.. SPDX-License-Identifier: GPL-2.0+
.. Copyright 2020 Google LLC
.. sectionauthor:: Simon Glass <sjg@chromium.org>

Running U-Boot with Chromium OS verified boot
=============================================

To obtain::

   git clone https://github.com/sjg20/u-boot.git
   cd u-boot
   git checkout cros-master

   cd ..
   git clone https://chromium.googlesource.com/chromiumos/platform/vboot_reference
   cd vboot_reference
   git checkout 45964294
   # futility: updater: Correct output version for Snow

To build for sandbox::

   UB=/tmp/b/chromeos_sandbox    # U-Boot build directory
   cd u-boot
   make O=$UB chromeos_sandbox_defconfig
   make O=$UB -j20 -s VBOOT_SOURCE=/path/to/vboot_reference \
     MAKEFLAGS_VBOOT=DEBUG=1 QUIET=1

Replace sandbox with another supported target.

This produces $UB/image.bin which contains the firmware binaries in a SPI
flash image.

To run on sandbox::

   CROS=~/cosarm
   IMG=$CROS/src/build/images/coral/latest/chromiumos_image.bin
   $UB/tpl/u-boot-tpl -d $UB/u-boot.dtb.out \
     -L6 -c "host bind 0 $IMG; vboot go auto" \
     -l -w -s state.dtb -r -n -m $UB/ram

   $UB/tpl/u-boot-tpl -d $UB/u-boot.dtb.out -L6 -l \
     -c "host bind 0 $IMG; vboot go auto" -w -s $UB/state.dtb -r -n -m $UB/mem

To run on other boards:

- Install image.bin in the SPI flash of your device
- Boot your system

Sandbox
-------

Most Chromium OS development with U-Boot is undertaken using sandbox. There is
a sandbox target available (chromeos_sandbox) which allows running U-Boot on
a Linux machine complete with emulations of the display, TPM, disk, etc.

Running sandbox starts TPL, which contains the first phase of vboot, providing
a device tree and binding a Chromium OS disk image for use to find kernels
(any Chromium OS image will do). It also saves driver state between U-Boot
phases into state.dtb and will automatically ensure that memory is shared
between all phases. TPL will jump to SPL and then on to U-Boot proper.

It is possible to run with debugging on, e.g.::

   gdb --args $UB/tpl/u-boot-tpl -d ....

Breakpoints can be set in any U-Boot phase. Overall this is a good debugging
environment for new verified-boot features.

Samus
-----

Basic support is available for samus, using the chromeos_samus target. If you
have an em100, use::

   sudo em100 -s -c W25Q128FW -d $UB/image.bin -t -r

to write the image and then boot samus (Power-Refresh).

Boot flow
---------

Verified boot starts in TPL, which selects the A or B SPL, which in turn selects
the A or B U-Boot. Then this jumps to the selected kernel. If anything goes
wrong, the device reboots and the recovery SPL and U-Boot are used instead.

More details are available here:

   https://www.chromium.org/chromium-os/chromiumos-design-docs/firmware-boot-and-recovery

New uclasses
------------

Several uclasses are provided in cros/:

UCLASS_CROS_AUX_FW
   Chrome OS auxiliary firmware

UCLASS_CROS_FWSTORE
   Chrome OS firmware storage

UCLASS_CROS_NVDATA
   Chrome OS non-volatile data device

UCLASS_CROS_VBOOT_EC
   Chrome OS vboot EC operations

UCLASS_CROS_VBOOT_FLAG
   Chrome OS verified boot flag

The existing UCLASS_CROS_EC is also used.

Commands
--------

A new 'vboot' command is provided to run particular vboot stages. The most
useful command is 'vboot go auto', which continues where the last stage left
off.

Note that TPL and SPL do not support commands as yet, so the vboot code is
called directly from the SPL boot devices (BOOT_DEVICE_CROS_VBOOT). See
cros_load_image_tpl() and cros_load_image_spl() which both call
vboot_run_auto().

Config options
--------------

The main option is CONFIG_CHROMEOS, which enables a wide array of other options
so that the required features are present.

Device-tree config
------------------

Various options are available which control the operation of verified boot.
See cros/dts/bindings/config.txt for details. Most config is handled at
run-time, although build-time config (with Kconfig) could also be added fairly
easily.

Porting to other hardware
-------------------------

A basic port to samus (Chromebook Pixel 2015) is in a basic working state,
using the chromeos_samus target. Patches will likely be forthcoming in early
2019. Ports to an ARM board and coreboot (for x86 Chromebooks) are in the
dreaming state.

Tests
-----

Chromium OS firmware has a very limited set of tests. The tests that originally
existed in U-Boot were not brought over to coreboot or depthcharge.

The U-Boot tests ('make check') do operate, but at present there are no
Chromium OS tests available. These will hopefully come together over time. Of
course the above sandbox feature provides a sort of functional test and can
detect problems that affect the flow or particular vboot features.

U-Boot without Chromium OS verified boot
----------------------------------------

The following script can be used to boot a Chrome OS image on coral::

   # Read the image header and obtain the address of the kernel
   # The offset 4f0 is defined by verified boot and may change for other
   # Chromebooks
   read mmc 2:2 100000 0 80; setexpr loader *001004f0;

   # Get the kernel size and calculate the number of blocks (0x200 bytes each)
   setexpr size *00100518; setexpr blocks $size / 200;

   # Read the full kernel and calculate the address of the setup block
   read mmc 2:2 100000 80 $blocks; setexpr setup $loader - 1000;

   # Locate the command line
   setexpr cmdline $loader - 2000;

   # Start the zboot process with the loaded kernel, setup block and cmdline
   zboot start 100000 0 0 0 $setup $cmdline;

   # Load the kernel, fix up the 'setup' block, dump information
   zboot load; zboot setup; zboot dump

   # Boot into Chrome OS
   zboot go

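The arithmetic of the script above, repeated offline in Python as an added example (it is not part of the U-Boot documentation or source). It reads the two header fields at the script's offsets 4f0 and 518 and checks that the derived setup and cmdline addresses fall inside the data the second ``read`` places at 100000, since this path takes the header values without verification. The function names, the 32-bit little-endian field width and the sample header are assumptions of this example.

```python
import struct

LOAD_ADDR = 0x100000   # address both 'read' commands load to
BLOCK = 0x200          # block size used by the script
OFF_LOADER = 0x4F0     # script reads *001004f0, i.e. 0x4f0 past LOAD_ADDR
OFF_SIZE = 0x518       # script reads *00100518, i.e. 0x518 past LOAD_ADDR


def make_header(loader, size):
    """Constructed sample: 0x80 blocks with only the two fields filled in."""
    hdr = bytearray(0x80 * BLOCK)
    struct.pack_into("<I", hdr, OFF_LOADER, loader)
    struct.pack_into("<I", hdr, OFF_SIZE, size)
    return bytes(hdr)


def plan_boot(header):
    """Repeat the script's setexpr arithmetic and bounds-check the results."""
    if len(header) < OFF_SIZE + 4:
        raise ValueError("header shorter than offset 0x518 + 4")
    # Assumption: 32-bit little-endian fields (setexpr's default width, x86)
    loader, = struct.unpack_from("<I", header, OFF_LOADER)
    size, = struct.unpack_from("<I", header, OFF_SIZE)
    blocks = size // BLOCK                   # truncates, like 'setexpr ... / 200'
    loaded_end = LOAD_ADDR + blocks * BLOCK  # end of what the second read fills
    setup, cmdline = loader - 0x1000, loader - 0x2000
    if blocks == 0:
        raise ValueError("kernel size field gives zero blocks")
    if cmdline < LOAD_ADDR or loader >= loaded_end:
        raise ValueError("loader %#x is outside the loaded kernel %#x-%#x"
                         % (loader, LOAD_ADDR, loaded_end))
    return {"blocks": blocks, "setup": setup, "cmdline": cmdline,
            "tail_not_read": size % BLOCK}


if __name__ == "__main__":
    good = make_header(loader=0x8FF000, size=0x800000)
    print({k: hex(v) for k, v in plan_boot(good).items()})
    for bad in (make_header(0x1000, 0x800000), make_header(0x8FF000, 0x100)):
        try:
            plan_boot(bad)
        except ValueError as err:
            print("rejected:", err)
```

A non-zero ``tail_not_read`` means the size field is not a multiple of 0x200, so the truncating division leaves that many trailing bytes unread.
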
TO DO
-----

Get the full ACPI tables working with Coral

7 October 2018