[0/2] Import environment variables from FIT configuration

Message ID	20240702064834.9543-1-lukas.funke-oss@weidmueller.com
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: lukas.funke-oss@weidmueller.com To: u-boot@lists.denx.de Cc: Niko Mauno <niko.mauno@vaisala.com>, Lukas Funke <lukas.funke@weidmueller.com>, AKASHI Takahiro <akashi.tkhro@gmail.com>, Abdellatif El Khlifi <abdellatif.elkhlifi@arm.com>, Alexander Gendin <agendin@matrox.com>, Ashok Reddy Soma <ashok.reddy.soma@amd.com>, Emmanuel Di Fede <emmanuel.difede@cysec.com>, Heinrich Schuchardt <xypron.glpk@gmx.de>, Ilias Apalodimas <ilias.apalodimas@linaro.org>, Ivan Orlov <ivan.orlov@codethink.co.uk>, Joe Hershberger <joe.hershberger@ni.com>, Joshua Watt <jpewhacker@gmail.com>, Kever Yang <kever.yang@rock-chips.com>, Laurentiu Tudor <laurentiu.tudor@nxp.com>, Marek Vasut <marek.vasut+renesas@mailbox.org>, Michal Simek <michal.simek@amd.com>, Paul Barker <paul.barker.ct@bp.renesas.com>, Piotr Kubik <piotr.kubik@iopsys.eu>, Quentin Schulz <quentin.schulz@cherry.de>, Sean Anderson <seanga2@gmail.com>, Simon Glass <sjg@chromium.org>, Tom Rini <trini@konsulko.com>, Venkatesh Yadav Abbarapu <venkatesh.abbarapu@amd.com> Subject: [PATCH 0/2] Import environment variables from FIT configuration Date: Tue, 2 Jul 2024 08:48:32 +0200 Message-Id: <20240702064834.9543-1-lukas.funke-oss@weidmueller.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0 Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	Import environment variables from FIT configuration \| expand [0/2] Import environment variables from FIT configuration [1/2] env: Add function to import environment variables from FIT conf node [2/2] test: fit: Add test to check environment extraction from FIT conf node

Lukas Funke July 2, 2024, 6:48 a.m. UTC

From: Lukas Funke <lukas.funke@weidmueller.com>


This series enables U-Boot to import environment variables from the
selectd FIT configuration. One use-case is that the overall build process
enriches the FIT configuration node with dm-verity information which
should be injected into the kernel commandline. U-Boot will then read
these (possibly signed) environment variables and put them into the
actual Kernel commandline using variable replacement
(see CONFIG_BOOTARGS_SUBST).

Example:

Config:
CONFIG_BOOTARGS_SUBST=y
CONFIG_ENV_IMPORT_FIT_CONF=y

FIT:
    configurations {
        default = "conf-1";
            conf-1 {
                kernel = "kernel-1";
                fdt = "fdt-1";
                env,dm-verity-args = "dm-mod.create=...";
                env,bar = "someothervalue";
            };
    };

U-Boot cmdline:
=> env set bootargs="rootfstype=squashfs root=/dev/xyz ${dm-verity-args} ro"
=> boot

Kernel cmdline:
Kernel command line: rootfstype=squashfs ... dm-mod.create= ...



Lukas Funke (2):
  env: Add function to import environment variables from FIT conf node
  test: fit: Add test to check environment extraction from FIT conf node

 boot/image-fit.c          |  4 ++++
 configs/sandbox_defconfig |  1 +
 env/Kconfig               | 10 +++++++++
 env/common.c              | 28 ++++++++++++++++++++++++
 include/env.h             | 11 ++++++++++
 test/py/tests/test_fit.py | 45 +++++++++++++++++++++++++++++++++++++++
 6 files changed, 99 insertions(+)

