Currently the only way to run an EFI binary like GRUB2 is via the 'bootefi' command, which cannot be used in a verified boot scenario.
The obvious solution to this limitation is to add support for booting FIT images containing those EFI binaries. The implementation relies on a new image type - IH_OS_EFI - which can be created by using 'os = "efi"' inside an ITS file: / { #address-cells = <1>; images { efi-grub { description = "GRUB EFI"; data = /incbin/("EFI/BOOT/bootarm.efi"); type = "kernel_noload"; arch = "arm"; os = "efi"; compression = "none"; load = <0x0>; entry = <0x0>; hash-1 { algo = "sha256"; }; }; }; configurations { default = "config-grub"; config-grub { kernel = "efi-grub"; signature-1 { algo = "sha256,rsa2048"; sign-images = "kernel"; }; }; }; }; The bootm command has been extended to handle the IH_OS_EFI images. To enable this feature, a new configuration option has been added: BOOTM_EFI I tested the solution using the 'qemu_arm' board: => load scsi 0:1 ${kernel_addr_r} efi-image.fit => bootm ${kernel_addr_r}#config-grub Cristian Ciocaltea (2): image: Add IH_OS_EFI for EFI chain-load boot bootm: Add a bootm command for type IH_OS_EFI cmd/Kconfig | 9 ++++++++- cmd/bootefi.c | 2 +- common/bootm_os.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ common/image-fit.c | 3 ++- common/image.c | 1 + include/bootm.h | 2 ++ include/image.h | 1 + 7 files changed, 59 insertions(+), 3 deletions(-) -- 2.17.1 _______________________________________________ U-Boot mailing list U-Boot@lists.denx.de https://lists.denx.de/listinfo/u-boot