- boot-architecture - lists.linaro.org

[PATCH 1/1] GetMemoryMap(), handling of no-map DT property

by Heinrich Schuchardt

Closes: #52 The no-map property of the /reserved-memory device tree nodes is used to signal that a memory region shall not be accessed by the operating system, even not via speculative access. /reserved-memory nodes without the no-map property describe memory that have special usage by the operating system. This difference has to be reflected in the memory map returned by GetMemoryMap(). Signed-off-by: Heinrich Schuchardt <xypron.glpk(a)gmx.de> --- source/chapter2-uefi.rst | 13 +++++++++++++ source/references.rst | 4 ++++ 2 files changed, 17 insertions(+) diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst index 74ef70e..f410c57 100644 --- a/source/chapter2-uefi.rst +++ b/source/chapter2-uefi.rst @@ -74,6 +74,19 @@ that virtual addresses must equal physical addresses. The default RAM allocated attribute must be EFI_MEMORY_WB. +In the device tree reserved memory in modelled as a /reserved-memory nodes +[RESMEM]_. The reserved-memory node MAY carry either the no-map or the resue +property. It MUST NOT carry both properties as this would be contradictary. + +A 'no-map' reserved memory node describes memory that the UEFI payload MUST NOT +access. It MUST be modelled as a EfiReservedMemoryType entry in the memory map. + +A reserved memory without the 'no-map' describes memory that MAY be used by the +UEFI payload after ExitBootServices(). It MUST be modelled as a memory map entry +that can only be used by the UEFI payload after ExitBootServices(). It +is recommended to use EfiBootServicesData. The node MUST NOT be modelled as +EfiReservedMemoryType and NOT as EfiConventionalMemory. + Configuration Tables -------------------- diff --git a/source/references.rst b/source/references.rst index 1eb0509..2434137 100644 --- a/source/references.rst +++ b/source/references.rst @@ -16,6 +16,10 @@ <https://static.docs.arm.com/den0022/c/DEN0022C_Power_State_Coordination_Int…>`_ 30 January 2015, `Arm Limited <http://arm.com>`_ +.. [RESMEM] `Reserved memory regions + <https://www.kernel.org/doc/Documentation/devicetree/bindings/reserved-memor…>`_, + 21 July 2020, Linux kernel + .. [SBBR] `Arm Server Base Boot Requirements specification Issue B (v1.0) <https://static.docs.arm.com/den0044/b/DEN0044B_Server_Base_Boot_Requirement…>`_ 8 March 2016, `Arm Limited <http://arm.com>`_ -- 2.28.0

4 years, 10 months

4
22
0 0

[PATCH] Refine firmware shared storage requirements.

by Grant Likely

The existing language around how firmware and an OS can share a storage device doesn't go into sufficient detail on how the firmware should protect firmware data on the device. Add language for both the GPT and MBR partitioning schemes on how firmware images should be described in the partition table. Signed-off-by: Grant Likely <grant.likely(a)arm.com> --- I posted this patch before the v1.0.1 release, but didn't merge it at that time because it needs a little more due diligence than can be give on a minor point release. Posting it now for proper review. source/chapter4-firmware-media.rst | 67 +++++++++++++++++++++++------- 1 file changed, 51 insertions(+), 16 deletions(-) diff --git a/source/chapter4-firmware-media.rst b/source/chapter4-firmware-media.rst index fc71274..65da603 100644 --- a/source/chapter4-firmware-media.rst +++ b/source/chapter4-firmware-media.rst @@ -47,13 +47,19 @@ conflict with normal usage of the media by an OS. Partitioning of Shared Storage ============================== -A shared storage device shall use GPT partitioning unless it is incompatible -with the platform boot sequence. -In which case, MBR partitioning shall be used. [#MBRReqExample]_ - -.. [#MBRReqExample] For example, if the boot ROM doesn't understand GPT - partitioning, and will only work with an MBR, then the storage must be - partitioned using an MBR. +The shared storage device must use the GUID Partition Table (GPT) disk +layout as defined in [UEFI]_ § 5.3, unless the platform boot sequence is +fundamentally incompatible with the GPT disk layout. +In which case, a legacy Master Boot Recored (MBR) must be used. +[#MBRReqExample]_ + +.. [#MBRReqExample] For example, if the SoC boot ROM requires an MBR to + find the next stage firmware image, then it is incompatible with + the GPT boot layout. + Similarly, if the boot ROM expects the next stage firmware to be located + at LBA1 (the location of the GPT Header), then it is incompatible with + the GPT disk layout. + In both cases the shared storage device must use legacy MBR partitioning. .. warning:: @@ -71,15 +77,14 @@ the partition(s) containing firmware. However, some SoCs load firmware from a fixed offset into the storage media. In this case, to protect against partitioning tools overwriting firmware, the -firmware image shall either reside entirely within the first 1MiB of storage, -or should be covered by a protective partition entry in the partition table as +partition table must be formed in a way to protect the firmware image(s) as described in sections :ref:`section-gpt-parts` and :ref:`section-mbr-parts`. -Automatic partitioning tools (e.g. an OS installer) must not create -partitions within the first 1MiB of storage, or delete, move, or modify -protective partition entries. +Automatic partitioning tools (e.g. an OS installer) must not +delete the protective information in the partition table, or +delete, move, or modify protective partition entries. Manual partitioning tools should provide warnings when modifying -protective partitions or creating partitions within the first 1MiB. +protective partitions. .. warning:: @@ -95,19 +100,49 @@ GPT partitioning ---------------- The partition table must strictly conform to the UEFI specification and include -a protective MBR authored exactly as described in [UEFI]_ § 5 (hybrid +a protective MBR authored exactly as described in [UEFI]_ § 5.3 (hybrid partitioning schemes are not permitted). -Protective partitions must have the Platform Required Attribute Flag set. +Fixed-location firmware images must be protected by creating protective +partition entries, or by placing GPT data structures away from the LBAs +occupied by firmware, + +Protective partitions are entries in the partition table that cover the +LBA region occupied by firmware and have the 'Required Partition' attribute +set. +A protective partition must use a `PartitionTypeGUID` that identifies it +as a firmware protective partition. (e.g., don't reuse a GUID used by +non-protective partitions). +There are no requirements on the contents or layout of the firmware +protective partition. + +Placing GPT data structures away from firmware images can be accomplished by +adjusting the GUID Partition Entry array location +(adjusting the values of `PartitionEntryLBA` and `NumberOfPartitionEntries`, +and `SizeOfPartitionEntry`), +or by specifying the usable LBAs (Choosing `FirstUsableLBA`/`LastUsableLBA` +to not overlap the fixed firmware location). +See [UEFI]_ § 5.3.2. + +Given the choice, platforms should use protective partitions over +adjusting the placement of GPT data structures because protective partitions +provide explicit information about the protected region. .. _section-mbr-parts: MBR partitioning ^^^^^^^^^^^^^^^^ -Protective partitions should have a partition type of 0xF8 unless some +If firmware is at a fixed location entirely within the first 1MiB of +storage (<= LBA2047) then no protective partitions are required. +If firmware resides in a fixed location outside the first 1MiB, +then a protective partition must be used to cover the firmware LBAs. +Protective partitions should have a partition type of 0xF8 unless an immutable feature of the platform makes this impossible. +OS partitioning tools must not create partitions in the first 1MiB +of the storage device, and must not remove protective partitions. + .. _section-fw-partition-fs: Firmware Partition Filesystem -- 2.20.1

4 years, 10 months

4
12
0 0

[PATCH] Add a reference to RFC 2119

by Daniel Thompson

Define the meanings of "MUST" and similar language for clarity. Fixes: #46 Signed-off-by: Daniel Thompson <daniel.thompson(a)linaro.org> --- source/chapter1-about.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/source/chapter1-about.rst b/source/chapter1-about.rst index 3744d8a14086..3b5339a9c202 100644 --- a/source/chapter1-about.rst +++ b/source/chapter1-about.rst @@ -171,6 +171,10 @@ UEFI § 6.1 - Reference to the UEFI specification [UEFI]_ section 6.1 Terms and abbreviations ======================= +The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", +SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this +document are to be interpreted as described in :rfc:`2119`. + This document uses the following terms and abbreviations. .. glossary:: -- 2.25.4

4 years, 10 months

2
2
0 0

[PATCH 1/1] EBBR: GetMemoryMap(), handling of no-map DT property

by Heinrich Schuchardt

Closes: #52 The no-map property of the /reserved-memory DT node is used by Linux to signal that a memory region shall not be mapped and that speculative access shall not be permitted. The memory map returned by GetMemoryMap() does not have a flag corresponding to no-map. So the closest thing we can do is not to include no-map reserved memory into the map returned by GetMemoryMap(). Signed-off-by: Heinrich Schuchardt <xypron.glpk(a)gmx.de> --- source/chapter2-uefi.rst | 4 ++++ source/references.rst | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst index 2add2de..1e57164 100644 --- a/source/chapter2-uefi.rst +++ b/source/chapter2-uefi.rst @@ -74,6 +74,10 @@ that virtual addresses must equal physical addresses. The default RAM allocated attribute must be EFI_MEMORY_WB. +Reserved memory with property no-map [RESMEM]_ in the /reserved-memory +device-tree node shall not be included in the memory map returned by +GetMemoryMap(). + Configuration Tables -------------------- diff --git a/source/references.rst b/source/references.rst index 1eb0509..2434137 100644 --- a/source/references.rst +++ b/source/references.rst @@ -16,6 +16,10 @@ <https://static.docs.arm.com/den0022/c/DEN0022C_Power_State_Coordination_Int…>`_ 30 January 2015, `Arm Limited <http://arm.com>`_ +.. [RESMEM] `Reserved memory regions + <https://www.kernel.org/doc/Documentation/devicetree/bindings/reserved-memor…>`_, + 21 July 2020, Linux kernel + .. [SBBR] `Arm Server Base Boot Requirements specification Issue B (v1.0) <https://static.docs.arm.com/den0044/b/DEN0044B_Server_Base_Boot_Requirement…>`_ 8 March 2016, `Arm Limited <http://arm.com>`_ -- 2.28.0

4 years, 10 months

4
13
0 0

[EBBR RFC] Remove the exclusive-or language around DT or ACPI

by Grant Likely

Early in EBBR discussions the decision was made that firmware should not provide both DT and ACPI at the same time. The reasoning had been that we didn't want to encourage 'hybrid' approaches where the OS tries to consume both DT and ACPI descriptions. However, this fear has not so-far born out, and feedback has been that requiring a boot-time switch to select either DT or ACPI is a support issue for OS vendors. They would rather see ACPI (or DT) always turned on if it is an option and the OS can choose to use it or not. Thoughts? Can the exclusive or be relaxed here? Signed-off-by: Grant Likely <grant.likely(a)arm.com> --- source/chapter2-uefi.rst | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst index 066fefb..e0e71d6 100644 --- a/source/chapter2-uefi.rst +++ b/source/chapter2-uefi.rst @@ -80,18 +80,12 @@ Configuration Tables A UEFI system that complies with this specification may provide the additional tables via the EFI Configuration Table. -Compliant systems are required to provide one, but not both, of the following +Compliant systems are required to provide at least one of the following tables: - an Advanced Configuration and Power Interface [ACPI]_ table, or - a Devicetree [DTSPEC]_ system description -EBBR systems must not provide both ACPI and Devicetree -tables at the same time. -Systems that support both interfaces must provide a configuration -mechanism to select either ACPI or Devicetree, -and must ensure only the selected interface is provided to the OS loader. - Devicetree ^^^^^^^^^^ -- 2.20.1

4 years, 10 months

6
13
0 0

Re: [System-dt] Notes (brief) from System DT call: OpenAMP bindings

by Stefano Stabellini

On Tue, 1 Sep 2020, François Ozog via System-dt wrote: > On Tue, 1 Sep 2020 at 14:49, Tomas Evensen <tomase(a)xilinx.com> wrote: > Here are some brief notes from the meeting. > > If nothing else as a showcase on how much we miss Nathalie when she is on vacation 😉 > > Krzysztof Kepa – GE > Mathieu Poirier – Linaro > Etsam Anjum – Mentor > Anrnoud Pouliquen – ST > Loic Pallardy - ST > Suman Anna - TI > Dan Milea – Wind River > Mark Dapoz – Wind River > Tomas Evensen – Xilinx > Stefano Stabellini – Xilinx > Bruce Ashfield – Xilinx > Ed Mooring – Xilinx > Ben Levinsky - Xilinx > > Stefano went through slides. > Overall idea: > > 1. Specify remoteproc channels with minimal information in System-DT in a way that is as common as possible for all vendors. > In particular, we are avoiding to have to specify the same memory regions in more than one place. A resource group is specially > marked to contain most information. > 2. Use Lopper to create the vendor specific remoteproc specification > Generating reserved-memory, etc. information that has duplicate information. > For the time being, no plans to unify the vendor specific information that goes into the traditional device tree for Linux > 3. Later (or in parallel), but without making it a gating item, start discussions on what we can do to unify the vendor > specific information in the traditional DT > > Discussion about how TI and ST might generate their specific information from this specification. > > Stefano to send out examples and slides. > Ben: Xilinx backend to Lopper is upstreamed and available as an example. Might change as upstreaming continues. > > Question: > * How do we configure VirtIO? > > Could you describe more the VirtIO question so that relationship with Linaro project Stratos is assessed? I think this point refers to various vdev<x> buffers described under /reserved-memory which are linked from RemoteProc. From the Xilinx bindings: reserved-memory { #address-cells = <1>; #size-cells = <1>; ranges; rpu0vdev0vring0: rpu0vdev0vring0@3ed40000 { compatible = "xilinx,openamp-ipc-1.0"; no-map; reg = <0x3ed40000 0x4000>; }; rpu0vdev0vring1: rpu0vdev0vring1@3ed44000 { compatible = "xilinx,openamp-ipc-1.0"; no-map; reg = <0x3ed44000 0x4000>; }; rpu0vdev0buffer: rpu0vdev0buffer@3ed48000 { compatible = "xilinx,openamp-ipc-1.0"; no-map; reg = <0x3ed48000 0x100000>; }; rproc_0_reserved: rproc@3ed000000 { compatible = "xilinx,openamp-ipc-1.0"; no-map; reg = <0x3ed00000 0x40000>; }; };

4 years, 10 months

3
2
0 0

Storage of public key certificates for capsule authentication

by Sughosh Ganu

hi, I am currently working on adding support for the capsule authentication in the SetImage function of the efi firmware management protocol in u-boot. This work is part of adding functionality in u-boot for firmware updates using the uefi capsule format. The capsule authentication is done using a public key stored as a pkcs7 certificate. The uefi specification does not have any mention of how this certificate needs to be stored. This is unlike the case of the certificates used for image authentication when UEFI secure boot feature is enabled, where the certificates and hash values are stored as part of the authenticated variables like KEK, db, dbx. Can we use an authenticated variable like KEK to store the certificate used for authentication of the capsule payload. Would it make sense to have this mentioned in EBBR, or even the UEFI specification. Please let me know your thoughts. Thanks. -sughosh

4 years, 10 months

6
13
0 0

Notes (brief) from System DT call: OpenAMP bindings

by Tomas Evensen

Here are some brief notes from the meeting. If nothing else as a showcase on how much we miss Nathalie when she is on vacation 😉 Krzysztof Kepa – GE Mathieu Poirier – Linaro Etsam Anjum – Mentor Anrnoud Pouliquen – ST Loic Pallardy - ST Suman Anna - TI Dan Milea – Wind River Mark Dapoz – Wind River Tomas Evensen – Xilinx Stefano Stabellini – Xilinx Bruce Ashfield – Xilinx Ed Mooring – Xilinx Ben Levinsky - Xilinx Stefano went through slides. Overall idea: 1. Specify remoteproc channels with minimal information in System-DT in a way that is as common as possible for all vendors. In particular, we are avoiding to have to specify the same memory regions in more than one place. A resource group is specially marked to contain most information. 2. Use Lopper to create the vendor specific remoteproc specification Generating reserved-memory, etc. information that has duplicate information. For the time being, no plans to unify the vendor specific information that goes into the traditional device tree for Linux 3. Later (or in parallel), but without making it a gating item, start discussions on what we can do to unify the vendor specific information in the traditional DT Discussion about how TI and ST might generate their specific information from this specification. Stefano to send out examples and slides. Ben: Xilinx backend to Lopper is upstreamed and available as an example. Might change as upstreaming continues. Question: * How do we configure VirtIO? From: nathalie(a)xilinx.com When: 8:00 AM - 9:00 AM August 31, 2020 Subject: [System-dt] System DT call: OpenAMP bindings Location: webex CAUTION: This message has originated from an External Source. Please use proper judgment and caution when opening attachments, clicking links, or responding to this email. Hi all, The OpenAMP-remoteproc working group is looking forward to discuss OpenAMP bindings with the System DT working group & all others interested in System DT. Best regards, Nathalie C. Chan King Choy Program Manager focused on Open Source & Community Meeting number (access code): 145 853 2028 Meeting password: NgTwf4r8R$3 Monday, August 31, 2020 8:00 am | (UTC-07:00) Pacific Time (US & Canada) | 1 hr Join meeting<https://xilinx.webex.com/xilinx/j.php?MTID=mcd4ad9bca009dfef38671c26d5a1d301> Canada toll free 1-844-426-4405 France toll free 0800-912-485 India toll free 000-800-040-1016 Sweden toll free 020-033-6721 UK toll free 08000315372 United States Toll Free 1-844-621-3956 Global call-in numbers<https://xilinx.webex.com/xilinx/globalcallin.php?MTID=m370fae0984a8792a3592…> | Toll-free calling restrictions<https://www.webex.com/pdf/tollfree_restrictions.pdf> This email and any attachments are intended for the sole use of the named recipient(s) and contain(s) confidential information that may be proprietary, privileged or copyrighted under applicable law. If you are not the intended recipient, do not read, copy, or forward this email message or any attachments. Delete this email message and any attachments immediately.

4 years, 10 months

3
2
0 0

[PATCH] EBBR: ResetSystem has return type void

by Heinrich Schuchardt

Closes: #50 ResetSystem() has return type void. So it cannot return EFI_UNSUPPORTED. Signed-off-by: Heinrich Schuchardt <xypron.glpk(a)gmx.de> --- source/chapter2-uefi.rst | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/source/chapter2-uefi.rst b/source/chapter2-uefi.rst index 2add2de..74ef70e 100644 --- a/source/chapter2-uefi.rst +++ b/source/chapter2-uefi.rst @@ -209,9 +209,10 @@ ResetSystem() is required to be implemented in boot services, but it is optional for runtime services. During runtime services, the operating system should first attempt to use ResetSystem() to reset the system. -If firmware doesn't support ResetSystem() during runtime services, -then the call will immediately return EFI_UNSUPPORTED, and the OS should -fall back to an architecture or platform specific reset mechanism. + +If firmware doesn't support ResetSystem() during runtime services, then the call +will immediately return, and the OS should fall back to an architecture or +platform specific reset mechanism. On AArch64 platforms implementing [PSCI]_, if ResetSystem() is not implemented then the Operating System should fall -- 2.28.0

4 years, 10 months

3
2
0 0

Re: [System-dt] Notes (brief) from System DT call: OpenAMP bindings

by Stefano Stabellini

On Mon, 31 Aug 2020, Bjorn Andersson via System-dt wrote: > On Mon 31 Aug 16:04 UTC 2020, Tomas Evensen via System-dt wrote: > > > Here are some brief notes from the meeting. > > > > If nothing else as a showcase on how much we miss Nathalie when she is on vacation ???? > > > > Krzysztof Kepa – GE > > Mathieu Poirier – Linaro > > Etsam Anjum – Mentor > > Anrnoud Pouliquen – ST > > Loic Pallardy - ST > > Suman Anna - TI > > Dan Milea – Wind River > > Mark Dapoz – Wind River > > Tomas Evensen – Xilinx > > Stefano Stabellini – Xilinx > > Bruce Ashfield – Xilinx > > Ed Mooring – Xilinx > > Ben Levinsky - Xilinx > > > > Stefano went through slides. > > Overall idea: > > > > 1. Specify remoteproc channels with minimal information in System-DT in a way that is as common as possible for all vendors. > > In particular, we are avoiding to have to specify the same memory regions in more than one place. A resource group is specially marked to contain most information. > > 2. Use Lopper to create the vendor specific remoteproc specification > > Generating reserved-memory, etc. information that has duplicate information. > > For the time being, no plans to unify the vendor specific information that goes into the traditional device tree for Linux > > 3. Later (or in parallel), but without making it a gating item, start discussions on what we can do to unify the vendor specific information in the traditional DT > > Can anyone point me to some examples of vendor specific information > referred to here? Some of the other attendees might have better examples than this. The ones I was mentioning this morning are the "mboxes" and "mbox-names" properties you can see in the "output.txt" example. Also the memory regions listed under the "memory-region" property and under "reserved-memory".

4 years, 10 months

1
0
0 0

Re: [System-dt] Notes (brief) from System DT call: OpenAMP bindings

by Stefano Stabellini

On Mon, 31 Aug 2020, Tomas Evensen via System-dt wrote: > Stefano to send out examples and slides I am attaching the slides and examples, where: - input.txt is the system device tree snippet, input to lopper - output.txt is the traditional device tree snipper, output from lopper

