diff options
Diffstat (limited to 'docs/depthcharge')
-rw-r--r-- | docs/depthcharge/index.html | 362 |
1 files changed, 362 insertions, 0 deletions
diff --git a/docs/depthcharge/index.html b/docs/depthcharge/index.html new file mode 100644 index 00000000..210cde55 --- /dev/null +++ b/docs/depthcharge/index.html @@ -0,0 +1,362 @@ +<!DOCTYPE html> +<html> +<head> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1"> + + <style type="text/css"> + @import url('../css/main.css'); + </style> + + <title>Depthcharge payload</title> +</head> + +<body> + + <div class="section"> + + <h1 id="pagetop">Depthcharge payload</h1> + + <p> + This section relates to the depthcharge payload used in libreboot. + </p> + + <p> + Or <a href="../index.html">Back to main index</a>. + </p> + + <ul> + <li><a href="#cros_security_model">CrOS security model</a></li> + <li><a href="#developer_mode_screen">Developer mode screen</a> + <ul> + <li><a href="#holding_developer_mode_screen">Holding the developer mode screen</li> + <li><a href="#booting_normally">Booting normally</li> + <li><a href="#booting_different_mediums">Booting from different mediums</li> + <li><a href="#showing_device_information">Showing device information</li> + <li><a href="#warnings">Warnings</li> + </ul> + </li> + <li><a href="#recovery_mode_screen">Recovery mode screen</a> + <ul> + <li><a href="#recovering_bad_state">Recovering from a bad state</a></li> + <li><a href="#enabling_developer_mode">Enabling developer mode</a></li> + </ul> + </li> + <li><a href="#configuring_verified_boot_parameters">Configuring verified boot parameters</a></li> + </ul> + + </div> + + <div class="section"> + + <h1 id="cros_security_model">CrOS security model</h1> + + <p> + CrOS (Chromium OS/Chrome OS) devices such as Chromebooks implement a strict security model to ensure that these devices do not become compromised, + that is implemented as the verified boot (vboot) reference, most of which is executed within depthcharge. + A detailed overview of the CrOS security model is available on the dedicated page. + </p> + + <div class="subsection"> + + <p> + In spite of the CrOS security model, depthcharge won't allow booting kernels without verifying their signature and booting from external media or legacy payload unless explicitly allowed: see <a href="#configuring_verified_boot_parameters">configuring verified boot parameters</a>. + </p> + + </div> + + </div> + + <div class="section"> + + <h1 id="developer_mode_screen">Developer mode screen</h1> + + <p> + The developer mode screen can be accessed in depthcharge when developer mode is enabled.<br /> + Developer mode can be enabled from the <a href="#recovery_mode_screen">recovery mode screen</a>. + </p> + + <p> + It allows booting normally, booting from internal storage, booting from external media (when enabled), booting from legacy payload (when enabled), showing information about the device and disabling developer mode. + </p> + + <div class="subsection"> + + <h2 id="holding_developer_mode_screen">Holding the developer mode screen</h2> + + <p> + As instructed on the developer mode screen, the screen can be held by pressing <b>Ctrl + H</b> in the first 3 seconds after the screen is shown. + After that delay, depthcharge will resume booting normally. + </p> + + </div> + + <div class="subsection"> + + <h2 id="booting_normally">Booting normally</h2> + + <p> + As instructed on the developer mode screen, a regular boot will happen after <b>3 seconds</b> (if developer mode screen is not held).<br /> + The default boot medium (internal storage, external media, legacy payload) is shown on screen. + </p> + + </div> + + <div class="subsection"> + + <h2 id="booting_different_mediums">Booting from different mediums</h2> + + <p> + Depthcharge allows booting from different mediums, when they are allowed (see <a href="#configuring_verified_boot_parameters">configuring verified boot parameters</a> to enable or disable boot mediums).<br /> + As instructed on the developer mode screen, booting from various mediums can be triggered by pressing various key combinations: + </p> + + <ul> + <li>Internal storage: <b>Ctrl + D</b></li> + <li>External media: <b>Ctrl + U</b> (when enabled)</li> + <li>Legacy payload: <b>Ctrl + L</b> (when enabled)</li> + </ul> + + </div> + + <div class="subsection"> + + <h2 id="showing_device_information">Showing device information</h2> + + <p> + As instructed on the developer mode screen, showing device information can be triggered by pressing <b>Ctrl + I</b> or <b>Tab</b>.<br /> + Various information is shown, including vboot non-volatile data, TPM status, GBB flags and key hashes.<br /> + </p> + + </div> + + <div class="subsection"> + + <h2 id="warnings">Warnings</h2> + + <p> + The developer mode screen will show warnings when: + + <ul> + <li>Booting kernels without verifying their signature is enabled</li> + <li>Booting from external media is enabled</li> + <li>Booting legacy payloads is enabled</li> + </ul> + + </p> + + </div> + + </div> + + <div class="section"> + + <h1 id="recovery_mode_screen">Recovery mode screen</h1> + + <p> + The recovery mode screen can be accessed in depthcharge, by pressing <b>Escape + Refresh + Power</b> when the device is off. + </p> + + <p> + It allows recovering the device from a bad state by booting from a trusted recovery media. + When accessed with the device in a good state, it also allows enabling developer mode. + </p> + + <div class="subsection"> + + <h2 id="recovering_bad_state">Recovering from a bad state</h2> + + <p> + When the device fails to verify the signature of a piece of the boot software or when an error occurs, + it is considered to be in a bad state and will instruct the user to reboot to recovery mode.