diff mbox series

fdt_support.c: Allow late kernel cmdline modification

Message ID 20210222191851.8009-1-niko.mauno@vaisala.com
State New
Delegated to: Tom Rini
Headers show
Series fdt_support.c: Allow late kernel cmdline modification | expand

Commit Message

Niko Mauno Feb. 22, 2021, 7:18 p.m. UTC
By declaring board-specific board_fdt_chosen_bootargs() the kernel
command line arguments can be adjusted before injecting to flat dt
chosen node.

Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
---
 common/fdt_support.c  | 12 +++++++++++-
 include/fdt_support.h | 10 ++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

Comments

Tom Rini Feb. 22, 2021, 8:21 p.m. UTC | #1
On Mon, Feb 22, 2021 at 07:18:51PM +0000, Niko Mauno wrote:

> By declaring board-specific board_fdt_chosen_bootargs() the kernel
> command line arguments can be adjusted before injecting to flat dt
> chosen node.
> 
> Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
> ---
>  common/fdt_support.c  | 12 +++++++++++-
>  include/fdt_support.h | 10 ++++++++++
>  2 files changed, 21 insertions(+), 1 deletion(-)
> 
> diff --git a/common/fdt_support.c b/common/fdt_support.c
> index 08d540bfc8..4379507e30 100644
> --- a/common/fdt_support.c
> +++ b/common/fdt_support.c
> @@ -269,6 +269,15 @@ int fdt_initrd(void *fdt, ulong initrd_start, ulong initrd_end)
>  	return 0;
>  }
>  
> +/**
> + * board_fdt_chosen_bootargs - boards may override this function to use
> + *                             alternative kernel command line arguments
> + */
> +__weak char *board_fdt_chosen_bootargs(void)
> +{
> +	return env_get("bootargs");
> +}
> +
>  int fdt_chosen(void *fdt)
>  {
>  	int   nodeoffset;
> @@ -286,7 +295,8 @@ int fdt_chosen(void *fdt)
>  	if (nodeoffset < 0)
>  		return nodeoffset;
>  
> -	str = env_get("bootargs");
> +	str = board_fdt_chosen_bootargs();
> +
>  	if (str) {
>  		err = fdt_setprop(fdt, nodeoffset, "bootargs", str,
>  				  strlen(str) + 1);

What's this look like in practice?  I'm very wary about changing "set
bootargs to what you pass to the kernel" logic that's been there for
forever and a constant of every platform.  Thanks!
Niko Mauno Feb. 23, 2021, 6:33 a.m. UTC | #2
On 2/22/21 10:21 PM, Tom Rini wrote:
> On Mon, Feb 22, 2021 at 07:18:51PM +0000, Niko Mauno wrote:
> 
>> By declaring board-specific board_fdt_chosen_bootargs() the kernel
>> command line arguments can be adjusted before injecting to flat dt
>> chosen node.
>>
>> Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
>> ---
>>   common/fdt_support.c  | 12 +++++++++++-
>>   include/fdt_support.h | 10 ++++++++++
>>   2 files changed, 21 insertions(+), 1 deletion(-)
>>
>> diff --git a/common/fdt_support.c b/common/fdt_support.c
>> index 08d540bfc8..4379507e30 100644
>> --- a/common/fdt_support.c
>> +++ b/common/fdt_support.c
>> @@ -269,6 +269,15 @@ int fdt_initrd(void *fdt, ulong initrd_start, ulong initrd_end)
>>   	return 0;
>>   }
>>   
>> +/**
>> + * board_fdt_chosen_bootargs - boards may override this function to use
>> + *                             alternative kernel command line arguments
>> + */
>> +__weak char *board_fdt_chosen_bootargs(void)
>> +{
>> +	return env_get("bootargs");
>> +}
>> +
>>   int fdt_chosen(void *fdt)
>>   {
>>   	int   nodeoffset;
>> @@ -286,7 +295,8 @@ int fdt_chosen(void *fdt)
>>   	if (nodeoffset < 0)
>>   		return nodeoffset;
>>   
>> -	str = env_get("bootargs");
>> +	str = board_fdt_chosen_bootargs();
>> +
>>   	if (str) {
>>   		err = fdt_setprop(fdt, nodeoffset, "bootargs", str,
>>   				  strlen(str) + 1);
> 
> What's this look like in practice?  I'm very wary about changing "set
> bootargs to what you pass to the kernel" logic that's been there for
> forever and a constant of every platform.  Thanks!
> 
Hi Tom,

    Effectively this change as such should introduce no changes to 
prevalent "bootargs" logic when an overriding 
board_fdt_chosen_bootargs() is not defined. Our motivation for proposing 
this change is that it provides us with a means to introduce an entry 
point where we can append rootfs specific dm-verity kernel command line 
metrics (such as described in 
https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html) 
by reading a property from within a kernel tier FIT image header, in 
order to facilitate secure boot process all the way to root filesystem.

