Commit graph

79463 commits

Author SHA1 Message Date
Etienne Carriere
6983710a31 scmi: change parameter dev in devm_scmi_process_msg
Changes devm_scmi_process_msg() first argument from target parent device
to current SCMI device and lookup the SCMI agent device among SCMI device
parents to find the SCMI agent operator needed for communication with
the firmware.

This change is needed in order to support CCF in clk_scmi driver, without
which CCF will fail to find the right udevice related to exposed SCMI
clocks.

This patch allows to simplify the caller sequence, using SCMI device
reference as parameter instead of knowing SCMI uclass topology. This
change also adds some protection in case devm_scmi_process_msg() API
function is called for an invalid device type.

Cc: Lukasz Majewski <lukma@denx.de>
Cc: Sean Anderson <seanga2@gmail.com>
Cc: Jaehoon Chung <jh80.chung@samsung.com>
Cc: Patrick Delaunay <patrick.delaunay@foss.st.com>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
2022-03-02 17:42:06 -05:00
Etienne Carriere
41d62e2f27 sandbox: scmi: test against a single scmi agent
As per DT bindings since Linux kernel v5.14, the device tree can define
only 1 SCMI agent node that is named scmi [1]. As a consequence, change
implementation of the SCMI driver test through sandbox architecture to
reflect that.

This change updates sandbox test DT and sandbox SCMI driver accordingly
since all these are impacted.

Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
2022-03-02 17:42:06 -05:00
Etienne Carriere
4dea25a00d doc: binding: scmi: link to latest Linux kernel binding
Changes SCMI bindings documentation to relate to Linux kernel
source tree that recently changed the bindings description to YAML
format.

Reviewed-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
2022-03-02 17:42:06 -05:00
Tom Rini
2dfdba4a5a Merge branch '2022-03-02-armv8-fixes-and-cleanups' into next
To quote the author:
I was looking into the arm64 boot code lately and stumbled upon some
issues. Also Nishanth brought back memories of a lengthy debug session,
which was caused due to U-Boot keeping SErrors masked. As the resulting
patches are all somewhat related, I gathered this series here to address
those problems.

Patches 1 to 3 address exception handling issues, with the SError
enablement being the most prominent fix here.
Patch 4 cleans up asm/io.h. This was on the list before[1], but was
somehow lost when it was intercepted by a shorter version of itself.
Patches 5 and 6 clean up some unnecessarily complicated AArch64 assembly
code.
2022-03-02 13:59:33 -05:00
Andre Przywara
5ff4857d35 armv8: Fix and simplify branch_if_master/branch_if_slave
The branch_if_master macro jumps to a label if the CPU is the "master"
core, which we define as having all affinity levels set to 0. To check
for this condition, we need to mask off some bits from the MPIDR
register, then compare the remaining register value against zero.

The implementation of this was slightly broken (it preserved the upper
RES0 bits), overly complicated and hard to understand, especially since
it lacked comments. The same was true for the very similar
branch_if_slave macro.

Use a much shorter assembly sequence for those checks, use the same
masking for both macros (just negate the final branch), and put some
comments on them, to make it clear what the code does.
This allows to drop the second temporary register for branch_if_master,
so we adjust all call sites as well.

Also use the opportunity to remove a misleading comment: the macro
works fine on SoCs with multiple clusters. Judging by the commit
message, the original problem with the Juno SoC stems from the fact that
the master CPU *can* be configured to be from cluster 1, so the
assumption that the master CPU has all affinity values set to 0 does not
hold there. But this is already mentioned above in a comment, so remove
the extra comment.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2022-03-02 13:59:29 -05:00
Andre Przywara
f660fe0bd3 armv8: Simplify switch_el macro
The switch_el macro is a neat contraption to handle cases where we need
different code depending on the current exception level, but its
implementation was longer than needed.

