Secureboot: GRUB can be loaded, but the bzImage has an "Invalid Signature" - security

I want to make a bootable emergency USB-stick that automatically repartitions my system and unpacks a rootfs to the hard disk, installs the bootloader, etc.
I compiled my own kernel and created my own initrd with various scripts.
This works very well. Only booting from a USB stick causes problems when Secure Boot is active.
To work around the problem I took an official Ubuntu live CD and copied all the content like isolinux/ EFI/* and so on, and I changed all GRUB configuration boot entries to my kernel and my initrd. So I think the bootloader should be Secure Boot capable.
I set the following parameters in grub.cfg and built a new ISO:
set check_signatures=no
If Secure Boot is disabled, the system boots correctly.
If Secure Boot is active, the bootloader can be loaded. So the Secure Boot is done? But then the process aborts with the following error:
invalid signature: /boot/bzImage
although check_signatures=no is set.
Does anyone have an idea?
Is there no other way than to sign my kernel and distribute the keys across all systems? Can I distribute the key via SSH without direct access to the hardware?

Problem solved with signed-shim bootloader, free to download.

Related

How to examine and debug Yocto's bootloader on i.MX6Q?

I am building a trusted execution environment on IMX6Q with a Linux Yocto version in the untrusted processor mode. When I switch to non-secure for the first time after reset to load the Linux kernel, I get flooded with data and prefetch abort exceptions after I jump to the kernel's bootloader. It also seems that those exceptions occur as soon as the MMU is switched on.
Booting the Kernel without changing to non-secure state works fine.
Is it possible that the control bits of the non-secure copy of the first-stage page tables are written with the NS bit cleared, which causes the MMU to refuse any access to those regions?
Where can I find the startup code that is setting up the page tables in the Yocto BSP for IMX6Q?
How can I debug the Linux Bootloader?
Is it possible to simply change source code of the bootloader in the build-directory of the BSP and rebuild the image?
Thanks in advance,
Paul
How can I debug the Linux Bootloader?
Yes, you can with beautiful printf/puts... BTW, if you want to really debug with JTAG in the early stages of U-Boot, you can refer to this NXP forum post.
Is it possible to simply change source code of the bootloader in the build-directory of the BSP and rebuild the image?
You can easily work with the git directory of U-Boot in your workbuild/tmp/work/.. dir.
Modify what you need.
Compile it with bitbake -f -c compile u-boot-imx
Deploy it with bitbake -f -c deploy u-boot-imx
At the end, your new U-Boot will be placed in the usual workbuild/tmp/deploy/images/...

How can I build u-boot and OpenWRT so that they are ready for production?

EDIT: As stated in the comments, the question seems too broad to answer, so I'll leave the explanation of the problem and the questions, because they haven't changed, but I have changed the title (it doesn't seem good yet, but it's better than before) so they are more in tune.
What led me to the question
I want to compile OpenWRT for my board. At the moment I am compiling it for a BeagleBone Black, and it's quite straightforward since there are tutorials available for that, but it got me thinking. How would I build it for a completely bare board? Like it or not, the BBB comes with U-Boot and a version of Linux (Angstrom, if I'm not mistaken), so when I build OpenWRT for it maybe many things have already been taken care of for me.
I know that I need to first set up the board to boot from somewhere, then it must have the bootloader and finally the kernel (there is the SPL and all that, but OK, let's leave it aside for now).
Hypothetical system
Let's imagine I have hardware similar to the BeagleBone, except it has a DIP switch connected to the boot pins in order to select where I'm going to boot my device from. Imagine I have set it to boot from Ethernet, which means that on startup a bootloader located in ROM will receive a binary file and store it in flash, all that via TFTP.
The questions
At this point I imagine that the binary file given via TFTP is the bootloader, am I right?
So after that I'd need to give the bootloader the kernel?
Does this mean that it is a 2-step process? First load the bootloader and then the kernel?
Is it possible to compile both at the same time and load it into the microprocessor?
Does OpenWRT build u-boot as well or do I need to compile it separately? I know it downloads the kernel and compiles it.
How would I build this for production? Imagining that I have to build u-boot and openwrt separately, would I create a script that compiles both and then does the entire process of downloading it into the microprocessor?
Is it possible to pre-configure the kernel so that it doesn't need to be configured after the code is downloaded? I mean, for example, compile it with initialization scripts instead of connecting to the device and configuring this. Is it possible or do I have to connect to the board and configure it manually?
PS: Sorry for such basic questions, but it's my first time compiling the kernel for real, and I've only worked with microcontrollers and RTOSs at most.
Let's try to answer the queries one by one
At this point I imagine that the binary file given via TFTP is the bootloader, am I right?
No, it should be the firmware (kernel+HLOS). TFTP is available in U-Boot or only after the SBL (secondary boot loader) is loaded into memory.
So after that I'd need to give the bootloader the kernel?
The bootloader needs to be present in memory and, if required, it can get the firmware from Ethernet. This can be done simply by changing the U-Boot env (bootcmd); it can also be configured at compile time.
Does this mean that it is a 2-step process? First load the bootloader and then the kernel?
Yes, the bootloader needs to be loaded earlier, but if you are designing a custom board, you can combine the images in a big file and then flash/load that file at once.
Is it possible to compile both at the same time and load it into the microprocessor?
Does OpenWRT build u-boot as well or do I need to compile it separately? I know it downloads the kernel and compiles it.
Yes, OpenWRT is very flexible: it compiles U-Boot, the kernel and userspace packages at once and creates the desired image (based upon user configuration).
How would I build this for production? Imagining that I have to build u-boot and openwrt separately, would I create a script that compiles both and then does the entire process of downloading it into the microprocessor?
You can configure OpenWRT to generate the appropriate image (based upon the flash and system requirements) and then flash that image in production (so, simple).
Is it possible to pre-configure the kernel so that it doesn't need to be configured after the code is downloaded? I mean, for example, compile it with initialization scripts instead of connecting to the device and configuring this. Is it possible or do I have to connect to the board and configure it manually?
Yes, use make kernel_menuconfig to configure the kernel parameters at compile time.
Hope I have answered all the queries!

U-Boot script for choosing the most recent image

I have a u-boot which copies a multiimage (Linux kernel+rootfs+dts) from a serial FLASH to the DDR. The device is remotely powered. The device requires fail safe remote firmware upgrade which survives power failure. I always keep two images on the FLASH. While I write a new firmware to the FLASH there is always another, older, firmware image on the FLASH. U-boot after power up shall boot the most recent firmware.
Boot time is important, but not critical. For example, I thought to let U-Boot boot the first "valid" image. A Linux application would decide if a reboot is required and modify the U-Boot environment.
I can patch u-boot - add a command which finds the most recent firmware on the FLASH. I would expect that somebody somewhere already solved this problem and likely better than me. Is there a patch/script for u-boot which allows to automatically choose the latest firmware based on some metadata?
Any other approaches to the problem?
Yes.
Use U-Boot's bootcount feature.
It increments on every boot retry and is supposed to be cleared by an application on the filesystem after the kernel has booted.
If it reaches a threshold, you can then boot another image from U-Boot.
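The bootcount behaviour described in this answer, as an added Python model that is not U-Boot code and not part of the original answer. It follows U-Boot's rule that altbootcmd runs instead of bootcmd once bootcount exceeds bootlimit; the slot names A/B, the healthy map and the repoint step are assumptions made for the simulation.

```python
def power_cycle(env, healthy, repoint):
    """One boot. `env` models the U-Boot variables bootcount and bootlimit;
    main_slot/alt_slot stand for the images bootcmd and altbootcmd load."""
    env["bootcount"] += 1                       # incremented on every boot attempt
    exceeded = env["bootlimit"] and env["bootcount"] > env["bootlimit"]
    slot = env["alt_slot"] if exceeded else env["main_slot"]
    if healthy[slot]:                           # userspace came up
        env["bootcount"] = 0                    # application clears the counter
        if repoint and slot != env["main_slot"]:
            # assumed extra step: application makes the working image the default
            env["main_slot"], env["alt_slot"] = slot, env["main_slot"]
    return slot

def simulate(healthy, cycles, bootlimit=3, repoint=False):
    """Return the slot booted on each power cycle, newest image in slot B."""
    env = {"bootcount": 0, "bootlimit": bootlimit,
           "main_slot": "B", "alt_slot": "A"}
    return [power_cycle(env, healthy, repoint) for _ in range(cycles)]

if __name__ == "__main__":
    broken_b = {"A": True, "B": False}          # constructed scenario: new image is bad
    print(simulate(broken_b, 8))                # falls back, then retries B again
    print(simulate(broken_b, 8, repoint=True))  # falls back and stays on A
```

If the fallback image clears the counter without also changing the default, the device returns to the broken image for another bootlimit attempts after every successful fallback boot.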

Automatically enabling all ethernet, ATA, SATA, and SCSI drivers in the Linux .config file

I am compiling my own Linux kernel and userland tools for a PXE environment meant for cloning and reimaging. Right now, I'm sticking to a specific kernel version and using preconfigured .config's for building the Linux kernel.
I need to change from using preconfigured .config's to automatically generating the default configuration for the specified architecture, and then enabling all ethernet, ATA, SATA, and SCSI drivers.
The reason I want to do this is:
Updating the kernel means updating the preconfigured .config's, which takes too much time to manually do. The way I'm doing it now is using menuconfig, enabling the options I need, and saving the resulting .config to my repository.
I know the kernel I'm building is missing some drivers because I've encountered some PC's that were not able to mount the NFS share because Linux could not find an ethernet device (which I've verified by booting an Ubuntu CD, which did find the ethernet device). I want an automated way of building any Linux kernel version that will guarantee that ALL drivers I need are pulled in.
Using a distribution's configuration pulls in too many unnecessary drivers and features for my purposes. It lengthens the kernel build time from 10-15 minutes to an hour or more, and the resulting image is too big.
Does anyone know how to write a Bash script to accomplish this?
Have you considered using a text editor to modify the .config file?
Then you can modify it using search and replace.
Plus, there are other choices for configuring the kernel than the menu-driven "menuconfig".

Mounting ISO image from USB at boot time

Is it possible to mount an ISO image from a USB disk and to use it as a filesystem at boot time (with GRUB)? I ask because I would like to put the Linux kernel image and an ISO to be used as a filesystem (with Fedora bootstrap) onto a USB disk (without creating new partitions, etc.), as it is possible to do by using Qemu, for example.
Qemu is a virtualization/emulation environment. Grub is a bootloader, designed to get a kernel loaded into memory and start it executing. Neither program is directly related to your question, although you could certainly use Qemu to execute a VM that uses Grub to start Linux to do what you want.
Modern Linux distributions create an initrd, which the bootloader puts into memory for the kernel to use as its initial root file system. The initrd does things like loading the modules necessary to access the hard disks where the real root file system lives. In your case, you should look at having the initrd find your ISO, mount it, and use it as the root.
The contents of initrd vary based on what distro you're using. I'd grab a livecd from somewhere, dump its initrd's contents with zcat /boot/initrd-2.6.whatever.img | cpio -id, and check out what it's doing. Look for the init file, which will be the first user-space process run by the kernel.
Grub's loopback feature should allow you to boot a kernel and initrd from within an ISO image. Unfortunately, there's no way to allow the kernel to mount a loopback device as the root filesystem, so I think you're out of luck.
