With TPM2 we don't actually lock the TPM once verified boot is finished.
Instead we disable the platform hierarchy which serves the same purpose.
Add an implementation of this so we can safely boot into the kernel.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Add support for this so that the TPM can be set up for use with
Chromium OS verified boot.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Update tpm2_clear() and tpm2_pcr_extend() so that the command size
is not repeated twice. Add a small comment to the latter.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Add support for TPMv2 versions of API functions. So far this is not
complete as the standard is quite large, but it implements everything
currently available for TPMv2 in U-Boot.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Take over the plain 'tpm_...' functions for use by the new TPM API. Rename
all the TPMv1 functions so they are called from the API.
Update the TPMv1 functions so that they are called from the API. Change
existing users to use the tpm1_ prefix so they don't need to go through
the API, which might introduce uncertainty.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
There are two different TPM standards. U-Boot supports both but each has
its own set of functions. We really need a single TPM API that can call
one or the other. This is not always possible as there are some
differences between the two standards, but it is mostly possible.
Add an API to handle this. So far it is not plumbed into the build and
only supports TPMv1.
Signed-off-by: Simon Glass <sjg@chromium.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
The response is shown but not the request. Update the code to show both
if debugging is enabled.
Use a 'uint' type for size so it matches the register-word size on both
32- and 64-bit machines.
Signed-off-by: Simon Glass <sjg@chromium.org>
Update this to use log_debug() instead of the old debug().
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
At present the security chip is not used in these U-Boot phases. Update
the Makefile to exclude it.
Fix a few logging statements while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Sandbox provides a way to write out its emulated memory on exit. This
makes it possible to pass a bloblist from one phase (e.g. SPL) to the
next.
However the bloblist is not closed off, so the checksum is generally
invalid. Fix this by finishing up the bloblist before writing the memory
file.
Signed-off-by: Simon Glass <sjg@chromium.org>
This state is not accessible to the running U-Boot but at present it is
allocated in the emulated SDRAM. This doesn't seem very useful. Adjust
it to allocate from the OS instead.
The RAM buffer is currently not freed, but should be, so add that into
state_uninit(). Update the comment for os_free() to indicate that NULL is
a valid parameter value.
Note that the strdup() in spl_board_load_image() is changed as well, since
strdup() allocates memory in the RAM buffer.
Signed-off-by: Simon Glass <sjg@chromium.org>
We provide os_malloc() and os_free() but not os_realloc(). Add this,
following the usual semantics. Also update os_malloc() to behave correctly
when passed a zero size.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
This code is still using the old command typedef. It was not noticed since
this file is not currently built. It is using a non-existent option in the
Makefile.
Drop this file since it is not needed for correct operation.
Signed-off-by: Simon Glass <sjg@chromium.org>
Comparing a hex dump on the U-Boot command line with the contents of a
file on the host system is fairly easy and convenient to do manually if
it is small. But the format used hexdump by default differs from that
shown by U-Boot. Add a note about how to make them the same.
(For large dumps, writing the data to the network with tftpput, or to a
USB stick with ext4save is easiest.)
Signed-off-by: Simon Glass <sjg@chromium.org>
Add notes about how to make binman produce verbose logging when building.
Add a comment on how to do this.
Signed-off-by: Simon Glass <sjg@chromium.org>
This is printed twice but we only need one message, since there is very
little processing in between them. Drop the second one, since all branches
of the switch() already have output. Update the U-Boot message to include
the phase being jumped to.
Signed-off-by: Simon Glass <sjg@chromium.org>
Remove the unused function set_dacr/get_dacr
Serie-cc: Ard Biesheuvel <ardb@kernel.org>
Serie-cc: R Sricharan <r.sricharan@ti.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Update the initial value of Domain Access Control Register (DACR)
and set by default the access permission to client (DACR_Dn_CLIENT = 1U)
for each of the 16 domains and no more to all-supervisor
(DACR_Dn_MANAGER = 3U).
This patch allows to activate the domain checking in MMU against the
permission bits in the translation tables and avoids prefetching issue
on ARMv7 [1].
Today it was already done for OMAP2 architecture
./arch/arm/mach-omap2/omap-cache.c::arm_init_domains
introduced by commit de63ac278c ("ARM: mmu: Set domain permissions
to client access") which fixes lot of speculative prefetch aborts seen
on OMAP5 secure devices.
[1] https://developer.arm.com/documentation/ddi0406/b/System-Level-Architecture/Virtual-Memory-System-Architecture--VMSA-/Memory-access-control/The-Execute-Never--XN--attribute-and-instruction-prefetching
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Reported-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
The normal memory (other that DCACHE_OFF) should be executable by default,
only the device memory (DCACHE_OFF) used for peripheral access should have
the bit execute never (TTB_SECT_XN_MASK).
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Overidde the weak function dram_bank_mmu_setup() to set the DDR
(preloc case) or the SYSRAM (in SPL case) executable before to enable
the MMU and configure DACR.
This weak function is called in dcache_enable/mmu_setup.
This patchs avoids a permission access issue when the DDR is marked
executable (by calling mmu_set_region_dcache_behaviour with
DCACHE_DEFAULT_OPTION) after MMU setup and domain access permission
activation with DACR in dcache_enable.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Mark the top of ram, used for relocated U-Boot as a normal memory
(cacheable and executable) to avoid permission access issue when
U-Boot jumps to this relocated code.
When MMU is activated in pre-reloc stage; only the beginning of
DDR is marked executable.
This patch avoids access issue when DACR is correctly managed.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Historically, the reset_cpu() function had an `addr` parameter which was
meant to pass in an address of the reset vector location, where the CPU
should reset to. This feature is no longer used anywhere in U-Boot as
all reset_cpu() implementations now ignore the passed value. Generic
code has been added which always calls reset_cpu() with `0` which means
this feature can no longer be used easily anyway.
Over time, many implementations seem to have "misunderstood" the
existence of this parameter as a way to customize/parameterize the reset
(e.g. COLD vs WARM resets). As this is not properly supported, the
code will almost always not do what it is intended to (because all
call-sites just call reset_cpu() with 0).
To avoid confusion and to clean up the codebase from unused left-overs
of the past, remove the `addr` parameter entirely. Code which intends
to support different kinds of resets should be rewritten as a sysreset
driver instead.
This transformation was done with the following coccinelle patch:
@@
expression argvalue;
@@
- reset_cpu(argvalue)
+ reset_cpu()
@@
identifier argname;
type argtype;
@@
- reset_cpu(argtype argname)
+ reset_cpu(void)
{ ... }
Signed-off-by: Harald Seiler <hws@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
This reverts commit 576007aec9.
The parameter passed to reset_cpu() no longer holds a meaning as all
call-sites now pass the value 0. Thus, branching on it is essentially
dead code and will just confuse future readers.
Revert soft-reset support and just always perform a hard-reset for now.
This is a preparation for removal of the reset_cpu() parameter across
the entire tree in a later patch.
Fixes: 576007aec9 ("lpc32xx: cpu: add support for soft reset")
Cc: Sylvain Lemieux <slemieux@tycoint.com>
Signed-off-by: Harald Seiler <hws@denx.de>
The current implementation of reset_cpu() in the ns3 board code does not
archieve what it is supposed to (according to the comments), due to
a number of reasons:
1. The argument to reset_cpu() is _not_ actually passed from the
`reset` command, but is set to 0 in all call-sites (in this
specific case, see arch/arm/lib/reset.c). Thus, performing
different kinds of resets based on its value will not work as
expected.
2. Contrary to its documentation, the passed argument is not
interpreted, but a static `L3_RESET` define is used. The other
comment properly notes that this will always perform a L3 reset,
though.
3. The "parsing" of the static `L3_RESET` value is not even using the
upper and lower nibble as stated in the comment, but uses the last
two decimal digits of the value.
This is currently one of the only implementations left in U-Boot, which
make "use" of the value passed to reset_cpu(). As this is done under
false assumption (the value does not have any meaning anymore), it makes
sense to bring it into line with the rest and start ignoring the
parameter.
This is a preparation for removal of the reset_cpu() parameter across
the entire tree in a later patch.
Fixes: b5a152e7ca ("board: ns3: default reset type to L3")
Cc: Bharat Gooty <bharat.gooty@broadcom.com>
Cc: Rayagonda Kokatanur <rayagonda.kokatanur@broadcom.com>
Signed-off-by: Harald Seiler <hws@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
nds32 is one of the only architectures which still have a reset_cpu()
implementation that makes use of the `addr` parameter. The rest of
U-Boot now ignores it and passes 0 everywhere. It turns out that even
here, reset_cpu() is no longer referenced anywhere; reset is either not
implemented (e.g. ae3xx) or realized using a WDT (e.g. ag101).
Remove this left-over implementation in preparation for the removal of
the `addr` parameter in the entire tree.
Cc: Rick Chen <rick@andestech.com>
Signed-off-by: Harald Seiler <hws@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Rick Chen <rick@andestech.com>
In drivers we use a family of printing functions including pr_err() and
pr_cont(). CONFIG_LOGLEVEL is used to control which of these lead to output
via printf().
