boot-architecture May 2018

boot-architecture@lists.linaro.org

25 participants
38 discussions

Re: [Arm.ebbr-discuss] Booting from eMMC without the boot protocol

by William Mills

[explicitly cc'ing boot-arch to see if this solves the TI auth problems] On 05/04/2018 11:45 AM, Alexander Graf wrote: > On 05/04/2018 04:56 PM, Grant Likely wrote: >> On 04/05/2018 15:46, Grant Likely wrote: >>> On 03/05/2018 09:43, Daniel Thompson wrote: >>>> On Wed, May 02, 2018 at 06:09:15PM -0400, Tom Rini wrote: >>>>> On Wed, May 02, 2018 at 10:48:11PM +0100, Grant Likely wrote: >>>>>> On 02/05/2018 22:24, Tom Rini wrote: >>>>>>> On Wed, May 02, 2018 at 08:40:42PM +0100, Daniel Thompson wrote: >>>>>>>> >>>>>>>> In terms of the restrictions that come from EBBR mandating GPT: >>>>>>> >>>>>>> Can we step back, why is EBBR mandating GPT? >>>>>> >>>>>> I think EBBR should recommend GPT, but allow MBR if the SoC boot >>>>>> masked >>>>>> rom conflicts with GPT. >>>>>> >>>>>> In the early days of GPT there was also a hybrid GPT+MBR scheme that >>>>>> could list the boot partition in the MBR, but still have a full >>>>>> GPT. It >>>>>> isn't pretty, but there is precidence. >>>>> >>>>> How about recommends GPT but allows MBR, no qualifiers. As you note >>>>> there's a lot of ways to fiddle around and make it work, probably, on >>>>> all of the existing SoCs that do magic offsets. But it's a lot easier >>>>> to just allow MBR (what the SoCs were designed to have to live >>>>> with) and >>>>> guide line that in this case nothing before the first 2MiB be used by >>>>> the OS. With a few more spec words around all of that so it's nice >>>>> and >>>>> formal :) >>>> >>>> I'm OK to allow MBR. >>>> >>>> I'd be inclined to require that protective partitions be used to defend >>>> the first 2MB though. They are more flexible and are a useful hint to >>>> anyone trying to manually partition. >>>> >>>> >>>> In a different mail Tom wrote: >>>>> And I agree with the high level idea of needing to do something to >>>>> protect systems with a magic in-use spot. >>>> >>>> There are a couple of extra details. >>>> >>>> 1. We can't allocate a GUID to discourage an automatic partitioner >>>> from harming a protected partition. We only have the 8-bit >>>> partition type. >>>> Some potential candidates could be 0xA2 (which Altera appear use >>>> for a similar purpose), 0xE7 (wikipedia does not report existing >>>> uses) or 0xF0 (PA-RISC Linux boot loader). >>>> >>>> 2. Boot ROMs that have built-in support for FAT could be hard coded to >>>> require a specific partition type. > >>>> I think we don't need to worry about #2 to much: systems with built-in >>>> MBR/FAT parsing can use hybrid MBR/GPT to communicate to distros >>>> which partitions are protected because (presumably) they allow >>>> flexibility in placing the first sector of the FAT partition. >>> >>> Can we start a list of SoCs that have special requirements on the >>> boot eMMC/SD/USB? It would be useful to see the cross-section of >>> requirements. >>> >>> I've created a wiki page to start capturing data. From their we can >>> decide what scenarios the spec needs to cover. >>> >>> https://github.com/glikely/ebbr-for-discussion/wiki/Boot-Media-Behaviour >> >> One more thought, are there many new SoCs still using hard coded >> offsets instead of an MBR or GPT? It may be that there aren't enough >> left for us to care about for EBBR level 0. In which case EBBR Level 0 >> should support both MBR and GPT (non-hybrid), and then narrow to GPT >> only in a future revision. > > I don't think we'll be able to move away from MBR anytime soon. For a > quick glimpse on what SoCs need to have blobs installed where, take a > look at our image creation script: > > https://build.opensuse.org/package/view_file/openSUSE:Factory:ARM:Live/JeOS… > > > There you can see that we force to MBR (for various reasons) on: > > * RPi (reads MBR) > * i.MX 5x/6 (SPL at sector 2) > * Exynos 4/5 (SPL is in sector 1, not sure about newer ones) > * AM905 (SPL in sector 1) > * Kirkwood (SPL in sector 1) > * Zynq(MP) (convenient to store boot.bin on FAT partition in MBR) > > I think we should simply dictate that EBBR compliant OSs do not start > any partitions before a sane boundary (1MB? 2MB?). IIRC most > partitioning tools these days won't start partitions before 1MB anyway, > so if we declare 1MB a safe bound we essentially have no work to do. > > I did skim (not study) the script. Looks like a good resource of current board info. I see you are using raw mode for many boards. I am missing something. If there is only MBR and no GPT then there is no GUID type for EFI Partition. So how does the firmware find the "EFI Partition" and the default /efi/boot/boot*.efi file? Does it just use the partition with boot flag?

