Wikipedia

Boot ROM

The boot ROM is a type of ROM that is used for booting a computer system.[1] There are two types: a mask boot ROM that cannot be changed afterwards, and a boot EEPROM, which can contain a UEFI implementation.

Purpose

Upon power up, hardware usually starts uninitialized. To continue booting, the system may need to read a bootloader from some peripheral device. It is often easier to implement routines for reading from external storage devices in software than in hardware. A boot ROM provides a place to store this initial loading code, at a fixed location immediately available to the processor when execution starts.

Operation

The boot ROM is mapped into memory at a fixed location, and the processor is designed to start executing from this location after reset. Usually, it is placed on the same die as the CPU, but it can also be an external ROM chip, as is common in older systems.

The boot ROM will then initialize the hardware buses and peripherals needed to boot. In some cases the boot ROM is capable of initializing RAM, and in other cases it is up to the bootloader to do that.

At the end of the hardware initialization, the boot ROM will try to load a bootloader from external peripheral(s) (like an eMMC, a microSD card, an external EEPROM, and so on) or through specific protocol(s) on a bus for data transmission (like USB, UART, etc.).

In many systems on a chip, the peripherals or buses from which the boot ROM tries to load the bootloader (such as eMMC for embedded bootloader, or external EEPROM for UEFI implementation), and the order in which they are loaded, can be configured. This configuration can be done by blowing some electronic fuses inside the system on a chip to encode that information, or by having specific pins or jumpers of the system on a chip high or low.

Some boot ROMs are capable of checking the digital signature of the bootloader and will refuse to run it, stopping the boot, if the signature is not valid or was not made with an authorized key. With some boot ROMs, the hash of the public key needed to verify the signatures is encoded in electronic fuses inside the system on a chip. Other system on a chip boot ROMs support a public key infrastructure instead: the hash of the certificate authority (CA) public key is encoded in the electronic fuses, and the boot ROM checks that the bootloader is signed by an authorized key by verifying that key against the CA public key (whose hash is in the electronic fuses).[2][3]
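A model of the two fuse-anchored verification schemes just described, as an added example that is not part of the article or of any vendor's boot ROM: it uses toy RSA keys built from Mersenne primes (far too small for real use) and constructed images, and shows the boot ROM accepting a valid chain and refusing a tampered image or a key whose hash is not in the fuses.

```python
import hashlib

_E = 65537
# Toy RSA moduli built from Mersenne primes (2^31-1, 2^61-1, 2^89-1), constructed
# for this example only; a real boot ROM uses 2048-bit+ RSA or an ECC curve.
CA_PRIMES = ((1 << 31) - 1, (1 << 61) - 1)
BL_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)

def keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, _E), (n, pow(_E, -1, phi))          # (public, private)

def _rep(data, n):
    # Message representative: SHA-256 of the data, reduced into the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    n, d = priv
    return pow(_rep(data, n), d, n)
def verify(pub, data, sig):
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == _rep(data, n)
def pub_bytes(pub):
    n, e = pub
    return n.to_bytes(32, "big") + e.to_bytes(4, "big")
def key_hash(pub):
    return hashlib.sha256(pub_bytes(pub)).digest()

def boot_rom_check(fuse_hash, root_pub, image, sig, cert=None):
    """Boot ROM decision for the two schemes in the article.
    cert is None: the fuses hold the hash of the key that signed the image.
    cert given:   the fuses hold the CA key hash and cert is
                  (bootloader_pub, ca_signature_over_bootloader_pub)."""
    # 1. The key the image presents must match the hash burned into the fuses.
    if key_hash(root_pub) != fuse_hash:
        return False
    signing_key = root_pub
    if cert is not None:
        bl_pub, ca_sig = cert
        # 2. PKI variant: the CA must have signed the bootloader's key.
        if not verify(root_pub, pub_bytes(bl_pub), ca_sig):
            return False
        signing_key = bl_pub
    # 3. The bootloader image itself must verify under that key.
    return verify(signing_key, image, sig)

def demo():
    ca_pub, ca_priv = keypair(*CA_PRIMES)
    bl_pub, bl_priv = keypair(*BL_PRIMES)
    fuses = key_hash(ca_pub)                       # written once at manufacture
    image = b"constructed first-stage bootloader image"
    cert = (bl_pub, sign(ca_priv, pub_bytes(bl_pub)))
    sig = sign(bl_priv, image)
    return {
        "valid chain": boot_rom_check(fuses, ca_pub, image, sig, cert),
        "tampered image": boot_rom_check(fuses, ca_pub, image + b"x", sig, cert),
        "key not in fuses": boot_rom_check(fuses, bl_pub, image, sig),
        "direct key in fuses": boot_rom_check(key_hash(bl_pub), bl_pub, image, sig),
    }
```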

That feature can then be used to implement security features, or as a hardware root of trust in a chain of trust, but once configured, users are denied the freedom to replace the bootloader with one of their choosing. Because of this, the feature has raised strong concerns from the free software community.[4]

Just before jumping to the bootloader, some systems on a chip remove the boot ROM from the memory map, while others do not, making it possible to dump the boot ROM for later analysis.[3] If the boot ROM is still visible, bootloaders can also call the boot ROM's code (which is sometimes documented).

Suspend to RAM

When a system on a chip enters suspend-to-RAM mode, in many cases the processor is completely off while the RAM is put in self-refresh mode. At resume, the boot ROM is executed again; many boot ROMs are able to detect that the system on a chip was in suspend to RAM and can resume by jumping directly to the kernel, which then takes care of powering the peripherals that were off back on and restoring the state the computer was in before.

Specific implementations

Allwinner

On many Allwinner systems on a chip (A10, A20, A64), the boot ROM either waits for a bootloader to be loaded through USB (if a specific pin is high) or tries to boot from several peripherals in a fixed order.[5]

Some Allwinner systems on a chip can verify the signature of the bootloaders,[6] but most devices being manufactured are not configured for that. This has enabled free and open-source software to add support for many Allwinner systems on a chip, and for devices using them, in bootloaders like U-Boot.[7]

Apple

On iOS devices, the boot ROM is called "SecureROM".[citation needed] It is a stripped-down version of iBoot. It provides a Device Firmware Upgrade (DFU) mechanism, which can be activated using a special key combination.[8]

NXP

The boot ROM of NXP systems on a chip supports configuring the boot peripherals through specific pins of the system on a chip. On the i.MX6 family it also supports configuring the boot order through efuses.

The boot ROM of several NXP systems on a chip has many ways to load the first-stage bootloader (from eMMC, microSD, USB, etc.).

Several NXP systems on a chip can be configured to verify the signature of the bootloaders. Many devices with such a system on a chip were sold without that verification configured, and on those devices users can install the bootloader they want, including several free and open-source software bootloaders like Das U-Boot[9] and Barebox.

Texas Instruments

The boot ROM of several Texas Instruments systems on a chip supports configuring the boot peripherals through specific pins of the system on a chip.

The boot ROM of several Texas Instruments systems on a chip has many ways to load the first-stage bootloader (called MLO in the reference manuals of those systems on a chip):

  • It can be loaded from various storage devices (MMC/SD/eMMC, NAND, etc.).
  • With MMC/SD/eMMC, it can be loaded directly from card sectors (called RAW mode in the manual) or from a FAT12/16/32 partition.
  • It can also be loaded from USB or UART.

On the OMAP36xx system on a chip, the boot ROM looks for the first-stage bootloader at the sectors 0x0 and 0x20000 (128KB),[10] and on the AM3358 system on a chip[11] it additionally looks at 0x40000 (256KiB) and 0x60000 (384KiB). In both cases its maximum size is 128KiB, because the first-stage bootloader is loaded into an SRAM inside the system on a chip.
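A model of the RAW-mode search described above, as an added example that is not part of the article or of TI's ROM code: it assumes the article's offsets are byte offsets into the card, a hypothetical 8-byte header of little-endian image size and load address, and a constructed card image. The size field is bounded to the 128 KiB SRAM limit before it drives anything, since it is untrusted data read from the card.

```python
import struct

KIB = 1024
MAX_MLO_SIZE = 128 * KIB                 # SRAM limit stated in the article
# Byte offsets the article gives for each SoC (assumed to be byte offsets).
RAW_OFFSETS = {
    "OMAP36xx": (0x0, 0x20000),
    "AM3358":   (0x0, 0x20000, 0x40000, 0x60000),
}
# Hypothetical MLO header: little-endian image size, then load address.
HDR = struct.Struct("<II")
LOAD_ADDR = 0x40000000                    # constructed placeholder, not a real SRAM address

def find_mlo(card, soc):
    """Return (offset, load_addr, image) for the first usable candidate,
    or None when no offset holds a bootable image."""
    for off in RAW_OFFSETS[soc]:
        if off + HDR.size > len(card):
            continue                      # candidate lies beyond the card
        size, load = HDR.unpack_from(card, off)
        # The size field comes from the card: bound it before it is used
        # to size any copy into the on-chip SRAM.
        if size == 0 or size > MAX_MLO_SIZE:
            continue
        start, end = off + HDR.size, off + HDR.size + size
        if end > len(card):
            continue                      # image truncated by the card end
        return off, load, card[start:end]
    return None

def make_card(*entries, card_size=512 * KIB):
    """Constructed raw card image; entries are (offset, size_field, payload)."""
    buf = bytearray(card_size)
    for off, size_field, payload in entries:
        buf[off:off + HDR.size] = HDR.pack(size_field, LOAD_ADDR)
        buf[off + HDR.size:off + HDR.size + len(payload)] = payload
    return bytes(buf)

def demo():
    good = b"constructed MLO payload"
    # Offset 0x0 claims an image larger than the SRAM; offset 0x40000 is valid.
    card = make_card((0x0, 0x30000, b"oversized"), (0x40000, len(good), good))
    return find_mlo(card, "AM3358"), find_mlo(card, "OMAP36xx")
```

Run against the constructed card, the AM3358 search skips the oversized header and finds the image at 0x40000, while the OMAP36xx search, which never looks past 0x20000, finds nothing.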

The OMAP and AM335x systems on a chip can be configured to verify the signature of the bootloaders. Many devices with such a system on a chip were sold without verification configured, and on those devices users can install the bootloader they want, including several free and open-source software bootloaders like Das U-Boot,[12] Coreboot[13] and Barebox.

STMicro STM32

STMicro STM32 family microcontrollers have a built-in on-chip ROM (also referred to as the "built-in bootloader")[14] to facilitate the flashing of empty systems. Certain pin combinations, or sometimes efuses and/or empty-flash checks, force the chip to boot from ROM instead of from the firmware in main flash. This allows empty chips to be flashed without resorting to hardware programming interfaces. Technically this ROM is stored in a dedicated area of the flash array and programmed by STMicro during production. Most STM32 microcontrollers can at least be flashed over UART; some support USB, and some support other interfaces such as I2C, SPI or CAN. The Cortex-M CPU core normally fetches its vectors from the well-known addresses 0x00000000 (initial stack pointer value) and 0x00000004 (initial program counter value); however, pins and/or fuses define which memory is mapped at these addresses. The built-in boot ROM is one of the mapping options; another is typically the main firmware in flash. In that case the firmware is expected to do all the jobs boot ROMs do; part of the firmware could act as a bootloader similar to ST's boot ROM. Hardware could provide read-only enforcement on the boot area, turning it into a user-provided version of a boot ROM.

Security

Apple

On devices running iOS, boot ROM exploits (like Limera1n[citation needed] and checkm8[citation needed]) are sometimes used for iOS jailbreaking. Their advantage, for people wanting to jailbreak their devices, over exploits that affect iOS itself is that since the boot ROM cannot be modified, and devices running iOS do not have fuses to append code to the boot ROM, Apple cannot fix the vulnerability on existing devices.

Nvidia Tegra

The boot ROM of Nvidia's Tegra SoC (used by the Nintendo Switch) contained a vulnerability which made it possible for users to run the bootloader they want.[15][16]

See also

  • Booting process of Android devices
  • ROM image
  • BootX (Apple)

References

  1. Bin, Niu; Dejian, Li; Zhangjian, LU; Lixin, Yang; Zhihua, Bai; Longlong, He; Sheng, Liu (August 2020). "Research and design of Bootrom supporting secure boot mode". 2020 International Symposium on Computer Engineering and Intelligent Communications (ISCEIC). pp. 5–8. doi:10.1109/ISCEIC51027.2020.00009. ISBN 978-1-7281-8171-4. S2CID 231714880.
  2. Secure boot (Mk II).
  3. Emulating Exynos 4210 BootROM in QEMU, 7 March 2018.
  4. Single-board computers.
  5. BROM, linux-sunxi wiki article.
  6. SID Register Guide, linux-sunxi wiki article.
  7. U-Boot, linux-sunxi wiki page.
  8. Todesco, Luca. "The One Weird Trick SecureROM Hates" (PDF). Archived (PDF) from the original on 2019-11-08.
  9. imx6.txt.
  10. OMAP36xx reference manual (swpu177aa.pdf), 26.4.7.6 MMC/SD Cards.
  11. AM3358 reference manual (spruh73p.pdf), 26.1.8.5 MMC/SD Cards.
  12. README.omap3.
  13. Beaglebone Black.
  14. AN2606 Application note (PDF).
  15. "Hackers find an 'unpatchable' way to breach the Nintendo Switch". Engadget. 24 April 2018. Archived from the original on 2020-11-09. Retrieved 2021-09-30.
  16. Vulnerability Disclosure: Fusée Gelée, 28 October 2021.
