1# GBL OS Configuration EFI Protocol 2 3This document defines an EFI protocol for GBL which allows the device to 4apply runtime fixups to data passed into the OS. 5 6## GBL_EFI_OS_CONFIGURATION_PROTOCOL 7 8### Summary 9 10This protocol provides a mechanism for the EFI firmware to build and update OS 11configuration data: 12 13* device tree (select components to build the final one) 14* kernel commandline (append fixups) 15* bootconfig (append fixups) 16 17GBL will load and verify the base data from disk, and then call these protocol 18functions to give the firmware a chance to construct and adjust the data as needed 19for the particular device. Device tree fixup is handled by `EFI_DT_FIXUP` protocol. 20 21If no runtime modifications are necessary, this protocol may be left 22unimplemented. 23 24### GUID 25 26```c 27// {dda0d135-aa5b-42ff-85ac-e3ad6efb4619} 28#define GBL_EFI_OS_CONFIGURATION_PROTOCOL_GUID \ 29 { \ 30 0xdda0d135, 0xaa5b, 0x42ff, { \ 31 0x85, 0xac, 0xe3, 0xad, 0x6e, 0xfb, 0x46, 0x19 \ 32 } \ 33 } 34``` 35 36### Revision Number 37 38Note: revision 0 means the protocol is not yet stable and may change in 39backwards-incompatible ways. 40 41```c 42#define GBL_EFI_OS_CONFIGURATION_PROTOCOL_REVISION 0x00000000 43``` 44 45### Protocol Interface Structure 46 47```c 48typedef struct _GBL_EFI_OS_CONFIGURATION_PROTOCOL { 49 UINT64 Revision; 50 GBL_EFI_FIXUP_KERNEL_COMMAND_LINE FixupKernelCommandline; 51 GBL_EFI_FIXUP_BOOTCONFIG FixupBootConfig; 52 GBL_EFI_SELECT_DEVICE_TREES SelectDeviceTrees; 53 GBL_EFI_FIXUP_ZBI FixupZbi; 54} GBL_EFI_OS_CONFIGURATION_PROTOCOL; 55``` 56 57### Parameters 58 59#### Revision 60The revision to which the `GBL_EFI_OS_CONFIGURATION_PROTOCOL` adheres. All 61future revisions must be backwards compatible. If a future version is not 62backwards compatible, a different GUID must be used. 63 64#### FixupKernelCommandline 65Applies kernel commandline fixups. See 66[`FixupKernelCommandline()`](#FixupKernelCommandline). 67 68#### FixupBootConfig 69Applies bootconfig fixups. See [`FixupBootConfig()`](#FixupBootConfig). 70 71#### SelectDeviceTrees 72Select components such as base device tree, overlays to build the final device tree. 73See [`SelectDeviceTrees()`](#SelectDeviceTrees). 74 75#### FixupZbi 76Applies ZBI fixups (Fuchsia kernels only). See [`FixupZbi()`](#FixupZbi). 77 78## GBL_EFI_OS_CONFIGURATION_PROTOCOL.FixupKernelCommandline() {#FixupKernelCommandline} 79 80### Summary 81 82Provides runtime fixups to the kernel command line. 83 84### Prototype 85 86```c 87typedef EFI_STATUS (EFIAPI *GBL_EFI_FIXUP_KERNEL_COMMAND_LINE)( 88 IN GBL_EFI_OS_CONFIGURATION_PROTOCOL *This, 89 IN CONST CHAR8 *CommandLine, 90 OUT CHAR8 *Fixup, 91 IN OUT UINTN *FixupBufferSize 92 ); 93``` 94 95### Parameters 96 97Ownership of all the parameters is loaned only for the duration of the function call, and 98must not be retained by the protocol after returning. 99 100#### This 101A pointer to the `GBL_EFI_OS_CONFIGURATION_PROTOCOL` instance. 102 103#### CommandLine [in] 104A pointer to the ASCII nul-terminated command line built by GBL. 105 106#### Fixup [out] 107Pointer to a pre-allocated buffer to store the generated command line fixup. 108GBL verifies and appends provided data into the final command line. FW may 109leave this unchanged if no fixup is required. 110 111The FW implementation can generate a fixup with the following restrictions: 112* on return, the data must be valid ASCII encoding with nul termination 113* the data and termination byte must never exceed the provided `FixupBufferSize` 114* no libavb arguments may be provided (see Security below) 115 116#### FixupBufferSize [in, out] 117On function call, this points to the fixup buffer size provided by `Fixup`. The 118implementation is free to provide fixup data up to this size, including the 119termination byte. 120 121If the buffer is not large enough to fit the fixups, the function should update 122`FixupBufferSize` with the required size and return `EFI_BUFFER_TOO_SMALL`; 123GBL will then allocate a larger buffer, discard all modifications and repeat 124the `FixupKernelCommandline` call. 125 126`FixupBufferSize` does not need to be updated on success, GBL will determine the 127fixup command line data size via the nul terminator. 