[ownership] Add node-locked owner configs #24745
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
timothytrippel
approved these changes
Oct 9, 2024
cfrantz
force-pushed
the
owner-node-locked
branch
from
540e0ed
to
8ced1f6
Compare
|
Note: I rewrote this to provide a usage_constraints-like lock on the entire device_id rather than just the lock on the device identification number. This PR now depends on #24760. |
1. Add a version field to the TLV header structure. 2. Re-arrange fields in the owner block to compensate for the removal of the `struct_version` field. 3. Set the initial version of all structs to version 0.0. 4. Update opentitantool to match the updated owner config structure. The version number is printed in `--debug` mode. When writing the binary representation, the version number written is the version supported by the tool (e.g. version 0.0), _not_ the version number present in the input file. 5. Add version checking and unique errors for each tag in the firmware TLV parser. 6. Add tests for invalid struct versions. Signed-off-by: Chris Frantz <cfrantz@google.com>
Refactor the activation code into a common function that can be used by both the boot services activate handler and the same-owner `NewVersion` update. Signed-off-by: Chris Frantz <cfrantz@google.com>
Allow the owenrship block to specify that it is locked to a specific device ID. 1. Add `lock_constraints` and `device_id` fields to the owner config. 2. Use the device_id from the lifecycle controller in the cryptographic verification of the owner config. 3. Add tests to verify node locking. Signed-off-by: Chris Frantz <cfrantz@google.com>
cfrantz
force-pushed
the
owner-node-locked
branch
from
8ced1f6
to
cb77037
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allow the owenrship block to specify that it is locked to a specific device ID.
lock_constraintsanddevice_idfields to the owner config.Addresses: #24657