image_pdfimage_print

In the world of embedded systems, a Flattened Image Tree (FIT) is the standard way to package a bootable OS, typically bundling the kernel, a ramdisk, and the necessary devicetree (FDT) into a single, verifiable file. While convenient, this approach tightly couples the OS with its hardware description. But what if the OS and the devicetree could have independent lifecycles?

A new patch series introduces an enhancement to U-Boot’s Verified Boot for Embedded (VBE) flow that does just that, adding significant flexibility for system integrators and distributors.

The Challenge: Separate Lifecycles

For a Linux distribution aiming to support a wide range of hardware, it’s often desirable to separate the OS from the OEM-controlled devicetrees. This allows the OEM to update the devicetree to fix hardware-specific issues or enable new features without requiring a full OS update from the distro. Conversely, the OS can be updated without touching the OEM’s hardware configuration.

This series addresses this challenge by introducing a new boot method, CONFIG_BOOTMETH_VBE_ABREC_OS, which allows a devicetree to be loaded from a separate, “load-only” FIT before the main OS FIT is processed.

How It Works: A Two-Step Boot Process

The new VBE boot method orchestrates a two-step process, relying on a state file and enhancements to mkimage and the bootm command.

  1. State-Driven Boot Selection: The process starts by looking for a vbe-state file in the boot partition. This file, which is a simple devicetree blob, tells U-Boot which OS slot to boot next: A, B, or recovery. This maintains the robust A/B update scheme that VBE is known for.
  2. The OEM Devicetree FIT: After selecting a slot (e.g., slot ‘A’), U-Boot checks for an OEM-provided FIT, such as a/oem.fit. Thanks to a new --load-only option in mkimage, this FIT can be created to contain only devicetrees, without a kernel image.
  3. Restartable bootm: If an OEM FIT is found, U-Boot loads it using bootm. Since there’s no OS to boot, bootm simply loads the best-matching devicetree into memory and exits. The key innovation here is that the bootm process can now be restarted.
  4. Booting the OS: U-Boot then proceeds to load the main OS FIT (e.g., as specified in an extlinux.conf file). It calls bootm again, but this time with a flag indicating it’s a restart. This tells bootm to skip loading a devicetree from the OS FIT and instead use the one already loaded from the OEM FIT.

The end result is that the OS boots using the devicetree provided by the OEM, achieving a clean separation of concerns.

Under the Hood

This powerful new feature is enabled by a series of changes:

  • mkimage Enhancement: The mkimage tool can now create load-only FITs, which are essential for packaging the devicetrees separately.
  • PXE/Extlinux Integration: The PXE and extlinux boot methods have been updated to support restarting a boot sequence, allowing the devicetree to be preserved across the two bootm calls.
  • Refactoring and Cleanup: The series includes numerous cleanups, such as improving FIT information display and refactoring the PXE parsing logic for better maintainability.
  • Comprehensive Testing: A new set of unit tests for the VBE OS flow has been added for sandbox, ensuring the feature is robust and reliable.
  • Documentation: The new feature is accompanied by detailed documentation, which you can find in doc/develop/bootstd/vbe_os.rst.

This series is a great example of how U-Boot continues to evolve to meet the complex demands of modern embedded systems. By decoupling the OS and devicetree, it provides a more flexible and maintainable boot architecture for product developers and OEMs alike.

Author

  • Simon Glass is a primary author of U-Boot, with around 10K commits. He is maintainer of driver model and various other subsystems in U-Boot.

Leave a Reply

Your email address will not be published. Required fields are marked *