6 years, 7 months

Re: [Arm.ebbr-discuss] Booting from eMMC without the boot protocol

by Grant Likely

On 04/05/2018 16:00, Tom Rini wrote: > On Fri, May 04, 2018 at 03:46:52PM +0100, Grant Likely wrote: [...] >> Can we start a list of SoCs that have special requirements on the boot >> eMMC/SD/USB? It would be useful to see the cross-section of requirements. >> >> I've created a wiki page to start capturing data. From their we can >> decide what scenarios the spec needs to cover. >> >> https://github.com/glikely/ebbr-for-discussion/wiki/Boot-Media-Behaviour > > I'm not sure if there's a button somewhere to allow more widely used > editing of the wiki part of github. Maybe rename it to something like > notes/ in the ebbr-for-discussion repo itself so the usual PR workflow > is available? Thanks! Done: https://github.com/glikely/ebbr-for-discussion/blob/master/soc-boot-behavio… g.

6 years, 7 months

ebbr: boot behaviour without persistent variables

by Leif Lindholm

I took an action last week to provide a block of text for how platforms without persistent variable storage should behave. Here's my opening play: Boot manager behaviour without persistent variable store ======================================================= Platforms that do not implement persistent variable storage must support the Removable Media Boot Behaviour as described by UEFI. Such platforms can additionally implement support for additional statically[1] defined images to be processed as SysPrep####, Driver#### and Boot### global variable entries. If present, these entries will be processed in the order specified by corresponding statically defined SysPrepOrder, DriverOrder and BootOrder global variables. Any images referred to by such variables must reside in a vendor-specific subdirectory on the EFI System Partition, as recorded in http://uefi.org/registry. /BOOT must not be used except where explicitly permitted by UEFI. Where an executable is present in the prescribed Removable Media location, boot of that must be attempted, and only after this fails should any of the Boot#### entries be processed. Statically configured BootNext, OsRecovery#### or PlatformRecovery#### entries must not be used. [1] This is worth discussing, but if we were to support dynamic creation of these, we need _very_ strict rules around it.

6 years, 7 months

Re: [RFC PATCH] driver core: make deferring probe forever optional

by Rob Herring

On Fri, May 4, 2018 at 8:25 PM, Mark Brown <broonie(a)kernel.org> wrote: > On Wed, May 02, 2018 at 07:49:57PM +0100, Robin Murphy wrote: > >> I guess there's also the possibility that a single driver may want multiple >> behaviours, if e.g. if SoC variants A and B have some identical peripherals >> but slightly different pinctrl/IOMMU/etc. hardware such that A has workable >> default behaviour and can be treated as optional, whereas B absolutely must >> be controlled by the kernel for the consumers to function properly, and they >> *should* defer forever otherwise. I think that would pretty much demand some >> sort of explicitly-curated white/blacklist setup at the subsystem or driver >> level. > > Different board variants, and possibly even different bootloaders might > also be an issue here - a vendor bootloader might do pinmuxing that an > upstream bootloader doesn't for example. In some cases the pinmuxing > even depends on the boot method with things only getting configured if > the bootloader wanted to use them. I think this is going to be too big of a hammer for pinctrl at least. My current thought is to define a pinctrl DT property to indicate pins are configured already which the OS can use to decide if pinctrl is optional or not. I'd prefer to keep it simple and be a per pin controller flag even though this is quite possibly a per client or pin group state (as you say, the bootloader may only configure what it uses). Making this per pin group could be a lot of nodes and difficult to really get right without testing. Making it per pin controller could make drivers fail in less predictable ways if their pins are not configured. Rob

