[PATCH] fdt_support.c: Allow late kernel cmdline modification

Mon Mar 15 06:28:55 CET 2021

Hi Niko,

On Thu, 11 Mar 2021 at 20:34, Niko Mauno <niko.mauno at vaisala.com> wrote:
>
> On 2/25/21 6:09 PM, Niko Mauno wrote:
> > On 2/24/21 3:51 PM, Tom Rini wrote:
> >> On Tue, Feb 23, 2021 at 08:33:36AM +0200, Niko Mauno wrote:
> >>> On 2/22/21 10:21 PM, Tom Rini wrote:
> >>>> On Mon, Feb 22, 2021 at 07:18:51PM +0000, Niko Mauno wrote:
> >>>>
> >>>>> By declaring board-specific board_fdt_chosen_bootargs() the kernel
> >>>>> command line arguments can be adjusted before injecting to flat dt
> >>>>> chosen node.
> >>>>>
> >>>>> Signed-off-by: Niko Mauno <niko.mauno at vaisala.com>
> >>>>> ---
> >>>>>    common/fdt_support.c  | 12 +++++++++++-
> >>>>>    include/fdt_support.h | 10 ++++++++++
> >>>>>    2 files changed, 21 insertions(+), 1 deletion(-)
> >>>>>
> >>>>> diff --git a/common/fdt_support.c b/common/fdt_support.c
> >>>>> index 08d540bfc8..4379507e30 100644
> >>>>> --- a/common/fdt_support.c
> >>>>> +++ b/common/fdt_support.c
> >>>>> @@ -269,6 +269,15 @@ int fdt_initrd(void *fdt, ulong initrd_start,
> >>>>> ulong initrd_end)
> >>>>>        return 0;
> >>>>>    }
> >>>>> +/**
> >>>>> + * board_fdt_chosen_bootargs - boards may override this function
> >>>>> to use
> >>>>> + *                             alternative kernel command line
> >>>>> arguments
> >>>>> + */
> >>>>> +__weak char *board_fdt_chosen_bootargs(void)
> >>>>> +{
> >>>>> +    return env_get("bootargs");
> >>>>> +}
> >>>>> +
> >>>>>    int fdt_chosen(void *fdt)
> >>>>>    {
> >>>>>        int   nodeoffset;
> >>>>> @@ -286,7 +295,8 @@ int fdt_chosen(void *fdt)
> >>>>>        if (nodeoffset < 0)
> >>>>>            return nodeoffset;
> >>>>> -    str = env_get("bootargs");
> >>>>> +    str = board_fdt_chosen_bootargs();
> >>>>> +
> >>>>>        if (str) {
> >>>>>            err = fdt_setprop(fdt, nodeoffset, "bootargs", str,
> >>>>>                      strlen(str) + 1);
> >>>>
> >>>> What's this look like in practice?  I'm very wary about changing "set
> >>>> bootargs to what you pass to the kernel" logic that's been there for
> >>>> forever and a constant of every platform.  Thanks!
> >>>>
> >>> Hi Tom,
> >>>
> >>>     Effectively this change as such should introduce no changes to
> >>> prevalent
> >>> "bootargs" logic when an overriding board_fdt_chosen_bootargs() is not
> >>> defined. Our motivation for proposing this change is that it provides us
> >>> with a means to introduce an entry point where we can append rootfs
> >>> specific
> >>> dm-verity kernel command line metrics (such as described in
> >>> https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html)
> >>>
> >>> by reading a property from within a kernel tier FIT image header, in
> >>> order
> >>> to facilitate secure boot process all the way to root filesystem.
> >>
> >> Right.  But what does that logic look like, and why must it be done in
> >> C?  People have used dm-verity with U-Boot for ages, for example.
> >>
> >
> > Our build time implementation injects rootfs specific dm-verity metrics
> > in FIT conf node property, effectively coupling the particular (kernel
> > tier) FIT image and particular rootfs image containing trailing verity
> > hash tree.
> >
> > Below is a sample of such conf node - please note also that the two
> > '${rootdev}' placeholder strings in the injected property are replaced
> > with device node path to 'active' rootfs (in a dual bank scheme where
> > the 'active' rootfs bank is resolved runtime).
> >
> >      configurations {
> >          default = "conf-c";
> >          conf-c {
> >              description = "Linux kernel and FDT blob";
> >              kernel = "kernel";
> >              fdt = "fdt-c";
> >              vaisala,dm-verity-args = "dm-mod.create="dm-verity,
> > ec077aa7-78e5-43b7-9605-0d7f72fc65b9, , ro,  0 136220 verity 1
> > ${rootdev} ${rootdev} 1024 4096 68110 17028 sha256
> > 2dcd25db0f5b94603843316e5a16ca7717585802bf9a3fbced1443d7f83ec5f6
> > fec6bf67513d044bc704c63e37508b223d75867842ac828ba0147c6080578698 1
> > restart_on_corruption" root=/dev/dm-0 ro";
> >              signature {
> >                  ...
> >              };
> >          };
> >
> > In the boot flow the FIT needs to be signature verified and is processed
> > only after boot command has been issued. Resorting to u-boot scripting
> > means it would require parsing FIT twice and do all verifications twice.
> > Using C avoids this redundancy.
> >
> > The command line approach is supported since Linux kernel version 5.1
> > onwards (CONFIG_DM_INIT), and it avoids us the need to bundle a
> > "trampoline" initramfs with Linux kernel for issuing veritysetup and
> > mount commands. The bundling approach struck as more time consuming and
> > also more cumbersome on Yocto to build for various different image types
> > in same build, and introduces additional booting overhead on target.
> >
> > Related to existing dm-verity support in U-Boot, I observed there is
> > Android Verified Boot 2.0 code which seemed to resort to appending the
> > kernel command line, which lead us to propose this change which would
> > allow us to perform the picking of the property from the FIT image,
> > processing it and appending it to our default "bootargs" in a board
> > specific function.
> >
> > -Niko
>
> Since discussion seems discontinued, adding Mr. Simon Glass to
> recipients as custodian of common/fdt_support.c as reported by
> scripts/get_maintainer.pl

This is used on coral which enables CONFIG_BOOTARGS_SUBST so you might
find that does what you want. Once you have the args in an env var
then bootm should do it for you.

Regards,
Simon