Based loosely on the Linux kernel
Documentation/admin-guide/security-bugs.rst file, create a basic
security document for U-Boot. In sum, security issues should be
disclosed in public on the mailing list if at all possible as an initial
position.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The output of the sbi command has been changed since the last release of
the man-page. Update the example.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Fixes a crash during probing of sd card readers without medium present.
Seen with the device below but reported for many other devices.
idVendor 0x0bda Realtek Semiconductor Corp.
idProduct 0x0326 Card reader
bcdDevice 11.24
iManufacturer 1 Realtek
iProduct 2 USB3.0 Card Reader
iSerial 3 201404081410
Link: https://github.com/AsahiLinux/linux/issues/44
Link: https://lists.denx.de/pipermail/u-boot/2022-July/489717.html
Signed-off-by: Janne Grunau <j@jannau.net>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Marek Vasut <marex@denx.de>
Logitech Unifying Receiver 046d:c52b bcdDevice 12.10 seems
sensitive about the first Get Descriptor request. If there
are any other requests in the same microframe, the device
reports bogus data, first of the descriptor parts is not
sent to the host. Wait over one microframe duration before
issuing subsequent requests to avoid probe failure with
this device, since it can be used to connect USB keyboards.
Signed-off-by: Marek Vasut <marex@denx.de>
Tested-by: Janne Grunau <j@jannau.net>
The struct is only used to overlay the MMIO region, so the behavior is
the same. This obsoletes the Kconfig option for the number of ports.
Signed-off-by: Samuel Holland <samuel@sholland.org>
This patch updates Microchip MPFS Icicle Kit support. For now,
add Microchip QSPI driver and a small 4MB reservation is
made at the end of 32-bit DDR to provide some memory for
the HSS to use.
Signed-off-by: Padmarao Begari <padmarao.begari@microchip.com>
Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Rick Chen <rick@andestech.com>
Add QSPI NAND device node to the Microchip PolarFire SoC
Icicle kit device tree.
The Winbond NAND flash memory can be connected to the
Icicle Kit by using the Mikroe Flash 5 click board and
the Pi 3 Click shield.
Signed-off-by: Padmarao Begari <padmarao.begari@microchip.com>
Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Rick Chen <rick@andestech.com>
In the v2022.10 Icicle reference design, the seg registers have been
changed, resulting in a required change to the memory map.
A small 4MB reservation is made at the end of 32-bit DDR to provide some
memory for the HSS to use, so that it can cache its payload between
reboots of a specific context.
Co-developed-by: Conor Dooley <conor.dooley@microchip.com>
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Signed-off-by: Padmarao Begari <padmarao.begari@microchip.com>
Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Rick Chen <rick@andestech.com>
As PLICSW is used to trigger the software interrupt, we should rename
Andes PLIC configuration and file name to reflect the usage. This patch
also updates PLMT and PLICSW compatible strings to be consistent with
OpenSBI fdt driver.
Signed-off-by: Yu Chien Peter Lin <peterlin@andestech.com>
Reviewed-by: Rick Chen <rick@andestech.com>
It was noticed that while converting CONFIG_SPL_PAD_TO to Kconfig its
value for the MIPS MT762x/8x targets got not ported correctly. Its
default is not 0x10000 instead of 0x0. This patch fixes this issue.
Fixes: ca8a329a1b ("Convert CONFIG_SPL_PAD_TO et al to Kconfig")
Signed-off-by: Stefan Roese <sr@denx.de>
Cc: Ruben Winters <Ruben.Winters@gooiland-elektro.nl>
Cc: Weijie Gao <weijie.gao@mediatek.com>
Cc: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Cc: Tom Rini <trini@konsulko.com>
This converts the following to Kconfig:
CONFIG_SYS_MIPS_TIMER_REQ
Signed-off-by: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
CPU_CLOCK_RATE is just used once for CONFIG_SYS_MIPS_TIMER_FREQ
which is migrated to Kconfig in the next patch.
Signed-off-by: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
Resolve all uses of CONFIG_SYS_MHZ with the currently defined value.
Remove code which depends on CONFIG_SYS_MHZ but where no board configs
actually use that code.
Signed-off-by: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
This saves ~50K in the resulting u-boot.bin file which is important to
fit in the U-Boot partition defined in the flash layout of upstream Linux.
Signed-off-by: Cédric Le Goater <clg@kaod.org>
Add the needed bus mappings for the two main RTI memory ranges and
the required device tree nodes in the main domain.
