Marrying U-Boot, UEFI and grub_UEFI_and_grub.pdf · Marrying U-Boot, UEFI and grub. About Me ......

Marrying U-Boot, UEFI and grub

About Me

• Alexander Graf

• KVM and QEMU developer for SUSE

• Server class PowerPC KVM port

• Nested SVM

• Founding member of SUSE ARM team

Booting on ARM

Boot ROM

Booting on ARM

Firmware FlashBoot ROM

Booting on ARM

Firmware FlashBoot ROM SD / USB / etc

Booting on ARM

custom extlinux vboot UEFI

Firmware, do not care

Ideal Distro boot flow

custom extlinux vboot UEFI

Ideal Distro boot flow

One protocol torule them all

UEFI boot flow

UEFI NVRAM

UEFI boot flow

UEFI NVRAM

sda2/foo.efi

mmc0/bar.efi

eth0/dhcp4

UEFI boot flow

sda2/foo.efi

mmc0/bar.efi

eth0/dhcp4

UEFI boot flow

sda2/foo.efi

mmc0/bar.efi

eth0/dhcp4

✗UEFI

UEFI boot flow

sda2/foo.efi

mmc0/bar.efi

eth0/dhcp4

✗UEFI

UEFI boot flow

sda2/foo.efi

mmc0/bar.efi

eth0/dhcp4

UEFI boot flow

Removable

NVRAMUEFI

UEFI boot flow

Removable

sda/ESP/efi/boot/bootaa64.efi

mmc0/ESP/efi/boot/bootaa64.efi

cd0/eltorito/efi/boot/bootaa64.efi

UEFI boot flow

Removable

UEFI boot flow

Removable

✗mmc0/ESP/efi/

boot/bootaa64.efiUEFI

UEFI boot flow

Removable

✗UEFI

UEFI boot flow

Removable

UEFI boot flow

Removable

✔bootaa64.efi

UEFI boot flow

bootaa64.efiUEFI

UEFI boot flow

bootaa64.efi

EFI Runtime Data

Console Boot Services

Runtime Services Tables

UEFI boot flow

bootaa64.efi

EFI Runtime Data

Console

Runtime Services Tables

Boot Services

UEFI boot flow

bootaa64.efiUEFI

Boot Services

UEFI boot flow

bootaa64.efiUEFI

Boot Services

UEFI boot flow

bootaa64.efiUEFI

Boot Services

UEFI boot flow

bootaa64.efiUEFI

Boot Services

UEFI boot flow

bootaa64.efi

✗✗UEFI

Boot Services

UEFI boot flowRuntime Services

NVRAMUEFI

UEFI boot flow advantages

UEFIbtrfs

ext4 extension 593

UEFIbtrfs

ext4 extension 593

U-Boot

EFI_STATUS EFIAPI GetNextMonotonicCount ( OUT UINT64 *Count ) { if (Count == NULL) { return EFI_INVALID_PARAMETER; }

*Count = gCurrentMonotonicCount++; return EFI_SUCCESS; }

static efi_status_t EFIAPI efi_get_next_monotonic_count(uint64_t *count) { static uint64_t mono = 0; EFI_ENTRY("%p", count); *count = mono++; return EFI_EXIT(EFI_SUCCESS); }

U-Boot

Black Boxes

U-Boot

Monolithic

U-Boot

coreBBB

U-Boot

coreBBB

OpenPlatform

U-Boot

coreBBB

OpenPlatform

$ grep -R ARM configs/ | wc -l

U-Boot

Foundation for black box modules Monolithic, GPL

Windows coding style Linux coding style

Built to fork Built to include

UEFI interfaces

u32 block_size u64 last_block char read_only

read_blocks() write_blocks()

UEFI interfaces

u8 mac_address[32] u8 ip_address[16] u8 media_present

transmit() receive()

U-Boot interfaces

ulong blksz u64 lba

char removable

blk_dread() blk_dwrite()

eth_get_ethaddr() net_send_packet()

eth_rx()

