docs: Introduce instructions to use and configure depthcharge

Signed-off-by: Paul Kocialkowski <contact@paulk.fr>

1 files changed, 288 insertions, 4 deletions

diff --git a/docs/depthcharge/index.html b/docs/depthcharge/index.html
index 664a6c8..d30c2e0 100644
--- a/docs/depthcharge/index.html
+++ b/docs/depthcharge/index.html
@@ -14,22 +14,306 @@
 <body>
 
 	<div class="section">
+
 		<h1 id="pagetop">Depthcharge payload</h1>
+
+		<p>
+			This section relates to the depthcharge payload used in libreboot.
+		</p>
+
+		<p>
+			Or <a href="../index.html">Back to main index</a>.
+		</p>
+
+		<ul>
+			<li><a href="#chromebook_security_model">Chromebook security model</a></li>
+			<li><a href="#developer_mode_screen">Developer mode screen</a>
+				<ul>
+					<li><a href="#holding_developer_mode_screen">Holding the developer mode screen</li>
+					<li><a href="#booting_normally">Booting normally</li>
+					<li><a href="#booting_different_mediums">Booting from different mediums</li>
+					<li><a href="#showing_device_information">Showing device information</li>
+					<li><a href="#warnings">Warnings</li>
+				</ul>
+			</li>
+			<li><a href="#recovery_mode_screen">Recovery mode screen</a>
+				<ul>
+					<li><a href="#recovering_bad_state">Recovering from a bad state</a></li>
+					<li><a href="#enabling_developer_mode">Enabling developer mode</a></li>
+				</ul>
+			</li>
+			<li><a href="#configuring_verified_boot_parameters">Configuring verified boot parameters</a></li>
+		</ul>
+
+	</div>
+
+	<div class="section">
+
+		<h1 id="chromebook_security_model">Chromebook security model</h1>
+
+		<p>
+			Chromebooks implement a strict security model to ensure that these devices do not become compromised,
+			that is implemented as the verified boot (vboot) reference, most of which is executed within depthcharge.
+			A detailed overview of the Chromebook security model is available on the dedicated page.
+		</p>
+
+		<div class="subsection">
+
+			<p>
+				In spite of the Chromebook security model, depthcharge won't allow booting kernels without verifying their signature and booting from external media or legacy payload unless explicitly allowed: see <a href="#configuring_verified_boot_parameters">configuring verified boot parameters</a>.
+			</p>
+
+		</div>
+
+	</div>
+
+	<div class="section">
+
+		<h1 id="developer_mode_screen">Developer mode screen</h1>
+
+		<p>
+			The developer mode screen can be accessed in depthcharge when developer mode is enabled.<br />
+			Developer mode can be enabled from the <a href="#recovery_mode_screen">recovery mode screen</a>.
+		</p>
+
+		<p>
+			It allows booting normally, booting from internal storage, booting from external media (when enabled), booting from legacy payload (when enabled), showing information about the device and disabling developer mode.
+		</p>
+
+		<div class="subsection">
+
+			<h2 id="holding_developer_mode_screen">Holding the developer mode screen</h2>
+
+			<p>
+				As instructed on the developer mode screen, the screen can be held by pressing <b>Ctrl + H</b> in the first 3 seconds after the screen is shown.
+				After that delay, depthcharge will resume booting normally.
+			</p>
+
+		</div>
+
+		<div class="subsection">
+
+			<h2 id="booting_normally">Booting normally</h2>
+
+			<p>
+				As instructed on the developer mode screen, a regular boot will happen after <b>3 seconds</b> (if developer mode screen is not held).<br />
+				The default boot medium (internal storage, external media, legacy payload) is shown on screen.
+			</p>
+
+		</div>
+
+		<div class="subsection">
+
+			<h2 id="booting_different_mediums">Booting from different mediums</h2>
+
+			<p>
+				Depthcharge allows booting from different mediums, when they are allowed (see <a href="#configuring_verified_boot_parameters">configuring verified boot parameters</a> to enable or disable boot mediums).<br />
+				As instructed on the developer mode screen, booting from various mediums can be triggered by pressing various key combinations:
+			</p>
+
+			<ul>
+				<li>Internal storage: <b>Ctrl + D</b></li>
+				<li>External media: <b>Ctrl + U</b> (when enabled)</li>
+				<li>Legacy payload: <b>Ctrl + L</b> (when enabled)</li>
+			</ul>
+
+		</div>
+
+		<div class="subsection">
+
+			<h2 id="showing_device_information">Showing device information</h2>
+
+			<p>
+				As instructed on the developer mode screen, showing device information can be triggered by pressing <b>Ctrl + I</b> or <b>Tab</b>.<br />
+				Various information is shown, including vboot non-volatile data, TPM status, GBB flags and key hashes.<br />
+			</p>
+
+		</div>
+
+		<div class="subsection">
+
+			<h2 id="warnings">Warnings</h2>
+
+			<p>
+				The developer mode screen will show warnings when:
+
+				<ul>
+					<li>Booting kernels without verifying their signature is enabled</li>
+					<li>Booting from external media is enabled</li>
+					<li>Booting legacy payloads is enabled</li>
+				</ul>
+
+			</p>
+
+		</div>
+
+	</div>
+
+	<div class="section">
+
+		<h1 id="recovery_mode_screen">Recovery mode screen</h1>
+
+		<p>
+			The recovery mode screen can be accessed in depthcharge, by pressing <b>Escape + Refresh + Power</b> when the device is off.