-Niko
Tom Rini Feb. 24, 2021, 1:51 p.m. UTC | #3
On Tue, Feb 23, 2021 at 08:33:36AM +0200, Niko Mauno wrote:
> On 2/22/21 10:21 PM, Tom Rini wrote:
> > On Mon, Feb 22, 2021 at 07:18:51PM +0000, Niko Mauno wrote:
> > 
> > > By declaring board-specific board_fdt_chosen_bootargs() the kernel
> > > command line arguments can be adjusted before injecting to flat dt
> > > chosen node.
> > > 
> > > Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
> > > ---
> > >   common/fdt_support.c  | 12 +++++++++++-
> > >   include/fdt_support.h | 10 ++++++++++
> > >   2 files changed, 21 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/common/fdt_support.c b/common/fdt_support.c
> > > index 08d540bfc8..4379507e30 100644
> > > --- a/common/fdt_support.c
> > > +++ b/common/fdt_support.c
> > > @@ -269,6 +269,15 @@ int fdt_initrd(void *fdt, ulong initrd_start, ulong initrd_end)
> > >   	return 0;
> > >   }
> > > +/**
> > > + * board_fdt_chosen_bootargs - boards may override this function to use
> > > + *                             alternative kernel command line arguments
> > > + */
> > > +__weak char *board_fdt_chosen_bootargs(void)
> > > +{
> > > +	return env_get("bootargs");
> > > +}
> > > +
> > >   int fdt_chosen(void *fdt)
> > >   {
> > >   	int   nodeoffset;
> > > @@ -286,7 +295,8 @@ int fdt_chosen(void *fdt)
> > >   	if (nodeoffset < 0)
> > >   		return nodeoffset;
> > > -	str = env_get("bootargs");
> > > +	str = board_fdt_chosen_bootargs();
> > > +
> > >   	if (str) {
> > >   		err = fdt_setprop(fdt, nodeoffset, "bootargs", str,
> > >   				  strlen(str) + 1);
> > 
> > What's this look like in practice?  I'm very wary about changing "set
> > bootargs to what you pass to the kernel" logic that's been there for
> > forever and a constant of every platform.  Thanks!
> > 
> Hi Tom,
> 
>    Effectively this change as such should introduce no changes to prevalent
> "bootargs" logic when an overriding board_fdt_chosen_bootargs() is not
> defined. Our motivation for proposing this change is that it provides us
> with a means to introduce an entry point where we can append rootfs specific
> dm-verity kernel command line metrics (such as described in
> https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html)
> by reading a property from within a kernel tier FIT image header, in order
> to facilitate secure boot process all the way to root filesystem.

Right.  But what does that logic look like, and why must it be done in
C?  People have used dm-verity with U-Boot for ages, for example.
Niko Mauno Feb. 25, 2021, 4:09 p.m. UTC | #4
On 2/24/21 3:51 PM, Tom Rini wrote:
> On Tue, Feb 23, 2021 at 08:33:36AM +0200, Niko Mauno wrote:
>> On 2/22/21 10:21 PM, Tom Rini wrote:
>>> On Mon, Feb 22, 2021 at 07:18:51PM +0000, Niko Mauno wrote:
>>>
>>>> By declaring board-specific board_fdt_chosen_bootargs() the kernel
>>>> command line arguments can be adjusted before injecting to flat dt
>>>> chosen node.
>>>>
>>>> Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
>>>> ---
>>>>    common/fdt_support.c  | 12 +++++++++++-
>>>>    include/fdt_support.h | 10 ++++++++++
>>>>    2 files changed, 21 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/common/fdt_support.c b/common/fdt_support.c
>>>> index 08d540bfc8..4379507e30 100644
>>>> --- a/common/fdt_support.c
>>>> +++ b/common/fdt_support.c
>>>> @@ -269,6 +269,15 @@ int fdt_initrd(void *fdt, ulong initrd_start, ulong initrd_end)
>>>>    	return 0;
>>>>    }
>>>> +/**
>>>> + * board_fdt_chosen_bootargs - boards may override this function to use
>>>> + *                             alternative kernel command line arguments
>>>> + */
>>>> +__weak char *board_fdt_chosen_bootargs(void)
>>>> +{
>>>> +	return env_get("bootargs");
>>>> +}
>>>> +
>>>>    int fdt_chosen(void *fdt)
>>>>    {
>>>>    	int   nodeoffset;
>>>> @@ -286,7 +295,8 @@ int fdt_chosen(void *fdt)
>>>>    	if (nodeoffset < 0)
>>>>    		return nodeoffset;
>>>> -	str = env_get("bootargs");
>>>> +	str = board_fdt_chosen_bootargs();
>>>> +
>>>>    	if (str) {
>>>>    		err = fdt_setprop(fdt, nodeoffset, "bootargs", str,
>>>>    				  strlen(str) + 1);
>>>
>>> What's this look like in practice?  I'm very wary about changing "set
>>> bootargs to what you pass to the kernel" logic that's been there for
>>> forever and a constant of every platform.  Thanks!
>>>
>> Hi Tom,
>>
>>     Effectively this change as such should introduce no changes to prevalent
>> "bootargs" logic when an overriding board_fdt_chosen_bootargs() is not
>> defined. Our motivation for proposing this change is that it provides us
>> with a means to introduce an entry point where we can append rootfs specific
>> dm-verity kernel command line metrics (such as described in
>> https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/verity.html)
>> by reading a property from within a kernel tier FIT image header, in order
>> to facilitate secure boot process all the way to root filesystem.
> 
> Right.  But what does that logic look like, and why must it be done in
> C?  People have used dm-verity with U-Boot for ages, for example.
> 