Simplify it by doing just one comparison, then using the different
condition codes to branch to the desired target. PState.CurrentEL just
holds two bits, and since we don't care about EL0, we can use >, =, < to
select EL3, EL2 and EL1, respectively.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2022-03-02 13:59:29 -05:00
Andre Przywara
7ab2e47d27 arm: Clean up asm/io.h
asm/io.h is the header file containing the central MMIO accessor macros.
Judging by the header and the comments, it was apparently once copied
from the Linux kernel, but has deviated since then *heavily*. There is
absolutely no point in staying close to the original Linux code anymore,
so just remove the old cruft, by:
- removing pointless Linux history
- removing commented code
- removing outdated comments
- removing unused definitions (for mem_isa)

This massively improves the readability of the file.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2022-03-02 13:59:29 -05:00
Andre Przywara
7ed340a828 armv8: Force SP_ELx stack pointer usage
In ARMv8 we have the choice between two stack pointers to use: SP_EL0 or
SP_ELx, which is banked per exception level. This choice is stored in
the SP field of PState, and can be read and set via the SPSel special
register. When the CPU takes an exception, it automatically switches to
the SP_ELx stack pointer.

Trusted Firmware enters U-Boot typically with SPSel set to 1, so we use
SP_ELx all along as our sole stack pointer, both for normal operation and
for exceptions.

But if we now for some reason enter U-Boot with SPSel cleared, we will
setup and use SP_EL0, which is fine, but leaves SP_ELx uninitialised.
When we now take an exception, we try to save the GPRs to some undefined
location, which will usually end badly.

To make sure we always have SP_ELx pointing to some memory, set SPSel
to 1 in the early boot code, to ensure safe operation at all times.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2022-03-02 13:59:29 -05:00
Andre Przywara
6c7691edd5 armv8: Always unmask SErrors
The ARMv8 architecture describes the "SError interrupt" as the fourth
kind of exception, next to synchronous exceptions, IRQs, and FIQs.
Those SErrors signal exceptional conditions from which the system might
not easily recover, and are normally generated by the interconnect as a
response to some bus error. A typical situation is access to a
non-existing memory address or device, but it might be deliberately
triggered by a device as well.
The SError interrupt replaces the Armv7 asynchronous abort.

Trusted Firmware enters U-Boot (BL33) typically with SErrors masked,
and we never enable them. However any SError condition still triggers
the SError interrupt, and this condition stays pending, it just won't be
handled. If now later on the Linux kernel unmasks the "A" bit in PState,
it will immediately take the exception, leading to a kernel crash.
This leaves many people scratching their head about the reason for
this, and leads to long debug sessions, possibly looking at the wrong
places (the kernel, but not U-Boot).

To avoid the situation, just unmask SErrors early in the ARMv8 boot
process, so that the U-Boot exception handlers report them in a timely
manner. As SErrors are typically asynchronous, the register dump does
not need to point at the actual culprit, but it should happen very
shortly after the condition.

For those exceptions to be taken, we also need to route them to EL2,
if U-Boot is running in this exception level.

This removes the respective code snippet from the Freescale lowlevel
routine, as this is now handled in generic ARMv8 code.

Reported-by: Nishanth Menon <nm@ti.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2022-03-02 13:59:29 -05:00
Andre Przywara
e7588d81cd cmd: exception: arm64: fix undefined, add faults
The arm64 version of the exception command was just defining the
undefined exception, but actually copied the AArch32 instruction.

Replace that with an encoding that is guaranteed to be and stay
undefined. Also add instructions to trigger unaligned access faults and
a breakpoint.
This brings ARM64 on par with ARM(32) for the exception command.

Signed-off-by: Andre Przywara <andre.przywara@arm.com>
2022-03-02 13:59:29 -05:00
Tom Rini
f861ffa660 Merge branch '2022-03-02-enable-pylint-in-CI' into next
To quote the author:
This series adds a new errors-only pylint check and adds it to the CI
systems.

It also fixes the current errors in the U-Boot Python code, disabling
errors where it seems necessary.

