With respect to the 4 points you brought up regarding dev-mode:
o you can re-enable verified boot, while still remaining in dev-mode. Its a single command.
o you can set a linux password for the user 'chronos'. Again, its a single command. This takes care of the open vt-2 (you need to give the chronos password) and the open sudo access to root (again, you have to now give the chronos password)
yes, you can see the contents of your home directory now, including all the chrome data. Just as you can when installing chrome on any other linux distribution (or OS). Basically, this just means "you now have a bash shell, with gnu coreutils, so you can peruse the filesystem". I'm not sure how this qualifies as a problem.
Hope the above doesn't come across as 'snarky' - thats not the intention.
Thing is, dev-mode chrome os can be close to a fully fledged linux distro - if that is your want. It even has a native pkg manager (chromebrew) to install the missing bits (gcc, tcl, ruby, python, tmux etc). The only thing that really gets in the way is the non standard display server (google's sommelier can help to partly overcome this - installable via chromebrew if you wish).
The only real warning against dev-mode ought to be - "if you're not especially comfortable on linux boxen, don't do it"
Not that its "insecure". It really isn't, once you set it up correctly (again, thats only 2 commands). The real insecurity comes down to what stuff you then go on to install and run on your machine.
And thats true of any system, once you have control over it.
I was aware that you can set a password for chronos user, but I was not aware that you can re-enable Verified Boot. Do you have a link to this you can share? Did a quick search for "enable verified boot in dev mode", but didn't find any relevant articles.
crossystem is your swiss army toolbox for interacting with the boot-time features of chrome os.
The specific knob to tweak here is:
crossystem dev-boot-signed-only=1
With crossystem, you can also turn legacy boot (the open "legacy" bios bootloader, accesed by ctrl-l at boottime) off, and usb boot (ctrl-u, used to boot chrome or chromium os usb installs) off.
(of course, you only do that if you have no interest in dual booting. The user has the power to decide - as it should be)
Once you have that, your dev-mode chromebook can ONLY boot the google supplied chrome os kernel, and it will verify the checksum on the kernel partition, just to make sure.
See? Dev-mode AND security. In only 2 commands (including setting the password).
(I've never figured out how such an easy-to-lockdown system gets so many articles posted on it - all warning how insecure it is and "don't do it".)
you can re-enable verified boot, while still remaining in dev-mode. Its a single command.
Can you share the command? All the top google results give steps for re-enabling verified boot by turning off dev mode (i.e. by pressing space at boot and wiping user data).
Having said that, I haven't been using ChromeOS devices for several years now, so do it at your own risk.
Also, there is more detailed information about this in the crouton project's wiki here and here.
TL;DR:
[crouton] re-enables verified boot when it can, although this is a bit of a false sense of security, as anything with the ability to escape the chroot and edit the rootfs also has the permissions necessary to disable verified boot again as well.
The command to do this is:
crossystem dev-boot-signed-only=1
Some comments have been hidden by the post's author - find out more
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Peter,
With respect to the 4 points you brought up regarding dev-mode:
o you can re-enable verified boot, while still remaining in dev-mode. Its a single command.
o you can set a linux password for the user 'chronos'. Again, its a single command. This takes care of the open vt-2 (you need to give the chronos password) and the open sudo access to root (again, you have to now give the chronos password)
Hope the above doesn't come across as 'snarky' - thats not the intention.
Thing is, dev-mode chrome os can be close to a fully fledged linux distro - if that is your want. It even has a native pkg manager (chromebrew) to install the missing bits (gcc, tcl, ruby, python, tmux etc). The only thing that really gets in the way is the non standard display server (google's sommelier can help to partly overcome this - installable via chromebrew if you wish).
The only real warning against dev-mode ought to be - "if you're not especially comfortable on linux boxen, don't do it"
Not that its "insecure". It really isn't, once you set it up correctly (again, thats only 2 commands). The real insecurity comes down to what stuff you then go on to install and run on your machine.
And thats true of any system, once you have control over it.
Hi Imran,
Thank you for the feedback.
I was aware that you can set a password for
chronosuser, but I was not aware that you can re-enable Verified Boot. Do you have a link to this you can share? Did a quick search for "enable verified boot in dev mode", but didn't find any relevant articles.crossystemis your swiss army toolbox for interacting with the boot-time features of chrome os.The specific knob to tweak here is:
With crossystem, you can also turn legacy boot (the open "legacy" bios bootloader, accesed by ctrl-l at boottime) off, and usb boot (ctrl-u, used to boot chrome or chromium os usb installs) off.
(of course, you only do that if you have no interest in dual booting. The user has the power to decide - as it should be)
Once you have that, your dev-mode chromebook can ONLY boot the google supplied chrome os kernel, and it will verify the checksum on the kernel partition, just to make sure.
See? Dev-mode AND security. In only 2 commands (including setting the password).
(I've never figured out how such an easy-to-lockdown system gets so many articles posted on it - all warning how insecure it is and "don't do it".)
FYI here's how to toggle USB and legacy boot:
chromium.org/chromium-os/developer...
Both should be already disabled by default.
Can you share the command? All the top google results give steps for re-enabling verified boot by turning off dev mode (i.e. by pressing space at boot and wiping user data).
Carl, it's provided in a reply here.
Having said that, I haven't been using ChromeOS devices for several years now, so do it at your own risk.
Also, there is more detailed information about this in the crouton project's wiki here and here.
TL;DR:
The command to do this is: