For obvious reasons BootROMS rejects unsigned images when secure boot is
enabled in OTP secure bits. So check for OPT secure bits and do not allow
flashing unsigned images when secure boot is enabled. Access to OTP via
U-Boot fuse API is currently implemented only for A38x and A37xx SoCs.
Additionally Armada 3700 BootROM rejects signed trusted image when secure
boot is not enabled in OTP. So add also check for this case. On the other
hand Armada 38x BootROM acceps images with secure boot header when secure
boot is not enabled in OTP.
OTP secure bits may have burned also boot device source. Check it also and
reject flashing images to target storage which does not match OTP.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
Currently for A38x image is checked only header checksum.
So check also for image data checksum to prevent flashing broken image.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Stefan Roese <sr@denx.de>
Testing on the theadorable Armada XP platform has shown, thaz using the
current value of 1000ms as response timeout does not result in reliable
booting via kwboot. Using 10ms seems to be much better. So let's change
this value to this 10ms instead.
Signed-off-by: Stefan Roese <sr@denx.de>
Acked-by: Pali Rohár <pali@kernel.org>
Add CONFIG_SUPPORT_PASSING_ATAGS and friends to support legacy
image method of booting. Debian and OpenWrt installer use uImage
with appended DTB for these Kirkwood boards.
Signed-off-by: Tony Dinh <mibodhi@gmail.com>
Reviewed-by: Stefan Roese <sr@denx.de>
Running tests in parallel is much faster, e.g. 15 seconds to run the tests
on sandbox (only), instead of 100 seconds (on a 16-core machine). Add a
'make pcheck' option to access this feature.
Note that the tools/ tests still run each tool's tests once after the
other, although within that, they do run in parallel. So for example,
the buildman tests run in parallel, then the binman tests run in
parallel. There would be a signiificant advantage to running them all
in parallel together, but that would require a large amount of
refactoring, e.g. with more use of pytest fixtures.
Update the documentation to represent the current state.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present when -n is used, all workers try to build U-Boot at once.
Add a lock to ensure that only one of them builds, with the others using
the build that is produced.
The lock file is removed on startup.
Signed-off-by: Simon Glass <sjg@chromium.org>
This assumes that the GPIO starts as 0 but it does not if
test_gpio_input() ran first and test_gpio_exit_statuses() was skipped.
This can happen when running tests in parallel.
Fix it.
Signed-off-by: Simon Glass <sjg@chromium.org>
When doing a quick check we don't need to run all the vboot tests. Just
run the first one, which is enough to catch most problems.
Signed-off-by: Simon Glass <sjg@chromium.org>
This test seems to interfere with the other test in this file. Mark it
single-threaded to avoid any problems.
Signed-off-by: Simon Glass <sjg@chromium.org>
This test relies on the silent_linux env variable being set. Add this
to the code so it can run without relying on other bootm tests having been
run first.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present test_pinmux_status() assumes that test_pinmux_dev() has run
beforehand. Drop this assumption so we can run the tests in parallel.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add board_rng_seed() as a temporary solution
-----BEGIN PGP SIGNATURE-----
iQFFBAABCgAvFiEEslwAIq+Gp8wWVbYnfxc6PpAIreYFAmMfNjoRHHNqZ0BjaHJv
bWl1bS5vcmcACgkQfxc6PpAIreaPVAf/SjZXU864AaleX1mCYtOSdhpAictwaJwY
k1MJ/NxuRzvkF+yUMqnJMXVCUno3M9g3zYP4caworu2xL/YEXKCCswyowpNGBMZP
uR84CgroKxLMjx2OPyWIpaAYEJz6O61Nj3AXuUx7y9XwOCiDImOi1et97LfgPA/z
sxBp7Q0QpPMFWiJ6oijH9PdnzoN2A2ddSSYzDiRUtCOsc5XOq6rx27PH10yDyFyV
oBhE/siuERnIt/MvPqs0aNIiKJ6lyjcqkMnDU94LD36EAT6Z3ll5tzJR1f7+DC3p
VFppSypxCJdIw07qliCcCFQhFAe5BcmWQ+FuDydWu3OjOVc/WX0V2w==
=r1u5
-----END PGP SIGNATURE-----
Merge tag 'dm-pull-12sep22' of https://source.denx.de/u-boot/custodians/u-boot-dm
Binman VPL support (patch was lost)
Add board_rng_seed() as a temporary solution
A recurring theme on LKML is the boot process deadlocking due to some
process blocking waiting for random numbers, while the kernel's
Cryptographic Random Number Generator (crng) is not initalized yet,
but that very blocking means no activity happens that would generate
the entropy necessary to finalize seeding the crng.
