[explicitly cc'ing boot-arch to see if this solves the TI auth problems]
On 05/04/2018 11:45 AM, Alexander Graf wrote:
> On 05/04/2018 04:56 PM, Grant Likely wrote:
>> On 04/05/2018 15:46, Grant Likely wrote:
>>> On 03/05/2018 09:43, Daniel Thompson wrote:
>>>> On Wed, May 02, 2018 at 06:09:15PM -0400, Tom Rini wrote:
>>>>> On Wed, May 02, 2018 at 10:48:11PM +0100, Grant Likely wrote:
>>>>>> On 02/05/2018 22:24, Tom Rini wrote:
>>>>>>> On Wed, May 02, 2018 at 08:40:42PM +0100, Daniel Thompson wrote:
>>>>>>>>
>>>>>>>> In terms of the restrictions that come from EBBR mandating GPT:
>>>>>>>
>>>>>>> Can we step back, why is EBBR mandating GPT?
>>>>>>
>>>>>> I think EBBR should recommend GPT, but allow MBR if the SoC boot
>>>>>> masked
>>>>>> rom conflicts with GPT.
>>>>>>
>>>>>> In the early days of GPT there was also a hybrid GPT+MBR scheme that
>>>>>> could list the boot partition in the MBR, but still have a full
>>>>>> GPT. It
>>>>>> isn't pretty, but there is precidence.
>>>>>
>>>>> How about recommends GPT but allows MBR, no qualifiers. As you note
>>>>> there's a lot of ways to fiddle around and make it work, probably, on
>>>>> all of the existing SoCs that do magic offsets. But it's a lot easier
>>>>> to just allow MBR (what the SoCs were designed to have to live
>>>>> with) and
>>>>> guide line that in this case nothing before the first 2MiB be used by
>>>>> the OS. With a few more spec words around all of that so it's nice
>>>>> and
>>>>> formal :)
>>>>
>>>> I'm OK to allow MBR.
>>>>
>>>> I'd be inclined to require that protective partitions be used to defend
>>>> the first 2MB though. They are more flexible and are a useful hint to
>>>> anyone trying to manually partition.
>>>>
>>>>
>>>> In a different mail Tom wrote:
>>>>> And I agree with the high level idea of needing to do something to
>>>>> protect systems with a magic in-use spot.
>>>>
>>>> There are a couple of extra details.
>>>>
>>>> 1. We can't allocate a GUID to discourage an automatic partitioner
>>>> from harming a protected partition. We only have the 8-bit
>>>> partition type.
>>>> Some potential candidates could be 0xA2 (which Altera appear use
>>>> for a similar purpose), 0xE7 (wikipedia does not report existing
>>>> uses) or 0xF0 (PA-RISC Linux boot loader).
>>>>
>>>> 2. Boot ROMs that have built-in support for FAT could be hard coded to
>>>> require a specific partition type. >
>>>> I think we don't need to worry about #2 to much: systems with built-in
>>>> MBR/FAT parsing can use hybrid MBR/GPT to communicate to distros
>>>> which partitions are protected because (presumably) they allow
>>>> flexibility in placing the first sector of the FAT partition.
>>>
>>> Can we start a list of SoCs that have special requirements on the
>>> boot eMMC/SD/USB? It would be useful to see the cross-section of
>>> requirements.
>>>
>>> I've created a wiki page to start capturing data. From their we can
>>> decide what scenarios the spec needs to cover.
>>>
>>> https://github.com/glikely/ebbr-for-discussion/wiki/Boot-Media-Behaviour
>>
>> One more thought, are there many new SoCs still using hard coded
>> offsets instead of an MBR or GPT? It may be that there aren't enough
>> left for us to care about for EBBR level 0. In which case EBBR Level 0
>> should support both MBR and GPT (non-hybrid), and then narrow to GPT
>> only in a future revision.
