On Sun, Nov 27, 2016 at 07:30:07PM -0500, Charlotte Plusplus wrote:
[...] With the amount of flash we have, sharing the kernel and initrd doesn't seem like a bad idea.
The problem is if a bad kernel or initrd is flashed then there is no way to recover without hardware intervention. Having a truly minimal recovery kernel with USB and a spiflash writer makes it possible to boot into some sort of mode to reocver from that failure.
For both root of trust as well as reliability concerns, the recovery image at the top of the SPI flash should be read-only with the BP bits and the WP# pin enabled. That way hardware is required to really mess it up.
I don't know about you, but once I have a minimal working kernel or a coreboot fallback, I never really update them. So having no way to recover them without hardware intervention is fine. The kernel I may recompile, patch, etc would be somewhere else.
The job of this minimal kernel and initrd would just be to kexec the other kernel, and let you recover coreboot if needed.
Having both of them write protected is just fine, if the cmdline used for the kexec is be read from another part of the spi for when you have to add some kernel parameters
On Sun, Nov 27, 2016 at 8:09 PM, Trammell Hudson hudson@trmm.net wrote:
On Sun, Nov 27, 2016 at 07:30:07PM -0500, Charlotte Plusplus wrote:
[...] With the amount of flash we have, sharing the kernel and initrd doesn't seem like a bad idea.
The problem is if a bad kernel or initrd is flashed then there is no way to recover without hardware intervention. Having a truly minimal recovery kernel with USB and a spiflash writer makes it possible to boot into some sort of mode to reocver from that failure.
For both root of trust as well as reliability concerns, the recovery image at the top of the SPI flash should be read-only with the BP bits and the WP# pin enabled. That way hardware is required to really mess it up.
-- Trammell
-
Charlotte Plusplus -
Trammell Hudson