CONFIG_SECURE_BOOT is too generic and forbids to use it for cross
architecture purposes. If Secure Boot is required for imx, this means to
enable and use the HAB processor in the soc.
Signed-off-by: Stefano Babic <sbabic@denx.de>
As part of the SPL FIT boot flow, the device tree is appended to U-Boot
proper. The device tree is used to record information on the loadables
to make them available to the SPL framework and U-Boot proper. Depending
on the U-Boot device tree provider, the FIT image might not include a
device tree. Information on the loadables is missing in this case.
When booting via firmware bundled with the FIT image, U-Boot SPL loads
the firmware binary and U-Boot proper before starting the firmware. The
firmware, in turn, is responsible for starting U-Boot proper.
Information on the memory location of the U-Boot proper loadable must be
available to the SPL framework so that it can be passed to the firmware
binary. To support this use case when no device tree is found in the FIT
image, fall back to the U-Boot device tree in this situation.
At the same time, update the comment to remove the note that the
destination address must be aligned to ARCH_DMA_MINALIGN. Alignment is
only required as an intermediate step when reading external data. This
is automatically handled by spl_fit_append_fdt(). After reading the
external data, it is copied to the specified address, which does not
have to be aligned to ARCH_DMA_MINALIGN.
Signed-off-by: Lukas Auer <lukas.auer@aisec.fraunhofer.de>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Anup Patel <anup.patel@wdc.com>
As part of the effort to remove things from common.h, create a new header
for the gzip functions. Move the function declarations to it and add
missing documentation.
Signed-off-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
The current U-Boot SPL image loader infrastructure is very powerful,
able to initialize and load from a variety of boot media however it
is strongly geared towards loading specific types of images in a very
specific way. To address the need being able to use this infrastructure
to load arbitrary image files go ahead and refactor it as follows:
- Refactor existing spl_mmc_load_image function into superset function,
accepting additional arguments such as filenames and media load offset
(same concept can also be applied toother spl_XXX_load_image functions)
- Extend the loader function to "remember" their peripheral initialization
status so that the init is only done once during the boot process,
- Extend the FIT image loading function to allow skipping the parsing/
processing of the FIT contents (so that this can be done separately
in a more customized fashion)
- Populate the SPL_LOAD_IMAGE_METHOD() list with a trampoline function,
invoking the newly refactored superset functions in a way to maintain
compatibility with the existing behavior
This refactoring initially covers MMC/SD card loading (RAW and FS-based).
Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
FIT_IMAGE_TINY is used to reduce the size of the SPL by removing os-type
tracking and recording the loadables into the loaded FDT. When this option
is enabled, it is assumed that the next stage firmware is u-boot.
However this does not play well with the SPL_OS_BOOT option that enables
loading different type of next stage firmware, like the OS itself.
When SPL_OS_BOOT is used, do not disable os-tracking. The added footprint
is about 300 Bytes.
Signed-off-by: Jean-Jacques Hiblot <jjhiblot@ti.com>
Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>
If FIT_IMAGE_TINY is enabled, spl_fit_image_get_os returns -ENOTSUPP.
In this case, we should default to IH_OS_U_BOOT not to IH_OS_INVALID.
Signed-off-by: Abel Vesa <abel.vesa@nxp.com>
Tested-by: Fabio Estevam <festevam@gmail.com>
Introduce two board level callback functions to FIT image loading process, and
a SPL_FIT_FOUND flag to differentiate FIT image or RAW image.
Implement functions in imx common SPL codes to call HAB funtion
to authenticate the FIT image. Generally, we have to sign multiple regions
in FIT image:
1. Sign FIT FDT data (configuration)
2. Sign FIT external data (Sub-images)
Because the CSF supports to sign multiple memory blocks, so that we can use one
signature to cover all regions in FIT image and only authenticate once.
The authentication should be done after the entire FIT image is loaded into
memory including all sub-images.
We use "-p" option to generate FIT image to reserve a space for FIT IVT
and FIT CSF, also this help to fix the offset of the external data (u-boot-nodtb.bin,
ATF, u-boot DTB).
The signed FIT image layout is as below:
--------------------------------------------------
| | | | | | | |
| FIT | FIT | FIT | | U-BOOT | ATF | U-BOOT |
| FDT | IVT | CSF | | nodtb.bin | | DTB |
| | | | | | | |
--------------------------------------------------
Signed-off-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
This patch partially reverts:
"spl: fit: Add support for loading FPGA bitstream"
(sha1: 26a642238b)
There shouldn't be a need to call private spl_load_fpga_image function
because the whole sequence should be already handled by fpga framework.
If there is missing loading bistream by chunks it should be done via
fpga framework instead of having private hooks.
Also spl_load_fpga_image() weak function is not used anywhere and
opening a way for not reviewed hacks out of mainline U-Boot is not the
right way to go.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
There is no reason to limit gzip usage only for OS_BOOT and kernel image
type.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Tested-by: York Sun <york.sun@nxp.com>
The SPL loaders assume that the CONFIG_SYS_TEXT_BASE memory location
is available and can be corrupted by loading ie. uImage or fitImage
headers there. Sometimes it could be beneficial to load the headers
elsewhere, ie. if CONFIG_SYS_TEXT_BASE is not yet writable while we
still want to parse the image headers in some local onchip memory to
ie. extract firmware from that image.
Add the possibility to override the location where the headers get
loaded by introducing new function, spl_get_load_buffer() which takes
two arguments -- offset from the CONFIG_SYS_TEXT_BASE and size of the
data that are to be loaded there -- and returns a valid buffer address
or hangs the system. The default behavior is the same as before, add
the offset to CONFIG_SYS_TEXT_BASE and return that address. User can
override the weak spl_get_load_buffer() function though.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
A message should be displayed if an image is loaded
to an FPGA, because the hardware might have changed,
and the user should be informed
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Verification of hashes needs to take place before any image post
processing, thus matching full FIT image processing.
This allows mechanisms such as encryption be applied to images
prior to fit generation at the spl level.
Signed-off-by: Ben Whitten <ben.whitten@lairdtech.com>
Move the FPGA loading from IS_ENABLED(CONFIG_SPL_OS_BOOT) &&
IS_ENABLED(CONFIG_SPL_GZIP) conditional. The FPGA loading can
be used without OS loading and GZIP support in SPL. This issue
was most likely induced by some merge conflict, so fix it.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@konsulko.com>
Add support for loading FPGA into the SPL fitImage support. The
mechanism is flexible and allows user to override the actual
function for loading the FPGA itself. This is because on some
systems, the FPGA must be programmed to allow DRAM access, so
loading the full fitImage may not be possible if it contains
the bitstream. Instead, the spl_load_fpga_image() provides all
the tools to load the bitstream in parts while programming it
into the FPGA.
Signed-off-by: Marek Vasut <marex@denx.de>
[trini: Don't always have a branch to print out type]
Signed-off-by: Tom Rini <trini@konsulko.com>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
SPL ATF support requires to have firmware property which should be also
listed by mkimage -l when images is created.
The patch is also using this macro in spl_fit to match keyword.
When image is created:
Default Configuration: 'config'
Configuration 0 (config)
Description: ATF with full u-boot
Kernel: unavailable
Firmware: atf
FDT: dtb
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Jun Nie <jun.nie@linaro.org>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
U-boot proper signature is not verified by SPL on most platforms
even config SPL_FIT_SIGNATURE is enabled. Only fsl-layerscape
platform support secure boot in platform specific code. So
verified boot cannot be achieved if u-boot proper is loaded by
SPL.
This patch add signature verification to u-boot proper images
when loading FIT image in SPL. It is tested on Allwinner bananapi
zero board with H2+ SoC.
Signed-off-by: Jun Nie <jun.nie@linaro.org>
Thomas reported U-Boot failed to build host tools if libfdt-devel
package is installed because tools include libfdt headers from
/usr/include/ instead of using internal ones.
This commit moves the header code:
include/libfdt.h -> include/linux/libfdt.h
include/libfdt_env.h -> include/linux/libfdt_env.h
and replaces include directives:
#include <libfdt.h> -> #include <linux/libfdt.h>
#include <libfdt_env.h> -> #include <linux/libfdt_env.h>
Reported-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
For external data, FIT has a optional property "data-position" which
can set the external data to a fixed offset to FIT beginning.
Add the support for this property in SPL FIT.
Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tomas Melin <tomas.melin@vaisala.com>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: "Andrew F. Davis" <afd@ti.com>
Cc: Igor Grinberg <grinberg@compulab.co.il>
Cc: "tomas.melin@vaisala.com" <tomas.melin@vaisala.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Andre Przywara <andre.przywara@arm.com>
Cc: York Sun <york.sun@nxp.com>
Cc: Lokesh Vutla <lokeshvutla@ti.com>
Cc: "Cooper Jr., Franklin" <fcooper@ti.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Cc: Jean-Jacques Hiblot <jjhiblot@ti.com>
Cc: Rick Altherr <raltherr@google.com>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>
Reviewed-by: York Sun <york.sun@nxp.com>
A minor code-size increase from the changes for tracking the os-type
of FIT images and from infrastructure for recording the loadables into
the the loaded FDT, broke the builds for sun50i and some OMAP2+ devices.
This change adds a new config option (enabled by default for
MACH_SUN50I, MACH_SUN50I_H5 and ARCH_OMAP2PLUS) that does skips these
processing steps (bringing code size down to below the limit
again). The os-type is not evaluated, but assumed to be IH_OS_UBOOT
(i.e. taking the code-paths intended for backward-compatibility).
Note that enabling this config option precludes any useful downstream
processing, such as utilising a special calling convention for ATF or
OPTEE, based on the os-type of the loadables.
Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
If a FDT was loaded (e.g. to append it to U-Boot image), we store it's
address and record information for all loadables into this FDT. This
allows us to easily keep track of images for multiple privilege levels
(e.g. with ATF) or of firmware images preloaded into temporary
locations (e.g. PMU firmware that may overlap the SPL stage).
Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
To better support bootin through an ATF or OPTEE, we need to
streamline some of the logic for when the FDT is appended to an image:
depending on the image type, we'd like to append the FDT not at all
(the case for the OS boot), to the 'firmware' image (if it is a
U-Boot) or to one of the loadables (if the 'firmware' is an ATF, an
OPTEE, or some other image-type and U-Boot is listed in the
loadabled).
To achieve this goal, we drop the os_boot flag and track the type of
image loaded. If it is of type IH_OS_U_BOOT, we append the FDT.
Signed-off-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
Acked-by: York Sun <york.sun@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
common/spl/spl_fit.c:201:12: warning: passing argument 4 of ‘gunzip’
from incompatible pointer type [-Wincompatible-pointer-types]
src, &length))
Signed-off-by: York Sun <york.sun@nxp.com>
Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
CC: Jean-Jacques Hiblot <jjhiblot@ti.com>
If CONFIG_SPL_OS_BOOT is enabled, boot OS if kernel image is found
in FIT structure.
Signed-off-by: York Sun <york.sun@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
SPL supports U-Boot image in FIT format which has data outside of
FIT structure. This adds support for embedded data for normal FIT
images.
Signed-off-by: York Sun <york.sun@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add Kconfig option SPL_GZIP and SPL_ZLIB to enable gunzip support for
SPL boot, eg. falcon boot compressed kernel image.
Signed-off-by: York Sun <york.sun@nxp.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Some of the functions within spl_fit will be used for non spl purposes.
Instead of duplicating functions simply break the functions to be reused
into its own file.
Signed-off-by: Franklin S Cooper Jr <fcooper@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
[trini: Only add the new define to image.h, otherwise we see breakage
due to massive include leakage into host tools in some cases]
Signed-off-by: Tom Rini <trini@konsulko.com>
So far we were not using the FIT image format to its full potential:
The SPL FIT loader was just loading the first image from the /images
node plus one of the listed DTBs.
Now with the refactored loader code it's easy to load an arbitrary
number of images in addition to the two mentioned above.
As described in the FIT image source file format description, iterate
over all images listed at the "loadables" property in the configuration
node and load every image at its desired location.
This allows to load any kind of images:
- firmware images to execute before U-Boot proper (for instance
ARM Trusted Firmware (ATF))
- firmware images for management processors (SCP, arisc, ...)
- firmware images for devices like WiFi controllers
- bit files for FPGAs
- additional configuration data
- kernels and/or ramdisks
The actual usage of this feature would be platform and/or board specific.
Also update the FIT documentation to mention the new SPL feature and
provide an example .its file to demonstrate its features.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Lokesh Vutla <lokeshvuta@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Jagan Teki <jagan@openedev.com>
Reviewed-by: Jagan Teki <jagan@openedev.com>
At the moment we load two images from a FIT image: the actual U-Boot
image and the .dtb file. Both times we have very similar code, that deals
with alignment requirements the media we load from imposes upon us.
Factor out this code into a new function, which we just call twice.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Jagan Teki <jagan@openedev.com>
At the moment we ignore any errors due to missing FIT properties,
instead go ahead and calculate our addresses with the -1 return value.
Fix this and bail out if any of the mandatory properties are missing.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Jagan Teki <jagan@openedev.com>
Reviewed-by: Jagan Teki <jagan@openedev.com>
Currently the SPL FIT loader always looks only for the first image in
the /images node a FIT tree, which it loads and later executes.
Generalize this by looking for a "firmware" property in the matched
configuration subnode, or, if that does not exist, for the first string
in the "loadables" property. Then using the string in that property,
load the image of that name from the /images node.
This still loads only one image at the moment, but refactors the code to
allow extending this in a following patch.
To simplify later re-usage, we also generalize the spl_fit_select_index()
function to not return the image location, but just the node offset.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Lokesh Vutla <lokeshvuta@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Jagan Teki <jagan@openedev.com>
Currently the SPL FIT loader uses the spl_fit_select_fdt() function to
find the offset to the right DTB within the FIT image.
For this it iterates over all subnodes of the /configuration node in
the FIT tree and compares all "description" strings therein using a
board specific matching function.
If that finds a match, it uses the string in the "fdt" property of that
subnode to locate the matching subnode in the /images node, which points
to the DTB data.
Now this works very well, but is quite specific to cover this particular
use case. To open up the door for a more generic usage, let's split this
function into:
1) a function that just returns the node offset for the matching
configuration node (spl_fit_find_config_node())
2) a function that returns the image data any given property in a given
configuration node points to, additionally using a given index into
a possbile list of strings (spl_fit_select_index())
This allows us to replace the specific function above by asking for the
image the _first string of the "fdt" property_ in the matching
configuration subnode points to.
This patch introduces no functional changes, it just refactors the code
to allow reusing it later.
(diff is overly clever here and produces a hard-to-read patch, so I
recommend to throw a look at the result instead).
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Lokesh Vutla <lokeshvuta@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Reviewed-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Kever Yang <kever.yang@rock-chips.com>
Tested-by: Jagan Teki <jagan@openedev.com>
In raw mode a full sector is to be read even if image covers part of
a sector. Number of sectors are calculated as ROUND_UP(size)/sec_size by FIT
framework. This calculation assumes that image is at the 0th offset of a sector,
which is not true always in FIT case. So, include the image offset while
calculating number of sectors.
Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
The next stage boot loader image and the selected FDT can be post-
processed by board/platform/device-specific code, which can include
modifying the size and altering the starting source address before
copying these binary blobs to their final destination. This might be
desired to do things like strip headers or footers attached to the
images before they were packaged into the FIT, or to perform operations
such as decryption or authentication. Introduce new configuration
option CONFIG_SPL_FIT_IMAGE_POST_PROCESS to allow controlling this
feature. If enabled, a platform-specific post-process function must
be provided.
Signed-off-by: Daniel Allred <d-allred@ti.com>
Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When no DTB can be matched successfully to the board that's being used
a list of available FIT-embedded DTBs will be output to the console for
diagnostic purposes. But rather than the contents of the "description"
FDT property a non-existent property was accessed and as a result "NULL"
was output instead of the actual name(s) of the DTB(s). Fix this issue
by using the correct property which is also the exact same property
that's used earlier during the actual board matching process.
Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
When loading fit header, it should be loaded to a previous address
aligned to ARCH_DMA_MINALIGN and not 8. Fixing the same.
Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
This provides a way to load a FIT containing U-Boot and a selection of device
tree files from a File system. Making sure that all the reads and writes
are aligned to their respective needs.
Tested-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
[trini: Make this still apply with Michal's alignment change for 'fit']
Signed-off-by: Tom Rini <trini@konsulko.com>
sectors field is not being updated when reading fdt from fit image. Because of
this size_of(u-boot.bin) is being read when reading fdt. Fixing it by updating
the sectors field properly.
Tested-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
If bl_len is not aligned it can caused a problem because another code
expects that start is aligned.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
When FDT is not present in the image user doesn't get any error what's
wrong. Print error message if LIBCOMMON_SUPPORT is enabled.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Seris-cc: uboot
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This provides a way to load a FIT containing U-Boot and a selection of device
tree files. The board can select the correct device tree by probing the
hardware. Then U-Boot is started with the selected device tree.
Signed-off-by: Simon Glass <sjg@chromium.org>