6 years, 7 months

Re: [Arm.ebbr-discuss] Booting from eMMC without the boot protocol

by Leif Lindholm

(Whoops, boot-architecture wasn't on cc on this thread, forwarding message there for public archiving. Please add arm.ebbr-discuss to cc on any replies.) On Wed, May 02, 2018 at 06:09:15PM -0400, Tom Rini wrote: > On Wed, May 02, 2018 at 10:48:11PM +0100, Grant Likely wrote: > > On 02/05/2018 22:24, Tom Rini wrote: > > >On Wed, May 02, 2018 at 08:40:42PM +0100, Daniel Thompson wrote: > > >> > > >>In terms of the restrictions that come from EBBR mandating GPT: > > > > > >Can we step back, why is EBBR mandating GPT? > > > > I think EBBR should recommend GPT, but allow MBR if the SoC boot masked > > rom conflicts with GPT. > > > > In the early days of GPT there was also a hybrid GPT+MBR scheme that > > could list the boot partition in the MBR, but still have a full GPT. It > > isn't pretty, but there is precidence. > > How about recommends GPT but allows MBR, no qualifiers. So, first of all - a level 0 EBBR _must_ permit MBR, since many SoCs already out there have ROMs that load firmware. Secondly, I don't know if should be within the scope of EBBR to mandate anything at all about a partitioning scheme that is not within the control of the firmware. It could mandate support in the _firmware_ for GPT partitioning. But that is already mandated by UEFI (as well as support for MBR and El Torito). But I would really like to see some note and explanation of restrictions placed on operating systems (i.e., the consumers of the guarantees provided by the document) by such behaviour in the EBBR. > As you note > there's a lot of ways to fiddle around and make it work, probably, on > all of the existing SoCs that do magic offsets. But it's a lot easier > to just allow MBR (what the SoCs were designed to have to live with) and > guide line that in this case nothing before the first 2MiB be used by > the OS. With a few more spec words around all of that so it's nice and > formal :) And if there is a corresponding EBSA coming, I would _really_ like to see some compliance level banning the reservation of LBA1-LBA33 and (-LBA1)-(-LBA33) for boot ROM use on any general-purpose block storage. Clearly not level 0, though. / Leif

6 years, 7 months

DT handling, [Ref Linux-Efi]

by Udit Kumar

Hi There is bit of discussion on linux-efi too , to handle DT update I guess some members of this forum are active there too. https://www.spinics.net/lists/linux-efi/msg13700.html To summaries 1/ Ownership of DTB IMO should be firmware and we should retain this ownership in EBBR as well, Any objections/thoughts ? Update 1/ Updating whole device tree from OS [Capsule update can be used ] 2/ Just modifying the device tree DTBO My preferred way to handle DTBO in firmware will be https://source.android.com/devices/architecture/dto/multiple See picture Runtime DTO implementation for multiple DTs To store this information in partition, options we have 1/ Run time variables 2/ Some driver in Linux writing to DTBO partition 3/ Some other way ?? I am not sure, if distro are updating device tree which is default shipped with board ?? Thanks Udit

