verified boot and chromium
82 views
Skip to first unread message
Steven Miller
Feb 12, 2016, 4:01:29 PM2/12/16
to Chromium OS dev
Is it possible to run chromium os on a chromebook in protected / secure mode? I haven't seen any docs saying whether you can or can't. I'm guessing you can't, but if you can.. are there any docs that layout the procedure?
Thanks,
Steven
Mike Frysinger
Feb 12, 2016, 4:10:32 PM2/12/16
to Steven Miller, Chromium OS dev
Chromium OS, by default, enforces read-only rootfs & checking of the blocks. there's no flags/methods to turn this on, just off. all the security methods we use in Chrome OS is the same as Chromium OS (because it's the same code).
what is it specifically you're looking at ?
keep in mind that verification of the kernel by the firmware can not be enforced unless you remove the WP screw and reflash with your own custom set of keys. but once you skip that, everything else is the same between Chromium OS & Chrome OS.
-mike
--
--
Chromium OS Developers mailing list: chromiu...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-os-dev?hl=en
Steven Miller
Feb 12, 2016, 4:19:05 PM2/12/16
to Chromium OS dev, stevenra...@gmail.com
I'd like to run my own Chromium OS build outside of dev mode and it would be neat to learn how it all actually works.
Steven
Julius Werner
Feb 12, 2016, 4:34:18 PM2/12/16
to Steven Miller, Chromium OS dev
On Fri, Feb 12, 2016 at 1:19 PM, Steven Miller
<stevenra...@gmail.com> wrote:
> I'd like to run my own Chromium OS build outside of dev mode and it would be
> neat to learn how it all actually works.
Outside of dev mode the firmware always enforces kernel verification
<stevenra...@gmail.com> wrote:
> I'd like to run my own Chromium OS build outside of dev mode and it would be
> neat to learn how it all actually works.
(and the kernel by default enforces rootfs verification, even on
Chromium builds). Since we can't allow you to sign your own kernel
with the firmware keys your Chromebook ships with for obvious reasons,
you have to resign your firmware with different keys like Mike said.
There's a /usr/share/vboot/bin/make_dev_firmware.sh script that can do
this for you once you removed your write-protect screw. It will use
our "developer keys" by default, which is what Chromium OS builds are
signed with. These keys are publicly known, so if you want actual
security you should generate your own keyset
(src/vboot_reference/scripts/keygeneration/create_new_keys.sh in
Chromium OS SDK) and resign both your firmware and your kernel with
them (the latter can be done with
/usr/share/vboot/bin/make_dev_ssd.sh).
Obvious disclaimer: messing with read-only firmware can easily brick
your machine. Never remove the firmware write-protect screw unless you
have a SPI flash programmer handy and know how to use it.
Steven Miller
Feb 12, 2016, 4:39:54 PM2/12/16
to Chromium OS dev, stevenra...@gmail.com
Thank you both very much for your replies. I figured / hoped there was a path.
Regards,
Steven
Reply all
Reply to author
Forward
This conversation is locked
You cannot reply and perform actions on locked conversations.
0 new messages