I introduced the discussion topic to LEDGE Steering Committee today.
Linaro will focus on the use case where the DT is provided by the firmware. Other use cases may be considered at a later stage.
On Thu, 6 Jun 2019 at 11:10, Tom Rini trini@konsulko.com wrote:
On Thu, Jun 06, 2019 at 09:08:25AM +0200, Ard Biesheuvel wrote:
On Wed, 5 Jun 2019 at 21:28, Tom Rini trini@konsulko.com wrote:
On Wed, Jun 05, 2019 at 08:30:12PM +0200, Ard Biesheuvel wrote:
On Wed, 5 Jun 2019 at 19:30, Tom Rini trini@konsulko.com wrote:
On Wed, Jun 05, 2019 at 06:14:08PM +0100, Mark Brown wrote:
On Wed, Jun 05, 2019 at 02:16:11PM +0200, Ard Biesheuvel wrote:
> The idea of EBBR is to move away from a vertically integrated
model,
> and permit systems or appliances to use packaged OSes in the
field,
> similar to how this is being done on servers today. The idea
that it
> is required for, say, company X shipping product Yrev0, to
upstream a
> new rev of the DT in order to tweak their board and ship
product Yrev1
> is simply ridiculous. It doesn't scale, and we shouldn't care
- the DT
> bindings is what we care about, and if it adheres to those, the > platform can provide any DT it wants, and there is no reason
the
> kernel devs should ever need to look at it.
I don't think anyone is particularly suggesting that (at least
not in
the portions of the thread I read properly, I have to confess I
was
skimming a bunch of it)?
Just so we're all on the same page, we do understand that someone somewhere is providing Yrev0.dtb and Yrev1.dtb, yes? Or are we expecting someone to be run-time fixing up Yboard.dtb for rev0 vs
rev1
vs .. ?
Let me put it like this: company X is not interested in having to engage with the distros to get Yrev1.dtb into the OS, nor do they
want
to be forced to start from an official DTB and apply deltas to make
it
correct. You ship a board with some description of the board that the OS can understand - this is how the OS identifies which hardware it runs on: the DT description.
Where does this description that's coming with the board come from? That _matters_ if you want to have any idea what will be able to use
it.
From the platform, not from the OS. How the firmware achieves that is left unspecified by EBBR, it only mandates that it is passed to the OS via a config table.
But it's part of the OS.
> For development, things are obviously different, I understand
that.
> Shipping DTs for devboards makes sense, especially while the DT > bindings are not set in stone yet. But imposing this model for > production is unsustainable.
I don't think I've particularly seen anyone trying to do that for anything other than devboards, like Tom says people with actual
products
usually don't even consider it. It's more that there is this
devboard
case where the DTs are currently in kernel and a lot of the
people
hacking on things are using devboards if only for want of
anything else
so they naturally end up caring about that case.
Keep in mind that the in-kernel dev board ones _are_ important as
that's
what you start your custom platform from, 9 times out of 10. It's
quite
often the case of "OK, $vendor gave us schematics for EVB, lets
cut what
we don't need and tweak" with a matching set of cuts and tweaks to
the
dts for the EVB. In the case of carrier+SOM it's just adding to,
if
using the stock carrier, or again adapting things for the custom carrier.
Of course. But how is this relevant? I am not saying DTs have to be truly original works, just that the OS should not be the one
providing
it.
Because we've been talking about where the device tree comes from, and
I
keep trying to point out that we are no where near a proven record of "DTB is always valid and functional with the Linux Kernel from here on out". There's not the tooling nor review to enforce that and
there's
a few examples every year (of just in-tree device trees, not custom end products) where it gets broken.
So now, you are saying companies should only ship products with devices trees that have been reviewed by the kernel community?
No, but I am saying that intentions and reality disagree on "DTB + any kernel that supports those bindings" always resulting in "Everything continues to function as expected".
This makes no sense to me whatsoever: the DT *bindings* are the contract that we have with the platforms. If someone ships a DT that adheres to the bindings, we are on the hook to fix it. If someone ships a broken DT, it is their problem and they are fix it in their OS fork, or they issue a firmware update that fixes it.
I'm saying the DT binding contracts get broken, have a track record of getting broken and will continue to be broken. The DTB is part of the OS.
But maybe it's just me that's confused about what "shipping" means
in
this context. Almost no one bothers "shipping" the DTS files for a custom product to mainline Linux as no one is supposed to be
running
anything other than the provided software on the custom device and
so it
goes where ever it goes for that products needs and support plans. Rarely does a board, devboard or finished end-user product, ship
with a
DTB file stored stand-alone in a flash chip, that is intended as
the
final forever DTB. It's just another part of firmware-by-which-I-mean-the-whole-software-stack.
Who said anything about the DT being stored in a flash chip? I
already
explained more than once that it is up to the firmware to decide
*how*
it stores the DT, and the filesystem is fine if it does not care
about
security or if it implements some form of authentication.
It's been stated I believe in other parts of this thread or perhaps I'm just thinking of the many other times people have talked about hardware shipping a device tree. If the hardware is shipping the DTB to use, it's often stored someplace other than normal storage so that it's not overwritten by accident. Similar to ACPI tables :)
The point is that we are trying to move from this custom device model to a model where you can run a generic distro, without having to put the burden on the OS vendor to bundle a DT for every platform that it will ever run on, which is especially tricky if those platforms do
not
exist yet.
So we are, or are not trying to come up with recommendations for shipping a DTB file for hardware?
I'm not sure i understand the question, but EBBR is not just a recommendation. If you want to claim EBBR compliance, your platform should be able to boot an OS that comes without bundled DTB images.
No, that's not right. You are either OS+ACPI or OS+DTB. In the case of ACPI, other specifications deal with that. In the case of DTB there is not a specification that deals with these expectations, so EBBR needs to say something.
Which is why my whole point here has been that the DTB needs to be treated and signature checked just like any other part of what's
being
loaded (kernel, initrd, grub and grub.conf OR systemd-boot and systemd-boot.conf, etc, etc).
Again, I am not arguing that the DT should be linked into the
firmware
executable, I am only saying that UEFI secure boot is not appropriate for authenticating it (and that the OS should not be providing it)
Are you just saying "the DT exists in the config table GUID, it is
good"
and ignoring the question of how the DT is put into the config table
and
any sort of "it is good" test?
So now we are policing the DT as well, and checking whether it is 'good' or not? The platform knows best how to describe the hardware, so it is the hardware that provides the DT period. If a crappy product provides a crappy DT, then you will get a crappy experience, just as you might expect.
I don't know why this keeps coming up. In this context, which is "secure boot", good means "we have done some form of cryptographic validation that this blob has been signed".
Finally, is UEFI secure boot appropriate for authentication of the initrd? The bootloader config files?
No. initrd is a file system interpreted by the Linux kernel, and we already have ways to authenticate that (unless you build it into the kernel image, in which case you get it for free)
How are you seeing the initrd being authenticated, if not via the UEFI secure boot hooks?
bootloader config files are an implementation detail of the bootloader, and the same reasoning applies: UEFI secure boot authenticates the OS to the platform, not the other way around. If the firmware wants to sign its config files, it can, and it might even reuse some of the crypto code that UEFI secure boot uses. But it is not part of UEFI secure boot.
I disagree.
-- Tom