. The, 's master key using the passkey provided. When work executes in parallel with the critical path, the boot time impact will be much smaller. The user can request a wipe for purposes of restoring it to a clean state. , there should be comments detailing the callers that do the work. Q: What are the requirements for the boot-complete job? Waiting for an update is unlikely to be useful in most cases: The chromeos-install script can be used to install an image from scratch on a device. Although the UX in the two cases is quite different, the system state after installation in either case is indistinguishable. It covers what happens after /sbin/init first starts execution, until all services in the system are ready. Boot divides into three sequential phases with four publicly defined Upstart events: Initialization of basic services needed by the rest of the system. Below this threshold, the only considerations are the basic software engineering considerations of maintainable, easy-to-understood source code. For Chrome OS, these requirements apply; they may not be applicable on all platforms. Also as with stateful wipe, after rebooting the system will rebuild directories and mount points in the stateful file system. Defend lock errors are always transient, but the back-off period, is variable. Other than the four public events, Upstart jobs and events generated by the, package should be considered private to the package, and subject to change at any time. . This work takes a few hundred milliseconds, the bulk which is spent on decompression. If the service becomes obsolete, the job will go away when the services package is deleted. To prevent the rollback, the system must mark the kernel as good by setting the tries count to 0 and the successful flag to 1 sometime after booting. Finally, the boot time numbers tend to very noisy; small changes are likely not to be statistically significant. Instead, whenever the ui job stops, a separate ui-respawn job determines what to do according to these rules: Special handling for abnormal termination is subject to rate limitations: If a failure isnt handled by respawning or rebooting, the ui job stops, but the system stays up. The script uses. If no user session exists for the Mount instance, offline credential test falls, 's cryptohome is automatically created when the vault directory for the, user does not exist and the cryptohome service gets a call to mount the, can be called regardless of whether a user, cryptohome is mounted. When the feature is not used, Some special flows involve presenting simple messages to the user prior during basic services startup. After started boot-services, the failsafe-delay job starts a 30 second timer. For Chrome OS, these are the longest running steps in the critical path: X server startup until session_manager emits the x-started event. The crypthohome vault (the directory that is mounted via ecryptfs) is, c. The vault keyset is stored at /home/.shadow//master.0, i. Consult your friendly neighborhood Upstart guru for advice. service, the firmware, and the system application. Use these rules when evaluating what trade-offs may be necessary for performance: Note that these guidelines apply equally to improvements and regressions: Just as 50 ms slower isnt a regression, 50 ms faster isnt an improvement. removed), resulting in a one-time slower boot. The encrypted blob in the vault keyset is decrypted using the user. In this case, the system is given a chance to migrate the keys by, using scrypt fails, it is assumed that the password is incorrect, as, - If adding the decrypted keyset to the kernel keyring before ecryptfs, mount fails, it is assumed that the key material was decrytped, properly but some other problem exists outside of the control of, some other problem exists outside of the control of cryptohome. Rebooting is only attempted if the particular error termination happens more than once in 3 minutes; otherwise it just respawns. is used to accommodate the restricted operating environment: he X server is not running. If theres no such repository (e.g. The stateful update procedure operates in two stages: The Chrome browser is the system application for Chrome OS. are important to help prevent memory or resource leaks in services from freezing the system. The job is required before the system application can provide service, or. Consequently, rollback will be triggered if a newly updated image consistently fails in any of the following ways: Note that the user will typically have to forcibly power cycle a unit multiple times in any failure case other than a kernel panic. Platforms that want to use ureadahead must configure some specific kernel tracing features. Q: When should I use start on started system-services? - If writing the encrypted vault keyset to disk fails for any reason, - If decrypting the vault keyset fails because the call to decrypt. You have a service that provides a shared resource in the file system (e.g. Basic services are the indispensable services required by the system application and the rest of the system. The. Depending on a job makes it easier to find the sources of events, and trace their flow through the source code. your service is an upstream package), create a new package to install the job. If the device allows manual disabling of the TPM, this, error would not be transient, and the user would have to re-enable the, TPM. Below is a list of the principle directories, listed in the order theyre processed. However, if two packages are already coupled for sound technical reasons, its reasonable for one of the package to depend on the others Upstart jobs. . Initializing environment variables for the Chrome browser process. Initializing the system resources (e.g. A file named. best to reboot the system to clear this state.