6 years, 7 months

Re: [Arm.ebbr-discuss] DT handling, [Ref Linux-Efi]

by Daniel Thompson

On Wed, May 02, 2018 at 05:39:02PM -0400, Tom Rini wrote: > On Wed, May 02, 2018 at 05:12:03AM +0000, Chang, Abner (HPS SW/FW Technologist) wrote: > > > > -----Original Message----- > > > From: Udit Kumar [mailto:udit.kumar@nxp.com] > > > Sent: Wednesday, May 02, 2018 12:26 PM > > > To: Chang, Abner (HPS SW/FW Technologist) <abner.chang(a)hpe.com>; > > > Alexander Graf <agraf(a)suse.de>; William Mills <wmills(a)ti.com> > > > Cc: boot-architecture(a)lists.linaro.org; nd(a)arm.com; Rod Dorris > > > <rod.dorris(a)nxp.com>; arm.ebbr-discuss(a)arm.com > > > Subject: RE: DT handling, [Ref Linux-Efi] > > > > > > > We probably don't need to provide a genetic DT driver in UEFI U-Boot, > > > > instead, we will have to mention how SoC/platform vendors publish > > > > DTB/DTBO in EBBR spec. > > > > For example, > > > > The EFI_CONFIGURATION_TABLE in EFI System table could be used to > > > > publish the pointer to DTB and DTBO. Declare two GUIDs in EBBR, one > > > > for DTB another for DTBO. OS boot loader is responsible to merge > > > > DTB/DTBO according DTB/DTBO discovered in EFI Configuration Table. To > > > > read DT from EFI variable into memory, memory map to DT in EEPROM or > > > > other mechanisms is platform implementation. No matter which approach, > > > > DT producer has to create configuration table in EFI system table > > > > follow the data structure defined in EBBR. > > > > Another way instead of using GUID in configuration table is to publish > > > > DTB/DTBO in EFI device path, this way is more UEFI oriented IMO. > > > > However, we have to defined corresponding device path node in UEFI > > > > spec for DT. Similar to using system configuration table. DT producer > > > > has to install EFI device path for either DTB or DTBO. Then OS boot > > > > loaders locate those EFI device paths of DTB and DTBO and merge it. > > > > > > We are adding a requirement on OS boot loaders to merge it. > > > IMO, merging should be done by firmware itself. > > > In case, we want to host multiple distribution at same time, then this is likely > > > to go with OS boot loaders > > > > That is fine to merge DT by firmware, we still can standardize how > > UBoot merges DT in EBBR. For example, SoC and other platform UBoot > > drivers produce their DT or DTO in their own drivers. UBoot provides a > > centralized EFI DT driver to collect DT/DTO from either EFI system > > configuration table or EFI device path. Then this centralized EFI DT > > driver produces the pointer to point to final DT in EFI system > > configuration table. OS boot loader cab just check EFI system > > configuration table to retrieve DT, something like this. > > I think I need to step in here to clarify something. U-Boot drivers > don't produce a DT and while it's possible, it's generally[1] not done, > that U-Boot uses _the_ device tree that we pass along to the next stage > (we've likely filtered things out for space and added a few specific > things of our own). > > IMHO, what EBBR should cover is saying that firmware may apply overlays > because we know there's N valid use cases of taking a base and fixing it > up in both big and small ways. Then firmware will pass along to the > next stage (EFI application such as GRUB or *BSD loader or a Linux > Kernel or ...). Which bits of this discussion target level 0 and which target a later level 1? Personally I'm not sure there is enough prior art w.r.t. device tree overlay for anything much related to overlays to target level 0. In fact if we take the view that EBBR defines a contract between the system firmware and the OS then arguably DT update is also out of scope unless we are defining runtime services by which the OS can update the DT. Again not something I think is ready for level 0. To be clear I don't dispute that good system firmware should make DT update easy, simply that I'm not sure how it fits into EBBR. Daniel.