Quentin Schulz July 2, 2024, 9:16 a.m. UTC | #1

Hi Lukas,

On 7/2/24 8:48 AM, lukas.funke-oss@weidmueller.com wrote:
> From: Lukas Funke <lukas.funke@weidmueller.com>
> 
> 
> This series enables U-Boot to import environment variables from the
> selectd FIT configuration. One use-case is that the overall build process
> enriches the FIT configuration node with dm-verity information which
> should be injected into the kernel commandline. U-Boot will then read
> these (possibly signed) environment variables and put them into the
> actual Kernel commandline using variable replacement
> (see CONFIG_BOOTARGS_SUBST).
> 
> Example:
> 
> Config:
> CONFIG_BOOTARGS_SUBST=y
> CONFIG_ENV_IMPORT_FIT_CONF=y
> 
> FIT:
>      configurations {
>          default = "conf-1";
>              conf-1 {
>                  kernel = "kernel-1";
>                  fdt = "fdt-1";
>                  env,dm-verity-args = "dm-mod.create=...";
>                  env,bar = "someothervalue";
>              };
>      };
> 
> U-Boot cmdline:
> => env set bootargs="rootfstype=squashfs root=/dev/xyz ${dm-verity-args} ro"
> => boot
> 
> Kernel cmdline:
> Kernel command line: rootfstype=squashfs ... dm-mod.create= ...
> 
> 

I think FIT supports storing U-Boot scripts and running those via 
`source` command (usually the file extension is .scr).

I do not know if there's support for automatically loading this .scr as 
part of a config node though, but if there isn't I guess it'd make more 
sense to support this case than to come up with yet another implementation?

What do you think?

Cheers,
Quentin

Lukas Funke July 2, 2024, 11:01 a.m. UTC | #2

Hi Quentin,

On 02.07.2024 11:16, Quentin Schulz wrote:
> Hi Lukas,
> 
> On 7/2/24 8:48 AM, lukas.funke-oss@weidmueller.com wrote:
>> From: Lukas Funke <lukas.funke@weidmueller.com>
>>
>>
>> This series enables U-Boot to import environment variables from the
>> selectd FIT configuration. One use-case is that the overall build process
>> enriches the FIT configuration node with dm-verity information which
>> should be injected into the kernel commandline. U-Boot will then read
>> these (possibly signed) environment variables and put them into the
>> actual Kernel commandline using variable replacement
>> (see CONFIG_BOOTARGS_SUBST).
>>
>> Example:
>>
>> Config:
>> CONFIG_BOOTARGS_SUBST=y
>> CONFIG_ENV_IMPORT_FIT_CONF=y
>>
>> FIT:
>>      configurations {
>>          default = "conf-1";
>>              conf-1 {
>>                  kernel = "kernel-1";
>>                  fdt = "fdt-1";
>>                  env,dm-verity-args = "dm-mod.create=...";
>>                  env,bar = "someothervalue";
>>              };
>>      };
>>
>> U-Boot cmdline:
>> => env set bootargs="rootfstype=squashfs root=/dev/xyz 
>> ${dm-verity-args} ro"
>> => boot
>>
>> Kernel cmdline:
>> Kernel command line: rootfstype=squashfs ... dm-mod.create= ...
>>
>>
> 
> I think FIT supports storing U-Boot scripts and running those via 
> `source` command (usually the file extension is .scr).
> 
> I do not know if there's support for automatically loading this .scr as 
> part of a config node though, but if there isn't I guess it'd make more 
> sense to support this case than to come up with yet another implementation?
> 
> What do you think?

I wasn't aware of this, thanks for pointing it out!

This patch was mainly inspired by the dm-vertiy use-case which requires 
just env-variables and no (complex) scripts.

There is currently no mechanism to source/run such scripts automatically.

How would you distinguish between scripts that should run automatically 
und scripts which are sourced by a specific board/shell-script 
implementation? I guess there are good reasons to not run such scripts 
per default. I would also change current behaviour. For env variables I 
see no harm.

Please let me know what you think.