Auto-update removes the ureadahead pack file during its post-install phase. That program is responsible for the following: Once Chrome has successfully displayed the initial startup screen, it kicks off the following sequence of events: When a user logs out of Chrome, the browser process terminates normally. Mounting and unmounting the encrypted data is handled by the mount-encrypted command. script can be used to install an image from scratch on a device. job is guaranteed to start even if the system application fails. package. The work should not be handled in. Q: What repository should hold my Upstart job? A: Ideally, the job should live in the source repository for the service it starts. You need to make sure that the file system resource is created before any service depending on. Principally, wiping the stateful partition means re-creating an empty filesystem using. After the started system-services event, services can rely on the following: By design, system services only start if the system application announces its successful initialization. The system application is responsible for this for two reasons: Delaying non-critical services allows the system application to start faster. If your job depends on a private event, changes to chromeos-init could cause your job to start at the wrong time, or not start at all.

Chrome OS Core supports a number of special boot flows, many of which are designed to handle system behaviors across multiple boots. Limits. The update_engine service updates these flags with specific values after applying an update, and again with different values after the system boots without failure. protection of the vault keyset. These are some of the key events reported by the tools: Session manager fork/exec of the Chrome browser process. After boot, the event will re-occur every time after a user logs out, or any time Chrome restarts after a crash. To support this requirement, a service can depend on the started failsafe event. , follow these guidelines to help readability: is called should name what jobs are affected, and how. Detection of devices deemed non-critical may be delayed until after the system application starts. Note that packages can and should rely on directories specified in the Linux FHS. No other services have a dependency. process in turn is responsible for managing the Chrome browser process. removed), resulting in a one-time slower boot. must erase and re-create the stateful partition. The system application is responsible for this for two reasons: For Chrome OS, boot-complete starts when the Chrome browser has displayed the initial login screen.

During basic services startup, the script chromeos_startup is responsible for mounting file systems, and creating the basic directory hierarchy. For reference, on Chrome OS, after stripping out comments and boilerplate, the. The script creates missing directories and mount points as necessary. Each phase of boot is dominated by one long running step. User input devices or other devices necessary to the system application will be detected, with modules loaded. As with stateful wipe, installation is responsible for creating the .developer_mode file when installing in dev mode. The diagram above shows an outline of the Chrome OS Core boot flow. emits this event after Chrome announces that has finished displaying its login screen. a. If tries is decremented to 0 and successful is never set to 1, the firmware will roll back to the previous working software. 3. However, it will always clear the current user'.

Moreover, the feature presupposes some specific privacy requirements. Handling Chrome Shutdown, Crashes, and Restarts.

a directory in, ), your service is responsible for creating the files and directories. The flags are designated priority, successful, and tries. At the end of basic services startup (that is, when Upstart emits started boot-services), the following services are guaranteed available: Note that jobs that run during this phase must by their nature work in an environment where the services above may not be available. For an example, see the chromeos-base/openssh-server-init package. For Chrome OS, that application is the Chrome browser. For an example, see the, A: This is the preferred way to start any job that should run once at boot time. . This also increases the brute-force, cost of attacking the SerializedVaultKeyset offline as it means that the, attacker would have to do a TPM cipher operation per password attempt. When a user logs out of Chrome, the browser process terminates normally. In the best case, work in parallel will consume resources that would otherwise be idle, meaning boot time is unaffected. Work to create this storage should belong to the package that owns the service. (including device recovery), or automatic update, a reboot is necessary for the new software to take effect. The. For Chrome OS, these requirements apply; they may not be applicable on all platforms. This happens after every Chrome restart. The script is invoked from the. Most services cannot operate until these basic services are running normally. .

