Firmware Management Parameters
Firmware Management Parameters (aka FWMP) are optional settings that can be stored in the TPM to control some aspects of developer mode for developers and system administrators.
What's in the FWMP?
The FWMP contains a set of flags and an optional developer key hash.
The flags are as follows:
Flag | Name | Meaning | Equivalent crossystem setting
0x01 | FWMP_DEV_DISABLE_BOOT | Disable developer mode. If this flag is set, booting the device in developer mode takes you straight to the TONORM screen, which asks you to confirm turning developer mode off. |
0x02 | FWMP_DEV_DISABLE_RECOVERY | Disable developer features of recovery images. |
0x04 | FWMP_DEV_ENABLE_USB | Enable Ctrl+U to boot from USB. | Same effect as 'crossystem dev_boot_usb=1'
0x08 | FWMP_DEV_ENABLE_LEGACY | Enable Ctrl+L to boot a legacy OS. | Same effect as 'crossystem dev_boot_legacy=1'
0x10 | FWMP_DEV_ENABLE_OFFICIAL_ONLY | Only accept developer images signed with the official Chrome OS key. | Same effect as 'crossystem dev_boot_signed_only=1'
0x20 | FWMP_DEV_USE_KEY_HASH | Only accept developer images signed with a specific key. If this is set, the SHA-256 digest of the kernel key data is compared with the digest stored in the FWMP. This lets you decide which developer images will boot on your device instead of blindly trusting them all; it is particularly handy when combined with FWMP_DEV_ENABLE_USB. |
The key hash is the SHA-256 of the key data for the kernel key. There isn't a tidy way to extract this from a keyblock yet; coming soon.
Setting the FWMP
Use cryptohome to set the FWMP. Writing it requires TPM owner authorization, so either the TPM must have just been owned (the owner password is still available to cryptohome) or you must know the owner password:
cryptohome --action=set_firmware_management_parameters --flags={flags_as_decimal_or_0xhex} [--developer_key_hash={hash_as_hex_string}]
To remove the FWMP:
cryptohome --action=remove_firmware_management_parameters
And, of course, you can see what it contains; this works even if you don't know the owner password:
cryptohome --action=get_firmware_management_parameters
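The flags argument is a bit-field built from the table above, and a mistake in it (or in the developer key hash) is only undone by a full recovery. The following helpers are an added example for this page, not code from Chromium OS or cryptohome: they OR named flags into the hex value cryptohome takes, decode a value read back with get_firmware_management_parameters into flag names, and build the set command while refusing FWMP_DEV_USE_KEY_HASH without a well-formed 64-hex-digit SHA-256. The function names are ours; the flag values are the page's.

```shell
#!/bin/sh
# Added example, not code from the Chromium OS page or from cryptohome itself:
# helpers that build and check the FWMP flag bit-field before it is handed to
#   cryptohome --action=set_firmware_management_parameters --flags=... [--developer_key_hash=...]
# The flag values are the ones listed in the table; the function names are ours.

# fwmp_flags NAME...: OR the named flags together and print the value as
# 0x-prefixed hex, one of the forms cryptohome accepts for --flags.
fwmp_flags() {
    v=0
    for name in "$@"; do
        case "$name" in
            FWMP_DEV_DISABLE_BOOT)         v=$((v | 0x01)) ;;
            FWMP_DEV_DISABLE_RECOVERY)     v=$((v | 0x02)) ;;
            FWMP_DEV_ENABLE_USB)           v=$((v | 0x04)) ;;
            FWMP_DEV_ENABLE_LEGACY)        v=$((v | 0x08)) ;;
            FWMP_DEV_ENABLE_OFFICIAL_ONLY) v=$((v | 0x10)) ;;
            FWMP_DEV_USE_KEY_HASH)         v=$((v | 0x20)) ;;
            *) echo "fwmp_flags: unknown flag $name" >&2; return 1 ;;
        esac
    done
    printf '0x%02x\n' "$v"
}

# fwmp_decode VALUE: print the names of the bits set in VALUE (decimal or
# 0x-hex), space separated. Bits above 0x20 are not defined in the table,
# so a value carrying them is rejected rather than silently decoded.
fwmp_decode() {
    v=$(($1))
    if [ $((v & ~0x3f)) -ne 0 ]; then
        echo "fwmp_decode: undefined bits in $1" >&2
        return 1
    fi
    out=""
    for pair in 1:FWMP_DEV_DISABLE_BOOT 2:FWMP_DEV_DISABLE_RECOVERY \
                4:FWMP_DEV_ENABLE_USB 8:FWMP_DEV_ENABLE_LEGACY \
                16:FWMP_DEV_ENABLE_OFFICIAL_ONLY 32:FWMP_DEV_USE_KEY_HASH; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $((v & bit)) -ne 0 ]; then
            out="$out${out:+ }$name"
        fi
    done
    echo "$out"
}

# fwmp_set_cmd FLAGS [HASH]: print the cryptohome command for FLAGS. It refuses
# the combination that locks a device out (FWMP_DEV_USE_KEY_HASH without a
# well-formed 64-hex-digit SHA-256); a wrong hash can only be undone by a
# recovery (see "Removing the FWMP"), so it is worth checking here first.
fwmp_set_cmd() {
    flags=$(($1))
    hash=${2:-}
    if [ $((flags & 0x20)) -ne 0 ]; then
        case "$hash" in
            '' | *[!0-9a-fA-F]*)
                echo "fwmp_set_cmd: FWMP_DEV_USE_KEY_HASH needs a hex SHA-256 digest" >&2
                return 1 ;;
        esac
        if [ ${#hash} -ne 64 ]; then
            echo "fwmp_set_cmd: developer key hash must be 64 hex digits" >&2
            return 1
        fi
    fi
    cmd="cryptohome --action=set_firmware_management_parameters"
    cmd="$cmd --flags=$(printf '0x%02x' "$flags")"
    if [ -n "$hash" ]; then
        cmd="$cmd --developer_key_hash=$hash"
    fi
    echo "$cmd"
}

# Usage: a device that may boot from USB, but only the developer image signed
# with one specific key. Prints the flag names for the combined value 0x24.
fwmp_decode "$(fwmp_flags FWMP_DEV_ENABLE_USB FWMP_DEV_USE_KEY_HASH)"
```

Pipe the output of fwmp_set_cmd into sh only after reading it back; the helpers deliberately print the command rather than run it, since the write is irreversible without owner authorization or a recovery.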
System administrators can automatically set the FWMP on enterprise-enrolled devices during the initial device enrollment.
Removing the FWMP
If you have somehow locked yourself out of your system (say, by setting FWMP_DEV_DISABLE_BOOT, or by setting FWMP_DEV_USE_KEY_HASH with the wrong hash), all is not lost.
If your Chrome OS device is NOT enterprise-enrolled, disable developer mode, recover your system to a fresh state with a recovery image, then log in. That automatically removes the FWMP, along with everything else that was on your system.
If your Chrome OS device is enterprise-enrolled, see your system administrator.
I Can't Get Into Developer Mode
If you've enabled developer mode, and you're getting this warning at boot time:
Developer mode is disabled on this device by system policy.
For more information, see https://www.chromium.org/chromium-os/fwmp
that's because FWMP_DEV_DISABLE_BOOT is set. See the previous section on removing the FWMP.