oobe_config/README.md - third_party/platform2 - Git at Google

 # OOBE Config Save and Restore Utilities

 Provides utility executables to save and restore system state that can be
 applied during OOBE.

 Currently only used by the enterprise rollback feature, which is described
 below.

 ## Enterprise Rollback

 Enterprise Rollback is a feature that allows device admins to roll back devices
 to a previous version. Device-wide network configs and state of oobe are
 preserved.

 ### Rollback Overview

 - Admin pins to a certain device version and allows rollback
 - On the next update check, the device sends the [rollback_allowed](https://source.chromium.org/chromium/aosp/platform/system/update_engine/+/HEAD:cros/omaha_request_builder_xml.cc;l=159;drc=bed15aeab709496288faa6ab288b7d0e6cde0630)
 flag to Omaha
 - If there's a rollback image available for the pinned version, it will be
 downloaded and installed
 - Once the update is ready, update_engine leaves the flag
 [/mnt/stateful_partition/.save_rollback_data](https://source.chromium.org/chromium/aosp/platform/system/update_engine/+/HEAD:cros/hardware_chromeos.cc;l=262;drc=bed15aeab709496288faa6ab288b7d0e6cde0630)
 and marks the device to be powerwashed
 - The device will boot into the rollback image on the next reboot


 - [oobe_config_save](http://cs/chromeos_public/src/platform2/oobe_config/etc/init/oobe_config_save.conf)
 is triggered during shutdown. Because the `.save_rollback_data` flag is present
 it will:
 	- Collect information for [rollback_data.proto](./rollback_data.proto)
 	by connecting to Chrome via mojo
 	- (Option 1, devices produced with firmware that branched before 2023)
 	Serialize and encrypt data with [openssl](./config/rollback_openssl_encryption.h)
 	using pstore. The encryption key is randomly created by software and stays
 	in `/var/lib/oobe_config_save/data_for_pstore`
 	- (Option 2, devices produced with firmware that branched after 2022)
 	Serialize and encrypt data with [libhwsec](../libhwsec/frontend/oobe_config/)
 	using the TPM
 	- Encrypted data is put into
 	`/mnt/stateful_partition/unencrypted/preserve/rollback_data(_tpm)`

 - Upon booting into the rollback image, the device
 [powerwashes](/init/clobber_state.cc)
 	- `/var/lib/oobe_config_save/data_for_pstore` is moved into pstore
 	`/dev/pmsg0`
 	- `/mnt/stateful_partition/unencrypted/preserve/rollback_data(_tpm)` is
 	preserved by moving to `/tmp` during wiping and then moving back
 	- Once the device is wiped, it is rebooted


 - [oobe_config_restore](./etc/init/oobe_config_restore.conf)
 service always runs when oobe is not finished
 - Chrome requests oobe configuration from `oobe_config_restore`
 	- Encrypted rollback data is loaded from
 	`/mnt/stateful_partition/unencrypted/preserve/rollback_data`
 	- If pstore was used, the key can be found under `/sys/fs/pstore/pmsg-ramoops-*`
 	- Unencrypted data is sent to Chrome and stored in
 	`/var/lib/oobe_config_restore`
 	- Chrome steps through oobe and reconfigures networks using
 	[rollback_network_config](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/ash/net/rollback_network_config/)

 Note:
 - Data put into `/dev/pmsg0` only survives one reboot and does not survive a
 	power cycle

 Known Issues:
 - Firmware version increments may break rollback because of firmware rollback
 	protection
 - Data save may fail on an unclean shutdown
 - If the device loses power after powerwash, the encryption key in pstore is lost and
 	rollback data cannot be decrypted

 ## Checking if a device is able to use TPM encryption (Option 2 above)

 ```
 tpm_manager_client list_spaces
 ```
 Check if you see a space `0x000100E`. That is the rollback space and indicates
 the device is able to use the TPM for encryption.

