aboutsummaryrefslogtreecommitdiff
path: root/i18n/fr_FR/docs/depthcharge
diff options
context:
space:
mode:
Diffstat (limited to 'i18n/fr_FR/docs/depthcharge')
-rw-r--r--i18n/fr_FR/docs/depthcharge/index.md176
1 files changed, 176 insertions, 0 deletions
diff --git a/i18n/fr_FR/docs/depthcharge/index.md b/i18n/fr_FR/docs/depthcharge/index.md
new file mode 100644
index 00000000..ffb525f5
--- /dev/null
+++ b/i18n/fr_FR/docs/depthcharge/index.md
@@ -0,0 +1,176 @@
+---
+title: Depthcharge payload
+x-toc-enable: true
+...
+
+This section relates to the depthcharge payload used in libreboot.
+
+CrOS security model
+===================
+
+CrOS (Chromium OS/Chrome OS) devices such as Chromebooks implement a strict
+security model to ensure that these devices do not become compromised, that is
+implemented as the verified boot (vboot) reference, most of which is executed
+within depthcharge. A detailed overview of the CrOS security model is available
+on the dedicated page.
+
+In spite of the CrOS security model, depthcharge won't allow booting kernels
+without verifying their signature and booting from external media or legacy
+payload unless explicitly allowed: see [configuring verified boot
+parameters](#configuring_verified_boot_parameters).
+
+Developer mode screen
+=====================
+
+The developer mode screen can be accessed in depthcharge when developer mode is
+enabled. Developer mode can be enabled from the recovery mode screen.
+
+It allows booting normally, booting from internal storage, booting from
+external media (when enabled), booting from legacy payload (when enabled),
+showing information about the device and disabling developer mode.
+
+Holding the developer mode screen
+---------------------------------
+
+As instructed on the developer mode screen, the screen can be held by pressing
+*Ctrl + H* in the first 3 seconds after the screen is shown. After that delay,
+depthcharge will resume booting normally.
+
+Booting normally
+----------------
+
+As instructed on the developer mode screen, a regular boot will happen after *3
+seconds* (if developer mode screen is not held).
+
+The default boot medium (internal storage, external media, legacy payload) is
+shown on screen.
+
+Booting from different mediums
+------------------------------
+
+Depthcharge allows booting from different mediums, when they are allowed (see
+[configuring verified boot parameters](#configuring_verified_boot_parameters)
+to enable or disable boot mediums).
+
+As instructed on the developer mode screen, booting from various mediums can be
+triggered by pressing various key combinations:
+
+- Internal storage: *Ctrl + D*
+- External media: *Ctrl + U* (when enabled)
+- Legacy payload: *Ctrl + L* (when enabled)
+
+Showing device information
+--------------------------
+
+As instructed on the developer mode screen, showing device information can be
+triggered by pressing *Ctrl + I* or *Tab*. Various information is shown,
+including vboot non-volatile data, TPM status, GBB flags and key hashes.
+
+Warnings
+--------
+
+The developer mode screen will show warnings when:
+
+- Booting kernels without verifying their signature is enabled
+- Booting from external media is enabled
+- Booting legacy payloads is enabled
+
+Recovery mode screen
+====================
+
+The recovery mode screen can be accessed in depthcharge, by pressing *Escape +
+Refresh + Power* when the device is off.
+
+It allows recovering the device from a bad state by booting from a trusted
+recovery media. When accessed with the device in a good state, it also allows
+enabling developer mode.
+
+Recovering from a bad state
+---------------------------
+
+When the device fails to verify the signature of a piece of the boot software
+or when an error occurs, it is considered to be in a bad state and will
+instruct the user to reboot to recovery mode.
+
+Recovery mode boots using only software located in write-protected memory, that
+is considered to be trusted and safe.
+
+Recovery mode then allows recovering the device by booting from a trusted
+recovery media, that is automatically detected when recovery mode starts. When
+no external media is found or when the recovery media is invalid, instructions
+are shown on screen.
+
+Trusted recovery media are external media (USB drives, SD cards, etc) that hold
+a kernel signed with the recovery key.
+
+Google provides images of such recovery media for Chrome OS (which are not
+advised to users as they contain proprietary software).
+
+They are signed with Google's recovery keys, that are pre-installed on the
+device when it ships.
+
+When replacing the full flash of the device, the pre-installed keys are
+replaced. When the recovery private key is available (e.g. when using
+self-generated keys), it can be used to sign a kernel for recovery purposes.
+
+Enabling developer mode
+-----------------------
+
+As instructed on the recovery mode screen, developer mode can be enabled by
+pressing *Ctrl + D*. Instructions to confirm enabling developer mode are then
+shown on screen.
+
+Configuring verified boot parameters
+====================================
+
+Depthcharge's behavior relies on the verified boot (vboot) reference
+implementation, that can be configured with parameters stored in the verified
+boot non-volatile storage.
+
+These parameters can be modified with the `crossystem` tool, that requires
+sufficient privileges to access the verified boot non-volatile storage.
+
+`crossystem` relies on `mosys`, that is used to access the verified boot
+non-volatile storage on some devices. `crossystem` and `mosys` are both free
+software and their source code is made available by Google:
+[crossystem](https://chromium.googlesource.com/chromiumos/platform/vboot_reference/).
+[mosys](https://chromium.googlesource.com/chromiumos/platform/mosys/).
+
+These tools are not distributed along with Libreboot yet. However, they are
+preinstalled on the device, with ChromeOS.
+
+Some of these parameters have the potential of *weakening the security of the
+device*. In particular, disabling kernels signature verification, external
+media boot and legacy payload boot can weaken the security of the device.
+
+The following parameters can be configured:
+
+Kernels signature verification:
+
+ # crossystem dev_boot_signed_only=1 # enable
+ # crossystem dev_boot_signed_only=0 # disable
+
+External media boot:
+
+ # crossystem dev_boot_usb=1 # enable
+ # crossystem dev_boot_usb=0 # disable
+
+Legacy payload boot:
+
+ # crossystem dev_boot_legacy=1 # enable
+ # crossystem dev_boot_legacy=0 # disable
+
+Default boot medium:
+
+ # crossystem dev_default_boot=disk # internal storage
+ # crossystem dev_default_boot=usb # external media
+ # crossystem dev_default_boot=legacy # legacy payload
+
+
+Copyright © 2015 Paul Kocialkowski <contact@paulk.fr>\
+
+Permission is granted to copy, distribute and/or modify this document
+under the terms of the GNU Free Documentation License Version 1.3 or any later
+version published by the Free Software Foundation
+with no Invariant Sections, no Front Cover Texts, and no Back Cover Texts.
+A copy of this license is found in [../fdl-1.3.md](../fdl-1.3.md)