[U-Boot] Booting a second stage Bootloader in FIT image
Simon Glass
sjg at google.com
Wed Aug 5 01:24:48 CEST 2015
Hi Harsha,
On 4 August 2015 at 10:53, KJ H. Kiran <kj.h.kiran at us.abb.com> wrote:
> HI !
>
>
>
> I think I found a solution. I have created a new cmd in cmd_bootm file and I
> just loaded the loadable images. Now I am able to boot the second stage
> bootloader(or any application).
>
OK that is good. If you have figured out a good solution please send a
patch to the mailing list. The loadable support was added recently
and should support verified boot if you use the configuration
approach.
>
>
> Thanks,
>
> Harsha
>
>
>
> From: KJ H. Kiran
> Sent: Monday, August 03, 2015 5:34 PM
> To: 'sjg at chromium.org'; 'sjg at google.com'; u-boot at lists.denx.de
> Subject: RE: Booting a second stage Bootloader in FIT image
>
>
>
>
>
> Hi Simon,
>
>
>
> I am implementing the secure u-boot for our custom board and have a question
> with the current implementation of secure framework with u-boot loading the
> “loadables” images.
>
>
>
> I got the latest 2015.07 mainline branch and am trying to load a bootloader(
> FIT format) from already loaded bootloader !
>
>
>
> First stage--------------> 2nd stage -------------------> OS FIT
>
> (MLO,u-boot) (u-boot.bin) (kernel, RFS,DTB)
>
>
>
>
>
> I created an .its file just to boot a 2nd stage bootloader
>
>
>
> /dts-v1/;
>
>
>
> / {
>
> description = "ABB Measurement Product images";
>
> #address-cells = <1>;
>
>
>
> images {
>
> u-boot at 1 {
>
> data = /incbin/("u-boot.bin");
>
> type = "u-boot";
>
> arch = "arm";
>
> compression = "none";
>
> load = <0x82000000>;
>
> entry = <0x82000000>;
>
> hash at 1 {
>
> algo = "sha1";
>
> };
>
> };
>
>
>
> };
>
> configurations {
>
> default = "2100000 at xx";
>
> 2100000 at xx {
>
> description = "2nd stage
> BL";
>
> u-boot = "u-boot at 1";
>
> loadables =
> “u-boot at 1”
>
> signature at 1 {
>
> algo =
> "sha1,rsa2048";
>
> key-name-hint =
> "dev";
>
> sign-images =
> "u-boot";
>
> };
>
> };
>
>
>
> };
>
>
>
> };
>
>
>
> I am able to load it on my device and successfully verify the signature.
> How ever the bootm command is trying to find an os image every time. I have
> looked at the cmd_bootm.c file and looks like it checks for the valid os
> image for booting.
>
>
>
> I think it would be good if a special case in bootm is introduced which can
> just load the “loadable” images independent of the kernel image. This will
> allow the users to support multiple image scenario without any depencies. I
> think a separate command is necessary which can verify a signature and just
> load the “loadable” images in the required memory addresses.
>
>
>
> Is there a way kernel images loading can be ignored in bootm ?
>
>
>
> Testing:
>
>
>
> I tried to load my bootloader fit image and run it with bootm
> $loadaddr:u-boot command
>
> U-Boot# bootm $loadaddr:u-boot
>
> ## Loading kernel from FIT Image at 82800000 ...
>
> Trying 'u-boot' kernel subimage
>
> Description: unavailable
>
> Created: 2015-08-03 21:45:12 UTC
>
> Type: Standalone Program
>
> Compression: uncompressed
>
> Data Start: 0x828000b4
>
> Data Size: 385283 Bytes = 376.3 KiB
>
> Architecture: ARM
>
> Load Address: 0x82000000
>
> Entry Point: 0x82000000
>
> Hash algo: sha1
>
> Hash value: d44663a203a151fe52c93029ec1fecee0d30192a
>
> Verifying Hash Integrity ... sha1+ OK
>
> No Unknown OS ARM Kernel Image Image
>
> ERROR: can't get kernel image!
>
>
>
> If I use the bootm $loadaddr#configuration command it tries to run the
> kernel image and it crashes but loads my required image at the memory
> address.
Regards,
Simon
More information about the U-Boot
mailing list