To quote the author:
The virtio PCI drivers forgo a number of consistency checks,
particularly around pointer validation and bounds checking. This series
focuses on the modern driver to add those checks.
The start of the series adds and fixes some basic bounds checks. Later
patches ensure PCI addresses fall within the expected regions rather
than any arbitrary address. This is acheived by introducing range
parameters to a few of the dm_pci_* functions that allow the ranges to
be checked.
The series also adds a few new configs to allow parts of virtio and PCI
to be disabled where the features may be unused and the current
implementations don't have the needed consistencty checks.
The virtio PCI capabilities describe regions of memory that should be
mapped. Map those with dm_pci_map_bar() which will ensure they are valid
PCI regions.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Prepare for calls to `virtio_pci_map_capability()` failing by returning
NULL on error. If this happens, later accesses to the pointers would be
unsafe so cause the probe to fail if such an error occurs.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Add a mask parameter to control the lookup of the PCI region from which
the mapping can be made.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Add mask parameter and reorder length parameter to match the other PCI
address conversion functions. Using PCI_REGION_TYPE as the mask gives
the old behaviour.
It's converted from a macro to an inline function as the length
parameter is now used twice, but should only be calculated once.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
When converting addresses, apply a mask to the region flags during
lookup. This allows the caller to specify which flags are important and
which are not, for example to exclude system memory regions.
The behaviour of the function is changed such that they don't
preferentially search for a non-system memory region. However, system
memory regions are added after other regions in decode_regions() leading
to a similar outcome.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Evolve dm_pci_map_bar() to include an offset and length parameter. These
allow a portion of the memory to be mapped and range checks to be
applied.
Passing both the offset and length as zero results in the previous
behaviour and this is used to migrate the previous callers.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Add tests for the functions dm_pci_bus_to_phys() and
dm_pci_phys_to_bus() which convert between PCI bus addresses and
physical addresses based on the ranges declared for the PCI controller.
The ranges of bus#1 are used for the tests, adding a translation to one
of the ranges to cover more cases.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
When converting between PCI bus and physical addresses, include a length
parameter that can be used to check that the entire range fits within
one of the PCI regions. This prevents an address being returned that
might be only partially valid for the range it is going to be used for.
Where the range check is not wanted, passing a length of 0 will have the
same behaviour as before this change.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
When parsing the `ranges` DT node, check that both extremes of the
regions are addressable without overflow. This assumption can then be
safely made when processing the regions.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
The flags parameter of dm_pci_map_bar() is used for PCI region flags
rather than memory mapping flags. Fix the type to match that of the
region flags and stop using the regions flags as memory mapping flags.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Read the virtio PCI capability out of the device configuration space to
a struct rather than accessing fields directly from the configuration
space as they are needed. This both makes access to the fields easier
and avoids re-reading fields.
Re-reading fields could result in time-of-check to time-of-use problems,
should the value in the configuration space change. The range check of
the `bar` field and the later call to `dm_pci_read_bar32()` is an
example of where this could happen.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Ensure the virtio PCI capabilities are contained within the bounds of
the device's configuration space. The expected size of the capability is
passed when searching for the capability to enforce this check.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Check that the common config is at least as large as the struct it is
expected to contain. Only then is it safe to cast the pointer and be
safe from out-of-bounds accesses.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Make sure virtio notifications are written within their allocated
buffer.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
The device config is optional, so check it was present and mapped before
trying to use the pointer. Bounds violations are an error, not just a
warning, so bail if the checks fail.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
The length of the device config was erroneously being taken from the
notify capability. Correct this by finding the length in the device
capability.
Fixes: 550435edf8 ("virtio: pci: Support non-legacy PCI transport device")
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Add a new config to control whether the driver for legacy virtio PCI
devices is included in the build. VIRTIO_PCI_LEGACY is included by
default when VIRTIO_PCI is selected, but it can also be independently
toggled.
Signed-off-by: Andrew Scull <ascull@google.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
This commit adds the Kconfig option to disable to enter
the U-Boot console from bootmenu.
If CMD_BOOTMENU_ENTER_UBOOT_CONSOLE is enabled, "U-Boot console"
entry is appeared as the last entry in the bootmenu, then user can
enter U-Boot console.
If CMD_BOOTMENU_ENTER_UBOOT_CONSOLE is disabled, "Quit" entry
is appeared as the last entry instead of "U-Boot console".
When user chooses "Quit" from bootmenu, the following default
commands are invoked.
- "bootefi bootmgr" (if efi bootmgr is enabled)
- "run bootcmd"
If the both commands are executed and returns to the bootmenu,
the bootmenu will appears again.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
This commit adds the UEFI related menu entries
into the bootmenu.
User can select which UEFI "Boot####" option to execute
from bootmenu, then bootmenu sets the "BootNext" UEFI
variable and invoke efi bootmgr. The efi bootmgr
will handle the "BootNext" UEFI variable.
If the "BootNext" UEFI variable is preset and efi bootmgr is enabled,
bootmenu invokes efi bootmgr to handle "BootNext" as first priority.
The UEFI boot entry has the "UEFI BOOTXXXX" prefix as below.
*** U-Boot Boot Menu ***
UEFI BOOT0000 : debian
UEFI BOOT0001 : ubuntu
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
This is a preparation for succeeding addition of uefi boot
and distro boot menu entries into bootmenu.
The bootmenu_entry title is updated to u16 string because
uefi use u16 string. This commit also factors out the function
to prepare the entries generated by "bootmenu_x" U-Boot environment
variable.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Under the current implementation, booting from removable media using
a architecture-specific default image name, say BOOTAA64.EFI, is
supported only in distro_bootcmd script. See the commit 74522c898b
("efi_loader: Add distro boot script for removable media").