<br /> + Recovery mode boots using only software located in write-protected memory, that is considered to be trusted and safe. + </p> + + <p> + Recovery mode then allows recovering the device by booting from a trusted recovery media, that is automatically detected when recovery mode starts. + When no external media is found or when the recovery media is invalid, instructions are shown on screen. <br /> + Trusted recovery media are external media (USB drives, SD cards, etc) that hold a kernel signed with the recovery key. + </p> + + <p> + Google provides images of such recovery media for Chrome OS (which are not advised to users as they contain proprietary software). <br /> + They are signed with Google's recovery keys, that are pre-installed on the device when it ships. + </p> + + <p> + When replacing the full flash of the device, the pre-installed keys are replaced. + When the recovery private key is available (e.g. when using self-generated keys), it can be used to sign a kernel for recovery purposes. + </p> + + </div> + + <div class="subsection"> + + <h2 id="enabling_developer_mode">Enabling developer mode</h2> + + <p> + As instructed on the recovery mode screen, developer mode can be enabled by pressing <b>Ctrl + D</b>.<br /> + Instructions to confirm enabling developer mode are then shown on screen. + </p> + + </div> + + </div> + + <div class="section"> + + <h1 id="configuring_verified_boot_parameters">Configuring verified boot parameters</h1> + + <p> + Depthcharge's behavior relies on the verified boot (vboot) reference implementation, + that can be configured with parameters stored in the verified boot non-volatile storage.<br /> + These parameters can be modified with the <b>crossystem</b> tool, that requires sufficient privileges to access the verified boot non-volatile storage. + </p> + + <p> + <b>crossystem</b> relies on <b>mosys</b>, that is used to access the verified boot non-volatile storage on some devices. + <b>crossystem</b> and <b>mosys</b> are both free software and their source code is made available by Google: <a href="https://chromium.googlesource.com/chromiumos/platform/vboot_reference/">crossystem</a>. <a href="https://chromium.googlesource.com/chromiumos/platform/mosys/">mosys</a>.<br /> + These tools are not distributed along with Libreboot yet. However, they are preinstalled on the device, with ChromeOS. + </p> + + <p> + Some of these parameters have the potential of <b>weakening the security of the device</b>. + In particular, disabling kernels signature verification, external media boot and legacy payload boot can weaken the security of the device. + </p> + + <div class="subsection"> + + <p> + The following parameters can be configured: + </p> + + <ul> + + <li> + Kernels signature verification: + <ul> + + <li> + Enabled with:<br /> + # <b>crossystem dev_boot_signed_only=1</b> + </li> + + <li> + Disabled with:<br /> + # <b>crossystem dev_boot_signed_only=0</b> + </li> + + </ul> + </li> + + <li> + External media boot: + <ul> + + <li> + Enabled with:<br /> + # <b>crossystem dev_boot_usb=1</b> + </li> + + <li> + Disabled with:<br /> + # <b>crossystem dev_boot_usb=0</b> + </li> + + </ul> + </li> + + <li> + Legacy payload boot: + <ul> + + <li> + Enabled with:<br /> + # <b>crossystem dev_boot_legacy=1</b> + </li> + + <li> + Disabled with:<br /> + # <b>crossystem dev_boot_legacy=0</b> + </li> + + </ul> + </li> + + <li> + Default boot medium: + <ul> + + <li> + Internal storage:<br /> + # <b>crossystem dev_default_boot=disk</b> + </li> + + <li> + External media:<br /> + # <b>crossystem dev_default_boot=usb</b> + </li> + + <li> + Legacy payload:<br /> + # <b>crossystem dev_default_boot=legacy</b> + </li> + + </ul> + + </ul> + + </div> + + </div> + + <div class="section"> + + <p> + Copyright © 2015 Paul Kocialkowski <contact@paulk.fr><br/> + Permission is granted to copy, distribute and/or modify this document + under the terms of the GNU Free Documentation License, Version 1.3 + or any later version published by the Free Software Foundation; + with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. + A copy of the license can be found at <a href="../gfdl-1.3.txt">../gfdl-1.3.txt</a> + </p> + + <p> + Updated versions of the license (when available) can be found at + <a href="https://www.gnu.org/licenses/licenses.html">https://www.gnu.org/licenses/licenses.html</a> + </p> + + <p> + UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE + EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS + AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF + ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS, + IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION, + WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS, + ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT + KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT + ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU. + </p> + <p> + TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE + TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION, + NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT, + INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES, + COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR + USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN + ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR + DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR + IN PART, THIS LIMITATION MAY NOT APPLY TO YOU. + </p> + <p> + The disclaimer of warranties and limitation of liability provided + above shall be interpreted in a manner that, to the extent + possible, most closely approximates an absolute disclaimer and + waiver of all liability. + </p> + + </div> + +</body> +</html> |