Cheers
  - Lukas

> 
> Cheers,
> Quentin

Quentin Schulz July 2, 2024, 11:37 a.m. UTC | #3

Hi Lukas,

On 7/2/24 1:01 PM, Lukas Funke wrote:
> Hi Quentin,
> 
> On 02.07.2024 11:16, Quentin Schulz wrote:
>> Hi Lukas,
>>
>> On 7/2/24 8:48 AM, lukas.funke-oss@weidmueller.com wrote:
>>> From: Lukas Funke <lukas.funke@weidmueller.com>
>>>
>>>
>>> This series enables U-Boot to import environment variables from the
>>> selectd FIT configuration. One use-case is that the overall build 
>>> process
>>> enriches the FIT configuration node with dm-verity information which
>>> should be injected into the kernel commandline. U-Boot will then read
>>> these (possibly signed) environment variables and put them into the
>>> actual Kernel commandline using variable replacement
>>> (see CONFIG_BOOTARGS_SUBST).
>>>
>>> Example:
>>>
>>> Config:
>>> CONFIG_BOOTARGS_SUBST=y
>>> CONFIG_ENV_IMPORT_FIT_CONF=y
>>>
>>> FIT:
>>>      configurations {
>>>          default = "conf-1";
>>>              conf-1 {
>>>                  kernel = "kernel-1";
>>>                  fdt = "fdt-1";
>>>                  env,dm-verity-args = "dm-mod.create=...";
>>>                  env,bar = "someothervalue";
>>>              };
>>>      };
>>>
>>> U-Boot cmdline:
>>> => env set bootargs="rootfstype=squashfs root=/dev/xyz 
>>> ${dm-verity-args} ro"
>>> => boot
>>>
>>> Kernel cmdline:
>>> Kernel command line: rootfstype=squashfs ... dm-mod.create= ...
>>>
>>>
>>
>> I think FIT supports storing U-Boot scripts and running those via 
>> `source` command (usually the file extension is .scr).
>>
>> I do not know if there's support for automatically loading this .scr 
>> as part of a config node though, but if there isn't I guess it'd make 
>> more sense to support this case than to come up with yet another 
>> implementation?
>>
>> What do you think?
> 
> I wasn't aware of this, thanks for pointing it out!
> 
> This patch was mainly inspired by the dm-vertiy use-case which requires 
> just env-variables and no (complex) scripts.
> 
> There is currently no mechanism to source/run such scripts automatically.
> 
> How would you distinguish between scripts that should run automatically 
> und scripts which are sourced by a specific board/shell-script 
> implementation? I guess there are good reasons to not run such scripts 

Scripts in conf would be automatically run? Scripts not in conf needs to 
be executed via `source` command for example?

Not sure what to do if you want a script linked to a conf but not run 
automatically though (and what would be the use-case?). I guess you 
could have a script automatically run (so in conf node) that sets a 
variable to know where to look for the other script that isn't 
automatically executed?

> per default. I would also change current behaviour. For env variables I 
> see no harm.
> 

If the env properties in the FIT image are part of the checksum and 
signature of the conf node, which is necessary for secure boot, I guess 
"no harm" fits the bill.

