Google Git
Sign in
cos / mirrors / cros / chromiumos / platform2 / refs/heads/main / . / oobe_config
tree: 58329ebc7276e093e442b2ca318fb45890718258 [path history] [tgz]
  1. dbus_bindings/
  2. encryption/
  3. etc/
  4. features/
  5. filesystem/
  6. metrics/
  7. minijail/
  8. mojom/
  9. seccomp_filters/
  10. tmpfiles.d/
  11. BUILD.gn
  12. flex_oobe_config.cc
  13. flex_oobe_config.h
  14. flex_oobe_config_test.cc
  15. load_oobe_config_interface.h
  16. load_oobe_config_rollback.cc
  17. load_oobe_config_rollback.h
  18. load_oobe_config_rollback_fuzzer.cc
  19. load_oobe_config_rollback_test.cc
  20. network_exporter.cc
  21. network_exporter.h
  22. oobe_config.cc
  23. oobe_config.h
  24. oobe_config_restore_main.cc
  25. oobe_config_restore_service.cc
  26. oobe_config_restore_service.h
  27. oobe_config_save_main.cc
  28. oobe_config_test.cc
  29. oobe_config_test.h
  30. OWNERS
  31. README.md
  32. rollback_cleanup.cc
  33. rollback_cleanup.h
  34. rollback_cleanup_main.cc
  35. rollback_cleanup_test.cc
  36. rollback_data.proto
oobe_config/README.md

OOBE Config Save and Restore Utilities

Provides utility executables to save and restore system state that can be applied during OOBE.

Currently only used by the enterprise rollback feature, which is described below.

Enterprise Rollback

Enterprise Rollback is a feature that allows device admins to roll back devices to a previous version. Device-wide network configs and state of oobe are preserved.

Rollback Overview

  • Admin pins to a certain device version and allows rollback

  • On the next update check, the device sends the rollback_allowed flag to Omaha

  • If there's a rollback image available for the pinned version, it will be downloaded and installed

  • Once the update is ready, update_engine leaves the flag /mnt/stateful_partition/.save_rollback_data and marks the device to be powerwashed

  • The device will boot into the rollback image on the next reboot

  • oobe_config_save is triggered during shutdown. Because the .save_rollback_data flag is present it will:

    • Collect information for rollback_data.proto by connecting to Chrome via mojo
    • (Option 1, devices produced with firmware that branched before 2023) Serialize and encrypt data with openssl using pstore. The encryption key is randomly created by software and stays in /var/lib/oobe_config_save/data_for_pstore
    • (Option 2, devices produced with firmware that branched after 2022) Serialize and encrypt data with libhwsec using the TPM
    • Encrypted data is put into /mnt/stateful_partition/unencrypted/preserve/rollback_data(_tpm)

  • Upon booting into the rollback image, the device powerwashes

    • /var/lib/oobe_config_save/data_for_pstore is moved into pstore /dev/pmsg0
    • /mnt/stateful_partition/unencrypted/preserve/rollback_data(_tpm) is preserved by moving to /tmp during wiping and then moving back
    • Once the device is wiped, it is rebooted

  • oobe_config_restore service always runs when oobe is not finished

  • Chrome requests oobe configuration from oobe_config_restore

    • Encrypted rollback data is loaded from /mnt/stateful_partition/unencrypted/preserve/rollback_data
    • If pstore was used, the key can be found under /sys/fs/pstore/pmsg-ramoops-*
    • Unencrypted data is sent to Chrome and stored in /var/lib/oobe_config_restore
    • Chrome steps through oobe and reconfigures networks using rollback_network_config

Note:

  • Data put into /dev/pmsg0 only survives one reboot and does not survive a power cycle

Known Issues:

  • Firmware version increments may break rollback because of firmware rollback protection
  • Data save may fail on an unclean shutdown
  • If the device loses power after powerwash, the encryption key in pstore is lost and rollback data cannot be decrypted

Checking if a device is able to use TPM encryption (Option 2 above)

tpm_manager_client list_spaces

Check if you see a space 0x000100E. That is the rollback space and indicates the device is able to use the TPM for encryption.

Testing Data Save and Restore for Rollback

This will powerwash your device.

touch /mnt/stateful_partition/.save_rollback_data
echo "fast safe keepimg" > /mnt/stateful_partition/factory_install_reset
reboot