15:16 2017

vboot: Use kernel max rollforward NV storage field

Kernel verification will now roll forward the minimum allowable version in the TPM no farther than the kernel_max_rollforward setting.

Note that CL:765573 changes chromeos-setgoodkernel so it always sets kernel_max_rollforward to 0xfffffffe when marking a kernel as good. That ensures that firmware with this setting will behave the same for now as existing firmware.

BUG=chromium:783997
BRANCH=none
CQ-DEPEND=CL:765573
TEST=make runtests
     Manual testing:
         crossystem tpm_kernvel --> print current kernel version in TPM
         - Resign the kernel with a higher version
         - Reboot
         - Wait a minute for chromeos-setgoodkernel to run
         crossystem kernel_max_rollforward=0
         - Reboot
         crossystem tpm_kernvel --> has not changed
         - Wait a minute for chromeos-setgoodkernel to run
         crossystem kernel_max_rollforward -> 0xfffffffe
         - Reboot
         crossystem tpm_kernvel --> has changed to the higher version

Change-Id: Ia32ecb7fa4078548cd311541ccbe120570cf1bc5
Reviewed-on: https://chromium-review.googlesource.com/765574
Commit-Ready: Randall Spangler <rspangler@chromium.org>
Tested-by: Randall Spangler <rspangler@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Stefan Reinauer <reinauer@google.com>
Reviewed-on: https://chromium-review.googlesource.com/798127
Reviewed-by: Randall Spangler <rspangler@chromium.org>
Commit-Queue: Shelley Chen <shchen@chromium.org>
Tested-by: Shelley Chen <shchen@chromium.org>

[modify] https://crrev.com/aa9cca4019164120f0ce8b756c0cbb8751c7ac3d/firmware/lib/vboot_api_kernel.c
[modify] https://crrev.com/aa9cca4019164120f0ce8b756c0cbb8751c7ac3d/tests/vboot_api_kernel4_tests.c
Jun 14 2018
Comment 1 by rspangler@chromium.org, Nov 13 2017