Rather than verifying configuration signature of the configuration node
containing the kernel image types, verify all configuration nodes, even
those that do not contain kernel images. This is useful when the nodes
contain ie. standalone OSes or U-Boot.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Tom Rini <trini@konsulko.com>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add FIT data-position & data-offset property support for bootm,
which were already supported in SPL.
Signed-off-by: Kelvin Cheung <keguang.zhang@gmail.com>
Just add IH_TYPE_STANDALONE to fit_get_image_type_property().
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
These functions may be needed in SPL, so add empty variants of them
if CONFIG_SPL_FIT_PRINT is disabled.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Rename CONFIG_FIT_SPL_PRINT to CONFIG_SPL_FIT_PRINT and add Kconfig
entry for it.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: Simon Glass <sjg@chromium.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
We only call fit_conf_print from one place in the code, so mark it as
static and move it up to where we call it. This in turn has us move a
few other already static functions up further as well.
Signed-off-by: Tom Rini <trini@konsulko.com>
The signature/hash information are displayed for images but nor for
configurations.
Add subnodes printing in fit_conf_print() like it's done in fit_image_print()
Signed-off-by: Clément Péron <peron.clem@gmail.com>
[trini: Add guards around fit_conf_print to avoid warnings]
Signed-off-by: Tom Rini <trini@konsulko.com>
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from. So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry. Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.
In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.
This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents. There's also a few places where I found we did not have a tag
and have introduced one.
Signed-off-by: Tom Rini <trini@konsulko.com>
SPL ATF implementation requires FIT image with partitions where the one
is Firmware/ATF and another one Firmware/U-Boot. OS field is used for
recording that difference that's why make sense to show values there for
Firmware types.
For example:
Image 0 (atf)
Description: ATF bl31.bin
Created: Mon Mar 26 15:58:14 2018
Type: Firmware
Compression: uncompressed
Data Size: 51152 Bytes = 49.95 KiB = 0.05 MiB
Architecture: ARM
OS: ARM Trusted Firmware
Load Address: 0xfffe0000
Hash algo: md5
Hash value: 36a4212bbb698126bf5a248f0f4b5336
Image 1 (uboot)
Description: u-boot.bin
Created: Mon Mar 26 15:58:14 2018
Type: Firmware
Compression: uncompressed
Data Size: 761216 Bytes = 743.38 KiB = 0.73 MiB
Architecture: ARM
OS: U-Boot
Load Address: 0x08000000
Hash algo: md5
Hash value: f22960fe429be72296dc8dc59a47d566
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Jun Nie <jun.nie@linaro.org>
SPL ATF support requires to have firmware property which should be also
listed by mkimage -l when images is created.
The patch is also using this macro in spl_fit to match keyword.
When image is created:
Default Configuration: 'config'
Configuration 0 (config)
Description: ATF with full u-boot
Kernel: unavailable
Firmware: atf
FDT: dtb
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Jun Nie <jun.nie@linaro.org>
Reviewed-by: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
U-boot proper signature is not verified by SPL on most platforms
even config SPL_FIT_SIGNATURE is enabled. Only fsl-layerscape
platform support secure boot in platform specific code. So
verified boot cannot be achieved if u-boot proper is loaded by
SPL.
This patch add signature verification to u-boot proper images
when loading FIT image in SPL. It is tested on Allwinner bananapi
zero board with H2+ SoC.
Signed-off-by: Jun Nie <jun.nie@linaro.org>
The DT spec demands a unit-address in a node name to match the "reg"
property in that node. Newer dtc versions will throw warnings if this is
not the case.
Fix all occurences in the tree where node names were mentioned in
comments, to not give bad examples to the reader.
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
For external data, FIT has a optional property "data-position" which
can set the external data to a fixed offset to FIT beginning.
Add the support for this property in SPL FIT.
Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Tomas Melin <tomas.melin@vaisala.com>
Cc: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Cc: "Andrew F. Davis" <afd@ti.com>
Cc: Igor Grinberg <grinberg@compulab.co.il>
Cc: "tomas.melin@vaisala.com" <tomas.melin@vaisala.com>
Cc: Kever Yang <kever.yang@rock-chips.com>
Cc: Andre Przywara <andre.przywara@arm.com>
Cc: York Sun <york.sun@nxp.com>
Cc: Lokesh Vutla <lokeshvutla@ti.com>
Cc: "Cooper Jr., Franklin" <fcooper@ti.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Tuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
Cc: Jean-Jacques Hiblot <jjhiblot@ti.com>
Cc: Rick Altherr <raltherr@google.com>
Cc: Tom Rini <trini@konsulko.com>
Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>
Reviewed-by: York Sun <york.sun@nxp.com>
Introduce an overlay based method for constructing a base DT blob
to pass to the kernel.
It is based on a specific method now to get the FDT from a FIT image
named boot_get_fdt_fit().
Signed-off-by: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Acked-by: Simon Glass <sjg@chromium.org>
fit_image_load() threw away the extra configuration parts when
loading. We need them around for applying extra overlays for
building the boot fdt.
Signed-off-by: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Acked-by: Simon Glass <sjg@chromium.org>
As part of the fdt overlay support which need it, allow
a list of configurations per property.
Signed-off-by: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Acked-by: Simon Glass <sjg@chromium.org>
Enable support for loading a splash image from within a FIT image.
The image is assumed to be generated with mkimage -E flag to hold
the data external to the FIT.
Signed-off-by: Tomas Melin <tomas.melin@vaisala.com>
Acked-by: Igor Grinberg <grinberg@compulab.co.il>
After an image is selected out of a FIT blob for further processing we
run an optional, platform specific, post-processing function on this
component. This post-processing may modify the position and size of the
image, so after post-processing we update the location and size for this
image in the FIT header. This can cause problems as the position of
subsequent components in the FIT blob are only referenced by relative
position to the end of the last component. When we resize or move a
component the following components position will be calculated
incorrectly. To fix this, we do not update the FIT header but instead
only update our local understanding of the image data. This also allows
us to re-run post-processing steps if needed.
Signed-off-by: Andrew F. Davis <afd@ti.com>
Tested-by: Carlos Hernandez <ceh@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Lokesh Vutla <lokeshvutla@ti.com>
Commit ec6617c3 includes autoconf.h in image-fit.c, causing conflict
for board odroid-xu3 which overwrites CONFIG_SYS_BOARD in header
file. Move the include higher and use linux/kconfig.h instead of
generated/autoconf.h.
Signed-off-by: York Sun <york.sun@nxp.com>
CC: Alison Wang <alison.wang@nxp.com>
To support loading a 32-bit OS, the execution state will change from
AArch64 to AArch32 when jumping to kernel.
The architecture information will be got through checking FIT image,
then U-Boot will load 32-bit OS or 64-bit OS automatically.
Signed-off-by: Ebony Zhu <ebony.zhu@nxp.com>
Signed-off-by: Alison Wang <alison.wang@nxp.com>
Signed-off-by: Chenhui Zhao <chenhui.zhao@nxp.com>
Reviewed-by: York Sun <york.sun@nxp.com>
The signature for this macro has changed. Bring in the upstream version and
adjust U-Boot's usages to suit.
Signed-off-by: Simon Glass <sjg@chromium.org>
Update to drivers/power/pmic/palmas.c:
Signed-off-by: Keerthy <j-keerthy@ti.com>
Change-Id: I6cc9021339bfe686f9df21d61a1095ca2b3776e8
These have now landed upstream. The naming is different and in one case the
function signature has changed. Update the code to match.