This is, however, half-baked implementation because
1) UEFI specification requires this feature to be implemented as part
of Boot Manager's responsibility:
3 - Boot Manager
3.5.1 Boot via the Simple File Protocol
When booting via the EFI_SIMPLE_FILE_SYSTEM_PROTOCOL, the FilePath will
start with a device path that points to the device that implements the
EFI_SIMPLE_FILE_SYSTEM_PROTOCOL or the EFI_BLOCK_IO_PROTOCOL. The next
part of the FilePath may point to the file name, including
subdirectories, which contain the bootable image. If the file name is
a null device path, the file name must be generated from the rules
defined below.
...
3.5.1.1 Removable Media Boot Behavior
To generate a file name when none is present in the FilePath, the
firmware must append a default file name in the form
\EFI\BOOT\BOOT{machine type short-name}.EFI ...
2) So (1) entails the hehavior that the user's preference of boot media
order should be determined by Boot#### and BootOrder variables.
With this patch, the semantics mentioned above is fully implemented.
For example, if you want to boot the system from USB and SCSI in this
order,
* define Boot0001 which contains only a device path to the USB device
(without any file path/name)
* define Boot0002 which contains only a device path to the SCSI device,
and
* set BootOrder to Boot0001:Boot0002
To avoid build error for sandbox, default file name "BOOTSANDBOX.efi"
is defined even if it is out of scope of UEFI specification.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
On sandbox use binary name corresponding to host architecture.
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This function will be used in the next commit where some behavior
of EFI boot manager will be expanded.
Signed-off-by: AKASHI Takahiro <takahiro.akashi@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
menu_get_choice() needs to handle the case that menu item
is empty. In this case, menu_get_choice() returns -ENOENT.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
To make user aware of the menu entry selection, menu always
appears regardless of the number of entry.
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Adjust test/py/tests/test_bootmenu.py
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Provide a unit test for function u16_strlcat().
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Provide u16 string version of strlcat().
Signed-off-by: Masahisa Kojima <masahisa.kojima@linaro.org>
Reviewed-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
lib/charset.c is not optional for
EFI_APP || EFI_LOADER || UFS || UT_UNICODE.
These must select CONFIG_CHARSET.
Fixes: 726cd9836d ("efi: Make unicode printf available to the app")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
The unit test has not been built since CPU_V7 was rename CPU_V7A.
Fixes: acf1500138 ("arm: v7: Kconfig: Rename CPU_V7 as CPU_V7A")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
When resetting the text console the colors have to be set before clearing
the screen. Otherwise the background color may be wrong.
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
%s/cammand/command/
%s/sequencies/sequences/
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
* correct output for timeout > 99 s
* don't use spaces to advance to the output column
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Based on reading https://www.msys2.org/docs/ci/ and "Other Systems"
rework how we update MSYS2 to the current version. We run it once, to
perform nothing other than being the first run, then we run pacman
twice.
Signed-off-by: Tom Rini <trini@konsulko.com>
Add Nuvoton NPCM BMC Flash Interface Unit(FIU) SPI master
controller driver using SPI-MEM interface.
The FIU supports single, dual or quad communication interface.
The FIU controller driver provides flash access in UMA(User
Mode Access) mode by using an indirect address/data mechanism.
the dts node is followed upstream kernel dts name.
Signed-off-by: Jim Liu <JJLIU0@nuvoton.com>
Signed-off-by: Stanley Chu <yschu@nuvoton.com>
Reviewed-by: Jagan Teki <jagan@amarulasolutions.com>
[Jagan: fixed the Kconfig, Makefile order]
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Add Macronix mx25u51245g flash entry, so this can be used on
SoCFPGA devices.
Signed-off-by: Tien Fong Chee <tien.fong.chee@intel.com>
[Jagan: updated commit head]
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Reviewed-by: Jagan Teki <jagan@amarulasolutions.com>
Add ID for Winbond W25Q128JW device. This is a 128 Mbit QSPI NOR.
Tested on W25Q128JWPIM part.
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Horatiu Vultur <horatiu.vultur@microchip.com>
Cc: Simon Goldschmidt <simon.k.r.goldschmidt@gmail.com>
Cc: Stefan Roese <sr@denx.de>
Cc: Vignesh R <vigneshr@ti.com>
Reviewed-by: Stefan Roese <sr@denx.de>
Reviewed-by: Jagan Teki <jagan@amarulasolutions.com>
To quote the author:
U-Boot provides a verified-boot feature based around FIT, but there is
no standard way of implementing it for a board. At present the various
required pieces must be built up separately, to produce a working
implementation. In particular, there is no built-in support for selecting
A/B boot or recovery mode.
This series introduces VPL, a verified program loader phase for U-Boot.
Its purpose is to run the verified-boot process and decide which SPL
binary should be run. It is critical that this decision happens before
SPL runs, since SPL sets up SDRAM and we need to be able to update the
SDRAM-init code in the field.
Adding VPL into the boot flow provides a standard place to implement
verified boot. This series includes the phase itself, some useful Kconfig
options and a sandbox_vpl build for sandbox. No verfied-boot support is
provided in this series.
Most of the patches in this series are fixes and improvements to docs and
various Kconfig conditions for SPL.
Add an initial VPL build for sandbox. This includes the flow:
TPL (with of-platdata) -> VPL -> SPL -> U-Boot
To run it:
./tpl/u-boot-tpl -D
The -D is needed to get the default device tree, which includes the serial
console info.
Add a Makefile check for OF_HOSTFILE which is the option that enables
devicetree control on sandbox.
Signed-off-by: Simon Glass <sjg@chromium.org>