On Fri, Feb 12, 2016 at 1:19 PM, Steven Miller
<
stevenra...@gmail.com> wrote:
> I'd like to run my own Chromium OS build outside of dev mode and it would be
> neat to learn how it all actually works.
Outside of dev mode the firmware always enforces kernel verification
(and the kernel by default enforces rootfs verification, even on
Chromium builds). Since we can't allow you to sign your own kernel
with the firmware keys your Chromebook ships with for obvious reasons,
you have to resign your firmware with different keys like Mike said.
There's a /usr/share/vboot/bin/make_dev_firmware.sh script that can do
this for you once you removed your write-protect screw. It will use
our "developer keys" by default, which is what Chromium OS builds are
signed with. These keys are publicly known, so if you want actual
security you should generate your own keyset
(src/vboot_reference/scripts/keygeneration/create_new_keys.sh in
Chromium OS SDK) and resign both your firmware and your kernel with
them (the latter can be done with
/usr/share/vboot/bin/make_dev_ssd.sh).
Obvious disclaimer: messing with read-only firmware can easily brick
your machine. Never remove the firmware write-protect screw unless you
have a SPI flash programmer handy and know how to use it.