This is not a problem on boards that have a good hwrng (when the
kernel is configured to trust it), whether in the CPU or in a TPM or
elsewhere. However, that's far from all boards out there. Moreover,
there are consumers in the kernel that try to obtain random numbers
very early, before the kernel has had any chance to initialize any
hwrng or other peripherals.
Allow a board to provide a board_rng_seed() function, which is
responsible for providing a value to be put into the rng-seed property
under the /chosen node.
The board code is responsible for how to actually obtain those
bytes.
- One possibility is for the board to load a seed "file" from
somewhere (it need not be a file in a filesystem of course), and
then ensure that that the same seed file does not get used on
subsequent boots.
* One way to do that is to delete the file, or otherwise mark it as
invalid, then rely on userspace to create a new one, and living
with the possibility of not finding a seed file during some boots.
* Another is to use the scheme used by systemd-boot and create a new
seed file immediately, but in a way that the seed passed to the
kernel and the new (i.e. next) seed cannot be deduced from each
other, see the explanation at
https://lore.kernel.org/lkml/20190929090512.GB13049@gardel-login/
and the current code at
https://github.com/systemd/systemd/blob/main/src/boot/efi/random-seed.c
- The board may have an hwrng from which some bytes can be read; while
the kernel can also do that, doing it in U-Boot and providing a seed
ensures that even very early users in the kernel get good random
numbers.
- If the board has a sensor of some sort (temperature, humidity, GPS,
RTC, whatever), mixing in a reading of that doesn't hurt.
- etc. etc.
These can of course be combined.
The rng-seed property is mixed into the pool used by the linux
kernel's CRNG very early during boot. Whether it then actually
contributes towards the kernel considering the CRNG initialized
depends on whether the kernel has been configured with
CONFIG_RANDOM_TRUST_BOOTLOADER (nowadays overridable via the
random.trust_bootloader command line option). But that's for the BSP
developer to ultimately decide.
So, if the board needs to have all that logic, why not also just have
it do the actual population of /chosen/rng-seed in ft_board_setup(),
which is not that many extra lines of code?
I considered that, but decided handling this logically belongs in
fdt_chosen(). Also, apart from saving the board code from the few
lines of boilerplate, doing it in ft_board_setup() is too late for at
least some use cases. For example, I want to allow the board logic to
decide
ok, let's pass back this buffer and use that as seed, but also let's
set random.trust_bootloader=n so no entropy is credited.
This requires the rng-seed handling to happen before bootargs
handling. For example, during the very first boot, the board might not
have a proper seed file, but the board could still return (a hash of)
some CPU serial# or whatnot, so that at least no two boards ever get
the same seed - the kernel always mixes in the value passed in
rng-seed, but if it is not "trusted", the kernel would still go
through the same motions as it would if no rng-seed was passed before
considering its CRNG initialized. I.e., by returning that
unique-to-this-board value and setting random.trust_bootloader=n, the
board would be no worse off than if board_rng_seed() returned nothing
at all.
Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
The user provided key address was not flushed in struct aes because of
the flushing location in the function.
Signed-off-by: Janne Ylalehto <ylalehto@gmail.com>
Link: https://lore.kernel.org/r/20220816124525.19671-1-ylalehto@gmail.com
Signed-off-by: Michal Simek <michal.simek@amd.com>
The drivers informs the user that a post config was not run after FPGA
configuration. This message is unnecessary in SPL because the
ps7_post_config function is called via spl_board_prepare_for_boot
function before jump_to_image_no_args function from board_init_r
function.
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Link: https://lore.kernel.org/r/20220808145331.24723-1-stefan.herbrechtsmeier-oss@weidmueller.com
Signed-off-by: Michal Simek <michal.simek@amd.com>
Move arm twd timer driver from zynq to generic location.
DM timer drivers are designed differently to original driver. Timer is
counting up and not down.
Information about clock rates are find out in timer_pre_probe() that's
why there is no need to get any additional information from DT in the
driver itself (only register offset).
