lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231214124831.GX2513409@bill-the-cat>
Date:   Thu, 14 Dec 2023 07:48:31 -0500
From:   Tom Rini <trini@...sulko.com>
To:     Masahiro Yamada <masahiroy@...nel.org>
Cc:     Chen-Yu Tsai <wenst@...omium.org>,
        Geert Uytterhoeven <geert@...ux-m68k.org>,
        Laurent Pinchart <laurent.pinchart@...asonboard.com>,
        Simon Glass <sjg@...omium.org>,
        linux-arm-kernel@...ts.infradead.org,
        Ahmad Fatoum <a.fatoum@...gutronix.de>,
        U-Boot Mailing List <u-boot@...ts.denx.de>,
        Nicolas Schier <nicolas@...sle.eu>,
        Catalin Marinas <catalin.marinas@....com>,
        Jonathan Corbet <corbet@....net>,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Terrell <terrelln@...com>, Will Deacon <will@...nel.org>,
        linux-doc@...r.kernel.org, linux-kbuild@...r.kernel.org,
        linux-kernel@...r.kernel.org, workflows@...r.kernel.org,
        Rob Herring <robh@...nel.org>
Subject: Re: [PATCH v9 2/2] arm64: boot: Support Flat Image Tree

On Thu, Dec 14, 2023 at 03:12:07PM +0900, Masahiro Yamada wrote:
> On Thu, Dec 14, 2023 at 1:03 PM Chen-Yu Tsai <wenst@...omium.org> wrote:
> >
> > On Sun, Dec 10, 2023 at 1:31 AM Geert Uytterhoeven <geert@...ux-m68k.org> wrote:
> > >
> > > Hi Laurent,
> > >
> > > On Sat, Dec 9, 2023 at 4:29 PM Laurent Pinchart
> > > <laurent.pinchart@...asonboard.com> wrote:
> > > > On Sat, Dec 09, 2023 at 10:13:59PM +0900, Chen-Yu Tsai wrote:
> > > > > On Thu, Dec 7, 2023 at 11:38 PM Laurent Pinchart
> > > > > <laurent.pinchart@...asonboard.com> wrote:
> > > > > > On Thu, Dec 07, 2023 at 10:27:23PM +0800, Chen-Yu Tsai wrote:
> > > > > > > On Sun, Dec 03, 2023 at 05:34:01PM +0200, Laurent Pinchart wrote:
> > > > > > > > On Fri, Dec 01, 2023 at 08:54:42PM -0700, Simon Glass wrote:
> > > > > > > > > Add a script which produces a Flat Image Tree (FIT), a single file
> > > > > > > > > containing the built kernel and associated devicetree files.
> > > > > > > > > Compression defaults to gzip which gives a good balance of size and
> > > > > > > > > performance.
> > > > > > > > >
> > > > > > > > > The files compress from about 86MB to 24MB using this approach.
> > > > > > > > >
> > > > > > > > > The FIT can be used by bootloaders which support it, such as U-Boot
> > > > > > > > > and Linuxboot. It permits automatic selection of the correct
> > > > > > > > > devicetree, matching the compatible string of the running board with
> > > > > > > > > the closest compatible string in the FIT. There is no need for
> > > > > > > > > filenames or other workarounds.
> > > > > > > > >
> > > > > > > > > Add a 'make image.fit' build target for arm64, as well. Use
> > > > > > > > > FIT_COMPRESSION to select a different algorithm.
> > > > > > > > >
> > > > > > > > > The FIT can be examined using 'dumpimage -l'.
> > > > > > > > >
> > > > > > > > > This features requires pylibfdt (use 'pip install libfdt'). It also
> > > > > > > > > requires compression utilities for the algorithm being used. Supported
> > > > > > > > > compression options are the same as the Image.xxx files. For now there
> > > > > > > > > is no way to change the compression other than by editing the rule for
> > > > > > > > > $(obj)/image.fit
> > > > > > > > >
> > > > > > > > > While FIT supports a ramdisk / initrd, no attempt is made to support
> > > > > > > > > this here, since it must be built separately from the Linux build.
> > > > > > > >
> > > > > > > > FIT images are very useful, so I think this is a very welcome addition
> > > > > > > > to the kernel build system. It can get tricky though: given the
> > > > > > > > versatile nature of FIT images, there can't be any
> > > > > > > > one-size-fits-them-all solution to build them, and striking the right
> > > > > > > > balance between what makes sense for the kernel and the features that
> > > > > > > > users may request will probably lead to bikeshedding. As we all love
> > > > > > > > bikeshedding, I thought I would start selfishly, with a personal use
> > > > > > > > case :-) This isn't a yak-shaving request though, I don't see any reason
> > > > > > > > to delay merging this series.
> > > > > > > >
> > > > > > > > Have you envisioned building FIT images with a subset of DTBs, or adding
> > > > > > > > DTBOs ? Both would be fairly trivial extensions to this script by
> > > > > > > > extending the supported command line arguments. It would perhaps be more
> > > > > > > > difficult to integrate in the kernel build system though. This leads me
> > > > > > > > to a second question: would you consider merging extensions to this
> > > > > > > > script if they are not used by the kernel build system, but meant for
> > > > > > > > users who manually invoke the script ? More generally, is the script
> > > > > > >
> > > > > > > We'd also be interested in some customization, though in a different way.
> > > > > > > We imagine having a rule file that says X compatible string should map
> > > > > > > to A base DTB, plus B and C DTBO for the configuration section. The base
> > > > > > > DTB would carry all common elements of some device, while the DTBOs
> > > > > > > carry all the possible second source components, like different display
> > > > > > > panels or MIPI cameras for instance. This could drastically reduce the
> > > > > > > size of FIT images in ChromeOS by deduplicating all the common stuff.
> > > > > >
> > > > > > Do you envision the "mapping" compatible string mapping to a config
> > > > > > section in the FIT image, that would bundle the base DTB and the DTBOs ?
> > > > >
> > > > > That's exactly the idea. The mapping compatible string could be untied
> > > > > from the base board's compatible string if needed (which we probably do).
> > > > >
> > > > > So something like:
> > > > >
> > > > > config {
> > > > >     config-1 {
> > > > >         compatible = "google,krane-sku0";
> > > > >         fdt = "krane-baseboard", "krane-sku0-overlay";
> > > > >     };
> > > > > };
> > > > >
> > > > > With "krane-sku0-overlay" being an overlay that holds the differences
> > > > > between the SKUs, in this case the display panel and MIPI camera (not
> > > > > upstreamed) that applies to SKU0 in particular.
> > > >
> > > > The kernel DT makefiles already contain information on what overlays to
> > > > apply to what base boards, in order to test the overlays and produce
> > > > "full" DTBs. Maybe that information could be leveraged to create the
> > > > configurations in the FIT image ?
> > >
> > > Although the "full" DTBs created may only be a subset of all possible
> > > combinations (I believe Rob just started with creating one "full" DTB
> > > for each overlay, cfr. the additions I made in commit a09c3e105a208580
> > > ("arm64: dts: renesas: Apply overlays to base dtbs")), that could
> > > definitely be a start.
> > >
> > > Now, since the kernel build system already creates "full" DTBs, does
> > > that mean that all of the base DTBs, overlays, and "full" DTBs will
> > > end up in the FIT image?
> >
> > I suppose we could add an option to the packing tool to be able to _not_
> > add the "full" DTBs if they can also be assembled with a base DTB and
> > overlays. Think of it as a firmware compatibility option: if the firmware
> > supports overlays, then you almost always want the deconstructed parts,
> > not the fully assembled ones. Vice versa.
> >
> > If we don't we could end up with two configurations that have the same
> > compatible string?
> 
> 
> Right.
> 
> We would end up with such situations because applying
> an overlay does not change the compatible string.
> 
> 
> 
> With this code in arch/arm64/boot/dts/ti/Makefile:
> 
> k3-am642-tqma64xxl-mbax4xxl-sdcard-dtbs := \
>       k3-am642-tqma64xxl-mbax4xxl.dtb k3-am64-tqma64xxl-mbax4xxl-sdcard.dtbo
> k3-am642-tqma64xxl-mbax4xxl-wlan-dtbs := \
>       k3-am642-tqma64xxl-mbax4xxl.dtb k3-am64-tqma64xxl-mbax4xxl-wlan.dtbo
> 
> 
> 
> 
> $ fdtdump  arch/arm64/boot/dts/ti/k3-am642-tqma64xxl-mbax4xxl-sdcard.dtb
> 2>/dev/null| head -n15 | tail -n2
>     model = "TQ-Systems TQMa64xxL SoM on MBax4xxL carrier board";
>     compatible = "tq,am642-tqma6442l-mbax4xxl", "tq,am642-tqma6442l",
> "ti,am642";
> 
> 
> $ fdtdump  arch/arm64/boot/dts/ti/k3-am642-tqma64xxl-mbax4xxl-wlan.dtb
> 2>/dev/null| head -n15 | tail -n2
>     model = "TQ-Systems TQMa64xxL SoM on MBax4xxL carrier board";
>     compatible = "tq,am642-tqma6442l-mbax4xxl", "tq,am642-tqma6442l",
> "ti,am642";
> 
> 
> 
> 
> 
> These two go into image.fit, but one of them is completely dead
> since there is no way to distinguish them.

