As discussed previously [1,2], the source command is not safe to use with
verified boot unless there is a key with required = "images" (which has its
own problems). This is because if such a key is absent, signatures are
verified but not required. It is assumed that configuration nodes will
provide the signature. Because the source command does not use
configurations to determine the image to source, effectively no
verification takes place.
To address this, allow specifying configuration nodes. We use the same
syntax as the bootm command (helpfully provided for us by fit_parse_conf).
By default, we first try the default config and then the default image. To
force using a config, # must be present in the command (e.g. `source
$loadaddr#my-conf`). For convenience, the config may be omitted, just like
the address may be (e.g. `source \#`). This also works for images
(`source :` behaves exactly like `source` currently does).
[1] https://lore.kernel.org/u-boot/7d711133-d513-5bcb-52f2-a9dbaa9eeded@prevas.dk/
[2] https://lore.kernel.org/u-boot/042dcb34-f85f-351e-1b0e-513f89005fdd@gmail.com/
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
We ask for CONFIG_SPL_LOAD_FIT_ADDRESS in Kconfig, so we cannot define
it in C as a fall-back. However, this option previously was buried under
"if ... endif" Kconfig logic. Rework a number of config options to now
have more robust dependency lines so that we can ask this address when
needed. With that done, we can remove the fallback in spl_ram.c.
Signed-off-by: Tom Rini <trini@konsulko.com>
With the change here, all extlinux.conf files with only "KERNEL
/fitImage" don't work anymore. One common example of this would be those
files generated by thee Poky/OE WIC bootimg-partition bootloader
partition generator.
This reverts commit d5ba6188df.
Reported-by: Neil Armstrong <neil.armstrong@linaro.org>
Reported-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Signed-off-by: Tom Rini <trini@konsulko.com>
Regarding the documentation found here:
https://github.com/u-boot/u-boot/blob/master/common/menu.c#L347
If both timeout and prompt is set to 0 the default entry shall
be booted immediately. However the current behaviour is that
the prompt is shown (tested with distroboot) until the user
selects an entry (no timeout).
This change implements a behaviour as documented. It was tested
with distroboot.
Signed-off-by: Manuel Traut <manuel.traut@mt.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Replace malloc and strcpy by strdup in
function parse_label_kernel.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Since the commit d5ba6188df ("cmd: pxe_utils: Check fdtcontroladdr
in label_boot") the FDT or the FDTDIR label is required in extlinux.conf
and the fallback done by bootm command when only the device tree present
in this command parameters is no more performed when FIT is used for
kernel.
When the label FDT or FDTDIR are absent or if the device tree file is
absent, the PXE command in U-Boot uses the default U-Boot device tree
selected by fdtcontroladdr = gd->fdt_blob, it is the "Scenario 3".
With this scenario the bootm FIP fallback is no more possible with
the extlinux.conf when only "kernel" label is present and is a FIP:
kernel <path>#<conf>[#<extra-conf[#...]]
As the U-Boot FDT is always provided in the third bootm argument,
the device tree found in FIP is not used as fallback, it was done
previously in boot_get_fdt().
This patch adds a new field kernel_label to save the full kernel label.
The FDT bootm parameters use the kernel address (to avoid to load a
second time the same FIP) and the config when this full label is reused
for "fdt" or "initrd" label.
This FIP support in extlinux.conf is restored when the "FDT" label
can be found and select the same FIP (identical file and configuration):
kernel <path>#<conf>[#<extra-conf[#...]]
fdt <path>#<conf>[#<extra-conf[#...]]
The patch add also this possibility for initrd.
initrd <path>#<conf>[#<extra-conf[#...]]
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reorder kernel treatment in label_boot at the beginning of the function.
This patch doesn't change the pxe command behavior, it is only a
preliminary step for next patch, build kernel_addr before parsing
the label initrd and fdt to build the next bootm arguments.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
If the user select the image type "flat_dt" a FIT image will be build.
This breaks the legacy use case of putting a Flat Device Tree into a
legacy u-boot image.
Add a new image type "fdt_legacy" to build a legacy u-boot image
with a "flat_dt" type.
Link: https://lore.kernel.org/all/20221028155205.ojw6tcso2fofgnhm@pengutronix.de
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Reviewed-by: Sean Anderson <seanga2@gmail.com>
As there are no more non-DM_ETH cases for networking, remove this legacy
file and update the Makefile to match current usage.
