commit 7f37ac12a5553f4696b40007cace5093414fa270
author Sarthak Kukreti <sarthakkukreti@chromium.org> Fri Sep 18 16:35:17 2020 -0700
committer Commit Bot <commit-bot@chromium.org> Wed Dec 02 05:56:38 2020 +0000
tree a59852d9396c678f56a368f8dd7eac90cc1e8a13
parent 3465afac57aea33feda5a0b6153c84d8fdc7de8a

init: conditionally disable encrypted-reboot-vault

encrypted-reboot-vault calls RAND_bytes() to create the random
encryption key for the vault. On some devices, this can stall boot
if there isn't enough entropy.

Add a USE flag to disable creation of the encrypted reboot vault.

BUG=b:158580694
TEST=USE=-encrypted_reboot_vault emerge chromeos-init disables
     the encrypted reboot vault.

Cq-Depend: chromium:2419229
Change-Id: I85a2cbdd55601791aa71d60ce0cadcfa90e7708c
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2419630
Tested-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Commit-Queue: Sarthak Kukreti <sarthakkukreti@chromium.org>
Reviewed-by: Amin Hassani <ahassani@chromium.org>
Reviewed-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-by: Aileen Cheng <chengaileen@google.com>
(cherry picked from commit 8ea0961f6378a03950a6ca8e1dead403977abb8d)
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2562997
Reviewed-by: SHAMANTHA KUMAR PERAMACHANAHALLI RAMARAO <shamanthakumar@google.com>
Reviewed-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Tested-by: SHAMANTHA KUMAR PERAMACHANAHALLI RAMARAO <shamanthakumar@google.com>
Tested-by: Shiva Sai Kothapalli <kshivasai@google.com>
Commit-Queue: Shiva Sai Kothapalli <kshivasai@google.com>

init/chromeos_startup

diff --git a/init/chromeos_startup b/init/chromeos_startup
index 8002c36..4713728 100755
--- a/init/chromeos_startup
+++ b/init/chromeos_startup
@@ -15,6 +15,10 @@
 # encrypted stateful partition.
 ENCRYPTED_STATEFUL_MNT="/mnt/stateful_partition/encrypted"
 
+# USE_ENCRYPTED_REBOOT_VAULT determines whether the encrypted reboot vault
+# should be created/mounted.
+USE_ENCRYPTED_REBOOT_VAULT=1
+
 # Unmounts the incomplete mount setup during the failure path. Failure to
 # set up mounts in this script result in the entire stateful partition getting
 # wiped using clobber-state.
@@ -486,8 +490,10 @@
 # Setup the encrypted reboot vault once the encrypted stateful partition
 # is available. If unlocking the encrypted reboot vault failed (due to power
 # loss/reboot/invalid vault), attempt to recreate the encrypted reboot vault.
-if ! encrypted-reboot-vault --action=unlock; then
-  encrypted-reboot-vault --action=create
+if [ "${USE_ENCRYPTED_REBOOT_VAULT}" -eq "1" ]; then
+  if ! encrypted-reboot-vault --action=unlock; then
+    encrypted-reboot-vault --action=create
+  fi
 fi
 
 force_clean_file_attrs /var