The system application receives special treatment in the boot flow. That script marks the kernel as good, after which rollback is no longer possible. However some services may require that they start eventually, even if the system as a whole has failed. Changes more than 250ms (.25s) are significant. The rationale is that if a system is failing in this way, rollback is by far the most preferable way to recover. The failsafe job is guaranteed to start even if the system application fails. The directory is a bind mount over, As a security measure to protect private data, the portions of the stateful partition under, are mounted from an encrypted blob stored in the stateful partition. The end-user. Device hotplug detection. event time matter. After update_engine has finished downloading and installed a new image, the updates post-install phase marks the GPT flags for the new kernel to have the highest priority for boot, with tries set to 5, and successful set to 0. A: The job must have a start stanza that will start once the system application is up and providing service. If users wait for an update and the next update contains the same bug, that new update will have overwritten the working previous version. The flows involve one of two use cases: Because these messages are presented during basi services startup, a special script called chromeos-boot-alert is used to accommodate the restricted operating environment: In certain boot cases, chromeos_startup must erase and re-create the stateful partition. Tspi_TPM_TakeOwnership will be called with the Trousers default well-known, ownership password, and the Chromium OS well-known SRK password. As with stateful wipe, installation is responsible for creating the, file when installing in dev mode. starts. a. The system application cant finish initialization without this second service, and will wait until its ready. Below is a list of various Upstart events triggered by Chrome browser startup, and when they happen: This first occurs at boot after started boot-services. Below is a list of the principle directories, listed in the order theyre processed. The work must happen at boot: In general, there is no way to initialize writable storage at build time. For Chrome OS Core, there are four public Upstart events with well-defined, stable semantics. For examples, look at the tree of jobs for starting the network (see init/shill.conf in src/platform/shill) or cryptohome services (see init/cryptohomed.conf in src/platform/cryptohome). . If your package delivers more than one job, it is safe and reasonable for some jobs to depend on others in the same package instead of depending on the public events. This content is not delivered via the autoupdate mechanism. Moreover, the feature presupposes some specific privacy requirements. service updates these flags with specific values after applying an update, and again with different values after the system boots without failure. Below is a list of known caches affecting boot time, and a summary of what causes them to be invalidated. This content is not delivered via the autoupdate mechanism. - This directory is only mounted for developer and test systems. An ordinary user will perceive the device as fully functional. a directory in /var/lib), your service is responsible for creating the files and directories. . Not all Chrome OS Core platforms use this feature: The feature requires a TPM to be effective. Typically, this can happen in a, script in the Upstart job for the service. Theyre removed on the first boot after any update; this happens in, The VPD cache - this collection of files is created by, during basic services startup; see the sources under. etc. This means that the first boot after an update will be slower because ureadahead must regenerate the pack file. Typically, critical means that the system application expects the service to be present, or that the user would perceive the system as not functional without it. That work requires a few dozen milliseconds, and is attributed to kernel startup time. If your job depends on a private event, changes to. Creating the Stateful File System (the chromeos_startup script), At startup, there is no writable file system storage available. . MountGuestCryptohome, or MigratePasskey is made (regardless of success status). Generally, start and stop conditions for jobs should be based on job events like started and stopped, rather than starting or stopping jobs with initctl emit, start, or stop. Chrome browser startup, until login-prompt-visible. , and also to protect the filesystem from inadvertent damage. Additionally, device availability is not guaranteed in all cases; devices may not be initialized, and their drivers may not even be loaded. After the wipe procedure is complete, the system reboots; on reboot the system will, Interactions with Install, Recovery, and Update. When work executes in parallel with the critical path, the boot time impact will be much smaller. When the timer expires, update_engine invokes a script called chromeos-setgoodkernel. Initialization of all other services. Q: When should I use start on started failsafe? Even if jobs in parallel compete for resources with the critical path, the impact is typically smaller than the total resource requirement of the extra work. The installation process includes creating a stateful partition file system, similar to the process for stateful wipe. From time to time, an update may contain new firmware for the device. is a wrapper around this script. You have a service thats needed for administrative or debug access to your device. Q: How do I disable/enable the encrypted stateful feature? , or an Upstart job not related to your package. If you must use initctl emit, start, or stop, follow these guidelines to help readability: If your service requires writable storage (e.g. The encrypted storage is kept in /mnt/stateful_partition/encrypted. If the blob was protected using the TPM, and there is a failure in, 't correspond to a TPM clear, then a communications failure, iv. If the blob was protected using the TPM, and the TPM has been cleared. Boot performance is measured by capturing timestamps at specific moments during the boot flow. Readers should also have some understanding of Linux file system management concepts, like mounting and creating file systems. This time isnt recorded as part of the. Depending on a job makes it easier to find the sources of events, and trace their flow through the source code. The objective is that if your package isnt part of a distribution, it shouldnt create vestiges in the file systems of distributions that dont need it. Wipe after changing from dev mode to verified mode, or vice versa.