Fit images were loaded to a buffer provided by spl_get_load_buffer().
This may work when the FIT image is small and fits between the start
of DRAM and SYS_TEXT_BASE.
One problem with this approach is that the location of the buffer may
be manipulated by changing the 'size' field of the FIT. A maliciously
crafted FIT image could place the buffer over executable code and be
able to take control of SPL. This is unacceptable for secure boot of
signed FIT images.
Another problem is with larger FIT images, usually containing one or
more linux kernels. In such cases the buffer be be large enough so as
to start before DRAM (Figure I). Trying to load an image in this case
has undefined behavior.
For example, on stm32mp1, the MMC controller hits a RX overrun error,
and aborts loading.
_________________
| FIT Image |
| |
/===================\ /=====================\
|| DRAM || | DRAM |
|| || | |
||_________________|| SYS_TEXT_BASE | ___________________ |
| | || FIT Image ||
| | || ||
| _________________ | SYS_SPL_MALLOC_START || _________________ ||
|| malloc() data || ||| malloc() data |||
||_________________|| |||_________________|||
| | ||___________________||
| | | |
Figure I Figure II
One possibility that was analyzed was to remove the negative offset,
such that the buffer starts at SYS_TEXT_BASE. This is not a proper
solution because on a number of platforms, the malloc buffer() is
placed at a fixed address, usually after SYS_TEXT_BASE. A large
enough FIT image could cause the malloc()'d data to be overwritten
(Figure II) when loading.
/======================\
| DRAM |
| |
| | CONFIG_SYS_TEXT_BASE
| |
| |
| ____________________ | CONFIG_SYS_SPL_MALLOC_START
|| malloc() data ||
|| ||
|| __________________ ||
||| FIT Image |||
||| |||
||| |||
Figure III
The solution proposed here is to replace the ad-hoc heuristics of
spl_get_load_buffer() with malloc(). This provides two advantages:
* Bounds checking of the buffer region
* Guarantees the buffer does not conflict with other memory
The first problem is solved by constraining the buffer such that it
will not overlap currently executing code. This eliminates the chance
of a malicious FIT being able to replace the executing SPL code prior
to signature checking.
The second problem is solved in conjunction with increasing
CONFIG_SYS_SPL_MALLOC_SIZE. Since the SPL malloc() region is
carefully crafted on a per-platform basis, the chances of memory
conflicts are virtually eliminated.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
bl2_to_bl31_params_mem is just an implementation detail of the SPL ATF
support and is not needed anywhere else. Move it from the header to the
actual module.
Signed-off-by: Michael Walle <michael@walle.cc>
Acked-by: Michal Simek <michal.simek@xilinx.com>
Move the actual implementation of the bl2_plat_get_bl31_params() to its
own function. The weak function will just call the default
implementation. This has the advantage that board code can still call
the original implementation if it just want to modify minor things.
Signed-off-by: Michael Walle <michael@walle.cc>
There is no need to have the storage available globally. This is also a
preparation for LOAD_IMAGE_V2 support. That will introduce a similar
generator function which also has its own storage.
Signed-off-by: Michael Walle <michael@walle.cc>
Acked-by: Michal Simek <michal.simek@xilinx.com>
This commit add the support of signature check for config node
in spl/tpl when the function spl_load_simple_fit is used.
Signed-off-by: Philippe Reynes <philippe.reynes@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This uclass is intended to provide a way to obtain information about a
U-Boot board. But the concept of a U-Boot 'board' is the whole system,
not just one circuit board, meaning that 'board' is something of a
misnomer for this uclass.
In addition, the name 'board' is a bit overused in U-Boot and we want to
use the same uclass to provide SMBIOS information.
The obvious name is 'system' but that is so vague as to be meaningless.
Use 'sysinfo' instead, since this uclass is aimed at providing information
on the system.
Rename everything accordingly.
Note: Due to the patch delta caused by the symbol renames, this patch
shows some renamed files as being deleted in one place and created in
another.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
SPL is creating fit-images DT node when loadables are recorded in selected
configuration. Entries which are created are using entry-point and
load-addr property names. But there shouldn't be a need to use non standard
properties because entry/load are standard FIT properties. But using
standard FIT properties enables option to use generic FIT functions to
descrease SPL size. Here is result for ZynqMP virt configuration:
xilinx_zynqmp_virt: spl/u-boot-spl:all -82 spl/u-boot-spl:rodata -22 spl/u-boot-spl:text -60
The patch causes change in run time fit image record.
Before:
fit-images {
uboot {
os = "u-boot";
type = "firmware";
size = <0xfd520>;
entry-point = <0x8000000>;
load-addr = <0x8000000>;
};
};
After:
fit-images {
uboot {
os = "u-boot";
type = "firmware";
size = <0xfd520>;
entry = <0x8000000>;
load = <0x8000000>;
};
};
Replacing calling fdt_getprop_u32() by fit_image_get_entry/load() also
enables support for reading entry/load properties recorded in 64bit format.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The sandbox is built with the SDL2 library with invokes the X11 library
which in turn calls getc(). But getc() in glibc is defined as
int getc(FILE *)
This does not match our definition.
int getc(void)
The sandbox crashes when called with parameter -l.
Rename our library symbol getc() to getchar().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
CONFIG_{SPL,TPL}_SIZE_LIMIT are defined as hex (SPL_SIZE_LIMIT was
converted in b51882d0 ("spl: Convert CONFIG_SPL_SIZE_LIMIT to hex"), but
there are still places that reference integer values. Change those to hex
as well. Also, update the Makefile to check for 0x0 instead of 0.
This also fixes the following build error when CONFIG_SPL_SIZE_LIMIT
is set by menuconfig to 0x0:
...
spl/u-boot-spl.bin exceeds file size limit:
limit: 0 bytes
actual: 0x80f0 bytes
excess: 0x80f0 bytes
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Some boards, specifically 64-bit Allwinner boards (sun50i), are
extremely limited on SPL size. One strategy that was used to make space
was to remove the FIT "os" property parsing code, because it uses a
rather large lookup table.
However, this forces the legacy FIT parsing code path, which requires
the "firmware" entry in the FIT to reference the U-Boot binary, even if
U-Boot is not the next binary in the boot sequence (for example, on
sun50i boards, ATF is run first).
This prevents the same FIT image from being used with a SPL with
CONFIG_SPL_FIT_IMAGE_TINY=n and CONFIG_SPL_ATF=y, because the boot
method selection code looks at `spl_image.os`, which is only set from
the "firmware" entry's "os" property.
To be able to use CONFIG_SPL_ATF=y, the "firmware" entry in the FIT
must be ATF, and U-Boot must be a loadable. For this to work, we need to
parse the "os" property just enough to tell U-Boot from other images, so
we can find it in the loadables list to append the FDT, and so we don't
try to append the FDT to ATF (which could clobber adjacent firmware).
So add the minimal code necessary to distinguish U-Boot/non-U-Boot
loadables with CONFIG_SPL_FIT_IMAGE_TINY=y. This adds about 300 bytes,
much less than the 7400 bytes added by CONFIG_SPL_FIT_IMAGE_TINY=n.
Acked-by: Patrick Wildt <patrick@blueri.se>
Signed-off-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Jagan Teki <jagan@amarulasolutions.com>
This reverts commit eb39d8ba5f.
The commit breaks booting of fitImage by SPL, the system simply hangs.
This is because on arm32, the fitImage and all of its content can be
aligned to 4 bytes and U-Boot expects just that.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Reuben Dowle <reuben.dowle@4rf.com>
Cc: Tom Rini <trini@konsulko.com>
Signed-off-by: Marek Vasut <marex@denx.de>
ATF support was all the time based on FIT image support but this dependency
is not recorded anywhere.
For !SPL_FIT && SPL_ATF there is compilation error:
common/spl/spl.c: In function 'board_init_r':
common/spl/spl.c:689:26: error: 'struct spl_image_info' has no member named 'fdt_addr'
689 | spl_fixup_fdt(spl_image.fdt_addr);
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
The patch does sed 's/SPL_FPGA_SUPPORT/SPL_FPGA/g' but also fixing Makefile
and zynqmp.c to simplify if/endif logic in zynqmp.c.
This change is mostly done to be able to use CONFIG_IS_ENABLED macro and
obj-$(CONFIG_$(SPL_)FPGA) in Makefile. For them symbols need to be in sync.
And removing one line from Topic Miami boards which is not needed because
symbol is not enabled via Kconfig.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
usb_init() may be called multiple times for fetching multiple images
from SPL. Skip reinitializing USB if its already been done
Signed-off-by: Faiz Abbas <faiz_abbas@ti.com>
Create a new API spl_usb_load() that takes the filename as a parameter
instead of taking the default U-boot PAYLOAD_NAME
Signed-off-by: Faiz Abbas <faiz_abbas@ti.com>
Add support for SquashFS filesystem. Right now, it does not support
compression but support for zlib will be added in a follow-up commit.