A small patch to buildman allows it to build sandbox without any changes
to the default config file
2022-03-02 10:38:00 -05:00
Simon Glass
642e51addf Azure/GitLab CI: Add the pylint checker
Add a check that new Python code does not regress the pylint score for
any module.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-03-02 10:28:12 -05:00
Simon Glass
fc8af3803f buildman: Update default config to build for sandbox
At present the default .buildman file written by buildman does not specify
a default toolchain. Add an 'other' line so this works correctly and
sandbox builds run as expected.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-03-02 10:28:12 -05:00
Simon Glass
f44a52af4d Makefile: Add a way to check for pylint errors
Add a new 'pylint_err' target which only reports errors, not warnings.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-03-02 10:28:12 -05:00
Simon Glass
9e0077796f test: Correct pylint errors
Fix pylint errors in all tests.

This requires adding a get_spawn() method to the ConsoleBase base, so that
its subclass is happy.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-03-02 10:28:12 -05:00
Simon Glass
68a0b7156a moveconfig: Correct pylint errors
Fix two pylint errors in this file.

Note ACTION_SPL_NOT_EXIST is not defined so the dead code can be removed.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-03-02 10:28:12 -05:00
Simon Glass
8d2ef3e993 binman: Correct pylint errors
Fix pylint errors that can be fixed and mask those that seem to be
incorrect.

A complication with binman is that it tries to avoid importing libfdt
(or anything that imports it) unless needed, so that things like help
still work if it is missing.

Note that two tests are duplicated in binman and two others have
duplicate names, so both of these issues are fixed also.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-03-02 10:28:12 -05:00
Simon Glass
8a455fc08f dtoc: Correct pylint errors
Fix pylint errors in this directory.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-03-02 10:28:12 -05:00
Simon Glass
ac05335d85 buildman: Correct pylint errors
Fix pylint errors that can be fixed and mask those that seem to be
incorrect.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-03-02 10:28:12 -05:00
Simon Glass
32cc6ae273 patman: Correct pylint errors
Fix pylint errors that can be fixed and mask those that seem to be
incorrect.

Signed-off-by: Simon Glass <sjg@chromium.org>
2022-03-02 10:28:12 -05:00
Tom Rini
f64aac4a69 Merge https://source.denx.de/u-boot/custodians/u-boot-usb
2022-03-01 07:48:39 -05:00
Tim Harvey
a41b88ec02 phy: nop-phy: Fix phy reset if no reset-gpio defined
Ensure there is a valid reset-gpio defined before using it.

Fixes: f9852acdce ("phy: nop-phy: Fix enabling reset")
Cc: Adam Ford <aford173@gmail.com>
Signed-off-by: Tim Harvey <tharvey@gateworks.com>
2022-03-01 00:21:11 +01:00
Tom Rini
f9a719e295 Prepare v2022.04-rc3
Signed-off-by: Tom Rini <trini@konsulko.com>
2022-02-28 18:02:33 -05:00
Tom Rini
8df7e97047 Merge branch '2022-02-28-bugfixes'
- Assorted bugfixes
2022-02-28 15:45:52 -05:00
Linus Walleij
c2aed9cfb9 board: stemmy: Detect board variants and patch DTB
This patch scans the cmdline from the Samsung SBL (second stage
bootloader) and stores the parameters board_id=N and lcdtype=N
in order to augment the DTB for different board and LCD types.

We then add a custom ft_board_setup() callback that will inspect
the DTB and patch it using the stored LCD type. At this point
we know which product we are dealing with, so using the passed
board_id we can also print the board variant for diagnostics.

We patch the Codina, Skomer and Kyle DTBs to use the right
LCD type as passed in lcdtype from the SBL.

This also creates an infrastructure for handling any other
Samsung U8500 board variants that may need a slightly augmented
DTB.

Cc: Markuss Broks <markuss.broks@gmail.com>
Cc: Stephan Gerhold <stephan@gerhold.net>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2022-02-28 10:33:45 -05:00
Janne Grunau
6fb4f7387e arm: apple: Switch to fully dynamic mem layout
Support for Apple M1 Pro and Max will allow using a single binary for
all M1 SoCs. The M1 Pro/Max have a different memory layout. The RAM
start address is 0x100_0000_0000 instead of 0x8_0000_0000.
Replace the hardcoded memory layout with dynamic initialized
environment variables in board_late_init().

