On Wed, 5 Jun 2019 at 19:30, Tom Rini trini@konsulko.com wrote:

On Wed, Jun 05, 2019 at 06:14:08PM +0100, Mark Brown wrote:

...

On Wed, Jun 05, 2019 at 02:16:11PM +0200, Ard Biesheuvel wrote:

...

The idea of EBBR is to move away from a vertically integrated model, and permit systems or appliances to use packaged OSes in the field, similar to how this is being done on servers today. The idea that it is required for, say, company X shipping product Yrev0, to upstream a new rev of the DT in order to tweak their board and ship product Yrev1 is simply ridiculous. It doesn't scale, and we shouldn't care - the DT bindings is what we care about, and if it adheres to those, the platform can provide any DT it wants, and there is no reason the kernel devs should ever need to look at it.

I don't think anyone is particularly suggesting that (at least not in the portions of the thread I read properly, I have to confess I was skimming a bunch of it)?

Just so we're all on the same page, we do understand that someone somewhere is providing Yrev0.dtb and Yrev1.dtb, yes? Or are we expecting someone to be run-time fixing up Yboard.dtb for rev0 vs rev1 vs .. ?

Let me put it like this: company X is not interested in having to engage with the distros to get Yrev1.dtb into the OS, nor do they want to be forced to start from an official DTB and apply deltas to make it correct. You ship a board with some description of the board that the OS can understand - this is how the OS identifies which hardware it runs on: the DT description.

...

...

For development, things are obviously different, I understand that. Shipping DTs for devboards makes sense, especially while the DT bindings are not set in stone yet. But imposing this model for production is unsustainable.

I don't think I've particularly seen anyone trying to do that for anything other than devboards, like Tom says people with actual products usually don't even consider it. It's more that there is this devboard case where the DTs are currently in kernel and a lot of the people hacking on things are using devboards if only for want of anything else so they naturally end up caring about that case.

Keep in mind that the in-kernel dev board ones _are_ important as that's what you start your custom platform from, 9 times out of 10. It's quite often the case of "OK, $vendor gave us schematics for EVB, lets cut what we don't need and tweak" with a matching set of cuts and tweaks to the dts for the EVB. In the case of carrier+SOM it's just adding to, if using the stock carrier, or again adapting things for the custom carrier.

Of course. But how is this relevant? I am not saying DTs have to be truly original works, just that the OS should not be the one providing it.

But maybe it's just me that's confused about what "shipping" means in this context. Almost no one bothers "shipping" the DTS files for a custom product to mainline Linux as no one is supposed to be running anything other than the provided software on the custom device and so it goes where ever it goes for that products needs and support plans. Rarely does a board, devboard or finished end-user product, ship with a DTB file stored stand-alone in a flash chip, that is intended as the final forever DTB. It's just another part of firmware-by-which-I-mean-the-whole-software-stack.

Who said anything about the DT being stored in a flash chip? I already explained more than once that it is up to the firmware to decide *how* it stores the DT, and the filesystem is fine if it does not care about security or if it implements some form of authentication.

The point is that we are trying to move from this custom device model to a model where you can run a generic distro, without having to put the burden on the OS vendor to bundle a DT for every platform that it will ever run on, which is especially tricky if those platforms do not exist yet.

Which is why my whole point here has been that the DTB needs to be treated and signature checked just like any other part of what's being loaded (kernel, initrd, grub and grub.conf OR systemd-boot and systemd-boot.conf, etc, etc).

Again, I am not arguing that the DT should be linked into the firmware executable, I am only saying that UEFI secure boot is not appropriate for authenticating it (and that the OS should not be providing it)