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Link: https://lore.kernel.org/r/20220805061629.1207-1-stefan.herbrechtsmeier-oss@weidmueller.com
Signed-off-by: Michal Simek <michal.simek@amd.com>
Documentation:
* man-page for tftpput
UEFI:
* fix driver binding protocol for block IO devices
* don't delete invalid handles
* add a unit test for the EFI Conformance Profile Table
Other:
* correct short text for tftpboot
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmMbeUEACgkQxIHbvCwF
GsSGsw//WJAuuzP5ufWGxJk2pR9v9LatIsV+w2W1fBTsTb/dbMZ4Sika2Z1izeer
vmakldnOTLoTXZxng/Ke9J7PEefS8NSUgHbXYLq6a5ckrsji58kGHhDvUjrU2eOf
D4SBh8eGW/wgmnzHgmsVU0vcXbtWUomWlV4v8SGjYWq5KOTOdFGYmMddqv8cnUVa
wXHktLaDi9TzzFdfeYPbAlKboQTdRkw0CbzY8z6jlxm2Yd/i7Iw9v7MWwFN5rv1N
Zlx9Kl0SV1Jz//yzUajyiXXVYK+kVcpjDcvOPhx4GL96mcvW4yyGlOKjpUkTR3H3
l7112u4lwNSUIJIeDMCazqKgdGMsl+RLuJymAIRCdaBs3c0FsuX4WHNAr0H1KT9X
oVnzeBKZKjFTT76Q39F80O0JrdDMxqMm1fGiy1ySlRCJNd+dlYZKoopt8PpWkk1E
IBHsE1m1OXe+n2PNrh6YR9egv9RmfdwBEl0wBftNb9DQ+gNAvR7wVRpmDRCqYuBR
l/k6GsznHK4hh1Wh+BhrrUeQ3YbboK3RvGA9toYp6BEk/5F2dDuy5pVM7OETjGEY
DaKjqPjMv41SCIzpcEkzPJEvQ0tEFuk+GEC168IXQmcV/gttvuLNLFfnlLE1amQr
g09ePeaXKzjiWYSi5wEz1GQs7W9WBnJ5+2zOL41ih125xra6/NE=
=1zZW
-----END PGP SIGNATURE-----
Merge tag 'efi-2022-10-rc5' of https://source.denx.de/u-boot/custodians/u-boot-efi
Pull request for efi-2022-10-rc5
Documentation:
* man-page for tftpput
UEFI:
* fix driver binding protocol for block IO devices
* don't delete invalid handles
* add a unit test for the EFI Conformance Profile Table
Other:
* correct short text for tftpboot
UEFI block devices can either mirror U-Boot's internal devices or be
provided by an EFI application like iPXE.
When ConnectController() is invoked for the EFI_BLOCK_IO_PROTOCOL
interface for such an application provided device we create a virtual
U-Boot block device of type "efi_blk".
Currently we do not call ConnectController() when handles for U-Boot's
internal block devices are created. If an EFI application calls
ConnectController() for a handle relating to an internal block device,
we erroneously create an extra "efi_blk" block device.
E.g. the UEFI shell has a command 'connect -r' which calls
ConnectController() for all handles with device path protocol.
In the Supported() method of our EFI_DRIVER_BINDING_PROTOCOL return
EFI_UNSUPPORTED when dealing with an U-Boot internal device.
Reported-by: Etienne Carriere <etienne.carriere@linaro.org>
Fixes: commit 05ef48a248 ("efi_driver: EFI block driver")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Tested-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Change efi_delete_handle() to not free EFI handles twice.
This change tries to resolved an issue seen since U-Boot v2022.07
in which ExitBootService() attempts to release some EFI handles twice.
The issue was seen booting a EFI shell that invokes 'connect -r' and
then boots a Linux kernel. Execution of connect command makes EFI
subsystem to bind a block device for each root block devices EFI handles.
However these EFI device handles are already bound to a driver and we
can have 2 registered devices relating to the same EFI handler. On
ExitBootService(), the loop removing the devices makes these EFI handles
to be released twice which corrupts memory.
This patch prevents the memory release operation caused by the issue but
but does not resolve the underlying problem.
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Add log message.
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Add a new unit test to test the integrity of the
EFI Conformance Profile Table.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
We can use efi_st_get_config_table() in multiple unit tests.
Export the function.
Export system-table and boot-services.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Provide a man-page for the tftpput command.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The command's name is a misnomer.
The command loads a file but does not run (boot) it.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Calling tftpput with less than 2 arguments must lead to a failure.
