Some strange modifications of the FIT can introduce security risks. Add an
option to check it thoroughly, using libfdt's fdt_check_full() function.
Enable this by default if signature verification is enabled.
CVE-2021-27097
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
At present this function does not accept a size for the FIT. This means
that it must be read from the FIT itself, introducing potential security
risk. Update the function to include a size parameter, which can be
invalid, in which case fit_check_format() calculates it.
For now no callers pass the size, but this can be updated later.
Also adjust the return value to an error code so that all the different
types of problems can be distinguished by the user.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Add tests to check that these two attacks are mitigated by recent patches.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
Add a library which performs two different attacks on a FIT.
Signed-off-by: Julien Lenoir <julien.lenoir@intel.com>
Signed-off-by: Bruce Monroe <bruce.monroe@intel.com>
Signed-off-by: Arie Haenel <arie.haenel@intel.com>
Signed-off-by: Simon Glass <sjg@chromium.org>
When searching for a node called 'fred', any unit address appended to the
name is ignored by libfdt, meaning that 'fred' can match 'fred@1'. This
means that we cannot be sure that the node originally intended is the one
that is used.
Disallow use of nodes with unit addresses.
Update the forge test also, since it uses @ addresses.
CVE-2021-27138
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
At present fdt_find_regions() assumes that the FIT is a valid devicetree.
If the FIT has two root nodes this is currently not detected in this
function, nor does libfdt's fdt_check_full() notice. Also it is possible
for the root node to have a name even though it should not.
Add checks for these and return -FDT_ERR_BADSTRUCTURE if a problem is
detected.
CVE-2021-27097
Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
This board has not been converted to CONFIG_DM by the deadline of v2020.01
and is missing other conversions which depend on this as well. Remove it.
Cc: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
This board has not been converted to CONFIG_DM by the deadline of v2020.01
and is missing other conversions which depend on this as well. Remove it.
As this is the last SH4A board, remove that support as well.
Cc: Marek Vasut <marek.vasut+renesas@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
This board has not been converted to CONFIG_DM by the deadline of v2020.01
and is missing other conversions which depend on this as well. Remove it.
Signed-off-by: Tom Rini <trini@konsulko.com>
This board has not been converted to CONFIG_DM by the deadline of v2020.01
and is missing other conversions which depend on this as well. Remove it.
Signed-off-by: Tom Rini <trini@konsulko.com>
This board has not been converted to CONFIG_DM by the deadline of v2020.01
and is missing other conversions which depend on this as well. Remove it.
Patch-cc: Nobuhiro Iwamatsu <iwamatsu.nobuhiro@renesas.com>
Patch-cc: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
This board has not been converted to CONFIG_DM by the deadline of v2020.01
and is missing other conversions which depend on this as well. Remove it.
Signed-off-by: Tom Rini <trini@konsulko.com>
This board relies on using CONFIG_LIBATA but does not enable CONFIG_AHCI. The
deadline for this conversion was the v2019.07 release. The use of CONFIG_AHCI
requires CONFIG_DM. The deadline for this conversion was v2020.01. Remove
this board.
Cc: Priyanka Jain <priyanka.jain@nxp.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
This board relies on using CONFIG_LIBATA but does not enable CONFIG_AHCI. The
deadline for this conversion was the v2019.07 release. The use of CONFIG_AHCI
requires CONFIG_DM. The deadline for this conversion was v2020.01. Remove
this board.
Cc: Priyanka Jain <priyanka.jain@nxp.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
This board relies on using CONFIG_LIBATA but does not enable CONFIG_AHCI. The
deadline for this conversion was the v2019.07 release. The use of CONFIG_AHCI
requires CONFIG_DM. The deadline for this conversion was v2020.01. Remove
this board.
Cc: Priyanka Jain <priyanka.jain@nxp.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
This board relies on using CONFIG_LIBATA but does not enable CONFIG_AHCI. The
deadline for this conversion was the v2019.07 release. The use of CONFIG_AHCI
requires CONFIG_DM. The deadline for this conversion was v2020.01. Remove
this board.