This applies the following upstream commits by
Thierry Reding <treding@nvidia.com> :
604e61e fdt: Add functions to retrieve strings
8702bd1 fdt: Add a function to get the index of a string
2218387 fdt: Add a function to count strings
Signed-off-by: Simon Glass <sjg@chromium.org>
Commit bac17b78da ("image-fit: switch ENOLINK to ENOENT") changed
fit_get_node_from_config to return -ENOENT when a property doesn't
exist, but didn't change any of its callers which check return values.
Notably it didn't change boot_get_ramdisk, which leads to U-Boot failing
to boot FIT images which don't include ramdisks with the following
message:
Ramdisk image is corrupt or invalid
It also didn't take into account that by returning -ENOENT to denote the
lack of a property we lost the ability to determine from the return
value of fit_get_node_from_config whether it was the property or the
configuration node that was missing, which may potentially lead callers
to accept invalid FIT images.
Fix this by having fit_get_node_from_config return -EINVAL when the
configuration node isn't found and -ENOENT when the property isn't
found, which seems to make semantic sense. Callers that previously
checked for -ENOLINK are adjusted to check for -ENOENT, which fixes the
breakage introduced by commit bac17b78da ("image-fit: switch ENOLINK
to ENOENT").
The only other user of the return fit_get_node_from_config return value,
indirectly, is bootm_find_os which already checked for -ENOENT. From a
read-through of the code I suspect it ought to have been checking for
-ENOLINK prior to bac17b78da ("image-fit: switch ENOLINK to ENOENT")
anyway, which would make it right after this patch, but this would be
good to get verified by someone who knows this x86 code or is able to
test it.
Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Cc: Jonathan Gray <jsg@jsg.id.au>
Cc: Marek Vasut <marex@denx.de>
Acked-by: Marek Vasut <marex@denx.de>
Acked-by: Stefan Roese <sr@denx.de>
Acked-by: George McCollister <george.mccollister@gmail.com>
Tested-by: George McCollister <george.mccollister@gmail.com>
Commit 62afc60188 introduced fpga image load via
bootm but broke the OS check in fit_image_load().
This commit removes following compiler warning:
---8<---
In file included from tools/common/image-fit.c:1:
/Volumes/devel/u-boot/tools/../common/image-fit.c:1715:39: warning: use of logical '||' with constant operand [-Wconstant-logical-operand]
os_ok = image_type == IH_TYPE_FLATDT || IH_TYPE_FPGA ||
^ ~~~~~~~~~~~~
/Volumes/devel/u-boot/tools/../common/image-fit.c:1715:39: note: use '|' for a bitwise operation
os_ok = image_type == IH_TYPE_FLATDT || IH_TYPE_FPGA ||
^~
|
1 warning generated.
--->8---
Signed-off-by: Andreas Bießmann <andreas@biessmann.org>
Cc: Michal Simek <michal.simek@xilinx.com>
Acked-by: Michal Simek <michal.simek@xilinx.com>
This commit allows injecting a board/platform/device-specific post-
processing function into the FIT image data loading process, which can
include modifying the size and altering the starting source address of
an image data artifact. This might be desired to do things like strip
headers or footers attached to the images before they were packaged into
the FIT, or to perform operations such as decryption or authentication.
Introduce new configuration option CONFIG_FIT_IMAGE_POST_PROCESS to
allow controlling this feature. If enabled, a platform-specific post-
process function must be provided.
Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
In certain circumstances it comes in handy to be able to boot into a second
U-Boot. But as of now it is not possible to boot a U-Boot binary that is inside
a FIT image, which is problematic for projects that e.g. need to guarantee a
unbroken chain of trust from SOC all the way into the OS, since the FIT signing
mechanism cannot be used.
This patch adds the capability to load such FIT images.