4 years, 10 months

1
0
0 0

Re: [System-dt] Notes (brief) from System DT call: OpenAMP bindings

by Bjorn Andersson

On Mon 31 Aug 16:04 UTC 2020, Tomas Evensen via System-dt wrote: > Here are some brief notes from the meeting. > > If nothing else as a showcase on how much we miss Nathalie when she is on vacation ???? > > Krzysztof Kepa – GE > Mathieu Poirier – Linaro > Etsam Anjum – Mentor > Anrnoud Pouliquen – ST > Loic Pallardy - ST > Suman Anna - TI > Dan Milea – Wind River > Mark Dapoz – Wind River > Tomas Evensen – Xilinx > Stefano Stabellini – Xilinx > Bruce Ashfield – Xilinx > Ed Mooring – Xilinx > Ben Levinsky - Xilinx > > Stefano went through slides. > Overall idea: > > 1. Specify remoteproc channels with minimal information in System-DT in a way that is as common as possible for all vendors. > In particular, we are avoiding to have to specify the same memory regions in more than one place. A resource group is specially marked to contain most information. > 2. Use Lopper to create the vendor specific remoteproc specification > Generating reserved-memory, etc. information that has duplicate information. > For the time being, no plans to unify the vendor specific information that goes into the traditional device tree for Linux > 3. Later (or in parallel), but without making it a gating item, start discussions on what we can do to unify the vendor specific information in the traditional DT Can anyone point me to some examples of vendor specific information referred to here? Regards, Bjorn > > Discussion about how TI and ST might generate their specific information from this specification. > > Stefano to send out examples and slides. > Ben: Xilinx backend to Lopper is upstreamed and available as an example. Might change as upstreaming continues. > > Question: > * How do we configure VirtIO? > > > > From: nathalie(a)xilinx.com > When: 8:00 AM - 9:00 AM August 31, 2020 > Subject: [System-dt] System DT call: OpenAMP bindings > Location: webex > > > CAUTION: This message has originated from an External Source. Please use proper judgment and caution when opening attachments, clicking links, or responding to this email. > > Hi all, > > The OpenAMP-remoteproc working group is looking forward to discuss OpenAMP bindings with the System DT working group & all others interested in System DT. > > Best regards, > > Nathalie C. Chan King Choy > Program Manager focused on Open Source & Community > > Meeting number (access code): 145 853 2028 > > Meeting password: NgTwf4r8R$3 > > > > Monday, August 31, 2020 > 8:00 am | (UTC-07:00) Pacific Time (US & Canada) | 1 hr > > > > Join meeting<https://xilinx.webex.com/xilinx/j.php?MTID=mcd4ad9bca009dfef38671c26d5a1d301> > > > > Canada toll free 1-844-426-4405 > France toll free 0800-912-485 > India toll free 000-800-040-1016 > Sweden toll free 020-033-6721 > UK toll free 08000315372 > United States Toll Free 1-844-621-3956 > > Global call-in numbers<https://xilinx.webex.com/xilinx/globalcallin.php?MTID=m370fae0984a8792a3592…> | Toll-free calling restrictions<https://www.webex.com/pdf/tollfree_restrictions.pdf> > This email and any attachments are intended for the sole use of the named recipient(s) and contain(s) confidential information that may be proprietary, privileged or copyrighted under applicable law. If you are not the intended recipient, do not read, copy, or forward this email message or any attachments. Delete this email message and any attachments immediately. > -- > System-dt mailing list > System-dt(a)lists.openampproject.org > https://lists.openampproject.org/mailman/listinfo/system-dt

4 years, 10 months

1
0
0 0

DTE call this Wednesday

by François Ozog

Hi, This Wednesday agenda is: - Presentation of RiscV DT by Atish Patra - Proposal of DT authentication/identification/format PoC by Joakim/FF Cordially, FF

4 years, 10 months

1
1
0 0

Restarting EBBR biweekly meetings

by Grant Likely

It has been a long time since there has been a regular EBBR review meeting, and with the amount of activity that has happened in the last year I think it is time to start meeting again. I'd like to start talking about content for EBBR v1.0+. A biweekly cadence seems about right to me, but we can discuss when we start meetings again. Would Monday, 31 Aug at 16:00BST, 08:00PST work? Email me privately if you want me to send you a calendar invite. Discussion topics: - EBBR testing progress - EBBR Scope -- doing a better job to describe the purpose of EBBR - Tightening requirements as U-Boot implementation matures (make fewer things optional) - Security requirements - Secure boot and secure capsule update - issue review - Signing requirements on dtbs and variables Send me an email if you want to add to the agenda, or add an issue to the github page: https://github.com/arm-software/ebbr/issues g. ---- Time: Every second Monday starting 31 Aug at 16:00BST, 08:00PST Join Zoom Meeting https://armltd.zoom.us/j/92081365511?pwd=SFZpRitXUEp3Zy9GM0h3UUZ1b1pnUT09 Meeting ID: 920 8136 5511 Password: 490324 One tap mobile +14086380968,,92081365511#,,#,490324# US (San Jose) +16465189805,,92081365511#,,#,490324# US (New York) Dial by your location +1 408 638 0968 US (San Jose) +1 646 518 9805 US (New York) +1 346 248 7799 US (Houston) Meeting ID: 920 8136 5511 Password: 490324 Find your local number: https://armltd.zoom.us/u/adYiWaDyys IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

4 years, 10 months

1
2
0 0

Trusting DT

by François Ozog

Hi, I just updated the technical report <https://docs.google.com/document/d/1CLkhLRaz_zcCq44DLGmPZQFPbYHOC6nzPowaL0X…> with a section on "Trusting DT" that is the result of my analysis of the discussion we had (not what I presented). Please comment, correct, update... Cordially, FF -- François-Frédéric Ozog | *Director Linaro Edge & Fog Computing Group* T: +33.67221.6485 francois.ozog(a)linaro.org | Skype: ffozog

4 years, 10 months

2
3
0 0

System DT call: OpenAMP bindings

by Nathalie Chan King Choy

Hi all, The OpenAMP-remoteproc working group is looking forward to discuss OpenAMP bindings with the System DT working group & all others interested in System DT. Best regards, Nathalie C. Chan King Choy Program Manager focused on Open Source & Community Meeting number (access code): 145 853 2028 Meeting password: NgTwf4r8R$3 Monday, August 31, 2020 8:00 am | (UTC-07:00) Pacific Time (US & Canada) | 1 hr Join meeting<https://xilinx.webex.com/xilinx/j.php?MTID=mcd4ad9bca009dfef38671c26d5a1d301> Canada toll free 1-844-426-4405 France toll free 0800-912-485 India toll free 000-800-040-1016 Sweden toll free 020-033-6721 UK toll free 08000315372 United States Toll Free 1-844-621-3956 Global call-in numbers<https://xilinx.webex.com/xilinx/globalcallin.php?MTID=m370fae0984a8792a3592…> | Toll-free calling restrictions<https://www.webex.com/pdf/tollfree_restrictions.pdf>

4 years, 10 months

1
0
0 0

Adding RISC-V to EBBR

by Atish Patra

Hi All, We are interested in adopting EBBR as the boot specification for the embedded RISC-V platforms. We firmly believe that EBBR is a very well defined specification for boot requirement and there is no need for reinventing the wheel for RISC-V. Hence, this is a thread to discuss all the requirements for adding RISC-V to EBBR. Here is my current understanding. Please correct me if I am wrong. Logistic Requirement: 1. As per the contribution guidelines[1], patches should be sent to boot-architecture(a)lists.linaro.org. and the specification will be hosted under "ARM-software" Github. I am hoping that introducing RISC-V related changes are okay with the current maintainers. 2. The specification is licensed under Creative Commons. The RISC-V related changes will refer to some of the RISC-V specifications as well. AFAIK, there shouldn't be an issue with that. 3. It should be okay to add other copyrights in addition to "Arm Limited and Contributors". Technical Requirement: 1. Software status: a. UEFI support for RISC-V Linux kernel is already available in the mailing list[2]. The targeted upstream merge is the 5.10 merge window. b. U-Boot already supports UEFI for RISC-V. c. EDK2 upstreaming is currently under progress [3] as well. Is it okay to start sending patches for EBBR RISC-V related changes now or do we need to wait for EDK2 and Linux kernel patches to be available upstream ? 2. RISC-V related sections in EBBR a. UEFI: Currently, RISC-V doesn't support a EFI_RESET_SYSTEM boot service as firmware doesn't have a standard way to reset the system. There is a proposal to add a system reset function to Supervisor Binary Specification(SBI) which can be mapped to EFI_RESET_SYSTEM by the firmware. Apart from that, I believe RISC-V supports all UEFI boot and run time services mandated by EBBR. Is it a blocker for RISC-V EBBR compatibility? b. RISC-V Multiprocessor Startup Protocol: This section will contain the details of booting protocol for RISC-V and mandatory RISC-V specifications that need to be implemented. c. Firmware Storage: AFAIK, RISC-V platforms are already compatible with this. Please let me know if I missed something or oversimplified any requirement. We want to make RISC-V compatible with EBBR sooner than later and ready work on any missing pieces if any. [1] https://github.com/ARM-software/ebbr/blob/master/CONTRIBUTING.rst [2] https://lkml.org/lkml/2020/8/19/1252 [3] https://edk2.groups.io/g/devel/message/63831?p=,,,20,0,0,0::Created,,RISC-V… [4] https://lists.riscv.org/g/tech-unixplatformspec/message/49?p=,,,20,0,0,0::r… -- Regards, Atish

4 years, 10 months

10
24
0 0

UN regulations about cybersecurity and automotive

by François Ozog

At some point, the following regulations and forming standard ISO 24089 will impact how we implement firmware updates and securely boot OSes in vehicles. https://www.unece.org/info/media/presscurrent-press-h/transport/2020/un-reg… https://www.unece.org/fileadmin/DAM/trans/doc/2020/wp29grva/ECE-TRANS-WP29-… http://www.unece.org/fileadmin/DAM/trans/doc/2019/wp29grva/ECE-TRANS-WP29-G… Cheers FF

4 years, 11 months

1
0
0 0

EBBR v1.0.1 released

by Grant Likely

Minor release to clean up a few problems. Thanks to all who helped get the text updated. https://github.com/ARM-software/ebbr/releases/tag/v1.0.1 Cheers, g.

4 years, 11 months

1
0
0 0

Fwd: There’s a Hole in the Boot - Eclypsium

by Joakim Bech

Hi, Yet another security issue surfaced yesterday, see this blog post about it https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ When I was reading it I cannot avoid seeing similarities to what I've tried to raise in the DT(E) discussions. I.e., firmware run-time exploits running after signatures have been verified successfully (slide 27, 28 [1]) can be devastating and therefore I've tried to suggest that each component verifies the DTB that it gets from the previous firmware component (slide 29, 30 [1]), alternatively and probably better ... doing something like a measured boot (including DTB's) where you compute a running hash spanning across all firmware (+configuration) being loaded. Some quotes from the blog post: > Almost all signed versions of GRUB2 are vulnerable, meaning virtually > every Linux distribution is affected. We don't want to read something similar about DTS/DTB in the future. > Additionally, as we will show in this blog post, a vulnerability in the boot > process that enables arbitrary code execution can allow attackers to control > the boot process and operating system, even when secure boot signatures are verified. Confirm my concerns. > In the course of Eclypsium’s analysis, we have identified a buffer overflow vulnerability > in the way that GRUB2 parses content from the GRUB2 config file (grub.cfg). > Of note: The GRUB2 config file is a text file and typically is not signed like other files > and executables. This vulnerability enables arbitrary code execution within GRUB2 and > thus control over the booting of the operating system. As a result, an attacker could > modify the contents of the GRUB2 configuration file to ensure that attack code is run > before the operating system is loaded. In this way, attackers gain persistence on the device. Replace "GRUB2" with "DT" and "grub.cfg" with "*.dts/dtb" in the quote above and we have another potential future quote about DT security issues. A solid, useable and robust solution for problems like this might be complex to realize, but I think it's worth continuing to look into what can be done, since it seems risky to continue loading and running "DT code" like we're doing in many places today (and it's not only DT that is subject to this, regular firmware suffers with the same kind of issues). I.e., I'm going to raise this again in future DT(E) calls. [1] https://docs.google.com/presentation/d/1CvKBBZ33ggzyhP2ub8iZ410I_KGrFjHftZL… <https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/> Regards, Joakim

4 years, 11 months

1
0
0 0

July 22nd meeting notes

by François Ozog

Attendees François-Frédéric Ozog (Linaro) Frank Rowand Simon Glass (Google) Ilias Apalodimas (Linaro) Atish Patra (Western Digital) Mark Brown (Arm) Heinrich Schuchardt CVS Arnd Bergmann Rob Herring (Arm) Loic Pallardy (ST) Poonam (NXP) Ruchika Loic Pallardy (ST) Don Harbin(linaro) Presentation SLIDE 2 Francois: if we want authentication, we can’t do fix up Simon: what is fix up? Can’t change DT or ok to change it? Francois: can orchestrate transition, [edit as typing notes: changing is not OK because you can’t identify the scope of change; adding a new node may be acceptable - because scope is easy to frame] Simon: code doing the fixup is signed , so it may be a signal that the changes are OK; don’t know how to pass that to Linux. In principle you should rely on signed code to make changes Francois: [rephrasing at note editing] two trust models 1) implicit - trust because generating/updating code is signed 2) explicit - trust because you can check signature of the DT Heinrich: if the DT comes from file system, it should be signed; for DT embedded in signed code: no need to have a signature; signature for things from file but not from memory [at writing notes, I understand this as a DT fragment generated by FT-A in memory does not need to be signed] SLIDE 3 Francois: cold-plug by U-Boot, hotplug by OS Francois: Board DTB + cape DTBo + cape_on_board DTBo (pin muxing config, irq config…) Frank: Device removal triggers DT correspond node(s) removal? If so, then we should limiting a single device per overlay Francois: yes. It is also connected to device assignment. There should be a way to identify all nodes of a device in DT to actually simplify device assignment (to be discussed later in the deck) SLIDE 4 Lets use a special config DTBo (chosen…) Let’s get the parameters out of DT in local OS config (or worst case, in that config DTBo) Rob: problem with systems with loadable modules Arnd: can be passed on command line Rob: Greg KH say: don’t add module parameters Arnd: device specific parameters should be done via sysfs/ioctl; driver wide parameters could be as module parameters or boot command line Frank or it could be a “chosen” [editig time] Francois: for Linux, can we organize module parameters in modules.d are parsed when modules are statically linked? Let’s not use DT when we can avoid (OP-TEE bus to discover TAs) SLIDE 5 Francois: wherever we choose, we shall ensure backward compatibility SLIDE 6 DTB=base board + 1 DTBo per device Statically merge DTB + DTBos at compile time and keep metadata about the merge in a section of the new DT file format. SLIDE 7 Arnd/Simon: Right now the Android boot loader merges DTB/DTBos and passes one DTB to the kernel Simon: ChromeOS has a FIT image with multiple DTs, it selects one to pass to OS Arnd/Ilias: FIT is only understood by U-Boot Francois: wherever we choose, we shall ensure backward compatibility Arnd: It’s simpler to have a single DTB for the kernel Early kernel is not really powerful There are security advantages in signed DTBos Francois: I think the key question is decide on a model. Allow bootloaders to change the DTB and rely on signed DTBos? Simon: is either or ? [explicit vs implicit trust models], what is the threat model? Francois: yes, I think so. Heinrich: problem is wrong voltage in DT results in destroying the board Arnd: steal sensitive data Ilias: DoS can become a problem Ilias: signing per device (key mgmt complexity) ? or per device model (can compromise all devices of a model)? Francois: Who signs what is also a fundamental concept, because there might be different signing authorities Loic: That’s the current case wit ST devices Arnd: There’s 3 options here: Kernel with embedded DTB, if the kernel signature is checked, the DTB does not need to be checked The bootloader loads the kernel from a disk Nothing is checked Checking one of those makes no sense Simon: we have to be careful in not tying ourselves in a knot. There is *no* bidirectional root of trust. The model is that trust is built starting from the root of trust, the next level implicitly trusts the level that loaded it. Mark Brown: DT is used with EDK2 Loic: there is no direct boot from U-Boot to kernel, it is vouched by OP-TEE. security of co-processors requires the same model Hardware firewall (device and memory) can be leveraged to ensure full security DTE Project information portal: https://collaborate.linaro.org/display/DTE/DTE+Progress+Updates Security presentation: (listed in the portal, but copied here for simple access): https://docs.google.com/presentation/d/1CvKBBZ33ggzyhP2ub8iZ410I_KGrFjHftZL…

4 years, 11 months

1
0
0 0

DTE call this wednesday

by François Ozog

Hi, I think we have gathered enough knowledge in the Technical Report to try architecting DT evolution technologies. To that end, I'll kick start discussion with: https://docs.google.com/presentation/d/1jACxdO-3fDzSk5MEMUEmAu0iMjtp9Td7Xbb… Everyone has commenter capabilities in the document, so please use it. I am sure most of the proposals cannot be "decided on" during the call. But I'd like to come to a conclusion on one topic: whether or not fix ups are allowed. If we introduce signature of any form with DTB, then I believe fixups are not possible anymore. Cheers -- FF

4 years, 12 months

1
0
0 0

2020-07-20 System DT call notes and action items

by Nathalie Chan King Choy

Hi all, The notes from today's call can be found on the OpenAMP Wiki at https://github.com/OpenAMP/open-amp/wiki/System-DT-Meeting-Notes-2020#2020J… The action items are: * Stefano to share slides * Xilinx and ST to discuss interconnect binding, considering that it could be expanded beyond QoS, and review Rob's earlier feedback to Benjamin on pin control * Stefano to check if configuration interface assumes that IDs are global * Stefano to work with Bruce to prototype something w/ Lopper to generate a bus firewall configuration table * Stefano to present openamp-remoteproc binding for System DT at next call @ Stefano, Loic, Rob, Ilias, Tomas (and anyone else who spoke, if I missed you): Please check if there are any errors or important omissions in what I captured for your parts. You can make corrections directly in the wiki page. Thanks & regards, Nathalie C. Chan King Choy Program Manager focused on Open Source and Community

