[PATCH] fdt_support.c: Allow late kernel cmdline modification

Niko Mauno niko.mauno at vaisala.com
Thu Mar 11 08:34:09 CET 2021 

On 2/25/21 6:09 PM, Niko Mauno wrote:
> On 2/24/21 3:51 PM, Tom Rini wrote:
>> On Tue, Feb 23, 2021 at 08:33:36AM +0200, Niko Mauno wrote:
>>> On 2/22/21 10:21 PM, Tom Rini wrote:
>>>> On Mon, Feb 22, 2021 at 07:18:51PM +0000, Niko Mauno wrote:
>>>>
>>>>> By declaring board-specific board_fdt_chosen_bootargs() the kernel
>>>>> command line arguments can be adjusted before injecting to flat dt
>>>>> chosen node.
>>>>>
>>>>> Signed-off-by: Niko Mauno <niko.mauno at vaisala.com>
>>>>> ---
>>>>>    common/fdt_support.c  | 12 +++++++++++-
>>>>>    include/fdt_support.h | 10 ++++++++++
>>>>>    2 files changed, 21 insertions(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/common/fdt_support.c b/common/fdt_support.c
>>>>> index 08d540bfc8..4379507e30 100644
>>>>> --- a/common/fdt_support.c
>>>>> +++ b/common/fdt_support.c
>>>>> @@ -269,6 +269,15 @@ int fdt_initrd(void *fdt, ulong initrd_start, 
>>>>> ulong initrd_end)
>>>>>        return 0;
>>>>>    }
>>>>> +/**
>>>>> + * board_fdt_chosen_bootargs - boards may override this function 
>>>>> to use
>>>>> + *                             alternative kernel command line 
>>>>> arguments
>>>>> + */
>>>>> +__weak char *board_fdt_chosen_bootargs(void)
>>>>> +{
>>>>> +    return env_get("bootargs");
>>>>> +}
>>>>> +
>>>>>    int fdt_chosen(void *fdt)
>>>>>    {
>>>>>        int   nodeoffset;
>>>>> @@ -286,7 +295,8 @@ int fdt_chosen(void *fdt)
>>>>>        if (nodeoffset < 0)
>>>>>            return nodeoffset;
>>>>> -    str = env_get("bootargs");
>>>>> +    str = board_fdt_chosen_bootargs();
>>>>> +
>>>>>        if (str) {
>>>>>            err = fdt_setprop(fdt, nodeoffset, "bootargs", str,
>>>>>                      strlen(str) + 1);
>>>>
>>>> What's this look like in practice?  I'm very wary about changing "set
>>>> bootargs to what you pass to the kernel" logic that's been there for
>>>> forever and a constant of every platform.  Thanks!
>>>>
>>> Hi Tom,
>>>
>>>     Effectively this change as such should introduce no changes to 
>>> prevalent
>>> "bootargs" logic when an overriding board_fdt_chosen_bootargs() is not
>>> defined. Our motivation for proposing this change is that it provides us
>>> with a means to introduce an entry point where we can append rootfs 
>>> specific
>>> dm-verity kernel command line metrics (such as described in
>>> https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html) 
>>>
>>> by reading a property from within a kernel tier FIT image header, in 
>>> order
>>> to facilitate secure boot process all the way to root filesystem.
>>
>> Right.  But what does that logic look like, and why must it be done in
>> C?  People have used dm-verity with U-Boot for ages, for example.
>>
> 
> Our build time implementation injects rootfs specific dm-verity metrics 
> in FIT conf node property, effectively coupling the particular (kernel 
> tier) FIT image and particular rootfs image containing trailing verity 
> hash tree.
> 
> Below is a sample of such conf node - please note also that the two 
> '${rootdev}' placeholder strings in the injected property are replaced 
> with device node path to 'active' rootfs (in a dual bank scheme where 
> the 'active' rootfs bank is resolved runtime).
> 
>      configurations {
>          default = "conf-c";
>          conf-c {
>              description = "Linux kernel and FDT blob";
>              kernel = "kernel";
>              fdt = "fdt-c";
>              vaisala,dm-verity-args = "dm-mod.create="dm-verity, 
> ec077aa7-78e5-43b7-9605-0d7f72fc65b9, , ro,  0 136220 verity 1 
> ${rootdev} ${rootdev} 1024 4096 68110 17028 sha256 
> 2dcd25db0f5b94603843316e5a16ca7717585802bf9a3fbced1443d7f83ec5f6 
> fec6bf67513d044bc704c63e37508b223d75867842ac828ba0147c6080578698 1 
> restart_on_corruption" root=/dev/dm-0 ro";
>              signature {
>                  ...
>              };
>          };
> 
> In the boot flow the FIT needs to be signature verified and is processed 
> only after boot command has been issued. Resorting to u-boot scripting 
> means it would require parsing FIT twice and do all verifications twice. 
> Using C avoids this redundancy.
> 
> The command line approach is supported since Linux kernel version 5.1 
> onwards (CONFIG_DM_INIT), and it avoids us the need to bundle a 
> "trampoline" initramfs with Linux kernel for issuing veritysetup and 
> mount commands. The bundling approach struck as more time consuming and 
> also more cumbersome on Yocto to build for various different image types 
> in same build, and introduces additional booting overhead on target.
> 
> Related to existing dm-verity support in U-Boot, I observed there is 
> Android Verified Boot 2.0 code which seemed to resort to appending the 
> kernel command line, which lead us to propose this change which would 
> allow us to perform the picking of the property from the FIT image, 
> processing it and appending it to our default "bootargs" in a board 
> specific function.
> 
> -Niko

Since discussion seems discontinued, adding Mr. Simon Glass to 
recipients as custodian of common/fdt_support.c as reported by 
scripts/get_maintainer.pl

More information about the U-Boot mailing list