Cc: Priyanka Jain <priyanka.jain@nxp.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
This board has not been converted to CONFIG_DM_MMC by the deadline of
v2019.04, which is almost two years ago. In addition there are other DM
migrations it is also missing. Remove it.
Cc: Chris Packham <judge.packham@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Acked-by: Chris Packham <judge.packham@gmail.com>
This board has not been converted to CONFIG_DM_MMC by the deadline of
v2019.04, which is almost two years ago. In addition there are other DM
migrations it is also missing. Remove it.
Cc: Prabhakar Kushwaha <prabhakar.kushwaha@nxp.com>
Cc: Priyanka Jain <priyanka.jain@nxp.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
This board has not been converted to CONFIG_DM_MMC by the deadline of
v2019.04, which is almost two years ago. In addition there are other DM
migrations it is also missing. Remove it.
Cc: Stefano Babic <sbabic@denx.de>
Signed-off-by: Tom Rini <trini@konsulko.com>
Acked-by: Stefano Babic <sbabic@denx.de>
This board has not been converted to CONFIG_DM_MMC by the deadline of
v2019.04, which is almost two years ago. In addition there are other DM
migrations it is also missing. Remove it.
Cc: Lauri Hintsala <lauri.hintsala@bluegiga.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Acked-by: Lauri Hintsala <lauri.hintsala@silabs.com<mailto:lauri.hintsala@silabs.com>>
Signed-off-by: Tom Rini <trini@konsulko.com<mailto:trini@konsulko.com>>
On Rockchip platforms we need this area of code in TPL, but there is no
TPL_SEPARATE_BSS symbol.
This reverts commit 0a2aaab0b6.
Reported-by: Markus Reichl <m.reichl@fivetechno.de>
Reported-by: Jesper Schmitz Mouridsen <jesper@schmitz.computer>
Reported-by: Peter Robinson <pbrobinson@gmail.com>
Tested-by: Peter Robinson <pbrobinson@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Bug fixes:
* fix stack smashing in UEFI capsule updates
* correct loading of UEFI binaries where Virtual size is not a
multiple of FileAlignment
* simplify detection of capsule files.
* buildman: use threading.is_alive() instead of removed method IsAlive()
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEbcT5xx8ppvoGt20zxIHbvCwFGsQFAmApIc4ACgkQxIHbvCwF
GsRQpQ//Zk4eJAHeibV4whdjyWpVXEnRR1fMFDgD7WUq3jTZmUvNp99ME5UJv+6J
9R3WHZGfYIS+SypEe1BhzaSOfeS8GPkuk6bkEeM8MRA5L5vAdnONmUAa5TGp+xaq
0V//k9U7raeWD+pdo7WA3GA8wQ4BoOgbCVNJfePfO2bD3okJZOT4S5qjFWD7Thfj
TgiN6L44he5MrY9rKF0ZJcijtKpKBbwf5AYSurafgEJJJWkaEDynt2H5aJiIJ67v
8LiomMPmvke7owft7JxntScvxNfcKagFojtSB3zShJ7Fbx0EMJFyGHfdBQHNiqgA
7GbQyhdk6FFlhlAwanTjxMfPfpLBjeTZhv5UtIpEDU8gv7PHEgVAT2NAQjcEbU6G
TssHzaWvpA/fNlV/s7b+uoW4pyvuvbeCtdxj7WB8O+j7uW5Z6APzMAxJZJ6RoCx/
GDtsvkUUKpLwpPXQwsi/+BS6FNZGqY/GnijZmFdQZkUieXVLqCmuyu83UKfa8jMH
6Q9yjSH9jDEWe4xS3XwfLY49k6qeKNjOZbB1aYQPqZallfvXx9qOYzQi1HHSx6Z5
FngAYj3c6lxHp0p726m2Vjgceg02O3AmMaVHOkIh4TpLoRzR2msJAgpOghNtAi49
vV47rr0HpvhBwfgVuJ+uVf7lFDbondoX5t9OuptUFxmyEZH5b5o=
=Na9Y
-----END PGP SIGNATURE-----
Merge tag 'efi-2021-04-rc2-2' of https://gitlab.denx.de/u-boot/custodians/u-boot-efi
Pull request for UEFI sub-system for efi-2021-04-rc2-2
Bug fixes:
* fix stack smashing in UEFI capsule updates
* correct loading of UEFI binaries where Virtual size is not a
multiple of FileAlignment
* simplify detection of capsule files.