Tested on Mac Mini (2020) and Macbook Pro 14-inch (2021).

Signed-off-by: Janne Grunau <j@jannau.net>
Reviewed-by: Mark Kettenis <kettenis@openbsd.org>
2022-02-28 10:33:45 -05:00
Felix Brack
551f426011 arm: pdu001: Setup pinmux for console UART as early as possible
To make sure we get a working console as soon as possible in the SPL the
UART pins require to be configured earlier. This is especially
true for the pins of UART3, since the PDU001 board uses this UART for
the console by default.

Signed-off-by: Felix Brack <fb@ltec.ch>
2022-02-28 10:33:11 -05:00
Felix Brack
286f94803e arm: pdu001: Fix early debugging UART
The changes from commit 0dba45864b ("arm: Init the debug UART")
prevent the early debug UART from being initialized correctly.
To fix this we not just configure the pin multiplexer but add setting up
early clocks.

Signed-off-by: Felix Brack <fb@ltec.ch>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2022-02-28 10:33:11 -05:00
Pali Rohár
11f29d4436 tools: mkimage/dumpimage: Allow to use -l with -T
Currently -l option for mkimage and dumpimage ignores option -T and always
tries to autodetect image type.

With this change it is possible to tell mkimage and dumpimage to parse
image file as specific type (and not random autodetected type). This allows
to use mkimage -l or dumpimage -l as tool for validating image.

params.type for -l option is now by default initialized to zero
(IH_TYPE_INVALID) instead of IH_TYPE_KERNEL. imagetool_get_type() for
IH_TYPE_INVALID returns NULL, which is assigned to tparams. mkimage and
dumpimage code is extended to handle tparams with NULL for -l option. And
imagetool_verify_print_header() is extended to do validation via tparams if
it is not NULL.

Signed-off-by: Pali Rohár <pali@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
2022-02-28 10:33:11 -05:00
Hou Zhiqiang
2058967d2f tools: pblimage: fix image header verification function
The Layerscape platforms have different RCW header value from FSL
PowerPC platforms, the current image header verification callback
is only working on PowerPC, it will fail on Layerscape, this patch
is to fix this issue.

This is a historical problem and exposed by the following patch:
http://patchwork.ozlabs.org/project/uboot/patch/20220114173443.9877-1-pali@kernel.org

Signed-off-by: Hou Zhiqiang <Zhiqiang.Hou@nxp.com>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 12:01:02 +05:30
Daniel Klauer
453db60568 lx2160a: Fix distroboot device list for configs without USB/SCSI/etc
The BOOT_TARGET_DEVICES list for distro_bootcmd was hard-coded to assume
that all boot devices are available/enabled in the configuration,
thus ignoring the actual config settings. The config_distro_bootcmd.h
header file specifically has compile-time checks to detect such problems.

To allow disabling USB, SCSI, etc. in custom lx2160a board configs,
make it depend on the config settings and use only the enabled features.

Signed-off-by: Daniel Klauer <daniel.klauer@gin.de>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 12:01:02 +05:30
Michael Walle
554a85313b board: sl28: use fit image generator
Simplify the binman config and fdt nodes by using the "@..-SEQ"
substitutions and CONFIG_OF_LIST.

Signed-off-by: Michael Walle <michael@walle.cc>
[Rebased]
Signed-off-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 12:01:02 +05:30
Michael Walle
62ba0e5df6 board: sl28: disable random MAC address generation
Nowadays, u-boot (when CONFIG_NET_RANDOM_ETHADDR is set) will set
enetaddr to a random value if not set and then pass the randomly
generated MAC address to linux.

This is bad for the following reasons:
 (1) it makes it impossible for linux to detect this error
 (2) linux won't trigger any fallback mechanism for the case where
     it didn't find any valid MAC address
 (3) a saveenv will store this randomly generated MAC address in the
     environment

Probably, the user will also be unaware that something is wrong. He will
just get different MAC addresses on each reboot, asking himself why this
is the case.

