From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.7 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING, SPF_HELO_NONE,SPF_PASS,UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E3BB9C433EF for ; Sat, 18 Sep 2021 10:10:53 +0000 (UTC) Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id D71E161052 for ; Sat, 18 Sep 2021 10:10:52 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org D71E161052 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=xs4all.nl Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.denx.de Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 90B8E829FC; Sat, 18 Sep 2021 12:10:50 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=xs4all.nl Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id B845C82BE5; Sat, 18 Sep 2021 12:10:48 +0200 (CEST) Received: from sibelius.xs4all.nl (sibelius.xs4all.nl [83.163.83.176]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id D375E80608 for ; Sat, 18 Sep 2021 12:10:44 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=xs4all.nl Authentication-Results: phobos.denx.de; spf=fail smtp.mailfrom=mark.kettenis@xs4all.nl Received: from localhost (bloch.sibelius.xs4all.nl [local]) by bloch.sibelius.xs4all.nl (OpenSMTPD) with ESMTPA id 6287433c; Sat, 18 Sep 2021 12:10:42 +0200 (CEST) Date: Sat, 18 Sep 2021 12:10:42 +0200 (CEST) From: Mark Kettenis To: Moiz Imtiaz Cc: sjg@chromium.org, trini@konsulko.com, u-boot@lists.denx.de, moiz.imtiaz@skyelectric.com, jehannazkhan@skyelectric.com In-Reply-To: (message from Moiz Imtiaz on Sat, 18 Sep 2021 14:47:51 +0500) Subject: Re: Problem with U-boot | Configuration Signature not being checked while booting References: <561452b36639d218@bloch.sibelius.xs4all.nl> <56145f817ba7aedc@bloch.sibelius.xs4all.nl> <20210917172605.GA8971@bill-the-cat> Message-ID: <561469190b08558b@bloch.sibelius.xs4all.nl> X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.34 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.2 at phobos.denx.de X-Virus-Status: Clean > From: Moiz Imtiaz > Date: Sat, 18 Sep 2021 14:47:51 +0500 > > >Nice! If you want to write something up extending the >documentation on > >how you made this work for Pi it would be much appreciated. > > Sure, would love to do a PR. > > I basically replaced the dtb that pi loads with control Dtb of uboot, but > will do a PR of documentation addition in respect to pi_4, detailing > everything shortly :) Sorry, but I don't think this is safe. The Raspberry Pi firmware makes changes to the device tree and it is unclear what requirements it has in terms of names of nodes and compatible strings since the firmware is closed source. It should be fine to add stuff to the DTB that came with the firmware, but replacing it altogether is probably going to break things in subtle ways. So I don't think that is something we should advocate by documenting it in U-Boot. Creating a DT overlay and specifying it in config.txt should be much more robust than doing a wholesale replacement of the firmware DT. > It does verifies the kernel, and other loadables, except (Dtb) because this > is what Pi is giving to Uboot , not sure whether at "starting kernel" stage > Uboot passes its own Dtb (verified one) or the one passed by pi > (unverified/ can't be verified, as it gets passed to Uboot by pi). So in > true sense it's not a complete secure boot. Plus Pi_4 doesn't implement the > trustzone that Armv8 provides (Cortex A-72 ) so I am not sure how difficult > it would be for someone to change the config.txt(kernel=u-boot.bin) in > memory (from attackers perspective), resulting in normal pi bootloader to be > loaded rather Uboot on next reboot. > > If pi can make the config.txt immutable from memory , have kind of secure > world, than it would be great. Not sure, if pi has something as of this in > mind in near future implementation either. > > On Sat, 18 Sep 2021, 14:28 Simon Glass, wrote: > > Hi Tom, > > On Fri, 17 Sept 2021 at 11:26, Tom Rini wrote: > > > > On Fri, Sep 17, 2021 at 10:19:18AM -0600, Simon Glass wrote: > > > Hi Mark, > > > > > > On Wed, 15 Sept 2021 at 05:52, Mark Kettenis > wrote: > > > > > > > > > From: Simon Glass > > > > > Date: Wed, 15 Sep 2021 04:13:24 -0600 > > > > > > > > Hi Simon, > > > > > > > > > Hi Mark, > > > > > > > > > > On Sat, 11 Sept 2021 at 13:18, Mark Kettenis > wrote: > > > > > > > > > > > > > From: Moiz Imtiaz > > > > > > > Date: Sat, 11 Sep 2021 23:19:05 +0500 > > > > > > > > > > > > > > Hi Simon, > > > > > > > > > > > > > > Thanks for the reply. I already followed the steps > mentioned in > > > > > > > "doc/uImage.FIT/beaglebone_vboot.txt". > > > > > > > > > > > > > > >I wonder if rpi is not using the devicetree compiled with > U-Boot, but > > > > > > > instead one provided by the earlier-stage firmware? > > > > > > > > > > > > > > Not sure, but seems like this is the case. I checked and > there isn't any > > > > > > > dtb or dts for rpi4 (bcm2711-rpi-4-b) in arc/arm/dts in > u-boot. I tried to > > > > > > > add the dtb and other dts dtsi > > > > > > > > files > > > > > > > > from the raspberry pi Linux and compile them with > CONFIG_OF_SEPARATE and > > > > > > > CONFIG_OF_EMBED (one at a time) *but it couldn't even boot > the U-Boot and > > > > > > > it would just give a blank screen*. I wonder why there isn't > any device > > > > > > > tree in the U-boot repo for RPI4. Is U-boot control FDT not > supported by > > > > > > > RPI4? > > > > > > > > > > > > The issue with the rpi4 is that the addresses of devices move > around > > > > > > based on the version of the Raspberry Pi firmware you're > using. And > > > > > > possibly on the amount of memory on the board as well. So > U-Boot > > > > > > pretty much has to use the device tree passed by the firmware > since > > > > > > the device tree in the U-Boot tree would be wrong for many > > > > > > combinations of firmware and hardware. > > > > > > > > > > > > Simon, this sort of thing is exactly the reason why I think > the idea > > > > > > of having all U-Boot configuration information in a single > device tree > > > > > > with the hardware description doesn't work everywhere. > > > > > > > > > > >From my reading of this thread, it rather reinforces the need > to > > > > > provide a way to give U-Boot the config it needs, in the > devicetree. > > > > > > > > As long as that configuration is optional, yes, maybe. > > > > > > > > > It seems that rpi is actually OK in this regard. If you think > about > > > > > it, it would be pretty hopeless if first-stage firmware assumed > that > > > > > it could provide a devicetree to whatever is next. > > > > > > > > Not hopeless. If that device tree provides a hardware description > > > > that is complete enough to boot Linux, it should be good enough to > run > > > > U-Boot. > > > > > > Not in general. I hope I have covered this in enormous detail in the > > > devicetree patch. But if you don't need verified boot, SPL or some > > > other feature that needs config, then perhaps you will get away with > > > it. > > > > Wait, why does SPL _need_ it? If something provides us with a device > > tree, we don't need u-boot,dm-spl as that's used to filter nodes in to > a > > smaller DT to use. > > Yes, although if the filtering is not done I am not sure what SPL > would do. In fact we don't have a way to provide two DTs (SPL, U-Boot > proper) from a prior boot stage at present. > > > Dealing with u-boot,dm-pre-reloc could be trickier, > > but means whatever loaded us needs to have enabled any early clocks we > > need. But even then, it's just going to be output related? And some > > "was already configured" path could be used. > > My point is that ignoring U-Boot's devicetree requirements doesn't > work in general. It may work in specific cases. It cannot work for > verified boot of course. > > Regards, > Simon