Diffstat (limited to 'docs/depthcharge')
-rw-r--r--  docs/depthcharge/index.md  140
1 files changed, 71 insertions, 69 deletions
diff --git a/docs/depthcharge/index.md b/docs/depthcharge/index.md
index 1c0c8d13..ffb525f5 100644
--- a/docs/depthcharge/index.md
+++ b/docs/depthcharge/index.md
@@ -8,16 +8,16 @@ This section relates to the depthcharge payload used in libreboot.
CrOS security model
===================
-CrOS (Chromium OS/Chrome OS) devices such as Chromebooks implement a
-strict security model to ensure that these devices do not become
-compromised, that is implemented as the verified boot (vboot) reference,
-most of which is executed within depthcharge. A detailed overview of the
-CrOS security model is available on the dedicated page.
+CrOS (Chromium OS/Chrome OS) devices such as Chromebooks implement a strict
+security model to ensure that these devices do not become compromised, that is
+implemented as the verified boot (vboot) reference, most of which is executed
+within depthcharge. A detailed overview of the CrOS security model is available
+on the dedicated page.
-In spite of the CrOS security model, depthcharge won't allow booting
-kernels without verifying their signature and booting from external
-media or legacy payload unless explicitly allowed: see [configuring
-verified boot parameters](#configuring_verified_boot_parameters).
+In spite of the CrOS security model, depthcharge won't allow booting kernels
+without verifying their signature and booting from external media or legacy
+payload unless explicitly allowed: see [configuring verified boot
+parameters](#configuring_verified_boot_parameters).
Developer mode screen
=====================
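Review bot: the reflowed paragraph keeps "In spite of the CrOS security model, depthcharge won't allow booting kernels without verifying their signature", which reads as if refusing unverified kernels were contrary to the security model, when it is that model's purpose; since these lines are being rewritten anyway, suggest "Consistent with the CrOS security model, depthcharge won't boot kernels without verifying their signature, and won't boot from external media or a legacy payload unless explicitly allowed". The first paragraph also says "implemented as the verified boot (vboot) reference", dropping the word "implementation" that the last hunk of this same patch uses for the same thing; keep the full term in both places.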
@@ -32,37 +32,38 @@ showing information about the device and disabling developer mode.
Holding the developer mode screen
---------------------------------
-As instructed on the developer mode screen, the screen can be held by
-pressing **Ctrl + H** in the first 3 seconds after the screen is shown.
-After that delay, depthcharge will resume booting normally.
+As instructed on the developer mode screen, the screen can be held by pressing
+*Ctrl + H* in the first 3 seconds after the screen is shown. After that delay,
+depthcharge will resume booting normally.
Booting normally
----------------
-As instructed on the developer mode screen, a regular boot will happen
-after **3 seconds** (if developer mode screen is not held).\
-The default boot medium (internal storage, external media, legacy
-payload) is shown on screen.
+As instructed on the developer mode screen, a regular boot will happen after *3
+seconds* (if developer mode screen is not held).
+
+The default boot medium (internal storage, external media, legacy payload) is
+shown on screen.
Booting from different mediums
------------------------------
-Depthcharge allows booting from different mediums, when they are allowed
-(see [configuring verified boot
-parameters](#configuring_verified_boot_parameters) to enable or disable
-boot mediums).\
-As instructed on the developer mode screen, booting from various mediums
-can be triggered by pressing various key combinations:
+Depthcharge allows booting from different mediums, when they are allowed (see
+[configuring verified boot parameters](#configuring_verified_boot_parameters)
+to enable or disable boot mediums).
+
+As instructed on the developer mode screen, booting from various mediums can be
+triggered by pressing various key combinations:
-- Internal storage: **Ctrl + D**
-- External media: **Ctrl + U** (when enabled)
-- Legacy payload: **Ctrl + L** (when enabled)
+- Internal storage: *Ctrl + D*
+- External media: *Ctrl + U* (when enabled)
+- Legacy payload: *Ctrl + L* (when enabled)
Showing device information
--------------------------
As instructed on the developer mode screen, showing device information can be
-triggered by pressing **Ctrl + I** or **Tab**. Various information is shown,
+triggered by pressing *Ctrl + I* or *Tab*. Various information is shown,
including vboot non-volatile data, TPM status, GBB flags and key hashes.
Warnings
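Review bot: the `**Ctrl + H**` to `*Ctrl + H*` changes (and the same for `*3 seconds*`, `*Ctrl + D*`, `*Ctrl + U*`, `*Ctrl + L*`, `*Ctrl + I*` and `*Tab*`) switch the key combinations from bold to italic rather than only rewrapping the text, which is a rendering change this otherwise whitespace-only hunk does not call out; if the bold is meant to go, `Ctrl + H` code spans would match the `crossystem`/`mosys` markup introduced later in the patch and keep one style for every key combination on the page. Replacing the trailing-backslash hard line breaks ("held).\" and "mediums).\") with blank lines is fine, as the text on either side is a separate sentence and reads as separate paragraphs.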
@@ -77,69 +78,70 @@ The developer mode screen will show warnings when:
Recovery mode screen
====================
-The recovery mode screen can be accessed in depthcharge, by pressing
-**Escape + Refresh + Power** when the device is off.
+The recovery mode screen can be accessed in depthcharge, by pressing *Escape +
+Refresh + Power* when the device is off.
-It allows recovering the device from a bad state by booting from a
-trusted recovery media. When accessed with the device in a good state,
-it also allows enabling developer mode.
+It allows recovering the device from a bad state by booting from a trusted
+recovery media. When accessed with the device in a good state, it also allows
+enabling developer mode.
Recovering from a bad state
---------------------------
-When the device fails to verify the signature of a piece of the boot
-software or when an error occurs, it is considered to be in a bad state
-and will instruct the user to reboot to recovery mode.\
-Recovery mode boots using only software located in write-protected
-memory, that is considered to be trusted and safe.
+When the device fails to verify the signature of a piece of the boot software
+or when an error occurs, it is considered to be in a bad state and will
+instruct the user to reboot to recovery mode.
+
+Recovery mode boots using only software located in write-protected memory, that
+is considered to be trusted and safe.
+
+Recovery mode then allows recovering the device by booting from a trusted
+recovery media, that is automatically detected when recovery mode starts. When
+no external media is found or when the recovery media is invalid, instructions
+are shown on screen.
+
+Trusted recovery media are external media (USB drives, SD cards, etc) that hold
+a kernel signed with the recovery key.
-Recovery mode then allows recovering the device by booting from a
-trusted recovery media, that is automatically detected when recovery
-mode starts. When no external media is found or when the recovery media
-is invalid, instructions are shown on screen.\
-Trusted recovery media are external media (USB drives, SD cards, etc)
-that hold a kernel signed with the recovery key.
+Google provides images of such recovery media for Chrome OS (which are not
+advised to users as they contain proprietary software).
-Google provides images of such recovery media for Chrome OS (which are
-not advised to users as they contain proprietary software).\
-They are signed with Google's recovery keys, that are pre-installed on
-the device when it ships.
+They are signed with Google's recovery keys, that are pre-installed on the
+device when it ships.
When replacing the full flash of the device, the pre-installed keys are
replaced. When the recovery private key is available (e.g. when using
-self-generated keys), it can be used to sign a kernel for recovery
-purposes.
+self-generated keys), it can be used to sign a kernel for recovery purposes.
Enabling developer mode
-----------------------
-As instructed on the recovery mode screen, developer mode can be enabled
-by pressing **Ctrl + D**. Instructions to confirm enabling developer mode are
-then shown on screen.
+As instructed on the recovery mode screen, developer mode can be enabled by
+pressing *Ctrl + D*. Instructions to confirm enabling developer mode are then
+shown on screen.
Configuring verified boot parameters
====================================
Depthcharge's behavior relies on the verified boot (vboot) reference
-implementation, that can be configured with parameters stored in the
-verified boot non-volatile storage.\
-These parameters can be modified with the **crossystem** tool, that
-requires sufficient privileges to access the verified boot non-volatile
-storage.
-
-**crossystem** relies on **mosys**, that is used to access the verified
-boot non-volatile storage on some devices. **crossystem** and **mosys**
-are both free software and their source code is made available by
-Google:
+implementation, that can be configured with parameters stored in the verified
+boot non-volatile storage.
+
+These parameters can be modified with the `crossystem` tool, that requires
+sufficient privileges to access the verified boot non-volatile storage.
+
+`crossystem` relies on `mosys`, that is used to access the verified boot
+non-volatile storage on some devices. `crossystem` and `mosys` are both free
+software and their source code is made available by Google:
[crossystem](https://chromium.googlesource.com/chromiumos/platform/vboot_reference/).
-[mosys](https://chromium.googlesource.com/chromiumos/platform/mosys/).\
-These tools are not distributed along with Libreboot yet. However, they
-are preinstalled on the device, with ChromeOS.
-
-Some of these parameters have the potential of **weakening the security
-of the device**. In particular, disabling kernels signature
-verification, external media boot and legacy payload boot can weaken the
-security of the device.
+[mosys](https://chromium.googlesource.com/chromiumos/platform/mosys/).
+
+These tools are not distributed along with Libreboot yet. However, they are
+preinstalled on the device, with ChromeOS.
+
+Some of these parameters have the potential of *weakening the security of the
+device*. In particular, disabling kernels signature verification, external
+media boot and legacy payload boot can weaken the security of the device.
The following parameters can be configured:
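Review bot: splitting "Google provides images of such recovery media ..." and "They are signed with Google's recovery keys ..." into two paragraphs leaves "They" dangling across a paragraph boundary; suggest "These images are signed with Google's recovery keys, which are pre-installed on the device when it ships". While the last paragraph is being rewrapped, "disabling kernels signature verification" should read "disabling kernel signature verification", and the markup is now mixed within one page: tool names became `crossystem`/`mosys` code spans, key combinations and the security warning became italic, where the original used bold for all of them; pick one convention for the whole file. The two source links on consecutive lines with no blank line or list marker between them will render as a single paragraph ("[crossystem](...). [mosys](...).") rather than two entries, so either make them a list or put a blank line between them.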