As this board usually has a serial port, the user can just fix this by
setting the MAC address manually in the environment. Also disable the
netconsole just in case, because it cannot be guaranteed that it will
work in any case. After all, this was just a convenience option, because
the bootloader - right now - doesn't have the ability to read the MAC
address, which is stored in the OTP. But it is far more important to
have a clear view of what's wrong with a board and that means we can no
longer use this Kconfig option.

Signed-off-by: Michael Walle <michael@walle.cc>
[Rebased]
Signed-off-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 12:01:02 +05:30
Michael Walle
2810da7c80 board: sl28: remove "Useful I2C tricks" section from docs
They are no longer needed, because we now have proper driver support for
the sl28cpld management controller.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 11:59:35 +05:30
Michael Walle
453d1711d2 board: sl28: disable recovery watchdog
This board has an internal watchdog which supervises the board startup.
Although the initial state of the watchdog is configurable, it is
enabled by default. In board_late_init(), which means almost everything
worked as expected, disable the watchdog.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 11:59:35 +05:30
Michael Walle
2ba8a446ce board: sl28: enable SoC watchdog support
The SoC provides two additional watchdogs integrated in the SoC. Enable
support for these.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 11:59:35 +05:30
Michael Walle
34502f7aa3 board: sl28: enable sl28cpld support
Enable the GPIO and watchdog driver. Don't start the watchdog
automatically, though.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 11:59:35 +05:30
Michael Walle
d36b683a0f board: sl28: print CPLD version on bootup
Most of the time it is very useful to have the version of the board
management controller. Now that we have a driver, print it during
startup.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 11:59:35 +05:30
Michael Walle
fea5161322 board: sl28: fix DRAM pretty print
The current console output is:

DRAM:  4 GiB
DDR    4 GiB (DDR3, 32-bit, CL=11, ECC on)

The size is printed twice and we can save one line of console output if
we join both lines. The new output is as follows:

DRAM:  4 GiB (DDR3, 32-bit, CL=11, ECC on)

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 11:59:35 +05:30
Michael Walle
07d6cb9378 gpio: add sl28cpld driver
The gpio block is part of the sl28cpld management controller.
There are three different flavors: the usual input and output where the
direction is configurable, but also input only and output only variants.

Signed-off-by: Michael Walle <michael@walle.cc>
[Rebased]
Signed-off-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 11:59:35 +05:30
Michael Walle
f606c9a895 watchdog: add sl28cpld watchdog driver
The watchdog timer is part of the sl28cpld management controller. The
watchdog timer usually supervises the bootloader boot-up and if it bites
the failsafe bootloader will be activated. Apart from that it supports
the usual board level reset and one SMARC speciality: driving the
WDT_TIMEOUT# signal.

Signed-off-by: Michael Walle <michael@walle.cc>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 11:59:35 +05:30
Michael Walle
42595eb706 misc: add sl28cpld base driver
Add a multi-function device driver which will probe its children and
provides methods to access the device.

Signed-off-by: Michael Walle <michael@walle.cc>
[Rebased]
Signed-off-by: Priyanka Jain <priyanka.jain@nxp.com>
2022-02-28 11:59:35 +05:30
Tom Rini
a900c7f816 Pull request for efi-2022-04-rc3
Documentation:
 
 * add man-page for fatload
 * add SMBIOS table page
 
 UEFI:
 
 * partial fix for UEFI secure boot with intermediate certs
 * disable watchdog when returning to command line
 * reset system after capsule update
Merge tag 'efi-2022-04-rc3' of https://source.denx.de/u-boot/custodians/u-boot-efi

2022-02-26 10:21:39 -05:00
Tom Rini
7228ef9482 Merge https://source.denx.de/u-boot/custodians/u-boot-sh
- rzg2_beacon updates
2022-02-26 10:21:13 -05:00
Masahisa Kojima
3fa9ed9ae3 efi_loader: update the timing of enabling and disabling EFI watchdog
UEFI specification requires that 5 minutes watchdog timer is
armed before the firmware's boot manager invokes an EFI boot option.
This watchdog timer is updated as follows, according to the
UEFI specification.