>
> I don't think we'll be able to move away from MBR anytime soon. For a
> quick glimpse on what SoCs need to have blobs installed where, take a
> look at our image creation script:
>
> https://build.opensuse.org/package/view_file/openSUSE:Factory:ARM:Live/JeOS…
>
>
> There you can see that we force to MBR (for various reasons) on:
>
> * RPi (reads MBR)
> * i.MX 5x/6 (SPL at sector 2)
> * Exynos 4/5 (SPL is in sector 1, not sure about newer ones)
> * AM905 (SPL in sector 1)
> * Kirkwood (SPL in sector 1)
> * Zynq(MP) (convenient to store boot.bin on FAT partition in MBR)
>
> I think we should simply dictate that EBBR compliant OSs do not start
> any partitions before a sane boundary (1MB? 2MB?). IIRC most
> partitioning tools these days won't start partitions before 1MB anyway,
> so if we declare 1MB a safe bound we essentially have no work to do.
>
>
I did skim (not study) the script. Looks like a good resource of
current board info. I see you are using raw mode for many boards.
I am missing something. If there is only MBR and no GPT then there is
no GUID type for EFI Partition. So how does the firmware find the "EFI
Partition" and the default /efi/boot/boot*.efi file? Does it just use
the partition with boot flag?
On 04/05/2018 16:00, Tom Rini wrote:
> On Fri, May 04, 2018 at 03:46:52PM +0100, Grant Likely wrote:
[...]
>> Can we start a list of SoCs that have special requirements on the boot
>> eMMC/SD/USB? It would be useful to see the cross-section of requirements.
>>
>> I've created a wiki page to start capturing data. From their we can
>> decide what scenarios the spec needs to cover.
>>
>> https://github.com/glikely/ebbr-for-discussion/wiki/Boot-Media-Behaviour
>
> I'm not sure if there's a button somewhere to allow more widely used
> editing of the wiki part of github. Maybe rename it to something like
> notes/ in the ebbr-for-discussion repo itself so the usual PR workflow
> is available? Thanks!
Done:
https://github.com/glikely/ebbr-for-discussion/blob/master/soc-boot-behavio…
g.
I took an action last week to provide a block of text for how
platforms without persistent variable storage should behave. Here's my
opening play:
Boot manager behaviour without persistent variable store
=======================================================
Platforms that do not implement persistent variable storage must
support the Removable Media Boot Behaviour as described by UEFI.
Such platforms can additionally implement support for additional
statically[1] defined images to be processed as SysPrep####,
Driver#### and Boot### global variable entries. If present, these
entries will be processed in the order specified by corresponding
statically defined SysPrepOrder, DriverOrder and BootOrder global
variables.
Any images referred to by such variables must reside in a
vendor-specific subdirectory on the EFI System Partition, as recorded
in http://uefi.org/registry. /BOOT must not be used except where
explicitly permitted by UEFI.
Where an executable is present in the prescribed Removable Media
location, boot of that must be attempted, and only after this fails
should any of the Boot#### entries be processed.
Statically configured BootNext, OsRecovery#### or PlatformRecovery####
entries must not be used.
[1] This is worth discussing, but if we were to support dynamic
creation of these, we need _very_ strict rules around it.
On Fri, May 4, 2018 at 8:25 PM, Mark Brown <broonie(a)kernel.org> wrote:
> On Wed, May 02, 2018 at 07:49:57PM +0100, Robin Murphy wrote:
>
>> I guess there's also the possibility that a single driver may want multiple
>> behaviours, if e.g. if SoC variants A and B have some identical peripherals
>> but slightly different pinctrl/IOMMU/etc. hardware such that A has workable
>> default behaviour and can be treated as optional, whereas B absolutely must
>> be controlled by the kernel for the consumers to function properly, and they
>> *should* defer forever otherwise. I think that would pretty much demand some
>> sort of explicitly-curated white/blacklist setup at the subsystem or driver
>> level.
>
> Different board variants, and possibly even different bootloaders might
> also be an issue here - a vendor bootloader might do pinmuxing that an
> upstream bootloader doesn't for example. In some cases the pinmuxing
> even depends on the boot method with things only getting configured if
> the bootloader wanted to use them.
I think this is going to be too big of a hammer for pinctrl at least.