UEFI interfaces

efi_loader

bootefi

U-Boot> load mmc 0:1 $kernel_addr_r Image

bootefi

U-Boot> load mmc 0:1 $kernel_addr_r Image reading Image 568320 bytes read in 165 ms (3.3 MiB/s)

bootefi

U-Boot> bootefi $kernel_addr_r $fdt_addr_r

bootefi

U-Boot> bootefi $kernel_addr_r $fdt_addr_r ## Starting EFI application at 0x01000000 … EFI stub: Booting Linux Kernel... EFI stub: UEFI Secure Boot is enabled. EFI stub: Using DTB from configuration table EFI stub: Exiting boot services and installing virtual address map...

bootefi

U-Boot> bootefi $kernel_addr_r $fdt_addr_r ## Starting EFI application at 0x01000000 … EFI stub: Booting Linux Kernel... EFI stub: UEFI Secure Boot is enabled. EFI stub: Using DTB from configuration table EFI stub: Exiting boot services and installing virtual address map...

bootefi

efi_loader

bootefi

efi_loader

bootefi

distro boot

boot_targets=mmc0 usb0 pxe dhcp

distro boot

extlinux

distro boot

extlinux

boot.script

distro boot

extlinux

boot.script

distro boot

Partition Table

distro boot

ESP $fdtfile

distro boot

$fdtfile

/dtb/current/

/boot/

/boot/dtb/

/boot/dtb/current/

distro boot

$fdtfile

efi/boot/bootaa64.efi

distro boot

$fdtfile

distro boot

$fdtfile

distro boot

$fdtfile

distro boot

ISO9660el torito

distro boot

ISO9660el torito el torito

Partition Table

distro boot

el torito el torito

Partition Table

distro boot

el torito

$fdtfile

el torito

distro boot

✔ ✔

distro boot

DHCP Distro Boot

distro boot

DHCP Distro Boot DHCP Server

distro boot

DHCP req

EFI & Arch VCI

distro boot

DHCP req

filename

EFI & Arch VCI

distro boot

DHCP req

DHCP ack

filename

EFI & Arch VCI

distro boot

DHCP req

DHCP ack

distro boot

✔ ✔ ✔

UEFI Tables

bootaa64.efi

EFI Runtime Data

Console Boot Services

Runtime Services

Tables

UEFI TablesTables

ACPI✗

UEFI TablesTables

ACPI✗

UEFI Tables

Tables

Missing Features

UEFI RTS

Missing Features

UEFI RTS

Missing Features

UEFI RTS

✗✗

Missing Features

bootefi

Missing Features

bootefi

Missing Features

bootefi

Missing Features

EFI Shell

Missing Features

EFI Shell

Missing Features

EFI Shell✗

Why?Department A Department B

Thank You

Further Information

https://events.opensuse.org/conference/oSC16/program/proposal/946

External Sourceshttps://commons.wikimedia.org/wiki/File:Raspberry_Pi_B%2B_illustration.svg

https://commons.wikimedia.org/wiki/File:Sd-card-1377140.svg

http://eu.mophie.com/shop/media/catalog/product/cache/3/small_image/270x330/9df78eab33525d08d6e5fb8d27136e95/u/s/usb-micro3-40-blk_usb-tip-detail_front-back_540px.jpg

https://commons.wikimedia.org/wiki/File:Circle-icons-submarine.svg

https://commons.wikimedia.org/wiki/File:150-8-DIP.jpg

https://commons.wikimedia.org/wiki/File:Hdd_icon.svg

https://commons.wikimedia.org/wiki/File:ARM_CPU_icon.svg

http://findicons.com/icon/177982/memory#

OSA Icons

Icons received from http://www.opensecurityarchitecture.org/cms/library/icon-library

emojione Icons

Icons received from http://www.opensecurityarchitecture.org/cms/library/icon-library

