[PATCH 00/28] Initial implementation of bootmethod/bootflow

Mark Kettenis mark.kettenis at xs4all.nl
Thu Aug 26 15:32:52 CEST 2021


> Date: Thu, 26 Aug 2021 09:00:01 -0400
> From: Tom Rini <trini at konsulko.com>
> 
> On Thu, Aug 26, 2021 at 02:01:07PM +0200, Mark Kettenis wrote:
> > > Date: Wed, 25 Aug 2021 18:06:05 -0400
> > > From: Tom Rini <trini at konsulko.com>
> > > 
> > > On Wed, Aug 25, 2021 at 11:54:58PM +0200, Mark Kettenis wrote:
> > > > > Date: Wed, 25 Aug 2021 10:56:35 -0400
> > > > > From: Tom Rini <trini at konsulko.com>
> > > > > 
> > > > > On Wed, Aug 25, 2021 at 11:42:51PM +0900, AKASHI Takahiro wrote:
> > > > > > Simon,
> > > > > > 
> > > > > > On Wed, Aug 25, 2021 at 07:11:44AM -0600, Simon Glass wrote:
> > > > > > > Hi,
> > > > > > > 
> > > > > > > On Wed, 25 Aug 2021 at 04:45, Emmanuel Vadot <manu at bidouilliste.com> wrote:
> > > > > > > >
> > > > > > > > On Tue, 24 Aug 2021 12:22:42 +0200 (CEST)
> > > > > > > > Mark Kettenis <mark.kettenis at xs4all.nl> wrote:
> > > > > > > >
> > > > > > > > > > Date: Mon, 23 Aug 2021 16:01:46 -0400
> > > > > > > > > > From: Tom Rini <trini at konsulko.com>
> > > > > > > > > >
> > > > > > > > > > On Mon, Aug 23, 2021 at 11:25:42AM -0600, Simon Glass wrote:
> > > > > > > > > > > Hi Mark,
> > > > > > > > > > >
> > > > > > > > > > > On Mon, 23 Aug 2021 at 05:54, Mark Kettenis <mark.kettenis at xs4all.nl> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > From: Simon Glass <sjg at chromium.org>
> > > > > > > > > > > > > Date: Wed, 18 Aug 2021 21:45:33 -0600
> > > > > > > > > > > > >
> > > > > > > > > > > > > Bootmethod and bootflow provide a built-in way for U-Boot to automatically boot
> > > > > > > > > > > > > an Operating System without custom scripting and other customisation:
> > > > > > > > > > > > >
> > > > > > > > > > > > >   - bootmethod - a method to scan a device to find bootflows (owned by U-Boot)
> > > > > > > > > > > > >   - bootflow - a description of how to boot (owned by the distro)
> > > > > > > > > > > > >
> > > > > > > > > > > > > This series provides an initial implementation of these, enable to scan
> > > > > > > > > > > > > for bootflows from MMC and Ethernet. The only bootflow supported is
> > > > > > > > > > > > > distro boot, i.e. an extlinux.conf file included on a filesystem or
> > > > > > > > > > > > > tftp server. It works similiarly to the existing script-based approach,
> > > > > > > > > > > > > but is native to U-Boot.
> > > > > > > > > > > > >
> > > > > > > > > > > > > With this we can boot on a Raspberry Pi 3 with just one command:
> > > > > > > > > > > > >
> > > > > > > > > > > > >    bootflow scan -lb
> > > > > > > > > > > > >
> > > > > > > > > > > > > which means to scan, listing (-l) each bootflow and trying to boot each
> > > > > > > > > > > > > one (-b). The final patch shows this.
> > > > > > > > > > > > >
> > > > > > > > > > > > > It is intended that this approach be expanded to support mechanisms other
> > > > > > > > > > > > > than distro boot, including EFI-related ones. With a standard way to
> > > > > > > > > > > > > identify boot devices, these features become easier. It also should
> > > > > > > > > > > > > support U-Boot scripts, for backwards compatibility only.
> > > > > > > > > > > > >
> > > > > > > > > > > > > The first patch of this series moves boot-related code out of common/ and
> > > > > > > > > > > > > into a new boot/ directory. This helps to collect these related files
> > > > > > > > > > > > > in one place, as common/ is quite large.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Like sysboot, this feature makes use of the existing PXE implementation.
> > > > > > > > > > > > > Much of this series consists of cleaning up that code and refactoring it
> > > > > > > > > > > > > into something closer to a module that can be called, teasing apart its
> > > > > > > > > > > > > reliance on the command-line interpreter to access filesystems and the
> > > > > > > > > > > > > like. Also it now uses function arguments and its own context struct
> > > > > > > > > > > > > internally rather than environment variables, which is very hard to
> > > > > > > > > > > > > follow. No core functional change is included in the included PXE patches.
> > > > > > > > > > > > >
> > > > > > > > > > > > > For documentation, see the 'doc' patch.
> > > > > > > > > > > > >
> > > > > > > > > > > > > There is quite a long list of future work included in the documentation.
> > > > > > > > > > > > > One question is the choice of naming. Since this is a bootloader, should
> > > > > > > > > > > > > we just call this a 'method' and a 'flow' ? The 'boot' prefix is already
> > > > > > > > > > > > > shared by other commands like bootm, booti, etc.
> > > > > > > > > > > > >
> > > > > > > > > > > > > The design is described here:
> > > > > > > > > > > > >
> > > > > > > > > > > > > https://drive.google.com/file/d/1ggW0KJpUOR__vBkj3l61L2dav4ZkNC12/view?usp=sharing
> > > > > > > > > > > > >
> > > > > > > > > > > > > The series is available at u-boot-dm/bmea-working
> > > > > > > > > > > >
> > > > > > > > > > > > How does the user control the order in which devices are scanned/booted?
> > > > > > > > > > >
> > > > > > > > > > > That is not supported in distroboot at present, at least so far as I
> > > > > > > > > > > can see. For Fedora it seems to happen in grub. Do I have that right?
> > > > > > > > > >
> > > > > > > > > > Well, there's "find the next stage", which is boot_targets environment
> > > > > > > > > > variable, and then "where that next stage looks for stuff" which is
> > > > > > > > > > OS-dependent.  Sometimes the ESP grub.cfg file is just enough to tell
> > > > > > > > > > grub to find the full grub.cfg file elsewhere, and sometimes it's a full
> > > > > > > > > > grub.cfg file.  I think Mark is talking about the former, and you've
> > > > > > > > > > said it's not part of this series, yet, but on the TODO list.
> > > > > > > > >
> > > > > > > > > Right.  With the current distroboot code the order of the devices that
> > > > > > > > > appears in boot_targets is determined by per-board/SOC/machine config
> > > > > > > > > files and the order isn't the same for all of them.  Users can change
> > > > > > > > > the order if necessary by modifying the environment variable and
> > > > > > > > > saving the environment.  And for a one-off boot from a different
> > > > > > > > > device they can simply run an appropriate boot command.  The
> > > > > > > > > boot_targets variable in particular is documented in various install
> > > > > > > > > documents so it would probably be good of the new "bootmethod" code
> > > > > > > > > would respect this variable.
> > > > > > > > >
> > > > > > > > > For OpenBSD I'm not really interested in the bootflow part.  As I
> > > > > > > > > explained in the past, that part of the problem is solved in a
> > > > > > > > > (mostly) uniform way across platforms by the OpenBSD bootloader which
> > > > > > > > > can read an /etc/boot.conf that allows bootflow customization.  So as
> > > > > > > > > long as the default of the new code still results in
> > > > > > > > > \EFI\BOOT\BOOT{machine type short-name}.EFI being loaded and run if
> > > > > > > > > there is no U-Boot specific bootflow configured, I'm happy.
> > > > > > > >
> > > > > > > >  Mostly the same for FreeBSD, as long as the efi boot<arch>.efi is
> > > > > > > > loaded and run by default (respecting the boot_targets order) we will
> > > > > > > > be fine.
> > > > > > > 
> > > > > > > OK thanks for the info. My expectation is that bootmethod/bootflow can
> > > > > > > support this easily enough (it is actually simpler than distro boot).
> > > > > > > 
> > > > > > > >
> > > > > > > > > I can't speak for the other BSDs, but my impression is that they are
> > > > > > > > > pretty much in the same position.  The FreeBSD bootloader for example
> > > > > > > > > supports a high-degree of "bootflow" customization and I doubt that
> > > > > > > > > taking it out of the loop is a viable option for most users.
> > > > > > > 
> > > > > > > I think the same may happen with grub. E.g. with Ubuntu I see quite a
> > > > > > > bit of code in the grub.cfg file and it's not clear to me that it can
> > > > > > > be replaced with a 'data instead of code' approach. Still, a valid
> > > > > > > bootflow is simply to jump to an EFI app, which seems to be what is
> > > > > > > happening here. The bootflow side is really just about describing what
> > > > > > > to do, and this case is no different. For now I see three types of
> > > > > > > bootflow, PXE/syslinux, EFI boot manager and EFI app.
> > > > > > 
> > > > > > By "EFI app", do you mean a way of booting "/efi/boot/bootXX.efi"
> > > > > > (default file name in case that no image path is specified)?
> > > > > > 
> > > > > > In fact, this behavior, or removable media support, is defined
> > > > > > as part of UEFI boot manager in UEFI specification. (See section 3.5)
> > > > > > What this means is that the boot order, including a removable media
> > > > > > case and user-provided BootXXXX cases, should be controlled solely
> > > > > > by "BootOrder" variable.
> > > > > > So the current combination of distro_bootcmd + UEFI boot manger doesn't
> > > > > > fully comply with the specification.
> > > > > > 
> > > > > > Even if those two cases are integrated, I don't know how "BootOrder"
> > > > > > semantics can be preserved in your approach.
> > > > > 
> > > > > I think the high level answer is that whereas today part of
> > > > > distro_bootcmd (and so iterating over boot_targets) "bootefi bootmgr"
> > > > > gets run, with what Simon is proposing we would have an easier / quicker
> > > > > way to get over to just running that.  Perhaps a clean-up to just use
> > > > > that, even?  Or are we not to the point yet where we could remove the
> > > > > direct fall-back to /efi/boot/bootXX.efi ?
> > > > 
> > > > I think "bootefi bootmgr" only works if the BootOrder variable is
> > > > defined, and currently that isn't the case.
> > > > 
> > > > The boot manager behaviour as specified in the UEFI specification is
