[sonic-installer] Add dedicated SONiC-BMC U-Boot bootloader #4602
Open
william8545 wants to merge 6 commits into
SONiC-BMC runs U-Boot with a fixed two-slot ASPEED environment that the shared UbootBootloader mishandles. Add BmcUbootBootloader: Aboot-style boot contract (set-default wins, boot_once one-shot), exact slot match, per-slot FIPS, and platforms_asic verification. Detect via is_bmc() and guard UbootBootloader.detect() to exclude BMC.
Signed-off-by: William Tsai <willtsai@nvidia.com>

…te set-fips echo
Make BmcUbootBootloader the first entry in BOOTLOADERS so a BMC is never preempted by an accidental/stale /host/grub/grub.cfg. This is safe because BmcUbootBootloader.detect() is is_bmc(), which is False on every non-BMC platform, so probing it first cannot mis-select on non-BMC systems. Drop the duplicate 'Done' echo in set_fips(); the CLI already prints the user-facing success message. Add a regression test asserting BMC wins when both BMC and GRUB detectors return true.
Signed-off-by: William Tsai <willtsai@nvidia.com>

…m; add tests
verify_image_platform() returned True whenever the tar extraction of installer/platforms_asic failed, so a malformed/non-tar payload or one missing the manifest silently passed platform validation. Key the result on grep (p3) instead: compatible only when the running platform is explicitly listed. This fails closed on malformed/missing manifests while still accepting an early grep match where tar is then SIGPIPE'd (which would wrongly fail if keyed on tar's return code). Add unit tests for verify_image_platform (match / mismatch / fail-closed / SIGPIPE-match / non-file), fw_printenv read-failure handling, get_installed_images empty-slot skipping, and the only-populated-slot remove guard.
Signed-off-by: William Tsai <willtsai@nvidia.com>

…mment
Signed-off-by: William Tsai <willtsai@nvidia.com>

…-boot
Signed-off-by: William Tsai <willtsai@nvidia.com>
Collaborator
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
…fy flake8 E501
The single-line 'return ... or ... or ...' in get_next_image() was 128 characters, exceeding the 120-char limit enforced by the pre-commit flake8 check (Pretest Static Analysis). Wrap it across lines; behavior is unchanged.
Signed-off-by: William Tsai <willtsai@nvidia.com>
Collaborator
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
oleksandrivantsiv approved these changes Jun 11, 2026
This was referenced Jun 11, 2026
Address issue - #4548
What I did
Added a dedicated BmcUbootBootloader so sonic-installer manages SONiC-BMC boot state correctly. SONiC-BMC platforms (ASPEED AST2700) run U-Boot with a two-slot environment, which the generic UbootBootloader does not model — on a BMC it previously fell through to that generic handler and operated on the wrong environment variables.

Specifically:
- sonic_installer/bootloader/bmc_uboot.py (BmcUbootBootloader, NAME = 'bmc-uboot'), selected via utilities_common.chassis.is_bmc().
- BOOTLOADERS so a stray /host/grub/grub.cfg cannot preempt it, and guarded UbootBootloader.detect() to exclude BMC.
- list, set-default, set-next-boot, install, remove, cleanup, verify-next-image, set-fips/get-fips, binary-version, plus a BMC-specific verify_image_platform (fails closed).
- tests/installer_bootloader_bmc_uboot_test.py (12 tests).

No change to sonic_installer/main.py — the work is confined to the bootloader plugin and its test.

How I did it
BmcUbootBootloader subclasses OnieInstallerBootloader and models the ASPEED AST2700 two-slot U-Boot environment:

sonic_version_1 | sonic_version_2
run sonic_image_1 | run sonic_image_2
linuxargs | linuxargs_old

Empty slots are written/read as the marker None (also accepts NONE/empty, case-insensitively).
- set-default writes the persistent boot_next and clears the one-shot boot_once; set-next-boot writes only boot_once.
- get_next_image() resolves boot_once first (it wins, matching U-Boot bootcmd), then boot_next, and surfaces an empty/unrecognized selector as a raw string so a broken boot state stays visible rather than being masked.
- install_image() runs the image's own installer (bash <image>, which performs the slot rotation and sets boot_next) and then clears any stale boot_once that would otherwise shadow the new default.
- remove_image() repoints boot_once/boot_next to the surviving slot before clearing the removed slot's version + auxiliary vars and deleting its rootfs; it refuses to remove the only populated slot.
- set-fips/get-fips rewrite the sonic_fips= token in the target slot's linuxargs/linuxargs_old only (per-slot isolation).
- verify_image_platform() mirrors the GRUB approach — extracts installer/platforms_asic from the image and matches the running device_info.get_platform() with grep -Fxq (whole-line). It fails closed: compatible only when grep matches, so a malformed/manifest-less payload is rejected rather than silently accepted.

How to verify it
On a SONiC-BMC (ASPEED AST2700) board, the dedicated bootloader is auto-selected and the full command surface was exercised end-to-end, cross-checking the U-Boot environment (fw_printenv) and, across real reboots, /proc/cmdline:
- sonic-installer list/verify-next-image reflect the two-slot state.
- set-default <img> sets boot_next and clears boot_once; set-next-boot <img> sets a one-shot boot_once that U-Boot consumes on the next reboot and then reverts to boot_next.
- install <bmc.bin> rotates the new image into a slot and boots it after reboot.
- remove/cleanup clear the slot's vars, repoint the boot selectors, and delete the rootfs.
- set-fips/get-fips toggle sonic_fips= in the correct per-slot args.
- verify_image_platform; --skip-platform-check overrides it.

Previous command output (if the output of a command-line utility has changed)
New command output (if the output of a command-line utility has changed)
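
The fail-closed platform check described in the verify_image_platform commit message and under "How I did it" can be illustrated as follows. This is an added example, not code from the pull request: it uses Python's tarfile module instead of the tar | grep pipeline (so the SIGPIPE case is not modelled), assumes the payload is a plain tar archive, and uses constructed platform names and helper names.

```python
import io
import tarfile

MANIFEST = "installer/platforms_asic"  # manifest path named in the PR description


def make_payload(manifest_text=None):
    """Build a constructed tar payload; manifest_text=None omits the manifest."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        files = {"installer/install.sh": "#!/bin/sh\n"}
        if manifest_text is not None:
            files[MANIFEST] = manifest_text
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_manifest(payload):
    """Return the manifest's lines, or None if it cannot be extracted."""
    try:
        with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tf:
            member = tf.extractfile(MANIFEST)  # raises KeyError if absent
            if member is None:                 # present but not a regular file
                return None
            return member.read().decode("utf-8", "replace").split("\n")
    except (tarfile.TarError, KeyError, EOFError, OSError):
        return None


def verify_fail_open(payload, platform):
    """The behaviour the commit message calls the bug: extraction failure passes."""
    lines = read_manifest(payload)
    if lines is None:
        return True
    return platform in lines


def verify_fail_closed(payload, platform):
    """Compatible only when the platform is explicitly listed as a whole line."""
    lines = read_manifest(payload)
    return bool(platform) and lines is not None and platform in lines


# Constructed sample data, not taken from a real image.
PLATFORM = "arm64-example_bmc-r0"
GOOD = make_payload("arm64-other-r0\n" + PLATFORM + "\n")
OTHER = make_payload(PLATFORM + "-variant\n")  # longer name: no whole-line match
NO_MANIFEST = make_payload(None)
MALFORMED = b"not a tar archive"
```
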