* buildman: use threading.is_alive() instead of removed method IsAlive()
The isAlive() method was deprecated in Python 3.8 and has been removed in
Python 3.9. See https://bugs.python.org/issue37804. Use is_alive() instead.
Since Python 2.6 is_alive() has been a synonym for isAlive(). So there
should be no problems for users using elder Python 3 versions.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
fix get_last_capsule() leads to writes beyond the stack allocated buffer.
This was indicated when enabling the stack protector.
utf16_utf8_strcpy() only stops copying when reaching '\0'. The current
invocation always writes beyond the end of value[].
The output length of utf16_utf8_strcpy() may be longer than the number of
UTF-16 tokens. E.g has "CapsuleКиев" has 11 UTF-16 tokens but 15 UTF-8
tokens. Hence, using utf16_utf8_strcpy() without checking the input may
lead to further writes beyond value[].
The current invocation of strict_strtoul() reads beyond the end of value[].
A non-hexadecimal value after "Capsule" (e.g. "CapsuleZZZZ") must result in
an error. We cat catch this by checking the return value of strict_strtoul().
A value that is too short after "Capsule" (e.g. "Capsule0") must result in
an error. We must check the string length of value[].
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
'.' and '..' are directories. So when looking for capsule files it is
sufficient to check that the attribute EFI_FILE_DIRECTORY is not set. We
don't have to check for these special names.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
PE section table entries' SizeOfRawData must be a multiple of
FileAlignment, and thus may be rounded up and larger than their
VirtualSize.
We should not load beyond the VirtualSize, which is "the total size of
the section when loaded into memory" -- we may clobber real data at the
target in some other section, since we load sections in reverse order
and sections are usually laid out sequentially.
Signed-off-by: Asherah Connor <ashe@kivikakk.ee>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
-----BEGIN PGP SIGNATURE-----
iQFQBAABCgA6FiEEqxhEmNJ6d7ZdeFLIHrMeAg6sL8gFAmAmOowcHGV1Z2VuLmhy
aXN0ZXZAbWljcm9jaGlwLmNvbQAKCRAesx4CDqwvyGEpB/oD2ZQdqY/kfu0SlKE6
2Qor+MSwDA8yQlAKfiX2J3x0sAaGNkeUPQrWLxutACd34MJsjG41sr6uvLwu4E9f
bc91Gk1Xv/kmySi7JPfpctb01Bd1GVpzuHELIumGgYRkNSwAFFaXrqVPxr/9cN3t
dEcfbKX0p4qXUv/TDw3tE1D63dYPIJC3yX0/4n/n824AKeqRyTMVC34rjfEOoE/r
0w6YSxwQ8hlh23xwc2tyEMSKR4jNp8mAtQcl03Gi/6xiaqgH6lQ6ardSblr3qvjW
6Ev1nd3f9d8i0CzipbLH6PL4G31Ft+ZG/Z/z8wqA6w15h29wu7CfV8yC0aBV0g0/
N1ko
=7ddr
-----END PGP SIGNATURE-----
Merge tag 'u-boot-atmel-fixes-2021.04-a' of https://gitlab.denx.de/u-boot/custodians/u-boot-atmel
First set of u-boot-atmel fixes for 2021.04 cycle:
This small PR includes just two fixes but very important: one revert in
the clk subsystem which fixes the boot on many old boards
(sama5d2_xplained, sama5d4_xplained), which currently crash at boot; and
one small fix related to debug serial on sama7g5ek board.
