****************
Firmware: U-Boot
****************

U-Boot can be configured to support the EBBR specification. This is done by
enabling both `CONFIG_EFI_LOADER` and `CONFIG_EFI_EBBR_2_0_CONFORMANCE`.
As UEFI Secure Boot is optional in EBBR, it has to be activated separately
with `CONFIG_EFI_SECURE_BOOT`.

.. graphviz:: bootflow-uboot.dot

UEFI Secure Boot
================

The CoreOS build system bundles all the public keys needed for Secure Boot
inside the U-Boot binary at build time. The UEFI variables needed by Secure
Boot are not allowed to be changed at runtime.

Device tree handling
====================

As per the EBBR specification, the firmware is responsible for providing a
basic device tree to the kernel. This means that we have to build U-Boot with
an embedded device tree. In a machine configuration, this means setting the
`UBOOT_BUILDENV_DEVICE_TREE` variable. The kernel can then override the
built-in device tree to use another one.

.. important::

   The `compatible` field of the device tree embedded inside `u-boot` has to
   match the one used inside the kernel. This allows us to automatically load
   the right `device-tree` inside the unified kernel image (UKI).

Features to implement per machine
=================================

The U-Boot provided by CoreOS should implement the following features for each
supported machine:

DT Fixup
--------

An EFI application like a UKI can overwrite the built-in device tree with a
custom one. The DT Fixup Protocol allows an application to ask the firmware to
apply some runtime fixes to the new device tree, like enabling or removing
nodes. This can be used to pass dynamic information stored inside a "board
descriptor" EEPROM or CPLD to the kernel.
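
The `compatible` matching described under "Device tree handling", as an added example (not CoreOS or U-Boot code): it reads the root `compatible` list from flattened device tree blobs and picks the UKI-side blob whose first entry equals the firmware's. The first-entry match rule, the `vendor,board-*` strings and the helper names are assumptions made for illustration.

```python
import struct

FDT_MAGIC, BEGIN_NODE, END_NODE, PROP, NOP, END = 0xD00DFEED, 1, 2, 3, 4, 9

def root_compatible(dtb):
    """Return the root node's `compatible` strings from a flattened device tree."""
    if len(dtb) < 40 or struct.unpack_from(">I", dtb, 0)[0] != FDT_MAGIC:
        raise ValueError("not a flattened device tree")
    off_struct, off_strings = struct.unpack_from(">II", dtb, 8)
    pos, depth = off_struct, 0
    while True:
        (token,) = struct.unpack_from(">I", dtb, pos)
        pos += 4
        if token == BEGIN_NODE:            # node name: NUL-terminated, padded to 4
            pos = (dtb.index(b"\0", pos) + 4) & ~3
            depth += 1
        elif token == END_NODE:
            depth -= 1
        elif token == PROP:                # u32 length, u32 name offset, then value
            length, nameoff = struct.unpack_from(">II", dtb, pos)
            pos += 8
            start = off_strings + nameoff
            if depth == 1 and dtb[start:dtb.index(b"\0", start)] == b"compatible":
                return [s.decode() for s in dtb[pos:pos + length].split(b"\0") if s]
            pos = (pos + length + 3) & ~3  # property values are padded to 4 bytes
        elif token != NOP:                 # END or unknown token: nothing found
            return []

def select_dtb(firmware_dtb, candidates):
    """Name of the candidate whose first compatible equals the firmware's, else None."""
    fw = root_compatible(firmware_dtb)
    for name, blob in candidates.items():
        if fw and root_compatible(blob)[:1] == fw[:1]:
            return name
    return None

def make_dtb(compatible):
    """Build a minimal DTB (constructed test data) with only a root `compatible`."""
    value = b"".join(s.encode() + b"\0" for s in compatible)
    blk = (struct.pack(">II", BEGIN_NODE, 0) + struct.pack(">III", PROP, len(value), 0)
           + value.ljust((len(value) + 3) & ~3, b"\0") + struct.pack(">II", END_NODE, END))
    strings = b"compatible\0"
    header = struct.pack(">10I", FDT_MAGIC, 56 + len(blk) + len(strings), 56,
                         56 + len(blk), 40, 17, 16, 0, len(strings), len(blk))
    return header + b"\0" * 16 + blk + strings   # 16 bytes: empty reservation map

# Constructed samples: the DT embedded in U-Boot and the DTBs shipped in a UKI.
UBOOT_DTB = make_dtb(["vendor,board-a", "vendor,soc"])
UKI_DTBS = {n + ".dtb": make_dtb(["vendor," + n, "vendor,soc"]) for n in ("board-b", "board-a")}
```

A firmware blob whose first `compatible` entry matches none of the candidates yields `None`, which is the mismatch the note above warns about.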