128 129### Description 130 131GBL will call this function after loading and verifying the base kernel command 132line, to give the device an opportunity to supply some of the runtime fixups. 133 134Since the device tree selection affects the base kernel command line, GBL will 135call `SelectDeviceTrees` first before calling `FixupKernelCommandline`. 136 137#### Security 138 139To ensure the integrity of verified boot data, this protocol will not be 140allowed to append any command line parameters provided by 141[libavb](https://source.android.com/docs/security/features/verifiedboot/avb). 142If any of these parameters are provided, GBL will treat this as a failed boot 143attempt: 144* `androidboot.veritymode*` 145* `androidboot.vbmeta*` 146* `dm` 147* `root` 148 149Additionally, all data used to apply fixups to the command line must be trusted. 150In particular, if the protocol loads any data from non-secure storage, it should 151verify that data before use. 152 153#### Status Codes Returned 154 155| | | 156| ----------------------- | ----------------------------------------------------------------------------------- | 157| `EFI_SUCCESS` | Command line fixup provided. | 158| `EFI_INVALID_PARAMETER` | A parameter is invalid. | 159| `EFI_BUFFER_TOO_SMALL` | The buffer is too small; `FixupBufferSize` has been updated with the required size. | 160| `EFI_DEVICE_ERROR` | Internal error while providing the command line fixup. | 161 162## GBL_EFI_OS_CONFIGURATION_PROTOCOL.FixupBootConfig() {#FixupBootConfig} 163 164### Summary 165 166Provides runtime fixups to the bootconfig. 167 168### Prototype 169 170```c 171typedef EFI_STATUS (EFIAPI *GBL_EFI_FIXUP_BOOTCONFIG)( 172 IN GBL_EFI_OS_CONFIGURATION_PROTOCOL *This, 173 IN CONST CHAR8 *BootConfig, 174 IN UINTN BootConfigSize, 175 OUT CHAR8 *Fixup, 176 IN OUT UINTN *FixupBufferSize 177 ); 178``` 179 180### Parameters 181 182Ownership of all the parameters is loaned only for the duration of the function call, and 183must not be retained by the protocol after returning. 184 185#### This 186A pointer to the `GBL_EFI_OS_CONFIGURATION_PROTOCOL` instance. 187 188#### BootConfig [in] 189Pointer to the bootconfig built by GBL. Trailing data isn't provided. 190 191#### BootConfigSize [in] 192Size of the bootconfig built by GBL. 193 194#### Fixup [out] 195Pointer to a pre-allocated buffer to store the generated bootconfig fixup. 196GBL verifies and appends provided data into the final bootconfig. FW may 197leave this unchanged if no fixup is required. `FixupBufferSize` must be 198updated to `0` in this case. 199 200The FW implementation can generate a fixup with the following restrictions: 201* on return, the data must be valid bootconfig (trailer is optional) 202* the data must never exceed the provided `FixupBufferSize` 203* no libavb arguments may be provided (see Security below) 204 205#### FixupBufferSize [in, out] 206On function call, this points to the fixup buffer size provided by `Fixup`. The 207implementation is free to provide fixup data up to this size. 208 209If the buffer is not large enough to fit the fixups, the function should update 210`FixupBufferSize` with the required size and return `EFI_BUFFER_TOO_SMALL`; 211GBL will then allocate a larger buffer, discard all modifications and repeat 212the `FixupBootConfig` call. 213 214`FixupBufferSize` must be updated on success to let GBL determine the fixup command line data size. 215 216### Description 217 218[Bootconfig](https://source.android.com/docs/core/architecture/bootloader/implementing-bootconfig) 219is very similar to the kernel command line, but the format is slightly 220different, and the contents are intended for user space consumption rather than 221kernel. 