Signed-off-by: Tom Rini <trini@konsulko.com>
The rest of the unmigrated CONFIG symbols in the CONFIG_SYS namespace do
not easily transition to Kconfig. In many cases they likely should come
from the device tree instead. Move these out of CONFIG namespace and in
to CFG namespace.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The rest of the unmigrated CONFIG symbols in the CONFIG_SYS_SDRAM
namespace do not easily transition to Kconfig. In many cases they likely
should come from the device tree instead. Move these out of CONFIG
namespace and in to CFG namespace.
Signed-off-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Due to usage of PREBOOT in Kconfig, macro CONFIG_PREBOOT is always defined
when CONFIG_USE_PREBOOT is enabled. In case CONFIG_PREBOOT is not
explicitly enabled it is set to empty C string and therefore
'#ifdef CONFIG_PREBOOT' guard does not work. Fix this issue by introducing
a new Kconfig symbol PREBOOT_DEFINED which cause to define new C macro
CONFIG_PREBOOT_DEFINED only when CONFIG_PREBOOT is really defined.
Change usage of '#ifdef CONFIG_PREBOOT' by '#ifdef CONFIG_USE_PREBOOT' for
code which checks if preboot code would be called and by
'#ifdef CONFIG_PREBOOT_DEFINED' for defining preboot code.
Signed-off-by: Pali Rohár <pali@kernel.org>
At present we put the driver in the /chosen node in U-Boot. This is a bit
strange, since U-Boot doesn't normally use that node itself. It is better
to put it under the bootstd node.
To make this work we need to copy create the node under /chosen when
fixing up the device tree. Copy over all the properties so that fwupd
knows what to do.
Update the sandbox device tree accordingly.
Signed-off-by: Simon Glass <sjg@chromium.org>
Enable the various features needed in VPL, by adding Kconfig options.
Update the defconfig for sandbox_vpl so that the build for each phase
includes what is needed. Drop LZMA for now and make sure partition support
is omitted in SPL, since it is not needed.
Signed-off-by: Simon Glass <sjg@chromium.org>
We don't need the U-Boot prefix on the version and in fact it is harmful
since pytest gets confused seeing the U-Boot banner bring displayed when
the version is printed.
Drop the prefix from the string.
We could produce an entirely new string from the component parts, but this
adds to the rodata size and would break the use of version_string as the
only thing which holds this information.
Signed-off-by: Simon Glass <sjg@chromium.org>
The vbe_fixup file handles device tree fixups, but these are called OS
requests in VBE. Rename the file to reflect its wider purpose.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add support for filtering out FIT images by phase. Rather than adding yet
another argument to this already overloaded function, use a composite
value, where the phase is only added in if needed.
The FIT config is still selected (and verified) as normal, but the images
are selected based on the phase.
Tests for this come in a little later, as part of the updated VPL test.
Signed-off-by: Simon Glass <sjg@chromium.org>
We want to be able to mark an image as related to a phase, so we can
easily load all the images for SPL or for U-Boot proper.
Add this to the FIT specification, along with some access functions.
Signed-off-by: Simon Glass <sjg@chromium.org>
The current name is inconsistent with SPL which uses CONFIG_SPL_TEXT_BASE
and this makes it imposible to use CONFIG_VAL().
Rename it to resolve this problem.
Signed-off-by: Simon Glass <sjg@chromium.org>
Just like we exclude data-size, data-position, and data-offset from
fit_config_check_sig, we must exclude them while signing as well.
While we're at it, use the FIT_DATA_* defines for fit_config_check_sig
as welll.
Fixes: 8edecd3110 ("fit: Fix verification of images with external data")
Fixes: c522949a29 ("rsa: sig: fix config signature check for fit with padding")
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Beside some rather unexciting sync of the DTs from the kernel tree, and
some Kconfig cleanup, there are some improvements for the ARMv5 Allwinner
family, to support boards with the F1C200s (64MB DRAM) better. We will
get actual board support as soon as the DTs have passed the Linux review
process.
There is also support for the X96 Mate TV Box, featuring the H616 SoC and
a full 4GB of DRAM.
Also we found the secret to enable SPI booting on the H616 (pin PC5 must
be pulled to GND), so the SPI boot support patch is now good to go.
Passed the gitlab CI, plus briefly tested on Pine64-LTS, LicheePi Nano,
X96 Mate and OrangePi Zero.
Traditionally we assumed that every Allwinner board would come with at
least 256 MB of DRAM, and set our DRAM layout accordingly. This affected
both the default load addresses, but also U-Boot's own address
expectations (like being loaded at 160 MB).
Some SoCs come with co-packaged DRAM, but only provide 32 or 64MB. So
far we special-cased those *chips*, as there was only one chip per DRAM
size. However new chips force us to take a more general approach.
Introduce a Kconfig symbol, which provides the minimum DRAM size of the
board. If nothing else is specified, we use 256 MB, and default to
smaller values for those co-packaged SoCs.
Then select the different DRAM maps according to this new symbol, so
that different SoCs with the same DRAM size can share those definitions.
Inspired by an idea from Icenowy.
This is just refactoring: compiled for all boards before and after this
patch: the binaries were identical.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
As a starting point, add support for providing random data, if requested
by the OS. Also add ASLR, as a placeholder for now.
Signed-off-by: Simon Glass <sjg@chromium.org>
(fixed up to use uclass_first_device_err() instead)
Make sure the log_msg_ret() values are unique so that the log trace is
unambiguous with LOG_ERROR_RETURN. Also avoid reusing the 'node' variable
for two different nodes in bootmeth_vbe_simple_ft_fixup(), since this is
confusing.
Signed-off-by: Simon Glass <sjg@chromium.org>
Now that we support multiple device trees with the ofnode interface, we
can pass the correct FDT to this event. This allows the 'working' FDT to
be fixed up, as expected, so long as OFNODE_MULTI_TREE is enabled.
Also make sure we don't try to do this with livetree, which does not
support fixups yet.
Signed-off-by: Simon Glass <sjg@chromium.org>
This code uses casts between addresses and pointers, so does not work with
sandbox. Update it so we can allow sandbox to do device tree fixups.
Signed-off-by: Simon Glass <sjg@chromium.org>
At present when bootm fails, it says:
subcommand not supported
and then prints help for the bootm command. This is not very useful, since
generally the error is related to something else, such as fixups failing.
It is quite confusing to see this in a test run.
Change the error and show the error code.
We could update the OS functions to return -ENOSYS when they do not
support the bootm subcommand. But this involves some thought since this is
arch-specific code and proper errno error codes are not always returned.
Also, with the code as is, all required subcommands are of course
supported - a problem would only come if someone added a new one or
removed support for one from an existing OS. Therefore it seems better to
leave that sort of effort for when our bootm tests are improved.
Note: v1 of this patch generated a discussion[1] about printing error
strings automatically using printf(). That is outside the scope of this
patch but will be dealt with separately.
[1] https://patchwork.ozlabs.org/project/uboot/patch/20220909151801.336551-3-sjg@chromium.org/
Signed-off-by: Simon Glass <sjg@chromium.org>
bootdev_list() uses uclass_*_device_err() to iterate devices.
However, the only value _err adds is returning an error when the device
pointer is null, and that's checked anyway.
Also there is some intent to report errors, and that's what
uclass_*_device_check() is for, use it.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Setting an alternative signature info node in "pre_load_sig_info_path"
allows verification of an image using the bootm pre-load mechanism with
a different key, e.g.: setenv pre_load_sig_info_path "/alt/sig" ; bootm
preload [addr]
Signed-off-by: Steven Lawrance <steven.lawrance@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Putting these definitions in a header will allow signatures to be
validated independently of bootm.
Signed-off-by: Steven Lawrance <steven.lawrance@softathome.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This adds keyword devicetree-overlay as an alias for fdtoverlays in
extlinux (sysboot) and pxe to better follow the Boot Loader Specification
[1], improves documentation around them by adding an example for both
fdtoverlays and devicetree-overlay and the environment variable required
for this feature. The link for the spec is updated to the current one.
[1] https://systemd.io/BOOT_LOADER_SPECIFICATION/
Signed-off-by: Edoardo Tomelleri <e.tomell@gmail.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
This function turns out to be a little confusing since it looks up a path
and also registers the tree. Split it into two, one that gets the root
node and one that looks up a path, so the purpose is clear.
Registering the tree will happen in a function to be added in a later
patch, called oftree_from_fdt().
Signed-off-by: Simon Glass <sjg@chromium.org>
This is not needed and we should avoid typedefs. Use the struct instead
and rename it to indicate that it really is a legacy struct.
Signed-off-by: Simon Glass <sjg@chromium.org>
In a lot of cases kernel resets UART HW. To ensure that U-Boot messages
printed before booting the kernel are not lost, call new U-Boot console
flush() function.
Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Globally replace all occurances of WATCHDOG_RESET() with schedule(),
which handles the HW_WATCHDOG functionality and the cyclic
infrastructure.
Signed-off-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Tom Rini <trini@konsulko.com> [am335x_evm, mx6cuboxi, rpi_3,dra7xx_evm, pine64_plus, am65x_evm, j721e_evm]
Remove all but a few that are difficult, relying on legacy CONFIG options
or optional global_data fields.
Drop the duplicate function name in the comment for boot_get_cmdline().
Signed-off-by: Simon Glass <sjg@chromium.org>
