As discussed previously [1,2], the source command is not safe to use with
verified boot unless there is a key with required = "images" (which has its
own problems). This is because if such a key is absent, signatures are
verified but not required. It is assumed that configuration nodes will
provide the signature. Because the source command does not use
configurations to determine the image to source, effectively no
verification takes place.
To address this, allow specifying configuration nodes. We use the same
syntax as the bootm command (helpfully provided for us by fit_parse_conf).
By default, we first try the default config and then the default image. To
force using a config, # must be present in the command (e.g. `source
$loadaddr#my-conf`). For convenience, the config may be omitted, just like
the address may be (e.g. `source \#`). This also works for images
(`source :` behaves exactly like `source` currently does).
[1] https://lore.kernel.org/u-boot/7d711133-d513-5bcb-52f2-a9dbaa9eeded@prevas.dk/
[2] https://lore.kernel.org/u-boot/042dcb34-f85f-351e-1b0e-513f89005fdd@gmail.com/
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Two callers of image_source_script specify an image name. However, both
use the deprecated @ syntax, indicating that they have not been updated
in a while. If CONFIG_FIT_SIGNATURE is enabled, we will reject such
names outright. Back in commit 152576a598 ("stm32mp: stm32prog: handle
U-Boot script in flashlayout alternate"), we even renamed one of the
nodes. Instead of hard-coding a script image name, just use the default
image.
Signed-off-by: Sean Anderson <sean.anderson@seco.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Improve the partitioning trace done in command stm32prog:
- remove the trace "partition: Done" when the GPT partitioning is not done
- indicate the mmc instance used for each 'gpt write' command
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
As the SMC is only supported in SP-MIN for STM32MP15x, the associated
partition should be absent when the TA NVMEM is not available in OPT-TEE
in STM32MP13x.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Solve many compilation warning when stm32prog is activated on the aarch64.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Change the defaut flashlayout location, hardcoded at STM32_DDR_BASE,
to CONFIG_SYS_LOAD_ADDR to avoid issue on board with reserved memory
at STM32_DDR_BASE.
This patch changes the command behavior for STM32MP13 and STM32MP15
platform, as CONFIG_SYS_LOAD_ADDR(0xc2000000) != STM32_DDR_BASE
but without impact for serial boot with STM32CubeProgrammer.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
When the STM32CubeProgrammer sent a empty flashlayout.tsv
file, the command stm32prog correctly parse the file
but data->dev_nb = 0 and the stm32prog_devices_init
operations should be skipped.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Globally replace all occurances of WATCHDOG_RESET() with schedule(),
which handles the HW_WATCHDOG functionality and the cyclic
infrastructure.
Signed-off-by: Stefan Roese <sr@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Tested-by: Tom Rini <trini@konsulko.com> [am335x_evm, mx6cuboxi, rpi_3,dra7xx_evm, pine64_plus, am65x_evm, j721e_evm]
We currently have an if_type (interface type) and a uclass id. These are
closely related and we don't need to have both.
Drop the if_type values and use the uclass ones instead.
Maintain the existing, subtle, one-way conversion between UCLASS_USB and
UCLASS_MASS_STORAGE for now, and add a comment.
Signed-off-by: Simon Glass <sjg@chromium.org>
The third parameter of dfu_alt_add(), the string description of alternate,
is build in stm32prog_alt_add() with a unnecessary character ';' at the
end of the string.
This separator was required in the first implementation of
dfu_alt_add() but is no more needed in the current implementation;
this separator is managed only in dfu_config_interfaces() which call
dfu_alt_add() for this parameter without this separator.
And since the commit 53b406369e ("DFU: Check the number of arguments
and argument string strictly"), this added character cause an error when
the stm32prog command is executed because the third parameter of
dfu_alt_add() must be a string with a numerical value; 's' must be NULL
in the result of call in dfu_fill_entity_mmc():
third_arg = simple_strtoul(argv[2], &s, 0);
Fixes: 53b406369e ("DFU: Check the number of arguments and argument string strictly")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Accept flashlayout without header in alternate 0, to simplify
the support of stm32prog command with dfu-util.
By default the flashlayout file size is the size of the received binary,
provided with the offset in the DFU alternate.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Update the stm32prog command to allow the reception of U-Boot script in
the FlashLayout alternate during the first USB enumeration.
This patch is aligned with the last TF-A behavior: the Flashlayout
is now loaded by U-Boot; it is no more present at STM32_DDR_BASE when
the stm32prog is launched after a serial boot, on UART or on USB.
The received script must be a U-Boot legacy image, no more need to add
a stm32image header.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
When an interruption is received during the first USB enumeration
used to received the FlashLayout, with handle ctrl-c, the second
enumeration is not needed and the result for stm32prog_usb_loop
is false (reset is not needed).
This patch avoids the need of a second ctrl to interrupt the command
stm32prog.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add support of UUID for FIP parttion, required by Firmware update
support in TF-A:
- UUID TYPE for FIP partition: 19d5df83-11b0-457b-be2c-7559c13142a5
- "fip-a" partition UUID: 4fd84c93-54ef-463f-a7ef-ae25ff887087
- "fip-b" partition UUID: 09c54952-d5bf-45af-acee-335303766fb3
This check is done with a new partition type "FIP" associated
at the FIP UUID.
The A/B partition UUID is detected by the partition name:
"fip-a", "fip-b".
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add support of new header for the STM32IMAGE version V2
in command stm32prog command for STM32MP13x family.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
When OP-TEE is used, the SMC for BSEC management are not
available and the PTA provisioning for OTP must be used.
U-Boot opens the session to this PTA and use it for OTP
access.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add a configuration flag CONFIG_CMD_STM32PROG_OTP to enable the support of
OTP update in stm32prog command.
This new configuration allows to deactivate this feature for security reason
and it is a preliminary step for support of OPT update with the OP-TEE
provisioning TA.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Signed-off-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add the partition name and remove the line number in error messages
of treat_partition_list() to provide correct information to user of
STM32CubeProgrammer.
The "line number" value was confusing because it is incorrect here;
the index in part_array[] is not aligned with the line number in
the parsed Layout file, because the empty lines and the lines beginning
by '#' are skipped during the first parsing in parse_flash_layout().
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The missing trailing newline could confuse check-config.sh if the
definition of an option was on the first line of the next file that
find(1) happened to return.
Signed-off-by: William Grant <wgrant@ubuntu.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
The MTD tee partitions used to save the OP-TEE binary are needed when
TF-A doesn't use the FIP container to load binaries.
This patch puts under CONFIG_STM32MP15x_STM32IMAGE flag the associated
code in U-Boot binary and prepare the code cleanup when
CONFIG_STM32MP15x_STM32IMAGE support will be removed after TF-A migration
to FIP support.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
It is a pain to have to specify the value 10 in each call. Add a new
dectoul() function and update the code to use it.
Signed-off-by: Simon Glass <sjg@chromium.org>
It is a pain to have to specify the value 16 in each call. Add a new
hextoul() function and update the code to use it.
Add a proper comment to simple_strtoul() while we are here.
Signed-off-by: Simon Glass <sjg@chromium.org>
Use the existing defines PMIC_SIZE and OTP_SIZE and a new define
CMD_SIZE for virtual partition size.
This patch corrects the size for OTP partition in alternate name
(1024 instead of 512) and avoids other alignment issues.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Reduce the content of short help message for stm32prog command and
removed the carriage return to fix the display of 'help' command when
this command is activated.
Fixes: 954bd1a923 ("stm32mp: add the command stm32prog")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Move the message "Invalid or missing layout file."
to debug level as it is a normal behavior and not an error
and add the missing '\n'.
This patch avoids the strange trace :
Boot over usb0!
Invalid or missing layout file.DFU alt info setting: done
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Use get_cpu_dev() in uart getID command and remove the defines
DEVICE_ID_BYTE1 and 2 defines.
This patch prepare the support for new SOC family.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Correctly handle number of alternate when DM_PMIC is not activated.
This patch remove the last UNKNOWN partition in this case.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Acked-by: Jaehoon Chung <jh80.chung@samsung.com>
Handle the second USB enumeration only when the flashlayout is received
and when phase is PHASE_FLASHLAYOUT. This patch removes the call of
stm32prog_next_phase as it is already done in stm32prog_dfu_init().
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
When CONFIG_FIT_SIGNATURE is activated, CONFIG_LEGACY_IMAGE_FORMAT
is deactivated and the define IMAGE_FORMAT_LEGACY don't exist with
include/image.h:
#if defined(CONFIG_LEGACY_IMAGE_FORMAT)
#define IMAGE_FORMAT_LEGACY 0x01 /* legacy image_header based format */
#endif
This patch adds the needed check on compilation flag
CONFIG_LEGACY_IMAGE_FORMAT to avoid the compilation error
for command stm32prog:
cmd_stm32prog.c:81:8: error: ‘IMAGE_FORMAT_LEGACY’ undeclared
(first use in this function); did you mean ‘IMAGE_FORMAT_FIT’?
81 | if (IMAGE_FORMAT_LEGACY ==
| ^~~~~~~~~~~~~~~~~~~
| IMAGE_FORMAT_FIT
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add the support in command stm32prog of kernel load and start
with initrd file, identify by the partition Type "Binary" in
the flashlayout.tsv, for example:
- 0x01 fsbl Binary none 0x0 tfa.stm32
- 0x03 fip Binary none 0x0 fip.bin
P 0x10 kernel System ram0 0xC2000000 uImage.bin
P 0x11 dtb FileSystem ram0 0xC4000000 board.dtb
P 0x12 initrd Binary ram0 0xC4400000 <initrd>
The <initrd> file can be a legacy image "uInitrd", generated
with mkimage, or a RAW initrd image "initrd.gz".