I'd asked Rob about the problem of multiple platforms that don't have a
unique compatible string, and never did quite conclude if the spec needs
to spell out one way or another if they really need to be unique.
There's some valid use cases where you might not, but then there's cases
like the above where that really seems like a dts bug (and those
platforms should have their dts* files reworked to be like other
carrier+som+different peripherals and likely be
tq,am642-tqma6442l-mbax4xxl-wlan and so on).

> 
> 
> $ fdtdump  arch/arm64/boot/image.fit
> 
>         ...
> 
>         conf-10 {
>             compatible = "tq,am642-tqma6442l-mbax4xxl",
> "tq,am642-tqma6442l", "ti,am642";
>             description = "TQ-Systems TQMa64xxL SoM on MBax4xxL carrier board";
>             fdt = "fdt-10";
>             kernel = "kernel";
>         };
> 
>         ...
> 
>         conf-25 {
>             compatible = "tq,am642-tqma6442l-mbax4xxl",
> "tq,am642-tqma6442l", "ti,am642";
>             description = "TQ-Systems TQMa64xxL SoM on MBax4xxL carrier board";
>             fdt = "fdt-25";
>             kernel = "kernel";
>         };
> 
> 
> 
> 
> 
> I agree with Chen-Yu.

> FIT should not include full DTBs.
> 
> Bootloaders should assemble the final DTB
> from base and overlays on-the-fly.

I think we need to think about that more because both FIT and UKI try
and solve the problem of a single verifiyable (in the various security /
secure boot meanings of the word) image. So saying "but not DTBs" will I
believe become "let the distribution people worry about it".

Or am I misunderstanding your comment, and this is only in the context
of real or quasi overlays?

-- 
Tom

Download attachment "signature.asc" of type "application/pgp-signature" (660 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