oobe_config/README.md

OOBE Config Save and Restore Utilities

Provides utility executables to save and restore system state that can be applied during OOBE.

Currently only used by the enterprise rollback feature, which is described below.

Enterprise Rollback

Enterprise Rollback is a feature that allows device admins to roll back devices to a previous version. Device-wide network configs and OOBE state are preserved.

Rollback Overview

  • Admin pins to a certain device version and allows rollback

  • On the next update check, the device sends the rollback_allowed flag to Omaha

  • If there's a rollback image available for the pinned version, it will be downloaded and installed

  • Once the update is ready, update_engine leaves the flag /mnt/stateful_partition/.save_rollback_data and marks the device to be powerwashed

  • The device will boot into the rollback image on the next reboot

  • oobe_config_save is triggered during shutdown. Because the .save_rollback_data flag is present it will:

    • Collect information for rollback_data.proto by connecting to Chrome via mojo
    • Serialize and encrypt data with openssl
    • The encryption key is randomly created by software
    • Encrypted data is put into /mnt/stateful_partition/unencrypted/preserve/rollback_data
    • The key stays in /var/lib/oobe_config_save/data_for_pstore
  • Upon booting into the rollback image, the device powerwashes

    • /var/lib/oobe_config_save/data_for_pstore is moved into pstore /dev/pmsg0
    • /mnt/stateful_partition/unencrypted/preserve/rollback_data is preserved by moving to /tmp during wiping and then moving back
    • Once the device is wiped, it is rebooted
  • The oobe_config_restore service always runs when OOBE is not finished

  • Chrome requests oobe configuration from oobe_config_restore

    • Encrypted rollback data is loaded from /mnt/stateful_partition/unencrypted/preserve/rollback_data
    • The key can be found under /sys/fs/pstore/pmsg-ramoops-*
    • Unencrypted data is sent to Chrome and stored in /var/lib/oobe_config_restore
    • Chrome steps through OOBE and reconfigures networks using rollback_network_config

Note:

  • Data put into /dev/pmsg0 only survives one reboot and does not survive a power cycle
  • In the future, rollback will utilize the TPM for more resilient encryption

Known Issues:

  • Firmware version increments may break rollback because of firmware rollback protection
  • Data save may fail on an unclean shutdown
  • If the device loses power after powerwash, the encryption key is lost and rollback data cannot be decrypted
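
The stages above can be told apart from the files they leave behind. The following is an added example, not part of oobe_config: a shell function that reports which stage a device is in, including the key-lost case from the known issues. The stage names and the ROOT prefix argument are assumptions made for illustration; the paths are the ones listed in this README.

```shell
#!/bin/sh
# Added example (not project code): classify the rollback stage from the
# artifacts this README names. ROOT is a hypothetical prefix so the check
# can run against a mounted image or a test directory; empty means "/".
# Usage on a device: rollback_stage
rollback_stage() {
    root="${1:-}"
    stateful="$root/mnt/stateful_partition"
    flag="$stateful/.save_rollback_data"
    data="$stateful/unencrypted/preserve/rollback_data"
    disk_key="$root/var/lib/oobe_config_save/data_for_pstore"

    # After powerwash the key is only readable from pstore, as one or
    # more pmsg-ramoops-* files. An unmatched glob stays literal and
    # fails the -s test, leaving ram_key empty.
    ram_key=""
    for f in "$root"/sys/fs/pstore/pmsg-ramoops-*; do
        if [ -s "$f" ]; then ram_key="$f"; break; fi
    done

    if [ -s "$data" ] && [ -n "$ram_key" ]; then
        # Ciphertext on disk, key in RAM-backed pstore: restore can decrypt.
        echo "restore-ready"
    elif [ -s "$data" ] && [ -s "$disk_key" ]; then
        # Before powerwash: key and ciphertext are both on persistent storage.
        echo "saved"
    elif [ -s "$data" ]; then
        # Ciphertext survived but no key is reachable (e.g. power cycle
        # after powerwash): the data cannot be decrypted.
        echo "key-lost"
    elif [ -e "$flag" ]; then
        # update_engine requested a save; oobe_config_save has not run yet.
        echo "save-pending"
    else
        echo "idle"
    fi
}
```
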

Testing Data Save and Restore for Rollback

This will powerwash your device.

touch /mnt/stateful_partition/.save_rollback_data
echo "fast safe keepimg" > /mnt/stateful_partition/factory_install_reset
reboot