* dtboverlay to U-Boot runtime dtb
@ 2022-07-04 12:36 Peng Fan (OSS)
2022-07-04 12:51 ` Peter Robinson
0 siblings, 1 reply; 5+ messages in thread
From: Peng Fan (OSS) @ 2022-07-04 12:36 UTC (permalink / raw)
To: Tom Rini, Simon Glass, ilias.apalodimas, masahisa.kojima,
xypron.glpk, takahiro.akashi
Cc: Vincent Stehle, u-boot, Ye Li
Hi,
I did a test applying an overlay to the U-Boot runtime dtb, but after the overlay
finishes, the U-Boot DM driver does not work properly because the of_node
pointer of a device is changed.
So I am wondering whether it is valid to apply an overlay to the runtime U-Boot
dtb or not. The reason I tried this is that I want to overlay the EFI capsule
signature onto the U-Boot dtb, so that capsule update with authentication
could work; otherwise I need to integrate the signature in the dts and
rebuild the image. I understand that current U-Boot does not support
overlaying the U-Boot runtime dtb; I am just wondering whether this is valid or
whether we should support it.
Thanks,
Peng.
* Re: dtboverlay to U-Boot runtime dtb
2022-07-04 12:36 dtboverlay to U-Boot runtime dtb Peng Fan (OSS)
@ 2022-07-04 12:51 ` Peter Robinson
2022-07-04 13:27 ` Heinrich Schuchardt
From: Peter Robinson @ 2022-07-04 12:51 UTC (permalink / raw)
To: Peng Fan (OSS)
Cc: Tom Rini, Simon Glass, ilias.apalodimas, masahisa.kojima,
xypron.glpk, takahiro.akashi, Vincent Stehle, u-boot, Ye Li
Hi Peng,
> I did a test applying an overlay to the U-Boot runtime dtb, but after the overlay
> finishes, the U-Boot DM driver does not work properly because the of_node
> pointer of a device is changed.
>
> So I am wondering whether it is valid to apply an overlay to the runtime U-Boot
> dtb or not. The reason I tried this is that I want to overlay the EFI capsule
> signature onto the U-Boot dtb, so that capsule update with authentication
> could work; otherwise I need to integrate the signature in the dts and
> rebuild the image. I understand that current U-Boot does not support
> overlaying the U-Boot runtime dtb; I am just wondering whether this is valid or
> whether we should support it.
Bootlin did a pretty good blog post on DT overlays in U-Boot; not sure
if that's useful for this use case, but for reference:
https://bootlin.com/blog/using-the-u-boot-extension-board-manager-beaglebone-boards-example/
* Re: dtboverlay to U-Boot runtime dtb
2022-07-04 12:51 ` Peter Robinson
@ 2022-07-04 13:27 ` Heinrich Schuchardt
2022-07-04 13:39 ` Tom Rini
From: Heinrich Schuchardt @ 2022-07-04 13:27 UTC (permalink / raw)
To: Peng Fan (OSS)
Cc: Tom Rini, Simon Glass, ilias.apalodimas, masahisa.kojima,
takahiro.akashi, Vincent Stehle, u-boot, Ye Li, Peter Robinson
On 7/4/22 14:51, Peter Robinson wrote:
> Hi Peng,
>
>> I did a test applying an overlay to the U-Boot runtime dtb, but after the overlay
>> finishes, the U-Boot DM driver does not work properly because the of_node
>> pointer of a device is changed.
>>
>> So I am wondering whether it is valid to apply an overlay to the runtime U-Boot
>> dtb or not. The reason I tried this is that I want to overlay the EFI capsule
>> signature onto the U-Boot dtb, so that capsule update with authentication
>> could work; otherwise I need to integrate the signature in the dts and
>> rebuild the image. I understand that current U-Boot does not support
>> overlaying the U-Boot runtime dtb; I am just wondering whether this is valid or
>> whether we should support it.
Applying overlays to the control device-tree is not supported. Allowing
console access on a system where you plan to apply authenticated
capsules seems unwise from a security viewpoint. So we should not
support your scenario.
You can apply overlays to the device-tree passed to the Linux kernel.
Best regards
Heinrich
>
> Bootlin did a pretty good blog post on DT overlays in U-Boot; not sure
> if that's useful for this use case, but for reference:
> https://bootlin.com/blog/using-the-u-boot-extension-board-manager-beaglebone-boards-example/
* Re: dtboverlay to U-Boot runtime dtb
2022-07-04 13:27 ` Heinrich Schuchardt
@ 2022-07-04 13:39 ` Tom Rini
2022-07-04 13:56 ` Heinrich Schuchardt
From: Tom Rini @ 2022-07-04 13:39 UTC (permalink / raw)
To: Heinrich Schuchardt
Cc: Peng Fan (OSS),
Simon Glass, ilias.apalodimas, masahisa.kojima, takahiro.akashi,
Vincent Stehle, u-boot, Ye Li, Peter Robinson
On Mon, Jul 04, 2022 at 03:27:26PM +0200, Heinrich Schuchardt wrote:
> On 7/4/22 14:51, Peter Robinson wrote:
> > Hi Peng,
> >
> > > I did a test applying an overlay to the U-Boot runtime dtb, but after the overlay
> > > finishes, the U-Boot DM driver does not work properly because the of_node
> > > pointer of a device is changed.
> > >
> > > So I am wondering whether it is valid to apply an overlay to the runtime U-Boot
> > > dtb or not. The reason I tried this is that I want to overlay the EFI capsule
> > > signature onto the U-Boot dtb, so that capsule update with authentication
> > > could work; otherwise I need to integrate the signature in the dts and
> > > rebuild the image. I understand that current U-Boot does not support
> > > overlaying the U-Boot runtime dtb; I am just wondering whether this is valid or
> > > whether we should support it.
>
> Applying overlays to the control device-tree is not supported. Allowing
> console access on a system where you plan to apply authenticated
> capsules seems unwise from a security viewpoint. So we should not
> support your scenario.
Note that Peng didn't say "apply an overlay from the console". I had
assumed the desire was to see about doing all of this automatically as
part of processing the update/etc.
I thought we had something similar already, so that we could start with
a "generic" device tree, figure out we're on board X, grab that device
tree (as we're a FIT image and had N dtbs), and then switch to that.
But right now I only spot the logic for selecting that dtb in SPL and
telling full U-Boot to use that tree.
--
Tom
* Re: dtboverlay to U-Boot runtime dtb
2022-07-04 13:39 ` Tom Rini
@ 2022-07-04 13:56 ` Heinrich Schuchardt
From: Heinrich Schuchardt @ 2022-07-04 13:56 UTC (permalink / raw)
To: Tom Rini
Cc: Peng Fan (OSS),
Simon Glass, ilias.apalodimas, masahisa.kojima, takahiro.akashi,
Vincent Stehle, u-boot, Ye Li, Peter Robinson
On 7/4/22 15:39, Tom Rini wrote:
> On Mon, Jul 04, 2022 at 03:27:26PM +0200, Heinrich Schuchardt wrote:
>> On 7/4/22 14:51, Peter Robinson wrote:
>>> Hi Peng,
>>>
>>>> I did a test applying an overlay to the U-Boot runtime dtb, but after the overlay
>>>> finishes, the U-Boot DM driver does not work properly because the of_node
>>>> pointer of a device is changed.
>>>>
>>>> So I am wondering whether it is valid to apply an overlay to the runtime U-Boot
>>>> dtb or not. The reason I tried this is that I want to overlay the EFI capsule
>>>> signature onto the U-Boot dtb, so that capsule update with authentication
>>>> could work; otherwise I need to integrate the signature in the dts and
>>>> rebuild the image. I understand that current U-Boot does not support
>>>> overlaying the U-Boot runtime dtb; I am just wondering whether this is valid or
>>>> whether we should support it.
>>
>> Applying overlays to the control device-tree is not supported. Allowing
>> console access on a system where you plan to apply authenticated
>> capsules seems unwise from a security viewpoint. So we should not
>> support your scenario.
>
> Note that Peng didn't say "apply an overlay from the console". I had
> assumed the desire was to see about doing all of this automatically as
> part of processing the update/etc.
>
> I thought we had something similar already, so that we could start with
> a "generic" device tree, figure out we're on board X, grab that device
> tree (as we're a FIT image and had N dtbs), and then switch to that.
> But right now I only spot the logic for selecting that dtb in SPL and
> telling full U-Boot to use that tree.
>
His question was about avoiding rebuilding the image. So he wants to
apply an overlay at run time, not at build time, to change the key used to
check capsule signatures. This should not be allowed.
Best regards
Heinrich
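As an added illustration that is not from this thread and not U-Boot's own code: the Python below shows concretely why Heinrich's objection holds. It serialises a constructed control device tree carrying a capsule verification key under /signature/capsule-key (the node U-Boot's capsule authentication reads its certificate from; treated here as an assumption), merges an overlay fragment into that tree with a simplified stand-in for fdt_overlay_apply(), and then runs the pinned-digest check a boot stage would need so that a key swapped in at run time is rejected rather than trusted. The DTB writer and parser, the sample keys and every name are constructed for the example.

```python
import copy
import hashlib
import hmac
import struct

# Flattened device tree (DTB) constants from the devicetree specification.
FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)


def build_dtb(root) -> bytes:
    """Serialise a tree of (name, {prop: bytes}, [children]) into a DTB blob."""
    strings, stroff, out = bytearray(), {}, bytearray()

    def name_offset(prop):                      # de-duplicated strings block
        if prop not in stroff:
            stroff[prop] = len(strings)
            strings.extend(prop.encode() + b"\0")
        return stroff[prop]

    def emit(node):
        name, props, children = node
        out.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for prop, value in props.items():
            out.extend(struct.pack(">III", FDT_PROP, len(value), name_offset(prop)) + _pad4(value))
        for child in children:
            emit(child)
        out.extend(struct.pack(">I", FDT_END_NODE))

    emit(root)
    out.extend(struct.pack(">I", FDT_END))
    rsvmap = b"\0" * 16                         # empty memory reservation block
    off_rsv, off_struct = 40, 56                # header is ten big-endian u32s
    off_strings = off_struct + len(out)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, off_rsv, 17, 16, 0, len(strings), len(out))
    return header + rsvmap + bytes(out) + bytes(strings)


def fdt_node_props(dtb: bytes, path: str):
    """Walk the structure block; return {prop: bytes} of the node at `path`, or None."""
    magic, _, off_struct, off_strings = struct.unpack_from(">4I", dtb, 0)
    if magic != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    want = [p for p in path.split("/") if p]
    stack, found, pos = [], None, off_struct
    while True:
        tok = struct.unpack_from(">I", dtb, pos)[0]
        pos += 4
        if tok == FDT_BEGIN_NODE:
            end = dtb.index(b"\0", pos)
            stack.append(dtb[pos:end].decode())
            pos = end + 1 + (-(end + 1) % 4)     # node name is padded to 4 bytes
            if stack[1:] == want:                # stack[0] is the unnamed root
                found = {}
        elif tok == FDT_PROP:
            length, noff = struct.unpack_from(">II", dtb, pos)
            pos += 8
            value = dtb[pos:pos + length]
            pos += length + (-length % 4)
            if stack[1:] == want:
                name_end = dtb.index(b"\0", off_strings + noff)
                found[dtb[off_strings + noff:name_end].decode()] = value
        elif tok == FDT_END_NODE:
            if stack[1:] == want:
                return found
            stack.pop()
        elif tok == FDT_END:
            return found
        elif tok != FDT_NOP:
            raise ValueError(f"bad token {tok:#x} at offset {pos - 4}")


def apply_overlay_fragment(tree, target_path: str, props: dict):
    """Simplified stand-in for fdt_overlay_apply(): merge props into the target node."""
    tree = copy.deepcopy(tree)
    node = tree
    for part in [p for p in target_path.split("/") if p]:
        node = next(c for c in node[2] if c[0] == part)
    node[1].update(props)                       # an overlay may replace any property
    return tree


def capsule_key_digest(dtb: bytes):
    """SHA-256 of /signature/capsule-key (assumed location of the capsule cert)."""
    props = fdt_node_props(dtb, "/signature")
    if not props or "capsule-key" not in props:
        return None
    return hashlib.sha256(props["capsule-key"]).hexdigest()


def control_dt_key_is_pinned(dtb: bytes, pinned_digest: str) -> bool:
    """Policy: the control DT in use must still carry the key that was built in."""
    digest = capsule_key_digest(dtb)
    return digest is not None and hmac.compare_digest(digest, pinned_digest)


# Constructed sample data; the key bytes stand in for an EFI signature list.
TRUSTED_KEY = b"CONSTRUCTED-BUILD-TIME-CAPSULE-KEY-ESL"
OVERLAY_KEY = b"CONSTRUCTED-KEY-SUPPLIED-BY-RUNTIME-OVERLAY"
PINNED_DIGEST = hashlib.sha256(TRUSTED_KEY).hexdigest()   # recorded at build time

CONTROL_TREE = ("", {"compatible": b"example,board\0"}, [
    ("signature", {"capsule-key": TRUSTED_KEY}, []),
    ("chosen", {}, []),
])
TRUSTED_DTB = build_dtb(CONTROL_TREE)
OVERLAID_DTB = build_dtb(apply_overlay_fragment(
    CONTROL_TREE, "/signature", {"capsule-key": OVERLAY_KEY}))

if __name__ == "__main__":
    print("built-in control DT passes pin check:", control_dt_key_is_pinned(TRUSTED_DTB, PINNED_DIGEST))
    print("overlaid control DT passes pin check:", control_dt_key_is_pinned(OVERLAID_DTB, PINNED_DIGEST))
```

The point of the pin is that the overlay merge is indistinguishable from a legitimate build-time change once it has happened: nothing in the blob itself says where capsule-key came from, so the only robust defence is the one Heinrich describes, not allowing the control tree to be modified at run time at all, with a digest of the built-in key as a belt-and-braces check.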