After a DFU detach the bootm command with be executed
with the associated address, for example:
$> bootm 0xC2000000 0xC4400000:<size> 0xC4000000
When the "Binary" partition type is absent, the 'bootm'
command starts the kernel without ramdisk, for example:
$> bootm 0xC2000000 - 0xC4000000
With this paths, it is no more mandatory to generate FIT
including the kernel, DT and initrd:
- 0x01 fsbl Binary none 0x0 tfa.stm32
- 0x03 fip Binary none 0x0 fip.bin
P 0x10 fit System ram0 0xC2000000 fit.bin
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Handle timeout in stm32prog_serial_get_buffer to sent NACK
to STM32CubeProgrammer when the buffer is not fully received.
This patch avoids to reach the STM32CubeProgrammer timeout and
the associated unrecoverable error.
Timeout error occurred while waiting for acknowledgment.
Error: Write Operation fails at packet number 4165 at address 0x1044FF
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
This patch removes the header check for UART download;
the check of checksum is not mandatory with even parity and chuck
checksum for each 256 received bytes and it is only done for
STM32 image (FSBL = TF-A BL2), not for FIT image.
This patch solve issue of duplicated 0x100 byte written with FIP header.
Fixes: 4fb7b3e108 ("stm32mp: stm32prog: add FIP header support")
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add support of TF-A FIP header in command stm32prog for all the boot
partition and not only the STM32IMAGE.
This patch is a preliminary patch to support FIP as second boot stage
after TF-A BL2 when CONFIG_TFABOOT is activated for trusted boot chain.
The FIP is archive binary loaded by TF-A BL2, which contains the secure OS
= OP-TEE and the non secure firmware and device tree = U-Boot.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
The command "stm32prog serial <dev>" can directly use the device sequence
number of serial uclass as this sequence number is egual to alias when it
exist; this assumption simplify the code and avoid access to gd->fdt_blob
and the device tree parsing.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Add CONFIG_CMD_STM32PROG_SERIAL and CONFIG_CMD_STM32PROG_USB to
independently select the support of UART or USB communication for
STM32CubeProgrammer.
For serial boot over UART, user can deactivate CONFIG_CMD_STM32PROG_SERIAL
to use U-Boot console of binary loaded by UART (for board bring-up for
example).
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Move CONFIG_CMD_STM32PROG in a specific Kconfig file for stm32prog command.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Move this out of the common header and include it only where needed. In
a number of cases this requires adding "struct udevice;" to avoid adding
another large header or in other cases replacing / adding missing header
files that had been pulled in, very indirectly. Finally, we have a few
cases where we did not need to include <asm/global_data.h> at all, so
remove that include.
Signed-off-by: Simon Glass <sjg@chromium.org>
Signed-off-by: Tom Rini <trini@konsulko.com>
Remove the test on data->dfu_seq, because dfu_seq=0 not only when
the DFU is not started (mask with 0xffff). This flush is mandatory
as the final treatment, common with USB, is done in DFU callback.
This patch avoids issue if the received length is a multiple of
the DFU packet.
For example if size of bootfs partition is egual to 0x4000000,
data->dfu_seq=0 at the end of the partition, the flush it not
requested and the phase is not increased in the callback.
U-Boot continue to request the bootfs in the next GetPhase command.
Fixes: 468f0508b5 ("stm32mp: stm32prog: add serial link support")
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
In the spirit of using the same base name for all of these related macros,
rename this to have the operation at the end. This is not widely used so
the impact is fairly small.
Signed-off-by: Simon Glass <sjg@chromium.org>
When partitions are not available on a device the command stm32prog raises
an error but a device can have no partition to check in init_device()
and the command need to continue to the next part_id.
This patch correct an issue for ram0 target, when block_dev and mtd
are NULL.
For example with the simple flashlayout file:
Opt Part Name Type Device Offset Binary
- 0x01 fsbl Binary none 0x0 tf-a-serialboot.stm32
- 0x03 ssbl Binary none 0x0 u-boot.stm32
P 0x10 kernel System ram0 0xC2000000 uImage.bin
P 0x11 dtb FileSytem ram0 0xC4000000 stm32mp157f-ev1.dtb
Fixes: ffc405e63b ("stm32mp: stm32prog: add upport of partial update")
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@st.com>
Use IS_ENABLED to prevent ifdef in stm32prog command.
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@st.com>
This header file should not be included in other header files. Remove it
and use a forward declaration instead.
Signed-off-by: Simon Glass <sjg@chromium.org>
Check result of find_mmc_device() before calling mmc_init().
This patch avoid a data abort when the command try to acces
to sd/mmc device deactivated in device tree.
Fixes: aff4c5dd82 ("stm32mp: stm32prog: add MMC device")
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@st.com>
Add parentheses around CONFIG_IS_ENABLED() in the if statement, to
fix potential build failures.
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@st.com>
Add "Device Name" in iproduct during DFU USB enumeration
to have this information in STM32CubeProgrammer trace
(this tools is compatible with @Name since v2.3)
Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
Reviewed-by: Patrice Chotard <patrice.chotard@st.com>