Same as kernel commit 6dd8457dc20693e2ba9054c171499b22664fd4e7
Signed-off-by: Christian Gmeiner <christian.gmeiner@gmail.com>
On 64-bit platforms where int is 32-bit wide, the eeprom command
parse_numeric_param() routine truncates the memory address parameter to
the lower 32-bit. Make parse_numeric_param() return long to allow
read/write of addresses beyond the lower 4GB.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
So far the Calxeda machines were using the CONFIG_SYS_TIMER_* macros to
simply hardcode the address of the counter register of the SP804 timer.
This method is deprecated and scheduled for removal.
Use the newly introduced SP804 DM_TIMER driver to provide timer
functionality on Highbank and Midway machines. The base address and base
frequency are taken from the devicetree.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The DT used for Calxeda Highbank and Midway systems exposes a "system
registers" block, modeled as a DT subnode.
This includes several clocks, including the two fixed clocks for the
main oscillator and timer.
So far U-Boot was ignorant of this special construct (a "clocks" node
within the "hb-sregs" node), as it didn't need the PLL clocks in there.
But that also meant we lost the fixed clocks, which form the base for
the UART baudrate generator and also the SP804 timer.
To allow the generic PL011 and SP804 driver to read the clock rate,
add a simple bus driver, which triggers the DT node discovery inside this
special node. As we only care about the fixed clocks (we don't have
drivers for the PLLs anyway), just ignore the address translation (for
now).
The binding is described in bindings/arm/calxeda/hb-sregs.yaml, the DT
snippet in question looks like:
=======================
sregs@fff3c000 {
compatible = "calxeda,hb-sregs";
reg = <0xfff3c000 0x1000>;
clocks {
#address-cells = <1>;
#size-cells = <0>;
osc: oscillator {
#clock-cells = <0>;
compatible = "fixed-clock";
clock-frequency = <33333000>;
};
....
};
};
=======================
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The "Arm Ltd. Dual-Timer Module (SP804)" is a simple 32-bit count-down
timer IP with interrupt functionality, and is used in some SoCs from
various vendors.
Add a simple DM compliant timer driver, to allow users of the SP804 to
switch to DM_TIMER.
This relies on the input clock to be accessible via the DM clock
framework, which should be fine as we probably look at fixed-clock's
here anyway.
We re-program the control register in the probe() function, but keep
the divider in place, in case this has been set to something on purpose
before.
The TRM for the timer IP can be found here:
https://developer.arm.com/documentation/ddi0271/latest
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Currently our semihosting trap function is somewhat fragile: we rely
on the current compiler behaviour to assign the second inline assembly
argument to the next free register (r1/x1), which happens to be the
"addr" argument to the smh_trap() function (per the calling convention).
I guess this is also the reason for the noinline attribute.
Make it explicit what we want: the "addr" argument needs to go into r1,
so we add another register variable. This allows to drop the "noinline"
attribute, so now the compiler beautifully inlines just the trap
instruction directly into the calling function.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Commit f4b540e25c5c("arm: smh: Fix uninitialized parameters with newer
GCCs") added a memory clobber to the semihosting inline assembly trap
calls, to avoid too eager GCC optimisation: when passing a pointer, newer
compilers couldn't be bothered to actually fill in the structure that it
pointed to, as this data would seemingly never be used (at least from the
compiler's point of view).
But instead of the memory clobber we need to tell the compiler that we are
passing an *array* instead of some generic pointer, this forces the
compiler to actually populate the data structure.
This involves some rather hideous cast, which is best hidden in a macro.
But regardless of that, we actually need the memory clobber, but for two
different reasons: explain them in comments.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
The ARM semihosting interface uses different trap instructions for
different architectures and instruction sets. So far we were using
AArch64 and ARMv7-M, and had an untested v7-A entry. The latter does
not work when building for Thumb, as can be verified by using
qemu_arm_defconfig, then enabling SEMIHOSTING and SYS_THUMB_BUILD:
==========
{standard input}:35: Error: invalid swi expression
{standard input}:35: Error: value of 1193046 too large for field of 2 bytes at 0
==========
Fix this by providing the recommended instruction[1] for Thumb, and
using the ARM instruction only when not building for Thumb. This also
removes some comment, as QEMU for ARM allows to now test this case.
Also use the opportunity to clean up the inline assembly, and just define
the actual trap instruction inside #ifdef's, to improve readability.
[1] https://developer.arm.com/documentation/dui0471/g/Semihosting/The-semihosting-interface?lang=en
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Currently, we must call cyclic_init() at some point before
cyclic_register() becomes possible. That turns out to be somewhat
awkward, especially with SPL, and has resulted in a watchdog callback
not being registered, thus causing the board to prematurely reset.