Our build time implementation injects rootfs specific dm-verity metrics 
in FIT conf node property, effectively coupling the particular (kernel 
tier) FIT image and particular rootfs image containing trailing verity 
hash tree.

Below is a sample of such conf node - please note also that the two 
'${rootdev}' placeholder strings in the injected property are replaced 
with device node path to 'active' rootfs (in a dual bank scheme where 
the 'active' rootfs bank is resolved runtime).

     configurations {
         default = "conf-c";
         conf-c {
             description = "Linux kernel and FDT blob";
             kernel = "kernel";
             fdt = "fdt-c";
             vaisala,dm-verity-args = "dm-mod.create="dm-verity, 
ec077aa7-78e5-43b7-9605-0d7f72fc65b9, , ro,  0 136220 verity 1 
${rootdev} ${rootdev} 1024 4096 68110 17028 sha256 
2dcd25db0f5b94603843316e5a16ca7717585802bf9a3fbced1443d7f83ec5f6 
fec6bf67513d044bc704c63e37508b223d75867842ac828ba0147c6080578698 1 
restart_on_corruption" root=/dev/dm-0 ro";
             signature {
                 ...
             };
         };

In the boot flow the FIT needs to be signature verified and is processed 
only after boot command has been issued. Resorting to u-boot scripting 
means it would require parsing FIT twice and do all verifications twice. 
Using C avoids this redundancy.

The command line approach is supported since Linux kernel version 5.1 
onwards (CONFIG_DM_INIT), and it avoids us the need to bundle a 
"trampoline" initramfs with Linux kernel for issuing veritysetup and 
mount commands. The bundling approach struck as more time consuming and 
also more cumbersome on Yocto to build for various different image types 
in same build, and introduces additional booting overhead on target.

Related to existing dm-verity support in U-Boot, I observed there is 
Android Verified Boot 2.0 code which seemed to resort to appending the 
kernel command line, which lead us to propose this change which would 
allow us to perform the picking of the property from the FIT image, 
processing it and appending it to our default "bootargs" in a board 
specific function.

-Niko
diff mbox series

Patch

diff --git a/common/fdt_support.c b/common/fdt_support.c
index 08d540bfc8..4379507e30 100644
--- a/common/fdt_support.c
+++ b/common/fdt_support.c
@@ -269,6 +269,15 @@  int fdt_initrd(void *fdt, ulong initrd_start, ulong initrd_end)
 	return 0;
 }
 
+/**
+ * board_fdt_chosen_bootargs - boards may override this function to use
+ *                             alternative kernel command line arguments
+ */
+__weak char *board_fdt_chosen_bootargs(void)
+{
+	return env_get("bootargs");
+}
+
 int fdt_chosen(void *fdt)
 {
 	int   nodeoffset;
@@ -286,7 +295,8 @@  int fdt_chosen(void *fdt)
 	if (nodeoffset < 0)
 		return nodeoffset;
 
-	str = env_get("bootargs");
+	str = board_fdt_chosen_bootargs();
+
 	if (str) {
 		err = fdt_setprop(fdt, nodeoffset, "bootargs", str,
 				  strlen(str) + 1);
diff --git a/include/fdt_support.h b/include/fdt_support.h
index 46eb1dbbb2..e2a4689cd8 100644
--- a/include/fdt_support.h
+++ b/include/fdt_support.h
@@ -185,6 +185,16 @@  int fdt_find_or_add_subnode(void *fdt, int parentoffset, const char *name);
  */
 int ft_board_setup(void *blob, struct bd_info *bd);
 
+/**
+ * board_fdt_chosen_bootargs() - Arbitrarily amend fdt kernel command line
+ *
+ * This is used for late modification of kernel command line arguments just
+ * before they are added into the /chosen node in flat device tree.
+ *
+ * @return: pointer to kernel command line arguments in memory
+ */
+char *board_fdt_chosen_bootargs(void);
+
 /*
  * The keystone2 SOC requires all 32 bit aliased addresses to be converted
  * to their 36 physical format. This has to happen after all fdt nodes