6 years, 7 months

EBBR Weekly - Notes 26 Apr 2018

by Grant Likely

# 26 April 2018 ## Attendees * Abner Chang (HPE) * Palmer Dabbelt (SiFive) * Andreas Färber (SUSE) * Alex Graf (SUSE) * Ryan Harkin (Linaro) * Rob Herring (Linaro) * Udit Kumar (NXP) * Grant Likely (Arm) * Leif Lindholm (Linaro) * Bill Mills (TI) * Tom Rini (Konsulko) * Michal Simek (Xilinx) * Daniel Thompson (Linaro) * Dong Wei (Arm) ## Agenda * Action item review * Behaviour without persistent variables * DTB Update policy/behaviour * Any other business ## Notes ### Action item review * Relicense and publish EBBR * Slipped by one week per week (progress as been made… but wheels still need to turn) * Github repo * Complete but cannot be published until relicensing action (above) is complete * Policy for sharing HW between firmware and OS * NTR, next week * Handling platforms without persistent variables * Proposed text shared on mailing list ### Behaviour without persistent variables * Grant: Role of EBBR. It **interprets** UEFI and it **restricts** UEFI (by implication to things supportable in u-boot) * Alex: * Current code in SUSE depends on no variables presented if persistent variables are not supported * would return device error for EBBR level 0 on GetVariable() * Leif: Need plan for read-only variable implementation * Daniel/Grant: No flag day. EBBR level 0 OS must be able to run on EBBR level 1 firmware. Makes above problematic. * Bill: No get/set, Get but not set, get/set-temporary, get/set-persisent * Daniel: Let's ban get/set-temporary * Leif: get/set-temporary exists in the wild (is it OK for such systems to be non compliant. * Identified scenarios: * No get/set * Get, but no set * Get & Set, but Set does not persist * Get & Set fully works * Use case 1: * Distro needs to decide how to install itself * Either using variables (standards compliant) or like removable media * Use case 2: * Use non-persistent variables to alter boot order and allow the variable to survive, in RAM, through the OS and firmware reset and allow it to select the next kernel to be booted * Bill/Daniel: Distros already have a tool that can achieve similar use-case (grub) and this is a property of the distro not a property of EBBR * Grant: [https://cateee.net/lkddb/web-lkddb/EFI_BOOTLOADER_CONTROL.html](https://cat… (not full variable support, simply a means to pass a single message bootloader, good for A/B style updates and temporary diversions of kernel under dirtect) * Leif: Boot manager behaviour without persistent variable store ======================================================== Platforms that do not implement persistent variable storage must support the Removable Media Boot Behaviour as described by UEFI. Such platforms can additionally implement support for additional statically[1] defined images to be processed as SysPrep####, Driver#### and Boot### global variable entries. If present, these entries will be processed in the order specified by corresponding statically defined SysPrepOrder, DriverOrder and BootOrder global variables. Any images referred to by such variables must reside in a vendor-specific subdirectory on the EFI System Partition, as recorded in[ http://uefi.org/registry](http://uefi.org/registry). /BOOT must not be used except where explicitly permitted by UEFI. Where an executable is present in the prescribed Removable Media location, boot of that must be attempted, and only after this fails should any of the Boot#### entries be processed. Statically configured BootNext, OsRecovery#### or PlatformRecovery#### entries must not be used. [1] This is worth discussing, but if we were to support dynamic creation of these, we need _very_ strict rules around it._ * Grant: What are the scenarios/use-cases enabled by the statically defined image support, etc. * Leif: Is this images exists then I want to run it on boot, update configuration tables, etc. * Grant: Need concrete use-cases, could ban these variables from existing unless user interferes/hacks with the bootloader (e.g. u-boot has persistent variables… its just that we cannot set them at runtime) * Grant: Can/should an EFI application be able to set variables persistently (or temporarily)? (for example configuring network booting parameters during initial commissioning) * Summary: * We follow UEFI spec w.r.t variables * Boot, OSRecover, etc variables ship undefined * Fallback to removable media boot in the absence of boot variables * Didn't catch the last one! * Leif: Did we get agreement to require that variables be persistent but only if they are set from boot services? ### Any other business * Capsule update and other runtime variables * Udit: Is this optional? Like persistent variables. * Leif: Yes, in first version we should make this optional for similar reasons to persistent variables * Leif: We **want** the runtime services to be supported long term, so we focus on optionality on a case by case basis rather than ruling them all out wholesale * Grant: Runtime services are not optional… we are simply allowing them not to work (return failed) * Udit: Also wants get/set long term IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

6 years, 7 months

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

boot-architecture May 2018