Make Changes To The Chromium Rootfs
Production Chrome OS devices that are shipped from the factory are locked down and will not let you make changes to the software. This page describes how to enable developer mode and get root access to your system.
Make Changes to the Chromium rootfs
So I visited here www dot chromium dot org/chromium-os/poking-around-your-chrome-os-device and followed the steps to making changes to the filesystem and disabling rootfs verification. But the command it told me to enter just gave me an error: "make_dev_ssd.sh: ERROR: IMAGE /dev/mmcblk0 IS NOT MODIFIED."
By default, build_image will create an image with --enable_rootfs_verification enabled for x86 boards. This change has not landed just yet, but it will quite soon!

= Why, why, why?

- Build bots and automated tests will be running on the expected boot path and rootfs layer (verified to the rootfs)
- Exercise and polish the code!
- If boot is really slow, check your dmesg for it spewing errors. (Right now, it doesn't fail on error; just warns... a lot)

Also, the verified rootfs will open up booting by partition UUID which will make recovery/usb shim booting work irrespective of device enumeration. (This change to build_image and the installer is still in progress...)

= Great, but how can I ignore this for now?

Build with:

    ./build_image --noenable_rootfs_verification ...

= I keep getting errors on the USB. What gives?!?

Right now, our machines automount any recognized filesystems. If you put an imaged usb stick into a booted chromium os machine, it _will_ automount the root filesystem. In doing so, it will modify the filesystem's metadata and make it fail the integrity checks. For legacy/efi bootloaders, you can rerun chromeos-setimage, but otherwise, you need to reimage the usb stick.

If you have any ideas on how to avoid this, I'd love to know. It seems that moving to a read-only filesystem (like squashfs) is the "easiest" solution ;)

= Disabling and re-enabling rootfs verification

If you're doing a lot of iterations, I'd suggest temporarily disabling verification (on legacy and efi systems):

    crosh -> shell
    /usr/sbin/chromeos-setimage --noenable_rootfs_verification [AB]
    reboot

Just pick the A or B depending on which you'd like to boot to. Then when you are ready to test those changes, just rerun it with --enable_rootfs_verification and reboot!

If you have firmware that can boot to the kernel partition, then you'll need a new kernel partition image that doesn't have dm="..." in the commandline (or has stubbed out devices ROOT_DEV/HASH_DEV). I believe there is a doc floating around to do this, but I can't seem to dig it up.

Without doing anything special, you can always just disable dm-verity/rootfs verification in your image using cros_make_image_bootable:

1. Remove --enable_rootfs_verification from your [IMAGE_DIR]/boot.desc (just delete the line)
2. Inside the chroot run: bin/cros_make_image_bootable [IMAGE_DIR] chromiumos_image.bin
3. cd [IMAGE_DIR]; ./unpack_partitions chromiumos_image.bin
4. scp part2 over to your device and dd it over the kernel partition.

It's probably easier to just build a fresh image with it disabled :)

= gmerge plz!

Given that the root filesystem will be read-only, you can't just gmerge onto it. Probably it would make sense to build without support or disable it then re-enable it when testing.

If you really want to gmerge and keep going, you can switch between rootfs, but it isn't pretty:

    mkdir /tmp/other_root
    mount /dev/sdaX /tmp/other_root
    for d in /var /tmp /usr/local /mnt/stateful_partition; do mount --bind $d /tmp/other_root$d; done
    chroot /tmp/other_root
    gmerge blah
    exit # the chroot
    for d in /var /tmp /usr/local /mnt/stateful_partition; do umount /tmp/other_root$d; done
    umount /tmp/other_root
    # Recomputes the rootfs hash, writes it to disk, and updates the legacy and efi bootloaders
    chromeos-setimage [AB]
    reboot

(See the next section if you aren't using efi/legacy bootloaders.)

= Will it get better?

There is an open task to provide a gmerge helper to make this smoother, but it will end up doing the same thing as above. Hopefully, turning this on will motivate additional interest in making the development process even better! Right now, I'm pretty certain my normal flow varies from other people, and I've been hesitant to optimize for it.

Please send any ideas you have to make this less painful and/or more efficient for development! Any and all other comments are certainly appreciated

-will
-bin/gitweb.cgi?p=crosutils.git;a=commit;h=12f14ce889be432577995c209589e933475080e3

Enables this change. Reverting it is as easy as changing the default back to FLAGS_FALSE.

There's already been some discussion about why we'd want this on by default and what we should change. So I thought I'd open it up for anyone still reading:

The issue: if you gmerge a lot, you will probably just build with this disabled. If that's common, why make it a default?

Proposed suggestion: Only enable this on bots and tests

I agree with the sentiment and the goal of this change isn't to make everyone's lives harder "in the name of security". The goal is quite simply to raise awareness around code we plan on shipping to every user and ensure that people are indeed running their work on it. The root filesystem verification will impact all I/O bound processes on the root filesystem which means every piece of code we run and all rootfs-based config data. Hopefully getting more eyes on it will tease out dumb issues and result in smart suggestions for how to make it easier to develop on and better for our users. However, I'm open to changing it.

For now, I'd like to leave this on by default. If we do change it, we need to make sure it stays on for the factory_install and test images and on the bots by default. sosa & kliegs suggested ./build_image --withdev disable rootfs_verification. Any thoughts on if that flag makes the most sense to tie it to? If so, I'd be happy to do so (and even happier to review the change to do so :).

Anyhow, nothing is immutable, so please pipe up with suggestions, fixes, cls, etc.

thanks!
will
Fair enough. --release == --nowithdev, but it would be nice to make it explicit. However, I'd still be in favor of making changes that streamlined, instead of bloated, the cmdline arguments even if it requires some script/alias updates. We already have a huge number of flags for build image.
That's this same problem that encouraged me to make --enable_rootfs_verification default. There're a lot of scripts that people use that "just work". The only way to explore those scripts is to change the defaults. While it can yield breakage, it also means we see valid breakage from incompatibility. So far, turning this on hasn't yielded any automated breakage that I've seen, but I'm waiting for more people to wake up and let me know exactly how irritating this is :)

Anyway, if we tie it to --withdev we still need an extra option to force verification when needed. shflags can't easily change defaults with other arguments unless it parses the cmdline twice. Boo.

In general though, I'd be curious where the build scripts are headed [+anush :]. For instance, it might make sense to have a bin/cros_build_image that wraps build image codifying our build_image arguments into profiles: release, developer, release-test, ..., [profile]-[mod]. But I expect that's even too narrow a view when we start to pull in the cros_workon stuff, binary packages, and release branches :)

I don't have a specific course of action, but if no one else has strong opinions, we can pursue tying it to --withdev or something else in a few days. (I expect after a few days of dealing with this, there may be more strong opinions :)

thanks!
It's not at all likely to get merged upstream now. More likely that Val Aurora's union-at-VFS-level changes will be merged in the next few months.

The Ubuntu kernel, on which we have based, does have ubuntu/aufs in the tree: but starting to make use of that at this stage seems like a can of worms to me, useful though it may well be.

Hugh
We need to clear those flag bits so we can make changes to the filesystem. To do this, we need to know the offset (in bytes) of the beginning of the rootfs partition. You can use the GNU parted tool to find this out:
Once an app qube has been created, any changes in its /home, /usr/local, or /rw/config directories will be persistent across reboots, which means that any files stored there will still be available after restarting the app qube. No changes in any other directories in app qubes persist in this manner. If you would like to make changes in other directories which do persist in this manner, you must make those changes in the parent template.
Any app qube that is based on a template has its root filesystem non-persistent across qube reboots. In other words, whatever changes the qube makes (or the malware running in this qube makes) to its root filesystem, are automatically discarded whenever one restarts the qube.
To make the changes persistent, edit the file /etc/sysctl.conf and add these lines:

    fs.inotify.max_user_watches = 524288
    fs.inotify.max_user_instances = 512
Optionally chroot into the mounted rootfs. You may want to make configuration changes, or install packages. (Note: this requires that you already be operating from an ARMv7 system.) You should also remove x from the /etc/passwd file for the root user; that will allow us to fall into the emergency shell if required.
Having a set of configuration fragments makes what was changed at which stage more transparent. You can turn on and off the