Other Icons

http://findicons.com/icon/download/234261/clock/128/png

http://findicons.com/icon/439269/button_power

https://fosdem.org/2017/schedule/event/grub_new_maintainers/attachments/slides/1768/export/events/attachments/grub_new_maintainers/slides/1768/slides.pdf

https://de.wikipedia.org/wiki/BeagleBoard#/media/File:Beagle_Board_big.jpg

https://thenounproject.com/term/folder-tree/27307/

https://commons.wikimedia.org/wiki/File:Crystal_Project_Hardware.png

http://findicons.com/icon/202613/folder_library

Other Icons

http://tumboy.tumblr.com/post/10052361836

http://findicons.com/icon/132807/b_leg_embossed

http://findicons.com/icon/237892/text_plain

http://findicons.com/icon/226957/package_games_board

Marrying U-Boot, UEFI and grub_UEFI_and_grub.pdf · Marrying U-Boot, UEFI and grub. About Me ......

Documents

Transcript of Marrying U-Boot, UEFI and grub_UEFI_and_grub.pdf · Marrying U-Boot, UEFI and grub. About Me ......

UEFI Secure Boot Customization - U.S. Department of Defense

UEFI Firmware Enhances Linux* Security and … Agenda • UEFI Considerations for Linux * • Secure Boot for the Enterprise System – From Insyde * • Ubuntu * UEFI/Secure Boot

Delivering a secure and fast boot experience with uefi

Intel Stratix 10 SoC UEFI Boot Loader User Guide · Figure 1. UEFI Boot Flow Overview. App App OS UEFI PEI & DXE (SSBL) Arm Trusted FW (FSBL) Configuration Mgmt FW SDM BootROM SDM

UEFI Secure Boot - James Bottomley's random Pages

Improving Platform Security with UEFI Secure Boot and UEFI ... · Improving Platform Security with UEFI Secure Boot and UEFI Variables UEFI Spring Plugfest –March 29-31, 2016 Presented

Advanced(x86:( - OpenSecurityTrainingopensecuritytraining.info/IntroBIOS_files/Day2_06_Advanced x86... · UEFI Secure Boot • DXE verifies non-embedded XROMs, DXE drivers, UEFI applications

Discover UEFI with U-Boot · 2020. 2. 18. · Support subset of UEFI specification – Embedded Base Boot Requirements (EBBR) Boot services Run time services Required elements according

Beyond DOS: The UEFI Shell –a Modern Pre-boot Application ...

Hacking Measured Boot and UEFI - DEF CON · Hacking Measured Boot and UEFI Dan Griffin JW Secure, Inc. ... •Screw the Linux community . State of UEFI •Not new •Full featured

UEFI Boot time optimization under Windows 7 - Intel · PDF fileBoot Loader. Boot Manager. Device, Bus, or Service Driver. UEFI Interfaces. EFI Driver Dispatcher. Architectural ...

256 10 SoC UEFI Boot Loader User Guide - Intel FPGA … 1 Intel ® Stratix 10 SoC UEFI Boot Loader User Guide 3 1.1 Boot Flow Overview 3 1.2 Recommended System Requirements ...

Best Practices for UEFI Secure Boot Guidelines

Beyond DOS: UEFI Modern Pre-boot Application Development Environment · · 2017-02-23Beyond DOS: UEFI Modern Pre-boot Application Development Environment EFIS003 Tim Lewis, Chief

BIOS TO UEFI WITH SECURE BOOT AND CSM · "UEFI" WITH "SECURE BOOT" AND "CSM" 2 ... have a "Master Boot Record" (MBR) 7 ... PowerPoint Presentation Author: testuser Created Date:

SFO17-201 Secure Boot on Arm systems...Arm TF (BLx stages) BL1 UEFI Driver UEFI App OS Loader UEFI Secure Boot Arm TBB App1 App2 App3 RoT ENGINEERS AND DEVICES WORKING TOGETHER Arm

SFO15-TR9: PSCI, ACPI (and UEFI to boot)

TPM, UEFI, Trusted Boot, Secure Boot

Locking Down the Endpoint with Measured Boot and UEFI

Windows 10 Features to Love or Hate...UEFI FIRMWARE Browsers Printing Hello UEFI V Desktop • Secure Boot • Early Launch Anti-Malware • Windows Trusted Boot • Measured Boot