Cheers,
Quentin

Lukas Funke July 2, 2024, 12:58 p.m. UTC | #4

Hi Quentin,

On 02.07.2024 13:37, Quentin Schulz wrote:
> Hi Lukas,
> 
> On 7/2/24 1:01 PM, Lukas Funke wrote:
>> Hi Quentin,
>>
>> On 02.07.2024 11:16, Quentin Schulz wrote:
>>> Hi Lukas,
>>>
>>> On 7/2/24 8:48 AM, lukas.funke-oss@weidmueller.com wrote:
>>>> From: Lukas Funke <lukas.funke@weidmueller.com>
>>>>
>>>>
>>>> This series enables U-Boot to import environment variables from the
>>>> selectd FIT configuration. One use-case is that the overall build 
>>>> process
>>>> enriches the FIT configuration node with dm-verity information which
>>>> should be injected into the kernel commandline. U-Boot will then read
>>>> these (possibly signed) environment variables and put them into the
>>>> actual Kernel commandline using variable replacement
>>>> (see CONFIG_BOOTARGS_SUBST).
>>>>
>>>> Example:
>>>>
>>>> Config:
>>>> CONFIG_BOOTARGS_SUBST=y
>>>> CONFIG_ENV_IMPORT_FIT_CONF=y
>>>>
>>>> FIT:
>>>>      configurations {
>>>>          default = "conf-1";
>>>>              conf-1 {
>>>>                  kernel = "kernel-1";
>>>>                  fdt = "fdt-1";
>>>>                  env,dm-verity-args = "dm-mod.create=...";
>>>>                  env,bar = "someothervalue";
>>>>              };
>>>>      };
>>>>
>>>> U-Boot cmdline:
>>>> => env set bootargs="rootfstype=squashfs root=/dev/xyz 
>>>> ${dm-verity-args} ro"
>>>> => boot
>>>>
>>>> Kernel cmdline:
>>>> Kernel command line: rootfstype=squashfs ... dm-mod.create= ...
>>>>
>>>>
>>>
>>> I think FIT supports storing U-Boot scripts and running those via 
>>> `source` command (usually the file extension is .scr).
>>>
>>> I do not know if there's support for automatically loading this .scr 
>>> as part of a config node though, but if there isn't I guess it'd make 
>>> more sense to support this case than to come up with yet another 
>>> implementation?
>>>
>>> What do you think?
>>
>> I wasn't aware of this, thanks for pointing it out!
>>
>> This patch was mainly inspired by the dm-vertiy use-case which 
>> requires just env-variables and no (complex) scripts.
>>
>> There is currently no mechanism to source/run such scripts automatically.
>>
>> How would you distinguish between scripts that should run 
>> automatically und scripts which are sourced by a specific 
>> board/shell-script implementation? I guess there are good reasons to 
>> not run such scripts 
> 
> Scripts in conf would be automatically run? Scripts not in conf needs to 
> be executed via `source` command for example?
> 
> Not sure what to do if you want a script linked to a conf but not run 
> automatically though (and what would be the use-case?). I guess you 
> could have a script automatically run (so in conf node) that sets a 
> variable to know where to look for the other script that isn't 
> automatically executed?

Sounds like yet another level of indirection. Not sure if this a good or 
a bad thing, but makes things definitely more complicated.

> 
>> per default. I would also change current behaviour. For env variables 
>> I see no harm.
>>
> 
> If the env properties in the FIT image are part of the checksum and 
> signature of the conf node, which is necessary for secure boot, I guess 
> "no harm" fits the bill.