My current thought is to define a pinctrl DT property to indicate pins
are configured already which the OS can use to decide if pinctrl is
optional or not. I'd prefer to keep it simple and be a per pin
controller flag even though this is quite possibly a per client or pin
group state (as you say, the bootloader may only configure what it
uses). Making this per pin group could be a lot of nodes and difficult
to really get right without testing. Making it per pin controller
could make drivers fail in less predictable ways if their pins are not
configured.
Rob
(Whoops, boot-architecture wasn't on cc on this thread, forwarding
message there for public archiving. Please add arm.ebbr-discuss to cc
on any replies.)
On Wed, May 02, 2018 at 06:09:15PM -0400, Tom Rini wrote:
> On Wed, May 02, 2018 at 10:48:11PM +0100, Grant Likely wrote:
> > On 02/05/2018 22:24, Tom Rini wrote:
> > >On Wed, May 02, 2018 at 08:40:42PM +0100, Daniel Thompson wrote:
> > >>
> > >>In terms of the restrictions that come from EBBR mandating GPT:
> > >
> > >Can we step back, why is EBBR mandating GPT?
> >
> > I think EBBR should recommend GPT, but allow MBR if the SoC boot masked
> > rom conflicts with GPT.
> >
> > In the early days of GPT there was also a hybrid GPT+MBR scheme that
> > could list the boot partition in the MBR, but still have a full GPT. It
> > isn't pretty, but there is precidence.
>
> How about recommends GPT but allows MBR, no qualifiers.
So, first of all - a level 0 EBBR _must_ permit MBR, since many
SoCs already out there have ROMs that load firmware.
Secondly, I don't know if should be within the scope of EBBR to
mandate anything at all about a partitioning scheme that is not within
the control of the firmware.
It could mandate support in the _firmware_ for GPT partitioning. But
that is already mandated by UEFI (as well as support for MBR and El
Torito).
But I would really like to see some note and explanation of
restrictions placed on operating systems (i.e., the consumers of the
guarantees provided by the document) by such behaviour in the EBBR.
> As you note
> there's a lot of ways to fiddle around and make it work, probably, on
> all of the existing SoCs that do magic offsets. But it's a lot easier
> to just allow MBR (what the SoCs were designed to have to live with) and
> guide line that in this case nothing before the first 2MiB be used by
> the OS. With a few more spec words around all of that so it's nice and
> formal :)
And if there is a corresponding EBSA coming, I would _really_ like to
see some compliance level banning the reservation of LBA1-LBA33 and
(-LBA1)-(-LBA33) for boot ROM use on any general-purpose block
storage. Clearly not level 0, though.
/
Leif
Hi
There is bit of discussion on linux-efi too , to handle DT update
I guess some members of this forum are active there too.
https://www.spinics.net/lists/linux-efi/msg13700.html
To summaries
1/ Ownership of DTB
IMO should be firmware and we should retain this
ownership in EBBR as well, Any objections/thoughts ?
Update
1/ Updating whole device tree from OS
[Capsule update can be used ]
2/ Just modifying the device tree DTBO
My preferred way to handle DTBO in firmware will be
https://source.android.com/devices/architecture/dto/multiple
See picture Runtime DTO implementation for multiple DTs
To store this information in partition, options we have
1/ Run time variables
2/ Some driver in Linux writing to DTBO partition
3/ Some other way ??
I am not sure, if distro are updating device tree which is default shipped with board ??
Thanks
Udit
On Wed, May 02, 2018 at 05:39:02PM -0400, Tom Rini wrote:
> On Wed, May 02, 2018 at 05:12:03AM +0000, Chang, Abner (HPS SW/FW Technologist) wrote:
>
> > > -----Original Message-----
> > > From: Udit Kumar [mailto:udit.kumar@nxp.com]
> > > Sent: Wednesday, May 02, 2018 12:26 PM
> > > To: Chang, Abner (HPS SW/FW Technologist) <abner.chang(a)hpe.com>;
> > > Alexander Graf <agraf(a)suse.de>; William Mills <wmills(a)ti.com>
> > > Cc: boot-architecture(a)lists.linaro.org; nd(a)arm.com; Rod Dorris
> > > <rod.dorris(a)nxp.com>; arm.ebbr-discuss(a)arm.com
> > > Subject: RE: DT handling, [Ref Linux-Efi]
> > >
> > > > We probably don't need to provide a genetic DT driver in UEFI U-Boot,
> > > > instead, we will have to mention how SoC/platform vendors publish
> > > > DTB/DTBO in EBBR spec.