4 years, 12 months

1
0
0 0

System Device Tree call - July

by Nathalie Chan King Choy

[Invitation going out to both the sytem-dt list and the boot-architecture list, based on recommendation from Francois] Hi all, It has been a while since our last call, because work was happening on the 4th action item below. Now, there are some updates to present. The notes from the previous call can be found on the OpenAMP wiki at this link: https://github.com/OpenAMP/open-amp/wiki/System-DT-Meeting-Notes-2020 Action items from the previous call: * Nathalie sync up w/ Francois about who should be invited to System DT call (some individuals at DTE call didn't get this invitation) * Stefano to go back & discuss w/ Xilinx XMPU expert. * Stefano: Revisit wording of IDs * Stefano & Tomas to sync-up with Loic & Benjamin. Target for next System DT call to discuss how the 2 proposals combine. Include description of the use cases you're giving solution for. For info about the system-dt list, link to the archives, to unsubscribe yourself, or for someone to subscribe themselves, visit: https://lists.openampproject.org/mailman/listinfo/system-dt For information about the System Device Trees effort, including a link to the intro presentation from Linaro Connect SAN19: https://github.com/OpenAMP/open-amp/wiki/System-Device-Trees Best regards, Nathalie C. Chan King Choy Program Manager focused on Open Source and Community =================== Nathalie Chan King Choy is inviting you to a scheduled Zoom meeting. Topic: System DT call - July Time: Jul 20, 2020 08:00 AM Pacific Time (US and Canada) Join Zoom Meeting https://us02web.zoom.us/j/89143577824 Meeting ID: 891 4357 7824 One tap mobile +13126266799,,89143577824# US (Chicago) +13462487799,,89143577824# US (Houston) Dial by your location +1 312 626 6799 US (Chicago) +1 346 248 7799 US (Houston) +1 646 558 8656 US (New York) +1 669 900 9128 US (San Jose) +1 253 215 8782 US (Tacoma) +1 301 715 8592 US (Germantown) +1 587 328 1099 Canada +1 647 374 4685 Canada +1 647 558 0588 Canada +1 778 907 2071 Canada +1 204 272 7920 Canada +1 438 809 7799 Canada +44 203 051 2874 United Kingdom +44 203 481 5237 United Kingdom +44 203 481 5240 United Kingdom +44 203 901 7895 United Kingdom +44 131 460 1196 United Kingdom +33 1 7037 9729 France +33 1 7095 0103 France +33 1 7095 0350 France +33 1 8699 5831 France +33 1 7037 2246 France +46 8 5050 0828 Sweden +46 8 5050 0829 Sweden +46 8 5052 0017 Sweden +46 850 539 728 Sweden +46 8 4468 2488 Sweden +46 8 5016 3827 Sweden Meeting ID: 891 4357 7824 Find your local number: https://us02web.zoom.us/u/k6bFgrs5K

5 years

1
0
0 0

Meeting notes from DTE June 24

by François Ozog

Hi, Here are the notes from our last meeting. (For next calls, it would be nice people take some notes in the shared scratch document so that we increase quality of them) Attendees Tom Rini Joakim Bech (Linaro) François-Frédéric Ozog (Linaro) Ilias Apalodimas (Linaro) Mark Brown (Arm) Heinrich Schuchardt Priyanka Jain (NXP) Jens Wiklander (Linaro) Arnd Bergmann CVS Atish Patra (Western Digital) Grant Likely (Arm) Etienne Carriere (ST) ==================================== I - RISC-V Atish from Western Digital has a 4 developer team on. Focus on standardized boot flows: - U-Boot SPL + U-Boot. - coreBoot + EDK2 ==================================== II - Technical report github Atul volunteered FF: What format to use ? RST? MD? Other? Heinrich: RST and MD are rendered by github. ==================================== III - Technical report outline and content updates A proposal to be made so that a minimal UEFI set of requirements is defined with DT support. Frank: Should not put DT spec in the UEFI forum FF: this is not the goal, the goal is to get references to DT in UEFI Need to ensure we have terminology that can be applied to all architectures (for instance Arm+TFA+U-Boot and RISC-V+U-Boot SPL+U-Boot). Please make proposals for content including new sections for the use cases. ==================================== IV- Overlays presentation Franks Presentation notes: https://elinux.org/Frank%27s_Evolving_Overlay_Thoughts https://elinux.org/images/0/03/Elce_2018_dt_bof.pdf https://elinux.org/Device_Tree_Reference -> OverLays Overlay made simple with DTC extensions: use a reference to define the place in the tree where the update is to be made: &{/path/to/node} { <overlay definition> } Use cases: Hot swap Expansion slots (beaglebone) FPGAs (load from kernel to FPGA; led by Altera/Xilinx) Not too dynamic, in particular because there are still memory leaks Use of “apply overlay by the bootload” helps reducing the number of DTS/DTB files to deal with. plugable CPU: overlay is a solution few terms to define/standardise/clarify by frank: Cold-swap = ? < describe the actual use-case in simple terms > Hot-swap = ? < describe the actual use-case in simple terms > Real hot-swap will be difficult to support. Another use case for “hot-swap” is a developer helper to change parameter “dynamically” to avoid a full reboot. FF: DT event may be a wrong way to deal with dynamism: using bus events to trigger changes seem more natural Grant: event code is fragile, prefer pre-boot control

5 years

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

boot-architecture