Message ID | 1430760687-28505-12-git-send-email-sjg@chromium.org |
---|---|
State | Superseded |
Delegated to: | Simon Glass |
Hi Simon,

On Mon, May 4, 2015 at 12:31 PM, Simon Glass <sjg@chromium.org> wrote:
> For secure boot systems it is common to have a read-only U-Boot which starts
> the machine and jumps to a read-write U-Boot for actual booting the OS. This
> allows the read-write U-Boot to be upgraded without risk of permanently
> bricking the machine. In the event that the read-write U-Boot is corrupted,
> the read-only U-Boot can detect this with a checksum and boot into a
> recovery flow.
>
> To support this, add a way to detect when U-Boot is run from SPL as opposed
> to some other method, such as booted directly (no SPL) or started from
> another source (e.g. a primary U-Boot). This works by putting a special value
> in r0.
>
> For now we rely on board-specific code to actually check the register and
> set a flag. At some point this could be generalised, perhaps by using a spare
> register and passing a flag to _main and/or board_init_f().
>
> Signed-off-by: Simon Glass <sjg@chromium.org>
> ---
>
> include/spl.h | 13 +++++++++++++
> 1 file changed, 13 insertions(+)

Part of this patch seems to be missing. I don't see how these changes can
accomplish what is described in the commit log.

> diff --git a/include/spl.h b/include/spl.h > index b2e5bf7..cdd63a7 100644 > --- a/include/spl.h > +++ b/include/spl.h > @@ -11,6 +11,8 @@ > #include <linux/compiler.h> > #include <asm/spl.h> > > +/* Value in r0 indicates we booted from U-Boot */ > +#define SPL_RUNNING_FROM_UBOOT 0x13578642 > > /* Boot type */ > #define MMCSD_MODE_UNDEFINED 0
> @@ -82,4 +84,15 @@ int spl_load_image_ext_os(block_dev_desc_t *block_dev, int partition); > #ifdef CONFIG_SPL_BOARD_INIT > void spl_board_init(void); > #endif > + > +/** > + * spl_was_boot_source() - check if U-Boot booted from SPL > + * > + * This will normally be true, but if U-Boot jumps to second U-Boot, it will > + * be false. This should be implemented by board-specific code. > + * > + * @return true if U-Boot booted from SPL, else false > + */ > +bool spl_was_boot_source(void); > + > #endif > --

Thanks,
-Joe
diff --git a/include/spl.h b/include/spl.h index b2e5bf7..cdd63a7 100644 --- a/include/spl.h +++ b/include/spl.h @@ -11,6 +11,8 @@ #include <linux/compiler.h> #include <asm/spl.h> +/* Value in r0 indicates we booted from U-Boot */ +#define SPL_RUNNING_FROM_UBOOT 0x13578642 /* Boot type */ #define MMCSD_MODE_UNDEFINED 0 @@ -82,4 +84,15 @@ int spl_load_image_ext_os(block_dev_desc_t *block_dev, int partition); #ifdef CONFIG_SPL_BOARD_INIT void spl_board_init(void); #endif + +/** + * spl_was_boot_source() - check if U-Boot booted from SPL + * + * This will normally be true, but if U-Boot jumps to second U-Boot, it will + * be false. This should be implemented by board-specific code. + * + * @return true if U-Boot booted from SPL, else false + */ +bool spl_was_boot_source(void); + #endif
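Review bot: the comment on SPL_RUNNING_FROM_UBOOT in the first hunk ("Value in r0 indicates we booted from U-Boot") does not say which component loads r0 or which one reads it, and nothing in this patch does either; the commit log defers both to unnamed board code. State in the comment that a primary U-Boot writes the marker immediately before jumping and that the second copy's start code must capture r0 before any C code clobbers it. Also note that a register value is only a hint: any code path that happens to leave 0x13578642 in r0 would be taken for a primary U-Boot, so the checksum the commit log describes, not this marker, must stay the gate for trusting the read-write image. Finally, "r0" is an ARM register name in an architecture-neutral header (include/spl.h); say which architectures the marker applies to.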
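Review bot: spl_was_boot_source() in the second hunk returns bool, but the includes visible in the header (<linux/compiler.h>, <asm/spl.h>) are not ones that define bool; add #include <stdbool.h> or confirm it is already pulled in. The declaration is also unconditional while the doc comment says it "should be implemented by board-specific code", so any board that calls it without providing an implementation fails at link time; consider a __weak default returning true (the documented normal case) or guarding the declaration with a CONFIG option. The doc comment should also spell out the return value for the direct-boot, no-SPL case the commit log mentions, since "This will normally be true" does not cover it.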
For secure boot systems it is common to have a read-only U-Boot which starts the machine and jumps to a read-write U-Boot for actual booting the OS. This allows the read-write U-Boot to be upgraded without risk of permanently bricking the machine. In the event that the read-write U-Boot is corrupted, the read-only U-Boot can detect this with a checksum and boot into a recovery flow.

To support this, add a way to detect when U-Boot is run from SPL as opposed to some other method, such as booted directly (no SPL) or started from another source (e.g. a primary U-Boot). This works by putting a special value in r0.

For now we rely on board-specific code to actually check the register and set a flag. At some point this could be generalised, perhaps by using a spare register and passing a flag to _main and/or board_init_f().

Signed-off-by: Simon Glass <sjg@chromium.org>
---

include/spl.h | 13 +++++++++++++
1 file changed, 13 insertions(+)
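The read-only/read-write flow the commit message describes, modelled in plain C as an added example that is not part of the patch or of U-Boot: a hypothetical board-specific spl_was_boot_source() built on a saved copy of r0 (record_entry_r0 and boot_r0 are assumed names standing in for the start code that would preserve the register), a constructed CRC-32 standing in for the unspecified checksum, and a decision routine that jumps to the read-write copy, drops into recovery, or boots the OS. The r0 marker only tells the second copy who started it; the checksum is what gates trusting the read-write image.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Marker from the patch: a primary U-Boot puts this in r0 before jumping. */
#define SPL_RUNNING_FROM_UBOOT 0x13578642u
/* Assumed: early start code copies r0 here before C code clobbers it. */
static uint32_t boot_r0;
void record_entry_r0(uint32_t r0) { boot_r0 = r0; }

/* Board-specific implementation of the function the patch declares. */
bool spl_was_boot_source(void) { return boot_r0 != SPL_RUNNING_FROM_UBOOT; }

/* Constructed stand-in for the RW image checksum: bitwise CRC-32 (0xEDB88320). */
uint32_t image_crc32(const uint8_t *p, size_t n)
{
	uint32_t crc = 0xFFFFFFFFu;
	for (size_t i = 0; i < n; i++) {
		crc ^= p[i];
		for (int b = 0; b < 8; b++)
			crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
	}
	return ~crc;
}

enum boot_flow { FLOW_JUMP_TO_RW, FLOW_RECOVERY, FLOW_BOOT_OS };
/* What this U-Boot instance does next; *next_r0 is the value handed to the RW copy. */
enum boot_flow choose_flow(const uint8_t *rw, size_t n, uint32_t good_crc, uint32_t *next_r0)
{
	if (!spl_was_boot_source())
		return FLOW_BOOT_OS;	/* we are the RW copy, started by the RO copy */
	if (image_crc32(rw, n) != good_crc)
		return FLOW_RECOVERY;	/* RW copy damaged: stay in RO and recover */
	*next_r0 = SPL_RUNNING_FROM_UBOOT;	/* tell the RW copy who started it */
	return FLOW_JUMP_TO_RW;
}

int main(void)
{
	uint8_t rw[] = "constructed RW U-Boot image";	/* constructed sample image */
	uint32_t good = image_crc32(rw, sizeof(rw)), r0 = 0;
	record_entry_r0(0);	/* started by SPL: r0 carries no marker */
	printf("RO, image ok:  %d\n", choose_flow(rw, sizeof(rw), good, &r0));
	rw[3] ^= 0x40;		/* corrupt one byte of the RW image */
	printf("RO, image bad: %d\n", choose_flow(rw, sizeof(rw), good, &r0));
	record_entry_r0(r0);	/* now running as the RW copy the RO copy jumped to */
	printf("RW copy:       %d\n", choose_flow(rw, sizeof(rw), good, &r0));
	return 0;
}
```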