Currently the only way to run an EFI binary like GRUB2 is via the 'bootefi' command, which cannot be used in a verified boot scenario.
The obvious solution to this limitation is to add support for booting FIT images containing those EFI binaries.
The implementation relies on a new image type - IH_OS_EFI - which can be created by using 'os = "efi"' inside an ITS file:
/ { #address-cells = <1>;
images { efi-grub { description = "GRUB EFI"; data = /incbin/("bootarm.efi"); type = "kernel_noload"; arch = "arm"; os = "efi"; compression = "none"; load = <0x0>; entry = <0x0>; hash-1 { algo = "sha256"; }; }; };
configurations { default = "config-grub"; config-grub { kernel = "efi-grub"; signature-1 { algo = "sha256,rsa2048"; sign-images = "kernel"; }; }; }; };
The bootm command has been extended to handle the IH_OS_EFI images. To enable this feature, a new configuration option has been added: BOOTM_EFI
I tested the solution using the 'qemu_arm' board:
=> load scsi 0:1 ${kernel_addr_r} efi-image.fit => bootm ${kernel_addr_r}#config-grub
Changes in v5: * Update the definition of BOOTM_EFI: move content right after CMD_BOOTM, improve description and help text, fix dependency * Change the type of the 'addr' field inside 'env__efi_fit_tftp_file' dictionary from string to integer, currently tested on: sandbox, qemu_arm, qemu_arm64
Changes in v4: * Extend the python test to also run on real hardware, currently tested on qemu_arm
Changes in v3: * Rebase patches on Heinrich Schuchardt's patch series v3: efi_loader: prepare for FIT images https://lists.denx.de/pipermail/u-boot/2019-December/393677.html This fixes implicitly the sandbox issue 'phys_to_virt: Cannot map sandbox address' since efi_install_fdt() is now expecting a pointer to addressable memory instead of a physical address. * Get rid of 'EFI/BOOT/' prefix used in ITS samples * Add a python test to verify the implementation in sandbox environment
Changes in v2: * Rebase patches on Heinrich Schuchardt's patch series: efi_loader: prepare for FIT images https://lists.denx.de/pipermail/u-boot/2019-December/393192.html * Add sample configuration: doc/uImage.FIT/uefi.its * Update uefi documentation: doc/uefi/uefi.rst
Cristian Ciocaltea (5): image: Add IH_OS_EFI for EFI chain-load boot bootm: Add a bootm command for type IH_OS_EFI doc: Add sample uefi.its image description file doc: uefi.rst: Document launching UEFI binaries from FIT images test/py: Create a test for launching UEFI binaries from FIT images
cmd/Kconfig | 7 + common/bootm_os.c | 56 +++++ common/image-fit.c | 3 +- common/image.c | 1 + doc/uImage.FIT/uefi.its | 67 +++++ doc/uefi/uefi.rst | 34 +++ include/image.h | 1 + test/py/tests/test_efi_fit.py | 458 ++++++++++++++++++++++++++++++++++ 8 files changed, 626 insertions(+), 1 deletion(-) create mode 100644 doc/uImage.FIT/uefi.its create mode 100644 test/py/tests/test_efi_fit.py