Signed-off-by: Joao Marcos Costa <joaomarcos.costa@bootlin.com>
In some cases SPL needs to be able to erase but TPL just needs to read.
Allow these to have separate settings for SPI_FLASH_TINY.
Signed-off-by: Simon Glass <sjg@chromium.org>
This converts the following to Kconfig:
CONFIG_SPL_NAND_DRIVERS
CONFIG_SPL_NAND_ECC
CONFIG_SPL_NAND_SIMPLE
Signed-off-by: Adam Ford <aford173@gmail.com>
Commit 40686c394e ("riscv: Clean up IPI initialization code")
caused U-Boot failed to boot on SiFive HiFive Unleashed board.
The codes inside arch_cpu_init_dm() may call U-Boot timer APIs
before the call to riscv_init_ipi(). At that time the timer register
base (e.g.: the SiFive CLINT device in this case) is unknown yet.
It might be the name riscv_init_ipi() that misleads people to only
consider it is related to IPI, but in fact the timer capability is
provided by the same SiFive CLINT device that provides the IPI.
Timer capability is needed for both UP and SMP.
Considering that the original refactor does have benefits, that it
makes the IPI code more similar to U-Boot initialization idioms.
It also removes some quite ugly macros. Let's do the minimal revert
instead of a complete revert, plus a fixes to arch_cpu_init_dm() to
consider the SPL case.
Fixes: 40686c394e ("riscv: Clean up IPI initialization code")
Signed-off-by: Bin Meng <bin.meng@windriver.com>
Reviewed-by: Sean Anderson <seanga2@gmail.com>
Tested-by: Leo Liang <ycliang@andestech.com>
The Linux coding style guide (Documentation/process/coding-style.rst)
clearly says:
It's a **mistake** to use typedef for structures and pointers.
Besides, using typedef for structures is annoying when you try to make
headers self-contained.
Let's say you have the following function declaration in a header:
void foo(bd_t *bd);
This is not self-contained since bd_t is not defined.
To tell the compiler what 'bd_t' is, you need to include <asm/u-boot.h>
#include <asm/u-boot.h>
void foo(bd_t *bd);
Then, the include direcective pulls in more bloat needlessly.
If you use 'struct bd_info' instead, it is enough to put a forward
declaration as follows:
struct bd_info;
void foo(struct bd_info *bd);
Right, typedef'ing bd_t is a mistake.
I used coccinelle to generate this commit.
The semantic patch that makes this change is as follows:
<smpl>
@@
typedef bd_t;
@@
-bd_t
+struct bd_info
</smpl>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
- Despite other ext4 filesystem functions, ext4fs_mount returns
0 in case of error.
- This leads to u-boot crash in case that an SD card
with valid partition table but without ext4 filesystem created
in a partition is found on SD card.
- Fix this by returning a proper error code of '-1' from spl_load_image_ext
function in case of ext4fs_mount error.
Signed-off-by: Thomas Schaefer <thomas.schaefer@kontron.com>
[hthiery: slightly reword the commit message]
Signed-off-by: Heiko Thiery <heiko.thiery@gmail.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Replacing the ret variable with err and handling first the error
condition about the value returned by the spl_nand_fit_read routine,
improves the code readability.
Furthermore, the 'else' int the 'else return ret' instruction was
useless.
cc: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Dario Binacchi <dariobin@libero.it>
The offset at which the image to be loaded from NAND is located is
retrieved from the itb header. The presence of bad blocks in the area
of the NAND where the itb image is located could invalidate the offset
which must therefore be adjusted taking into account the state of the
sectors concerned.
cc: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Dario Binacchi <dariobin@libero.it>
Reviewed-by: Michael Trimarchi <michael@amarulasolutions.com>
If uboot does not embed its device tree and the FIT loading function
returns error in case of failure in the FDT append, the redundant itb
image could be loaded.
cc: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Dario Binacchi <dariobin@libero.it>
Reviewed-by: Michael Trimarchi <michael@amarulasolutions.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The previous IPI code initialized the device whenever the first call was
made to a riscv_*_ipi function. This made it difficult to determine when
the IPI device was initialized. This patch introduces a new function
riscv_init_ipi. It is called once during arch_cpu_init_dm. In SPL, it is
called in spl_invoke_opensbi. Before this point, no riscv_*_ipi functions
should be called.
