Commit graph

14 commits

Author SHA1 Message Date
Simon Glass
6f3c2d8aa5 image: Add an option to do a full check of the FIT
Some strange modifications of the FIT can introduce security risks. Add an
option to check it thoroughly, using libfdt's fdt_check_full() function.

Enable this by default if signature verification is enabled.

CVE-2021-27097

Signed-off-by: Simon Glass <sjg@chromium.org>
Reported-by: Bruce Monroe <bruce.monroe@intel.com>
Reported-by: Arie Haenel <arie.haenel@intel.com>
Reported-by: Julien Lenoir <julien.lenoir@intel.com>
2021-02-15 22:31:53 -05:00
Ravik Hasija
7a01882eb3 common: Kconfig.boot: Add FIT_PRINT config option
Config allows to disable printing contents of fitImage to optimize boottime.

Signed-off-by: Ravik Hasija <rahasij@linux.microsoft.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2021-02-01 16:32:06 -05:00
Joel Peshkin
652b504ff2 Add optional salt to AUTOBOOT_STOP_STR_SHA256
Adds an optional SALT value to AUTOBOOT_STOP_STR_SHA256.   If a string
followed by a ":" is prepended to the sha256, the portion to the left
of the colon will be used as a salt and the password will be appended
to the salt before the sha256 is computed and compared.

Signed-off-by: Joel Peshkin <joel.peshkin@broadcom.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Bin Meng <bmeng.cn@gmail.com>
Cc: Patrick Delaunay <patrick.delaunay@st.com>
Cc: Heiko Schocher <hs@denx.de>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Joel Peshkin <joel.peshkin@broadcom.com>
To: u-boot@lists.denx.de
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heiko Schocher <hs@denx.de>
2021-01-16 14:49:09 -05:00
Simon Glass
51bb33846a bootm: Support string substitution in bootargs
In some cases it is necessary to pass parameters to Linux so that it will
boot correctly. For example, the rootdev parameter is often used to
specify the root device. However the root device may change depending on
whence U-Boot loads the kernel. At present it is necessary to build up
the command line by adding device strings to it one by one.

It is often more convenient to provide a template for bootargs, with
U-Boot doing the substitution from other environment variables.

Add a way to substitute strings in the bootargs variable. This allows
things like "rootdev=${rootdev}" to be used in bootargs, with the
${rootdev} substitution providing the UUID of the root device.

For example, to substitute the GUID of the kernel partition:

  setenv bootargs "console=/dev/ttyS0 rootdev=${uuid}/PARTNROFF=1
		kern_guid=${uuid}"
  part uuid mmc 2:2 uuid
  bootm

This is particularly useful when the command line from another place. For
example, Chrome OS stores the command line next to the kernel itself. It
depends on the kernel version being used as well as the hardware features,
so it is extremely difficult to devise a U-Boot script that works on all
boards and kernel versions. With this feature, the command line can be
read from disk and used directly, with a few substitutions set up.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-12-04 19:48:29 -05:00
Simon Glass
96d0aa9143 x86: Use CONFIG_CHROMEOS_VBOOT for verified boot
At present CONFIG_CHROMEOS is used to determine whether verified boot is
in use. The code to implement that is not in U-Boot mainline.

However, it is useful to be able to boot a Chromebook in developer mode
in U-Boot mainline without needing the verified boot code.

To allow this, use CONFIG_CHROMEOS_VBOOT to indicate that verified boot
should be used, and CONFIG_CHROMEOS to indicate that the board supports
Chrome OS. That allows us to define CONFIG_CHROMEOS on coral.

Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
2020-11-06 09:51:31 +08:00
Patrick Delaunay
87459da102 Remove default value of CONFIG_PREBOOT for CONFIG_USB_STORAGE
Remove the default value "usb start" for CONFIG_USB_STORAGE as the USB
storage boot initialization is correctly managed by  distro boot command
('usb_boot' defined in include/config_distro_bootcmd.h already include
the command 'usb  start').

Fixes: 324d77998e ("Define default CONFIG_PREBOOT with right config option")
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2020-10-22 11:26:14 -04:00
Simon Glass
832876a46a Kconfig: Move DEFAULT_FDT_FILE under boot options
This relates to booting since it is the default devicetree provided to
Linux. Move it under the 'boot options' menu.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-10-09 12:01:55 -04:00
Simon Glass
aefa34f55e Kconfig: Move SUPPORT_RAW_INITRD under boot options
This relates to booting, so move it under the 'boot images' menu.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-10-09 12:01:55 -04:00
Simon Glass
fe5db255f4 Kconfig: Move misc boot options under 'boot options'
There are a number of miscellaneous boot images at the top level of the
kconfig menu. Move these into the 'boot options' menu.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-10-09 12:01:54 -04:00
Simon Glass
95fd4f3330 Kconfig: Move CONFIG_BOOTDELAY under autoboot options
This option relates to autoboot, so move it there.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-10-09 11:59:51 -04:00
Simon Glass
98eed0d4f9 Kconfig: Move autoboot options under boot options
At present the autoboot options are in cmd/Kconfig but they don't really
relate to commands. They relate to booting, so move this menu under the
boot menu.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-10-09 11:59:50 -04:00
Simon Glass
7b6baa3314 Kconfig: Move boot media under boot options
This relates to booting, so move it under the boot menu.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-10-09 11:59:50 -04:00
Simon Glass
75e65cc72e Kconfig: Move boot timing under boot options
This relates to booting, so move it under the boot menu.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-10-09 11:59:50 -04:00
Simon Glass
cf29816768 Kconfig: Move boot menu into common/
Most of the boot options are in common/Kconfig but that file is already
extremely large. Create a new Kconfig.boot to hold the boot options.

Signed-off-by: Simon Glass <sjg@chromium.org>
2020-10-09 11:59:48 -04:00