Boot ROM


The boot ROM is a type of ROM used for booting a computer system. [1] There are two types: a mask boot ROM, which cannot be changed after manufacture, and a boot EEPROM, which can be reprogrammed and may contain a UEFI implementation.


Purpose

Upon power up, hardware usually starts uninitialized. To continue booting, the system may need to read a bootloader from some peripheral device. It is often easier to implement routines for reading from external storage devices in software than in hardware. A boot ROM provides a place to store this initial loading code, at a fixed location immediately available to the processor when execution starts.

Operation

The boot ROM is mapped into memory at a fixed location, and the processor is designed to start executing from this location after reset. Usually, it is placed on the same die as the CPU, but it can also be an external ROM chip, as is common in older systems.

The boot ROM will then initialize the hardware busses and peripherals needed to boot. In some cases the boot ROM is capable of initializing RAM, and in other cases it is up to the bootloader to do that.

At the end of the hardware initialization, the boot ROM will try to load a bootloader from external peripheral(s) (like an eMMC, a microSD card, an external EEPROM, and so on) or through specific protocol(s) on a bus for data transmission (like USB, UART, etc.).

In many systems on a chip, the peripherals or buses from which the boot ROM tries to load the bootloader (eMMC for an embedded bootloader, an external EEPROM for a UEFI implementation, and so on), and the order in which they are tried, can be configured. This configuration is done either by blowing electronic fuses (eFuses) inside the system on a chip to encode the information, or by strapping specific pins of the system on a chip high or low with jumpers.

Some boot ROMs verify the digital signature of the bootloader and refuse to run it, halting the boot, if the signature is invalid or was not made with an authorized key. In some boot ROMs the hash of the public key needed to verify signatures is encoded in eFuses inside the system on a chip. Other boot ROMs support a small public key infrastructure: the fuses instead hold the hash of a certificate authority (CA) public key, and the boot ROM checks that the key which signed the bootloader is itself signed by that CA key (whose hash is in the fuses) before using it to verify the bootloader. [2] [3]
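The two variants described above, as an added example (not a real boot ROM's code or any vendor's format): fuses are modelled as a 32-byte hash held in a variable, the image is a dict standing in for a real image layout, and the signatures are textbook RSA over SHA-256 with deterministic 512-bit keys, chosen only to keep the example self-contained and fast. The key-hash-in-fuses step is the security-relevant one: the image carries its own public key, so a ROM that skipped the hash comparison would accept anything signed by any key.

```python
# Added example: toy model of a boot ROM's secure-boot check, with the
# authorized key hash "burned" into fuses (modelled as a 32-byte variable).
# Textbook RSA over SHA-256 with no padding; illustration only, not a real ROM.
import hashlib
import random

_rng = random.Random(0xB007)  # fixed seed so the constructed keys are reproducible

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for a demo, not for production key generation."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def keygen(bits=512):
    """Return ((e, n), (d, n)); 512 bits keeps the demo fast, real ROMs use far more."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    d, n = priv
    return pow(_digest_int(data), d, n)

def verify(pub, data, sig):
    e, n = pub
    return pow(sig, e, n) == _digest_int(data)

def key_bytes(pub):
    e, n = pub
    return e.to_bytes(4, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def key_hash(pub):
    """What the fuses hold: SHA-256 of the serialised public key, not the key itself."""
    return hashlib.sha256(key_bytes(pub)).digest()

def rom_check_direct(fused_hash, image):
    """Mode 1: fuses hold the hash of the signing key. The image carries its own
    public key, so the ROM must bind that key to the fuses before trusting it."""
    if key_hash(image["pubkey"]) != fused_hash:
        return "reject: public key does not match fused hash"
    if not verify(image["pubkey"], image["code"], image["sig"]):
        return "reject: bootloader signature invalid"
    return "ok"

def rom_check_pki(fused_hash, image):
    """Mode 2: fuses hold the hash of the CA key. The image also carries the CA
    key and the CA's signature over the bootloader signing key."""
    ca = image["ca_pubkey"]
    if key_hash(ca) != fused_hash:
        return "reject: CA key does not match fused hash"
    if not verify(ca, key_bytes(image["pubkey"]), image["cert_sig"]):
        return "reject: bootloader key not signed by CA"
    if not verify(image["pubkey"], image["code"], image["sig"]):
        return "reject: bootloader signature invalid"
    return "ok"

def demo():
    """Run both modes over a constructed bootloader blob and constructed keys."""
    code = b"\x00\x50\x00\x20\x01\x01\x00\x08" + b"BOOTLOADER" * 8   # constructed payload
    vendor_pub, vendor_priv = keygen()
    ca_pub, ca_priv = keygen()
    rogue_pub, rogue_priv = keygen()                                  # never authorised
    good = {"code": code, "pubkey": vendor_pub, "sig": sign(vendor_priv, code)}
    tampered = dict(good, code=code[:-1] + b"!")                      # one byte changed
    rogue = {"code": code, "pubkey": rogue_pub, "sig": sign(rogue_priv, code)}
    cert = sign(ca_priv, key_bytes(vendor_pub))                       # CA signs vendor key
    return {
        "direct_ok": rom_check_direct(key_hash(vendor_pub), good),
        "direct_tampered": rom_check_direct(key_hash(vendor_pub), tampered),
        "direct_rogue_key": rom_check_direct(key_hash(vendor_pub), rogue),
        "pki_ok": rom_check_pki(key_hash(ca_pub), dict(good, ca_pubkey=ca_pub, cert_sig=cert)),
        "pki_rogue_key": rom_check_pki(key_hash(ca_pub), dict(rogue, ca_pubkey=ca_pub, cert_sig=cert)),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

Running it shows the three rejection paths a real ROM has to get right in this order: the key (or CA key) hash comparison against the fuses, the certificate check in the PKI variant, and only then the signature over the code. A real implementation would use a padded signature scheme and a constant-time compare for the hash.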

That feature can be used to implement security features, or as a hardware root of trust anchoring a chain of trust, but once configured, users can no longer replace the bootloader with one of their own choosing. Because of this the feature has raised strong concerns from the free software community. [4]

Just before jumping to the bootloader, some systems on a chip unmap the boot ROM from memory, while others leave it mapped, making it possible to dump the boot ROM for later analysis. [3] If the boot ROM remains visible, bootloaders can also call routines in it (which are sometimes documented).

Suspend to RAM

When a system on a chip enters suspend-to-RAM, in many cases the processor is powered off entirely while the RAM is put into self-refresh. On resume the boot ROM runs again; many boot ROMs can detect that the system on a chip was suspended to RAM and resume by jumping directly to the kernel, which then powers the peripherals back on and restores the state the computer was in before.

Specific implementations

Allwinner

On many Allwinner systems on a chip (A10, A20, A64), the boot ROM either waits for a bootloader to be loaded over USB (if a specific pin is high) or tries to boot from several peripherals in a fixed order. [5]

Some Allwinner systems on a chip can verify the signature of the bootloader, [6] but most devices shipped are not configured for it. This has allowed free and open-source bootloaders such as U-Boot to add support for many Allwinner systems on a chip and the devices using them. [7]

Apple

On iOS devices, the boot ROM is called "SecureROM". It is a stripped-down version of iBoot and provides a Device Firmware Upgrade (DFU) mechanism that can be activated with a special key combination. [8]

NXP

The boot ROMs of NXP systems on a chip support selecting the boot peripheral through specific pins of the system on a chip. On the i.MX6 family the boot configuration can also be set through eFuses.

The boot ROMs of several NXP systems on a chip have many ways to load the first-stage bootloader (from eMMC, microSD, USB, etc.).

Several NXP systems on a chip can be configured to verify the signature of the bootloader. Many devices with such systems on a chip were sold without that verification configured, and on those devices users can install the bootloader they want, including free and open-source bootloaders such as Das U-Boot [9] and Barebox.

Texas Instruments

The boot ROMs of several Texas Instruments systems on a chip support selecting the boot peripheral through specific pins of the system on a chip.

The boot ROMs of several Texas Instruments systems on a chip have many ways to load the first-stage bootloader (called MLO in the reference manuals):

On the OMAP36xx system on a chip, the boot ROM looks for the first-stage bootloader at byte offsets 0x0 and 0x20000 (128 KiB) of the card, [10] and on the AM3358 system on a chip [11] it additionally looks at 0x40000 (256 KiB) and 0x60000 (384 KiB). In both cases the maximum size is 128 KiB, because the first-stage bootloader is loaded into SRAM inside the system on a chip.
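The probe order and size limit above, as an added example that is not TI or U-Boot code: it scans a raw card dump at the offsets the two ROMs try and rejects anything that would not fit in the 128 KiB of SRAM. The candidate layout is an assumption not stated on this page: the raw format that U-Boot's `mkimage -T omapimage` writes, a 512-byte configuration header followed by an 8-byte GP header (little-endian size and load address) and the payload; the load address used is a placeholder, and the dump is constructed.

```python
# Added example, not TI or U-Boot code: scan a raw SD/eMMC dump for first-stage
# bootloader (MLO) candidates at the offsets the boot ROM probes, in probe order.
# Assumed layout (not stated on this page): each candidate is in the raw format
# U-Boot's `mkimage -T omapimage` writes, i.e. a 512-byte configuration header,
# then an 8-byte GP header (little-endian size and load address), then the payload.
import struct

SRAM_LIMIT = 128 * 1024          # maximum first-stage size from the reference manuals
ROM_SLOTS = {                    # byte offsets probed, from the reference manuals
    "omap36xx": (0x0, 0x20000),
    "am3358": (0x0, 0x20000, 0x40000, 0x60000),
}
CH_SIZE, GP_HDR_SIZE = 0x200, 8  # assumed omapimage layout

def parse_slot(dump, off):
    """Return (size, load_addr, payload) for the candidate at `off`, or None if the
    slot is blank, truncated, or too large for the on-chip SRAM the ROM loads into."""
    hdr_at = off + CH_SIZE
    if len(dump) < hdr_at + GP_HDR_SIZE:
        return None
    size, load = struct.unpack_from("<II", dump, hdr_at)
    if size == 0 or size == 0xFFFFFFFF:
        return None                      # zero-filled card or erased flash
    if CH_SIZE + GP_HDR_SIZE + size > SRAM_LIMIT:
        return None                      # would not fit in 128 KiB of SRAM
    payload = dump[hdr_at + GP_HDR_SIZE : hdr_at + GP_HDR_SIZE + size]
    if len(payload) != size:
        return None                      # dump ends before the image does
    return size, load, bytes(payload)

def find_mlo(dump, soc):
    """Mimic the ROM: try the slots in order and take the first plausible one."""
    for off in ROM_SLOTS[soc]:
        found = parse_slot(dump, off)
        if found is not None:
            return off, found
    return None

def build_mlo(payload, load_addr=0x40300000):
    """Constructed image in the assumed layout; load_addr is a placeholder value."""
    return b"\x00" * CH_SIZE + struct.pack("<II", len(payload), load_addr) + payload

def demo():
    """Constructed 512 KiB erased card: an oversize image in slot 0 (whose payload
    spills across slot 0x20000, so that slot fails the size check too) and a valid
    256-byte image in the third AM3358 slot, which the OMAP36xx ROM never probes."""
    dump = bytearray(b"\xff" * 0x80000)
    oversize = build_mlo(b"A" * SRAM_LIMIT)           # headers + 128 KiB payload: too big
    dump[0:len(oversize)] = oversize
    small = build_mlo(b"\xde\xad\xbe\xef" * 64)
    dump[0x40000:0x40000 + len(small)] = small
    return {"am3358": find_mlo(dump, "am3358"), "omap36xx": find_mlo(dump, "omap36xx")}
```

The same dump boots on an AM3358 board and not on an OMAP36xx one, which is the practical consequence of the extra slots: a recovery image placed at 0x40000 is invisible to the older ROM.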

The OMAP and AM335x systems on a chip can be configured to verify the signature of the bootloader. Many devices with such systems on a chip were sold without verification configured, and on those devices users can install the bootloader they want, including free and open-source bootloaders such as Das U-Boot, [12] Coreboot [13] and Barebox.

STMicro STM32

STMicro STM32 family microcontrollers have a built-in on-chip ROM (also referred to as the "built-in bootloader" or system memory bootloader) [14] to allow flashing an empty part. Certain pin combinations (the BOOT pins), option bytes on some parts, and on some parts an empty-flash check force the chip to boot from this ROM instead of the firmware in main flash. This lets blank chips be programmed without a hardware programming interface. Technically this ROM is stored in a dedicated area of the flash array programmed by STMicro during production. Most STM32 microcontrollers can at least be flashed over UART; some support USB, and some offer other interfaces such as I2C, SPI or CAN.

The Cortex-M core fetches its initial stack pointer from address 0x00000000 and its initial program counter (reset vector) from 0x00000004. Pins and/or option bytes determine which memory is aliased at these addresses: the built-in boot ROM is one option, the main firmware in flash another. When main flash is aliased there, the user firmware must do everything a boot ROM would, and part of it can act as a bootloader similar to ST's. Hardware write protection on that boot area can then turn it into a user-provided version of a boot ROM.
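A user-written bootloader of the kind just described has to decide whether the application image behind it is safe to jump to, and the two vector-table words the core fetches from 0x00000000 and 0x00000004 are what it checks. This added example (not ST's code) performs that check on constructed images; the memory map is an assumption for an STM32F1-class part (128 KiB main flash at 0x08000000, 20 KiB SRAM at 0x20000000, a 16 KiB bootloader ahead of the application) and must be adjusted for the real device.

```python
# Added example, not ST code: the sanity check a user-written bootloader (the
# "user-provided boot ROM" described above) can run on an application image before
# jumping to it, using the two words the core fetches from 0x00000000 (initial SP)
# and 0x00000004 (reset vector). Assumed memory map of an STM32F1-class part:
# 128 KiB main flash at 0x08000000, 20 KiB SRAM at 0x20000000, and a 16 KiB
# bootloader ahead of the application; adjust all three for the real part.
import struct

FLASH_BASE, FLASH_SIZE = 0x08000000, 128 * 1024
SRAM_BASE, SRAM_SIZE = 0x20000000, 20 * 1024
APP_OFFSET = 0x4000

def check_vector_table(image, app_base=FLASH_BASE + APP_OFFSET):
    """Return (ok, reason) for an application binary that will sit at app_base."""
    if len(image) < 8:
        return False, "image shorter than the two mandatory vector entries"
    sp, reset = struct.unpack_from("<II", image, 0)
    # The initial SP must point into SRAM (top of SRAM is typical) and be 8-byte aligned;
    # erased flash reads as 0xFFFFFFFF here, which is why an empty part is easy to spot.
    if not (SRAM_BASE < sp <= SRAM_BASE + SRAM_SIZE) or sp % 8:
        return False, f"initial SP 0x{sp:08x} not in SRAM or misaligned"
    # Cortex-M runs Thumb code only, so bit 0 of the reset vector must be set.
    if not reset & 1:
        return False, f"reset vector 0x{reset:08x} lacks the Thumb bit"
    entry = reset & ~1
    if not (app_base <= entry < app_base + len(image)):
        return False, f"reset handler 0x{entry:08x} lies outside the image"
    if app_base + len(image) > FLASH_BASE + FLASH_SIZE:
        return False, "image overruns main flash"
    return True, "ok"

def make_image(sp, reset, size=1024):
    """Constructed test image: vector table followed by zero filler."""
    return struct.pack("<II", sp, reset) + b"\x00" * (size - 8)

def demo():
    """Constructed images: one good one and four that a bootloader must refuse."""
    app_base = FLASH_BASE + APP_OFFSET
    top_of_sram = SRAM_BASE + SRAM_SIZE
    cases = {
        "good": make_image(top_of_sram, (app_base + 0x100) | 1),
        "erased_flash": b"\xff" * 1024,                  # what an unprogrammed part looks like
        "arm_mode_entry": make_image(top_of_sram, app_base + 0x100),
        "entry_outside": make_image(top_of_sram, (app_base + 0x10000) | 1),
        "sp_in_flash": make_image(app_base, (app_base + 0x100) | 1),
    }
    return {name: check_vector_table(img, app_base) for name, img in cases.items()}
```

The erased-flash case is the same condition ST's ROM uses on parts with an empty-flash check: an all-0xFF first word can never be a valid stack pointer, so the bootloader stays in its own update path instead of jumping into nothing.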

Security

Apple

On devices running iOS, boot ROM exploits (such as limera1n and checkm8) are sometimes used for iOS jailbreaking. Their advantage over exploits that target iOS itself is that, since the boot ROM cannot be modified and iOS devices have no fuses that could append code to the boot ROM, Apple cannot fix the vulnerability on existing devices.

Nvidia Tegra

The boot ROM of Nvidia's Tegra SoC (used by the Nintendo Switch) contained a vulnerability, disclosed as Fusée Gelée, that makes it possible for users to run the bootloader they want. [15] [16]


References

  1. Bin, Niu; Dejian, Li; Zhangjian, Lu; Lixin, Yang; Zhihua, Bai; Longlong, He; Sheng, Liu (August 2020). "Research and design of Bootrom supporting secure boot mode". 2020 International Symposium on Computer Engineering and Intelligent Communications (ISCEIC). pp. 5–8. doi:10.1109/ISCEIC51027.2020.00009. ISBN 978-1-7281-8171-4. S2CID 231714880.
  2. Secure boot (Mk II)
  3. Emulating Exynos 4210 BootROM in QEMU, 7 March 2018
  4. Single-board computers
  5. BROM, linux-sunxi wiki
  6. SID Register Guide, linux-sunxi wiki
  7. U-Boot, linux-sunxi wiki
  8. Todesco, Luca. "The One Weird Trick SecureROM Hates" (PDF). Archived (PDF) from the original on 2019-11-08.
  9. imx6.txt
  10. OMAP36xx reference manual (swpu177aa.pdf), section 26.4.7.6 MMC/SD Cards
  11. AM3358 reference manual (spruh73p.pdf), section 26.1.8.5 MMC/SD Cards
  12. README.omap3
  13. Beaglebone Black
  14. AN2606 application note (PDF)
  15. "Hackers find an 'unpatchable' way to breach the Nintendo Switch". Engadget. Archived from the original on 2020-11-09. Retrieved 2021-09-30.
  16. Vulnerability Disclosure: Fusée Gelée, 28 October 2021