[U-Boot,v2,2/9] arm: spl: Add an API to detect when U-Boot is started from SPL

Message ID 1431522151-20245-3-git-send-email-sjg@chromium.org
State Accepted
Delegated to: Simon Glass

Commit Message

Simon Glass May 13, 2015, 1:02 p.m. UTC
For secure boot systems it is common to have a read-only U-Boot which starts
the machine and jumps to a read-write U-Boot for actually booting the OS. This
allows the read-write U-Boot to be upgraded without risk of permanently
bricking the machine. In the event that the read-write U-Boot is corrupted,
the read-only U-Boot can detect this with a checksum and boot into a
recovery flow.

To support this, add a way to detect when U-Boot is run from SPL as opposed
to some other method, such as booted directly (no SPL) or started from
another source (e.g. a primary U-Boot). This works by putting a special value
in r0.

For now we rely on board-specific code to actually check the register and
set a flag. At some point this could be generalised, perhaps by using a spare
register and passing a flag to _main and/or board_init_f().

This commit does not implement any feature, but merely provides the API for
boards to implement.

Signed-off-by: Simon Glass <sjg@chromium.org>
---

Changes in v2:
- Clarify that this commit provides only the API, not the implementation
- Rename constant to UBOOT_NOT_LOADED_FROM_SPL

 include/spl.h | 13 +++++++++++++
 1 file changed, 13 insertions(+)
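To make the hand-off described in the commit message concrete, here is an added example (my own host-runnable model, not U-Boot code and not part of this patch). The "r0 register" is a global, the read-write image is a constructed byte buffer with a hypothetical header (length plus CRC-32), and the helper names (rw_image_hdr, primary_boot, secondary_entry, build_image, board_capture_boot_source) are all assumptions; only UBOOT_NOT_LOADED_FROM_SPL and spl_was_boot_source() come from the patch. The read-only side checks the image, leaves the marker in r0 and jumps; the read-write side samples r0 once at entry and answers spl_was_boot_source() from that.

```c
/*
 * Added example, not U-Boot code: a host-runnable model of the RO -> RW
 * U-Boot hand-off the commit message describes. The "r0 register" is a global,
 * the RW image is a constructed buffer, and every helper name (rw_image_hdr,
 * primary_boot, build_image, ...) is hypothetical; only
 * UBOOT_NOT_LOADED_FROM_SPL and spl_was_boot_source() come from the patch.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define UBOOT_NOT_LOADED_FROM_SPL 0x13578642u   /* value from the patch */

/* Hypothetical RW image layout: fixed header followed by the payload. */
struct rw_image_hdr {
    uint32_t payload_len;
    uint32_t crc;    /* CRC-32 (IEEE 802.3 polynomial) over the payload */
};

enum boot_path { BOOT_RW, BOOT_RECOVERY };

static uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t c = 0xffffffffu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xedb88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static uint32_t sim_r0;               /* stand-in for r0 at the RW entry point */
static bool started_from_spl = true;  /* "normally true", as the header says */

/* Board-specific code samples r0 once, early, and records the answer. */
static void board_capture_boot_source(uint32_t r0_at_entry)
{
    started_from_spl = (r0_at_entry != UBOOT_NOT_LOADED_FROM_SPL);
}

bool spl_was_boot_source(void)
{
    return started_from_spl;
}

/* First thing the RW U-Boot does after being entered, whoever entered it. */
void secondary_entry(uint32_t r0)
{
    board_capture_boot_source(r0);
}

/* Primary (RO) U-Boot side. A CRC detects corruption, not deliberate tampering. */
bool rw_image_valid(const uint8_t *img, size_t img_len)
{
    struct rw_image_hdr h;
    if (img_len < sizeof(h))
        return false;
    memcpy(&h, img, sizeof(h));
    if (h.payload_len > img_len - sizeof(h))   /* bound before reading data */
        return false;
    return crc32_ieee(img + sizeof(h), h.payload_len) == h.crc;
}

enum boot_path primary_boot(const uint8_t *img, size_t img_len)
{
    if (!rw_image_valid(img, img_len))
        return BOOT_RECOVERY;             /* corrupted RW: stay in RO recovery */
    sim_r0 = UBOOT_NOT_LOADED_FROM_SPL;   /* leave the marker, then jump */
    secondary_entry(sim_r0);
    return BOOT_RW;
}

/* Build a constructed image; optionally flip a payload byte after the CRC is
 * computed so it looks like flash corruption. Returns 0 if it does not fit. */
size_t build_image(uint8_t *out, size_t cap, const uint8_t *payload, size_t n,
                   bool corrupt)
{
    struct rw_image_hdr h = { (uint32_t)n, crc32_ieee(payload, n) };
    if (n == 0 || cap < sizeof(h) + n)
        return 0;
    memcpy(out, &h, sizeof(h));
    memcpy(out + sizeof(h), payload, n);
    if (corrupt)
        out[sizeof(h)] ^= 0x01;
    return sizeof(h) + n;
}

int main(void)
{
    static const uint8_t payload[] = { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4 };
    uint8_t img[64];
    size_t len = build_image(img, sizeof(img), payload, sizeof(payload), false);
    printf("valid RW image: path=%d spl_was_boot_source=%d\n",
           primary_boot(img, len), spl_was_boot_source());
    secondary_entry(0);   /* entered by SPL instead: no marker in r0 */
    printf("entered by SPL: spl_was_boot_source=%d\n", spl_was_boot_source());
    return 0;
}
```

Two caveats a practitioner should keep in mind when reusing this pattern. The r0 marker is written by whatever jumped to the image, so it distinguishes boot paths but proves nothing about who loaded the image; anything that can branch to the read-write U-Boot can also put that value in r0. Likewise the commit message's "checksum" guards against a corrupted upgrade, which is exactly what the recovery flow needs, but it is not a signature, so a secure boot design still needs the read-only image to verify authenticity before the jump.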

Comments

Simon Glass June 11, 2015, 8:18 p.m. UTC | #1
On 13 May 2015 at 07:02, Simon Glass <sjg@chromium.org> wrote:
> For secure boot systems it is common to have a read-only U-Boot which starts
> the machine and jumps to a read-write U-Boot for actually booting the OS. This
> allows the read-write U-Boot to be upgraded without risk of permanently
> bricking the machine. In the event that the read-write U-Boot is corrupted,
> the read-only U-Boot can detect this with a checksum and boot into a
> recovery flow.
>
> To support this, add a way to detect when U-Boot is run from SPL as opposed
> to some other method, such as booted directly (no SPL) or started from
> another source (e.g. a primary U-Boot). This works by putting a special value
> in r0.
>
> For now we rely on board-specific code to actually check the register and
> set a flag. At some point this could be generalised, perhaps by using a spare
> register and passing a flag to _main and/or board_init_f().
>
> This commit does not implement any feature, but merely provides the API for
> boards to implement.
>
> Signed-off-by: Simon Glass <sjg@chromium.org>
> ---
>
> Changes in v2:
> - Clarify that this commit provides only the API, not the implementation
> - Rename constant to UBOOT_NOT_LOADED_FROM_SPL
>
>  include/spl.h | 13 +++++++++++++
>  1 file changed, 13 insertions(+)

Applied to u-boot-dm.

Patch

diff --git a/include/spl.h b/include/spl.h
index b2e5bf7..d19940f 100644
--- a/include/spl.h
+++ b/include/spl.h
@@ -11,6 +11,8 @@ 
 #include <linux/compiler.h>
 #include <asm/spl.h>
 
+/* Value in r0 indicates we booted from U-Boot */
+#define UBOOT_NOT_LOADED_FROM_SPL	0x13578642
 
 /* Boot type */
 #define MMCSD_MODE_UNDEFINED	0
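Review bot: The comment on the new #define ("Value in r0 indicates we booted from U-Boot") reads the opposite way from the constant's name UBOOT_NOT_LOADED_FROM_SPL, and it does not say who writes r0 or that r0 is an ARM register in an otherwise arch-neutral header. Suggest spelling it out, e.g. `/* A primary U-Boot puts this in r0 before jumping to a secondary U-Boot (ARM); its absence means SPL started us */`. The same comment should note that the marker only distinguishes boot paths: any code that can branch to this image can also load that value into r0, so it must not be treated as evidence of which image verified or loaded us.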
@@ -82,4 +84,15 @@  int spl_load_image_ext_os(block_dev_desc_t *block_dev, int partition);
 #ifdef CONFIG_SPL_BOARD_INIT
 void spl_board_init(void);
 #endif
+
+/**
+ * spl_was_boot_source() - check if U-Boot booted from SPL
+ *
+ * This will normally be true, but if U-Boot jumps to second U-Boot, it will
+ * be false. This should be implemented by board-specific code.
+ *
+ * @return true if U-Boot booted from SPL, else false
+ */
+bool spl_was_boot_source(void);
+
 #endif
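Review bot: spl_was_boot_source() is declared unconditionally here but, as the commit message says, no implementation is provided, so any common code that calls it will fail to link on boards that have not added one; consider a __weak default returning true (the "normally" case the comment describes) or a CONFIG guard around the declaration. Two smaller points on the doc comment: "if U-Boot jumps to second U-Boot" should read "a second U-Boot", and it would help callers to state that the answer derives from an r0 marker any loader can set, so it is suitable for choosing a boot flow but not as proof that the image was checked by a primary U-Boot. Also `bool` is used but nothing in the visible includes (<linux/compiler.h>, <asm/spl.h>) obviously provides it; confirm it is pulled in transitively or add <stdbool.h> to this header.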