Re: [U-Boot] Booting a second stage Bootloader in FIT image

Hi!
I think I found a solution. I have created a new cmd in the cmd_bootm file and I just loaded the loadable images. Now I am able to boot the second stage bootloader (or any application).
Thanks, Harsha
From: KJ H. Kiran
Sent: Monday, August 03, 2015 5:34 PM
To: 'sjg@chromium.org'; 'sjg@google.com'; u-boot@lists.denx.de
Subject: RE: Booting a second stage Bootloader in FIT image
Hi Simon,
I am implementing the secure u-boot for our custom board and have a question with the current implementation of secure framework with u-boot loading the "loadables" images.
I got the latest 2015.07 mainline branch and am trying to load a bootloader (FIT format) from an already loaded bootloader!
First stage--------------> 2nd stage -------------------> OS FIT
(MLO,u-boot)               (u-boot.bin)                   (kernel, RFS,DTB)
I created an .its file just to boot a 2nd stage bootloader
/dts-v1/;

/ {
    description = "ABB Measurement Product images";
    #address-cells = <1>;

    images {
        u-boot@1 {
            data = /incbin/("u-boot.bin");
            type = "u-boot";
            arch = "arm";
            compression = "none";
            load = <0x82000000>;
            entry = <0x82000000>;
            hash@1 {
                algo = "sha1";
            };
        };
    };

    configurations {
        default = "2100000@xx";
        2100000@xx {
            description = "2nd stage BL";
            u-boot = "u-boot@1";
            loadables = "u-boot@1";
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
                sign-images = "u-boot";
            };
        };
    };
};
I am able to load it on my device and successfully verify the signature. However, the bootm command is trying to find an os image every time. I have looked at the cmd_bootm.c file and it looks like it checks for the valid os image for booting.
I think it would be good if a special case in bootm is introduced which can just load the "loadable" images independent of the kernel image. This will allow the users to support multiple image scenario without any dependencies. I think a separate command is necessary which can verify a signature and just load the "loadable" images in the required memory addresses.
Is there a way kernel image loading can be ignored in bootm?
Testing:
I tried to load my bootloader fit image and run it with bootm $loadaddr:u-boot command
U-Boot# bootm $loadaddr:u-boot
## Loading kernel from FIT Image at 82800000 ...
   Trying 'u-boot' kernel subimage
     Description:  unavailable
     Created:      2015-08-03 21:45:12 UTC
     Type:         Standalone Program
     Compression:  uncompressed
     Data Start:   0x828000b4
     Data Size:    385283 Bytes = 376.3 KiB
     Architecture: ARM
     Load Address: 0x82000000
     Entry Point:  0x82000000
     Hash algo:    sha1
     Hash value:   d44663a203a151fe52c93029ec1fecee0d30192a
   Verifying Hash Integrity ... sha1+ OK
No Unknown OS ARM Kernel Image Image
ERROR: can't get kernel image!
If I use the bootm $loadaddr#configuration command it tries to run the kernel image and it crashes but loads my required image at the memory address.
Thanks,
Harsha Kiran KJ
Software engineer II
ABB Inc.
7051 Industrial Boulevard
74006, Bartlesville, Oklahoma, UNITED STATES
Phone: +1 9183384851
Mobile: +1 4053854043
email: kj.h.kiran@us.abb.com

Hi Harsha,
On 4 August 2015 at 10:53, KJ H. Kiran kj.h.kiran@us.abb.com wrote:
Hi!
I think I found a solution. I have created a new cmd in the cmd_bootm file and I just loaded the loadable images. Now I am able to boot the second stage bootloader (or any application).
OK that is good. If you have figured out a good solution please send a patch to the mailing list. The loadable support was added recently and should support verified boot if you use the configuration approach.
Thanks,
Harsha
From: KJ H. Kiran
Sent: Monday, August 03, 2015 5:34 PM
To: 'sjg@chromium.org'; 'sjg@google.com'; u-boot@lists.denx.de
Subject: RE: Booting a second stage Bootloader in FIT image
Hi Simon,
I am implementing the secure u-boot for our custom board and have a question with the current implementation of secure framework with u-boot loading the “loadables” images.
I got the latest 2015.07 mainline branch and am trying to load a bootloader (FIT format) from an already loaded bootloader!
First stage--------------> 2nd stage -------------------> OS FIT
(MLO,u-boot) (u-boot.bin) (kernel, RFS,DTB)
I created an .its file just to boot a 2nd stage bootloader
/dts-v1/;

/ {
    description = "ABB Measurement Product images";
    #address-cells = <1>;

    images {
        u-boot@1 {
            data = /incbin/("u-boot.bin");
            type = "u-boot";
            arch = "arm";
            compression = "none";
            load = <0x82000000>;
            entry = <0x82000000>;
            hash@1 {
                algo = "sha1";
            };
        };
    };

    configurations {
        default = "2100000@xx";
        2100000@xx {
            description = "2nd stage BL";
            u-boot = "u-boot@1";
            loadables = "u-boot@1";
            signature@1 {
                algo = "sha1,rsa2048";
                key-name-hint = "dev";
                sign-images = "u-boot";
            };
        };
    };
};
I am able to load it on my device and successfully verify the signature. However, the bootm command is trying to find an os image every time. I have looked at the cmd_bootm.c file and it looks like it checks for the valid os image for booting.
I think it would be good if a special case in bootm is introduced which can just load the “loadable” images independent of the kernel image. This will allow the users to support multiple image scenario without any dependencies. I think a separate command is necessary which can verify a signature and just load the “loadable” images in the required memory addresses.
Is there a way kernel image loading can be ignored in bootm?
Testing:
I tried to load my bootloader fit image and run it with bootm $loadaddr:u-boot command
U-Boot# bootm $loadaddr:u-boot
## Loading kernel from FIT Image at 82800000 ...
   Trying 'u-boot' kernel subimage
     Description:  unavailable
     Created:      2015-08-03 21:45:12 UTC
     Type:         Standalone Program
     Compression:  uncompressed
     Data Start:   0x828000b4
     Data Size:    385283 Bytes = 376.3 KiB
     Architecture: ARM
     Load Address: 0x82000000
     Entry Point:  0x82000000
     Hash algo:    sha1
     Hash value:   d44663a203a151fe52c93029ec1fecee0d30192a
   Verifying Hash Integrity ... sha1+ OK
No Unknown OS ARM Kernel Image Image
ERROR: can't get kernel image!
If I use the bootm $loadaddr#configuration command it tries to run the kernel image and it crashes but loads my required image at the memory address.
Regards, Simon
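
Added example, not part of the original thread and not U-Boot code: a small Python checker that reads bootm console output and reports whether each "Verifying Hash Integrity" line shows a signature check or only a hash check, as in the `sha1+ OK` line of the log quoted above. The token format (`algo+` for a hash, `algo:key-name+` for a signature, `-` for a failure) and the second sample log are assumptions constructed for illustration.

```python
import re

MARKER = "Verifying Hash Integrity ..."
# Assumed token format after the marker: "<algo>+" or "<algo>-" for a hash
# node, "<hash>,<crypto>:<key-name>+" or "...-" for a signature node.
TOKEN = re.compile(
    r"(?P<algo>[a-z0-9]+(?:,[a-z0-9]+)?)(?::(?P<key>[\w.]+))?(?P<res>[+-])")

# Excerpt of the bootm $loadaddr:u-boot run quoted in the thread.
POST_LOG = """\
## Loading kernel from FIT Image at 82800000 ...
   Trying 'u-boot' kernel subimage
   Verifying Hash Integrity ... sha1+ OK
"""

# Constructed sample: a configuration boot in which a signature is checked.
SIGNED_LOG = """\
   Using '2100000@xx' configuration
   Verifying Hash Integrity ... sha1,rsa2048:dev+ OK
   Trying 'u-boot@1' kernel subimage
   Verifying Hash Integrity ... sha1+ OK
"""

def classify(line):
    """Return a verdict for one console line, or None if it is not an integrity line."""
    if MARKER not in line:
        return None
    tokens = line.split(MARKER, 1)[1].split()
    checks = [m for m in map(TOKEN.fullmatch, tokens) if m]
    if not checks:
        return "unverified"          # no hash or signature node was checked
    if any(m["res"] == "-" for m in checks):
        return "failed"
    if any(m["key"] for m in checks):
        return "signature-verified"  # a key name means a signature was checked
    return "hash-only"               # integrity only, no authenticity

def audit(log_text):
    """Classify all integrity lines; trusted means at least one signature
    check passed and no line is failed or unverified."""
    verdicts = [v for v in map(classify, log_text.splitlines()) if v]
    ok = all(v in ("signature-verified", "hash-only") for v in verdicts)
    return verdicts, ok and "signature-verified" in verdicts

if __name__ == "__main__":
    for name, log in (("post", POST_LOG), ("signed", SIGNED_LOG)):
        print(name, audit(log))
```

A hash-only verdict means the image matched the hash stored in the FIT itself, which detects corruption but does not show that the image came from the key holder.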