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Rick Chen <rick@andestech.com>
This change allows more fine tuning of driver model based SPI support in
SPL and TPL. It is now possible to explicitly enable/disable the DM_SPI
support in SPL and TPL via Kconfig option.
Before this change it was necessary to use:
/* SPI Flash Configs */
#if defined(CONFIG_SPL_BUILD)
#undef CONFIG_DM_SPI
#undef CONFIG_DM_SPI_FLASH
#undef CONFIG_SPI_FLASH_MTD
#endif
in the ./include/configs/<board>.h, which is error prone and shall be
avoided when we strive to switch to Kconfig.
The goal of this patch:
Provide distinction for DM_SPI support in both U-Boot proper and SPL (TPL).
Valid use case is when U-Boot proper wants to use DM_SPI, but SPL must
still support non DM driver.
Another use case is the conversion of non DM/DTS SPI driver to support
DM/DTS. When such driver needs to work in both SPL and U-Boot proper, the
distinction is needed in Kconfig (also if SPL version of the driver
supports OF_PLATDATA).
In the end of the day one would have to support following use cases (in
single driver file - e.g. mxs_spi.c):
- U-Boot proper driver supporting DT/DTS
- U-Boot proper driver without DT/DTS support (deprecated)
- SPL driver without DT/DTS support
- SPL (and TPL) driver with DT/DTS (when the SoC has enough resources to
run full blown DT/DTS)
- SPL driver with DT/DTS and SPL_OF_PLATDATA (when one have constrained
environment with no fitImage and OF_LIBFDT support).
Some boards do require SPI support (with DM) in SPL (TPL) and some only
have DM_SPI{_FLASH} defined to allow compiling SPL.
This patch converts #ifdef CONFIG_DM_SPI* to #if CONFIG_IS_ENABLED(DM_SPI)
and provides corresponding defines in Kconfig.
Signed-off-by: Lukasz Majewski <lukma@denx.de>
Tested-by: Adam Ford <aford173@gmail.com> #da850-evm
Signed-off-by: Hou Zhiqiang <Zhiqiang.Hou@nxp.com>
[trini: Fixup a few platforms]
Signed-off-by: Tom Rini <trini@konsulko.com>
The current recommendation for best security practice from the US government
is to use SHA384 for TOP SECRET [1].
This patch adds support for SHA384 and SHA512 in the hash command, and also
allows FIT images to be hashed with these algorithms, and signed with
sha384,rsaXXXX and sha512,rsaXXXX
The SHA implementation is adapted from the linux kernel implementation.
[1] Commercial National Security Algorithm Suite
http://www.iad.gov/iad/programs/iad-initiatives/cnsa-suite.cfm
Signed-off-by: Reuben Dowle <reuben.dowle@4rf.com>
Add U-Boot proper sector start offset for SiFive FU540.
This value is based on the partition layout supported
by SiFive FU540.
u-boot.itb need to write on this specific offset so-that
the SPL will retrieve it from here and load.
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Pragnesh Patel <pragnesh.patel@sifive.com>
In a loading chain SPL -> ATF (->OP-TEE) -> U-Boot, ATF and a subsequent
OP-TEE will re-use the same fdt as the U-Boot target and may need the
information about usable memory ranges.
Especially OP-TEE needs this to initialize dynamic shared memory
(the only type U-Boot implements when talking to OP-TEE).
So allow spl_fixup_fdt() to take a fdt_blob argument, falling back to
the existing CONFIG_SYS_SPL_ARGS_ADDR if needed and call it from the
ATF path as well.
Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
We should not be using typedefs and these make it harder to use
forward declarations (to reduce header file inclusions). Drop the typedef.
Signed-off-by: Simon Glass <sjg@chromium.org>
Move this header out of the common header. Network support is used in
quite a few places but it still does not warrant blanket inclusion.
Note that this net.h header itself has quite a lot in it. It could be
split into the driver-mode support, functions, structures, checksumming,
etc.
Signed-off-by: Simon Glass <sjg@chromium.org>
A large number of boards call preloader_console_init unconditionally.
Currently, they fail to build with CONFIG_SPL_SERIAL=n, because the
function is undefined in that case. To fix the build, always define
preloader_console_init, but make it no-op when CONFIG_SPL_SERIAL=n.
For the few boards that did check for CONFIG_SPL_SERIAL before calling
preloader_console_init, remove the checks, since the function can now
be called unconditionally.
Signed-off-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>
When enable CONFG_SPL_DM_USB_GADGET, sdp should use
usb_gadget_initialize() and usb_gadget_release() to
support DM gadget driver.
Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>