Revert changes in at91 compat.c that cause u-boot to fail booting on
sama5d4_xplained and sama5d2_xplained
Log below:
<debug_uart>
No serial driver found
Could not initialize timer (err -19)
Could not initialize timer (err -19)
Could not initialize timer (err -19)
Could not initialize timer (err -19)
Could not initialize timer (err -19)
Could not initialize timer (err -19)
Could not initialize timer (err -19)
Could not initialize timer (err -19)
Fixes: a2703ce10c ("dm: Remove uses of device_bind_offset()")
Cc: Simon Glass <sjg@chromium.org>
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
If the serial tx/rx are floating, it can happen that bogus characters
are detected on the line at boot time. This leads to U-boot accidentally
thinking someone pressed a key to stop autoboot, thus stopping booting process.
This can happen if the serial cable is not connected. There are hardware
pull-ups on the board connected to serial cable VBUS.
To solve this when the cable is not plugged, enable internal pull-ups as well
for the tx/rx lines.
Signed-off-by: Eugen Hristev <eugen.hristev@microchip.com>
The Linux kernel v5.7-rc1 introduced the compatible "st,stm32mp15-hsotg".
See Linux kernel commit d49850110434 ("dt-bindings: usb: dwc2: add
support for STM32MP15 SoCs USB OTG HS and FS")
This patch updates the supported compatible in DWC2 driver,
removes the add-on done in U-Boot dtsi and keeps the compatible
defined in SOC dtsi arch/arm/dts/stm32mp151.dtsi:
usbotg_hs: usb-otg@49000000 {
compatible = "st,stm32mp15-hsotg", "snps,dwc2";
reg = <0x49000000 0x10000>;
...
};
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Testing with v2021.01 on MIPS Octeon has shown, that the latest patch
for the "short packet event trb handling" did introduce a bug on
platforms with virtual address != physical address. This patch fixes
this issue by using the correct address types in the compare (both
physical in this case).
Signed-off-by: Stefan Roese <sr@denx.de>
Cc: Aaron Williams <awilliams@marvell.com>
Cc: Chandrakala Chavva <cchavva@marvell.com>
Cc: Ran Wang <ran.wang_1@nxp.com>
Cc: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Cc: Marek Vasut <marex@denx.de>
Cc: Bin Meng <bmeng.cn@gmail.com>
Function dm_pci_map_bar() may fail and returns NULL. Check this to prevent
dereferencing a NULL pointer.
In xhci-pci this may happen when board does not enable CONFIG_PCI_PNP and
PCI_BASE_ADDRESS_0 contains unconfigured zero address.
Signed-off-by: Pali Rohár <pali@kernel.org>
Add optional properies to disable usb2 or usb3 ports, they are used
when provided ports are not used on some special platforms.
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Add support to disable specific ports, it's useful for some
scenarios:
1. usb3 PHY is shared whith PCIe or SATA, the corresponding
usb3 port can be disabled;
2. some usb2 or usb3 ports are not used on special platforms,
they should be disabled to save power.
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Use the ADC channel 1 to check the hardware revision of the board and
detect the N2 vs. N2+ and the C4 vs. HC4 variants. Each of them use
different dtb file, so adjust fdtfile environment variable to the
detected variant.
The ADC min/max values for each variant are taken from the vendor code,
adjusted to the 12-bit ADC driver operation mode (vendor code use 10-bit
mode).
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Jaehoon Chung <jh80.chung@samsung.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
The Amlogic AXG MIPI + PCIe Analog PHY provides function for both PCIe and
MIPI DSI at the same time, and provides the Analog part of MIPI DSI transmission
and Analog part of the PCIe lines.
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
The Amlogic AXG SoCs embeds a MIPI D-PHY used to communicate with DSI
panels.
This D-PHY depends on a separate analog PHY.
Signed-off-by:Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Add the PHY configure op callback to the generic PHY uclass to permit
configuring the PHY.
It's useful for MIPI DSI PHYs to setup the link timings.
Signed-off-by:Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
The MIPI D-PHY spec defines default values and boundaries for most of the
parameters it defines. Introduce helpers to help drivers get meaningful
values based on their current parameters, and validate the boundaries of
these parameters if needed.
