Overview

A bootloader is a vendor-proprietary image responsible for bringing up the kernel on a device. It guards the device state and is responsible for initializing the Trusted Execution Environment and binding its root of trust. The bootloader also verifies the integrity of the boot and recovery partitions before moving execution to the kernel, and displays boot state warnings.

Boot operations

To start boot, the bootloader may directly flash a new image into an appropriate partition or use recovery to start the reflashing process used for an over-the-air (OTA) update. Some device manufacturers create multipart bootloaders and then combine them into a single bootloader.img file; at flash time, the bootloader extracts and flashes all individual bootloaders.

Example bootloader flow:

  1. The bootloader loads first and initializes memory.

  2. If A/B updates are used, the bootloader determines the current slot to boot.

  3. The bootloader determines if recovery mode should be booted (see Supporting updates).

  4. The bootloader loads the boot image, which contains the kernel and ramdisk images.

  5. The bootloader loads the kernel into memory as a self-executable compressed binary. The kernel then decompresses itself and starts executing in memory.

  6. The bootloader loads init, either from the ramdisk partition (on older devices) or from the system partition (on newer devices).

  7. From the system partition, init launches and mounts all other partitions (such as vendor, oem, and odm), and then starts executing code to start the device.

Kernel command line

Concatenate the kernel command line from the following locations:

  • Bootloader command line: set of static and dynamic parameters determined by the bootloader

  • Device Tree: from the chosen/bootargs node

  • defconfig: from CONFIG_CMDLINE

  • boot.img: from cmdline (for offsets and sizes, refer to system/core/mkbootimg/bootimg.h)

  • A canonical reboot or shutdown reason compliant with the Android Compatibility Definition Document as determined from the power management integrated circuit (PMIC), other hardware resources, and reboot magic arguments (LINUX_REBOOT_CMD_RESTART2) messaging. Syntax is:

    androidboot.bootreason=reason
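
One way to do the concatenation described above without silently truncating the result, as an added example that is not AOSP or vendor bootloader code. The function names, the order of the sources, the 96-byte reason buffer and the rule that the reason holds only printable, non-blank, unquoted characters are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption of this example: the reason is printable with no blanks or quotes,
 * so it cannot split into extra parameters or swallow the ones that follow. */
static int reason_is_safe(const char *r)
{
    size_t i = 0;
    while (r != NULL && isgraph((unsigned char)r[i]) && r[i] != '"')
        i++;
    return r != NULL && i > 0 && r[i] == '\0';
}

/* Append src to the NUL-terminated dst, space separated; -1 if it does not fit. */
static int append_arg(char *dst, size_t cap, const char *src)
{
    if (src == NULL || *src == '\0')
        return 0; /* an absent source contributes nothing */
    size_t used = strlen(dst), len = strlen(src), need = len + (used ? 1 : 0);
    if (need >= cap - used)
        return -1; /* refuse rather than truncate */
    if (used)
        dst[used++] = ' ';
    memcpy(dst + used, src, len + 1);
    return 0;
}

/* src[] holds, in an order this example assumes: bootloader parameters,
 * chosen/bootargs, CONFIG_CMDLINE, boot.img cmdline. NULL means absent. */
int build_cmdline(const char *const src[], size_t nsrc, const char *bootreason, char *out, size_t cap)
{
    char reason[96];
    int n = reason_is_safe(bootreason)
        ? snprintf(reason, sizeof reason, "androidboot.bootreason=%s", bootreason) : -1;
    if (cap == 0)
        return -1;
    out[0] = '\0';
    if (n < 0 || (size_t)n >= sizeof reason)
        return -1;
    int rc = 0;
    for (size_t i = 0; rc == 0 && i < nsrc; i++)
        rc = append_arg(out, cap, src[i]);
    if (rc == 0)
        rc = append_arg(out, cap, reason);
    if (rc != 0)
        out[0] = '\0'; /* never hand the kernel a partial command line */
    return rc;
}
```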
    

Support for device trees and device tree overlays

The bootloader can support different configurations by identifying the device hardware/product revision and then loading the correct set of device tree overlays.

Support for kernel address space layout randomization

To support randomizing the virtual address at which the kernel image is loaded (enabled by the RANDOMIZE_BASE kernel config), the bootloader must provide entropy by passing a random u64 value in the /chosen/kaslr-seed device tree node.

Support for verified boot

For details on using the bootloader to implement verified boot, see Verifying Boot.