222 223This protocol only needs to provide the bootconfig parameters, GBL will automatically update 224the bootconfig trailer metadata afterwards. 225 226#### Security 227 228This function's security guidelines are exactly identical to 229[`FixupKernelCommandline`](#FixupKernelCommandline); see those docs for details. 230 231#### Status Codes Returned 232 233This function's status return codes are exactly identical to 234[`FixupKernelCommandline`](#FixupKernelCommandline); see those docs for details. 235 236## GBL_EFI_OS_CONFIGURATION_PROTOCOL.SelectDeviceTrees() {#SelectDeviceTrees} 237 238### Summary 239 240Inspects device trees and overlays loaded by GBL to determine which ones to use. 241 242### Prototype 243 244```c 245typedef enum { 246 BOOT, 247 VENDOR_BOOT, 248 DTBO, 249 DTB 250} GBL_EFI_DEVICE_TREE_SOURCE; 251 252typedef struct { 253 // GBL_EFI_DEVICE_TREE_SOURCE 254 UINT32 Source; 255 // values are zeroed and must not be used in case of BOOT / VENDOR_BOOT source 256 UINT32 Id; 257 UINT32 Rev; 258 UINT32 Custom[4]; 259 // make sure GblDeviceTreeMetadata size is 8-bytes aligned. Also reserved for 260 // the future cases 261 UINT32 Reserved; 262} GBL_EFI_DEVICE_TREE_METADATA; 263 264typedef struct { 265 GBL_EFI_DEVICE_TREE_METADATA Metadata; 266 // base device tree / overlay buffer (guaranteed to be 8-bytes aligned), 267 // cannot be NULL. Device tree size can be identified by the header totalsize field. 268 CONST VOID *DeviceTree; 269 // Indicates whether this device tree (or overlay) must be included in the 270 // final device tree. Set to true by a FW if this component must be used 271 BOOLEAN Selected; 272} GBL_EFI_VERIFIED_DEVICE_TREE; 273 274typedef EFI_STATUS (EFIAPI *GBL_EFI_SELECT_DEVICE_TREES)( 275 IN GBL_EFI_OS_CONFIGURATION_PROTOCOL *This, 276 IN OUT GBL_EFI_VERIFIED_DEVICE_TREE *DeviceTrees, 277 IN UINTN NumDeviceTrees 278 ); 279``` 280 281### Parameters 282 283Ownership of all the parameters is loaned only for the duration of the function call, and 284must not be retained by the protocol after returning. 285 286#### This 287A pointer to the `GBL_EFI_OS_CONFIGURATION_PROTOCOL` instance. 288 289#### DeviceTrees [in, out] 290 291Pointer to an array of base device trees and overlays for selection. Base device trees and 292overlays are differentiated by the `GBL_EFI_DEVICE_TREE_METADATA.Source` field (`BOOT`, 293`VENDOR_BOOT`, `DTB` for base device trees, and `DTBO` for overlays). 294 295Selection is made by setting `GBL_EFI_VERIFIED_DEVICE_TREE.Selected` to `TRUE`. Selecting 296multiple or zero base device trees will cause GBL to fail to boot. Selecting multiple or 297zero overlays are supported. 298 299#### NumDeviceTrees [in] 300 301The number of base device trees and overlays in the `DeviceTrees` array. 302 303### Description 304 305Android build artifacts provide multiple base device trees and overlays from the `boot`, 306`vendor_boot`, `dtb`, and `dtbo` partitions. These artifacts are reused across multiple SoCs, 307so the firmware typically selects a base device tree and overlays to construct the final tree. 308This method enables selection based on the loaded content. 309 310Only one base device tree and multiple overlays (no overlays is also allowed) can be selected. 311If more than one or no base device trees are selected, GBL will fail to boot. 312 313### Status Codes Returned 314 315| | | 316| ----------------------- | ----------------------------------------------------------------------- | 317| `EFI_SUCCESS` | Base device tree, overlays has been selected. | 318| `EFI_INVALID_PARAMETER` | A parameter is invalid. For example, incorrect device trees, alignment. | 319 320## GBL_EFI_OS_CONFIGURATION_PROTOCOL.FixupZbi() {#FixupZbi} 321 322TODO(b/353272981) 323