[PATCH] fdt_support.c: Allow late kernel cmdline modification

Simon Glass sjg at chromium.org
Mon Mar 15 06:28:55 CET 2021


Hi Niko,

On Thu, 11 Mar 2021 at 20:34, Niko Mauno <niko.mauno at vaisala.com> wrote:
>
> On 2/25/21 6:09 PM, Niko Mauno wrote:
> > On 2/24/21 3:51 PM, Tom Rini wrote:
> >> On Tue, Feb 23, 2021 at 08:33:36AM +0200, Niko Mauno wrote:
> >>> On 2/22/21 10:21 PM, Tom Rini wrote:
> >>>> On Mon, Feb 22, 2021 at 07:18:51PM +0000, Niko Mauno wrote:
> >>>>
> >>>>> By declaring board-specific board_fdt_chosen_bootargs() the kernel
> >>>>> command line arguments can be adjusted before injecting to flat dt
> >>>>> chosen node.
> >>>>>
> >>>>> Signed-off-by: Niko Mauno <niko.mauno at vaisala.com>
> >>>>> ---
> >>>>>    common/fdt_support.c  | 12 +++++++++++-
> >>>>>    include/fdt_support.h | 10 ++++++++++
> >>>>>    2 files changed, 21 insertions(+), 1 deletion(-)
> >>>>>
> >>>>> diff --git a/common/fdt_support.c b/common/fdt_support.c
> >>>>> index 08d540bfc8..4379507e30 100644
> >>>>> --- a/common/fdt_support.c
> >>>>> +++ b/common/fdt_support.c
> >>>>> @@ -269,6 +269,15 @@ int fdt_initrd(void *fdt, ulong initrd_start,
> >>>>> ulong initrd_end)
> >>>>>        return 0;
> >>>>>    }
> >>>>> +/**
> >>>>> + * board_fdt_chosen_bootargs - boards may override this function
> >>>>> to use
> >>>>> + *                             alternative kernel command line
> >>>>> arguments
> >>>>> + */
> >>>>> +__weak char *board_fdt_chosen_bootargs(void)
> >>>>> +{
> >>>>> +    return env_get("bootargs");
> >>>>> +}
> >>>>> +
> >>>>>    int fdt_chosen(void *fdt)
> >>>>>    {
> >>>>>        int   nodeoffset;
> >>>>> @@ -286,7 +295,8 @@ int fdt_chosen(void *fdt)
> >>>>>        if (nodeoffset < 0)
> >>>>>            return nodeoffset;
> >>>>> -    str = env_get("bootargs");
> >>>>> +    str = board_fdt_chosen_bootargs();
> >>>>> +
> >>>>>        if (str) {
> >>>>>            err = fdt_setprop(fdt, nodeoffset, "bootargs", str,
> >>>>>                      strlen(str) + 1);
> >>>>
> >>>> What's this look like in practice?  I'm very wary about changing "set
> >>>> bootargs to what you pass to the kernel" logic that's been there for
> >>>> forever and a constant of every platform.  Thanks!
> >>>>
> >>> Hi Tom,
> >>>
> >>>     Effectively this change as such should introduce no changes to
> >>> prevalent
> >>> "bootargs" logic when an overriding board_fdt_chosen_bootargs() is not
> >>> defined. Our motivation for proposing this change is that it provides us
> >>> with a means to introduce an entry point where we can append rootfs
> >>> specific
> >>> dm-verity kernel command line metrics (such as described in
> >>> https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html)
> >>>
> >>> by reading a property from within a kernel tier FIT image header, in
> >>> order
> >>> to facilitate secure boot process all the way to root filesystem.
> >>
> >> Right.  But what does that logic look like, and why must it be done in
> >> C?  People have used dm-verity with U-Boot for ages, for example.
> >>
> >
> > Our build time implementation injects rootfs specific dm-verity metrics
> > in FIT conf node property, effectively coupling the particular (kernel
> > tier) FIT image and particular rootfs image containing trailing verity
> > hash tree.
> >
> > Below is a sample of such conf node - please note also that the two
> > '${rootdev}' placeholder strings in the injected property are replaced
> > with device node path to 'active' rootfs (in a dual bank scheme where
> > the 'active' rootfs bank is resolved runtime).
> >
> >      configurations {
> >          default = "conf-c";
> >          conf-c {
> >              description = "Linux kernel and FDT blob";
> >              kernel = "kernel";
> >              fdt = "fdt-c";
> >              vaisala,dm-verity-args = "dm-mod.create="dm-verity,
> > ec077aa7-78e5-43b7-9605-0d7f72fc65b9, , ro,  0 136220 verity 1
> > ${rootdev} ${rootdev} 1024 4096 68110 17028 sha256
> > 2dcd25db0f5b94603843316e5a16ca7717585802bf9a3fbced1443d7f83ec5f6
> > fec6bf67513d044bc704c63e37508b223d75867842ac828ba0147c6080578698 1
> > restart_on_corruption" root=/dev/dm-0 ro";
> >              signature {
> >                  ...
> >              };
> >          };
> >
> > In the boot flow the FIT needs to be signature verified and is processed
> > only after boot command has been issued. Resorting to u-boot scripting
> > means it would require parsing FIT twice and do all verifications twice.
> > Using C avoids this redundancy.
> >
> > The command line approach is supported since Linux kernel version 5.1
> > onwards (CONFIG_DM_INIT), and it avoids us the need to bundle a
> > "trampoline" initramfs with Linux kernel for issuing veritysetup and
> > mount commands. The bundling approach struck as more time consuming and
> > also more cumbersome on Yocto to build for various different image types
> > in same build, and introduces additional booting overhead on target.
> >
> > Related to existing dm-verity support in U-Boot, I observed there is
> > Android Verified Boot 2.0 code which seemed to resort to appending the
> > kernel command line, which lead us to propose this change which would
> > allow us to perform the picking of the property from the FIT image,
> > processing it and appending it to our default "bootargs" in a board
> > specific function.
> >
> > -Niko
>
> Since discussion seems discontinued, adding Mr. Simon Glass to
> recipients as custodian of common/fdt_support.c as reported by
> scripts/get_maintainer.pl

This is used on coral which enables CONFIG_BOOTARGS_SUBST so you might
find that does what you want. Once you have the args in an env var
then bootm should do it for you.

Regards,
Simon


More information about the U-Boot mailing list