 1) The EFI Image may reset or disable the watchdog timer as needed.
 2) If control is returned to the firmware's boot manager,
    the watchdog timer must be disabled.
 3) On successful completion of EFI_BOOT_SERVICES.ExitBootServices()
    the watchdog timer is disabled.

1) is up to the EFI image, and 3) is already implemented in U-Boot.
This patch implements 2), the watchdog is disabled when control is
returned to U-Boot.

In addition, current implementation arms the EFI watchdog at only
the first "bootefi" invocation. The EFI watchdog must be armed
in every EFI boot option invocation.

Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-02-26 07:37:01 +01:00
Masami Hiramatsu
3e6f810006 efi_loader: test/py: Reset system after capsule update on disk
Add a cold reset soon after processing capsule update on disk.
This is required in UEFI specification 2.9 Section 8.5.5
"Delivery of Capsules via file on Mass Storage device" as;

    In all cases that a capsule is identified for processing the system is
    restarted after capsule processing is completed.

This also reports the result of each capsule update so that the user can
notice that the capsule update has succeeded or not from console log.

Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-02-26 07:37:01 +01:00
Masami Hiramatsu
e7233c9c93 test/py: Handle expected reboot while booting sandbox
Add expected_reset optional argument to ConsoleBase::ensure_spawned(),
ConsoleBase::restart_uboot() and ConsoleSandbox::restart_uboot_with_flags()
so that it can handle a reset while the 1st boot process after main
boot logo before prompt correctly.

Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-02-26 07:37:01 +01:00
Masami Hiramatsu
06396e2e66 test/py: Handle expected reset by command
Add wait_for_reboot optional argument to ConsoleBase::run_command()
so that it can handle an expected reset by command execution.

This is useful if a command will reset the sandbox while testing
such commands, e.g. run_command("reset", wait_for_reboot = True)

Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
2022-02-26 07:37:01 +01:00
Masami Hiramatsu
a6aafce494 efi_loader: use efi_update_capsule_firmware() for capsule on disk
Since the efi_update_capsule() represents the UpdateCapsule() runtime
service, it has to handle the capsule flags and update ESRT. However
the capsule-on-disk doesn't need to care about such things.

Thus, the capsule-on-disk should use the efi_capsule_update_firmware()
directly instead of calling efi_update_capsule().

This means the roles of the efi_update_capsule() and capsule-on-disk
are different. We have to keep the efi_update_capsule() for providing
runtime service API at boot time.

Suggested-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Masami Hiramatsu <masami.hiramatsu@linaro.org>
Reviewed-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
2022-02-26 07:37:00 +01:00
Ilias Apalodimas
bdcc0a9594 efi_loader: fix uefi secure boot with intermediate certs
The general rule of accepting or rejecting an image is
 1. Is the sha256 of the image in dbx
 2. Is the image signed with a certificate that's found in db and
    not in dbx
 3. The image carries a cert which is signed by a cert in db (and
    not in dbx) and the image can be verified against the former
 4. Is the sha256 of the image in db

For example SHIM is signed by "CN=Microsoft Windows UEFI Driver Publisher",
which is issued by "CN=Microsoft Corporation UEFI CA 2011", which in its
turn is issued by "CN=Microsoft Corporation Third Party Marketplace Root".
The latter is a self-signed CA certificate and with our current implementation
allows shim to execute if we insert it in db.

However it's the CA cert in the middle of the chain which usually ends up
in the system's db.  pkcs7_verify_one() might or might not return the root
certificate for a given chain.  But when verifying executables in UEFI, the
trust anchor can be in the middle of the chain, as long as that certificate
is present in db.  Currently we only allow this check on self-signed
certificates, so let's remove that check and allow all certs to try to
match an entry in db.

Open questions:
- Does this break any aspect of variable authentication since
  efi_signature_verify() is used on those as well?

Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
2022-02-26 07:37:00 +01:00