)]}'
{
  "commit": "719fc794c77ab6d09fe3cfaa563b18cf778a4d15",
  "tree": "f29fc3e9b0eb8a109a644ff7c97eb5b4f0365a3f",
  "parents": [
    "e82a34f7b1dead85bd595aab5a9471c776d5ddbe"
  ],
  "author": {
    "name": "Willy Tu",
    "email": "wltu@google.com",
    "time": "Mon Dec 15 22:26:20 2025 +0000"
  },
  "committer": {
    "name": "Willy Tu",
    "email": "wltu@google.com",
    "time": "Tue Dec 16 09:44:34 2025 -0800"
  },
  "message": "key_rotation: Support image_family restriction\n\nCheck the IMAGE_FAMILY from BIOS key against the image family of the BIOS image.\n\nTested:\n- Failure Example:\n```\nDec 15 23:12:49 ladai15-nfd11.prod.google.com msvfud[4718]: libcr51sign_validate: potential image descriptor found @10000\nDec 15 23:12:49 ladai15-nfd11.prod.google.com msvfud[4718]:  check cr51hash: b15fef5a03633bc69e1b1fea284e199272a331b66234b6da4304766a53306133\nDec 15 23:12:49 ladai15-nfd11.prod.google.com msvfud[4718]:  Hoth RoT config defined 0 KEY_ROTATION_CHUNK_TYPE_CODE_BASH\nDec 15 23:12:49 ladai15-nfd11.prod.google.com msvfud[4718]:  Not match any trusted bios allowed hash\nDec 15 23:12:49 ladai15-nfd11.prod.google.com msvfud[4718]:  Calculating fingerprint of key in CR51 signature structure with scheme(SIGNATURE_RSA3072_PKCS15), size(780)\nDec 15 23:12:49 ladai15-nfd11.prod.google.com msvfud[4718]:  fingerprint of key in CR51 signature: ba6681661fb19e5f5fa59453257f8a5edc020787caf7d60668ab8dfc40de7b8d\nDec 15 23:12:49 ladai15-nfd11.prod.google.com msvfud[4718]:  Hoth RoT config defined 1 KEY_ROTATION_CHUNK_TYPE_CODE_BKEY\nDec 15 23:12:49 ladai15-nfd11.prod.google.com msvfud[4718]:  trusted bios key finger print in KEY_ROTATION_CHUNK_TYPE_CODE_BKEY_0: ba6681661fb19e5f5fa59453257f8a5edc020787caf7d60668ab8dfc40de7b8d\nDec 15 23:12:49 ladai15-nfd11.prod.google.com msvfud[4718]:  Match trusted bios key finger print in KEY_ROTATION_CHUNK_TYPE_CODE_BKEY_0, but mismatch IMAGE_FAMILY 117 vs. 162\nDec 15 23:12:49 ladai15-nfd11.prod.google.com msvfud[4718]:  Not match any trusted bios key\nDec 15 23:12:49 ladai15-nfd11.prod.google.com msvfud[4718]: validate_signature_with_key_in_signature_struct: key in signature struct is not trusted\n```\n\nGoogle-Bug-Id: 466454964\nGoogle-Bug-Id: 468135652\nChange-Id: Iaba285d29681529a1b21610ae3434162f4c1471d\nSigned-off-by: Willy Tu \u003cwltu@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "96369771803170fe28d39a3f8e3d1f7d9cf8573b",
      "old_mode": 33188,
      "old_path": "subprojects/flashupdate/src/validator/key_rotate_helper.cpp",
      "new_id": "d272628e26e7a333629714f371be2c2933aeefc3",
      "new_mode": 33188,
      "new_path": "subprojects/flashupdate/src/validator/key_rotate_helper.cpp"
    },
    {
      "type": "modify",
      "old_id": "308f0778710e61d02e69ce69e8906b4bb4e98238",
      "old_mode": 33188,
      "old_path": "subprojects/flashupdate/test/validator/key_rotate_helper.cpp",
      "new_id": "da88f19e5d45ae31f894dd62dc5f8662d634d87e",
      "new_mode": 33188,
      "new_path": "subprojects/flashupdate/test/validator/key_rotate_helper.cpp"
    }
  ]
}