[ownership] manual cherry-pick for #24745, #24766, #24798, #24683, #24799 #25028
+648
−89
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
timothytrippel
approved these changes
Nov 7, 2024
Refactor the activation code into a common function that can be used by both the boot services activate handler and the same-owner `NewVersion` update. Signed-off-by: Chris Frantz <[email protected]> (cherry picked from commit 44b0b34)
Allow the owenrship block to specify that it is locked to a specific device ID. 1. Add `lock_constraints` and `device_id` fields to the owner config. 2. Use the device_id from the lifecycle controller in the cryptographic verification of the owner config. 3. Add tests to verify node locking. Signed-off-by: Chris Frantz <[email protected]> (cherry picked from commit 355160f)
1. Rewrite the OwnerSecret page when performing an ownership transfer. 2. Test that the sealing derivation changes in each state along the transfer (e.g. CurrentOwner -> Unlocked -> NextOwner). Signed-off-by: Chris Frantz <[email protected]> (cherry picked from commit 2aff7a3)
1. Always allow the `REBO`, `WAIT` and `BAUD` commands. 2. Do not lock the ownership pages when in rescue mode _and_ built with `ROM_EXT_KLOBBER_ALLOWED` defined. A "klobber-enabled" DEV build is allowed to erase the ownership pages for disaster testing. Signed-off-by: Chris Frantz <[email protected]> (cherry picked from commit 2f9c9af)
The `SelfVersion` update mode permits either an ownership unlock to `UnlockedSelf` or a new-version update from the current owner. Signed-off-by: Chris Frantz <[email protected]> (cherry picked from commit f95f31d)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Manual cherry-pick for commits included in the following PRs: