This adds a new config value FIT_SIGNATURE_MAX_SIZE, which controls the
max size of a FIT header's totalsize field. The field is checked before
signature checks are applied to protect from reading past the intended
FIT regions.
This field is not part of the vboot signature so it should be sanity
checked. If the field is corrupted then the structure or string region
reads may have unintended behavior, such as reading from device memory.
A default value of 256MB is set and intended to support most max storage
sizes.
Suggested-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Teddy Reed <teddy.reed@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Verification of hashes needs to take place before any image post
processing, thus matching full FIT image processing.
This allows mechanisms such as encryption be applied to images
prior to fit generation at the spl level.
Signed-off-by: Ben Whitten <ben.whitten@lairdtech.com>
Move the FPGA loading from IS_ENABLED(CONFIG_SPL_OS_BOOT) &&
IS_ENABLED(CONFIG_SPL_GZIP) conditional. The FPGA loading can
be used without OS loading and GZIP support in SPL. This issue
was most likely induced by some merge conflict, so fix it.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@konsulko.com>
Handle the case where the full fitImage support is enabled. In this
case, the whole fitImage must be loaded up front as some parts of the
fitImage code require memory-mapped access to the entire fitImage.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Handle the case where the full fitImage support is enabled. In this
case, the whole fitImage must be loaded up front as some parts of the
fitImage code require memory-mapped access to the entire fitImage.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Rather than verifying configuration signature of the configuration node
containing the kernel image types, verify all configuration nodes, even
those that do not contain kernel images. This is useful when the nodes
contain ie. standalone OSes or U-Boot.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@konsulko.com>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Rename CONFIG_SPL_RESET_SUPPORT to CONFIG_SPL_DM_RESET, so can use
CONFIG_IS_ENABLED(DM_RESET) checking in reset.h later.
Signed-off-by: Ley Foon Tan <ley.foon.tan@intel.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
With driver model philosophy, we should avoid explicitly calling
driver initialization routine during boot. This updates the ram
init sequence table to exclude the IDE initialization for DM BLK.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The ARM64 has 2 MiB alignment requirement for the kernel. When using
fitImage, this requirement may by violated, the kernel will thus be
executed from unaligned address and fail to boot. Do what booti does
and run booti_setup() for kernel_noload images on arm64 to obtain a
suitable aligned address to which the image shall be relocated.
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Cc: Bin Chen <bin.chen@linaro.org>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Tom Rini <trini@konsulko.com>
Both putc() and puts() can be called before global_data is set up. Some of
the code paths don't handle this correctly. Add an explicit test before
any member is accessed.
Reported-by: Coverity (CID: 169030)
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Don't continue updating the offset when buffer is full.
When the buffer size exhausts and there's no space left to write
warn the user and update only the needed size and not both the
offset and needed size.
Add needed buffer size information in the iotrace command.
Signed-off-by: Ramon Fried <ramon.fried@gmail.com>
The header definitions are needed for reading
record information in cmd/iotrace.c
Signed-off-by: Ramon Fried <ramon.fried@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
1. Add initial support of boot states mode (red, green, yellow)
2. Add functions for enforcing dm-verity configurations
Signed-off-by: Igor Opaniuk <igor.opaniuk@linaro.org>
Implement AVB ops on top of existing mmc subsystem API. Currently there
is a full implementation of such operations, defined by [1]
AVB2.0 specification:
.read_from_partition() - reads N bytes from a partition identified by
a name.
.write_to_partition() - Writes N bytes to a partition identified by a name.
.validate_vbmeta_public_key() - checks if the given public ‘vbmeta’
partition is trusted.
.get_unique_guid_for_partition() - Gets the GUID for a partition identified
by a string name.
As [1] specification recommends to use tamper-evident storage for storing
rollback indexes and device state (LOCKED/UNLOCKED),
currently are only stubs instead of full implementation for these ops:
.read_rollback_index() - Gets the rollback index for a given index location
.write_rollback_index() - Sets the rollback index to a given location
.read_is_device_unlocked() - Gets where the device is unlocked
[1] https://android.googlesource.com/platform/external/avb/+/master/README.md
Signed-off-by: Igor Opaniuk <igor.opaniuk@linaro.org>
ARCH_MX6 has default values for SYS_MMCSD_RAW_MODE_U_BOOT_USE_SECTOR
and SYS_MMCSD_RAW_MODE_U_BOOT_SECTOR.
Do the same for ARCH_MX7 so that users may have a consistent
experience through the i.MX families.
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Add timestamp to each iotrace record to aid in debugging
of IO timing access bugs.
Signed-off-by: Ramon Fried <ramon.fried@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When dealing with a lot of IO regions, sometimes
it makes sense only to trace a specific one.
This patch adds support for region limits.
If region is not set, the iotrace works the same as it was.
If region is set, the iotrace only logs io operation that falls
in the defined region.
Signed-off-by: Ramon Fried <ramon.fried@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
In case of no relocation we'll just waste some space at the very end
of usable memory area. If target device has very limited amount of memory
(for example 256 kB) this loss will be pretty inconvenient.
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Cc: Bin Meng <bmeng.cn@gmail.com>
Cc: Heiko Schocher <hs@denx.de>
Cc: York Sun <york.sun@nxp.com>
Cc: Stefan Roese <sr@denx.de>
For distro-boot, the TIMEOUT directive in the boot script specifies
how long to pause in units of 1/10 sec. [1]
Commit 8594753ba0 ("menu: only timeout when menu is displayed")
corrected this by simply dividing the timeout value by 10 in
menu_interactive_choice().
I see two problems:
- For example, "TIMEOUT 5" should wait for 0.5 sec, but the current
implementation cannot handle the granularity of 1/10 sec.
In fact, it never breaks because "m->timeout / 10" is zero,
which means no timeout.
- The menu API is used not only by cmd/pxe.c but also by
common/autoboot.c . For the latter case, the unit of the
timeout value is _second_ because its default is associated
with CONFIG_BOOTDELAY.
To fix the first issue, use DIV_ROUND_UP() so that the timeout value
is rounded up to the closest integer.
For the second issue, move the division to the boundary between
cmd/pxe.c and common/menu.c . This is a more desirable place because
the comment of struct pxe_menu says:
* timeout - time in tenths of a second to wait for a user key-press before
* booting the default label.
Then, the comment of menu_create() says:
* timeout - A delay in seconds to wait for user input. If 0, timeout is
* disabled, and the default choice will be returned unless prompt is 1.
[1] https://www.syslinux.org/wiki/index.php?title=SYSLINUX#TIMEOUT_timeout
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
This undocumented function relies on arch-specific code to declare a nop
weak version. Add the weak function in common code instead to avoid having
to duplicate the same function in each arch.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Alexander Graf <agraf@suse.de>
Introduce CONFIG_IMAGE_SPARSE and CONFIG_CMD_MMC_SWRITE so the "mmc
swrite" command is separated from the fastboot code.
Move image-sparse from common to lib so it's clear it's library code.
Rename CONFIG_FASTBOOT_FLASH_FILLBUF_SIZE to CONFIG_IMAGE_SPARSE_FILLBUF_SIZE
and migrate it to Kconfig.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Acked-by: Jassi Brar <jaswinder.singh@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add the response string as a parameter to fastboot_okay/fail, instead
of modifying a global, to match the contract expected by the AOSP
U-Boot code.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Reviewed-by: Joe Hershberger <joe.hershberger@ni.com>
Separate CMD_FASTBOOT from FASTBOOT and move code and configuration to
drivers/fastboot.
Switch dependencies on FASTBOOT to USB_FUNCTION_FASTBOOT as anyone who wants
FASTBOOT before this series wants USB_FUNCTION_FASTBOOT. Split
USB_FUNCTION_FASTBOOT from FASTBOOT so they retain their existing
behaviour.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Acked-by: Joe Hershberger <joe.hershberger@ni.com>
Add FIT data-position & data-offset property support for bootm,
which were already supported in SPL.
Signed-off-by: Kelvin Cheung <keguang.zhang@gmail.com>
Follow implementation in mALLOc(). Check GD_FLG_FULL_MALLOC_INIT flag and use
malloc_simple if GD_FLG_FULL_MALLOC_INIT is unset. Adjust the malloc bytes
to align with the requested alignment.
The original memalign() function will access mchunkptr struct to adjust the
alignment if there is misalignment happen, but mchunkptr struct is not being
initialized before full malloc is initialized. This cause the system crash.
Signed-off-by: Ley Foon Tan <ley.foon.tan@intel.com>
Reviewed-by: Marek Vasut <marek.vasut@gmail.com>
Add support for loading U-Boot and optionally FDT from a fitImage
in SPL by using the full fitImage support from U-Boot. While we do
have limited SPL loading support in SPL with a small footprint, it
is missing a lot of important features, like checking signatures.
This support has all the fitImage features, while the footprint is
obviously larger.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Just add IH_TYPE_STANDALONE to fit_get_image_type_property().
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
These functions may be needed in SPL, so add empty variants of them
if CONFIG_SPL_FIT_PRINT is disabled.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Rename CONFIG_FIT_SPL_PRINT to CONFIG_SPL_FIT_PRINT and add Kconfig
entry for it.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add support for loading FPGA into the SPL fitImage support. The
mechanism is flexible and allows user to override the actual
function for loading the FPGA itself. This is because on some
systems, the FPGA must be programmed to allow DRAM access, so
loading the full fitImage may not be possible if it contains
the bitstream. Instead, the spl_load_fpga_image() provides all
the tools to load the bitstream in parts while programming it
into the FPGA.
Signed-off-by: Marek Vasut <marex@denx.de>
[trini: Don't always have a branch to print out type]
Signed-off-by: Tom Rini <trini@konsulko.com>
We only call fit_conf_print from one place in the code, so mark it as
static and move it up to where we call it. This in turn has us move a
few other already static functions up further as well.
Signed-off-by: Tom Rini <trini@konsulko.com>
microblaze:
- Align defconfig
zynq:
- Rework fpga initialization and cpuinfo handling
zynqmp:
- Add ZynqMP R5 support
- Wire and enable watchdog on zcu100-revC
- Setup MMU map for DDR at run time
- Show board info based on DT and cleanup IDENT_STRING
zynqmp tools:
- Add read partition support
- Add initial support for Xilinx bif format for boot.bin generation
mmc:
- Fix get_timer usage on 64bit cpus
- Add support for SD3.0 UHS mode
nand-zynq:
- Add support for 16bit buswidth
- Use address cycles from onfi params
scsi:
- convert ceva sata to UCLASS_AHCI
timer:
- Add Cadence TTC for ZynqMP r5
watchdog:
- Minor cadence driver cleanup
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlr1ldMACgkQykllyylKDCHioACghoJw6+NqsZXl8zGWRP38yZ5K
mvgAnihfOQq125mpKPZmcc5yt6wVwYIU
=8ji9
-----END PGP SIGNATURE-----
Merge tag 'xilinx-for-v2018.07' of git://www.denx.de/git/u-boot-microblaze
Xilinx changes for v2018.07
microblaze:
- Align defconfig
zynq:
- Rework fpga initialization and cpuinfo handling
zynqmp:
- Add ZynqMP R5 support
- Wire and enable watchdog on zcu100-revC
- Setup MMU map for DDR at run time
- Show board info based on DT and cleanup IDENT_STRING
zynqmp tools:
- Add read partition support
- Add initial support for Xilinx bif format for boot.bin generation
mmc:
- Fix get_timer usage on 64bit cpus
- Add support for SD3.0 UHS mode
nand-zynq:
- Add support for 16bit buswidth
- Use address cycles from onfi params
scsi:
- convert ceva sata to UCLASS_AHCI
timer:
- Add Cadence TTC for ZynqMP r5
watchdog:
- Minor cadence driver cleanup
The officially described way to generate boot.bin files for ZynqMP is to
describe the contents of the target binary using a file of the "bif"
format. This file then links to other files that all get packed into a
bootable image.
This patch adds support to read such a .bif file and generate a respective
ZynqMP boot.bin file that can include the normal image and pmu files, but
also supports image partitions now. This makes it a handy replacement for
the proprietary "bootgen" utility that is currently used to generate
boot.bin files with FSBL.
Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Every va_start() call must be matched by a va_end() call.
scripts/checkpatch.pl required reformatting the complete function
zm_dprintf().
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Attempting to build with both DEBUG and CONFIG_USE_TINY_PRINTF along
with CONFIG_SPL_YMODEM_SUPPORT fails at link time:
common/built-in.o: In function `zm_dprintf':
common/xyzModem.c:190: undefined reference to `vsprintf'
Disable Ymodem debug if we don't have full vsprintf support.
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Reviewed-by: Joe Hershberger <joe.hershberger@ni.com>
This patch adds support for incrementation of the bootcount in SPL.
Such feature is necessary when we do want to use this feature with
'falcon' boot mode (which loads OS directly in SPL).
Signed-off-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
The code has been refactored to use common wrappers from bootcount.h
header.
Signed-off-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Alex Kiernan <alex.kiernan@gmail.com>
New, SPL related config option - CONFIG_SPL_BOOTCOUNT_LIMIT has been
added to allow drivers/bootcount code re-usage in SPL.
This code is necessary to use and setup bootcount in SPL in the case of
falcon boot mode.
Signed-off-by: Lukasz Majewski <lukma@denx.de>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Alex Kiernan <alex.kiernan@gmail.com>
In do_bootm_states when doing BOOTM_STATE_LOADOS we use load_end
uninitialized and Coverity notes this now. This however leads down
another interesting path. We pass this pointer to bootm_load_os and
that in turn uses this uninitialized value immediately to calculate the
flush length, and is wrong. We do not know what load_end will be until
after bootm_decomp_image is called, so we must only set flush_len after
that. All of this also makes it clear that the only reason we pass a
pointer for load_end to bootm_load_os is so that we can call lmb_reserve
on success. Rather than initialize load_end to 0 in do_bootm_states we
can just call lmb_reserve ourself.
Reported-by: Coverity (CID: 175572)
Cc: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The signature/hash information are displayed for images but nor for
configurations.
Add subnodes printing in fit_conf_print() like it's done in fit_image_print()
Signed-off-by: Clément Péron <peron.clem@gmail.com>
[trini: Add guards around fit_conf_print to avoid warnings]
Signed-off-by: Tom Rini <trini@konsulko.com>
Add support for the SoCFPGA header v1, which is used on Arria 10.
The layout of the v0 and v1 header is similar, yet there are a few
differences which make it incompatible with previous v0 header, so
add a new entry.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Dinh Nguyen <dinguyen@kernel.org>
Cc: Chin Liang See <chin.liang.see@intel.com>
write_sparse_image could be useful for non-fastboot users.
For ex a platform, without usb-device/fastboot support, could
get sparse images over tftp and write using the mmc command.
Or non-android systems could also leverage the sparse format.
Towards that, this patch removes anything fastboot specific from
the write_sparse_image implementation. Which includes making the
function return integer as error code and calls for fastboot logging
via an optional callback function 'mssg'.
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have multiple licenses (in
these cases, dual license) declared in the SPDX-License-Identifier tag.
In this case we change from listing "LICENSE-A LICENSE-B" or "LICENSE-A
or LICENSE-B" or "(LICENSE-A OR LICENSE-B)" to "LICENSE-A OR LICENSE-B"
as per the Linux Kernel style document. Note that parenthesis are
allowed so when they were used before we continue to use them.
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
With tighter build flags the fact that <stdio_dev.h> doesn't have a
reference back to MAX_NAMES causes an error. Include <stdio.h> here and
then in common/console.c use MAX_NAMES rather than 3 when working with
stdio_names.
Reported-by: Peter Robinson <pbrobinson@gmail.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Tested-by: Peter Robinson <pbrobinson@gmail.com>