 ## Testing Data Save and Restore for Rollback

 This will powerwash your device.

 ```
 touch /mnt/stateful_partition/.save_rollback_data
 echo "fast safe keepimg" > /mnt/stateful_partition/factory_install_reset
 reboot
 ```
	# OOBE Config Save and Restore Utilities

	Provides utility executables to save and restore system state that can be
	applied during OOBE.

	Currently only used by the enterprise rollback feature, which is described
	below.

	## Enterprise Rollback

	Enterprise Rollback is a feature that allows device admins to roll back devices
	to a previous version. Device-wide network configs and state of oobe are
	preserved.

	### Rollback Overview

	- Admin pins to a certain device version and allows rollback
	- On the next update check, the device sends the [rollback_allowed](https://source.chromium.org/chromium/aosp/platform/system/update_engine/+/HEAD:cros/omaha_request_builder_xml.cc;l=159;drc=bed15aeab709496288faa6ab288b7d0e6cde0630)
	flag to Omaha
	- If there's a rollback image available for the pinned version, it will be
	downloaded and installed
	- Once the update is ready, update_engine leaves the flag
	[/mnt/stateful_partition/.save_rollback_data](https://source.chromium.org/chromium/aosp/platform/system/update_engine/+/HEAD:cros/hardware_chromeos.cc;l=262;drc=bed15aeab709496288faa6ab288b7d0e6cde0630)
	and marks the device to be powerwashed
	- The device will boot into the rollback image on the next reboot


	- [oobe_config_save](http://cs/chromeos_public/src/platform2/oobe_config/etc/init/oobe_config_save.conf)
	is triggered during shutdown. Because the `.save_rollback_data` flag is present
	it will:
	- Collect information for [rollback_data.proto](./rollback_data.proto)
	by connecting to Chrome via mojo
	- (Option 1, devices produced with firmware that branched before 2023)
	Serialize and encrypt data with [openssl](./config/rollback_openssl_encryption.h)
	using pstore. The encryption key is randomly created by software and stays
	in `/var/lib/oobe_config_save/data_for_pstore`
	- (Option 2, devices produced with firmware that branched after 2022)
	Serialize and encrypt data with [libhwsec](../libhwsec/frontend/oobe_config/)
	using the TPM
	- Encrypted data is put into
	`/mnt/stateful_partition/unencrypted/preserve/rollback_data(_tpm)`

	- Upon booting into the rollback image, the device
	[powerwashes](/init/clobber_state.cc)
	- `/var/lib/oobe_config_save/data_for_pstore` is moved into pstore
	`/dev/pmsg0`
	- `/mnt/stateful_partition/unencrypted/preserve/rollback_data(_tpm)` is
	preserved by moving to `/tmp` during wiping and then moving back
	- Once the device is wiped, it is rebooted


	- [oobe_config_restore](./etc/init/oobe_config_restore.conf)
	service always runs when oobe is not finished
	- Chrome requests oobe configuration from `oobe_config_restore`
	- Encrypted rollback data is loaded from
	`/mnt/stateful_partition/unencrypted/preserve/rollback_data`
	- If pstore was used, the key can be found under `/sys/fs/pstore/pmsg-ramoops-*`
	- Unencrypted data is sent to Chrome and stored in
	`/var/lib/oobe_config_restore`
	- Chrome steps through oobe and reconfigures networks using
	[rollback_network_config](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/ash/net/rollback_network_config/)

	Note:
	- Data put into `/dev/pmsg0` only survives one reboot and does not survive a
	power cycle

	Known Issues:
	- Firmware version increments may break rollback because of firmware rollback
	protection
	- Data save may fail on an unclean shutdown
	- If the device loses power after powerwash, the encryption key in pstore is lost and
	rollback data cannot be decrypted

	## Checking if a device is able to use TPM encryption (Option 2 above)

	```
	tpm_manager_client list_spaces
	```
	Check if you see a space `0x000100E`. That is the rollback space and indicates
	the device is able to use the TPM for encryption.

	## Testing Data Save and Restore for Rollback

	This will powerwash your device.

	```
	touch /mnt/stateful_partition/.save_rollback_data
	echo "fast safe keepimg" > /mnt/stateful_partition/factory_install_reset
	reboot
	```