Supporting latest Raspbian Distributions

Thanks, Amit. I’ve pulled the latest uberxmhf develop branch. I notice that the tree hasn’t had any commits in the last seven months. Since I last tried this less than seven months ago, and since I was unable to get it working then, I doubt much has changed. I will need your assistance in getting a working hypervisor on my Pi 3.

I’ve pulled the latest uberxmhf develop branch. I notice that the tree hasn’t had any commits in the last seven months
Since I last tried this less than seven months ago, and since I was unable to get it working then, I doubt much has changed.

There have been a few logical code fixes as well as documentation fixes as recently as Jan of this year for the Raspberry PI3 backend for überXMHF üobject collection as evidenced by the tree commit dates within the develop branch. Also cf. here: https://forums.uberspark.org/c/uberxmhf-uobject-collection/features

I will need your assistance in getting a working hypervisor on my Pi 3.

I would encourage you to follow the documentation to try and install the überXMHF üobject collection on the Raspberry Pi 3. We would like to get developers including yourself to be able to do this independently and without much support eventually. Your efforts would help us correct/polish the installation steps and/or documentation in the process. Of course, feel free to ask any questions you may have as you follow the current installation documentation within the relevant forum sections. e.g., https://forums.uberspark.org/c/uberxmhf-uobject-collection

Thanks!

Ah, you are referring to this commit:

I’ll try running it again on Monday. The Pi is in the office. :slight_smile:

A quick review of the referenced change shows that it removes a lot of dead code and adds a new feature to support hashing of data buffers. Also, I don’t see the code being called anywhere. The problem I was seeing last year was that the Pi would fail to boot, or do anything at all really, once I followed the instructions for adding in the hypervisor. The built kernel would work fine on the Pi by itself. The uxmhf would compile just fine. But when the two were combined into an image and loaded as one, just a black screen on Pi boot.

I’ll let you know how it goes on Monday.

I believe the fixes came as part of release v5.0 which also brought some of the protection mechanisms as opt-in features. See https://github.com/uberspark/uberxmhf/releases/tag/v5.0

Hello, Amit. I walked through the entire process again today for building and loading the hypervisor. It still hangs, but I did manage to get something off of the serial port this time. I tried to upload a 1MB image of the failure, as captured from my screen session, but the image uploader says I cannot upload a file larger than 4096KB… I’ll email you the file.

Ok, I am able to post to new threads but not to the existing one anymore, so here is a new thread on the topic.

I am finally able to boot the Pi. The issue turns out to be that the Raspbian I am using updates firmware for the Pi. The newer firmware appears to be incompatible with UXMHF in its current state. No idea what the firmware issue is, we could look into this. However, applying older firmware does allow me to proceed beyond the CPU 1 not detected issue. I am now having a different issue, related to secure boot. It seems that Raspbian has decided it is time to run a filesystem check on /boot, which has triggered a secure boot halt state. The specific snippet of log file follows:

[   18.390959] CPU: 0 PID: 227 Comm: iptables Tainted: G      D         4.4.50-v7+ #3
[   18.390962] Hardware name: BCM2709
[   18.390967] task: b9020000 ti: b91c6000 task.ti: b91c6000
[   18.390985] PC is at netlink_unicast+0xb8/0x258
[   18.390991] LR is at netlink_unicast+0x58/0x258
[   18.390999] pc : [<80507c98>]    lr : [<80507c38>]    psr: 20000013
[   18.390999] sp : b91c7cd0  ip : ba292628  fp : b91c7cfc
[   18.391003] r10: ba268900  r9 : 00000018  r8 : 000000e3
[   18.391009] r7 : ba2e4900  r6 : b91c7cd4  r5 : 00000000  r4 : 02080020
[   18.391014] r3 : 00000000  r2 : 000000e3  r1 : 024000c0  r0 : ba2e4900
[   18.391022] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   18.391029] Control: 10c5383d  Table: 3a28006a  DAC: 00000055
[   18.391034] Process iptables (pid: 227, stack limit = 0xb91c6210)
[   18.391039] Stack: (0xb91c7cd0 to 0xb91c8000)
[   18.391347] [<80507c98>] (netlink_unicast) from [<8050831c>] (netlink_ack+0xc8/0x134)
[   18.391368] [<8050831c>] (netlink_ack) from [<7f085a10>] (nfnetlink_rcv+0x3d8/0x4d0 [nfnetlink])
[   18.391386] [<7f085a10>] (nfnetlink_rcv [nfnetlink]) from [<80507d74>] (netlink_unicast+0x194/0x258)
[   18.391398] [<80507d74>] (netlink_unicast) from [<80508240>] (netlink_sendmsg+0x340/0x354)
[   18.391418] [<80508240>] (netlink_sendmsg) from [<804ba988>] (sock_sendmsg+0x24/0x34)
[   18.391436] [<804ba988>] (sock_sendmsg) from [<804bb070>] (___sys_sendmsg+0x1e0/0x1e8)
[   18.391452] [<804bb070>] (___sys_sendmsg) from [<804bbdc8>] (__sys_sendmsg+0x4c/0x7c)
[   18.391469] [<804bbdc8>] (__sys_sendmsg) from [<804bbe10>] (SyS_sendmsg+0x18/0x1c)
[   18.391488] [<804bbe10>] (SyS_sendmsg) from [<8000fb60>] (ret_fast_syscall+0x0/0x1c)
[   18.391502] Code: ebffff40 e3500001 1a00005c e1a02008 (e5d510f1) 
[   18.391522] ---[ end trace 81ebe52ae8b060a5 ]---
[   18.469364] Unable to handle kernel NULL pointer dereference at virtual address 000000f1
[   18.469371] pgd = b9198000
[   18.469398] [000000f1] *pgd=39070831, *pte=00000000, *ppte=00000000
[   18.469411] Internal error: Oops: 17 [#9] SMP ARM
[   18.469449] Modules linked in: nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack nfnetlink i2c_dev ip_tables x_tables ipv6
[   18.469463] CPU: 0 PID: 231 Comm: iptables-restor Tainted: G      D         4.4.50-v7+ #3
[   18.469467] Hardware name: BCM2709
[   18.469472] task: b9023f40 ti: b9052000 task.ti: b9052000
[   18.469492] PC is at netlink_unicast+0xb8/0x258
[   18.469499] LR is at netlink_unicast+0x58/0x258
[   18.469507] pc : [<80507c98>]    lr : [<80507c38>]    psr: 20000013
[   18.469507] sp : b9053cd0  ip : ba292f28  fp : b9053cfc
[   18.469512] r10: ba2689c0  r9 : 00000018  r8 : 000000e7
[   18.469517] r7 : ba3863c0  r6 : b9053cd4  r5 : 00000000  r4 : 02080020
[   18.469523] r3 : 00000000  r2 : 000000e7  r1 : 024000c0  r0 : ba3863c0
[   18.469532] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   18.469539] Control: 10c5383d  Table: 3919806a  DAC: 00000055
[   18.469544] Process iptables-restor (pid: 231, stack limit = 0xb9052210)
[   18.469549] Stack: (0xb9053cd0 to 0xb9054000)
[   18.469863] [<80507c98>] (netlink_unicast) from [<8050831c>] (netlink_ack+0xc8/0x134)
[   18.469884] [<8050831c>] (netlink_ack) from [<7f085a10>] (nfnetlink_rcv+0x3d8/0x4d0 [nfnetlink])
[   18.469902] [<7f085a10>] (nfnetlink_rcv [nfnetlink]) from [<80507d74>] (netlink_unicast+0x194/0x258)
[   18.469914] [<80507d74>] (netlink_unicast) from [<80508240>] (netlink_sendmsg+0x340/0x354)
[   18.469936] [<80508240>] (netlink_sendmsg) from [<804ba988>] (sock_sendmsg+0x24/0x34)
[   18.469954] [<804ba988>] (sock_sendmsg) from [<804bb070>] (___sys_sendmsg+0x1e0/0x1e8)
[   18.469972] [<804bb070>] (___sys_sendmsg) from [<804bbdc8>] (__sys_sendmsg+0x4c/0x7c)
[   18.469989] [<804bbdc8>] (__sys_sendmsg) from [<804bbe10>] (SyS_sendmsg+0x18/0x1c)
[   18.470010] [<804bbe10>] (SyS_sendmsg) from [<8000fb60>] (ret_fast_syscall+0x0/0x1c)
[   18.470026] Code: ebffff40 e3500001 1a00005c e1a02008 (e5d510f1) 
[   18.470159] ---[ end trace 81ebe52ae8b060a6 ]---
[   24.177413] systemd-journald[129]: Received request to flush runtime journal from PID 1
[  OK  ] Started Show Plymouth Boot Screen.
[  OK  ] Reached target Paths.
[  OK  ] Reached target Local Encrypted Volumes.
[  OK  ] Started Forward Password Requests to Plymouth Directory Watch.
[   26.023099] input: Apple Inc. Apple Keyboard as /devices/platform/soc/3f980000.usb/usb1/1-1/1-1.3/1-1.3.2/1-1.3.2:1.0/0003:05AC:024F.0002/input/input1
[   26.141105] apple 0003:05AC:024F.0002: input,hidraw1: USB HID v1.11 Keyboard [Apple Inc. Apple Keyboard] on usb-3f980000.usb-1.3.2/input0
[   26.246614] input: Apple Inc. Apple Keyboard as /devices/platform/soc/3f980000.usb/usb1/1-1/1-1.3/1-1.3.2/1-1.3.2:1.1/0003:05AC:024F.0003/input/input2
[   26.480157] apple 0003:05AC:024F.0003: input,hidraw2: USB HID v1.11 Device [Apple Inc. Apple Keyboard] on usb-3f980000.usb-1.3.2/input1
[   26.859829] bcm2835-wdt 3f100000.watchdog: Broadcom BCM2835 watchdog timer
[   27.132399] gpiomem-bcm2835 3f200000.gpiomem: Initialised: Registers at 0x3f200000
[  OK  ] Found device /dev/ttyS0.
[  OK  ] Found device /dev/disk/by-partuuid/093bedcc-01.
[   27.934558] usbcore: registered new interface driver brcmfmac
[   28.261170] brcmfmac: brcmf_c_preinit_dcmds: Firmware version = wl0: Oct 23 2017 03:55:53 version 7.45.98.38 (r674442 CY) FWID 01-e58d219f
         Starting File System Check on /dev/disk/by-partuuid/093bedcc-01...
[   28.382700] brcmfmac: brcmf_cfg80211_reg_notifier: not a ISO3166 code
[  OK  ] Started File System Check on /dev/disk/by-partuuid/093bedcc-01.
         Mounting /boot...
secboot_handle_sdhost_access: cmdop=24(0x00000018), SDCMD=0x00008098; arg=8192. Halting!

As you can see, the filesystem check is logged moments before the halt. Having read the secure boot code before, I recognize this as the expected behavior of the secure boot code, which is that ANY accesses to /boot are not tolerated, even when it makes sense as it does here. The OS is compelled to check the filesystem after so many mounts. I think I may be able to work around this by forcing a filesystem check outside of raspbian, by running the check from my development host. I’ll update this with my findings.

Success! I had to explicitly define /boot as read-only in /etc/fstab. After doing this, I am able to successfully boot the Pi.

         Starting Check for v3d driver...
         Starting Check for Raspberry Pi EEPROM updates...
         Starting LSB: Switch to ondemand cpu governor (unless shift key is pressed)...
[  OK  ] Started D-Bus System Message Bus.
         Starting WPA supplicant...
         Starting Login Service...
[  OK  ] Started triggerhappy global hotkey daemon.
[  OK  ] Started System Logging Service.
[  OK  ] Started rng-tools.service.
[  OK  ] Started dhcpcd on all interfaces.
[  OK  ] Started Check for v3d driver.
[  OK  ] Started Check for Raspberry Pi EEPROM updates.
         Starting Authorization Manager...
         Starting Load/Save RF Kill Switch Status...
[   36.537111] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[   36.537124] brcmfmac: power management disabled
[  OK  ] Started WPA supplicant.
[  OK  ] Started Login Service.
[   37.024430] Adding 102396k swap on /var/swap.  Priority:-1 extents:1 across:102396k SSFS
[   37.038890] cfg80211: Regulatory domain changed to country: US
[   37.038904] cfg80211:  DFS Master region: FCC
[   37.038904] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   37.038921] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 3000 mBm), (N/A)
[   37.038933] cfg80211:   (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2300 mBm), (N/A)
[   37.038942] cfg80211:   (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (N/A, 2300 mBm), (0 s)
[   37.038949] cfg80211:   (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2300 mBm), (0 s)
[   37.038956] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 3000 mBm), (N/A)
[   37.038963] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
[   37.624047] smsc95xx 1-1.1:1.0 eth0: hardware isn't capable of remote wakeup
[  OK  ] Reached target Network.
         Starting OpenBSD Secure Shell server...
[   37.734679] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
         Starting Permit User Sessions...
[   38.001714] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
         Starting /etc/rc.local Compatibility...
         Starting Fail2Ban Service...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started LSB: Switch to ondemand cpu governor (unless shift key is pressed).
[  OK  ] Started dphys-swapfile - set up, mount/unmount, and delete a swap file.
[  OK  ] Started Permit User Sessions.
[  OK  ] Started /etc/rc.local Compatibility.
[  OK  ] Started Fail2Ban Service.
[  OK  ] Started Authorization Manager.
         Starting Hold until boot process finishes up...
         Starting Light Display Manager...
[  OK  ] Started OpenBSD Secure Shell server.

Raspbian GNU/Linux 10 raspberrypi ttyS0

raspberrypi login: pi
Password: 
Last login: Mon Mar  9 14:39:30 EDT 2020 on tty1
Linux raspberrypi 4.4.50-v7+ #3 SMP Wed Jun 27 21:25:26 EDT 2018 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
[   63.249154] fuse init (API version 7.23)
  `.::///+:/-.        --///+//-:``    pi@raspberrypi 
 `+oooooooooooo:   `+oooooooooooo:    -------------- 
  /oooo++//ooooo:  ooooo+//+ooooo.    OS: Raspbian GNU/Linux 10 (buster) armv7l 
  `+ooooooo:-:oo-  +o+::/ooooooo:     Host: Raspberry Pi 3 Model B Rev 1.2 
   `:oooooooo+``    `.oooooooo+-      Kernel: 4.4.50-v7+ 
     `:++ooo/.        :+ooo+/.`       Uptime: 1 min 
        ...`  `.----.` ``..           Packages: 1990 (dpkg) 
     .::::-``:::::::::.`-:::-`        Shell: fish 3.0.2 
    -:::-`   .:::::::-`  `-:::-       Terminal: /dev/ttyS0 
   `::.  `.--.`  `` `.---.``.::`      CPU: BCM2709 (1) @ 1.200GHz 
       .::::::::`  -::::::::` `       Memory: 81MiB / 929MiB 
 .::` .:::::::::- `::::::::::``::.
-:::` ::::::::::.  ::::::::::.`:::-                           
::::  -::::::::.   `-::::::::  ::::
-::-   .-:::-.``....``.-::-.   -::-
 .. ``       .::::::::.     `..`..
   -:::-`   -::::::::::`  .:::::`
   :::::::` -::::::::::` :::::::.
   .:::::::  -::::::::. ::::::::
    `-:::::`   ..--.`   ::::::.
      `...`  `...--..`  `...`
            .::::::::::
             `.-::::-`

The mind is its own place, and in itself
Can make a Heav'n of Hell, a Hell of Heav'n.
                -- John Milton
 I  ~  ping www.google.com                     Tue 10 Mar 2020 01:11:00 PM EDT
PING www.google.com (172.217.164.132) 56(84) bytes of data.
64 bytes from iad30s24-in-f4.1e100.net (172.217.164.132): icmp_seq=1 ttl=50 time=32.1 ms
64 bytes from iad30s24-in-f4.1e100.net (172.217.164.132): icmp_seq=2 ttl=50 time=36.1 ms
64 bytes from iad30s24-in-f4.1e100.net (172.217.164.132): icmp_seq=3 ttl=50 time=35.7 ms
^C
--- www.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 32.144/34.650/36.082/1.778 ms
 I  ~                                   5.3s  Tue 10 Mar 2020 01:11:15 PM EDT

Using the boot files from Dio’s Pi, I have been able to build my own 4.4.50 Raspbian kernel, build the hypervisor, and deploy/boot from it. Along the way, I discovered:

  • The hypervisor will only boot with old Raspbian firmware in /boot
  • The hypervisor will only boot with Raspbian kernel 4.4.50
  • The hypervisor will fail secure boot if /boot is not made read-only at mount time in /etc/fstab

Aside from these issues, you may use the latest Raspbian image, but will have to remove/replace all files in /boot with a working /boot package from a version of Raspbian that is about four years old.

One more discovery so far, apparently I no longer have control over iptables firewall rules. Any attempt to view iptables rules causes crashes in the tooling. (SIGSEGV)
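The halt line and the `/etc/fstab` fix reported above, as an added example that is not part of any post in this thread and not überXMHF code: it reports whether an fstab mounts `/boot` read-only and decodes the `secboot_handle_sdhost_access` halt line from a captured serial log (SD command indices 24 and 25 are WRITE_BLOCK and WRITE_MULTIPLE_BLOCK in the SD specification). The function names are hypothetical and the fstab contents are constructed samples; only the halt line is copied from the log in the thread.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample files are constructed.

# Print "ro", "rw" or "missing" for the /boot entry of the given fstab file.
boot_mount_mode() {
    awk '
        /^[ \t]*#/ { next }                 # skip comment lines
        NF < 4     { next }                 # skip blank or short lines
        $2 == "/boot" {
            found = 1
            mode = "rw"                     # mount default when neither is given
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {      # as with mount, the last one wins
                if (opt[i] == "ro") mode = "ro"
                if (opt[i] == "rw") mode = "rw"
            }
        }
        END { print (found ? mode : "missing") }
    ' "$1"
}

# Print one line per secboot halt: "<cmd index> <SD command name> <arg>".
secboot_halts() {
    sed -n 's/.*secboot_handle_sdhost_access: cmdop=\([0-9]*\)(0x[0-9a-fA-F]*), SDCMD=0x[0-9a-fA-F]*; arg=\([0-9]*\)\. Halting!.*/\1 \2/p' "$1" |
    while read -r cmd arg; do
        case "$cmd" in
            24) name=WRITE_BLOCK ;;            # single-block write
            25) name=WRITE_MULTIPLE_BLOCK ;;   # multi-block write
            *)  name=UNKNOWN ;;
        esac
        echo "$cmd $name $arg"
    done
}

# Constructed sample inputs, removed again when the script exits.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# /boot mounted with defaults, i.e. read-write (the failing setup).
cat > "$tmp/fstab.before" <<'EOF'
proc                  /proc  proc  defaults          0  0
PARTUUID=093bedcc-01  /boot  vfat  defaults          0  2
PARTUUID=093bedcc-02  /      ext4  defaults,noatime  0  1
EOF

# /boot explicitly read-only (the setup that booted).
cat > "$tmp/fstab.after" <<'EOF'
proc                  /proc  proc  defaults          0  0
PARTUUID=093bedcc-01  /boot  vfat  defaults,ro       0  2
PARTUUID=093bedcc-02  /      ext4  defaults,noatime  0  1
EOF

# Tail of the serial capture; the halt line is the one posted in the thread.
cat > "$tmp/serial.log" <<'EOF'
         Mounting /boot...
secboot_handle_sdhost_access: cmdop=24(0x00000018), SDCMD=0x00008098; arg=8192. Halting!
EOF

echo "fstab.before: /boot is $(boot_mount_mode "$tmp/fstab.before")"
echo "fstab.after:  /boot is $(boot_mount_mode "$tmp/fstab.after")"
secboot_halts "$tmp/serial.log"
```

Running `boot_mount_mode /etc/fstab` on the Pi's root filesystem from the development host, before the first boot, gives the same answer without touching the SD card's boot partition.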

Thanks David,

This is very useful stuff!

I am traveling at the moment, but have consolidated all related discussion under this thread.
Just a few quick clarifications in an attempt to summarize your findings:

  • Which branch/HEAD are you using for your tests?
  • What are your build configure options? It does seem like you are using --enable-secboot from your description
  • Which Raspbian image/distribution are you using for your tests?
  • Which Raspbian image/distribution did you use to replace files in the /boot partition for a successful boot?

Hello, Amit. I am using branch rpi-4.4.y from the Raspbian kernel tree. I have checked in my configuration for my build, but basically it’s the default config for the bcm2709, with a couple of changes to support a loadable UART module for the PL011. No other changes. I am actually using the latest full binary of Raspbian, dated February 2020. The files on /boot come from Dio’s working image file, some four years old it seems. After copying over his boot files, which include the older firmware .dat and .elf files, I am able to build my own hypervisor using the documented procedure and place my built modules at /lib/modules and the rpi image at /boot. It just works after that. :wink:

I just went back and looked at your build guide, and no, I am not using the option --enable-secboot flag during configure. It must be the default?

Thanks for the details David.

Which branch/HEAD are you using for your tests?

I actually meant which branch/HEAD are you using from the uberspark/uberxmhf.git repository.

I am not using the option --enable-secboot flag during configure. It must be the default?

This should not be the default on the current develop/HEAD branch of uberspark/uberxmhf.git