> > > > somewhat problematic to implement in U-Boot because of the limitations
> > > > in how variables can be set at runtime.  This is one of the reasons
> > > > OpenBSD doesn't actually bother with setting the variables and simple
> > > > relies on the "removable media" support mentioned above.  All my
> > > > OpenBSD systems that use U-Boot print the follwing lines:
> > > > 
> > > >   BootOrder not defined
> > > >   EFI boot manager: Cannot load any image
> > > >   Found EFI removable media binary efi/boot/bootaa64.efi
> > > > 
> > > > But maybe that last step can be intgrated into bootefi bootmgr at some
> > > > point?
> > > > 
> > > > Also note that manually manipulating the EFI variables to change the
> > > > boot order is quite cumbersome; it isn't a matter of just changed the
> > > > aforementioned BootOrder variable.  That's why I think boot_targets is
> > > > the preferable way to define the order in which devices should be
> > > > booted.  I don't think that violates the UEFI specification.  It
> > > > merely is the way U-Boot implements the boot device selection that
> > > > more traditional UEFI implementations implement using a menu.
> > > 
> > > As I don't want to side-track Simon's thread even further, I would like
> > > to see a bit more detailed explanation of why U-Boot cannot support EFI
> > > variables, or if it's just a matter of someone doing the work, and it's
> > > not been a priority yet.
> > 
> > U-Boot has some support for EFI variables, but there are some
> > fundamental problems that make "full" support for them hard or even
> > impossible.
> > 
> > Some non-volatile storage is necessary for these variables such that
> > they can be persistent across boots.  Obviously this very much applies
> > to the BootOrder variable.  EFI defines calls to manipulate variables
> > as part of its runtime services.  This means that the NV storage has
> > to implemented in a way that doesn't interfere with normal OS usage of
> > the hardware.  That pretty much means that you need dedicated hardware
> > for this, which most devices supported by U-Boot simply don't have.
> > Having the EFI variables in the U-Boot environment on a reserved part
> > of a uSD card isn't going to work if the OS assumes it has full
> > control over the uSD controller.
> > 
> > Recent versions of the UEFI have made the implementation of some of
> > the runtime services optional (more or less at the request of the EBBR
> > folks) and allow certain calls (e.g. the SetVariable() call) to fail.
> > This poses a bit of a problem though, which I'll try to sketch here:
> > 
> > The way things typically work on a x86 EFI system is that you boot
> > your OS installer from removable media.  The OS installer does its
> > thing (partitions the disk, creates filesystems, installs the OS
> > kernel, etc.) and at the end creates a boot option for the boot
> > manager by creating an apropriate Boot#### variable and possibly
> > modifying the BootOrder variable to include the newly created boot
> > option.  A typical x86 Linux distro will create a Boot#### variable
> > that is effectively a devicepath pointing at grub.efi.  Unfortunately
> > that won't work if the SetVariable() EFI runtime interface doesn't
> > work.
> > 
> > I'm not sure how the EBBR folks envisaged the OS installation user
> > experience on these systems.  Maybe Takahiro can explain.  But as long
> > as you don't really care about booting multiple OSes on a system,
> > relying on the default removable media boot path works fine in most
> > cases in that it automatically boots into the installed OS when you
> > reboot after removing the installation media.
> 
> Ah right, run-time variables are where it gets tricky.  I would think
> that when ENV_IS_IN_MMC/etc, where it's a hard location on something,
> and not a file (which would be hard to share since it's likely mounted
> via the OS) would let us get past that.

Not really.  As soon as the OS takes over the MMC controller, U-Boot
can't touch it anymore.  The only thing that really works is using a
dedicated device that isn't exposed to the OS.  So U-Boot would need
to remove its nodes from the device tree.  But even then things get
tricky with shared clocks and such.

The only really safe option is to use something like TrustZone on ARM
devices to completely hide things from the non-secure world.  I
believe that is what Linaro is actually doing in their U-Boot based
implementation where the EFI variable store is actually implemented in
OP-TEE running in the secure world.  However that places demands on
the hardware that many SoCs and boards won't be able to fulfill.

A lot of the more advance EFI features that have been
implemented/proposed (secure boot, capsule updates) do rely on having
proper run-time variable support.  So Simon does have a point that the
EFI based approach for that has some serious issues that a "native"
U-Boot implementation could avoid and that enabling these EFI features
by default adds unecessary "bloat".


More information about the U-Boot mailing list