Our logging functions allow finer grained control of output. So replace
printf() by the matching logging functions. The usage of CONFIG_LOGLEVEL
remains unchanged.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
When the btrfs_read_fs_root() function is searching a ROOT_ITEM with
location key offset other than -1, it currently fails via BUG_ON.
The offset can have other value than -1, though. This can happen for
example if a subvolume is renamed:
$ btrfs subvolume create X && sync
Create subvolume './X'
$ btrfs inspect-internal dump-tree /dev/root | grep -B 2 'name: X$
location key (270 ROOT_ITEM 18446744073709551615) type DIR
transid 283 data_len 0 name_len 1
name: X
$ mv X Y && sync
$ btrfs inspect-internal dump-tree /dev/root | grep -B 2 'name: Y$
location key (270 ROOT_ITEM 0) type DIR
transid 285 data_len 0 name_len 1
name: Y
As can be seen the offset changed from -1ULL to 0.
Do not fail in this case.
Signed-off-by: Marek Behún <marek.behun@nic.cz>
Cc: David Sterba <dsterba@suse.com>
Cc: Qu Wenruo <wqu@suse.com>
Cc: Tom Rini <trini@konsulko.com>
As Stephen is no longer actively maintaining the uboot-test-hooks
repository, switch to using the instance on our GitLab.
Acked-by: Stephen Warren <swarren@wwwdotorg.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
- Enable uefi related commands for STMicroelectronics STM32MP15 boards
- Remove duplicate uart nodes in stm32mp15 device tree
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE56Yx6b9SnloYCWtD4rK92eCqk3UFAmA5DRwACgkQ4rK92eCq
k3WKtQf+Nk2N8XzhKgoz4dfg+A/uZ1ppKiuuYfHWitvw9OLrjGO61MnYOc6Dh7De
LchPExBYnatj3lxu3IEaaNUGJRujnt9n3W8JNQTGB81MI1TO2oITEhAyDqpMGtqt
pvr1NaoxhZM4B7n/HoQnVB+XtlP08w45SQiEXjjaO82hWRk45sAZ7WGFSs60iVck
ocqhrJ/2AraG98JQPxWfvdqr+24gl1Gt++KT/cdHS//IeYJJYuiCD3m9vOj8TatH
gDVbfR6tquZ5HLvKr/orRz3smaCuutWdHcDwcjs3kFK1rBHSYFZhG3qHQ3ZqNm+w
T/7JIqz4W366o7QZXXlCoi56w2tpug==
=f/Cg
-----END PGP SIGNATURE-----
Merge tag 'u-boot-stm32-20210226' of https://gitlab.denx.de/u-boot/custodians/u-boot-stm
- Add USB host boot support in stm32mp1 config
- Enable uefi related commands for STMicroelectronics STM32MP15 boards
- Remove duplicate uart nodes in stm32mp15 device tree
VenHw and VenMedia device path nodes may carry vendor defined data of
arbitrary length. When converting a device path node to text ensure that we
do not overrun our internal buffer.
In our implementation of
EFI_DEVICE_PATH_TO_TEXT_PROTOCOL.ConvertDevicePathToText() we could first
determine the output length and then allocate buffers but that would nearly
double the code size. Therefore keep the preallocated buffers and truncate
excessive device paths instead.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Fix a missing comma sign (,) from a printf(), that is only
reachable if DEBUG is defined, in which case the build fails with:
tools/mkeficapsule.c:266:36: error: expected ‘)’ before ‘bin’
266 | printf("\tbin: %s\n\ttype: %pUl\n" bin, guid);
| ^~~~
| )
Signed-off-by: Klaus Heinrich Kiwi <klaus@linux.vnet.ibm.com>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The UEFI spec does not allow ACPI tables to be in runtime services memory.
It recommends EfiACPIReclaimMemory.
Remove a superfluous check that the allocated pages are 16 byte aligned.
EFI pages are 4 KiB aligned.
Fixes: 86df34d42b ("efi_loader: Install ACPI configuration tables")
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
The board can boot with UEFI. With the latest changes in U-Boot's
EFI subsystem we also have support for EFI runtime variables, without
SetVariable support. We can also store the EFI variables in a file on the
ESP partition and preserve them across reboots.
The env and efidebug commands are missing in order to configure
EFI variables and the efibootmgr though. Since U-Boot's default config
enables other EFI related commands (e.g bootefi), let's add the env related
and efidebug commands and allow users to do that
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Remove duplicated uart nodes introduced with commit 62f95af92a
("ARM: dts: stm32mp1: DT alignment with Linux kernel v5.9-rc4"),
because the uart nodes wasn't correctly ordered in alphabetic order.
Only cosmetic: the generated device tree don't change.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>