+		</p>
+
+		<p>
+			It allows recovering the device from a bad state by booting from a trusted recovery media.
+			When accessed with the device in a good state, it also allows enabling developer mode.
+		</p>
+
+		<div class="subsection">
+
+			<h2 id="recovering_bad_state">Recovering from a bad state</h2>
+
 			<p>
-				This section relates to the depthcharge payload used in libreboot.
+				When the device fails to verify the signature of a piece of the boot software or when an error occurs,
+				it is considered to be in a bad state and will instruct the user to reboot to recovery mode.<br />
+				Recovery mode boots using only software located in write-protected memory, that is considered to be trusted and safe.
 			</p>
+
 			<p>
-				TODO: write this section.
+				Recovery mode then allows recovering the device by booting from a trusted recovery media, that is automatically detected when recovery mode starts.
+				When no external media is found or when the recovery media is invalid, instructions are shown on screen. <br />
+				Trusted recovery media are external media (USB drives, SD cards, etc) that hold a kernel signed with the recovery key.
 			</p>
+
 			<p>
-				<a href="../index.html">Back to main index</a>.
+				Google provides images of such recovery media for Chrome OS (which are not advised to users as they contain proprietary software). <br />
+				They are signed with Google's recovery keys, that are pre-installed on the device when it ships.
 			</p>
+
+			<p>
+				When replacing the full flash of the device, the pre-installed keys are replaced.
+				When the recovery private key is available (e.g. when using self-generated keys), it can be used to sign a kernel for recovery purposes.
+			</p>
+
+		</div>
+
+		<div class="subsection">
+
+			<h2 id="enabling_developer_mode">Enabling developer mode</h2>
+
+			<p>
+				As instructed on the recovery mode screen, developer mode can be enabled by pressing <b>Ctrl + D</b>.<br />
+				Instructions to confirm enabling developer mode are then shown on screen.
+			</p>
+
+		</div>
+
+	</div>
+
+	<div class="section">
+
+		<h1 id="configuring_verified_boot_parameters">Configuring verified boot parameters</h1>
+
+		<p>
+			Depthcharge's behavior relies on the verified boot (vboot) reference implementation,
+			that can be configured with parameters stored in the verified boot non-volatile storage.<br />
+			These parameters can be modified with the <b>crossystem</b> tool, that requires sufficient privileges to access the verified boot non-volatile storage.
+		</p>
+
+		<p>
+			<b>crossystem</b> relies on <b>mosys</b>, that is used to access the verified boot non-volatile storage on some devices.
+			<b>crossystem</b> and <b>mosys</b> are both free software and their source code is made available by Google: <a href="https://chromium.googlesource.com/chromiumos/platform/vboot_reference/">crossystem</a>. <a href="https://chromium.googlesource.com/chromiumos/platform/mosys/">mosys</a>.<br />
+			These tools are not distributed along with Libreboot yet. However, they are preinstalled on the device, with ChromeOS.
+		</p>
+
+		<p>
+			Some of these parameters have the potential of <b>weakening the security of the device</b>.
+			In particular, disabling kernels signature verification, external media boot and legacy payload boot can weaken the security of the device.
+		</p>
+
+		<div class="subsection">
+
+			<p>
+				The following parameters can be configured:
+			</p>
+
+			<ul>
+
+				<li>
+					Kernels signature verification:
+					<ul>
+
+						<li>
+							Enabled with:<br />
+							# <b>crossystem dev_boot_signed_only=1</b>
+						</li>
+
+						<li>
+							Disabled with:<br />
+							# <b>crossystem dev_boot_signed_only=0</b>
+						</li>
+
+					</ul>
+				</li>
+
+				<li>
+					External media boot:
+					<ul>
+
+						<li>
+							Enabled with:<br />
+							# <b>crossystem dev_boot_usb=1</b>
+						</li>
+
+						<li>
+							Disabled with:<br />
+							# <b>crossystem dev_boot_usb=0</b>
+						</li>
+
+					</ul>
+				</li>
+
+				<li>
+					Legacy payload boot:
+					<ul>
+
+						<li>
+							Enabled with:<br />
+							# <b>crossystem dev_boot_legacy=1</b>
+						</li>
+
+						<li>
+							Disabled with:<br />
+							# <b>crossystem dev_boot_legacy=0</b>
+						</li>
+
+					</ul>
+				</li>
+
+				<li>
+					Default boot medium:
+					<ul>
+
+						<li>
+							Internal storage:<br />
+							# <b>crossystem dev_default_boot=disk</b>
+						</li>
+
+						<li>
+							External media:<br />
+							# <b>crossystem dev_default_boot=usb</b>
+						</li>
+
+						<li>
+							Legacy payload:<br />
+							# <b>crossystem dev_default_boot=legacy</b>
+						</li>
+
+					</ul>
+
+			</ul>
+
+		</div>
+
 	</div>
 
 	<div class="section">
 
 		<p>
-			Copyright &copy;  2015 Francis Rowe &lt;info@gluglug.org.uk&gt;<br/>
+			Copyright &copy;  2015 Paul Kocialkowski &lt;contact@paulk.fr&gt;<br/>
 			Permission is granted to copy, distribute and/or modify this document
 			under the terms of the GNU Free Documentation License, Version 1.3
 			or any later version published by the Free Software Foundation;