These helpers and header are taken from Linux commit 9123e3a74ec7 ("Linux 5.9-rc1").
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
- Fixes pinctrol for stmfx and stm32
- Add support of I2C6_K in stm32mp15 clock driver
- Alignment with Linux kernel device tree v5.11-rc2 for ST boards
-----BEGIN PGP SIGNATURE-----
iQEzBAABCgAdFiEE56Yx6b9SnloYCWtD4rK92eCqk3UFAmAiog0ACgkQ4rK92eCq
k3XnJQf/Xt7lkR/p+7+Vokk/n6gKtcBTbeJJ4K4OGXvf4JZIgjHKMdY+ZKaY685G
YnYK1LIB+24XfxEHkZVfDtRHJk9Y2Zpiim+en3xjcnegZCoiZ9VsTl+i3T0FyuON
EJXl37unqwPaBq/atK0ZV4CEt8c2RuFGUWcDI8eWhnnim5PKFHSwuSytgX9HyiE8
FLiFP6WrktcQ40cUNkJvhqND/kegGYvitMr/zl55I+rSFdsJYUPOiHf/BCK/3NJ8
IhFM2hQtaqxlICWuIhz03FxQHL0SKTf3QFr11W2Ik0T7PEv2UhY4LZeDYjItnQLI
Tn4Q2SuszACKccQTV3EaVmFE6HFK5w==
=yRPd
-----END PGP SIGNATURE-----
Merge tag 'u-boot-stm32-20210209' of https://gitlab.denx.de/u-boot/custodians/u-boot-stm
- Enable the fastboot oem commands in stm32mp15 defconfig
- Fixes pinctrol for stmfx and stm32
- Add support of I2C6_K in stm32mp15 clock driver
- Alignment with Linux kernel device tree v5.11-rc2 for ST boards
Device tree alignment with Linux kernel v5.11-rc2
- fix DCMI DMA features on stm32mp15 family
- Add alternate pinmux for FMC EBI bus
- Harmonize EHCI/OHCI DT nodes name on stm32mp15
- update sdmmc IP version for STM32MP15
- Add LP timer irqs on stm32mp151
- Add LP timer wakeup-source on stm32mp151
- enable HASH by default on stm32mp15
- enable CRC1 by default on stm32mp15
- enable CRYP by default on stm32mp15
- set bus-type in DCMI endpoint for stm32mp157c-ev1 board
- reorder spi4 within stm32mp15-pinctrl
- add STUSB1600 Type-C using I2C4 on stm32mp15xx-dkx
- fix mdma1 clients channel priority level on stm32mp151
- fix dmamux reg property on stm32mp151
- adjust USB OTG gadget fifo sizes in stm32mp151
- update stm32mp151 for remote proc synchronization support
- support child mfd cells for the stm32mp1 TAMP syscon
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
The kilohertz unit abbreviation should read 'kHz'.
Note to STM32 team: modified files were generated, it may be worth
to fix STM32CubeMX tool.
Signed-off-by: Fabrice GIRARDOT <fabrice.girardot@flowbird.group>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Add support of missing I2C6_K with bit 3 of RCC_MC_APB5ENSETR =
I2C6EN: I2C6 peripheral clocks enable.
This patch allows customer to use I2C6 in SPL or in U-Boot
as other I2C instance, already support in clk driver.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Bind only the enabled GPIO subnode, to avoid to probe the node
"gpio-controller" present in SOC dtsi (disabled by default) but
not enabled in the included pincontrol dtsi file.
For example, in stm32mp15xxac-pinctrl.dtsi 2 gpio bank are absent:
gpioj: gpio@5000b000
gpiok: gpio@5000c000
Then these GPIO are absent in output of command "dm tree" and
"gpio status -a"
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
OTYPE can be used for output or for alternate function to select
PP = push-pull or OP = open-drain mode, according reference manual
(Table 81. Port bit configuration table).
This patch removes this indication for input pins and adds it
for AF and output pins for pinmux command output.
Fixes: b305dbc08b ("pinctrl: stm32: display bias information for all pins")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>