We already rely on gd->cyclic reliably being set to NULL by the asm
code that clears all of gd. Now that the cyclic list is a hlist, and
thus an empty list is represented by a NULL head pointer, and struct
cyclic_drv has no other members, we can just as well drop a level of
indirection and put the hlist_head directly in struct
global_data. This doesn't increase the size of struct global_data,
gets rid of an early malloc(), and generates slightly smaller code.
But primarily, this avoids having to call cyclic_init() early; the cyclic
infrastructure is simply ready to register callbacks as soon as we
enter C code.
We can still end up with schedule() being called from asm very early,
so we still need to check that gd itself has been properly initialized
[*], but once it has, gd->cyclic_list is perfectly fine to access, and
will just be an empty list.
As for cyclic_uninit(), it was never really the opposite of
cyclic_init() since it didn't free the struct cyclic_drv nor set
gd->cyclic to NULL. Rename it to cyclic_unregister_all() and use that
in test/, and also insert a call at the end of the board_init_f
sequence so that gd->cyclic_list is a fresh empty list before we enter
board_init_r().
A small piece of ugliness is that I had to add a cast in
cyclic_get_list() to silence a "discards 'volatile' qualifier"
warning, but that is completely equivalent to the existing handling of
the uclass_root_s list_head member.
[*] I'm not really sure where we guarantee that the register used for
gd contains 0 until it gets explicitly initialized, but that must be
the case, otherwise testing gd for being NULL would not make much sense.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Stefan Roese <sr@denx.de>
Tested-by: Stefan Roese <sr@denx.de>
Tested-by: Tim Harvey <tharvey@gateworks.com> # imx8mm-venice-*
A hlist is headed by just a single pointer, so can only be traversed
forwards, and insertions can only happen at the head (or before/after
an existing list member). But each list node still consists of two
pointers, so arbitrary elements can still be removed in O(1).
This is precisely what we need for the cyclic_list - we never need to
traverse it backwards, and the order the callbacks appear in the list
should really not matter.
One advantage, and the main reason for doing this switch, is that an
empty list is represented by a NULL head pointer, so unlike a
list_head, it does not need separate C code to initialize - a
memset(,0,) of the containing structure is sufficient.
This is mostly mechanical:
- The iterators are updated with an h prefix, and the type of the
temporary variable changed to struct hlist_node*.
- Adding/removing is now just hlist_add_head (and not tail) and
hlist_del().
- struct members and function return values updated.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Stefan Roese <sr@denx.de>
Tested-by: Stefan Roese <sr@denx.de>
Tested-by: Tim Harvey <tharvey@gateworks.com> # imx8mm-venice-*
All the way back in 2013, the linux kernel updated the four
hlist_for_each_entry* iterators to require one less auxiliary
variable:
commit b67bfe0d42cac56c512dd5da4b1b347a23f4b70a
Author: Sasha Levin <sasha.levin@oracle.com>
Date: Wed Feb 27 17:06:00 2013 -0800
hlist: drop the node parameter from iterators
Currently, there is only one "user" of any of these, namely in
fs/ubifs/super.c, but that actually uses the "new-style" form, and
is (obviously, or it wouldn't have built) inside #ifndef __UBOOT__.
Before adding actual users of these, import the version as of linux
v6.1-rc1, including the hlist_entry_safe() helper used by the new
versions.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Stefan Roese <sr@denx.de>
Tested-by: Stefan Roese <sr@denx.de>
Tested-by: Tim Harvey <tharvey@gateworks.com> # imx8mm-venice-*
We're already relying on gd->cyclic being NULL before cyclic_init() is
called - i.e., we're relying on all of gd being zeroed before entering
any C code. And when we do populate gd->cyclic, its ->cyclic_ready
member is automatically set to true. So we can actually just rely on
testing gd->cyclic itself.
The only wrinkle is that cyclic_uninit() actually did set
->cyclic_ready to false. However, since it doesn't free gd->cyclic,
the cyclic infrastructure is actually still ready (i.e., the list_head
is properly initialized as an empty list).
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Stefan Roese <sr@denx.de>
Tested-by: Stefan Roese <sr@denx.de>
Tested-by: Tim Harvey <tharvey@gateworks.com> # imx8mm-venice-*
As a preparation for future patches, use a flag in gd->flags rather
than a separate member in (the singleton) struct cyclic_drv to keep
track of whether we're already inside cyclic_run().
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Stefan Roese <sr@denx.de>
Tested-by: Stefan Roese <sr@denx.de>
Tested-by: Tim Harvey <tharvey@gateworks.com> # imx8mm-venice-*
To quote the author:
The patchset adds support for the FWU Multi Bank Update[1]
feature. Certain aspects of the Dependable Boot[2] specification have
also been implemented.