To my current knowledge the configuration node itself is signed. Thus, 
all env-properties are signed. Please correct me if I'm wrong.

> 
> Cheers,
> Quentin

Quentin Schulz July 2, 2024, 1:05 p.m. UTC | #5

Hi Lukas,

On 7/2/24 2:58 PM, Lukas Funke wrote:
> Hi Quentin,
> 
> On 02.07.2024 13:37, Quentin Schulz wrote:
>> Hi Lukas,
>>
>> On 7/2/24 1:01 PM, Lukas Funke wrote:
>>> Hi Quentin,
>>>
>>> On 02.07.2024 11:16, Quentin Schulz wrote:
>>>> Hi Lukas,
>>>>
>>>> On 7/2/24 8:48 AM, lukas.funke-oss@weidmueller.com wrote:
>>>>> From: Lukas Funke <lukas.funke@weidmueller.com>
>>>>>
>>>>>
>>>>> This series enables U-Boot to import environment variables from the
>>>>> selectd FIT configuration. One use-case is that the overall build 
>>>>> process
>>>>> enriches the FIT configuration node with dm-verity information which
>>>>> should be injected into the kernel commandline. U-Boot will then read
>>>>> these (possibly signed) environment variables and put them into the
>>>>> actual Kernel commandline using variable replacement
>>>>> (see CONFIG_BOOTARGS_SUBST).
>>>>>
>>>>> Example:
>>>>>
>>>>> Config:
>>>>> CONFIG_BOOTARGS_SUBST=y
>>>>> CONFIG_ENV_IMPORT_FIT_CONF=y
>>>>>
>>>>> FIT:
>>>>>      configurations {
>>>>>          default = "conf-1";
>>>>>              conf-1 {
>>>>>                  kernel = "kernel-1";
>>>>>                  fdt = "fdt-1";
>>>>>                  env,dm-verity-args = "dm-mod.create=...";
>>>>>                  env,bar = "someothervalue";
>>>>>              };
>>>>>      };
>>>>>
>>>>> U-Boot cmdline:
>>>>> => env set bootargs="rootfstype=squashfs root=/dev/xyz 
>>>>> ${dm-verity-args} ro"
>>>>> => boot
>>>>>
>>>>> Kernel cmdline:
>>>>> Kernel command line: rootfstype=squashfs ... dm-mod.create= ...
>>>>>
>>>>>
>>>>
>>>> I think FIT supports storing U-Boot scripts and running those via 
>>>> `source` command (usually the file extension is .scr).
>>>>
>>>> I do not know if there's support for automatically loading this .scr 
>>>> as part of a config node though, but if there isn't I guess it'd 
>>>> make more sense to support this case than to come up with yet 
>>>> another implementation?
>>>>
>>>> What do you think?
>>>
>>> I wasn't aware of this, thanks for pointing it out!
>>>
>>> This patch was mainly inspired by the dm-vertiy use-case which 
>>> requires just env-variables and no (complex) scripts.
>>>
>>> There is currently no mechanism to source/run such scripts 
>>> automatically.
>>>
>>> How would you distinguish between scripts that should run 
>>> automatically und scripts which are sourced by a specific 
>>> board/shell-script implementation? I guess there are good reasons to 
>>> not run such scripts 
>>
>> Scripts in conf would be automatically run? Scripts not in conf needs 
>> to be executed via `source` command for example?
>>
>> Not sure what to do if you want a script linked to a conf but not run 
>> automatically though (and what would be the use-case?). I guess you 
>> could have a script automatically run (so in conf node) that sets a 
>> variable to know where to look for the other script that isn't 
>> automatically executed?
> 
> Sounds like yet another level of indirection. Not sure if this a good or 
> a bad thing, but makes things definitely more complicated.
> 

