Standard Boot integration - script validation before execution

Tom Rini trini at konsulko.com
Tue Dec 16 15:31:38 CET 2025 

On Tue, Dec 16, 2025 at 03:13:59PM +0100, Patryk wrote:

> Hi
> I would like to integrate Standard Boot on our custom board based on
> NXP LS1028a, as it currently uses a so-called distro boot.
> Normally I would just follow the instructions in the doc about
> converting from distro boot to standard boot, but things are in fact a
> bit more complicated. My board supports dual rootfs following the A/B
> update scheme, so I need a place where I can check the boot state,
> boot counter and so on, so as to set the final rootfs partition to
> pass to the kernel. That's actually not a problem - I can just use the
> bootmeth script and put all the logic there. The problem is that on a
> production system, the devics will be protected by the Secure Boot
> procedure, so the script to be executed should also be verified before
> the execution. In the current solution (distro boot), the boot
> command, first loads the script, then calls esbc_validate over the
> script header and if the validation passes it sources the script so
> the OS can be loaded. In current bootmeth_script there is no place (or
> I'm not aware of) that would allow me to do vendor-specific validation
> over the script. What would you advise in this case? Is there any way
> to "inject" some plugins into the existing boot methods, like  e.g. a
> plugin that would be overriding or adding some functionalities to
> existing bootmeth_script? I can of course patch the existing
> bootmeth_script with a command that would perform the validation but
> this would no longer be a generic boot method. Or perhaps should I
> create my own boot method?

I think, given how RAUC has been implemented (which in the "distro boot"
days was a complex boot script), you're likely best off making a custom
boot method.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20251216/6daa1544/attachment.sig>

More information about the U-Boot mailing list