File: README.md

chromium 139.0.7258.127-1
# Ownership

[TOC]

## Objective

The concept of ownership allows ChromeOS to decide who should have full control
over the device, including changing settings that might affect all users on the
device.

## Terminology

- Owner: The entity that “owns” the device. This could be a user or a device
management organization. The owner possesses the owner private key.
- Owner private key: The private key used to sign device settings. Only the
owner has access to it.
- Owner public key: The public key used to verify device settings. All users on
the device have access to it.
- Owner key pair: The key pair consisting of the owner private key and the owner
public key.

## Consumer ownership

A ChromeOS device can be owned by a single user (in contrast to an
organization), in which case it is consumer owned.

The first user created on the device becomes the owner. ChromeOS generates an
owner key pair for the user and produces initial device settings. The device
settings name the owner user as the author, include the public part of the
owner key, and are signed by the private part of the owner key. Chrome sends the
signed device settings to the session manager daemon, which stores them on disk.
Session manager also stores the public owner key separately, so all users can
verify the signature on the device settings.

Later, the owner user can produce, sign and store new device settings as long as
they have the owner key. Other users can read and verify them, but cannot change
them.

If the public part of the owner key gets lost or corrupted, it can be restored
by the session manager from the device settings. If the private part of the key
is lost and the device settings claim that the current user is the owner,
generating a new owner key and storing new device settings signed with it is
allowed. As a last resort, the local state preferences also store which user is
the owner.
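
The consumer-ownership flow described above, as an added Node.js example that is not ChromeOS or session manager code: the owner signs settings that embed the public key, any user verifies them against the stored public key, and a lost public key is rebuilt from the settings. Ed25519, the JSON layout and all function and setting names are assumptions, since the page does not specify them.

```javascript
// Added illustration, not ChromeOS code. Ed25519, the JSON layout and every
// name below are assumptions; the page does not state the real formats.
const crypto = require("crypto");

const spki = (key) => key.export({ type: "spki", format: "der" });

// Owner: settings name the owner, embed the public key, and are signed.
function signDeviceSettings(privateKey, publicKey, owner, settings) {
  const payload = Buffer.from(JSON.stringify({
    owner, ownerPublicKey: spki(publicKey).toString("base64"), settings }));
  return { payload, signature: crypto.sign(null, payload, privateKey) };
}

// Any user: check the blob against the separately stored owner public key.
function verifyDeviceSettings(blob, storedPublicKey) {
  return crypto.verify(null, blob.payload, storedPublicKey, blob.signature);
}

// Recovery: rebuild a lost public key from the settings. Extra check assumed
// by this sketch: the signature must verify under the embedded key.
function restorePublicKey(blob) {
  try {
    const { ownerPublicKey } = JSON.parse(blob.payload.toString());
    const key = crypto.createPublicKey({
      key: Buffer.from(ownerPublicKey, "base64"), format: "der", type: "spki" });
    return verifyDeviceSettings(blob, key) ? key : null;
  } catch {
    return null; // malformed payload or key
  }
}

// Constructed sample data: one owner, one setting, one tampering attempt.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
  const blob = signDeviceSettings(privateKey, publicKey, "owner@example.com",
                                  { guestModeEnabled: false });
  // A non-owner flips the setting but cannot produce a new signature.
  const tampered = { signature: blob.signature, payload: Buffer.from(
    blob.payload.toString().replace(":false", ":true")) };
  const restored = restorePublicKey(blob);
  return {
    validAccepted: verifyDeviceSettings(blob, publicKey),
    tamperedRejected: !verifyDeviceSettings(tampered, publicKey),
    restoredMatches: restored !== null && spki(restored).equals(spki(publicKey)),
    tamperedRestoreRefused: restorePublicKey(tampered) === null,
  };
}

console.log(demo());
```

A blob that verifies under its own embedded key is only self-consistent; that check alone does not show who produced it.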

## Enterprise ownership

A ChromeOS device can be owned by an organization, in which case it is
enterprise managed.

To initiate this mode, the device needs to be enterprise enrolled, either on the
OOBE (out-of-the-box experience) screen or automatically. The owner key pair is
owned by the management server, and the device only receives from it the public
part of the owner key together with device policies. Session manager processes
device policies from the management server in the same way as device settings
on consumer devices.

The management server can rotate the owner key.