Yes, but this isn't an indirection the project has to support. We 
currently support scripts that are in the images node to source. We 
would need to support automatically running the script if it's in a conf 
node and that'd be it.

To be clear, I am not blocking this (and I don't have any veto power 
anyway :) ), just wanted to raise that something else already exists and 
could be extended to fit your usecase.

Cheers,
Quentin

Lukas Funke July 3, 2024, 8:29 a.m. UTC | #6

Hi Quentin,

On 02.07.2024 15:05, Quentin Schulz wrote:
> Hi Lukas,
> 
> On 7/2/24 2:58 PM, Lukas Funke wrote:
>> Hi Quentin,
>>
>> On 02.07.2024 13:37, Quentin Schulz wrote:
>>> Hi Lukas,
>>>
>>> On 7/2/24 1:01 PM, Lukas Funke wrote:
>>>> Hi Quentin,
>>>>
>>>> On 02.07.2024 11:16, Quentin Schulz wrote:
>>>>> Hi Lukas,
>>>>>
>>>>> On 7/2/24 8:48 AM, lukas.funke-oss@weidmueller.com wrote:
>>>>>> From: Lukas Funke <lukas.funke@weidmueller.com>
>>>>>>
>>>>>>
>>>>>> This series enables U-Boot to import environment variables from the
>>>>>> selectd FIT configuration. One use-case is that the overall build 
>>>>>> process
>>>>>> enriches the FIT configuration node with dm-verity information which
>>>>>> should be injected into the kernel commandline. U-Boot will then read
>>>>>> these (possibly signed) environment variables and put them into the
>>>>>> actual Kernel commandline using variable replacement
>>>>>> (see CONFIG_BOOTARGS_SUBST).
>>>>>>
>>>>>> Example:
>>>>>>
>>>>>> Config:
>>>>>> CONFIG_BOOTARGS_SUBST=y
>>>>>> CONFIG_ENV_IMPORT_FIT_CONF=y
>>>>>>
>>>>>> FIT:
>>>>>>      configurations {
>>>>>>          default = "conf-1";
>>>>>>              conf-1 {
>>>>>>                  kernel = "kernel-1";
>>>>>>                  fdt = "fdt-1";
>>>>>>                  env,dm-verity-args = "dm-mod.create=...";
>>>>>>                  env,bar = "someothervalue";
>>>>>>              };
>>>>>>      };
>>>>>>
>>>>>> U-Boot cmdline:
>>>>>> => env set bootargs="rootfstype=squashfs root=/dev/xyz 
>>>>>> ${dm-verity-args} ro"
>>>>>> => boot
>>>>>>
>>>>>> Kernel cmdline:
>>>>>> Kernel command line: rootfstype=squashfs ... dm-mod.create= ...
>>>>>>
>>>>>>
>>>>>
>>>>> I think FIT supports storing U-Boot scripts and running those via 
>>>>> `source` command (usually the file extension is .scr).
>>>>>
>>>>> I do not know if there's support for automatically loading this 
>>>>> .scr as part of a config node though, but if there isn't I guess 
>>>>> it'd make more sense to support this case than to come up with yet 
>>>>> another implementation?
>>>>>
>>>>> What do you think?
>>>>
>>>> I wasn't aware of this, thanks for pointing it out!
>>>>
>>>> This patch was mainly inspired by the dm-vertiy use-case which 
>>>> requires just env-variables and no (complex) scripts.
>>>>
>>>> There is currently no mechanism to source/run such scripts 
>>>> automatically.
>>>>
>>>> How would you distinguish between scripts that should run 
>>>> automatically und scripts which are sourced by a specific 
>>>> board/shell-script implementation? I guess there are good reasons to 
>>>> not run such scripts 
>>>
>>> Scripts in conf would be automatically run? Scripts not in conf needs 
>>> to be executed via `source` command for example?
>>>
>>> Not sure what to do if you want a script linked to a conf but not run 
>>> automatically though (and what would be the use-case?). I guess you 
>>> could have a script automatically run (so in conf node) that sets a 
>>> variable to know where to look for the other script that isn't 
>>> automatically executed?
>>
>> Sounds like yet another level of indirection. Not sure if this a good 
>> or a bad thing, but makes things definitely more complicated.
>>
> 
> Yes, but this isn't an indirection the project has to support. We 
> currently support scripts that are in the images node to source. We 
> would need to support automatically running the script if it's in a conf 
> node and that'd be it.
> 
> To be clear, I am not blocking this (and I don't have any veto power 
> anyway :) ), just wanted to raise that something else already exists and 
> could be extended to fit your usecase.

Thanks for the clarification, I appreciate your input.

Yeah, I guess it works somehow using the current 'source'-cmd approach. 
Yocto even supports the integration of a U-Boot environment into the 
kernel FIT-image. However, I think the integration for some dm-vertiy 
env variables is quite cumbersome using this approach. I'd rather prefer 
to have the variables directly in the fit-configuration since they have 
no script character. But this might just be personal preference.

