mail archive of the barebox mailing list
From: Fabian Pflug <f.pflug@pengutronix.de>
To: barebox@lists.infradead.org
Cc: Fabian Pflug <f.pflug@pengutronix.de>,
	Ahmad Fatoum <a.fatoum@pengutronix.de>
Subject: [PATCH v5 4/4] bootm: introduce bootm.root_param variable
Date: Mon,  1 Dec 2025 08:21:00 +0100
Message-ID: <20251201072452.1829564-5-f.pflug@pengutronix.de>
In-Reply-To: <20251201072452.1829564-1-f.pflug@pengutronix.de>

The bootm.root_param variable will be responsible for the root= part of
the kernel command line if bootm.appendroot is set and a root device has
been selected.
root_param allows replacing root=/dev/... with verity=/dev/..., which
is useful in a verified boot context, where you pass the root file
system to the initramfs, but do not want the kernel to be able to parse
and mount the rootfs. By renaming root= to something different,
you make sure that the kernel does not mount the rootfs.

Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
Reviewed-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---

Add section in security about how to use the new function to prevent
Linux from mounting the rootfs and motivation behind it.

 Documentation/user/security.rst | 16 ++++++++++++++++
 common/bootm.c                  | 20 ++++++++++++--------
 include/bootm.h                 |  1 +
 3 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/Documentation/user/security.rst b/Documentation/user/security.rst
index 357ea86a1d..5a23bd83ba 100644
--- a/Documentation/user/security.rst
+++ b/Documentation/user/security.rst
@@ -86,6 +86,22 @@ can be used to compile in well known development keys into the barebox binary.
 The private keys for these keys can be found
 `[here] <https://git.pengutronix.de/cgit/ptx-code-signing-dev>`__
 
+Prevent the kernel from booting the rootfs in verity boots
+----------------------------------------------------------
+
+In systems, where barebox loads an initramfs that setups a dm-verity rootfs and
+passes the location of the root file system on the kernel command-line, make
+sure not to use ``root=``!
+``root=`` is also interpreted by the kernel and can lead to the kernel mounting
+the rootfs without dm-verity, if the initramfs failed to load, e.g. due to
+different compression algorithm.
+
+The fail-safe alternative is to use a parameter name understood only by the
+initramfs (e.g. ``verity_root=``) in all bootloader scripts. If the
+``root=$dev`` is fixed up by barebox dynamically, the
+``$global.bootm.root_param`` variable can be used to customize the name of the
+parameter passed to Linux.
+
 Disabling the shell
 ^^^^^^^^^^^^^^^^^^^
 
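
Review bot: the new heading is underlined with `-` while the following "Disabling the shell" heading, visible as context, uses `^`. If `-` is the higher level in this file, "Disabling the shell" and whatever follows it become subsections of "Prevent the kernel from booting the rootfs in verity boots"; please check the level against the rest of security.rst and use the same underline as the sibling sections. Smaller points in the same text: "setups" should be "sets up", the title says "booting the rootfs" where the body talks about mounting it, the commit message uses verity= as the example name while the documentation uses ``verity_root=``, and a one-line example of setting ``global.bootm.root_param`` would make the last paragraph actionable.
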
diff --git a/common/bootm.c b/common/bootm.c
index adc76eba64..8f52071ef2 100644
--- a/common/bootm.c
+++ b/common/bootm.c
@@ -70,6 +70,7 @@ void bootm_data_init_defaults(struct bootm_data *data)
 		data->initrd_file = getenv_nonempty("global.bootm.initrd");
 	}
 	data->root_dev = getenv_nonempty("global.bootm.root_dev");
+	data->root_param = getenv_nonempty("global.bootm.root_param");
 	data->verify = bootm_get_verify_mode();
 	data->appendroot = bootm_appendroot;
 	data->provide_machine_id = bootm_provide_machine_id;
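
Review bot: data->root_param is read with getenv_nonempty(), so if that helper returns NULL for an unset or empty variable, as its name and its use for optional values like initrd_file suggest, clearing global.bootm.root_param leaves a NULL pointer here. The later hunks pass bootm_data->root_param to pr_err() with %s and to format_root_bootarg() without a check. Please handle the empty case explicitly, either in this function or in bootm_boot(). For the verified boot use case, failing with an error seems safer than silently falling back to "root", which would bring back the kernel's own rootfs mount. Are there callers that fill struct bootm_data without going through bootm_data_init_defaults()? They would see the same NULL.
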
@@ -89,6 +90,7 @@ void bootm_data_restore_defaults(const struct bootm_data *data)
 		globalvar_set("bootm.initrd", data->initrd_file);
 	}
 	globalvar_set("bootm.root_dev", data->root_dev);
+	globalvar_set("bootm.root_param", data->root_param);
 	bootm_set_verify_mode(data->verify);
 	bootm_appendroot = data->appendroot;
 	bootm_provide_machine_id = data->provide_machine_id;
@@ -854,14 +856,14 @@ int bootm_boot(struct bootm_data *bootm_data)
 
 			if (ret) {
 				if (!root_cdev)
-					pr_err("no cdev found for %s, cannot set root= option\n",
-						root_dev_name);
+					pr_err("no cdev found for %s, cannot set %s= option\n",
+						root_dev_name, bootm_data->root_param);
 				else if (!root_cdev->partuuid[0])
-					pr_err("%s doesn't have a PARTUUID, cannot set root= option\n",
-						root_dev_name);
+					pr_err("%s doesn't have a PARTUUID, cannot set %s= option\n",
+						root_dev_name, bootm_data->root_param);
 				else
-					pr_err("could not determine root= from %s\n",
-						root_dev_name);
+					pr_err("could not determine %s= from %s\n",
+						bootm_data->root_param, root_dev_name);
 			}
 
 			if (root_cdev)
@@ -875,10 +877,10 @@ int bootm_boot(struct bootm_data *bootm_data)
 		}
 
 		if (!root) {
-			pr_err("Failed to append kernel cmdline parameter 'root='\n");
+			pr_err("Failed to append kernel cmdline parameter '%s='\n", bootm_data->root_param);
 		} else {
 			char *rootarg;
-			rootarg = format_root_bootarg("root", root, rootopts);
+			rootarg = format_root_bootarg(bootm_data->root_param, root, rootopts);
 			pr_info("Adding \"%s\" to Kernel commandline\n", rootarg);
 			globalvar_add_simple("linux.bootargs.bootm.appendroot",
 					     rootarg);
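
Review bot: the parameter name passed to format_root_bootarg() comes straight from global.bootm.root_param and is not validated anywhere in this patch. A value containing whitespace or '=' would end up verbatim in linux.bootargs.bootm.appendroot and produce a command line that the initramfs parses differently than intended; consider rejecting names with characters outside a conservative set, either when the variable is set or before formatting. Also, the new pr_err("Failed to append kernel cmdline parameter '%s='\n", ...) line is considerably longer than its neighbours and could be wrapped like the other pr_err() calls in this function.
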
@@ -1121,6 +1123,7 @@ static int bootm_init(void)
 	globalvar_add_simple("bootm.image.loadaddr", NULL);
 	globalvar_add_simple("bootm.oftree", NULL);
 	globalvar_add_simple("bootm.root_dev", NULL);
+	globalvar_add_simple("bootm.root_param", "root");
 	globalvar_add_simple("bootm.tee", NULL);
 	globalvar_add_simple_bool("bootm.appendroot", &bootm_appendroot);
 	globalvar_add_simple_bool("bootm.earlycon", &bootm_earlycon);
@@ -1178,5 +1181,6 @@ BAREBOX_MAGICVAR(global.bootm.verbose, "bootm default verbosity level (0=quiet)"
 BAREBOX_MAGICVAR(global.bootm.earlycon, "Add earlycon option to Kernel for early log output");
 BAREBOX_MAGICVAR(global.bootm.appendroot, "Add root= option to Kernel to mount rootfs from the device the Kernel comes from (default, device can be overridden via global.bootm.root_dev)");
 BAREBOX_MAGICVAR(global.bootm.root_dev, "bootm default root device (overrides default device in global.bootm.appendroot)");
+BAREBOX_MAGICVAR(global.bootm.root_param, "bootm root parameter name (normally 'root' for root=/dev/...)");
 BAREBOX_MAGICVAR(global.bootm.provide_machine_id, "If true, append systemd.machine_id=$global.machine_id to Kernel command line");
 BAREBOX_MAGICVAR(global.bootm.provide_hostname, "If true, append systemd.hostname=$global.hostname to Kernel command line");
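
Review bot: the global.bootm.appendroot description on the context line above still reads "Add root= option to Kernel ...", which is no longer accurate once global.bootm.root_param is changed. Please update that text to refer to the configured parameter name, and consider stating in the new root_param description that it only takes effect when appendroot is set, as the commit message says.
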
diff --git a/include/bootm.h b/include/bootm.h
index b35deb25bf..14b2465500 100644
--- a/include/bootm.h
+++ b/include/bootm.h
@@ -19,6 +19,7 @@ struct bootm_data {
 	const char *oftree_file;
 	const char *tee_file;
 	const char *root_dev;
+	const char *root_param;
 	int verbose;
 	enum bootm_verify verify;
 	bool force;
-- 
2.47.3