> > > > For example,
> > > > The EFI_CONFIGURATION_TABLE in EFI System table could be used to
> > > > publish the pointer to DTB and DTBO. Declare two GUIDs in EBBR, one
> > > > for DTB another for DTBO. OS boot loader is responsible to merge
> > > > DTB/DTBO according DTB/DTBO discovered in EFI Configuration Table. To
> > > > read DT from EFI variable into memory, memory map to DT in EEPROM or
> > > > other mechanisms is platform implementation. No matter which approach,
> > > > DT producer has to create configuration table in EFI system table
> > > > follow the data structure defined in EBBR.
> > > > Another way instead of using GUID in configuration table is to publish
> > > > DTB/DTBO in EFI device path, this way is more UEFI oriented IMO.
> > > > However, we have to defined corresponding device path node in UEFI
> > > > spec for DT. Similar to using system configuration table. DT producer
> > > > has to install EFI device path for either DTB or DTBO. Then OS boot
> > > > loaders locate those EFI device paths of DTB and DTBO and merge it.
> > >
> > > We are adding a requirement on OS boot loaders to merge it.
> > > IMO, merging should be done by firmware itself.
> > > In case, we want to host multiple distribution at same time, then this is likely
> > > to go with OS boot loaders
> >
> > That is fine to merge DT by firmware, we still can standardize how
> > UBoot merges DT in EBBR. For example, SoC and other platform UBoot
> > drivers produce their DT or DTO in their own drivers. UBoot provides a
> > centralized EFI DT driver to collect DT/DTO from either EFI system
> > configuration table or EFI device path. Then this centralized EFI DT
> > driver produces the pointer to point to final DT in EFI system
> > configuration table. OS boot loader cab just check EFI system
> > configuration table to retrieve DT, something like this.
>
> I think I need to step in here to clarify something. U-Boot drivers
> don't produce a DT and while it's possible, it's generally[1] not done,
> that U-Boot uses _the_ device tree that we pass along to the next stage
> (we've likely filtered things out for space and added a few specific
> things of our own).
>
> IMHO, what EBBR should cover is saying that firmware may apply overlays
> because we know there's N valid use cases of taking a base and fixing it
> up in both big and small ways. Then firmware will pass along to the
> next stage (EFI application such as GRUB or *BSD loader or a Linux
> Kernel or ...).
Which bits of this discussion target level 0 and which target a later
level 1?
Personally I'm not sure there is enough prior art w.r.t. device tree
overlay for anything much related to overlays to target level 0.
In fact if we take the view that EBBR defines a contract between the
system firmware and the OS then arguably DT update is also out of scope
unless we are defining runtime services by which the OS can update the
DT. Again not something I think is ready for level 0.
To be clear I don't dispute that good system firmware should make DT
update easy, simply that I'm not sure how it fits into EBBR.
Daniel.
# 26 April 2018
## Attendees
* Abner Chang (HPE)
* Palmer Dabbelt (SiFive)
* Andreas Färber (SUSE)
* Alex Graf (SUSE)
* Ryan Harkin (Linaro)
* Rob Herring (Linaro)
* Udit Kumar (NXP)
* Grant Likely (Arm)
* Leif Lindholm (Linaro)
* Bill Mills (TI)
* Tom Rini (Konsulko)
* Michal Simek (Xilinx)
* Daniel Thompson (Linaro)
* Dong Wei (Arm)
## Agenda
* Action item review
* Behaviour without persistent variables
* DTB Update policy/behaviour
* Any other business
## Notes
### Action item review
* Relicense and publish EBBR
* Slipped by one week per week (progress as been made… but wheels
still need to turn)
* Github repo
* Complete but cannot be published until relicensing action
(above) is complete
* Policy for sharing HW between firmware and OS
* NTR, next week
* Handling platforms without persistent variables
* Proposed text shared on mailing list
### Behaviour without persistent variables
* Grant: Role of EBBR. It **interprets** UEFI and it **restricts**
UEFI (by implication to things supportable in u-boot)
* Alex:
* Current code in SUSE depends on no variables presented if
persistent variables are not supported
* would return device error for EBBR level 0 on GetVariable()
* Leif: Need plan for read-only variable implementation
* Daniel/Grant: No flag day. EBBR level 0 OS must be able to run on
EBBR level 1 firmware. Makes above problematic.
* Bill: No get/set, Get but not set, get/set-temporary, get/set-persisent
* Daniel: Let's ban get/set-temporary
* Leif: get/set-temporary exists in the wild (is it OK for such
systems to be non compliant.
* Identified scenarios:
* No get/set
* Get, but no set
* Get & Set, but Set does not persist
* Get & Set fully works
* Use case 1:
* Distro needs to decide how to install itself
* Either using variables (standards compliant) or like removable
media
* Use case 2:
* Use non-persistent variables to alter boot order and allow the
variable to survive, in RAM, through the OS and firmware reset and allow
it to select the next kernel to be booted
* Bill/Daniel: Distros already have a tool that can achieve
similar use-case (grub) and this is a property of the distro not a
property of EBBR
* Grant:
[https://cateee.net/lkddb/web-lkddb/EFI_BOOTLOADER_CONTROL.html](https://cat…
(not full variable support, simply a means to pass a single message
bootloader, good for A/B style updates and temporary diversions of
kernel under dirtect)
* Leif:
Boot manager behaviour without persistent variable store
========================================================
Platforms that do not implement persistent variable storage must
support the Removable Media Boot Behaviour as described by UEFI.
Such platforms can additionally implement support for additional
statically[1] defined images to be processed as SysPrep####,
Driver#### and Boot### global variable entries. If present, these
entries will be processed in the order specified by corresponding
statically defined SysPrepOrder, DriverOrder and BootOrder global
variables.
Any images referred to by such variables must reside in a
vendor-specific subdirectory on the EFI System Partition, as recorded
in[ http://uefi.org/registry](http://uefi.org/registry). /BOOT must
not be used except where
explicitly permitted by UEFI.
Where an executable is present in the prescribed Removable Media
location, boot of that must be attempted, and only after this fails
should any of the Boot#### entries be processed.
Statically configured BootNext, OsRecovery#### or PlatformRecovery####
entries must not be used.
[1] This is worth discussing, but if we were to support dynamic
creation of these, we need _very_ strict rules around it._
* Grant: What are the scenarios/use-cases enabled by the statically
defined image support, etc.
* Leif: Is this images exists then I want to run it on boot, update
configuration tables, etc.
* Grant: Need concrete use-cases, could ban these variables from
existing unless user interferes/hacks with the bootloader (e.g. u-boot
has persistent variables… its just that we cannot set them at runtime)
* Grant: Can/should an EFI application be able to set variables
persistently (or temporarily)? (for example configuring network booting
parameters during initial commissioning)
* Summary:
* We follow UEFI spec w.r.t variables
* Boot, OSRecover, etc variables ship undefined
* Fallback to removable media boot in the absence of boot variables
* Didn't catch the last one!
* Leif: Did we get agreement to require that variables be persistent
but only if they are set from boot services?
### Any other business
* Capsule update and other runtime variables
* Udit: Is this optional? Like persistent variables.
* Leif: Yes, in first version we should make this optional for
similar reasons to persistent variables
* Leif: We **want** the runtime services to be supported long
term, so we focus on optionality on a case by case basis rather than
ruling them all out wholesale
* Grant: Runtime services are not optional… we are simply
allowing them not to work (return failed)
* Udit: Also wants get/set long term
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