> 
> Cheers,
> Quentin

Simon Glass Nov. 2, 2024, 5:36 p.m. UTC | #7

Hi Lukas,

On Wed, 3 Jul 2024 at 02:29, Lukas Funke
<lukas.funke-oss@weidmueller.com> wrote:
>
> Hi Quentin,
>
> On 02.07.2024 15:05, Quentin Schulz wrote:
> > Hi Lukas,
> >
> > On 7/2/24 2:58 PM, Lukas Funke wrote:
> >> Hi Quentin,
> >>
> >> On 02.07.2024 13:37, Quentin Schulz wrote:
> >>> Hi Lukas,
> >>>
> >>> On 7/2/24 1:01 PM, Lukas Funke wrote:
> >>>> Hi Quentin,
> >>>>
> >>>> On 02.07.2024 11:16, Quentin Schulz wrote:
> >>>>> Hi Lukas,
> >>>>>
> >>>>> On 7/2/24 8:48 AM, lukas.funke-oss@weidmueller.com wrote:
> >>>>>> From: Lukas Funke <lukas.funke@weidmueller.com>
> >>>>>>
> >>>>>>
> >>>>>> This series enables U-Boot to import environment variables from the
> >>>>>> selectd FIT configuration. One use-case is that the overall build
> >>>>>> process
> >>>>>> enriches the FIT configuration node with dm-verity information which
> >>>>>> should be injected into the kernel commandline. U-Boot will then read
> >>>>>> these (possibly signed) environment variables and put them into the
> >>>>>> actual Kernel commandline using variable replacement
> >>>>>> (see CONFIG_BOOTARGS_SUBST).
> >>>>>>
> >>>>>> Example:
> >>>>>>
> >>>>>> Config:
> >>>>>> CONFIG_BOOTARGS_SUBST=y
> >>>>>> CONFIG_ENV_IMPORT_FIT_CONF=y
> >>>>>>
> >>>>>> FIT:
> >>>>>>      configurations {
> >>>>>>          default = "conf-1";
> >>>>>>              conf-1 {
> >>>>>>                  kernel = "kernel-1";
> >>>>>>                  fdt = "fdt-1";
> >>>>>>                  env,dm-verity-args = "dm-mod.create=...";
> >>>>>>                  env,bar = "someothervalue";
> >>>>>>              };
> >>>>>>      };
> >>>>>>
> >>>>>> U-Boot cmdline:
> >>>>>> => env set bootargs="rootfstype=squashfs root=/dev/xyz
> >>>>>> ${dm-verity-args} ro"
> >>>>>> => boot
> >>>>>>
> >>>>>> Kernel cmdline:
> >>>>>> Kernel command line: rootfstype=squashfs ... dm-mod.create= ...
> >>>>>>
> >>>>>>
> >>>>>
> >>>>> I think FIT supports storing U-Boot scripts and running those via
> >>>>> `source` command (usually the file extension is .scr).
> >>>>>
> >>>>> I do not know if there's support for automatically loading this
> >>>>> .scr as part of a config node though, but if there isn't I guess
> >>>>> it'd make more sense to support this case than to come up with yet
> >>>>> another implementation?
> >>>>>
> >>>>> What do you think?
> >>>>
> >>>> I wasn't aware of this, thanks for pointing it out!
> >>>>
> >>>> This patch was mainly inspired by the dm-vertiy use-case which
> >>>> requires just env-variables and no (complex) scripts.
> >>>>
> >>>> There is currently no mechanism to source/run such scripts
> >>>> automatically.
> >>>>
> >>>> How would you distinguish between scripts that should run
> >>>> automatically und scripts which are sourced by a specific
> >>>> board/shell-script implementation? I guess there are good reasons to
> >>>> not run such scripts
> >>>
> >>> Scripts in conf would be automatically run? Scripts not in conf needs
> >>> to be executed via `source` command for example?
> >>>
> >>> Not sure what to do if you want a script linked to a conf but not run
> >>> automatically though (and what would be the use-case?). I guess you
> >>> could have a script automatically run (so in conf node) that sets a
> >>> variable to know where to look for the other script that isn't
> >>> automatically executed?
> >>
> >> Sounds like yet another level of indirection. Not sure if this a good
> >> or a bad thing, but makes things definitely more complicated.
> >>
> >
> > Yes, but this isn't an indirection the project has to support. We
> > currently support scripts that are in the images node to source. We
> > would need to support automatically running the script if it's in a conf
> > node and that'd be it.
> >
> > To be clear, I am not blocking this (and I don't have any veto power
> > anyway :) ), just wanted to raise that something else already exists and
> > could be extended to fit your usecase.
>
> Thanks for the clarification, I appreciate your input.
>
> Yeah, I guess it works somehow using the current 'source'-cmd approach.
> Yocto even supports the integration of a U-Boot environment into the
> kernel FIT-image. However, I think the integration for some dm-vertiy
> env variables is quite cumbersome using this approach. I'd rather prefer
> to have the variables directly in the fit-configuration since they have
> no script character. But this might just be personal preference.

This ended up in my queue.

Is this used with boot scripts? We are trying to move boards to
bootstd and get rid of the scripts, for common cases.

If you are wanting to specify the verity hash, I think it would be
better to add that information. VBE[1] has the concept of 'OS
requests' - see static bootmeth_vbe_ft_fixup() for the implementation.

Here it seems we have a request for the verity hash? So can we add it
that way? Are there any other features you are needed?

Using environment variables seems a bit ad-hoc to me.

Regards,
Simon

[1] https://docs.u-boot.org/en/latest/develop/vbe.html

[0/2] Import environment variables from FIT configuration

Message

Comments