If tftpput is called with two arguments, these are the address and
the size of the file to be transferred.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
- remove test on CONFIG_DM_REGULATOR in stm32mp1 board
and enable CONFIG_DM_REGULATOR for stm32f769-disco
- handle ck_usbo_48m clock provided by USBPHYC to fix the command 'usb start'
after alignment with Linux kernel v5.19 DT (clocks = <&usbphyc>)
- Fix SYS_HZ_CLOCK value for stih410-b2260 board
- Switch STMM32MP15x DHSOM to FMC2 EBI driver
- Remove hwlocks from pinctrl in STM32MP15x to avoid issue with kernel
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE56Yx6b9SnloYCWtD4rK92eCqk3UFAmMZoW4ACgkQ4rK92eCq
k3W2MAgAsmy2aSlMYo/AGlJ/KCrZuk6OirNHtdOdacvbcdUUbpkNpBSjdkrRm2If
VUnY1utIIJe6gFgnBUxXJ3RF5FZuhkdawc6V25HtDp6H3WamzJknKs5Vc4TlKp59
hZCOto7/+G/cd2XLdCKFUBl+new1pdDPsEm56+57DeZ7QGAQRX35PUQ5+HBjQJ/N
n/wJgS6wkEdIQLLwmCVxbHUkC+pRotTza5F2A0qZJgYPMcMpVFYKtzIa4GbWB5YS
MKGHbM8f3C8RLPQaHHTRycoA2Yor1I52B4Oi7605c5zHQr9pjrgtWsernDzkIhsB
ThYHSYQBUBTY4HBfzFwzCkVGqqLWNg==
=PMFY
-----END PGP SIGNATURE-----
Merge tag 'u-boot-stm32-20220907' of https://source.denx.de/u-boot/custodians/u-boot-stm
- simplify the STM32MP15x package parsing code
- remove test on CONFIG_DM_REGULATOR in stm32mp1 board
and enable CONFIG_DM_REGULATOR for stm32f769-disco
- handle ck_usbo_48m clock provided by USBPHYC to fix the command 'usb start'
after alignment with Linux kernel v5.19 DT (clocks = <&usbphyc>)
- Fix SYS_HZ_CLOCK value for stih410-b2260 board
- Switch STMM32MP15x DHSOM to FMC2 EBI driver
- Remove hwlocks from pinctrl in STM32MP15x to avoid issue with kernel
Fman microcode is executable code (AFAICT) loaded into a
coprocessor. As such, if verified boot is enabled, it must be verified
like other executable code. However, this is not currently done.
This commit adds verified boot functionality by encapsulating the
microcode in a FIT, which can then be signed/verified as normal. By
default we allow fallback to unencapsulated firmware, but if
CONFIG_FIT_SIGNATURE is enabled, then we make it mandatory. Because
existing Layerscape do not use this config (instead enabling
CONFIG_CHAIN_OF_TRUST), this should not break any existing boards.
An example (mildly-abbreviated) its is provided below:
/ {
#address-cells = <1>;
images {
firmware {
data = /incbin/(/path/to/firmware);
type = "firmware";
arch = "arm64";
compression = "none";
signature {
algo = "sha256,rsa2048";
key-name-hint = "your key name";
};
};
};
configurations {
default = "conf";
conf {
description = "Load FMAN microcode";
fman = "firmware";
};
};
};
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Several ethernet drivers load firmware from FIT images. Convert them to
use the fit_get_data helpers.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
This converts the FIT loading process of the fpga command to use
fit_get_data_node.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
This reduces sec_firmware_get_data to a single call to
fit_get_data_conf_prop. I think sec_firmware_check_copy_loadable could also
be converted, but it does not map as straightforwardly, so I have left it
for a future cleanup.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Several different firmware users have repetitive code to extract the
firmware data from a FIT. Add some helper functions to reduce the amount
of repetition. fit_conf_get_prop_node (eventually) calls
fdt_check_node_offset_, so we can avoid an explicit if. In general, this
version avoids printing on error because the callers are typically
library functions, and because the FIT code generally has (debug)
prints of its own. One difference in these helpers is that they use
fit_image_get_data_and_size instead of fit_image_get_data, as the former
handles external data correctly.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
The config to use for FIT images can be better specified by enabling
CONFIG_MULTI_DTB_FIT and implementing board_fit_config_name_match.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Correctly calculate offsets between SPL and proper U-Boot when new config
option CONFIG_FSL_PREPBL_ESDHC_BOOT_SECTOR for generating eSDHC boot sector
is enabled. Otherwise SPL would not be able to boot proper U-Boot.
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
CPLD in load_default mode ignores watchdog reset signal. It does not reset
board when watchdog triggers reset signal.
Detect load_default mode by GPIO7 - LOAD_DEFAULT_N and delete watchdog
max6370 node from device to prevent registering driver for non-working
watchdog.
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Peng Fan <peng.fan@nxp.com>