[PATCH 7/7] efi: payload: add options for FDT force and initrd direct install

Ahmad Fatoum a.fatoum at pengutronix.de
Fri Sep 5 12:18:56 PDT 2025


Hi,

On 9/5/25 12:30 AM, anis chali wrote:
> 
> Hello Ahmad,
> 
>>> ---
>>>  efi/Kconfig | 17 +++++++++++++++++
>>>  1 file changed, 17 insertions(+)
>>>
>> diff --git a/efi/Kconfig b/efi/Kconfig
>>> index 84f670fd23d3..c3811574920d 100644
>>> --- a/efi/Kconfig
>>> +++ b/efi/Kconfig
>>> @@ -50,4 +50,21 @@ config EFI_PAYLOAD_DEFAULT_PATH
>>>  
>>>  endif
>>>  
>>> +config EFI_FDT_FORCE
>>> +	bool "Force EFI provided FDT"
>>> +	default n
>>>
>>
>> n is the default
>>
>> +	help
>>> +	  with this options we keep the fdt passed by EFI in the
>>> +	  system configuration table, EFI has to suppot FDT otherwise
>>> +	  an empty fdt will be generated when linux boots by efi.
>>>
>>
>> These things should be runtime configurable and not in Kconfig.
>> Why can't you take a user-supplied FDT if there is one and otherwise
>> fall back to of_get_fixed_tree_for_boot() as fallback?
> 
> The reason why I ignore a user-supplied FDT is secure boot: in that case
> I only accept a signed FIT image FDT or keep the EFI-supplied FDT, which is
> already in the configuration tables, so we can trust it; it is probably signed
> and verified by EFI.

There's CONFIG_BOOTM_FORCE_SIGNED_IMAGES that should be used to disallow
booting unsigned images. If that option is disabled, we should give the
user the runtime choice to select which initrd and which device tree to use.

> Concerning of_get_fixed_tree_for_boot, I think we cannot
> use it, at least for now, because (maybe I'm wrong) we didn't implement any code
> to tell barebox to use efi.dtb; we only implemented code to extract the FDT from
> the configuration tables and write it to /efi.dtb.

Ah, that's correct of course. Maybe we should just register the EFI dtb
as the barebox device tree... We will need to avoid things like
detecting the memory banks, but apart from that it would be useful to
e.g. probe drivers that are not exposed by the EFI firmware.

Anyways, even without that, of_get_fixed_tree_for_boot() should still be
used, so the user can specify a device tree.

>> +config EFI_INITRD_INSTALL
>>> +	bool "Install the initramfs by barebox"
>>> +	default n
>>> +	help
>>> +	  with this option barebox will install the initrd to the
>>> +	  system configuration table, same as what kernel do after
>>> +	  calling read file2 boot services, in this case the initrd
>>> +	  will be read directly by the kernel as an initramfs.
>>>
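
Review bot: Both new entries, EFI_FDT_FORCE and EFI_INITRD_INSTALL, are added after the `endif` context line and carry no `depends on`, so they are offered even when the options guarded by that block are not; add a dependency or move them above the `endif`. Each help text should also state what happens to a user-supplied device tree or initrd when the option is set, since secure boot is the reason given for these options in this thread, and "with this options" and "suppot" in the EFI_FDT_FORCE help need correcting.
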
>>
>> Same thing, why can't we check for data->initrd and use that?
> To answer your question: the same reason as for the FDT; in case of secure boot
> we ignore a user-supplied initrd. I think booti or bootm do the same thing: in
> secure boot mode they ignore overrides.

Maybe I am missing the big picture here, please apply the review
feedback so far and send a v2, then we can look into this again.

> Concerning EFI_INITRD_INSTALL, it is an option to install the initrd early
> in barebox, instead of exposing a boot service protocol to Linux, where Linux then calls back
> to barebox to get the initrd data and after that installs it to the system configuration
> data. I added this code in the beginning to debug, and after that I implemented it the way grub2, u-boot, etc. do.

I am not familiar with the EFI protocols. I will read up on it and
compare for v2.

Thanks for your patches!
Ahmad

> 
> Thank you for your support, 
> 
> cheers
> Anis C.
> 

-- 
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |



