xtask: Update to latest commit in shim-review

This version uses crdyboot by default, so the Dockerfile modifications are no longer needed.

BUG=None
TEST=cargo xtask setup
TEST=cargo xtask check
TEST=cargo xtask qemu

Change-Id: If518bc17ec1273fc5b76832f72aa49adcd6fc662
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/crdyboot/+/4427206
Auto-Submit: Nicholas Bishop <[email protected]>
Commit-Queue: Jeffery Miller <[email protected]>
Commit-Queue: Nicholas Bishop <[email protected]>
Tested-by: Nicholas Bishop <[email protected]>
Reviewed-by: Jeffery Miller <[email protected]>
Pronounced CUR-dee-boot.
Crdyboot is a UEFI bootloader for ChromeOS Flex. It is not yet in use.
Crdyboot acts as a bridge between UEFI firmware and the Chromebook style of booting. It uses vboot to select and validate an appropriate kernel partition, then launches that kernel using the Linux EFI stub.
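As an added example (not crdyboot's own code), here is the kind of disk-access layer this design relies on: a hypothetical `BlockIo` trait standing in for the DiskIo wrapper described in the package overview, an in-memory `RamDisk` so the same logic runs in host tests, and a bounds-checked read of the GPT header that a bootloader consults before it can locate a kernel partition. All names and the constructed disk image are assumptions, not crdyboot's API.

```rust
use std::convert::{TryFrom, TryInto};
pub const BLOCK_SIZE: usize = 512;
#[derive(Debug, PartialEq)] pub enum IoError { OutOfRange, BadSignature, BadHeader }

/// Hypothetical block-IO trait (not crdyboot's real DiskIo): it needs only core,
/// so code written against it builds for UEFI targets and for host tests alike.
pub trait BlockIo {
    /// Read whole blocks starting at `lba`; `buf.len()` is a multiple of BLOCK_SIZE.
    fn read_blocks(&self, lba: u64, buf: &mut [u8]) -> Result<(), IoError>;
}

pub struct RamDisk(pub Vec<u8>); // In-memory disk used on the host side for tests.
impl BlockIo for RamDisk {
    fn read_blocks(&self, lba: u64, buf: &mut [u8]) -> Result<(), IoError> {
        // Checked arithmetic: an on-disk LBA must never wrap into a "valid" range.
        let start = usize::try_from(lba).ok().and_then(|l| l.checked_mul(BLOCK_SIZE)).ok_or(IoError::OutOfRange)?;
        let end = start.checked_add(buf.len()).ok_or(IoError::OutOfRange)?;
        buf.copy_from_slice(self.0.get(start..end).ok_or(IoError::OutOfRange)?);
        Ok(())
    }
}

#[derive(Debug, PartialEq)] pub struct GptHeader { pub entries_lba: u64, pub num_entries: u32, pub entry_size: u32 }

/// Read the primary GPT header (LBA 1) and reject field values that would make
/// the later partition-table read unbounded. Offsets follow the UEFI spec layout.
pub fn read_gpt_header(disk: &dyn BlockIo) -> Result<GptHeader, IoError> {
    let mut blk = [0u8; BLOCK_SIZE];
    disk.read_blocks(1, &mut blk)?;
    if &blk[0..8] != b"EFI PART" { return Err(IoError::BadSignature); }
    let u32_at = |o: usize| u32::from_le_bytes(blk[o..o + 4].try_into().unwrap());
    let u64_at = |o: usize| u64::from_le_bytes(blk[o..o + 8].try_into().unwrap());
    let header_size = u32_at(12) as usize;
    let hdr = GptHeader { entries_lba: u64_at(72), num_entries: u32_at(80), entry_size: u32_at(84) };
    // 92 bytes is the spec minimum header; entries are 128-byte multiples; cap the count.
    if header_size < 92 || header_size > BLOCK_SIZE { return Err(IoError::BadHeader); }
    if hdr.entry_size < 128 || hdr.entry_size % 128 != 0 || !(1..=1024).contains(&hdr.num_entries) { return Err(IoError::BadHeader); }
    Ok(hdr)
}

/// Constructed two-block test image: zeroed block 0, then a minimal GPT header.
pub fn sample_disk() -> RamDisk {
    let mut img = vec![0u8; BLOCK_SIZE * 2];
    let h = &mut img[BLOCK_SIZE..];
    h[0..8].copy_from_slice(b"EFI PART");
    h[12..16].copy_from_slice(&92u32.to_le_bytes()); // header size
    h[72..80].copy_from_slice(&2u64.to_le_bytes()); // entries start at LBA 2
    h[80..84].copy_from_slice(&128u32.to_le_bytes()); // 128 entries
    h[84..88].copy_from_slice(&128u32.to_le_bytes()); // 128 bytes each
    RamDisk(img)
}
```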
The project is organized as a Rust workspace containing several packages:
- vboot: a thin wrapper around the C vboot library. It also exposes a DiskIo trait through which it can read and write blocks to a disk. This package is no_std, and can be built for both the UEFI targets and the host target. Building for the host allows tests to be run on the host.
- libcrdy: where most of the bootloader is implemented. It implements the DiskIo trait using the uefi crate, and uses the vboot package to load and verify a kernel. It then boots into that kernel using the EFI stub. This package is also no_std and can also be built for both UEFI targets and the host target for testing purposes.
- crdyboot: provides the actual bootloader executable. It contains the embedded key used to verify the kernel data and the SBAT data used for revocation, and sets up logging and allocation. It then uses libcrdy to load, verify, and run the kernel.
- xtask: a host executable that provides the various xtask commands shown below. It's like a fancy Makefile for running various dev and test operations.
- enroller: a subdirectory containing a small UEFI application that enrolls a test key in the PK, KEK, and db variables. This is used to set up the test VM, and can also be used on real hardware (see the "Testing on real hardware" section).

Install Rust: https://rustup.rs
Install tools used for image signing and running in a VM:
sudo apt install clang efitools gdisk ovmf ovmf-ia32 podman \
qemu-system-x86 sbsigntool swtpm
After installing qemu, add your user to the kvm group. You will need to log out and back in for this to take effect:
sudo adduser ${USER} kvm
Googlers: see go/crdyboot-internal for additional recommendations.
Before running any other commands in the repository, run this setup command:
cargo xtask setup [<disk-path>]
This will prepare a reven image to use with various tests. By default the latest reven release is downloaded from a GS bucket. You can also provide a path to use a local image. Any kind of image (base, dev, or test) is allowed, but the image must have rootfs verification enabled.
To check formatting, lint, test, build crdyboot, and install to the image:
cargo xtask check [--vm-tests]
The --vm-tests option enables slow tests that run under QEMU.
To just build crdyboot and install to the image (a quicker subset of check):
cargo xtask build
Then run it in QEMU:
cargo xtask qemu [--ia32] [--no-secure-boot] [--tpm1|--tpm2]
To test secure boot with real hardware you will need to enroll custom keys. Write workspace/enroller.bin to a USB, and write workspace/disk.bin to a second USB, e.g. using writedisk.
Boot the DUT and enter the boot setup. Find the secure boot settings and change them to setup mode. (The details will vary from one vendor to another.)
Plug in the enroller USB and reboot. Use the boot menu to select the USB and wait for it to complete.
Unplug the enroller USB and plug in the cloudready USB (the one written from workspace/disk.bin), then reboot. Use the boot menu to select the USB.
For further documentation, see the docs subdirectory.