The FWU multi bank update feature is used for supporting multiple
sets(also called banks) of firmware image(s), allowing the platform to
boot from a different bank, in case it fails to boot from the active
bank. This functionality is supported by keeping the relevant
information in a structure called metadata, which provides information
on the images. Among other parameters, the metadata structure contains
information on the currect active bank that is being used to boot
image(s).
Functionality is being added to work with the UEFI capsule driver in
u-boot. The metadata is read to gather information on the update bank,
which is the bank to which the firmware images would be flashed to. On
a successful completion of the update of all components, the active
bank field in the metadata is updated, to reflect the bank from which
the platform will boot on the subsequent boots.
Currently, the feature is being enabled on the STM32MP157C-DK2 and
Synquacer boards. The DK2 board boots a FIP image from a uSD card
partitioned with the GPT partioning scheme, while the Synquacer board
boots a FIP image from a MTD partitioned SPI NOR flash device.
This feature also requires changes in a previous stage of
bootloader, which parses the metadata and selects the bank to boot the
image(s) from. Support has being added in tf-a(BL2 stage) for the
STM32MP157C-DK2 board to boot the active bank images. These changes
have been merged to the upstream tf-a repository.
The patch for adding a python test for the feature has been developed,
and was sent in the version 5 of the patches[3]. However, the test
script depends on adding support for the feature on MTD SPI NOR
devices, and that is being done as part of the Synquacer
patches. Hence these set of patches do not have the test script for
the feature. That will be added through the patches for adding support
for the feauture on Synquacer platform.
[1] - https://developer.arm.com/documentation/den0118/a
[2] - https://git.codelinaro.org/linaro/dependable-boot/mbfw/uploads/6f7ddfe3be24e18d4319e108a758d02e/mbfw.pdf
[3] - https://lists.denx.de/pipermail/u-boot/2022-June/485992.html
Add documentation for the FWU Multi Bank Update feature. The document
describes the steps needed for setting up the platform for the
feature, as well as steps for enabling the feature on the platform.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Add support for setting OEM flags in the capsule header. As per the
UEFI specification, bits 0-15 of the flags member of the capsule
header can be defined per capsule GUID.
The oemflags will be used for the FWU Multi Bank update feature, as
specified by the Dependable Boot specification[1]. Bit
15 of the flags member will be used to determine if the
acceptance/rejection of the updated images is to be done by the
firmware or an external component like the OS.
[1] - https://git.codelinaro.org/linaro/dependable-boot/mbfw/uploads/6f7ddfe3be24e18d4319e108a758d02e/mbfw.pdf
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
The Dependable Boot specification[1] describes the structure of the
firmware accept and revert capsules. These are empty capsules which
are used for signalling the acceptance or rejection of the updated
firmware by the OS. Add support for generating these empty capsules.
[1] - https://git.codelinaro.org/linaro/dependable-boot/mbfw/uploads/6f7ddfe3be24e18d4319e108a758d02e/mbfw.pdf
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Add test cases for accessing the FWU Metadata on the sandbox
platform. The sandbox platform also uses the metadata access driver
for GPT partitioned block devices.
The FWU feature will be tested on the sandbox64 variant with a raw
capsule. Remove the FIT capsule testing from sandbox64 defconfig --
the FIT capsule test will be run on the sandbox_flattree variant.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Suggested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Add a command to read the metadata as specified in the FWU
specification and print the fields of the metadata.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
The FWU Multi Bank Update feature supports updating firmware images
to one of multiple sets(also called banks) of images. The firmware
images are clubbed together in banks, with the system booting images
from the active bank. Information on the images such as which bank
they belong to is stored as part of the metadata structure, which is
stored on the same storage media as the firmware images on a dedicated
partition.
At the time of update, the metadata is read to identify the bank to
which the images need to be flashed(update bank). On a successful
update, the metadata is modified to set the updated bank as active
bank to subsequently boot from.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The FWU Multi Bank Update specification requires the Update Agent to
carry out certain checks at the time of platform boot. The Update
Agent is the component which is responsible for updating the firmware
components and maintaining and keeping the metadata in sync.
The spec requires that the Update Agent perform the following checks
at the time of boot
* Sanity check of both the metadata copies maintained by the platform.
* Get the boot index passed to U-Boot by the prior stage bootloader
and use this value for metadata bookkeeping.
* Check if the system is booting in Trial State. If the system boots
in the Trial State for more than a specified number of boot counts,
change the Active Bank to be booting the platform from.
Call these checks through the main loop event at the time of platform
boot.
Signed-off-by: Sughosh Ganu <sughosh.ganu@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>