
Issue 840496


Issue metadata

Status: Verified
Owner:
Closed: Jul 2
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug




Allows uploading of enrollment ID even if the device hasn't been able to compute one yet

Project Member Reported by drcrash@chromium.org, May 7 2018

Issue description

Until now, not all devices have been able to compute an Enrollment ID (EID). We are providing a way for all of them to do so now, and this means that a device that previously indicated to the Google management servers that it did not have an EID should now be able to upload one.

 
Blockedon: 835324 835759
Project Member

Comment 2 by bugdroid1@chromium.org, May 25 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0

commit b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0
Author: Yves Arrouye <drcrash@google.com>
Date: Fri May 25 15:46:47 2018

Request and directly upload an EID if no enrollment certificate

A device that is enrolled pre-M68 may not be able to obtain an
enrollment certificate until it is wiped, but can request a computation
of its EID immediately and upload that to the management servers.

BUG= chromium:840496 
TEST=unit_tests

Change-Id: Ib1c4d2652110c49d1370fcc0dfbcfddb336c2de9
Reviewed-on: https://chromium-review.googlesource.com/1069599
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Commit-Queue: Yves Arrouye <drcrash@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561890}
[modify] https://crrev.com/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0/chrome/browser/chromeos/attestation/enrollment_policy_observer.cc
[modify] https://crrev.com/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0/chrome/browser/chromeos/attestation/enrollment_policy_observer.h
[modify] https://crrev.com/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0/chrome/browser/chromeos/attestation/enrollment_policy_observer_unittest.cc
[modify] https://crrev.com/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0/chromeos/dbus/cryptohome_client.cc
[modify] https://crrev.com/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0/chromeos/dbus/cryptohome_client.h
[modify] https://crrev.com/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0/chromeos/dbus/fake_cryptohome_client.cc
[modify] https://crrev.com/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0/chromeos/dbus/fake_cryptohome_client.h
[modify] https://crrev.com/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0/components/policy/core/common/cloud/cloud_policy_client.cc
[modify] https://crrev.com/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0/components/policy/core/common/cloud/cloud_policy_client.h
[modify] https://crrev.com/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0/components/policy/core/common/cloud/cloud_policy_client_unittest.cc
[modify] https://crrev.com/b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0/components/policy/core/common/cloud/mock_cloud_policy_client.h

Cc: kkaluri@chromium.org
Labels: Needs-Feedback
drcrash@, could you please help us with the repro steps to verify the fix from comment #2?

Thank You...
Project Member

Comment 4 by bugdroid1@chromium.org, May 30 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/819405bfc3461c7abcc583279d0457f49fbd852f

commit 819405bfc3461c7abcc583279d0457f49fbd852f
Author: Yves Arrouye <drcrash@google.com>
Date: Wed May 30 22:18:17 2018

Upload EIDs as bytes.

Formally changed the type in the proto (as on server). Also include
a zero byte in the EID in unit tests.

BUG= chromium:840496 
TEST=unit_tests

Change-Id: I4e0acaf70547658421c16a8d4731f72f7dc2caa1
Reviewed-on: https://chromium-review.googlesource.com/1079255
Commit-Queue: Yves Arrouye <drcrash@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#563024}
[modify] https://crrev.com/819405bfc3461c7abcc583279d0457f49fbd852f/chrome/browser/chromeos/attestation/enrollment_policy_observer.cc
[modify] https://crrev.com/819405bfc3461c7abcc583279d0457f49fbd852f/chrome/browser/chromeos/attestation/enrollment_policy_observer_unittest.cc
[modify] https://crrev.com/819405bfc3461c7abcc583279d0457f49fbd852f/components/policy/proto/device_management_backend.proto

Cc: bthomson@chromium.org
Labels: Merge-Request-68
Blockedon: -835324 -835759
Verified on the nightly build after requesting merge.
Please add appropriate impacted OS. 
Project Member

Comment 8 by sheriffbot@chromium.org, May 31 2018

Labels: -Merge-Request-68 Hotlist-Merge-Approved Merge-Approved-68
Your change meets the bar and is auto-approved for M68. Please go ahead and merge the CL to branch 3440 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: OS-Chrome
Project Member

Comment 10 by bugdroid1@chromium.org, May 31 2018

Labels: -merge-approved-68 merge-merged-3440
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f

commit 7b3fb4806e02cf8a0909e4e760f46d81afc0e29f
Author: Yves Arrouye <drcrash@google.com>
Date: Thu May 31 23:49:57 2018

Request and directly upload an EID if no enrollment certificate

A device that is enrolled pre-M68 may not be able to obtain an
enrollment certificate until it is wiped, but can request a computation
of its EID immediately and upload that to the management servers.

BUG= chromium:840496 
TEST=unit_tests

Change-Id: Ib1c4d2652110c49d1370fcc0dfbcfddb336c2de9
Reviewed-on: https://chromium-review.googlesource.com/1069599
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Darren Krahn <dkrahn@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Commit-Queue: Yves Arrouye <drcrash@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#561890}
(cherry picked from commit b7bfd936b02ff97d75d0ef0f1e9ba31e7f0de2c0)
Reviewed-on: https://chromium-review.googlesource.com/1080971
Reviewed-by: Yves Arrouye <drcrash@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#72}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}
[modify] https://crrev.com/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f/chrome/browser/chromeos/attestation/enrollment_policy_observer.cc
[modify] https://crrev.com/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f/chrome/browser/chromeos/attestation/enrollment_policy_observer.h
[modify] https://crrev.com/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f/chrome/browser/chromeos/attestation/enrollment_policy_observer_unittest.cc
[modify] https://crrev.com/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f/chromeos/dbus/cryptohome_client.cc
[modify] https://crrev.com/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f/chromeos/dbus/cryptohome_client.h
[modify] https://crrev.com/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f/chromeos/dbus/fake_cryptohome_client.cc
[modify] https://crrev.com/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f/chromeos/dbus/fake_cryptohome_client.h
[modify] https://crrev.com/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f/components/policy/core/common/cloud/cloud_policy_client.cc
[modify] https://crrev.com/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f/components/policy/core/common/cloud/cloud_policy_client.h
[modify] https://crrev.com/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f/components/policy/core/common/cloud/cloud_policy_client_unittest.cc
[modify] https://crrev.com/7b3fb4806e02cf8a0909e4e760f46d81afc0e29f/components/policy/core/common/cloud/mock_cloud_policy_client.h

#3, here are some test steps with unmodified devices. You need to test in two phases per the steps below:

1. Enroll the device and observe FRE and not Auto RE
2. Once DMServer is updated, observe Auto RE

You should test at first against DMServer QA when using an OU with FRE+DEV Mode. QA domains that were set up for Auto RE testing are: cros423.com, cros382.com and crosdmsregtest.com. You can test against DMServer QA by adding the line:

  --device-management-url=https://crosman-qa.sandbox.google.com/devicemanagement/data/api

to /etc/chrome_dev.conf and rebooting.

You can do steps 1 and 2 separately, or wait for DMServer QA to be updated (6/4) and do everything.

Here are the steps:

1. Enroll the device and observe FRE and not Auto RE

- Obtain a device that does NOT have a stable_device_secret_DO_NOT_SHARE key in the VPD (e.g. the command 'read_vpd stable_device_secret_DO_NOT_SHARE' does not return a 64 hex digits string).
- Ensure this device runs Chrome OS from a milestone between M65 and M67 (inclusive).
- Enroll the device into an organization that supports Auto RE and is on the Auto RE whitelist (i.e. crosprqa1.com).
- Ensure that FRE is turned on for that domain.
- Wipe the device

===> Observe that the device does not enroll automatically. It will show an enterprise enrollment pane (FRE).

2. Once DMServer is updated, observe Auto RE

Again, please test against Alpha first. Contact pmoon@ to confirm dates.

- Upgrade the enrolled device to Chrome OS M68 (this step can probably be done before re-enrolling).
- Log in to the device.
- Ensure policy is fetched by going to chrome://policy and reloading policies.
- Wait a few minutes.
- Wipe the device.

===> Observe that the device does enroll automatically. It will show a success panel after enrollment.
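
A preflight check for the phase 1 preconditions listed in the comment above, as an added example that is not part of the original thread. The function names are hypothetical, the milestone is supplied by the tester, and treating a missing DMServer QA flag as a failure is an assumption based on the advice to test against QA first.

```shell
#!/bin/sh
# Added example: preflight for phase 1 of the test steps above.
# Function names are hypothetical; values are passed in as arguments so the
# checks can also be exercised off-device with constructed input.
LC_ALL=C; export LC_ALL
QA_DM_URL='https://crosman-qa.sandbox.google.com/devicemanagement/data/api'

# True if $1 looks like a stable device secret: exactly 64 hex digits.
is_device_secret() {
    [ "${#1}" -eq 64 ] || return 1
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    return 0
}

# True if $1 is a Chrome OS milestone number between 65 and 67 inclusive.
milestone_in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 65 ] && [ "$1" -le 67 ]
}

# True if config file $1 carries the QA DMServer flag on a line of its own.
uses_qa_dmserver() {
    [ -r "$1" ] || return 1
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" |
        grep -Fxq -- "--device-management-url=$QA_DM_URL"
}

# Args: <read_vpd output> <milestone> <path to chrome_dev.conf>
# Reports every failed precondition; the VPD value itself is never echoed.
phase1_preflight() {
    rc=0
    if is_device_secret "$1"; then
        echo "FAIL: VPD already holds a stable device secret"; rc=1
    fi
    if ! milestone_in_range "$2"; then
        echo "FAIL: milestone '$2' is not between M65 and M67"; rc=1
    fi
    if ! uses_qa_dmserver "$3"; then
        echo "FAIL: $3 does not point at DMServer QA"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: device is suitable for phase 1"
    return "$rc"
}

# On the device (milestone supplied by the tester):
#   phase1_preflight "$(read_vpd stable_device_secret_DO_NOT_SHARE 2>/dev/null)" 66 /etc/chrome_dev.conf
```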

Project Member

Comment 12 by bugdroid1@chromium.org, May 31 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a47920812b4dadf0ceb1df68fb1210418cee44d9

commit a47920812b4dadf0ceb1df68fb1210418cee44d9
Author: Yves Arrouye <drcrash@google.com>
Date: Thu May 31 23:55:27 2018

Upload EIDs as bytes.

Formally changed the type in the proto (as on server). Also include
a zero byte in the EID in unit tests.

BUG= chromium:840496 
TEST=unit_tests

Change-Id: I4e0acaf70547658421c16a8d4731f72f7dc2caa1
Reviewed-on: https://chromium-review.googlesource.com/1079255
Commit-Queue: Yves Arrouye <drcrash@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#563024}
(cherry picked from commit 819405bfc3461c7abcc583279d0457f49fbd852f)
Reviewed-on: https://chromium-review.googlesource.com/1080972
Reviewed-by: Yves Arrouye <drcrash@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#73}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}
[modify] https://crrev.com/a47920812b4dadf0ceb1df68fb1210418cee44d9/chrome/browser/chromeos/attestation/enrollment_policy_observer.cc
[modify] https://crrev.com/a47920812b4dadf0ceb1df68fb1210418cee44d9/chrome/browser/chromeos/attestation/enrollment_policy_observer_unittest.cc
[modify] https://crrev.com/a47920812b4dadf0ceb1df68fb1210418cee44d9/components/policy/proto/device_management_backend.proto

Yves, I just tried a SAMUS device. Auto RE is working.
Chrome OS: 69.0.3445.0
Status: Verified (was: Assigned)
