[PATCH] fdt_support.c: Allow late kernel cmdline modification

Niko Mauno niko.mauno at vaisala.com
Thu Feb 25 17:09:37 CET 2021 

On 2/24/21 3:51 PM, Tom Rini wrote:
> On Tue, Feb 23, 2021 at 08:33:36AM +0200, Niko Mauno wrote:
>> On 2/22/21 10:21 PM, Tom Rini wrote:
>>> On Mon, Feb 22, 2021 at 07:18:51PM +0000, Niko Mauno wrote:
>>>
>>>> By declaring board-specific board_fdt_chosen_bootargs() the kernel
>>>> command line arguments can be adjusted before injecting to flat dt
>>>> chosen node.
>>>>
>>>> Signed-off-by: Niko Mauno <niko.mauno at vaisala.com>
>>>> ---
>>>>    common/fdt_support.c  | 12 +++++++++++-
>>>>    include/fdt_support.h | 10 ++++++++++
>>>>    2 files changed, 21 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/common/fdt_support.c b/common/fdt_support.c
>>>> index 08d540bfc8..4379507e30 100644
>>>> --- a/common/fdt_support.c
>>>> +++ b/common/fdt_support.c
>>>> @@ -269,6 +269,15 @@ int fdt_initrd(void *fdt, ulong initrd_start, ulong initrd_end)
>>>>    	return 0;
>>>>    }
>>>> +/**
>>>> + * board_fdt_chosen_bootargs - boards may override this function to use
>>>> + *                             alternative kernel command line arguments
>>>> + */
>>>> +__weak char *board_fdt_chosen_bootargs(void)
>>>> +{
>>>> +	return env_get("bootargs");
>>>> +}
>>>> +
>>>>    int fdt_chosen(void *fdt)
>>>>    {
>>>>    	int   nodeoffset;
>>>> @@ -286,7 +295,8 @@ int fdt_chosen(void *fdt)
>>>>    	if (nodeoffset < 0)
>>>>    		return nodeoffset;
>>>> -	str = env_get("bootargs");
>>>> +	str = board_fdt_chosen_bootargs();
>>>> +
>>>>    	if (str) {
>>>>    		err = fdt_setprop(fdt, nodeoffset, "bootargs", str,
>>>>    				  strlen(str) + 1);
>>>
>>> What's this look like in practice?  I'm very wary about changing "set
>>> bootargs to what you pass to the kernel" logic that's been there for
>>> forever and a constant of every platform.  Thanks!
>>>
>> Hi Tom,
>>
>>     Effectively this change as such should introduce no changes to prevalent
>> "bootargs" logic when an overriding board_fdt_chosen_bootargs() is not
>> defined. Our motivation for proposing this change is that it provides us
>> with a means to introduce an entry point where we can append rootfs specific
>> dm-verity kernel command line metrics (such as described in
>> https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html)
>> by reading a property from within a kernel tier FIT image header, in order
>> to facilitate secure boot process all the way to root filesystem.
> 
> Right.  But what does that logic look like, and why must it be done in
> C?  People have used dm-verity with U-Boot for ages, for example.
> 

Our build time implementation injects rootfs specific dm-verity metrics 
in FIT conf node property, effectively coupling the particular (kernel 
tier) FIT image and particular rootfs image containing trailing verity 
hash tree.

Below is a sample of such conf node - please note also that the two 
'${rootdev}' placeholder strings in the injected property are replaced 
with device node path to 'active' rootfs (in a dual bank scheme where 
the 'active' rootfs bank is resolved runtime).

     configurations {
         default = "conf-c";
         conf-c {
             description = "Linux kernel and FDT blob";
             kernel = "kernel";
             fdt = "fdt-c";
             vaisala,dm-verity-args = "dm-mod.create="dm-verity, 
ec077aa7-78e5-43b7-9605-0d7f72fc65b9, , ro,  0 136220 verity 1 
${rootdev} ${rootdev} 1024 4096 68110 17028 sha256 
2dcd25db0f5b94603843316e5a16ca7717585802bf9a3fbced1443d7f83ec5f6 
fec6bf67513d044bc704c63e37508b223d75867842ac828ba0147c6080578698 1 
restart_on_corruption" root=/dev/dm-0 ro";
             signature {
                 ...
             };
         };

In the boot flow the FIT needs to be signature verified and is processed 
only after boot command has been issued. Resorting to u-boot scripting 
means it would require parsing FIT twice and do all verifications twice. 
Using C avoids this redundancy.

The command line approach is supported since Linux kernel version 5.1 
onwards (CONFIG_DM_INIT), and it avoids us the need to bundle a 
"trampoline" initramfs with Linux kernel for issuing veritysetup and 
mount commands. The bundling approach struck as more time consuming and 
also more cumbersome on Yocto to build for various different image types 
in same build, and introduces additional booting overhead on target.

Related to existing dm-verity support in U-Boot, I observed there is 
Android Verified Boot 2.0 code which seemed to resort to appending the 
kernel command line, which lead us to propose this change which would 
allow us to perform the picking of the property from the FIT image, 
processing it and appending it to our default "bootargs" in a board 
specific function.

-Niko

More information about the U-Boot mailing list