An example .its snippet (utilizing signature verification) might look
like the following:
images {
firmware@1 {
description = "2nd stage U-Boot image";
data = /incbin/("u-boot-dtb.img.gz");
type = "firmware";
arch = "arm";
os = "u-boot";
compression = "gzip";
load = <0x8FFFC0>;
entry = <0x900000>;
signature@1 {
algo = "sha256,rsa4096";
key-name-hint = "key";
};
};
};
Signed-off-by: Mario Six <mario.six@gdsys.cc>
Reviewed-by: Tom Rini <trini@konsulko.com>
The comments in the source file are riddled with spelling mistakes. Be
a good citizen and take a stab at cleaning up some of the more obvious
ones.
Signed-off-by: Andreas Dannenberg <dannenberg@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Add function boot_get_fpga() which find and load bitstream to
programmable logic if fpga entry is present.
Function is supported on Xilinx devices for full and partial bitstreams
in BIN and BIT format.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Remove additional blankline in image.h
Add FIT_FPGA_PROP that user can identify an optional
entry for fpga.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This function returns an error code and its caller may be able to fix the
error. For example fit_handle_file() expands the device tree to fit if there
is a lack of space.
In this case the caller does not want an error displayed. It is confusing,
since it suggests that something is wrong, when it fact everything is fine.
Drop the error.
Signed-off-by: Simon Glass <sjg@chromium.org>
FIT image supports more than 32 bits in addresses by using #address-cell
field. Fixing 64-bit support by using this field.
Signed-off-by: York Sun <york.sun@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
FIT image supports load address and entry address. Getting these
addresses can use a common function.
Signed-off-by: York Sun <york.sun@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
There are already two FIT options in Kconfig but the CONFIG options are
still in the header files. We need to do a proper move to fix this.
Move these options to Kconfig and tidy up board configuration:
CONFIG_FIT
CONFIG_OF_BOARD_SETUP
CONFIG_OF_SYSTEM_SETUP
CONFIG_FIT_SIGNATURE
CONFIG_FIT_BEST_MATCH
CONFIG_FIT_VERBOSE
CONFIG_OF_STDOUT_VIA_ALIAS
CONFIG_RSA
Unfortunately the first one is a little complicated. We need to make sure
this option is not enabled in SPL by this change. Also this option is
enabled automatically in the host builds by defining CONFIG_FIT in the
image.h file. To solve this, add a new IMAGE_USE_FIT #define which can
be used in files that are built on the host but must also build for U-Boot
and SPL.
Note: Masahiro's moveconfig.py script is amazing.
Signed-off-by: Simon Glass <sjg@chromium.org>
[trini: Add microblaze change, various configs/ re-applies]
Signed-off-by: Tom Rini <trini@konsulko.com>
This reverts commit 84ca65aa4b.
On signature verification failures fit_image_verify() should NOT exit with
error. Only keys marked 'required' can cause image verification failure.
This logic is already there and works correctly.
Add a comment to make this clear.
Fixes: 84ca65aa (image-fit: Fix signature checking)
Signed-off-by: Simon Glass <sjg@chromium.org>
A recent change broke the 'bootm' command on sandbox. The root cause is
using a pointer as an address. Conversion from pointer to address needs to
use map_to_sysmem() so that sandbox can do the right thing. The problem was
pre-existing but uncovered by a recent commit.
Fix this. Also move fit_get_end() to the C file to avoid needing to include
mapmem.h (and thus asm/io.h) everywhere.
Fixes: 1fec3c5d (common/image.c: Make boot_get_ramdisk() perform a check for Android images)
Signed-off-by: Simon Glass <sjg@chromium.org>
This fixes the following compiler warning:
In file included from tools/common/image-fit.c:1:0:
./tools/../common/image-fit.c: In function ‘fit_conf_print’:
./tools/../common/image-fit.c:1470:27: warning: logical not is only applied
to the left hand side of comparison [-Wlogical-not-parentheses]
(const char **)&uname) > 0;
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Added a trimmed down instance of boot_get_<thing>() to satisfy the
minimum requierments of the added feature. The function follows the
normal patterns set by other boot_get<thing>'s, which should make it a
bit easier to combine them all together into one boot_get_image()
function in a later refactor.
Documentation for the new function can be found in source:
include/image.h
Signed-off-by: Karl Apsite <Karl.Apsite@dornerworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Added FIT_LOADABLE_PROP, so the user can identify an optional entry
named "loadables" in their .its configuration. "loadables" is a comma
separated list in the .its
Documentation can be found in doc/uImage.FIT/source_file_format.txt and
doc/uImage.Fit/multi-with-loadables.its
Signed-off-by: Karl Apsite <Karl.Apsite@dornerworks.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
In the case where the arch defines a custom map_sysmem(), make sure that
including just mapmem.h is sufficient to have these functions as they
are when the arch does not override it.
Also split the non-arch specific functions out of common.h
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
The dumpimage is able to extract components contained in a FIT image:
$ ./dumpimage -T flat_dt -i CONTAINER.ITB -p INDEX FILE
The CONTAINER.ITB is a regular FIT container file. The INDEX is the poisition
of the sub-image to be retrieved, and FILE is the file (path+name) to save the
extracted sub-image.
For example, given the following kernel.its to build a kernel.itb:
/dts-v1/;
/ {
...
images {
kernel@1 {
description = "Kernel 2.6.32-34";
data = /incbin/("/boot/vmlinuz-2.6.32-34-generic");
type = "kernel";
arch = "ppc";
os = "linux";
compression = "gzip";
load = <00000000>;
entry = <00000000>;
hash@1 {
algo = "md5";
};
};
...
};
...
};
The dumpimage can extract the 'kernel@1' node through the following command:
$ ./dumpimage -T flat_dt -i kernel.itb -p 0 kernel
Extracted:
Image 0 (kernel@1)
Description: Kernel 2.6.32-34
Created: Wed Oct 22 15:50:26 2014
Type: Kernel Image
Compression: gzip compressed
Data Size: 4040128 Bytes = 3945.44 kB = 3.85 MB
Architecture: PowerPC
OS: Linux
Load Address: 0x00000000
Entry Point: 0x00000000
Hash algo: md5
Hash value: 22352ad39bdc03e2e50f9cc28c1c3652
Which results in the file 'kernel' being exactly the same as '/boot/vmlinuz-2.6.32-34-generic'.
Signed-off-by: Guilherme Maciel Ferreira <guilherme.maciel.ferreira@gmail.com>
Allow booting the OpenRTOS payloads via fitImage image type.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Simon Glass <sjg@chromium.org>
Cc: Tom Rini <trini@ti.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This is a bit odd in that we are permitted to boot images for either, even
though they are separate architectures.
Signed-off-by: Simon Glass <sjg@chromium.org>
Add a new setup@ section to the FIT which can be used to provide a setup
binary for booting Linux on x86. This makes it possible to boot x86 from
a FIT.
Signed-off-by: Simon Glass <sjg@chromium.org>
Since sandbox is used for testing, it should be able to 'boot' an image
from any archhitecture. This allows us to test an image by loading it in
sandbox.
Signed-off-by: Simon Glass <sjg@chromium.org>
Commit e3a5bbce broke the FIT image tests by not loading a ramdisk even if
a load address is provided in the FIT. The rationale was that a load address
of 0 should be considered to mean 'do not load'.
Add a new load operation which supports this feature, so that the ramdisk
will be loaded if a non-zero load address is provided.
Signed-off-by: Simon Glass <sjg@chromium.org>
commit 18b06652cd "tools: include u-boot version of sha256.h"
unconditionally forced the sha256.h from u-boot to be used
for tools instead of the host version. This is fragile though
as it will also include the host version. Therefore move it
to include/u-boot to join u-boot/md5.h etc which were renamed
for the same reason.
cc: Simon Glass <sjg@chromium.org>
Signed-off-by: Jeroen Hofstee <jeroen@myspectrum.nl>